    An Accountability Architecture for the Internet

    In the current Internet, senders are not accountable for the packets they send. As a result, malicious users send unwanted traffic that wastes shared resources and degrades network performance. Stopping such attacks requires identifying the responsible principal and filtering any unwanted traffic it sends. However, senders can obscure their identity: a packet identifies its sender only by the source address, but the Internet Protocol does not enforce that this address be correct. Additionally, affected destinations have no way to prevent the sender from continuing to cause harm. An accountable network binds sender identities to the packets they send for the purpose of holding senders responsible for their traffic. In this dissertation, I present an accountable network-level architecture that strongly binds senders to packets and gives receivers control over who can send traffic to them. Holding senders accountable for their actions would prevent many of the attacks that disrupt the Internet today. Previous work in attack prevention proposes methods of binding packets to senders, giving receivers control over who sends what to them, or both. However, all of them require trusted elements on the forwarding path, either to assist in identifying the sender or to filter unwanted packets. These elements are often not under the control of the receiver and may become corrupt. This dissertation shows that the Internet architecture can be extended to allow receivers to block traffic from unwanted senders, even in the presence of malicious devices in the forwarding path. This dissertation validates this thesis with three contributions. The first contribution is DNA, a network architecture that strongly binds packets to their sender, allowing routers to reject unaccountable traffic and recipients to block traffic from unwanted senders. Unlike prior work, which trusts on-path devices to behave correctly, the only trusted component in DNA is an identity certification authority. All other entities may misbehave and are either blocked or evicted from the network. The second contribution is NeighborhoodWatch, a secure, distributed, scalable object store that is capable of withstanding misbehavior by its constituent nodes. DNA uses NeighborhoodWatch to store receiver-specific requests to block individual senders. The third contribution is VanGuard, an accountable capability architecture. Capabilities are small, receiver-generated tokens that grant the sender permission to send traffic to the receiver. Existing capability architectures are not accountable, assume a protected channel for obtaining capabilities, and allow on-path devices to steal capabilities. VanGuard builds a capability architecture on top of DNA, preventing capability theft and protecting the capability request channel by allowing receivers to block senders that flood the channel. Once a sender obtains capabilities, it no longer needs to sign traffic, thus allowing greater efficiency than DNA alone. The DNA architecture demonstrates that it is possible to create an accountable network architecture in which none of the devices on the forwarding path must be trusted. DNA holds senders responsible for their traffic by allowing receivers to block senders; to store this blocking state, DNA relies on the NeighborhoodWatch DHT. VanGuard extends DNA and reduces its overhead by incorporating capabilities, which gives destinations further control over the traffic that sources send to them.

    Private Realm Gateway

    The exhaustion of IPv4 addresses has been a global concern for the past two decades. The growing number of users and services has already consumed nearly all available addresses. Several solutions have been proposed to address the problem. In chronological order these are Classless Inter-Domain Routing (CIDR), Network Address Translation (NAT) and a new version of the IP protocol, IPv6. The introduction of address translation divided networks into private and public realms. NAT devices allow users of a private network to communicate with users of the public network through a shared IP address. NAT also acts as a simple firewall, blocking incoming traffic and thereby causing reachability problems. Despite the many solutions, none of them is entirely free of problems. This thesis presents a solution to the reachability problem caused by address translation. The solution is called the Private Realm Gateway (PRGW). Its main component is called the circular (ring-shaped) address pool, which uses a limited number of public addresses to enable end-to-end communication for most applications. The remaining applications need an application-layer gateway or a proxy server to establish connectivity. Evaluation of the prototype shows that the theory and the implementation work very well. The Private Realm Gateway provides mechanisms for solving the reachability problem while also contributing to a solution to address exhaustion.

    The IPv4 address exhaustion has been a global concern for the last two decades. The increased number of connected users and services has almost entirely depleted the available addresses. There have been several attempts to solve this problem. Chronologically they are Classless Inter-Domain Routing (CIDR), Network Address Translation (NAT) and a new version of the IP protocol, IPv6. The adoption of NAT introduced the separation of private and public realms. NAT devices allow the hosts located in the private realm to connect with hosts or services in the public realm by sharing a public IP address. NAT also provides the most basic kind of firewall, blocking incoming connections towards the private realm and introducing the reachability problem. Although several alternatives have been developed to overcome this issue, none of them is free of drawbacks. This thesis introduces a new concept that solves the reachability problem introduced by NAT. The solution is called Private Realm Gateway (PRGW). The main component is called Circular Pool and it uses a limited number of public IP addresses to enable end-to-end communication for most applications. Other applications require the use of an Application Layer Gateway (ALG) or proxy servers to grant connectivity. The evaluation of the prototype proves the concept and the implementation highly successful. The Private Realm Gateway provides mechanisms to overcome the reachability problem and also contributes to the solution of the address exhaustion problem.

    Towards More Efficient Delay Measurements on the Internet

    As more applications rely on distributed systems (peer-to-peer services, content distribution networks, cloud services), it becomes necessary to identify hosts that return content to the user with minimal delay. A large-scale map of delays would aid in solving this problem. Existing methods, which deploy devices to every region of the Internet or use a single vantage point, have yet to create such a map. While services such as PlanetLab offer a distributed network for measurements, they only cover 0.3% of the Internet. The focus of our research is to increase the speed of the single vantage point approach so that it becomes a feasible solution. We evaluate the feasibility of performing large-scale measurements by performing an experiment using more hosts than any previous study. First, an efficient scanning algorithm is developed to perform the measurement scan. We then find that a custom Windows network driver is required to overcome bottlenecks in the operating system. After developing a custom driver, we perform a measurement scan larger than any previous study. Analysis of the results reveals previously unidentified drawbacks to the existing architectures and measurement methodologies. We propose novel methods for increasing the speed of experiments, improving the accuracy of measurement results, and reducing the amount of traffic generated by the scan. Finally, we present architectures for performing an Internet-scale measurement scan. We found that with custom drivers, the Windows operating system is a capable platform for performing large-scale measurements. Scan results showed that in the eleven years since the original measurement technique was developed, the response patterns it relied upon had changed from what was expected. With our suggested improvements to the measurement algorithm and proposed scanning architectures, it may be possible to perform Internet-scale measurement studies in the future.

    AUTOMATED NETWORK SECURITY WITH EXCEPTIONS USING SDN

    Campus networks have recently experienced a proliferation of devices ranging from personal use devices (e.g. smartphones, laptops, tablets), to special-purpose network equipment (e.g. firewalls, network address translation boxes, network caches, load balancers, virtual private network servers, and authentication servers), as well as special-purpose systems (badge readers, IP phones, cameras, location trackers, etc.). To establish directives and regulations regarding the ways in which these heterogeneous systems are allowed to interact with each other and the network infrastructure, organizations typically appoint policy writing committees (PWCs) to create acceptable use policy (AUP) documents describing the rules and behavioral guidelines that all campus network interactions must abide by. While users are the audience for AUP documents produced by an organization's PWC, network administrators are the responsible party enforcing the contents of such policies using low-level CLI instructions and configuration files that are typically difficult to understand and make it almost impossible to show that they do, in fact, enforce the AUPs. In other words, mapping the contents of imprecise unstructured sentences into technical configurations is a challenging task that relies on the interpretation and expertise of the network operator carrying out the policy enforcement. Moreover, there are multiple places where policy enforcement can take place. For example, policies governing servers (e.g., web, mail, and file servers) are often encoded into the server's configuration files. However, from a security perspective, conflating policy enforcement with server configuration is a dangerous practice because minor server misconfigurations could open up avenues for security exploits. On the other hand, policies that are enforced in the network tend to rarely change over time and are often based on one-size-fits-all policies that can severely limit the fast-paced dynamics of emerging research workflows found in campus networks. This dissertation addresses the above problems by leveraging recent advances in Software-Defined Networking (SDN) to support systems that enable novel in-network approaches developed to support an organization's network security policies. Namely, we introduce PoLanCO, a human-readable yet technically precise policy language that serves as a middle ground between the imprecise statements found in AUPs and the technical low-level mechanisms used to implement them. Real-world examples show that PoLanCO is capable of implementing a wide range of policies found in campus networks. In addition, we also present the concept of Network Security Caps, an enforcement layer that separates server/device functionality from policy enforcement. A Network Security Cap intercepts packets coming from, and going to, servers and ensures policy compliance before allowing network devices to process packets using the traditional forwarding mechanisms. Lastly, we propose the on-demand security exceptions model to cope with the dynamics of emerging research workflows that are not suited for a one-size-fits-all security approach. In the proposed model, network users and providers establish trust relationships that can be used to temporarily bypass the policy compliance checks applied to general-purpose traffic, typically performed by network appliances that carry out Deep Packet Inspection and thereby create network bottlenecks. We describe the components of a prototype exception system as well as experiments showing that through short-lived exceptions researchers can realize significant improvements for their special-purpose traffic.