Network Layer Security
Outline
• IPsec
• Security in Routing
• DDoS at Network Layer and IP Traceback
• IPv6 Security
Network Layer: IP Security Overview
RFC 1636, “Security in the Internet Architecture”, issued in 1994 by the Internet Architecture Board (IAB), identifies key areas for security mechanisms:
• Need to secure the network infrastructure from unauthorized monitoring and control of network traffic
• Need to secure end-user-to-end-user traffic using authentication and encryption mechanisms
The IAB included authentication and encryption as necessary security features in next-generation IP (IPv6)
• The IPsec specification now exists as a set of Internet standards
Applications of IPsec
IPsec provides the capability to secure communications across a LAN, private and public WANs, and the Internet. Examples include:
• Secure branch office connectivity over the Internet
• Secure remote access over the Internet
• Establishing extranet and intranet connectivity with partners
• Enhancing electronic commerce security
Principal feature of IPsec: it can encrypt and/or authenticate all traffic at the network (IP) level, so all distributed applications (remote logon, client/server, e-mail, file transfer, Web access) can be secured
IP Security Scenario
Benefits of IPsec
• When IPsec is implemented in a firewall or router, it provides strong security applicable to all traffic crossing the perimeter; traffic within the company/workgroup has no overhead from security-related processing
• IPsec in a firewall resists bypass if all outside traffic must use IP and the firewall is the only way Internet traffic enters the organization
• IPsec is below the transport layer (TCP, UDP) and so transparent to applications: no need to change software on a user or server system when IPsec is implemented in the firewall or router
• IPsec can be transparent to end users: no need to train users on security mechanisms, issue keys on a per-user basis, or revoke keys when users leave the organization
• IPsec can provide security for individual users if needed: useful for offsite workers and for setting up a secure virtual subnetwork within an organization for sensitive applications
Routing Applications
IPsec can play a vital role in the routing architecture required for internetworking. IPsec can assure that:
• A router advertisement comes from an authorized router
• A router seeking to establish or maintain a neighbor relationship with a router in another routing domain is an authorized router
• A redirect message comes from the router to which the initial IP packet was sent
• Routing updates are not forged
IPsec Documents
Architecture
• Covers the general concepts, security requirements, definitions, and mechanisms defining IPsec technology
• Current specification is RFC 4301, Security Architecture for the Internet Protocol
Authentication Header (AH)
• An extension header to provide message authentication
• The current specification is RFC 4302, IP Authentication Header
Encapsulating Security Payload (ESP)
• Consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication
• The current specification is RFC 4303, IP Encapsulating Security Payload (ESP)
Internet Key Exchange (IKE)
• A collection of documents describing the key management schemes for use with IPsec
• The main specification is RFC 5996, Internet Key Exchange (IKEv2) Protocol, but there are a number of related RFCs
Cryptographic algorithms
• This category encompasses a large set of documents that define and describe cryptographic algorithms for encryption, message authentication, pseudorandom functions (PRFs), and cryptographic key exchange
Other
• There are a variety of other IPsec-related RFCs, including those dealing with security policy and management information base (MIB) content
IPsec Services
IPsec provides network layer security services by enabling a system to:
• Select required security protocols
• Determine the algorithm(s) to use for the service(s)
• Establish the crypto keys required to provide the requested services
RFC 4301 lists the following services:
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets (a form of partial sequence integrity)
• Confidentiality (encryption)
• Limited traffic flow confidentiality
Transport and Tunnel Modes
Transport Mode
• Provides protection mostly for upper-layer protocols, e.g., TCP or UDP segment, ICMP packet
• Typically used for end-to-end communication between two hosts
• ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header
• AH in transport mode authenticates the IP payload and selected portions of the IP header
Tunnel Mode
• Provides protection to the entire IP packet
• Used when one or both ends of a security association (SA) are a security gateway
• A number of hosts on networks behind firewalls can communicate securely without implementing IPsec themselves
• ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header
• AH in tunnel mode authenticates the entire inner IP packet and selected portions of outer IP header
Tunnel Mode and Transport Mode Functionality
IPsec Architecture
Security Association (SA)
A one-way logical connection between sender and receiver that affords security services to the traffic carried on it
In any IP packet, the SA is uniquely identified by the Destination Address in the IPv4 or IPv6 header and the SPI in the enclosed extension header (AH or ESP)
Uniquely identified by three parameters:
Security Parameters Index (SPI)
• A 32-bit unsigned integer assigned to this SA with local significance only
IP Destination Address
• Address of the destination endpoint of the SA, which can be an end-user system or a network system, e.g., firewall or router
Security protocol identifier
• Indicates whether the association is an AH or ESP security association
Security Association Database (SAD)
Defines the parameters associated with each SA. An SA is normally defined by the following parameters in a SAD entry:
• Security parameter index
• Sequence number counter
• Sequence counter overflow
• Anti-replay window
• AH information
• ESP information
• Lifetime of this security association
• IPsec protocol mode
• Path MTU
Security Policy Database (SPD)
• The means by which IP traffic is related to specific SAs
• Contains entries, each of which defines a subset of IP traffic and points to an SA for that traffic
• In more complex environments, there may be multiple entries that potentially relate to one or more SAs associated with a single SPD entry
• Each SPD entry is defined by a set of IP and upper-layer protocol field values called selectors
• These are used to filter outgoing traffic in order to map it into a particular SA
SPD Entries
The following selectors determine an SPD entry:
Remote IP address
• This may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address
• The latter two are required to support more than one destination system sharing the same SA
Local IP address
• This may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address
• The latter two are required to support more than one source system sharing the same SA
Next layer protocol
• The IP protocol header includes a field that designates the protocol operating over IP
Name
• A user identifier from the operating system
• Not a field in the IP or upper-layer headers, but available if IPsec is running on the same operating system as the user
Local and remote ports
• These may be individual TCP or UDP port values, an enumerated list of ports, or a wildcard port
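The SA identifier, the SAD parameters and the SPD selectors from the last few slides fit together as two lookups, one outbound and one inbound. The following is an added example, not code from the slides or from Stallings' text; the class and function names (SAKey, SAEntry, SPDEntry, spd_lookup, sad_lookup) and the sample policy are this example's own. It models an ordered SPD where the first matching entry decides (and unmatched traffic is discarded, as RFC 4301 requires), a PROTECT entry whose wildcard remote selector lets every host behind a gateway share one tunnel-mode SA, and the receiver's SAD lookup by the (destination address, SPI, protocol) triple.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed model of the SA identifier, a SAD entry and an SPD entry (not the slides' code).


@dataclass(frozen=True)
class SAKey:
    """The triple that uniquely identifies an SA: destination address, SPI, protocol."""
    dst: str     # IP destination address of the SA endpoint (host or security gateway)
    spi: int     # 32-bit Security Parameters Index, meaningful only to the receiver
    proto: str   # "AH" or "ESP"


@dataclass
class SAEntry:
    """A few of the SAD parameters the slides list for each SA."""
    key: SAKey
    mode: str                   # "transport" or "tunnel"
    seq_counter: int = 0        # outbound sequence number counter
    anti_replay_window: int = 64
    lifetime_bytes: int = 0     # remaining byte lifetime (illustrative value)


@dataclass
class SPDEntry:
    """Selectors plus the action; PROTECT entries point at the SA to apply."""
    remote: Sequence[str]                   # CIDR networks; "0.0.0.0/0" is the wildcard
    local: Sequence[str]
    next_proto: Optional[int]               # IP protocol number, None = any
    local_ports: Optional[Sequence[int]]    # None = wildcard port
    remote_ports: Optional[Sequence[int]]
    action: str                             # "PROTECT", "BYPASS" or "DISCARD"
    sa: Optional[SAKey] = None


def _addr_match(nets: Sequence[str], addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n) for n in nets)


def _port_match(ports: Optional[Sequence[int]], port: Optional[int]) -> bool:
    return ports is None or port in ports


def spd_lookup(spd: Sequence[SPDEntry], pkt: dict) -> Tuple[str, Optional[SAKey]]:
    """Outbound processing: SPD entries are ordered and the first match decides.
    Traffic that matches no entry is discarded."""
    for e in spd:
        if (_addr_match(e.remote, pkt["dst"]) and _addr_match(e.local, pkt["src"])
                and (e.next_proto is None or e.next_proto == pkt["proto"])
                and _port_match(e.local_ports, pkt.get("sport"))
                and _port_match(e.remote_ports, pkt.get("dport"))):
            return e.action, e.sa
    return "DISCARD", None


def sad_lookup(sad: Sequence[SAEntry], dst: str, spi: int, proto: str) -> Optional[SAEntry]:
    """Inbound processing: the receiver finds the SA from the packet's destination
    address, the SPI in the AH/ESP header, and which of the two headers is present."""
    for e in sad:
        if e.key == SAKey(dst, spi, proto):
            return e
    return None


# Constructed sample policy: protect TCP 22/443 towards the 192.0.2.0/24 site through one
# tunnel-mode ESP SA ending at its gateway 192.0.2.1 (shared by every host behind it),
# let ICMP through unprotected, and drop everything else.
GATEWAY_SA = SAKey(dst="192.0.2.1", spi=0x1000, proto="ESP")
SPD = [
    SPDEntry(["192.0.2.0/24"], ["198.51.100.10/32"], 6, None, [22, 443], "PROTECT", GATEWAY_SA),
    SPDEntry(["0.0.0.0/0"], ["198.51.100.10/32"], 1, None, None, "BYPASS"),
    SPDEntry(["0.0.0.0/0"], ["0.0.0.0/0"], None, None, None, "DISCARD"),
]
SAD = [SAEntry(key=GATEWAY_SA, mode="tunnel", lifetime_bytes=10_000_000)]

if __name__ == "__main__":
    ssh = {"src": "198.51.100.10", "dst": "192.0.2.55", "proto": 6, "sport": 40000, "dport": 22}
    print(spd_lookup(SPD, ssh))                          # ('PROTECT', SAKey(...))
    print(sad_lookup(SAD, "192.0.2.1", 0x1000, "ESP"))   # the tunnel-mode SAEntry
```

The DISCARD entry at the end is the important design choice: an SPD is a deny-by-default policy, and an administrator who forgets the catch-all gets the same result from the lookup's fallthrough. Note also that the SA's destination (the gateway) differs from the packet's destination (a host behind it), which is exactly why tunnel-mode SAs use address ranges as selectors.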
Host SPD Example
Processing Model for IP Packets
Processing Model for Inbound IP Packets
ESP Format
Encapsulating Security Payload (ESP)
• Used to encrypt the Payload Data, Padding, Pad Length, and Next Header fields
• If the algorithm requires cryptographic synchronization data, then these data may be carried explicitly at the beginning of the Payload Data field
• An optional ICV field is present only if the integrity service is selected and is provided by either a separate integrity algorithm or a combined mode algorithm that uses an ICV
• The ICV is computed after the encryption is performed; this order of processing facilitates reducing the impact of DoS attacks
• Because the ICV is not protected by encryption, a keyed integrity algorithm must be employed to compute the ICV
• The Padding field serves several purposes:
– If an encryption algorithm requires the plaintext to be a multiple of some number of bytes, the Padding field is used to expand the plaintext to the required length
– Used to assure alignment of the Pad Length and Next Header fields
– Additional padding may be added to provide partial traffic-flow confidentiality by concealing the actual length of the payload
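The ESP layout and the encrypt-then-ICV order are easier to see built by hand. The following is an added example, not code from the slides, from Stallings' text or from any IPsec implementation. It assumes a 16-byte cipher block (so Padding brings the plaintext to a multiple of 16), uses a stand-in keystream derived from HMAC-SHA256 in counter mode in place of a real cipher so that it runs with the Python standard library alone, and truncates HMAC-SHA256 to 128 bits for the ICV in the manner of HMAC-SHA-256-128 (RFC 4868). The function names (esp_encapsulate, esp_icv_valid, esp_decapsulate), the keys and the payload are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed illustration of the ESP packet layout and processing order (not the
# slides' code). The cipher below is a stand-in keystream, not a real IPsec cipher.

BLOCK = 16                       # assumed cipher block size that Padding must align to
ICV_LEN = 16                     # 128-bit truncated HMAC, as in HMAC-SHA-256-128
ESP_HDR = struct.Struct(">II")   # SPI, Sequence Number


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in for the negotiated cipher: HMAC-SHA256 run in counter mode over the IV."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(enc_key, auth_key, spi, seq, payload, next_header, extra_pad=0, iv=None):
    """Return SPI | Seq | IV | Enc(Payload | Padding | Pad Length | Next Header) | ICV.
    extra_pad (a multiple of BLOCK) adds padding beyond what alignment needs, which
    hides the true payload length (partial traffic-flow confidentiality)."""
    if extra_pad % BLOCK:
        raise ValueError("extra padding must keep block alignment")
    pad_len = (-(len(payload) + 2) % BLOCK) + extra_pad   # +2 for Pad Length and Next Header
    if pad_len > 255:
        raise ValueError("Pad Length is a single byte")
    padding = bytes(range(1, pad_len + 1))                 # RFC 4303 default pad bytes 1, 2, 3, ...
    plaintext = payload + padding + bytes([pad_len, next_header])
    iv = iv if iv is not None else os.urandom(BLOCK)       # synchronization data, sent in clear
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    header = ESP_HDR.pack(spi, seq)
    # The ICV is computed last, over header, IV and ciphertext (encrypt-then-MAC); the ICV
    # itself is not encrypted, hence the keyed integrity algorithm.
    icv = hmac.new(auth_key, header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + iv + ciphertext + icv


def esp_icv_valid(auth_key: bytes, packet: bytes) -> bool:
    """Integrity check done before any decryption: a forged or corrupted packet costs
    one MAC computation and is then dropped, which limits the DoS impact."""
    if len(packet) < ESP_HDR.size + BLOCK + ICV_LEN:
        return False
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def esp_decapsulate(enc_key, auth_key, packet):
    """Verify, decrypt and strip the trailer; returns (spi, seq, next_header, payload)."""
    if not esp_icv_valid(auth_key, packet):
        raise ValueError("ICV check failed; packet discarded")
    body = packet[:-ICV_LEN]
    spi, seq = ESP_HDR.unpack(body[:ESP_HDR.size])
    iv = body[ESP_HDR.size:ESP_HDR.size + BLOCK]
    ciphertext = body[ESP_HDR.size + BLOCK:]
    plaintext = _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + 2 > len(plaintext) or plaintext[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return spi, seq, next_header, plaintext[:-2 - pad_len]


# Constructed keys for a stand-alone run.
ENC_KEY = b"\x11" * 32
AUTH_KEY = b"\x22" * 32

if __name__ == "__main__":
    pkt = esp_encapsulate(ENC_KEY, AUTH_KEY, 0x1000, 1, b"GET / HTTP/1.0\r\n", 6)
    print(len(pkt), esp_decapsulate(ENC_KEY, AUTH_KEY, pkt))
```

A 16-byte payload needs 14 bytes of Padding to leave room for Pad Length and Next Header inside a 32-byte plaintext; passing extra_pad=16 grows the packet by a full block while the recovered payload is unchanged, which is the traffic-flow confidentiality trick the slide mentions. Flipping any ciphertext bit makes esp_icv_valid fail before decryption is attempted.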
Anti-Replay Mechanism
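The anti-replay service (the "Sequence number counter" and "Anti-replay window" parameters of the SAD entry) works as a sliding window at the receiver. The following is an added example, not code from the slides or from an IPsec implementation; the class and function names (AntiReplayWindow, check, accept, run_sequence) are this example's own. The semantics follow RFC 4303 section 3.4.3: the receiver remembers the highest sequence number accepted so far (the right edge of the window) plus a bitmap of which numbers below it have been seen; anything to the right advances the window, anything inside it is accepted once, anything that has fallen off the left edge is dropped. The window is 64 wide by default and must be at least 32.

```python
# Constructed example of the ESP/AH anti-replay sliding window (not the slides' code).


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("window must be at least 32")
        self.size = size
        self.right = 0          # highest sequence number accepted; 0 = nothing yet
        self.bitmap = 0         # bit i set  <=>  sequence number (right - i) was accepted

    def check(self, seq: int) -> str:
        """Classify a sequence number without updating state."""
        if seq == 0:
            return "invalid"                # the first packet on an SA carries sequence number 1
        if seq > self.right:
            return "new"                    # right of the window: will advance it
        diff = self.right - seq
        if diff >= self.size:
            return "too-old"                # fell off the left edge: discarded
        return "replay" if self.bitmap & (1 << diff) else "new"

    def accept(self, seq: int) -> bool:
        """Call only after the packet's ICV has verified; returns whether it is accepted.
        Updating before the ICV check would let forged packets move the window."""
        if self.check(seq) != "new":
            return False
        mask = (1 << self.size) - 1
        if seq > self.right:
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & mask   # slide, mark the new right edge
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)               # late but inside the window
        return True


def run_sequence(seqs, size=64):
    """Feed a list of sequence numbers through one window; returns the verdict for each."""
    w = AntiReplayWindow(size)
    verdicts = []
    for s in seqs:
        verdicts.append(w.check(s))
        w.accept(s)
    return verdicts


if __name__ == "__main__":
    # Constructed arrival order: in order, reordered, a replay, then a large jump forward.
    print(run_sequence([1, 2, 5, 3, 4, 3, 200, 137, 136, 0]))
```

The reordering case (5 arriving before 3 and 4) is why a window rather than a strict counter is used: IP may deliver out of order, and a strict "greater than last" rule would drop legitimate packets. The jump to 200 shows the cost of the window: 137 is still inside (200 - 137 = 63 < 64) but 136 is not, so a genuinely late packet that far behind is indistinguishable from a replay and is dropped.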
Transport Mode vs. Tunnel Mode
ESP Encryption and Authentication
ESP Protocol Operation
Combining Security Associations
• An individual SA can implement either the AH or ESP protocol but not both
• Security association bundle: refers to a sequence of SAs through which traffic must be processed to provide a desired set of IPsec services
• The SAs in a bundle may terminate at different endpoints or at the same endpoint
• SAs may be combined into bundles in two ways:
Transport adjacency
• Refers to applying more than one security protocol to the same IP packet without invoking tunneling
• This approach allows for only one level of combination
Iterated tunneling
• Refers to the application of multiple layers of security protocols effected through IP tunneling
• This approach allows for multiple levels of nesting
ESP with Authentication Option
In this approach, the user first applies ESP to the data to be protected and then appends the authentication data field. In both cases authentication applies to the ciphertext rather than the plaintext.
Transport mode ESP
• Authentication and encryption apply to the IP payload delivered to the host, but the IP header is not protected
Tunnel mode ESP
• Authentication applies to the entire IP packet delivered to the outer IP destination address, and authentication is performed at that destination
• The entire inner IP packet is protected by the privacy mechanism for delivery to the inner IP destination
Transport Adjacency
• Another way to apply authentication after encryption is to use two bundled transport SAs, with the inner being an ESP SA and the outer being an AH SA
• In this case ESP is used without its authentication option: encryption is applied to the IP payload, then AH is applied in transport mode
• Advantage of this approach is that the authentication covers more fields
• Disadvantage is the overhead of two SAs versus one SA
Transport-Tunnel Bundle
The use of authentication prior to encryption might be preferable for several reasons:
• It is impossible for anyone to intercept the message and alter the authentication data without detection
• It may be desirable to store the authentication information with the message at the destination for later reference
One approach is to use a bundle consisting of an inner AH transport SA and an outer ESP tunnel SA:
• Authentication is applied to the IP payload plus the IP header
• The resulting IP packet is then processed in tunnel mode by ESP
• The result is that the entire authenticated inner packet is encrypted and a new outer IP header is added
Combinations of Security Associations
Internet Key Exchange
The key management portion of IPsec involves the determination and distribution of secret keys. A typical requirement is four keys for communication between two applications:
• Transmit and receive pairs for both integrity and confidentiality
The IPsec Architecture document mandates support for two types of key management:
Manual
• A system administrator manually configures each system with its own keys and with the keys of other communicating systems
• This is practical for small, relatively static environments
Automated
• Enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration
ISAKMP/Oakley
The default automated key management protocol of IPsec. Consists of:
Oakley Key Determination Protocol
• A key exchange protocol based on the Diffie-Hellman algorithm but providing added security
• Generic in that it does not dictate specific formats
Internet Security Association and Key Management Protocol (ISAKMP)
• Provides a framework for Internet key management and provides the specific protocol support, including formats, for negotiation of security attributes
• Consists of a set of message types that enable the use of a variety of key exchange algorithms
Features of IKE Key Determination
The algorithm is characterized by 5 important features:
1. It employs a mechanism known as cookies to thwart clogging attacks
2. It enables the two parties to negotiate a group; this, in essence, specifies the global parameters of the Diffie-Hellman key exchange
3. It uses nonces to ensure against replay attacks
4. It enables the exchange of Diffie-Hellman public key values
5. It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks
IKEv2 Exchanges
IKE Formats
IKE Payload Types
Cryptographic Suites for IPsec
Summary: IPsec
• IP security overview: applications of IPsec, benefits of IPsec, routing applications, IPsec documents, IPsec services, transport and tunnel modes
• IP security policy: security associations, security association database, security policy database, IP traffic processing
• Encapsulating security payload: ESP format, encryption and authentication algorithms, padding, anti-replay service, transport and tunnel modes
• Combining security associations: authentication plus confidentiality, basic combinations of security associations
• Internet key exchange: key determination protocol, header and payload formats
• Cryptographic suites
Routing in the Internet
• The global Internet consists of Autonomous Systems (AS) interconnected with each other:
– Stub AS: small corporation
– Multihomed AS: large corporation (no transit)
– Transit AS: provider
• Two-level routing:
– Intra-AS: administrator is responsible for the choice: RIP, OSPF
– Inter-AS: unique standard: BGP
Internet AS Hierarchy
Figure (not reproduced): inter-AS border (exterior gateway) routers and intra-AS interior (gateway) routers
Intra-AS Routing
Also known as Interior Gateway Protocols (IGP). Most common IGPs:
• RIP: Routing Information Protocol (distance vector – Bellman-Ford algorithm)
• OSPF: Open Shortest Path First (link state – Dijkstra’s algorithm)
• IGRP: Interior Gateway Routing Protocol (Cisco proprietary) (distance vector)
Inter-AS routing
Why different Intra-AS, Inter-AS routing?
• Policy: Inter-AS: admin wants control over how its traffic is routed and who routes through its net. Intra-AS: single admin, so no policy decisions needed
• Scale: hierarchical routing saves table size, reduced update traffic
• Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance
Routing Security Issues
Security attacks can come from:
• Misconfigured routers
• IP packet handling bugs
• SNMP “community” strings
• Weak passwords, poor encryption
• DoS from malformed packets
However, these attacks are well-known; defense measures can defend against them
Routing Protocol Attacks
• Intra-AS routing attacks: RIP attack, OSPF attacks
• Inter-AS routing attacks: BGP
Intra-AS: RIPv1 Overview
• Routing decisions based on number of hops
• Works only within an AS
• Supports only 15 hops ⟹ unsuited for large networks
• RIPv1 communicates only its own information
• Has no authentication
• Can’t carry subnet mask, so applies default subnet mask
Intra-AS: RIPv2 Overview
• Can communicate other router information
• Supports authentication up to a 16-character password
• Can carry subnet information
• But authentication is provided in clear text…
Intra-AS: RIP Attack
• Identify RIP router via nmap scan: nmap -v -sU -p 520
• Determine routing table: if you are on the same physical segment, sniff it; remotely: run rprobe, sniff
• Add route using srip to redirect traffic to your system
Intra-AS: Safeguards (RIP Attack)
• Disable RIP, use OSPF: security is better
• Restrict TCP/UDP port 520 packets at border router
Intra-AS: OSPF Attack
• OSPF: dynamic link-state routing protocol
• Keeps a map of the entire network, chooses the shortest path
• Updates neighbors using LSA messages
• “Hello” packets generated every 10 s, sent to 224.0.0.5
• Uses protocol type 89
Intra-AS: OSPF Attack
• Identify target: scan for proto 89
• NCSU: JiNao project identified 4 OSPF attacks: Max Age attack, Sequence++ attack, Max Sequence attack, Bogus LSA attack
• Attack tool: nemiss-ospf (hard to use?)
Intra-AS: Safeguards: OSPF Attack
• Do not use dynamic routing on hosts wherever not required
• Implement MD5 authentication: you need to deal with key expiration, changeover and coordination across routers
Inter-AS: BGP Overview
• Allows inter-domain routing between two ASs
• Guarantees loop-free exchange
• Only routing protocol which works on TCP (port 179)
• Routing information is exchanged after connection establishment
Inter-AS: BGP Attacks
• Large network backbones pay special attention to security, so medium-size networks are easier targets
• Packet injection vulnerabilities: very dangerous
• If we identify BGP routers, they have weaknesses similar to TCP: SYN flood attacks, sequence number prediction, DoS
• Possible advertisement of bad routes
DDoS Attacks at Network Layer
• What is a DDoS attack?
• How do we defend against a DDoS attack?
What is a DDoS attack?
Internet DDoS attack is a real threat
• On websites: Yahoo, CNN, Amazon, eBay, etc. (Feb. 2000); services were unavailable for several hours
• On Internet infrastructure: 13 root DNS servers (Oct. 2002); 7 were shut down, 2 others partially unavailable
Lack of defense mechanisms on the current Internet
What is a DDoS Attack?
Denial-of-Service (DoS) attacks:
• Attempt to prevent legitimate users of a service from using it
Examples of DoS attacks include:
• Flooding a network
• Disrupting connections between machines
• Disrupting a service
Distributed Denial-of-Service (DDoS) attacks:
• Many machines are involved in the attack against one or more victim(s)
What Makes DDoS Attacks Possible?
• Internet was designed with functionality, not security, in mind
• Internet security is highly interdependent
• Internet resources are limited
• Power of many greater than power of a few
Addressing DDoS attacks
Ingress filtering
• P. Ferguson and D. Senie, RFC 2267, Jan 1998
• Block packets that have illegitimate source addresses
• Disadvantage: overhead makes routing slow
Identification of origin (traceback problem)
• IP spoofing enables attackers to hide their identity
• Many IP traceback techniques have been suggested
Mitigating the effect during the attack
• Pushback
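Ingress filtering as described in RFC 2267 is a per-interface check: a packet is forwarded only if its source address belongs to a prefix the provider has assigned to the interface it arrived on. The following is an added example, not code from the slides or from the RFC; the interface names, prefixes, sample packets and function names (ingress_permit, apply_ingress_filter) are constructed for it. It also keeps a drop counter per interface, since a sudden rise in ingress drops on a customer port is a cheap indicator that spoofed traffic is being sourced there.

```python
import ipaddress
from collections import Counter

# Constructed example of source-address ingress filtering (RFC 2267 / BCP 38) at a
# customer-facing router; not the slides' code. Interface names and prefixes are made up.

# Which source prefixes may legitimately arrive on each customer-facing interface.
INGRESS_PREFIXES = {
    "eth1": ["192.0.2.0/24"],                       # customer A
    "eth2": ["198.51.100.0/24", "203.0.113.0/25"],  # customer B, two prefixes
}


def ingress_permit(table, iface, src):
    """True if src lies inside a prefix assigned to the interface the packet arrived on.
    An interface with no policy fails closed."""
    nets = table.get(iface)
    if nets is None:
        return False
    a = ipaddress.ip_address(src)
    return any(a in ipaddress.ip_network(n) for n in nets)


def apply_ingress_filter(table, packets):
    """packets: (iface, src, dst) triples. Returns (forwarded, drops_per_interface)."""
    forwarded = []
    dropped = Counter()
    for iface, src, dst in packets:
        if ingress_permit(table, iface, src):
            forwarded.append((iface, src, dst))
        else:
            dropped[iface] += 1      # a spike here is a cheap spoofing indicator
    return forwarded, dropped


# Constructed sample: genuine customer traffic plus packets with forged sources.
SAMPLE = [
    ("eth1", "192.0.2.10", "203.0.113.200"),
    ("eth1", "10.0.0.1", "203.0.113.200"),        # private source, cannot be customer A
    ("eth1", "198.51.100.5", "203.0.113.200"),    # customer B's address arriving on A's port
    ("eth2", "198.51.100.5", "203.0.113.200"),
    ("eth2", "203.0.113.77", "203.0.113.200"),
    ("eth2", "203.0.113.200", "203.0.113.200"),   # outside the /25 assigned to B
    ("eth9", "192.0.2.10", "203.0.113.200"),      # interface with no policy: fail closed
]

if __name__ == "__main__":
    fwd, drops = apply_ingress_filter(INGRESS_PREFIXES, SAMPLE)
    print(len(fwd), dict(drops))   # 3 {'eth1': 2, 'eth2': 1, 'eth9': 1}
```

The limitation the slide alludes to is visible in the sample: a customer A host can still forge any address inside 192.0.2.0/24 and pass the check, so ingress filtering narrows spoofing to the attacker's own prefix rather than eliminating it, which is where traceback picks up.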
IP Traceback
• Allows the victim to identify the attackers’ origin
• Several approaches:
– ICMP trace messages
– Probabilistic Packet Marking (PPM)*
– Hash-based IP traceback
– …
*S. Savage, D. Wetherall, A. Karlin, and T. Anderson, “Practical Network Support for IP Traceback”, Proc. SIGCOMM 2000.
PPM (1)
PPM scheme:
• Probabilistically inscribe local path information
• Use constant space in the packet header
• Reconstruct the attack path with high probability
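The three bullets above describe the edge-sampling variant of PPM from Savage et al. (SIGCOMM 2000). The following is an added simulation, not code from the slides or from the paper; the names (Mark, router_mark, send_packets, reconstruct_path, mark_coverage), the router labels and the packet counts are this example's own. Each packet carries a constant-size mark (start router, end router, distance); a router overwrites it with probability p, otherwise completes an edge begun by its upstream neighbour and increments the distance. The victim groups the sampled edges by distance and walks outward from itself. Real routers squeeze the mark into IP header bits; here it is a small object, and the attacker is assumed to send packets with blank marks.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed simulation of edge-sampling Probabilistic Packet Marking (not the slides' code).


@dataclass
class Mark:
    start: Optional[str] = None   # router that last decided to mark
    end: Optional[str] = None     # next router downstream of start (None = the victim)
    distance: int = 0             # hops between start and the victim


def router_mark(mark: Mark, router: str, p: float, rng: random.Random) -> None:
    """What one router does to each packet it forwards."""
    if rng.random() < p:
        mark.start, mark.end, mark.distance = router, None, 0   # begin a fresh edge
    else:
        if mark.distance == 0:
            mark.end = router                                   # complete the edge begun upstream
        mark.distance += 1    # every router increments, so a forged mark ends with distance >= path length


def send_packets(path: List[str], n: int, p: float, seed: int = 0) -> List[Mark]:
    """path lists routers from the attacker side to the victim side."""
    rng = random.Random(seed)
    marks = []
    for _ in range(n):
        m = Mark()                      # blank mark from the attacker in this simulation
        for r in path:
            router_mark(m, r, p, rng)
        marks.append(m)
    return marks


def reconstruct_path(marks: List[Mark], victim: str = "V") -> List[str]:
    """Victim side: group sampled edges by distance and walk outward from itself."""
    edges: Dict[int, Set[Tuple[str, str]]] = {}
    for m in marks:
        if m.start is None:
            continue                    # never marked: carries no path information
        edges.setdefault(m.distance, set()).add((m.start, m.end or victim))
    path, current, d = [], victim, 0
    while d in edges:
        nxt = [s for (s, e) in edges[d] if e == current]
        if len(nxt) != 1:
            break                       # no edge, or several (e.g. several attackers): stop here
        current = nxt[0]
        path.append(current)
        d += 1
    return path                         # nearest router first


def mark_coverage(marks: List[Mark], path: List[str]) -> Dict[str, int]:
    """How many packets arrived carrying an edge that starts at each router."""
    counts = {r: 0 for r in path}
    for m in marks:
        if m.start in counts:
            counts[m.start] += 1
    return counts


if __name__ == "__main__":
    ATTACK_PATH = ["R1", "R2", "R3", "R4", "R5"]   # constructed: R1 next to the attacker, R5 next to V
    marks = send_packets(ATTACK_PATH, 3000, p=0.2, seed=1)
    print(reconstruct_path(marks))                 # ['R5', 'R4', 'R3', 'R2', 'R1']
    print(mark_coverage(marks, ATTACK_PATH))       # marks from distant routers survive least often
```

mark_coverage shows why "with high probability" needs many packets: a mark from the router d hops from the victim survives only if none of the d downstream routers overwrite it, probability p(1-p)^d, so the far end of the path is the last to be reconstructed. That is acceptable for a flood, which supplies thousands of packets, and is the reason PPM is pitched at DDoS rather than at low-volume attacks.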
PPM (2) to (5)
Figures (not reproduced): a victim V reached through routers R from an attacker and from a legitimate user, showing the marks accumulating along the path packet by packet
What is Pushback?
A mechanism that lets a router ask adjacent upstream routers to limit the traffic rate
How it works:
• A congested router asks other adjacent routers to limit the rate of traffic for that particular aggregate
• The router sends a pushback message
• Receiving routers propagate the pushback
IPv4 Security Limitations
• IP packets can be sniffed
• IP addresses can be spoofed
• IP connections can be hijacked
IPv6 Security Features
Two header extensions proposed for IPv6 security:
• Authentication Header (AH): ensures authenticity and integrity of the datagram
• Encrypted Security Payload (ESP): contains encrypted data
Security Associations (SAs) are used for senders and receivers to agree on security requirements, e.g., the cipher to be used
These are very similar to the respective IPsec concepts
IPv6 Limitations: Mandatory IPsec
IPv6 mandates IPsec support. Myth: “So IPv6 has improved security”
• IPsec already exists for IPv4
• There are problems with IPsec deployment as a general end-to-end security mechanism
• Deployment of IPsec (v6) has similar problems as those of IPsec (v4), so IPsec (v6) is not deployed as a general end-to-end security mechanism…
IPv6 Limitations: Address Space
128-bit IP address ⟹ ~10^38 possible IP addresses. Myth: “It is unfeasible to brute-force scan an IPv6 network for alive nodes, as the IPv6 address space is so large. Such a scan would take ages!”
[Malone, 2008] measured IPv6 address assignment patterns:
• For hosts: 50% autoconf, 20% IPv4-based, 10% Teredo (IPv6→IPv4 conversion), 8% “low-byte”
• For infrastructure: 70% “low-byte”, 5% IPv4-based
Most compromised systems are hosts, which makes brute-force scanning feasible (after compromise)
D. Malone, “Observations of IPv6 Addresses,” Proc. Passive and Active Measurement Conference (PAM), LNCS 4979, 2008.
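The patterns Malone counted are recognisable from the interface identifier (the low 64 bits) alone, which makes them easy to audit in one's own address plan: the predictable classes (low-byte, IPv4-based, EUI-64) are the ones a scanner can enumerate, while random or privacy identifiers are not. The following is an added classifier, not code from the slides or from Malone's paper; the decision rules are heuristics chosen for this example (the exact definitions in the paper may differ), and the function names (classify, pattern_summary) and the address inventory are constructed. It uses the documentation prefix 2001:db8::/32 and the Teredo prefix 2001::/32.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable

# Constructed classifier for IPv6 interface-identifier (IID) patterns; heuristics chosen
# for this example, not the slides' or the paper's code.

TEREDO = ipaddress.ip_network("2001::/32")


def classify(addr: str) -> str:
    a = ipaddress.IPv6Address(addr)
    if a in TEREDO:
        return "teredo"                        # tunnelled IPv4 host; IID encodes the IPv4 endpoint
    iid = a.packed[8:]                         # low 64 bits
    if iid[3:5] == b"\xff\xfe":
        return "autoconf-eui64"                # modified EUI-64 built from a MAC address
    if iid[:6] == bytes(6):
        return "low-byte"                      # ::1, ::2, ... typical of manually numbered gear
    if iid[:4] == bytes(4):
        return "ipv4-based"                    # IPv4 address copied into the low 32 bits
    groups = [int(g, 16) for g in a.exploded.split(":")[4:]]
    if all(format(g, "x").isdigit() and int(format(g, "x")) <= 255 for g in groups):
        return "ipv4-based"                    # decimal-digit embedding such as ::192:0:2:1
    return "other"                             # random / privacy / hand-picked identifiers


def pattern_summary(addrs: Iterable[str]) -> Dict[str, int]:
    """Counts per pattern; everything except 'other' is cheap for a scanner to enumerate."""
    return dict(Counter(classify(a) for a in addrs))


# Constructed inventory (documentation prefix 2001:db8::/32 plus one Teredo address).
INVENTORY = [
    "2001:db8::1", "2001:db8::2", "2001:db8:0:1::1",                    # routers, low-byte
    "2001:db8::c000:201", "2001:db8::192:0:2:1",                        # IPv4-based, two embeddings
    "2001:db8::211:22ff:fe33:4455",                                     # EUI-64 autoconf
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",                             # Teredo
    "2001:db8::a1b2:c3d4:e5f6:718", "2001:db8::9f3a:1c2e:77b4:d20f",    # privacy / random
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(f"{a:40} {classify(a)}")
    print(pattern_summary(INVENTORY))
```

Run over a real address inventory, a high share of low-byte and IPv4-based identifiers on infrastructure is the slide's "70% low-byte" finding reproduced locally, and is the argument for numbering management interfaces less predictably where the operational cost allows.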
IPv6 Limitations: Autoconfiguration and Address Resolution
• Based on Neighbor Discovery (ND) messages in ICMPv6
• Stateless autoconfiguration is more powerful than its IPv4 counterpart… but also provides more potential vectors for attackers to exploit
• Less support in Layer 2 machines for mitigation of ND attacks
• Secure Neighbor Discovery (SEND) was specified for mitigating ND security threats, employing:
– Cryptographically Generated Addresses (CGAs)
– RSA signatures (RSA signature option)
– Certificates
• Not widely supported (e.g., in Windows XP/Vista/7)
IPv6 Conclusions
• IPv6 is in its infancy: few attack tools publicly available, many bugs to be discovered…
• IPv6 not widely supported in intrusion detection systems (yet)
• Much training is needed for IPv6 networks
Final Remarks
• IPsec provides network layer security (IPv4): authentication, encapsulation, crypto key setup
• Routing protocols (e.g., RIP) are prone to attacks
• DoS attacks are possible at the network layer; mitigation: ingress filtering, traceback, etc.
• IPv6 may offer better security (in theory); in practice, attacks can still occur
• Training and safeguards are needed for IPv6 networks
Acknowledgement
These slides are partially based on:
• W. Stallings, Network Security Essentials, Pearson, 2011, http://williamstallings.com/NetworkSecurity/NetSec5e-Instructor/ (Ch. 9)
• B. Rathore, “Router and Routing Protocol Attacks”, http://www.slideshare.net/vaceitunofist/router-and-routing-protocol-attacks
• F. Gont, “The Truth about IPv6 Security,” FutureNet 2010, http://www.gont.com.ar/talks/futurenet2010/fgont-futurenet2010-ipv6-security.ppt