1 / 20

Ethernet Network Systems Security

Ethernet Network Systems Security. Mort Anvari. Ethernet. Most widely used LAN technology Low cost and high flexibility Versions of different speed: 10Mbps, 100Mbps, Gigabit Use globally unique media access control (MAC) address (hardware address) for every interface card.

trent
Télécharger la présentation

Ethernet Network Systems Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Ethernet Network Systems Security Mort Anvari

  2. Ethernet • Most widely used LAN technology • Low cost and high flexibility • Versions of different speed: 10Mbps, 100Mbps, Gigabit • Use globally unique media access control (MAC) address (hardware address) for every interface card

  3. Use of Hardware Address • Need an address to send a message to receiver on same Ethernet • IP address is not usable because network layer does not listen to wire • Use hardware address to identify receiver’s interface • Need to resolve receiver’s hardware address from receiver’s IP address

  4. Address Resolution Protocol • Protocol maps each IP address to corresponding hardware address in subnetwork • For computer i to get hardware address of computer j, i broadcasts a rqst message with IP address of j to the subnetwork rqst(ipa.j) i default router Internet switch r j

  5. Address Resolution • If j sees a rqst message from i with its IP address, j sends a rply message with its IP address and hardware address to i rply(ipa.j,hda.j) i default router Internet switch r j

  6. Functions of ARP • Three functions of ARP • Resolving IP addresses • Supporting dynamic assignment of addresses • Detecting destination failures

  7. ARP Spoofing Attack • To stop traffic from i to j, an adversary sends to i a spoofed rply message with IP address of j and a non-existent hardware address i default router Internet switch r j A rply(ipa.j,hda.x)

  8. Another ARP Spoofing Attack • To stop traffic from i to default router r, an adversary sends to i a spoofed rply message with IP address of r and its own hardware address i default router Internet switch r j A rply(ipa.r,hda.A)

  9. Countering ARP Spoofing Attacks • Proposed solutions include ARPWATCH and static ARP caches • ARPWATCH monitors transmission of rqst and rply messages over Ethernet and check them against a database of (IP addr, hardware addr) pairings • Static ARP cache stores permanent (IP addr, hardware addr) pairings of trusted hosts to avoid sending rqst and rply messages over Ethernet

  10. Insufficiencies of Proposed Solutions • ARPWATCH does not support dynamic assignment of IP addresses • Static ARP caches does not support dynamic assignment of IP addresses and detection of destination failures

  11. Need for Secure Address Resolution • When a computer receives a message m, it needs to determine whether m was indeed sent by claimed source, or was inserted, modified, or replayed by an adversary • Use secure address resolution protocol between each computer and a secure server

  12. Architecture of Secure Address Resolution Protocol

  13. Adversary • The adversary can perform three types of actions to disrupt communication between server s and any computer h[i] on the Ethernet • Message loss • Message modification • Message replay

  14. Secure Address Resolution Protocol • Use three mechanisms to counter adversary actions • timeouts to counter message loss • shared secrets to counter message modification • nonces to counter message replay

  15. Invite-Accept Protocol • Periodically, server s sends out an invt message to every computer on Ethernet • Every up computer is required to send back an acpt message including its IP address and hardware address • s updates its address database according to received acpt messages

  16. Invite-Accept Protocol s  h[0..n-1]: invt(nc, md) where md=MD(nc;scr[0])||MD(nc;scr[1])||…||MD(nc;scr[n-1]) h[i]  s: acpt(nc, ipa[i], hda[i], d) where d=MD(nc;ipa[i];hda[i];scr[i])

  17. Request-Reply Protocol • When a computer needs to resolve a destination’s hardware address, it sends a rqst message to server s • If destination’s hardware address is still valid, s sends back a rply message with address information • If destination’s hardware address is not valid anymore, s sends back a rply message with no address information

  18. Request-Reply Protocol h[i]  s: rqst(nc, ipa[j], d) where d=MD(nc;ipa[j];scr[i]) If found, s  h[i]: rply(nc, ipa[j], hda[j], d) where d=MD(nc;ipa[j];hda[j];scr[i]) If not found, s  h[i]: rply(nc, ipa[j], 0, d) where d=MD(nc;ipa[j];0;scr[i])

  19. Extensions • Four extensions of secure address resolution protocol • Insecure address resolution • Backup server • System diagnosis • Address resolution across multiple Ethernets

  20. Next Class • IPsec • Authentication Header (AH) • Encapsulation Security Payload (ESP) • key management

More Related