ShortMAC: Efficient Data-Plane Fault Localization (CMU-CyLab-11-007)

The rising demand for high-quality online services requires reliable packet delivery at the network layer. Data-plane fault localization is recognized as a promising means to this end, since it enables a source node to efficiently localize faulty links, find a fault-free path, and enforce contractual obligations among network nodes. Existing fault localization protocols cannot achieve a practical tradeoff between security and efficiency and they require unacceptably long detection delays, and require monitored flows to be impractically long-lived. In this paper, we propose an efficient fault localization protocol called ShortMAC which leverages probabilistic packet authentication and achieves 100 10000 times lower detection delay and overhead than related work. We theoretically derive a lower-bound guarantee on data-plane packet delivery in ShortMAC, implement a ShortMAC prototype, and evaluate its effectiveness on two platforms: SSFNet simulator and Linux/Click router. Our implementation and evaluation results show that ShortMAC causes negligible throughput and latency costs while retaining a high level of security.

[1]  Michael E. Kounavis,et al.  Encrypting the internet , 2010, SIGCOMM '10.

[2]  Xin Liu,et al.  NetFence: preventing internet denial of service from inside out , 2010, SIGCOMM '10.

[3]  Xin Zhang,et al.  Packet-dropping adversary identification for data plane security , 2008, CoNEXT '08.

[4]  David Wetherall,et al.  TVA: a DoS-limiting network architecture , 2008, TNET.

[5]  Stefan Savage,et al.  Fatih: detecting and isolating malicious routers , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[6]  Biswanath Mukherjee,et al.  Detecting disruptive routers: a distributed network monitoring approach , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[7]  Katerina J. Argyraki,et al.  Verifiable network-performance measurements , 2010, CoNEXT.

[8]  Paul Laskowski,et al.  Network monitors and contracting systems: competition and innovation , 2006, SIGCOMM 2006.

[9]  Jennifer Rexford,et al.  Don't Secure Routing Protocols, Secure Data Delivery , 2006, HotNets.

[10]  Ratul Mahajan,et al.  Sustaining cooperation in multi-hop wireless networks , 2005, NSDI.

[11]  Yih-Chun Hu,et al.  SPV: secure path vector routing for securing BGP , 2004, SIGCOMM 2004.

[12]  Xin Liu,et al.  Efficient and Secure Source Authentication with Packet Passports , 2006, SRUTI.

[13]  Nick Feamster,et al.  Accountable internet protocol (aip) , 2008, SIGCOMM '08.

[14]  Roberto Tamassia,et al.  Multicast authentication in fully adversarial networks , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[15]  Kevin J. Houle,et al.  Trends in Denial of Service Attack Technology , 2001 .

[16]  Tuomas Aura,et al.  Using conservation of flow as a security mechanism in network protocols , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[17]  Mary Baker,et al.  Mitigating routing misbehavior in mobile ad hoc networks , 2000, MobiCom '00.

[18]  Baruch Awerbuch,et al.  An on-demand secure routing protocol resilient to byzantine failures , 2002, WiSE '02.

[19]  David Wetherall,et al.  Source selectable path diversity via routing deflections , 2006, SIGCOMM 2006.

[20]  Hugo Krawczyk,et al.  Pseudorandom functions revisited: the cascade construction and its concrete security , 1996, Proceedings of 37th Conference on Foundations of Computer Science.

[21]  Santosh S. Vempala,et al.  Path splicing , 2008, SIGCOMM '08.

[22]  Bruce M. Maggs,et al.  R-BGP: Staying Connected in a Connected World , 2007, NSDI.

[23]  Jennifer Rexford,et al.  Stealth Probing: Efficient Data-Plane Security for IP Routing , 2006, USENIX Annual Technical Conference, General Track.

[24]  Simon S. Lam,et al.  Digital signatures for flows and multicasts , 1999, TNET.

[25]  Sandra L. Murphy,et al.  Digital signature protection of the OSPF routing protocol , 1996, Proceedings of Internet Society Symposium on Network and Distributed Systems Security.

[26]  Reza Curtmola,et al.  ODSBR: An on-demand secure Byzantine resilient routing protocol for wireless ad hoc networks , 2008, TSEC.

[27]  M.E. Hellman,et al.  Privacy and authentication: An introduction to cryptography , 1979, Proceedings of the IEEE.

[28]  Guiling Wang,et al.  Catching Packet Droppers and Modifiers in Wireless Sensor Networks , 2009, 2009 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks.

[29]  Brighten Godfrey,et al.  Pathlet routing , 2009, SIGCOMM '09.

[30]  Stephen T. Kent,et al.  Secure Border Gateway Protocol (S-BGP) - Real World Performance and Deployment Issues , 2000, NDSS.

[31]  Ted Krovetz,et al.  UMAC: Message Authentication Code using Universal Hashing , 2006, RFC.

[32]  EDDIE KOHLER,et al.  The click modular router , 2000, TOCS.

[33]  Hugo Krawczyk,et al.  HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[34]  Vidya Kadam,et al.  An Acknowledgement-Based Approach for the Detection of Routing Misbehaviour in MANETS , 2011 .

[35]  Daniel R. Simon,et al.  Secure traceroute to detect faulty or malicious routing , 2003, CCRV.

[36]  Rosario Gennaro,et al.  How to Sign Digital Streams , 1997, CRYPTO.

[37]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[38]  Michael Bailey,et al.  Shining Light on Dark Address Space , 2001 .

[39]  Michalis Faloutsos,et al.  Routing amid Colluding Attackers , 2007, 2007 IEEE International Conference on Network Protocols.

[40]  Dawn Song,et al.  The TESLA Broadcast Authentication Protocol , 2002 .

[41]  Katerina J. Argyraki,et al.  Loss and Delay Accountability for the Internet , 2007, 2007 IEEE International Conference on Network Protocols.

[42]  Sharon Goldberg,et al.  Protocols and Lower Bounds for Failure Localization in the Internet , 2008, EUROCRYPT.

[43]  Xin Liu,et al.  To filter or to authorize: network-layer DoS defense against multimillion-node botnets , 2008, SIGCOMM '08.

[44]  Jennifer Rexford,et al.  MIRO: multi-path interdomain routing , 2006, SIGCOMM 2006.

[45]  Hisashi Kobayashi,et al.  Highly secure and efficient routing , 2004, IEEE INFOCOM 2004.