D2FL: Design and Implementation of Distributed Dynamic Fault Localization

Compromised or misconfigured routers have been a major concern in large-scale networks. Such routers sabotage packet delivery, and thus hurt network performance. Data-plane fault localization (FL) promises to solve this problem. Regrettably, the path-based FL fails to support dynamic routing, and the neighbor-based FL requires a centralized trusted administrative controller (AC) or global clock synchronization in each router and introduces storage overhead for caching packets. To address these problems, we introduce a dynamic distributed and low-cost model, D 2 FL. Using random two-hop neighborhood authentication, D 2 FL supports volatile path without the AC or global clock synchronization. Besides, D 2 FL requires only constant tens of KB for caching which is independent of the packet transmission rate. This is much less than the cache size of DynaFL or DFL which consumes several MB. The simulations show that D 2 FL achieves low false positive and false negative rate with no more than 3 percent bandwidth overhead. We also implement an open source prototype and evaluate its effect. The result shows that the performance burden in user space is less than 10 percent with the dynamic sampling algorithm.

[1]  Stefan Savage,et al.  Fatih: detecting and isolating malicious routers , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[2]  Sheng Zhong,et al.  Sprite: a simple, cheat-proof, credit-based system for mobile ad-hoc networks , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[3]  Neeraj Suri,et al.  Event Pattern Discovery on IDS Traces of Cloud Services , 2014, 2014 IEEE Fourth International Conference on Big Data and Cloud Computing.

[4]  Michael E. Kounavis,et al.  Encrypting the internet , 2010, SIGCOMM '10.

[5]  William Yurcik,et al.  A survey of PKI components and scalability issues , 2006, 2006 IEEE International Performance Computing and Communications Conference.

[6]  J. Rexford,et al.  A distributed reputation approach to cooperative Internet routing protection , 2005, 1st IEEE ICNP Workshop on Secure Network Protocols, 2005. (NPSec)..

[7]  Biswanath Mukherjee,et al.  Detecting disruptive routers: a distributed network monitoring approach , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[8]  Nick McKeown,et al.  I Know What Your Packet Did Last Hop: Using Packet Histories to Troubleshoot Networks , 2014, NSDI.

[9]  Yih-Chun Hu,et al.  Lightweight source authentication and path validation , 2014, SIGCOMM.

[10]  Ítalo S. Cunha,et al.  LIFEGUARD: practical repair of persistent route failures , 2012, SIGCOMM '12.

[11]  Athanasios V. Vasilakos,et al.  DFL: Secure and Practical Fault Localization for Datacenter Networks , 2014, IEEE/ACM Transactions on Networking.

[12]  Amin Vahdat,et al.  PortLand: a scalable fault-tolerant layer 2 data center network fabric , 2009, SIGCOMM '09.

[13]  Xin Zhang,et al.  Network fault localization with small TCB , 2011, 2011 19th IEEE International Conference on Network Protocols.

[14]  Vidya Kadam,et al.  An Acknowledgement-Based Approach for the Detection of Routing Misbehaviour in MANETS , 2011 .

[15]  Martin Nilsson,et al.  Investigating the energy consumption of a wireless network interface in an ad hoc networking environment , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[16]  Junda Liu,et al.  Ensuring connectivity via data plane mechanisms , 2013, NSDI 2013.

[17]  Adrian Perrig,et al.  Seven cardinal properties of sensor network broadcast authentication , 2006, SASN '06.

[18]  Xin Zhang,et al.  Packet-dropping adversary identification for data plane security , 2008, CoNEXT '08.

[19]  Xin Zhang,et al.  Secure and Scalable Fault Localization under Dynamic Traffic Patterns , 2012, 2012 IEEE Symposium on Security and Privacy.

[20]  William T. Polk,et al.  Bridge Certification Authorities : Connecting B 2 B Public Key Infrastructures , 2000 .

[21]  Kevin J. Houle,et al.  Trends in Denial of Service Attack Technology , 2001 .

[22]  Aditya Akella,et al.  Demystifying configuration challenges and trade-offs in network-based ISP services , 2011, SIGCOMM.

[23]  Hisashi Kobayashi,et al.  Highly secure and efficient routing , 2004, IEEE INFOCOM 2004.

[24]  Ted Krovetz,et al.  UMAC: Message Authentication Code using Universal Hashing , 2006, RFC.

[25]  Tuomas Aura,et al.  Using conservation of flow as a security mechanism in network protocols , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[26]  Xin Liu,et al.  Efficient and Secure Source Authentication with Packet Passports , 2006, SRUTI.

[27]  Ethan L. Miller,et al.  An experimental analysis of cryptographic overhead in performance-critical systems , 1999, MASCOTS '99. Proceedings of the Seventh International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems.

[28]  Katerina J. Argyraki,et al.  Loss and Delay Accountability for the Internet , 2007, 2007 IEEE International Conference on Network Protocols.

[29]  Sharon Goldberg,et al.  Protocols and Lower Bounds for Failure Localization in the Internet , 2008, EUROCRYPT.

[30]  Carlisle M. Adams,et al.  X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP , 1999, RFC.

[31]  Ratul Mahajan,et al.  Measuring ISP topologies with Rocketfuel , 2004, IEEE/ACM Transactions on Networking.

[32]  S. Savage,et al.  Report on Dimacs * Workshop on Large-scale Internet Attacks , .

[33]  William Kozma,et al.  Dealing with Liars: Misbehavior Identification via Rényi-Ulam Games , 2009, SecureComm.

[34]  Eddie Kohler,et al.  The Click modular router , 1999, SOSP.

[35]  Ratul Mahajan,et al.  Understanding BGP misconfiguration , 2002, SIGCOMM '02.

[36]  Hugo Krawczyk,et al.  UMAC: Fast and Secure Message Authentication , 1999, CRYPTO.

[37]  David A. Cooper A more efficient use of delta-CRLs , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[38]  Richard Nicholas,et al.  Internet X.509 Public Key Infrastructure: Certification Path Building , 2005, RFC.

[39]  Reza Curtmola,et al.  ODSBR: An on-demand secure Byzantine resilient routing protocol for wireless ad hoc networks , 2008, TSEC.

[40]  Baruch Awerbuch,et al.  An on-demand secure routing protocol resilient to byzantine failures , 2002, WiSE '02.

[41]  Avishai Wool,et al.  A quantitative study of firewall configuration errors , 2004, Computer.

[42]  Ratul Mahajan,et al.  Sustaining cooperation in multi-hop wireless networks , 2005, NSDI.

[43]  Song Guo,et al.  Byzantine-Resilient Secure Software-Defined Networks with Multiple Controllers in Cloud , 2014, IEEE Transactions on Cloud Computing.

[44]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[45]  Carlisle Adams,et al.  A General, Flexible Approach to Certificate Revocation , 1998 .

[46]  Yngve N. Pettersen The Transport Layer Security (TLS) Multiple Certificate Status Request Extension , 2013, RFC.

[47]  Mary Baker,et al.  Mitigating routing misbehavior in mobile ad hoc networks , 2000, MobiCom '00.

[48]  Stephen T. Kent,et al.  Secure Border Gateway Protocol (S-BGP) , 2000, IEEE Journal on Selected Areas in Communications.

[49]  Gail-Joon Ahn,et al.  Detecting and Resolving Firewall Policy Anomalies , 2012, IEEE Transactions on Dependable and Secure Computing.

[50]  Jean-Yves Le Boudec,et al.  Performance analysis of the CONFIDANT protocol , 2002, MobiHoc '02.

[51]  Judith A. Furlong,et al.  Public Key Infrastructure Study , 1994 .

[52]  Levente Buttyán,et al.  Enforcing service availability in mobile ad-hoc WANs , 2000, MobiHoc.