Upload
rocio-core
View
225
Download
3
Tags:
Embed Size (px)
Citation preview
Cryptographically Protected Prefixesfor Location Privacy in IPv6
Jonathan Trostle, Hosei Matsuoka*,
Muhammad Mukarram Bin Tariq, James Kempf,
Toshiro Kawahara and Ravi Jain
DoCoMo Communications Laboratories USA, Inc.* Multimedia Laboratories, NTT DoCoMo, Inc.
Outline
Location Privacy Problem in IP networks Related Works Proposal of Cryptographically Protected Prefixes (CPP)
Simple Architecture (easily understandable) Secure Architecture
Security Considerations Implementation and Performance Measurements Conclusions
Location Privacy Problems in IP Networks
Prefix (es) Suffix
IP networks use prefix based routingIP networks use prefix based routing
All hosts in a subnet have same subnet
prefix
All hosts in a subnet have same subnet
prefix
Subnets often have
geographical correspondence
Subnets often have
geographical correspondence
IP address shows your
geographical location
IP address shows your
geographical location
IP address shows whom
you are together with
IP address shows whom
you are together with
Just as our postal addresses arehierarchically arranged with country, state, city, …, the IP addresses are also structured for routing efficiency.
Related Works
Network Layer Solutions Mobile IPv6 Hierarchical Mobile IPv6 (HMIPv6)
Application Layer (Overlay) Solutions Onion Routing Freedom Network Crowds, Tarzan, etc.
How do they provide Location Privacy
Mobile IP with Home AgentOverlay Approaches(Onion routing, Freedom)
Both approaches cannot provide communications with the optimal route between two endpoints
HAForeign Network
Home Network
Home Address Care-of-Address
This user does not know the correspondent’s care-of-address which shows the user’s actual location.
Internet Internet
Onion/FreedomOverlay Routers
Mobile IP with Route Optimization
Qualitative Comparison of Related Works
Degree of Location Privacy
Qua
lity
of
Ser
vice
Mobile IP Home Agent
App Overlay (Onion, Freedom)
Mobile IPv6 Route Optimization
HMIPv6
Desired Location Privacy, Comparable with today’s CS Telecom
No Additional Routing Delay
Subnet Level
Several Subnets
Visited Domain
Home Domain
Global
Optimal
Limited Triangular
Routing
Triangular
Huge Routing/ Performance
Overhead
Goal of our project
Design Policies of Our Approach (CPP)
Provide Location Privacy within a domain
Optimal Routing (No additional Routing Delay)It is important for some real-time applications.
Full Compatibility with other Internet Protocols (Mobile IP, IPsec, Diffserv, etc.)
No Single Point of Failure
Structure of IP address
Network Prefix
IPv4 Address
Host Suffix
32bits
IPv6 Address
Network Prefix Host Suffix
128bits
typically 64bits typically 64bits
Both IPv4 and IPv6 addresses have the similar structure consisting ofNetwork Prefix and Host Suffix,and the Network Prefix is related tothe geographical location.
Advantages of applying to IPv6 Large space of network prefix provides strong anonymity of the location. The fixed boundary between prefix and suffix can simplify the system.
Basic Concept
Replacing the actual prefix with a host-specific encrypted prefix
P`(R,i) Mi
P0 PR Mi
),(' ),( iRiR MKeyEncryptPP
),(' ),( iiRR MKeyEncryptPP
PrefixEncryption
PrefixDecryption
Routable IPv6 address
End-hosts use prefix-encrypted IPv6 address for their communications.
Routers obtain the routable IPv6 address through the decryption of theencrypted prefix. (Routers have the key for decryption.)
Prefix-encrypted IPv6 address
Routable IPv6 address
P0
P0 PR Mi
Simple Architecture (easily understandable)
Privacy Domain
Routers outside Privacy Domain look at the prefix P0 and route the packet to the privacy domain, there are no longer matches than P0 outside privacy domain
P0 P’(R,i) Mi
0
1
Routers inside Privacy Domain decrypt the secondary prefix P`(R, i) to find the actual routing prefix and route the packet accordingly until the packet reaches the desired destination
2
3
4
5
Routers inside Privacy Domain share the secret key and obtain the routable prefix prior to routing table searches.
P0 P’(R,i) Mi
P0 P’(R,i) MiP0 P’(R,i) Mi
P0 P’(R,i) Mi
P0 P’(R,i) Mi
PR
PR
PR
PR
What changes in the Routers
Pre
Processin
g
Destination Address
Packet
Longest Prefix Match
Prefix Of Destination
DestinationRoute
Packet
Disp
atcher
Extract
Prefix
Packet
Destination Address
Packet
Prefix ofDestination
DestinationRoute
Packet
Dispatche
r
Decrypt Packet
Key
Conventional Routers
Longest Prefix Match
Pre
Processing
Small change, can be implemented in hardware
for acceleration
Routers Modifiedfor Location Privacy
There is no change in conventional routing protocols (RIP, OSPF, etc.)
Secure Architecture
R1
R7
R8
R2
R3
R5 R6
R4
Host
Router
Border GatewayRouters are assigned levels based on their “hop-count” from the border router.
Routers are assigned levels based on their “hop-count” from the border router.
Level 1
Level 2
Level 3
Level 4
Routers at different level use different key and decrypt different part of prefix which is necessary and sufficient for routing table searches.
Routers at different level use different key and decrypt different part of prefix which is necessary and sufficient for routing table searches.
A compromised router cannot get all user’s location.
Structure of IP addresses with CPP
M (the suffix)P0 V
P1 H(L1, M)P1 H(L1, M)
The Prefix consists of several small encrypted components – one corresponding to each level
Key version bit for key rotation
Common Prefix for Global Routing
Pk H(Ln, M) Pk H(Ln, M) Any router at level “k” can use its level key Lk to decrypt Pk and given P1,…Pk-1 from the upper level router with hop-by-hop option, it obtains routable prefix and forward packets correctly to next hop.
128 Bits
X1 X2 X3 …… Xn
H( ) is a encryption orhash function
Security Considerations Eavesdropping on the same link
Eavesdroppers can realize the location of the other hostson the same network link by snooping the traffic of the link. CPP should use some other techniques to prevent traffic analysis.
Guessing AttackAttackers use connection trials in various subnets and guess H(Li, M)using plain prefixes of the location where the response is received. Privacy Domain changes the secret key for some interval. CPP Extended Address (to be explained next)
ICMP packetsICMP packets from a router in the middle of the connectiongive the sender the hints of the receiver’s location. Router must not use the real source address for ICMP packets. No Traceroute
Guessing Attacks and CPP Extended Address
))0()2((2
1 2 xpsx s
Guessing AttacksAttackers try to obtain H(Li, Mv) for tracking the victim who has the suffix Mv,because once they obtain H(Li, Mv), they can easily track the victim.Reason behind this attack is that H(Li, Mv) is a constant value regardless of its location.
CPP Extended AddressUsing H(Li, <Mv, P1, … , Pi-1, Xi+1, … Xk>) instead of H(Li, Mv) provides more robust security against Guessing Attacks.
Probability that the adversary obtains the prefix components P1 … Pj of the victim’s address is
where
},...,max{ 21 jpppp
j
iip
1
)1(
012
2)( xaxaxax )1/()2(),1/()23(),1/(1 120212 ppxpxxppxxpx
,s is the number of subnets searched
with
Implementation
input queue output queue
ip6intr
ip6_input ip6_forward ip6_output
nd6_output
TransportProtocol
Network Interfaces
routingtable
decrypt & lookup
FreeBSD 4.8 Kernel Structure
start ofmeasure
end ofmeasure
Modified ip6_input() function
Time measurement ofone packet forwarding
Cryptographic Functions used:
AES, SHA-1
Performance Results
Type of Router Unmodified Using SHA-1 Using AES
One Packet Forwarding Time 6 micro sec 11 micro sec 9 micro sec
Packet Rate 166,666 pps 90,909 pps 111, 111 pps
Data Rate
(1Kbyte per packet)
1300 Mbps 727 Mbps 888 Mbps
Software Router Specification:OS: FreeBSD 4.8CPU: 1GHzMemory: 512MB
Conclusions
CPP alleviates IPv6 location privacy problem
Traditional Approaches
Routing Overhead
Stateful and Per-packet processing
CPP
No state, Good Performance
No Routing Overhead
Full Compatibility with otherInternet protocols
Require Small Changes in Routers
Poor Compatibility with otherInternet protocols
Rekey (Backup slides)
Timeline
Key(A) Key(A)
Key(B) Key(B)
Key(A)rekey
rekey
rekey
Scambledaddress (A)
Scambledaddress (B)
Scambledaddress (A)
Scambledaddress (B)
Scambledaddress (A)
Advertised Addresses (encrypted with the newer key)
more thanprefix lifetime
more thanprefix lifetime
more thanprefix lifetime
Routers change the key(A) and the key(B) alternately, and encrypt prefixes with the newer key. The duration from finishing changing the key to startingchanging the other key must be more then the lifetime of prefixes.
rekey is long enough to rekey on all routers even if it is done manually.
Implementation (backup slide)P0(48 bits) Q(16 bits) M(64 bits)
128 bits input message adding zero-padding of 64 bits to M
router’s secret key(128 bits)
128 bits output message
offset targetprefix
Exclusive-ORprefix componentsof higher routers
hop-by-hopoption
concatenation
real prefix componentsneeded for routing table searches
AES or SHA-1(block cipher or Hash)
Inter-domain Extension (Backup slide)
Domain B Domain A
Domain C
Europe USA
Asia
P0 prefix: 2001:1234::AS number: 2
P0 prefix: 2001:1234::AS number: 1
P0 prefix: 2001:1234::AS number: 3
Prefix: 2001:1234AS number: 2
BGP messagePrefix: 2001:1234
AS number: 1
BGP message
Prefix: 2001:1234AS number: 3
BGP message
All domains use the same P0 (2001:1234:). P0 does not reveal the user’s domain. All domains use the different global AS numbers.
Given the multiple BGP messages of the same set of destinations, the one with the highest degree of preference is selected.
Packets destined to P0 would be delivered to the nearest CPP domain
Inter-Domain Extension (Backup slide)
),( MikeyHX1
Domain B Domain A
Domain C
Europe USA
Asia
shows which domain the host(i) resides in.
tunneling
host(i)
Nearestborder gateway
P0 X1 X2 X3 X4 M (Host Suffix)
P1 P2 P3 P4
CPP address
Domestic traffic isalways optimal route
International traffic isslightly triangle route
A little more about CPP (Backup slide)
For optimal routing, the suffix is computed such that any router can determine if it is a cross over router
We use it for optimal routing, but can also be used for other techniques. How do we do this
Each router R in Privacy Domain has a unique key KR
M is chosen for subnet of router “r” such that:
H(KR, M) equals ZERO if R C
H(KR, M) not equals ZERO if R C
Where C is set of all cross over routers for router “r”
Fine Detail: No two cross over routers can have same level,
if they are directly connected
“r”
R1
R2
R3
R4
Set of all cross over routers: ={R1, R2, R3, R4}
R5
R6
R7R8
R9