ShortMAC: Efficient Data-Plane Fault Localization

The rising demand for high-quality online services requires reliable packet delivery at the network layer. Data-plane fault localization is recognized as a promising means to this end, since it enables a source node to efficiently localize faulty links, find a fault-free path, and enforce contractual obligations among network nodes. Existing fault localization protocols cannot achieve a practical tradeoff between security and efficiency and they require unacceptably long detection delays, and require monitored flows to be impractically long-lived. In this paper, we propose an efficient fault localization protocol called ShortMAC which leverages probabilistic packet authentication and achieves 100 10000 times lower detection delay and overhead than related work. We theoretically derive a lower-bound guarantee on data-plane packet delivery in ShortMAC, implement a ShortMAC prototype, and evaluate its effectiveness on two platforms: SSFNet simulator and Linux/Click router. Our implementation and evaluation results show that ShortMAC causes negligible throughput and latency costs while retaining a high level of security.

[1]  Ted Krovetz,et al.  UMAC: Message Authentication Code using Universal Hashing , 2006, RFC.

[2]  Michael E. Kounavis,et al.  Encrypting the internet , 2010, SIGCOMM '10.

[3]  Michael Bailey,et al.  Shining Light on Dark Address Space , 2001 .

[4]  Xin Liu,et al.  NetFence: preventing internet denial of service from inside out , 2010, SIGCOMM '10.

[5]  Hugo Krawczyk,et al.  HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[6]  Tuomas Aura,et al.  Using conservation of flow as a security mechanism in network protocols , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[7]  Bruce M. Maggs,et al.  R-BGP: Staying Connected in a Connected World , 2007, NSDI.

[8]  Michalis Faloutsos,et al.  Routing amid Colluding Attackers , 2007, 2007 IEEE International Conference on Network Protocols.

[9]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[10]  Jennifer Rexford,et al.  Don't Secure Routing Protocols, Secure Data Delivery , 2006, HotNets.

[11]  Katerina J. Argyraki,et al.  Verifiable network-performance measurements , 2010, CoNEXT.

[12]  Yih-Chun Hu,et al.  SPV: secure path vector routing for securing BGP , 2004, SIGCOMM.

[13]  Brighten Godfrey,et al.  Pathlet routing , 2009, SIGCOMM '09.

[14]  Simon S. Lam,et al.  Digital signatures for flows and multicasts , 1998, Proceedings Sixth International Conference on Network Protocols (Cat. No.98TB100256).

[15]  Hugo Krawczyk,et al.  Pseudorandom functions revisited: the cascade construction and its concrete security , 1996, Proceedings of 37th Conference on Foundations of Computer Science.

[16]  Stephen T. Kent,et al.  Secure Border Gateway Protocol (S-BGP) - Real World Performance and Deployment Issues , 2000, NDSS.

[17]  Eddie Kohler,et al.  The Click modular router , 1999, SOSP.

[18]  Nick Feamster,et al.  Accountable internet protocol (aip) , 2008, SIGCOMM '08.

[19]  Jennifer Rexford,et al.  Stealth Probing: Efficient Data-Plane Security for IP Routing , 2006, USENIX Annual Technical Conference, General Track.

[20]  John C.-I. Chuang,et al.  Network monitors and contracting systems: competition and innovation , 2006, SIGCOMM.

[21]  Xin Zhang,et al.  SCION: Scalability, Control, and Isolation on Next-Generation Networks , 2011, 2011 IEEE Symposium on Security and Privacy.

[22]  Ratul Mahajan,et al.  Sustaining cooperation in multi-hop wireless networks , 2005, NSDI.

[23]  Xin Zhang,et al.  Network fault localization with small TCB , 2011, 2011 19th IEEE International Conference on Network Protocols.

[24]  Vidya Kadam,et al.  An Acknowledgement-Based Approach for the Detection of Routing Misbehaviour in MANETS , 2011 .

[25]  Daniel R. Simon,et al.  Secure traceroute to detect faulty or malicious routing , 2003, CCRV.

[26]  Dawn Song,et al.  The TESLA Broadcast Authentication Protocol , 2002 .

[27]  Kevin J. Houle,et al.  Trends in Denial of Service Attack Technology , 2001 .

[28]  Katerina J. Argyraki,et al.  Loss and Delay Accountability for the Internet , 2007, 2007 IEEE International Conference on Network Protocols.

[29]  Sharon Goldberg,et al.  Protocols and Lower Bounds for Failure Localization in the Internet , 2008, EUROCRYPT.

[30]  Baruch Awerbuch,et al.  An on-demand secure routing protocol resilient to byzantine failures , 2002, WiSE '02.

[31]  Mary Baker,et al.  Mitigating routing misbehavior in mobile ad hoc networks , 2000, MobiCom '00.

[32]  Xin Liu,et al.  Efficient and Secure Source Authentication with Packet Passports , 2006, SRUTI.

[33]  Xiaowei Yang,et al.  Source selectable path diversity via routing deflections , 2006, SIGCOMM.

[34]  Adrian Perrig,et al.  Seven cardinal properties of sensor network broadcast authentication , 2006, SASN '06.

[35]  Xin Zhang,et al.  Packet-dropping adversary identification for data plane security , 2008, CoNEXT '08.

[36]  Jennifer Rexford,et al.  MIRO: multi-path interdomain routing , 2006, SIGCOMM.

[37]  Dawn Xiaodong Song,et al.  SIFF: a stateless Internet flow filter to mitigate DDoS flooding attacks , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[38]  Reza Curtmola,et al.  ODSBR: An on-demand secure Byzantine resilient routing protocol for wireless ad hoc networks , 2008, TSEC.

[39]  Stefan Savage,et al.  Fatih: detecting and isolating malicious routers , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[40]  Biswanath Mukherjee,et al.  Detecting disruptive routers: a distributed network monitoring approach , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[41]  Adrian Perrig,et al.  Round-Efficient Broadcast Authentication Protocols for Fixed Topology Classes , 2010, 2010 IEEE Symposium on Security and Privacy.

[42]  Sandra L. Murphy,et al.  Digital signature protection of the OSPF routing protocol , 1996, Proceedings of Internet Society Symposium on Network and Distributed Systems Security.

[43]  Xiaowei Yang,et al.  TVA: A DoS-Limiting Network Architecture , 2008, IEEE/ACM Transactions on Networking.

[44]  Ying Zhang,et al.  Understanding network delay changes caused by routing events , 2007, SIGMETRICS '07.

[45]  Guiling Wang,et al.  Catching Packet Droppers and Modifiers in Wireless Sensor Networks , 2009, 2009 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks.

[46]  Xin Liu,et al.  To filter or to authorize: network-layer DoS defense against multimillion-node botnets , 2008, SIGCOMM '08.

[47]  Hisashi Kobayashi,et al.  Highly secure and efficient routing , 2004, IEEE INFOCOM 2004.

[48]  M.E. Hellman,et al.  Privacy and authentication: An introduction to cryptography , 1979, Proceedings of the IEEE.

[49]  Santosh S. Vempala,et al.  Path splicing , 2008, SIGCOMM '08.

[50]  Rosario Gennaro,et al.  How to Sign Digital Streams , 1997, Inf. Comput..

[51]  Radha Poovendran,et al.  The AES-CMAC Algorithm , 2006, RFC.

[52]  Roberto Tamassia,et al.  Multicast authentication in fully adversarial networks , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.