1 / 14

Enhancing Internet Security with Network Prefix Level Authentication

This paper presents the Network Prefix Level Authentication (NPLA) system aimed at addressing IP address spoofing and enhancing accountability on the Internet. By implementing packet-level authentication, the proposed architecture utilizes digital signatures to link actions to their actors, thus mitigating DoS and vulnerability scanning attacks. The implementation discussion covers key distribution, signature management, and compatibility with existing protocols. We assess overhead implications and propose a strategy for incremental deployment within contemporary networks, contributing to the future of secure Internet applications.

dewei
Télécharger la présentation

Enhancing Internet Security with Network Prefix Level Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NPLA: Network Prefix Level Authentication Ming Li,Yong Cui,Matti Siekkinen,Antti Ylä-Jääski Aalto University, Finland Tsinghua University, China

  2. Structure • Motivation • Objective • Architecture overview • Implementation • Overhead • Conclusion and future work GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  3. Motivation • IP addresses spoofing • Lack of accountability • DoS, vulnerability scanning,... • Ruin noval applications in practice • ... GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  4. Objective • Our Goal • Provide packet level authentication on the Internet • Basic Approach • Digital signatures on packets GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  5. Objective • Accountability is the responsibility for one’s actions • Link actions to their actors • Punish misbehavior • Packet Authentication • Eliminate/mitigate source spoofing based attacks • Target for existing Internet not clean slate solution GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  6. Architecture overview (NPLA) GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  7. Implementation • How to implement if we intend to for partial deployment in today’s Internet • What kind of key • Which protocol layer • Signature size • Crypt. security • Key distribution • Granularity • Inject/verify entities • Interact with legacy entities • Host, router, NAT, prefix aggregation... • Overhead • Effectiveness GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  8. Requirements->Implementation • Strong identitifier/on route entities could verify the packets -> key type • Asymmetric key • Compatibility -> protocol layer • Shim layer between IP and TCP GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  9. Requirements->Implementation... • Key distribution • Public key infrastructure (PKI) • Routing protocols (BGP) • Offline • Signature size and security • ECC public key cryptography algorithm • Security: 163-bit ECC key = 1024-bit RSA key GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  10. Requirements->Implementation... • Security level/key management overhead -> authentication granularity • Host/personal level • Network prefix level (intra-domain) • AS level (inter-domain) • Signature injection and verification entities • Prefix border router • AS border router GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  11. Requirements->Implementation • Partial/incremental deployment, interact with legacy entities • Legacy host (strip off before arriving) • Router (compatible) • NAT (update) • Prefix aggregation (known to the administrator) • Incentive deployment • IP fragmentation GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  12. Overhead and performance • The overhead must be affordable • Computation overhead (FPGA crypt hardware) • Generate 645K/s and verify 283K/s signatures • Generate 3.8G/s and 1.7G/s traffic • Traffic overhead (%6-10%) • Memory overhead • 13MB for prefix level authentication GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  13. Overhead and Performance • Delay • ~16us per generation • ~24us per verification GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  14. Conclusion and Future Work • Authenticate packets to its claimed network prefix • Implementation challenges • How to make it work in practice? • Future work • Implementation in real networks GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

More Related