RFL: Robust fault localization on unreliable communication channels

Abstract The current Internet is vulnerable to various attacks, e.g., source spoofing and flow hijacking, which are caused by misconfigurations or attacks. Neither users nor network operators can easily localize these faults. Existing fault localization mechanisms can detect such attacks under the assumption that localization is performed over reliable communication channels. Unfortunately, this assumption does not always hold. The forwarding paths used for localization are not always reliable, and packets are commonly dropped for a variety of reasons. In particular, adversaries can interfere with fault localization by maliciously dropping packets. In this paper, we relax the assumption and propose RFL, a robust data-plane fault localization protocol that can localize faults and achieve source authenticity and path compliance even if communication channels in the network are not reliable. RFL samples and verifies packets in each network entity so that the packet source can efficiently localize packet forwarding faults by verifying the sampled packets. By leveraging packet acknowledgment, packet-sampling-based fault localization is not impacted by packet loss in the communication channels. In particular, RFL leverages a symmetric key distribution scheme to implement robust key distribution among different entities, which ensures that packet sources can always correctly refresh their keys to perform correct localization. Our security and theoretical analysis demonstrates the robustness of the RFL protocol. We implement the RFL prototype on Click routers. The experimental results with the prototype demonstrate that RFL achieves more than 99.5% localization accuracy while incurring only 10% throughput degradation.
