Transcript of the slide deck "Scalable and Resilient Auto-Configuration of Virtual Private Networks" (38 slides)

Page 1:

Scalable and Resilient Auto-Configuration of Virtual Private Networks

Michael Roßberg, Fachgebiet Telematik/Rechnernetze, Technische Universität Ilmenau

Page 2:

Overview

•  Configuration of VPN infrastructures
•  Objectives of auto-configuration
•  Existing approaches & systems
•  "Our" SOLID system
   –  Problems & basic approach
   –  Resilient topologies
   –  Achieved goals & properties
•  Résumé & outlook

Page 3:

Constructing global VPN infrastructures

•  Security gateways connect internal networks over untrustworthy networks
•  Usually IPsec or SSL
•  Private IP address ranges
•  Nested networks
•  Multiple networks per gateway
•  Multiple gateways per network
•  Cycles in the network
⇢ High complexity

[Figure: example infrastructure of private networks (10.1.0.0/16, 10.2.0.0/24 through 10.2.5.0/24, 172.16.0.0/16 and 172.16.1.0/16 as labeled on the slide) interconnected over the Internet]

Page 4:

Problems with the configuration of large VPNs (I)

•  Usually infrastructures are configured statically & manually
   ⇢ Problems with scalability
      –  Required labor increases
      –  Susceptibility to errors increases
   ⇢ Problems with agility
      –  No direct connections between mobile users
      –  No reaction to failures and attacks

Page 5:

Problems with the configuration of large VPNs (II)

Page 6:

Objectives of automatic VPN configuration

•  Self-configuration
•  Support for
   –  Nested networks
   –  Private IP address ranges
•  Scalability & agility
•  Confidentiality, integrity & authentication
•  DoS-resistance / resilience
•  ...
⇢ Development of a number of very different approaches

Page 7:

Example 1: Tunnel Endpoint Discovery (TED)

•  Reactive search for IPsec gateways by IKE messages carrying the destination address of the target client
•  Disadvantages
   –  Requires public IP addresses for all clients
   –  No nested networks
   –  Covert channel to arbitrary hosts possible
   –  Addresses not attested

[Figure: a black (transport) network connecting Red Net 1 and Red Net 2]

Page 8:

Example 2: Group Encrypted Transport VPN (GET)

•  Central servers distribute symmetric keys
•  All IPsec gateways use the same security association (incl. traffic keys)
•  Among others:
   –  No protection against internal attackers
   –  No Perfect Forward Secrecy
   –  Availability hard to guarantee

[Figure: private networks attached to a public transport network, with a central key server and a backup key server]

[RoSc09] Rossberg, Michael; Schaefer, Guenter: Ciscos Group Encrypted Transport VPN – Eine kritische Analyse (Cisco's Group Encrypted Transport VPN – A Critical Analysis), DACH Security, 2009

Page 9:

Example 3: Dynamic Multipoint VPN (DMVPN)

•  VPNs consist of "hubs" and "spokes"
•  OSPF routing between static hubs
•  Dynamic spokes contact a pre-configured hub
•  Additionally "spoke-to-spoke" connections
•  Problems:
   –  Configuration overhead
   –  Internal attackers
   –  Fixed hubs critical for DoS-resistance

[Figure: several private networks connected via hubs and spokes]

Page 10:

Related work

[RoSc11] Rossberg, Michael; Schaefer, Guenter: A Survey on Automatic Configuration of Virtual Private Networks, Computer Networks, June 2011

Approaches compared in the survey (column numbers used in the table below, grouped by topology as on the slide):

Centralized topology
   1  Easy VPN
   2  Group Encrypted Transport (GET)
   3  Hamachi2
Decentralized topology
   4  Key distribution via DNSSEC
   5  Wippien
   6  Social VPN
   7  N2N
   8  DMVPN
Distributed topology
   9  Opportunistic Encryption
  10  Cryptographically Generated Addresses
  11  Tunnel Endpoint Discovery
  12  Security Policy Protocol
  13  Proactive Multicast IPSEC Discovery Protocol
  14  WASTE
  15  P2PVPN
  16  tinc
  17  CloudVPN

Row groups on the slide: general properties, functional objectives, non-functional objectives, security (confidentiality, availability). Cell symbols (+, Ø, -, ?, NA) are reproduced as on the slide.

Criterion                          1    2    3    4    5    6    7    8    9   10   11   12   13   14   15   16   17
Protocol layer of VPN              3    3    4    3    4    4    4    3    3    3    3    3    3    7    4    4    4
Protocol layer of forwarded data   3    3    3    3    3    3    2    3    3    3    3    3    3    4    3    2/3  2/3
Simple config.                     Ø    Ø    +    +    +    +    Ø    -    +    +    Ø    Ø    Ø    +    +    -    Ø
Gateway function                   n    n    1    0    0    0    n    n    0    0    n    n    n    0    0    n    0
Private addresses                  + - + - + + + - - - - + + + + +   (only 16 values are legible on the slide)
Nesting                            -    -    -    -    -    1    1    1/n  -    -    -    -    -    -    n    n    n
Uni-/multicast                     u    u    u/m  u    u    u    u    u    u    u    u    u    m    u    u    u    u
NAT traversal                      Ø    -    +    -    +    +    Ø    Ø    -    -    -    -    -    -    Ø    +    Ø
Robustness                         -    -    -    -    -    +    +    Ø    Ø    Ø    Ø    Ø    Ø    Ø    +    Ø    Ø
Scalability                        -    +    Ø    +    Ø    +    -    Ø    +    +    +    +    Ø    -    -    -    -
Efficiency                         +    +    Ø    +    Ø    +    +    +    +    +    +    +    -    -    -    -    -
E2E protection                     -    -    +    +    +    +    +    -    -    Ø    +    +    +    -    -    -    -
PFS                                +    -    +    +    -    +    -    +    +    +    +    +    +    -    -    -    +
Covert-channel resistance          +    -    +    NA   NA   NA   +    +    NA   NA   Ø    Ø    +    NA   NA   +    +
Infrastructure hiding              -    -    -    -    -    +    -    Ø    NA   NA   Ø    Ø    -    +    Ø    +    +
Entity authentication              +    -    ?    +    -    +    -    Ø    -    Ø    +    +    Ø    Ø    -    +    Ø
Data integrity/authentication      Ø    -    ?    +    ?    +    -    Ø    +    +    +    +    +    -    -    Ø    Ø
Static access control              +    +    +    -    +    +    Ø    +    -    -    +    +    +    Ø    Ø    +    +
Dynamic access control             +    -    -    -    -    +    -    Ø    -    -    +    +    -    +    -    -    -
DoS-resistance                     -    -    Ø    -    -    Ø    -    Ø    +    +    +    +    -    Ø    Ø    Ø    Ø
Graceful degradation               -    -    -    +    +    +    -    -    +    +    +    +    -    -    -    Ø    -
DoS-recovery                       -    -    -    -    -    -    -    -    +    Ø    -    -    -    +    +    -    Ø

•  Survey of 17 approaches
•  All tailored for a special scenario
•  Many weaken security
•  None address
   –  Nested tunnels
   –  DoS-resistance
   –  Internal attackers

Page 11:

Secure OverLay for IPsec Discovery (SOLID)

Derived research questions:
•  How can a scalable and robust VPN be constructed automatically?
•  How can we construct efficient VPN structures with as few associations as possible?
•  How can topology knowledge be kept local?
•  How can security challenges like internal attackers be countered?
•  How can DoS-resistance be achieved?

Page 12:

Main approach

•  Routing by a structured overlay network
•  Gateways ordered by internal addresses
•  Gateways may be inserted multiple times
•  Routing information is held within the topology
⇢ Combination of routing and dynamic topology control

[Figure: Private Networks 1 to 9 (1: 10.2.0.0/24, 2: 10.1.0.0/16, 3: 10.2.1.0/24, 4: 10.2.2.0/24, 5: 172.16.0.0/16, 6: 172.16.1.0/16, 7: 10.2.3.0/24, 8: 10.2.4.0/24, 9: 10.2.5.0/24) arranged as an overlay]

[RSS10] Rossberg, Michael; Strufe, Thorsten; Schaefer, Guenter: Distributed Automatic Configuration of Complex IPsec-Infrastructures. Journal of Network and Systems Management, Volume 18, Issue 3, pp. 300-326, 2010

Page 13:

Ring topology

[Figure: gateways for 10.0.0.0/16, 10.3.0.0/16, 10.4.0.0/16, 10.5.0.0/16, 10.30.0.0/16 and 10.31.0.0/16 arranged in a ring ordered by address]

Guarantees discovery in O(n) steps

Page 14:

Embedding of the overlay structure

[Figure: Nets 1 to 9 attached to a public network, with the overlay ring drawn on top]

•  Embedding of the ring into the transport network
⇢ Efficient embedding with local knowledge?

Page 15:

Ring topology

[Figure: the ring of page 13, now also including 10.2.0.0/16]

Guarantees discovery in O(n) steps
•  Tunnels are indirect at first
•  Later optimization

Page 16:

Optimization of forwarding paths

•  Indirect connections will be optimized:
⇢ Optimal path in common transport networks
⇢ Only usage of local knowledge

[Figure: a private network reached across a public or private transit network]

Page 17:

Cross-connections (aka fingers)

Discovery in O(log n) steps
⇢ Scalable VPN with very few connections
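A toy model of the ring-plus-fingers discovery of pages 12 to 17, written here as an added example; it is not code from the talk or from the SOLID prototype. It assumes one ring entry per private prefix (so a gateway serving several networks is inserted several times), non-nested prefixes, fingers at ring distance 2^j, and a clockwise greedy forwarding rule; the class and function names and the sample prefixes are constructed.

```python
import ipaddress

SPACE = 2 ** 32   # IPv4 key space of the ring (keys are network addresses)

class Entry:
    """One ring entry: a private prefix and the gateway that serves it."""
    def __init__(self, prefix, gateway):
        self.net = ipaddress.ip_network(prefix)
        self.gateway = gateway
        self.key = int(self.net.network_address)
        self.successor = None
        self.fingers = []          # cross-connections to entries at +2^j

def ring_distance(a, b):
    """Clockwise distance from key a to key b on the ring."""
    return (b - a) % SPACE

def build_ring(prefixes, with_fingers):
    """Order entries by internal address; link successors and, optionally,
    fingers.  Every entry only ever knows this small neighbour table."""
    entries = sorted((Entry(p, gw) for p, gw in prefixes), key=lambda e: e.key)
    n = len(entries)
    for i, e in enumerate(entries):
        e.successor = entries[(i + 1) % n]
        if with_fingers:
            e.fingers = [entries[(i + 2 ** j) % n]
                         for j in range(1, n.bit_length()) if 2 ** j < n]
    return entries

def lookup(start, dst_ip):
    """Forward a discovery request hop by hop using only the current entry's
    neighbour table.  Returns (responsible entry or None, overlay hops)."""
    dst_addr = ipaddress.ip_address(dst_ip)
    dst, cur, hops = int(dst_addr), start, 0
    while dst_addr not in cur.net:
        remaining = ring_distance(cur.key, dst)
        # neighbours that move clockwise towards dst without passing it
        cands = [e for e in [cur.successor] + cur.fingers
                 if ring_distance(cur.key, e.key) <= remaining]
        if not cands:              # cur precedes dst: no entry serves dst
            return None, hops
        cur = min(cands, key=lambda e: ring_distance(e.key, dst))
        hops += 1
    return cur, hops

# Constructed sample: 16 /16 networks, two per gateway (gw0 .. gw7),
# so each gateway appears twice in the ring.
PREFIXES = [(f"10.{i}.0.0/16", f"gw{i // 2}") for i in range(16)]

if __name__ == "__main__":
    for fingers in (False, True):
        ring = build_ring(PREFIXES, with_fingers=fingers)
        entry, hops = lookup(ring[0], "10.15.3.4")
        print(f"fingers={fingers}: {entry.gateway} reached after {hops} hops")
```

On the 16-entry sample the plain ring needs 15 hops from the first entry to the last, the fingers bring it down to 4, and a destination no entry serves ends at its predecessor with None.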

Page 18:

Level of security

Does the dynamic construction of associations lead to new threats?
⇢ External attackers: always IPsec protection
⇢ Internal attackers: end-to-end security

[Figure: Source – Intermediate 1 – Intermediate 2 – Target]

Page 19:

Assessment of security against internal attackers

•  Only thing possible: the attacker does not optimize routes & initiates many security associations
   ⇢ Attacker controls more connections
   ⇢ Traffic flow analysis, grey- & blackhole attacks
•  However: the attack is difficult to coordinate & a general problem of today's routing algorithms
⇢ High resistance against internal attackers

Page 20:

DoS-resistance

[Figure: taxonomy of DoS attacks – resource destruction vs. resource exhaustion (CPU, memory, bandwidth, ?)]

•  No exposed instance
•  Fast repair process with possibility to re-route
•  Proactive planning of backup paths
•  VPN tunnels reduce the attack vector

Page 21:

Basic bandwidth-attacker model

[Figure: overlay nodes labeled with observation probabilities from 0.1 to 0.9; the observed node set is X, the observation probability of node v is p_v]

•  Attacker observes node set X
•  Attacks identified neighbors by bandwidth exhaustion
•  Possibly different probabilities of observation p_v

Page 22:

Planning attacks

•  Assumptions:
   –  Attackers know the topology
   –  Only network addresses are unknown
   –  Independent observations
•  Attacker may choose observation points:
   –  Randomly
   –  Greedily
   –  Optimally

Page 23:

Planning optimal attacks (I)

•  Optimal attack for a "budget" $P_{min}$:

$$D_{opt}(G, P_{min}) = \max\left\{ D_G(X) \;\middle|\; X \subseteq V,\ \sum_{x \in X} \log p_x \geq \log P_{min} \right\}$$

•  Vulnerability against optimal attackers:

$$E_{opt}(G) = \int_{P_{min}=0}^{1} D_{opt}(G, P_{min})\, dP_{min}$$

Page 24:

Planning optimal attacks (II)

[Plot: affected end-to-end connections [%] (0 to 100) over P(X) of attack (0.0 to 1.0); the area under the curve is labeled "Vulnerability", the area above it "Resistance"]

Page 25:

Planning optimal attacks (III)

•  Finding optimal attacks is NP-hard
   –  Reduction to Vertex Cover
   –  Without relying on different probabilities
•  But:
   –  May be approximated
   –  For smaller networks even solvable optimally
•  Used binary linear optimization, e.g., by branch-and-cut
•  Runtime heavily depends on graph structure
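The vulnerability metric of pages 21 to 25 evaluated by brute force on a small overlay, as an added worked example (not code from the talk or the SOLID project). The slides define $D_G(X)$ only through the plot, so this example assumes: attacking observation set $X$ knocks out every neighbour of $X$ (the identified neighbours, by bandwidth exhaustion), and $D_G(X)$ is the fraction of node pairs that can no longer reach each other over the remaining overlay; the sample ring and the probabilities $p_v$ are constructed. Enumerating every $X \subseteq V$ is the "smaller networks" case of the slide, not the branch-and-cut solver.

```python
from itertools import combinations
import math

def ring_graph(n, chords=()):
    """Undirected ring on nodes 0..n-1 as adjacency sets, plus optional
    cross-connections (fingers) given as (u, w) pairs."""
    adj = {v: {(v - 1) % n, (v + 1) % n} for v in range(n)}
    for u, w in chords:
        adj[u].add(w)
        adj[w].add(u)
    return adj

def affected_fraction(adj, attacked):
    """D_G(X) under the assumed model: fraction of unordered node pairs that
    can no longer reach each other once the `attacked` nodes are down."""
    comp, label = {}, 0
    for s in adj:
        if s in attacked or s in comp:
            continue
        comp[s], stack = label, [s]
        while stack:                       # flood-fill one surviving component
            u = stack.pop()
            for w in adj[u]:
                if w not in attacked and w not in comp:
                    comp[w] = label
                    stack.append(w)
        label += 1
    pairs = list(combinations(adj, 2))
    intact = sum(1 for u, w in pairs
                 if u in comp and w in comp and comp[u] == comp[w])
    return 1.0 - intact / len(pairs)

def attack_options(adj, p):
    """Every observation set X (exponential, small graphs only) as a pair
    (success probability prod p_x, D_G(X)); the attacked nodes are the
    neighbours the attacker identifies from X."""
    out = []
    for k in range(len(adj) + 1):
        for X in combinations(sorted(adj), k):
            attacked = set().union(*[adj[x] for x in X])
            out.append((math.prod(p[x] for x in X),
                        affected_fraction(adj, attacked)))
    return out

def d_opt(adj, p, p_min):
    """D_opt(G, P_min): the sum-of-logs budget of the slide is the same as
    requiring prod p_x >= P_min, so compare probabilities directly."""
    return max(d for prob, d in attack_options(adj, p) if prob >= p_min)

def e_opt(adj, p):
    """E_opt(G) = integral of D_opt(G, P_min) over P_min in [0, 1], computed
    exactly: D_opt is a non-increasing step function whose steps lie at the
    subsets' success probabilities, so sweep those from 1 downwards."""
    area, best, upper = 0.0, 0.0, 1.0
    for prob, d in sorted(attack_options(adj, p), reverse=True):
        area += best * (upper - prob)
        best, upper = max(best, d), prob
    return area + best * upper

if __name__ == "__main__":
    p = {v: 0.5 for v in range(5)}               # constructed: uniform p_v
    print("ring only   :", e_opt(ring_graph(5), p))
    print("ring+finger :", e_opt(ring_graph(5, [(0, 2)]), p))
```

On the constructed 5-node ring with uniform $p_v = 0.5$, one observed node already cuts 90 % of the end-to-end connections and $E_{opt}$ is 0.475; adding a single finger raises it to 0.5 under these assumptions, which is the kind of trade-off between lookup efficiency and exposure that the following slides address with topology design.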

Page 26:

Constructing resilient topologies

•  Optimal topologies ⇢ bi-level optimization problem
•  Operator: $\min_{x} \{\, \mathrm{attackGain}(x, y) + c \cdot \mathrm{costs}(x) \text{ for feasible topologies } x \,\}$
•  Attacker: $\max_{y} \{\, \mathrm{attackGain}(x(y), y) \text{ for feasible attacks } y \,\}$
•  Only solvable for very small instances
⇢ Heuristics & simple rules required

[RGS12] Rossberg, Michael; Girlich, Franz; Schaefer, Guenter: Analyzing and Improving the Resistance of Overlay-Networks against Bandwidth Exhaustion Attacks, RNDM 2012.

Page 27:

Availability zones

•  Arrange nodes in zones
•  Only neighboring zones may communicate
•  Reduces observability
⇢ Constrains external & internal DoS attacks
⇢ Requires support from the key exchange protocol

[BRS09] Brinkmeier, Michael; Rossberg, Michael; Schaefer, Guenter: Towards a Denial-of-Service Resilient Design of Complex IPsec Overlays, International Conference on Communications (ICC), 2009

Page 28:

Performance analysis of SOLID

Simulation | Prototype

Page 29:

Architecture of the prototype

[Figure: component diagram. Simulation side: OMNeT++, INET, simLib. Prototype side on the Linux kernel: netfilter/iptables (ipt_solid), XFRM (rtnetlink/ioctl, libnl), TUN and IPIP tunnel devices, UDP sockets; user space: Charon (strongSwan daemon, controlled via stroke/DBus), uDHCPd, libnet, init. Labeled functions: routing, IPsec monitoring, dynamic firewalling, packet reinjection of packets without an active SA, creation of CUG associations. Shared libraries: coreLib, posixLib, soLib.]

⇢ Same base system in simulator and prototype

[RSSM09] Rossberg, Michael; Steudel, Wolfgang; Schaefer, Guenter; Martius, Kai: Eine Software-Architektur zur Konstruktion flexibler IPsec-Infrastrukturen (A Software Architecture for the Construction of Flexible IPsec Infrastructures). 11. Deutscher IT-Sicherheitskongress, 2009

Page 30:

(Some) studied network topologies

[Figure: three node graphs – lab network, direct scenario (Internet), HOT graph (Internet/Intranet); node labels not reproduced]

Page 31:

Inserting a new node

[Plots: simulation vs. lab experiment]

⇢ Reuse of the same base system makes the simulation results highly meaningful

Page 32:

Efficiency of fingers (I)

Direct scenario
•  Comparison between sample-based fingers and SkipGraphs
•  Efficiency of SkipGraphs asymptotically equal
•  But sample-based is better, as it is more exact

$$\text{Search Efficiency} = \frac{\text{Ø overlay hops with random fingers}}{\text{Ø overlay hops with network under test}}$$

(Ø denotes the average.)

Page 33:

Efficiency of fingers (II)

HOT graph
•  Comparison nested vs. direct scenario:
   –  Sample-based a little bit worse
   –  SkipGraphs way worse
•  Main cause: samples allow a more flexible selection of targets
⇢ Much more efficient, especially in nested scenarios

Page 34:

Overlay path lengths

•  HOT router topology with cycles
⇢ Optimization algorithms might find only local minima
•  Despite this extreme assumption:
   –  Average influence barely measurable with significance
   –  Worst case: sub-linear increase

Page 35:

Increase of DoS-resistance

•  Direct scenario
•  50 nodes, p_v uniform in (0,1)
•  Monotone zone distribution by probability
•  24h observation
⇢ Despite the strong attacker a significant increase

Page 36:

Résumé

•  Reached objectives
   –  Scalable & robust construction of VPN overlays using local knowledge
   –  Consideration of internal attackers
   –  Increased DoS-resistance
   –  Evaluation in complex scenarios
•  "Only" needs to be adapted

Page 37:

Outlook

•  Further development of the prototype
   –  Optimizations
   –  Stabilization
   –  Scalable cluster operation
•  Management aspects
•  DoS-resistant micro- and macro-structures
•  Two BMBF projects:
   –  Mobility aspects
   –  Further DoS-resistance

Page 38:

Thanks for listening!

Michael Roßberg, Technische Universität Ilmenau
