A Flow-Based Approach to Datagram Security

A Flow-Based Approach to Datagram Security

A Flow-Based Approach to Datagram Security Suvo Mittra Thomas Y.C. Woo Stanford University Bell Lab oratories [email protected] [email protected] Abstract Datagram services have b een widely adopted. Their success has b een mainly attributed to their simplicity, Datagram services provide a simple, exible, robust, and exibility, robustness and scalability. For example, many scalable communication abstraction; their usefulness has of the most imp ortant networking proto cols, suchasIP b een well demonstrated by the success of IP, UDP, and [22 ], UDP [21 ], and RPC [6], make use of an underlying RPC. Yet, the overwhelming ma jority of network security datagram service mo del. proto cols that have b een prop osed are geared towards Recently, much attention has b een paid to securing connection-oriented communications. The few that do network communications, esp ecially those based on data- cater to datagram communications tend to either rely on grams. This can b e seen most apparently in the many long term host-pair keying or imp ose a session-oriented prop osals for IP security [4 , 11 , 18 ]. In addition, b oth (i.e., requiring connection setup) semantics. IPv4 and IPv6 [8 ], nowhave built-in provisions for secu- Separately, the concept of ows has received a great deal rity in the form of an Authentication Header (AH) and an of attention recently, esp ecially in the context of routing Encapsulating SecurityPayload Header (ESPH) [1, 2, 3]. and QoS. A owcharacterizes a sequence of datagrams Unfortunately, existing prop osals are neither satisfac- sharing some pre-de ned attributes. In this pap er, we tory nor completely address the problem of datagram advo cate the use of ows as a basis for structuring secure security. For example: datagram communications. We supp ort this by prop os- They tend to adopt a connection-based session mo del inganovel proto col for datagram security based on ows. for adding security. That is, they require extrane- Our proto col achieves zero-message keying, thus preserv- ous message exchange for setting up security as- ing the connectionless nature of datagram, and makes use so ciations and the creation of \hard" state for se- of soft state, thus providing the p er-packet pro cessing e- curity pro cessing in the two communicating prin- ciency of session-oriented schemes. Wehave implemented cipals. The key advantages of a connection-based an instantiation for IP in the 4.4BSD kernel, and we mo del are its well-de ned unit of protection based provide a description of our implementation along with on a connection, and the p ossible eciency gain p erformance results. from the use of \hard" state. We b elieve, however, that the sacri ce of datagram semantics (and its de- 1 Intro duction sirable features as a result) may b e to o exp ensivea price to pay. In addition, as we shall describ e, it is A datagram service is one in which self-contained mes- 1 not necessary for providing security. sages, or datagrams, are transmitted from one principal to another, and whereby each datagram is transmitted They fo cus only on sp eci c proto col layers, e.g., IP, and received atomically and indep endently, in isolation instead of presenting general solutions that apply of others. No prior setup is needed b etween the source across proto col layers or stacks. We b elieve that se- and destination principals, nor is there any required state curity solutions are subtle enough to get righteven maintained b etween the two. once, thus any solution that we design should be 1 We use the term principal here to avoid referring to a sp eci c consistently applicable across proto col layers. In proto col layer. In general, a principal can b e a host, a pro cess or a addition, there is a great deal of debate regarding user. The term principal is commonly used in security literature. the correct placement of security functions in a pro- App ears in Proceedings of the ACM SIGCOMM '97, Septemb er 14-18, 1997, Cannes, France. to col stack. A solution committed to any particular layer or stackmay b ecome obsolete b efore it ever c Copyright 1997 by the Asso ciation for Computing Machinery, Inc. Permission to make digital orhard copies of part or all of this work for p ersonal or classro om use is granted without fee provided that copies gains p opularity. are not made or distributed forpro t or direct commercial advantage and that copies b ear this notice and the full citation on the rst page. Copyrights for comp onents of this work owned by others than ACM must b e honored. Abstracting with credit is p ermitted. To copy otherwise, to republish, to p ost on servers, orto They concentrate mostly on sp eci c mechanisms redistribute to lists, requires prior sp eci c p ermission and/or a fee. Request p ermissions from Publications Dept., ACM Inc., fax +1 (212) 869-0481, or [email protected]. without reference to p olicy issues. Separation of mechanism and p olicy is go o d system practice; but 1 the design of certain mechanisms are heavily in- 2.1 Session-based Keying uenced by the typ es of p olicies that are to be Session-based keying takes many forms, some rely on a enforced. We b elieve it is critical to make explicit third party suchasakey distribution center (KDC) and and investigate the coupling b etween the two. others agree on a key b etween the two corresp onding prin- cipals. What is needed is a unifying abstraction that o ers In a KDC-based approach, b efore a source sends a a unit of protection and eciency similar to that of a datagram, it contacts the KDC to request a session key connection-based mo del, is meaningful across di erent and an authentication ticket. The ticket, encrypted with proto col layers, and is amenable to p olicy control. A par- the destination's secret key, allows the destination (and ticularly tting candidate for this is the notion of ows. only the destination) to authenticate and decrypt trans- Lo osely sp eaking, a ow is a sequence of datagrams missions from the source. To send a datagram, the source satisfying some pre-de ned attributes. It characterizes encrypts the payload with the session key and sends the communications that are b etween that of datagram and encrypted payload together with the ticket. The destina- connection. That is, a ow is neither datagram nor con- tion recovers the session key from the ticket, and uses it nection | it has the avor of b oth. to decrypt the payload. Proto cols that use this approach The ow notion can b e applied across di erent proto- include Kerb eros [25 ], Sun RPC [26 ] and DCE [24 ]. col layers. At the application layer, datagrams b elonging In session-based keying without a third party, a dy- to the same application \conversation" constitute a ow. namic key exchange is p erformed b etween the source and At the transp ort layer, datagrams in a connection can b e destination principals. This establishes a shared secret, considered a ow. which can be used to derive a session key. The ses- The b oundary of a ow is dynamically adjustable, by sion key is stored as part of the security asso ciation, and varying the set of attributes of interest. A p olicy can b e is used in securing ensuing communications. Proto cols used to sp ecify the set of attributes of interest and the supp orting this metho d include Oakley [18 ] and Photuris corresp onding security requirements. [11 ]. In this pap er, we prop ose a new proto col for datagram The key advantage of session-based keying is the p os- security, called the Flow-Based Security Proto col (FBS), sible eciency gain with explicit state setup, esp ecially based on the concept of ows. FBS makes use of zero- in case of long-lived communications. However, this is message keying and soft states. The former allows it to achieved at the exp ense of datagram semantics. maintain datagram semantics, while the latter makes its eciency comparable to a connection-based approach. FBS is not de ned for any sp eci c proto col layer. It 2.2 Host-Pair Keying assumes only the availability of an underlying (insecure) The basic idea b ehind host-pair keying is that each pair datagram transp ort. As an example of its application, of hosts have an implicit key, called the pair-based mas- wehave de ned a mapping to IP and implemented the ter key, that can be computed only by that host pair. mapping in the 4.4BSD kernel. The implicit key exists a priori, thus allowing a message The balance of this pap er is organized as follows. In encrypted using this key to be sent without arranging the next section, we give a brief overview of existing work. anything in advance. An immediate consequence of this In Section 3, we present the requirements and constraints is that proto cols based on host-pair keying supp ort data- for the design of our proto col. In Section 4, we elab orate gram semantics. That is, no extra message exchange is on the concept of the ow and its application to security. required to set up secure communication, nor is there a In Section 5, we describ e our prop osed FBS proto col. In need for hard state to b e maintained.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    14 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us