Secure in-packet Bloom filter based forwarding node on a NetFPGA - PowerPoint PPT Presentation



SLIDE 1


Secure in-packet Bloom filter based forwarding node on a NetFPGA

1st EUROPEAN NETFPGA DEVELOPERS WORKSHOP SEP 9-10TH, 2010 UNIVERSITY OF CAMBRIDGE, UK Adnan Ghani and Pekka Nikander

SLIDE 2

Presentation outline

› Background

– In-packet Bloom filter (iBF) based forwarding
– Link IDs and Bloom filters
– Forwarding decision
– Using Link Identity Tags (LITs)
– False positives and forwarding efficiency
– Algorithmic view

› Computational iBFs

– Split key management
– Flow diagrams
– Implementation details
– Latency measurements

SLIDE 3

iBF-based forwarding

› Give names to links, not to nodes
› Form a source route using the link names
› Encode the set, as a Bloom filter, into the packet header
› Main drawback: false positives due to using Bloom filters
› Details on next slides:

– Link-identity-based source routing
– Forwarding decisions
– Optimising with multiple link identifiers
– Simulation results
– Enhancing with computational link identifiers
– Virtual trees

SLIDE 4

Link IDs and Bloom filters

› No names for nodes

– Each link identified with a unidirectional Link ID

› Link IDs (Bloom masks)

– Statistically unique
– Periodically changing
– Size e.g. 256 bits
– Local or centrally controlled

› Source routing

– Encode Link IDs into a Bloom filter (zFilter)
– Naturally multicast

› “Stateless”

[Figure: nodes A, B, C, D; the Link IDs A➜B and B➜C are ORed into the zFilter zF: A➜B➜C]

SLIDE 5

Forwarding Decision

› Forwarding decision based on binary AND and CMP

– zFilter in the packet matched with all outgoing Link IDs
– Multicasting: zFilter contains more than one outgoing link

[Figure: zFilter & Link ID = zFilter? → Yes/No]

SLIDE 6

Using Link Identity Tags (LIT)

› Better forwarding efficiency with a simple trick

– Define d different LITs instead of a single LID
– LIT has the same size as LID, and also k bits set to 1
– [Power of choices]

› Route creation and packet forwarding

– Calculate d different candidate zFilters
– Select the best performing zFilter, based on some policy

[Figure: Host 1 and Host 2 each have, per outgoing interface, a Link ID and LIT 1 … LIT d; candidate zFilters zFilter 1 … zFilter d are formed from them]

SLIDE 7

Using Link Identity Tags (LIT)

[Figure: the packet carries BF and the index n; for each outgoing link the node picks LIT n out of LIT1 … LITd and checks (BF & LITn) = LITn → Yes/No]

SLIDE 8

Forwarding efficiency

› Simulations with

– Rocketfuel
– SNDlib

› Forwarding efficiency
› 20 receivers

– Basic LID: 80%
– Optimised: 88%, with 8 LITs

[Plot: wrongly sent packets vs. number of receivers]

SLIDE 9

Algorithmic view

› Forwarding is based on the following algorithm
› Security problem: an attacker may try to determine the bits set to one in the forwarding identifier.
› Solution: computational Bloom masks

Input: LITs of the outgoing links; zFilter in the packet header
foreach LIT of outgoing interface do
    if (zFilter & LIT) = LIT then
        Forward packet on the link
    end
end
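The forwarding loop above, together with the zFilter construction and the LIT "power of choices" trick from the earlier slides, as an added Python example (not code from the presentation or from the NetFPGA implementation). The 256-bit width is the slide's figure; k = 5 bits per mask, the random masks, and the fewest-set-bits selection policy are assumptions.

```python
import random

M = 256   # Bloom filter / Link ID width in bits (slide: "Size e.g. 256 bits")
K = 5     # bits set to 1 in each Link ID or LIT (assumed value of k)


def random_mask(rng, m=M, k=K):
    """A Link ID or LIT: an m-bit mask with exactly k bits set (constructed at random)."""
    mask = 0
    for pos in rng.sample(range(m), k):
        mask |= 1 << pos
    return mask


def build_zfilter(masks):
    """Encode a set of link masks into one in-packet Bloom filter (zFilter) by OR-ing them."""
    z = 0
    for mask in masks:
        z |= mask
    return z


def forward(zfilter, outgoing):
    """Forwarding decision: binary AND, then compare, for every outgoing link.
    outgoing maps link name -> mask; returns the links the packet is sent on (multicast)."""
    return [name for name, mask in outgoing.items() if zfilter & mask == mask]


def best_zfilter(path_lits):
    """LIT trick: every path link has d LITs; candidate i ORs LIT i of each link.
    Policy assumed here: pick the candidate with the fewest 1 bits (fewest false positives)."""
    d = len(path_lits[0])
    candidates = [build_zfilter([lits[i] for lits in path_lits]) for i in range(d)]
    best = min(range(d), key=lambda i: bin(candidates[i]).count("1"))
    return best, candidates[best]


def false_positive_rate(zfilter, rng, trials=20000):
    """Fraction of random non-path links that wrongly match the filter:
    the 'wrongly sent packets' cost that the LIT trick tries to reduce."""
    hits = 0
    for _ in range(trials):
        mask = random_mask(rng)
        if zfilter & mask == mask:
            hits += 1
    return hits / trials
```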

SLIDE 10

Secure case: Computational iBFs

› Form LITs algorithmically

– at packet handling time

› Secure periodic key K
› Input port index
› Output port index
› Flow ID from the packet, e.g.

– Information ID
– IP addresses & ports

› n from the packet

[Figure: Z takes K(t), IN port #, OUT port #, Flow ID and n (from "BF n" in the packet) and produces LIT(d); the node checks (BF & LIT(d)) = LIT(d) → yes/no]

SLIDE 11

Computational iBFs

› O = Z(K, M, I)
› K = semi-static secret key

– varies every few minutes, hours or days

› M = medium dynamic data

– e.g. captures a session, link indices, etc.

› I = dynamic, i.e. varies per packet
› The key is split into three parts: K1 = KDF(K, "1"); K2 = KDF(K, "2"); K3 = KDF(K, "3")
› O1 = F1(K1, <other semi static inputs>)
› O2 = F2(K2, O1 || M)
› O = O3 = F3(K3, O2 || I)

SLIDE 12

Sender operations (as info)

› Sender has data to send
› Get pairs <O1, K2> and K3 for the forwarding elements on the path
› Find a route between sender and destination and represent it by a set of in/out pairs
› For each link, compute O2 = F2(K2, O1 || link)
› For each O2 value in the O2-set:

– 1. Generate a nonce
– 2. Compute O = F3(K3, O2 XOR nonce)
– 3. Convert O into a Bloom mask
– 4. Add the Bloom mask into the iBF

› Insert the iBF and the nonce into the packet
› Send packet

SLIDE 13

Forwarding node operation

› Receive the set of O2-values and K3 for the session
› Receive a packet
› For each value in the O2-set (in parallel for all outgoing links): O = F3(K3, O2 XOR nonce)
› Is O present in the iBF in the packet?

– YES: forward the packet on that link
– NO: the link is not used
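The split-key construction O1/O2/O3 from the Computational iBFs slide and the sender and forwarding-node operations of the two flow diagrams, as an added Python example that is not the presentation's code. Assumptions: HMAC-SHA256 stands in for KDF and for F1, F2, F3 (the slides leave them unspecified), one nonce per packet (the packet carries "the nonce"), a 256-bit iBF with 5 bits per Bloom mask, and the constructed key, node and link names.

```python
import hashlib
import hmac
import os

M, KBITS = 256, 5   # iBF width and bits per Bloom mask (assumed, as in the basic scheme)


def kdf(K: bytes, label: str) -> bytes:
    """Split the semi-static key: K1 = KDF(K, "1"), K2 = KDF(K, "2"), K3 = KDF(K, "3")."""
    return hmac.new(K, label.encode(), hashlib.sha256).digest()


def F(key: bytes, data: bytes) -> bytes:
    """Keyed function used for F1, F2 and F3 (HMAC-SHA256 is an assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def to_bloom_mask(O: bytes, m: int = M, k: int = KBITS) -> int:
    """Convert O into an m-bit Bloom mask with k bits set; bit positions come from 2-byte chunks of O."""
    mask = 0
    for i in range(k):
        mask |= 1 << (int.from_bytes(O[2 * i:2 * i + 2], "big") % m)
    return mask


def xor32(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def node_keys(K: bytes, node_id: bytes):
    """Forwarding element: K1..K3 and O1 = F1(K1, semi-static inputs); it hands out <O1, K2> and K3."""
    K1, K2, K3 = (kdf(K, label) for label in ("1", "2", "3"))
    return F(K1, node_id), K2, K3


def link_o2(O1: bytes, K2: bytes, link: bytes) -> bytes:
    """O2 = F2(K2, O1 || link): computed by the sender for its path links, by the node for all links."""
    return F(K2, O1 + link)


def sender_build_ibf(o2_values, K3: bytes, nonce=None):
    """Sender: O = F3(K3, O2 XOR nonce) per path link, Bloom-mask it, OR it into the iBF."""
    nonce = nonce or os.urandom(32)
    ibf = 0
    for O2 in o2_values:
        ibf |= to_bloom_mask(F(K3, xor32(O2, nonce)))
    return ibf, nonce


def forwarding_decision(ibf: int, nonce: bytes, o2_set: dict, K3: bytes):
    """Forwarding node: recompute O for every outgoing link and test membership in the packet's iBF."""
    out = []
    for link, O2 in o2_set.items():
        mask = to_bloom_mask(F(K3, xor32(O2, nonce)))
        if ibf & mask == mask:
            out.append(link)
    return out
```

Because the mask depends on the secret K3 and on the per-packet nonce, an iBF captured from one packet matches no link once the nonce changes, which is what denies an attacker the fixed bit pattern that the plain LIT scheme exposes.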

SLIDE 14

Reference Datapath and modified datapaths

[Figure: reference datapath (user_data_path: input_arbiter, output_port_lookup, output_queues) and modified datapath (user_data_path: input_arbiter, output_port_selector with parsers and LUTs, output_queues)]

SLIDE 15

Output_port_selector module structure

[Figure: Output_port_selector block diagram: Register Access logic and Register Interface on the Ctrl bus; Header parser (State, bit_counter, ethertype, TTL) on the Data bus; Moustique or AES block; Combine results / do_zFiltering; outputs: out_ports, New TTL, Header, Counter]

SLIDE 16

Ericsson Internal | 2010-09-07

Latency measurement results

Path and packet format          Average latency   Standard deviation
Wire (new)                      12,784 ns         4,448.96 ns
NetFPGA with Moustique (new)    15,272 ns         4,991.28 ns
NetFPGA with AES (new)          15,057 ns         3,756.86 ns
Wire (old)                      12,549 ns         4,867.34 ns
NetFPGA with LIPSIN (old)       14,627 ns         4,204.58 ns