using off path and on path signaling for internet security
play

Using Off-Path and On-Path Signaling for Internet Security Saikat - PowerPoint PPT Presentation

Mar 31, 2024 •480 likes •651 views

Using Off-Path and On-Path Signaling for Internet Security Saikat Guha, Paul Francis Cornell University IETF 66 Off-path BoF Guha and Francis Using Off-path and On-Path Signaling for Internet Security Architecture Default-Off Data-Path

  1. Using Off-Path and On-Path Signaling for Internet Security Saikat Guha, Paul Francis Cornell University IETF 66 Off-path BoF Guha and Francis Using Off-path and On-Path Signaling for Internet Security

  2. Architecture ◮ Default-Off Data-Path ◮ Turned “on” after off-path negotiation ◮ Default-On Off-Path Signaling ◮ Rate-limited ◮ Mediated by intermediaries ◮ Heavily Secured ◮ On-Path Signaling ◮ Coupled Off-Path negotiation with Data-Path Guha and Francis Using Off-path and On-Path Signaling for Internet Security

  3. Network Elements g policy.cornell.edu policy.cs.cornell.edu Internet Cornell CS alice@cornell.edu Guha and Francis Using Off-path and On-Path Signaling for Internet Security

  4. Discover P-Box g policy.cornell.edu policy.cs.cornell.edu Cornell CS alice@cornell.edu Guha and Francis Using Off-path and On-Path Signaling for Internet Security

  5. Register Off-path policy.cornell.edu policy.cs.cornell.edu REGISTER alice@cornell.edu Cornell CS app = vncserver location = office ... alice@cornell.edu Guha and Francis Using Off-path and On-Path Signaling for Internet Security

  6. Request Data-Path policy.cornell.edu policy.cs.cornell.edu INVITE To: alice@cornell.edu; app=vncserver Cornell CS From: bob@acme.com; app=vncviewer alice@cornell.edu bob@acme.com Guha and Francis Using Off-path and On-Path Signaling for Internet Security

  7. Data-Path with Keys policy.cornell.edu policy.cs.cornell.edu OK 128.84.223.110:4111 Key-saikat: 123ABC Key-cs: 456DEF Cornell CS Key-cornell: 789012 Encryption: ssl alice@cornell.edu bob@acme.com Guha and Francis Using Off-path and On-Path Signaling for Internet Security

  8. Authorized Data g policy.cornell.edu policy.cs.cornell.edu DATA <xyz> Auth-saikat: (123ABC) Auth-cs: (456DEF) Cornell CS Auth-cornell: (789012) alice@cornell.edu bob@acme.com Guha and Francis Using Off-path and On-Path Signaling for Internet Security

  9. Network Elements g Off-path ◮ Policy ◮ Presence ◮ Messaging policy.cornell.edu policy.cs.cornell.edu Internet Cornell CS On-Path alice@cornell.edu ◮ Firewall ◮ TURN Relay ◮ Auditor Guha and Francis Using Off-path and On-Path Signaling for Internet Security

  10. Discover P-Box g P-Box Discovery ◮ Static policy.cornell.edu policy.cs.cornell.edu ◮ DHCP (at boot) Cornell CS ◮ Off-Path Query alice@cornell.edu ◮ On-Path Query Guha and Francis Using Off-path and On-Path Signaling for Internet Security

  11. Register Off-path Authenticate ◮ User, Domain ◮ Application ◮ Location policy.cornell.edu policy.cs.cornell.edu REGISTER alice@cornell.edu Cornell CS app = vncserver location = office Mechanism ... alice@cornell.edu ◮ Certificates ◮ Trusted Computing Guha and Francis Using Off-path and On-Path Signaling for Internet Security

  12. Request Data-Path Request policy.cornell.edu ◮ Authentication policy.cs.cornell.edu INVITE To: alice@cornell.edu; app=vncserver Cornell CS ◮ Off-Path DoS From: bob@acme.com; app=vncviewer alice@cornell.edu ◮ Off-Path MitM bob@acme.com Guha and Francis Using Off-path and On-Path Signaling for Internet Security

  13. Data-Path with Keys Response Token ◮ Contents ◮ IP:port policy.cornell.edu policy.cs.cornell.edu OK 128.84.223.110:4111 ◮ Firewall Key Key-saikat: 123ABC Key-cs: 456DEF CS Cornell Key-cornell: 789012 ◮ # bytes Encryption: ssl ◮ Time valid alice@cornell.edu bob@acme.com ◮ Replay Attack Guha and Francis Using Off-path and On-Path Signaling for Internet Security

  14. Authorized Data g On-Path Signaling policy.cornell.edu policy.cs.cornell.edu DATA <xyz> ◮ Out-of-Band (NSIS) Auth-saikat: (123ABC) Auth-cs: (456DEF) CS Cornell Auth-cornell: (789012) ◮ In-Band (framing) alice@cornell.edu bob@acme.com Guha and Francis Using Off-path and On-Path Signaling for Internet Security

  15. Implementation ◮ P-Box: SER SIP Proxy, static policy rules ◮ P-Box Discovery: Static Configuration ◮ Registration: SIP REGISTER (with user authorization) ◮ Rendezvous: SIP INVITE (with SDP) ◮ Response: 200 OK (with SDP, local address, STUN addresses, TURN address and TURN server authorization key) ◮ Data-Path: In-band (framing inside TCP), TURN path must include authorization Callflows at: nutss.net/bof/cf.txt Guha and Francis Using Off-path and On-Path Signaling for Internet Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Preferred Path Routing ( PPR ) Graphs Beyond Signaling Of Paths To Networks CNSM 2018

Preferred Path Routing ( PPR ) Graphs Beyond Signaling Of Paths To Networks CNSM 2018

Preferred Path Routing ( PPR ) Graphs Beyond Signaling Of Paths To Networks CNSM 2018 HIPNET workshop Toerless Eckert, Yingzhen Qu, Uma Chunduri Future Networks Santa Clara, California, USA {firstname.lastname}@huawei.com version

676 views • 20 slides
Martha Brumfield, President and CEO C-Path Mission C-Path The Critical Path Institute is a

Martha Brumfield, President and CEO C-Path Mission C-Path The Critical Path Institute is a

The C-Path Vision: Sharing Data and Expertise to Accelerate the Development of Safe and Effective Therapies for Neonates Martha Brumfield, President and CEO C-Path Mission C-Path The Critical Path Institute is a catalyst in the development of

410 views • 20 slides
CS 457 Lecture 18 Global Internet Fall 2011 Solution: Path Vectors Each routing update

CS 457 Lecture 18 Global Internet Fall 2011 Solution: Path Vectors Each routing update

CS 457 Lecture 18 Global Internet Fall 2011 Solution: Path Vectors Each routing update carries the entire path Loops are detected as follows: when AS gets route check if AS already in path if yes, reject route if no, add

448 views • 29 slides
The End-to-End Effects of Internet Path Selec5on S.

The End-to-End Effects of Internet Path Selec5on S.

The End-to-End Effects of Internet Path Selec5on S. Savage, A. Collins, E. Hoffman, J. Snell, and T. Anderson Presented by: Imranul Hoque

467 views • 19 slides
Different Goals for our NMS Many uses for Internet-scale path measurements: Towards a High

Different Goals for our NMS Many uses for Internet-scale path measurements: Towards a High

Different Goals for our NMS Many uses for Internet-scale path measurements: Towards a High Quality Path- Discover network trends, find paths Building network models oriented Network Measurement Run experiments using models and

209 views • 4 slides
Introduction to Path Analysis Ways to think about path analysis Path coefficients

Introduction to Path Analysis Ways to think about path analysis Path coefficients

Introduction to Path Analysis Ways to think about path analysis Path coefficients A bit about direct and indirect effects What path analysis can and cant do for you Measured vs. manifested the when of

589 views • 24 slides
The Wrong Path - Adultery Everyday Wisdom | Proverbs 5:1-23; 6:20-35; 7:1-27 Path #1 - The way

The Wrong Path - Adultery Everyday Wisdom | Proverbs 5:1-23; 6:20-35; 7:1-27 Path #1 - The way

The Wrong Path - Adultery Everyday Wisdom | Proverbs 5:1-23; 6:20-35; 7:1-27 Path #1 - The way Path #2 - The way of of the foolish the wise Picture from rootsrated.com via Ed Ogle/Flickr Pay attention to my commands, Gods Word. Proverbs

527 views • 25 slides
CSE 421 Longest Path in a DAG, LIS, Shortest Path with Negative Weights Shayan Oveis Gharan 1

CSE 421 Longest Path in a DAG, LIS, Shortest Path with Negative Weights Shayan Oveis Gharan 1

CSE 421 Longest Path in a DAG, LIS, Shortest Path with Negative Weights Shayan Oveis Gharan 1 Longest Path in a DAG Longest Path in a DAG Goal: Given a DAG G, find the longest path. Recall: A directed graph G is a DAG if it has no cycle.

571 views • 23 slides
Path Diversity ! Number of paths for a packet to transit between two points &quot; Inside an

Path Diversity ! Number of paths for a packet to transit between two points &quot; Inside an

In Search for Path Diversity in ISP Networks Renata Teixeira, Keith Marzullo, Stefan Savage, Geoffrey M. Voelker UC San Diego Internet Measurement Conference 2003 Path Diversity ! Number of paths for a packet to transit between two points

160 views • 5 slides
More On Paths Supplement to Chapter 4, Graph Theory Path definition What is a path? We

More On Paths Supplement to Chapter 4, Graph Theory Path definition What is a path? We

More On Paths Supplement to Chapter 4, Graph Theory Path definition What is a path? We are in in a graph context MOP2 Path definition 2 What is a path? A path is a sequence of nodes n 1 , n 2 , , n p Each

850 views • 65 slides
PATH F Framew mework LEC EC 1 12-4-19 19 PATH TH Fr Framework I k In Context W t Within

PATH F Framew mework LEC EC 1 12-4-19 19 PATH TH Fr Framework I k In Context W t Within

PATH F Framew mework LEC EC 1 12-4-19 19 PATH TH Fr Framework I k In Context W t Within O Oaklan and Ho Homelessn ssness ss S Sho hould B Be e Rare, B , Brief, &amp; , &amp; Non R n Recur ecurring Affordable Housing Policy

873 views • 31 slides
Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

Introduction to Digital VLSI Logic Synthesis Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups according to the clock associated with the endpoint of the path. There is a default path group that

540 views • 18 slides
Challenges and a Path Forward for Realizing Data-Driven Federal Internet Policy A Research

Challenges and a Path Forward for Realizing Data-Driven Federal Internet Policy A Research

Challenges and a Path Forward for Realizing Data-Driven Federal Internet Policy A Research Agenda for Law and Computer Science and Internet Data 8th Workshop on Internet Economics (WIE 2017) JamesMillerEsquire@gmail.com Adjunct Prof. of Law,

531 views • 40 slides
Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The

Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The

Introduction to Path Tracing Marc Sunet Table of contents From Ray Tracing to Path Tracing The Rendering Equation Monte Carlo Integration A Basic Path Tracer Variance Reduction and Optimisation Techniques Additional Resources Plan From Ray

1.08k views • 54 slides
A * A path finding algorithm. A path finding algorithm. Given a state space, such as a

A * A path finding algorithm. A path finding algorithm. Given a state space, such as a

A * A path finding algorithm. A path finding algorithm. Given a state space, such as a 2-dimensional map, find a path from point A to point B in that space, if such a path exists. If such a path exists, return a path within certain criteria

445 views • 30 slides
Design of capacitated networks with unsplittable shortest path routing Andreas Bley Zuse

Design of capacitated networks with unsplittable shortest path routing Andreas Bley Zuse

Design of capacitated networks with unsplittable shortest path routing Andreas Bley Zuse Institute Berlin (ZIB) Overview Practical background: Internet = shortest path routing Properties of unsplittable shortest path systems Integer

460 views • 17 slides
1 Basic Polic ie s for Small Gove r nme nts E xample for r e que sting vac ation time :

1 Basic Polic ie s for Small Gove r nme nts E xample for r e que sting vac ation time :

Basic Polic ie s for Small Gove r nme nts Basic Polic ie s for Small Gove r nme nts What is a polic y? Diffe re nc e b e twe e n a po lic y a nd pro c e dure Po lic ie s: Co mmunic a te a n o rg a niza tio n s c ulture ,

585 views • 5 slides
Sharing Research Data Sets Jeffrey Brown, Lesley Curtis, and Rich Platt June 13, 2014 Previously

Sharing Research Data Sets Jeffrey Brown, Lesley Curtis, and Rich Platt June 13, 2014 Previously

The NIH Collaboratory Distributed Research Network: A Privacy Protecting Method for Sharing Research Data Sets Jeffrey Brown, Lesley Curtis, and Rich Platt June 13, 2014 Previously The NIH Collaboratory: Data Sharing Principles- An Initial

841 views • 32 slides
W HO IS IN J AIL ? Population Changes 2008-2018: 34% Jail incarceration rate decreased 12%

W HO IS IN J AIL ? Population Changes 2008-2018: 34% Jail incarceration rate decreased 12%

PRETRIAL RELEASE: S TATE L AWS &amp; R ECENT L EGISLATION AMBER WIDGERY | MAY 2020 N ATIONAL C ONFERENCE OF S TATE L EGISLATURES Non-profit, bipartisan organization. Members are all 7,383 legislators and 30,000 legislative staff in 50

511 views • 23 slides
Service Coordination Training: Participant-Directed Services Hosted by Tuesday, August 21 st 2018

Service Coordination Training: Participant-Directed Services Hosted by Tuesday, August 21 st 2018

Service Coordination Training: Participant-Directed Services Hosted by Tuesday, August 21 st 2018 1 This training is presented to you by PPL in collaboration with the CHC Managed Care Organizations and the Office of Long Term Living The

682 views • 52 slides
Fraud Prevention/ Student Activity Account Best Practices November 6, 2019 Ag e nda F ra ud

Fraud Prevention/ Student Activity Account Best Practices November 6, 2019 Ag e nda F ra ud

11/12/2019 Fraud Prevention/ Student Activity Account Best Practices November 6, 2019 Ag e nda F ra ud Pre ve ntion Stude nt Ac tivitie s Cre dit Ca rds 2 3 1 11/12/2019 Cr e sse ys F r aud T r iangle Ne e d F r aud T r

585 views • 17 slides
WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam

WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam

WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam Kumar , Hyung-Sin Kim, John Kolb, Kaifei Chen, Moustafa AbdelBaky, Gabe Fierro, David E. Culler, Raluca Ada Popa This material is based on work

1.25k views • 30 slides
Short Term Certificates d raft-sheffer-acme-star-lurk-00 Yaron Sheffer, Diego Lopez, Thomas

Short Term Certificates d raft-sheffer-acme-star-lurk-00 Yaron Sheffer, Diego Lopez, Thomas

Short Term Certificates d raft-sheffer-acme-star-lurk-00 Yaron Sheffer, Diego Lopez, Thomas Fossati, Oscar Gonzalez de Dios IETF 97, Seoul Motivation Delegate the authorization to publish a web site Securely: owner can revoke the

488 views • 10 slides
PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure

PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure

IN3210 Network Security PKI and Certificate Security Outline Motivation Certificates Public Key Infrastructure Threats to certificates / PKI Protecting certificates / PKI 2 Certificates Motivation 3 Motivation: TLS

1.68k views • 108 slides

More recommend