secure in packet bloom filter based forwarding
play

Secure in-packet bloom filter based forwarding tle pt node on a - PowerPoint PPT Presentation

Feb 09, 2024 •35 likes •195 views

Secure in-packet bloom filter based forwarding tle pt node on a netfpga 1st EUROPEAN NETFPGA DEVELOPERS WORKSHOP tle SEP 9-10 TH , 2010 pt UNIVERSITY OF CAMBRIDGE, UK Adnan Ghani and Pekka Nikander Presentation outline Background

  1. Secure in-packet bloom filter based forwarding tle pt node on a netfpga 1st EUROPEAN NETFPGA DEVELOPERS WORKSHOP tle SEP 9-10 TH , 2010 pt UNIVERSITY OF CAMBRIDGE, UK Adnan Ghani and Pekka Nikander

  2. Presentation outline › Background – In-packet Bloom filter (iBF) based forwarding – Link IDs and Bloom Filters – Forwarding decision – Using Link Identity Tags (LITs) – False positives and forwarding efficiency – Algorithmic view › Computational iBFs – Split key management – Flow diagrams – Implementation details – Latency measurements

  3. iBF-based forwarding › Give names to links, not to nodes › Form a source-route using the links names › Encode the set, as a Bloom filter, into the packet header › Main drawback: false positives due to using Bloom filters › Details on next slides: – Link-identity-based source routing – Forwarding decisions – Optimising with multiple link identifiers – Simulation results – Enhancing with computational link identifiers – Virtual trees

  4. Link IDs and Bloom filters › No names for nodes – Each link identified with B ➜ C A ➜ B a unidirectional Link ID B C › Link IDs (Bloom masks) – Statistically unique A – Periodically changing – Size e.g. 256 bits D – Local or centrally controlled › Source routing – Encode Link IDs into A ➜ B 0 1 0 0 0 1 0 0 1 B ➜ C 1 0 0 0 0 1 1 0 0 a Bloom filter (zFilter) zF: A ➜ B ➜ C 1 1 0 0 0 1 1 0 1 – Naturally multicast › “Stateless”

  5. Forwarding Decision › Forwarding decision based on binary AND and CMP – zFilter in the packet matched with all outgoing Link IDs – Multicasting: zFilter contains more than one outgoing links Link ID & = Yes/No zFilter zFilter

  6. Using Link Identity Tags (LIT) › Better forwarding efficiency with a simple trick – Define d different LITs instead of a single LID – LIT has the same size as LID, and also k bits set to 1 – [Power of choices] › Route creation and packet forwarding – Calculate d different candidate zFilters – Select the best performing zFilter, based on some policy Host 1: Iface out Host 2: Iface out Candidate zFilter Link ID Link ID zFilter 1 LIT 1 LIT 1 zFilter 2 LIT 2 LIT 2 zFilter d LIT d LIT d

  7. Using Link Identity Tags (LIT) LIT1 & = LIT2 & = n? LITd & = Yes/No n BF n BF

  8. Forwarding efficiency Wrongly sent packets › Simulations with – Rocketfuel – SNDlib › Forwarding efficiency › 20 receivers – Basic LID: 80% – Optimised: 88% › with 8 LITs # receivers

  9. Algorithmic view › Forwarding based on following algorithm Input: LITs of the outgoing links; zFilter in the packet header foreach LIT of outgoing interface do if (zFilter & LIT) = LIT then Forward packet on the link end end › Security problem: An attacker may try to determine bits set to one in forwarding identifier. › Solution: Computational Bloom masks

  10. Secure case: Computational iBFs › Form LITs algorithmically K(t) – at packet handling time › Secure periodic key K IN port # › Input port index OUT port # Z › Output port index Flow ID › Flow ID from the packet, LIT(d) e.g. – Information ID = & – IP addresses & ports yes/no › n from the packet n BF

  11. ComputaTional iBFs › O = Z(K, M, I) › K = semi static secret key – varies every few minutes or hours or days › M = medium dynamic data – e.g. captures a session, link indices, etc › I = dynamic, i.e. varies per packet › The key is split into three parts: K 1 = KDF(K, ”1”); K 2 = KDF(K, ”2”); K 3 = KDF(K, ”3”); › O 1 = F 1 (K 1 , <other semi static inputs>) › O 2 = F 2 (K 2 , O 1 || M) › O = O 3 = F 3 (K 3 , O 2 || I)

  12. Sender operations (as info) Sender has data to send Find route between sender and destination and represent it by a set of in/out pairs For each O 2 value in the O 2 -set 1. Generate a nonce 2. Compute O = F 3 (K 3 , O 2 XOR nonce) 3. Convert O into a Boom mask Get pairs <O 1 , K 2 > and K 3 for the 4. Add the Bloom mask into the iBF forwarding elements on the path For each link, compute Insert the iBF and the nonce into packet O 2 = (K 2 , O 1 || link) Send Packet

  13. Forwarding node operation Receive set of O 2 -values and K 3 for the session Receive a packet For each value in the O 2 -set O = F 3 (K 3 ,O 2 XOR once) (Parallel for all outgoing links) NO Is the O present in the iBF in the packet? YES Forward packet on that link

  14. Reference Datapath and modified datapaths user_data_path user_data_path input_arbiter input_arbiter output_port_lookup output_port_selector parsers and LUTs output_queues output_queues

  15. Output_port_selector module structure Register Register Access Interface logic Mostique or AES Header Counter do_zFiltering Header Ctrl bus State parser bit_counter Combine out_ports results New TTL ethertype Data bus TTL

  16. itle Latency measurement results pt ws l 1 pt Path and packet format Average Latency Standard Deviation 2-5 pt Wire (New) 12,784 ns 4,448.96 ns NetFPGA with Moustique 15,272 ns 4991.28 ns (New) NetFPGA with AES 15,057 ns 3,756.86 ns (New) Wire (old) 12,549 ns 4,867.34 ns NetFPGA with LIPSIN 14,627 ns 4,204.58 ns (old) s or Ericsson Internal | 2010-09-07 | Page rea

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Selfishness in packet forwarding/ Secure protocols for behavior enforcement Security and

Selfishness in packet forwarding/ Secure protocols for behavior enforcement Security and

Selfishness in packet forwarding/ Secure protocols for behavior enforcement Security and Cooperation in Wireless Networks Georg-August University Gttingen Part I: Selfishness in packet forwarding the operation of multi-hop wireless networks

860 views • 36 slides
Bloom Filter-based Stateless Multicast va Hosszu hosszu@tmit.bme.hu Outline Multicast in

Bloom Filter-based Stateless Multicast va Hosszu hosszu@tmit.bme.hu Outline Multicast in

Bloom Filter-based Stateless Multicast va Hosszu hosszu@tmit.bme.hu Outline Multicast in publish/subscribe networks 1. Pub/sub network architecture 1. Bloom filter basics 2. What is a Bloom filter? 1. False positive probability 2.

424 views • 38 slides
Bloom Filter &amp; Hashing Barna Saha Bloom Filter Checks for SET MEMBERSHIP efficiently Is

Bloom Filter &amp; Hashing Barna Saha Bloom Filter Checks for SET MEMBERSHIP efficiently Is

Bloom Filter &amp; Hashing Barna Saha Bloom Filter Checks for SET MEMBERSHIP efficiently Is element x in the set? MoAvaAng Example Spam Filtering We have a set of 1 billion email addresses that we consider to be non-spam. Each

535 views • 20 slides
Bloom Filter based Inter-domain Name Resolution: A Feasibility Study Konstantinos V. Katsaros,

Bloom Filter based Inter-domain Name Resolution: A Feasibility Study Konstantinos V. Katsaros,

Bloom Filter based Inter-domain Name Resolution: A Feasibility Study Konstantinos V. Katsaros, Wei Koong Chai and George Pavlou University College London, UK Outline Inter-domain name resolution in ICN Scalability concerns Bloom

694 views • 33 slides
Scalable Name-Based Packet Forwarding: From Millions to Billions Tian Song , songtian@bit.edu.cn,

Scalable Name-Based Packet Forwarding: From Millions to Billions Tian Song , songtian@bit.edu.cn,

Scalable Name-Based Packet Forwarding: From Millions to Billions Tian Song , songtian@bit.edu.cn, Beijing Institute of Technology Haowei Yuan, Patrick Crowley, Washington University Beichuan Zhang, The University of Arizona 1 A

391 views • 28 slides
Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
Outline Bloom filters Applications of Bloom filters Our replacement for Bloom filters

Outline Bloom filters Applications of Bloom filters Our replacement for Bloom filters

An Optimal Bloom Filter Replacement a Rasmus Pagh, IT University of Copenhagen Joint work with Anna Pagh, IT University of Copenhagen S. Srinivasa Rao, University of Waterloo a To appear in SODA 2005 1 Outline Bloom filters

405 views • 18 slides
Jeffrey D. Ullman To motivate the Bloom-filter idea, consider a web crawler. It keeps,

Jeffrey D. Ullman To motivate the Bloom-filter idea, consider a web crawler. It keeps,

Cloud and Big Data Summer School, Stockholm, Aug., 2015 Jeffrey D. Ullman To motivate the Bloom-filter idea, consider a web crawler. It keeps, centrally, a list of all the URLs it has found so far. It assigns these URLs to any

549 views • 37 slides
Now Arriving at Layer 3 Packet Forwarding although layer 2 switches and layer 3 routers

Now Arriving at Layer 3 Packet Forwarding although layer 2 switches and layer 3 routers

Now Arriving at Layer 3 Packet Forwarding although layer 2 switches and layer 3 routers are similar in many ways and ATM/Virtual Circuits are used at layer 2 these days 9/27/06 CS/ECE 438 - UIUC, Fall 2006 1 9/27/06 CS/ECE

514 views • 7 slides
An Adaptive Bloom Filter Cache Partitioning Scheme for Multicore Architectures Konstantinos

An Adaptive Bloom Filter Cache Partitioning Scheme for Multicore Architectures Konstantinos

An Adaptive Bloom Filter Cache Partitioning Scheme for Multicore Architectures Konstantinos Nikas Computing Systems Laboratory NTU Athens, Greece Matthew Horsnell, Jim Garside Advanced Processor Technologies Group University of Manchester

692 views • 32 slides
Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange David

Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange David

Bloom Filter Encryption and Applications to Efficient Forward-Secret 0-RTT Key Exchange David Derler , Tibor Jager , Daniel Slamanig , Christoph Striecks May 3, 2018E urocrypt 2018, Tel Aviv, Israel Key Establishment

1k views • 46 slides
Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier dhartmei@openbsd.org Systor AG Usenix 2002 p.1/22 Introduction part of a firewall, working on IP packet level (vs. application level proxies or ethernet

455 views • 33 slides
Space-Code Bloom Filter for Efficient Traffic Flow Measurement Abhishek Kumar, Jun (Jim) Xu

Space-Code Bloom Filter for Efficient Traffic Flow Measurement Abhishek Kumar, Jun (Jim) Xu

Space-Code Bloom Filter for Efficient Traffic Flow Measurement Abhishek Kumar, Jun (Jim) Xu Networking and Telecommunications Group College of Computing Georgia Institute of Technology {akumar,jx}@cc.gatech.edu Li (Erran) Li Bell Laboratories

281 views • 15 slides
Constructions and Applications for Accurate Counting of the Bloom Filter False Positive Free Zone

Constructions and Applications for Accurate Counting of the Bloom Filter False Positive Free Zone

Constructions and Applications for Accurate Counting of the Bloom Filter False Positive Free Zone Ori Rottenstreich Pedro Reviriego Ely Porat S. Muthukrishnan Technion Uni. Carlos III de Madrid Bar Ilan

461 views • 24 slides
NFD Development Progress Beichuan Zhang The University Of Arizona NFD: NDN Forwarding Daemon A

NFD Development Progress Beichuan Zhang The University Of Arizona NFD: NDN Forwarding Daemon A

NFD Development Progress Beichuan Zhang The University Of Arizona NFD: NDN Forwarding Daemon A year ago, we made the first public release Open source (GPL3+) New flexible packet format based on TLV Modular and extensible design

570 views • 25 slides
BPF in-kernel virtual machine 1 BPF is Berkeley Packet Filter low level

BPF in-kernel virtual machine 1 BPF is Berkeley Packet Filter low level

BPF in-kernel virtual machine 1 BPF is Berkeley Packet Filter low level instruction set kernel infrastructure around it interpreter JITs maps helper functions Agenda status and new use cases architecture

680 views • 41 slides
FUEL CELL POWERED MICROGRIDS Chris Ball Product Marketing Lead, Microgrids and Sustainability

FUEL CELL POWERED MICROGRIDS Chris Ball Product Marketing Lead, Microgrids and Sustainability

FUEL CELL POWERED MICROGRIDS Chris Ball Product Marketing Lead, Microgrids and Sustainability 1 Proprietary and Confidential Subject to NDA We Deliver Clean, Microgrid Provider for Generates Electricity Reliable and Resilient Business

667 views • 7 slides
Streaming Algorithm: Filtering &amp; Counting Distinct Elements CompSci 590.02 Instructor:

Streaming Algorithm: Filtering &amp; Counting Distinct Elements CompSci 590.02 Instructor:

Streaming Algorithm: Filtering &amp; Counting Distinct Elements CompSci 590.02 Instructor: AshwinMachanavajjhala Lecture 6 : 590.02 Spring 13 1 Streaming Databases Continuous/Standing Queries: Every time a new data item enters the system,

478 views • 26 slides
Privacy-preserving Wi-Fi Analytics Barcelona, Spain PETS 2018 Mathieu Cunche Sbastien Gambs

Privacy-preserving Wi-Fi Analytics Barcelona, Spain PETS 2018 Mathieu Cunche Sbastien Gambs

Privacy-preserving Wi-Fi Analytics Barcelona, Spain PETS 2018 Mathieu Cunche Sbastien Gambs Mohammad Alaggan Antidot, France (Work done while at Inria Lyon, France) Univ Lyon, Inria, France Universit du Qubec

691 views • 26 slides
Intermediate Blooms Taxonomy Mattox Beckman University of Illinois at Urbana-Champaign

Intermediate Blooms Taxonomy Mattox Beckman University of Illinois at Urbana-Champaign

Introduction and Objectives Blooms Taxonomy Intermediate Blooms Taxonomy Mattox Beckman University of Illinois at Urbana-Champaign College of Engineering Introduction and Objectives Blooms Taxonomy Objectives When we are done

449 views • 14 slides
Memory Systems Daniel Sanchez August 2007 University of Wisconsin-Madison Outline

Memory Systems Daniel Sanchez August 2007 University of Wisconsin-Madison Outline

Design and Implementation of Signatures in Transactional Memory Systems Daniel Sanchez August 2007 University of Wisconsin-Madison Outline Introduction and motivation Bloom filters Bloom signatures Area &amp; performance

909 views • 38 slides
Presenter: Sunitha Ravichandran Introduction The Objective of work done by authors of this

Presenter: Sunitha Ravichandran Introduction The Objective of work done by authors of this

CSE 6350 File and Storage System Infrastructure in Data centers Supporting Internet-wide Services Cheap and Large e CAM AMs for High Pe Perform rman ance ce Data-Int Inten ensi sive ve Networ orke ked Sy Syste tems ms Presenter:

583 views • 25 slides
Indexing Encrypted Data Using Bloom Filters Claude N. Warren, Jr January 11, 2020 Email:

Indexing Encrypted Data Using Bloom Filters Claude N. Warren, Jr January 11, 2020 Email:

Indexing Encrypted Data Using Bloom Filters Claude N. Warren, Jr January 11, 2020 Email: claude@xenei.com Github: https://github.com/Claudenw LinkedIn: https://www.linkedin.com/in/claudewarren Research Gate:

457 views • 18 slides
Meta-Learning Neural Bloom Filters Jack Rae Sergey Bartunov Tim Lillicrap Architecture

Meta-Learning Neural Bloom Filters Jack Rae Sergey Bartunov Tim Lillicrap Architecture

Meta-Learning Neural Bloom Filters Jack Rae Sergey Bartunov Tim Lillicrap Architecture Interested in neural networks with compressive, distributed memories. Problem Trend in the use of neural networks to replace classical data-structures.

784 views • 9 slides

More recommend