230 likes | 247 Vues
This research paper explores IP Anycast, its security model, group characteristics, and proposes the Secure Anycast Listener Discovery (S-ALD) protocol for secure group management. The paper also discusses the authorization scheme and secure channel establishment for Anycast communication.
E N D
Research on IP Anycast Secure Group Management Wang Yue wy@net.cs.pku.edu.cn Network & Distribution Lab, Peking University Network Research Workshop 2003 16th APAN Meetings
List of Topics • Review of IP Anycast • Anycast Security Model • Anycast Group Characteristics • Secure Anycast Listener Discovery (S-ALD)
Review of IP Anycast • An IP service defined in RFC1546 for IPv4, and in RFC2373 for IPv6. • Like Multicast, an IP anycast address is assigned to a set of network interfaces. • But, a packet for an anycast address is forwarded to the “topologically nearest” interface with this address.
Review of IP Anycast (continue) Anycast Group A is identified by its anycast address; Each member can also has an unicast address to identify itself.
Review of IP Anycast (continue) • Address modification for stateful service dst = a1 Client --------------------- Anycast Server src = u1 ( anycast address : a1 ---------------------unicast address : u1 ) dst = u1 --------------------- … …
List of Topics • Review of IP Anycast • Anycast Security Model • Anycast Group Characteristics • Secure Anycast Listener Discovery (S-ALD)
Anycast Security Requirements • Everyone can announce to the routing system or clients that it was the member of a certain group. Therefore, Anycast is vulnerable to attacks such as Masquerading, DOS, etc. • “Security Requirements of IPv6 Anycast ” (internet draft) • Unauthenticated anycast server announcements • Source address modification by an anycast server • Secure communication between anycast clients and servers
Secure Channel for Anycast • We need secure channels between anycast members and the routing system as well as clients. Certificate-based secure protocols are good for the purpose. ( red lines denote secure channels )
Authorization Scheme • IPv6 Anycast address format • Network prefix defines a topological scope where all members reside in • Global IP Anycast (GIA): prefix is null prefix • Regional IP Anycast (RIA): prefix is not null • AS-inner RIA : prefix insides an AS • AS-outer RIA : prefix does not inside any AS
Authorization Scheme (continue) • Three separate authorizations needed • Assigning an anycast address, e.g. by IANA • Entitling group membership to an interface, e.g. by the group owner • Admission control for an group member residing in a certain network region or AS, e.g. by the AS
Authorization Scheme (continue) • Authorization Hierarchy for GIA and AS-outerRIA address ( each color denotes a certificate chain )
Authorization Scheme (continue) • Authorization Hierarchy for AS-innerRIA address ( considering an anycast address prefix covers a network inside the AS )
Configuration • Group Discoverers need configure IANA or local addresses assigning authorities’ public key, and the public key for admission control certificate. • Clients need only configure IANA’s public key. • Truncation of certificate chains can be used to reduce cost, after the first try.
List of Topics • Review of IP Anycast • Anycast Security Model • Anycast Group Characteristics • Secure Anycast Listener Discovery (S-ALD)
Host-based Anycast using MLD • This internet draft proposes to discover anycast members the same way as Multicast Listener Discovery (MLD) protocol. • Host sends Report or Leave to the adjacent router (i.e. Group Discoverer) when joining or leaving a group. • Group Discoverers periodically send Query to learn status of adjacent members.
Anycast Group Characteristics • Semantically, each anycast group provides a service. • Normally, the frequency for members advertising to Group Discoverers their joining or leaving a group is low. • Members should report their status more frequently. • The processing delay for joining is not required strictly, as other members can provide the same service. • The processing delay for leaving should be as low as possible. • Locations of anycast members can be rather limited and stable, so we unnecessarily deploy one group discoverer in each access border of the routing system. It is both economical and secure in this way.
List of Topics • Review of IP Anycast • Anycast Security Model • Anycast Group Characteristics • Secure Anycast Listener Discovery (S-ALD)
Secure Anycast Listener Discovery • The Scenario • Secure channel between anycast member and Group Discoverer is built during the join phase on IPSec by authenticating the mentioned certificates.
S-ALD Features • Members report actively, not driven by a query • Network burst largely reduced • Members and Group Discoverers may not be on the same link • Group Discoverers should record status of registered members • For secure sessions’s sake • Other information, e.g. members’s load may be useful for anycast route choice • Considering Anycast group characteristics, S-ALD is secure, totally low overhead and manageable
Our contributions • Authorization Scheme for Secure Anycast • Anycast Group Characteristics • The Resulting S-ALD protocol
Prospect • IP Anycast is useful for service discovery, automatic configuration, load balance, etc. • But, concerning security, IPv6 restricts that anycast addresses must NOT assigned to hosts, “until more experience has been gained and solutions agreed upon”. • With Anycast Secure Group Management, we can break this restriction.