SLIDE 1

Using Off-Path and On-Path Signaling for Internet Security

Saikat Guha, Paul Francis

Cornell University

IETF 66 Off-path BoF

Guha and Francis Using Off-path and On-Path Signaling for Internet Security

SLIDE 2

Architecture

◮ Default-Off Data-Path

◮ Turned “on” after off-path negotiation

◮ Default-On Off-Path Signaling

◮ Rate-limited
◮ Mediated by intermediaries
◮ Heavily Secured

◮ On-Path Signaling

◮ Coupled Off-Path negotiation with Data-Path

SLIDE 3

Network Elements

[Diagram: policy.cornell.edu, Cornell CS, alice@cornell.edu, policy.cs.cornell.edu, Internet]

SLIDE 4

Discover P-Box

[Diagram: policy.cornell.edu, Cornell CS, alice@cornell.edu, policy.cs.cornell.edu]

SLIDE 5

Register Off-path

[Diagram: policy.cornell.edu, Cornell CS, alice@cornell.edu, policy.cs.cornell.edu]

REGISTER alice@cornell.edu
app = vncserver
location = office
...

SLIDE 6

Request Data-Path

[Diagram: policy.cornell.edu, Cornell CS, alice@cornell.edu, policy.cs.cornell.edu, bob@acme.com]

INVITE
To: alice@cornell.edu; app=vncserver
From: bob@acme.com; app=vncviewer

SLIDE 7

Data-Path with Keys

[Diagram: policy.cornell.edu, Cornell CS, alice@cornell.edu, policy.cs.cornell.edu, bob@acme.com]

OK 128.84.223.110:4111
Key-saikat: 123ABC
Key-cs: 456DEF
Key-cornell: 789012
Encryption: ssl

SLIDE 8

Authorized Data

[Diagram: policy.cornell.edu, Cornell CS, alice@cornell.edu, policy.cs.cornell.edu, bob@acme.com]

DATA <xyz>
Auth-saikat: (123ABC)
Auth-cs: (456DEF)
Auth-cornell: (789012)

SLIDE 9

Network Elements

Off-path

◮ Policy
◮ Presence
◮ Messaging

On-Path

◮ Firewall
◮ TURN Relay
◮ Auditor

[Diagram: policy.cornell.edu, Cornell CS, alice@cornell.edu, policy.cs.cornell.edu, Internet]

SLIDE 10

Discover P-Box

P-Box Discovery

◮ Static
◮ DHCP (at boot)
◮ Off-Path Query
◮ On-Path Query

[Diagram: policy.cornell.edu, Cornell CS, alice@cornell.edu, policy.cs.cornell.edu]

SLIDE 11

Register Off-path

Authenticate

◮ User, Domain
◮ Application
◮ Location

Mechanism

◮ Certificates
◮ Trusted Computing

[Diagram: policy.cornell.edu, Cornell CS, alice@cornell.edu, policy.cs.cornell.edu]

REGISTER alice@cornell.edu
app = vncserver
location = office
...

SLIDE 12

Request Data-Path

Request

◮ Authentication
◮ Off-Path DoS
◮ Off-Path MitM

[Diagram: policy.cornell.edu, Cornell CS, alice@cornell.edu, policy.cs.cornell.edu, bob@acme.com]

INVITE
To: alice@cornell.edu; app=vncserver
From: bob@acme.com; app=vncviewer

SLIDE 13

Data-Path with Keys

Response Token

◮ Contents

  ◮ IP:port
  ◮ Firewall Key
  ◮ # bytes
  ◮ Time valid

◮ Replay Attack

[Diagram: policy.cornell.edu, Cornell CS, alice@cornell.edu, policy.cs.cornell.edu, bob@acme.com]

OK 128.84.223.110:4111
Key-saikat: 123ABC
Key-cs: 456DEF
Key-cornell: 789012
Encryption: ssl

SLIDE 14

Authorized Data

On-Path Signaling

◮ Out-of-Band (NSIS)
◮ In-Band (framing)

[Diagram: policy.cornell.edu, Cornell CS, alice@cornell.edu, policy.cs.cornell.edu, bob@acme.com]

DATA <xyz>
Auth-saikat: (123ABC)
Auth-cs: (456DEF)
Auth-cornell: (789012)
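Slides 7, 8, 13 and 14 together describe the on-path side of the design: the OK response hands out one key per policy level, each DATA frame carries one Auth value per level, and the response token is limited by IP:port, a byte count and a validity time, with replay named as the risk to guard against. The following is an added example, not code from the slides or from the NUTSS project, that simulates a per-level firewall enforcing those checks on in-band frames. The slides do not define a token or auth format, so the HMAC-SHA256 construction, the per-token nonce, the per-frame sequence number, and all key and address values are assumptions of this example.

```python
"""Simulated on-path enforcement of a response token (added example; the
token/auth format is an assumption, not the NUTSS wire format)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed per-level keys, standing in for Key-saikat / Key-cs / Key-cornell
# from the OK response. Assumption: each key is a secret shared between the
# policy box and the on-path element at that level.
LEVEL_KEYS = {"saikat": b"123ABC", "cs": b"456DEF", "cornell": b"789012"}


@dataclass(frozen=True)
class Token:
    """Token fields listed on slide 13: IP:port, # bytes allowed, time valid.
    The nonce is an assumption of this example: it keys the firewall's
    per-token state (bytes remaining, last sequence number seen)."""
    ipport: str
    byte_budget: int
    expires_at: int
    nonce: str


def issue_token(ipport, byte_budget, ttl_s, now):
    """Policy-box side: mint a token for the negotiated data path."""
    return Token(ipport, byte_budget, now + ttl_s, secrets.token_hex(8))


def frame_auth(token, level, seq, payload):
    """Assumed construction: HMAC-SHA256, keyed with the level's key, over the
    token fields, the frame sequence number and a hash of the payload."""
    msg = "|".join([token.ipport, str(token.byte_budget), str(token.expires_at),
                    token.nonce, str(seq),
                    hashlib.sha256(payload).hexdigest()]).encode()
    return hmac.new(LEVEL_KEYS[level], msg, hashlib.sha256).hexdigest()


def make_frame(token, seq, payload):
    """Sender side: in-band frame with one Auth-<level> value per level (slide 8)."""
    return {"seq": seq, "payload": payload,
            "auth": {lvl: frame_auth(token, lvl, seq, payload) for lvl in LEVEL_KEYS}}


@dataclass
class Firewall:
    """On-path element for one policy level. Per-nonce state: bytes remaining
    and the highest sequence number accepted so far."""
    level: str
    budget: dict = field(default_factory=dict)
    last_seq: dict = field(default_factory=dict)

    def check(self, token, frame, now):
        expected = frame_auth(token, self.level, frame["seq"], frame["payload"])
        if not hmac.compare_digest(expected, frame["auth"].get(self.level, "")):
            return "bad-auth"          # forged, altered or missing auth for this level
        if now > token.expires_at:
            return "expired"           # "Time valid" check
        if frame["seq"] <= self.last_seq.get(token.nonce, -1):
            return "replay"            # this or an older seq already accepted under the token
        remaining = self.budget.get(token.nonce, token.byte_budget)
        if len(frame["payload"]) > remaining:
            return "budget-exhausted"  # "# bytes" check
        self.budget[token.nonce] = remaining - len(frame["payload"])
        self.last_seq[token.nonce] = frame["seq"]
        return "allow"


def demo():
    """Walk one token through the failure modes the slides name; returns the verdicts."""
    now = 1_000
    tok = issue_token("128.84.223.110:4111", byte_budget=10, ttl_s=60, now=now)
    fw = Firewall("cs")
    f1 = make_frame(tok, 1, b"hello")                      # 5 bytes, 5 left afterwards
    f2 = make_frame(tok, 2, b"world!!")                    # 7 bytes, more than remain
    results = [
        fw.check(tok, f1, now),                            # allow
        fw.check(tok, f1, now),                            # replay of seq 1
        fw.check(tok, f2, now),                            # budget-exhausted
        fw.check(tok, make_frame(tok, 3, b"ok"), now + 120),  # expired
    ]
    tampered = make_frame(tok, 3, b"ok")
    tampered["payload"] = b"OK"                            # payload altered after signing
    results.append(fw.check(tok, tampered, now))           # bad-auth
    return results


if __name__ == "__main__":
    print(demo())
```

Each firewall only needs its own level's key, so a frame passing the `cs` element can still be dropped at `cornell` if that Auth value is missing or wrong; the ordering of checks puts the cheap authenticity test first so that unauthenticated traffic never touches per-token state.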

SLIDE 15

Implementation

◮ P-Box: SER SIP Proxy, static policy rules
◮ P-Box Discovery: Static Configuration
◮ Registration: SIP REGISTER (with user authorization)
◮ Rendezvous: SIP INVITE (with SDP)
◮ Response: 200 OK (with SDP, local address, STUN addresses, TURN address and TURN server authorization key)
◮ Data-Path: In-band (framing inside TCP), TURN path must include authorization

Callflows at: nutss.net/bof/cf.txt
