Security Issues in a Differentiated Services Internet
A. Striegel
Department of Computer Science and Engineering
University of Notre Dame, USA
striegel@cse.nd.edu
Abstract— The Differentiated Services (DiffServ) architecture represents a highly scalable architecture for deployment of QoS across the next-generation Internet. However, the DiffServ model has several key areas of trust critical to its correct operation which represent security concerns. This paper examines those areas of trust and how they apply to security under the DiffServ model. Finally, the paper examines the proposed solutions to address these concerns.

I. INTRODUCTION
The Internet is continually evolving from a medium used primarily for research and academia to a medium used by business and user communities. For these business and user communities, the different applications being used require different qualities of service (QoS) to be provided to them. However, the Internet in its current form does not support the notion of QoS. Rather, the Internet follows the same-service-to-all paradigm such that all packets receive the same quality of service. This best-effort model that the Internet currently employs is inadequate to meeting the growing demands of business and user applications.

Therefore, several models have been proposed by the Internet Engineering Task Force (IETF) to provide QoS assurances across the Internet, some of which are likely to be implemented in the next generation Internet. The first model, Integrated Services (IntServ) [1], aims to provide an absolute guarantee of QoS for each flow across the network. This model provides two broad categories of service: guaranteed service [2] for real-time flows requiring strict latency and jitter bounds, and controlled load service [3] for non-real-time flows which are insensitive to congestion.

The strengths of the IntServ model are that it provides an absolute service guarantee for each flow and that it provides a way of monitoring that each flow in the network does not violate its respective allocation of resources. However, the IntServ model has several key weaknesses. Each router requires a significant amount of processing overhead for each flow. In the Internet, millions of flows may be flowing across a router, thus the scalability of the IntServ model is impractical since each router is required to maintain state information for each flow. In addition, the IntServ model is often impractical for short-lived flows, since the connection setup introduces overhead greater than the transmission of the flow itself. Consequently, the DiffServ model [4], [5] was proposed as an alternative model for providing QoS over the Internet that overcomes the shortcomings of the IntServ model. The goal of DiffServ was to provide the benefits of different levels of QoS while avoiding the limitations of the IntServ model. The DiffServ model accomplishes this by aggregating traffic with similar QoS requirements into classes. DiffServ thus does not maintain any per-flow information across the network, eliminating the overhead of maintaining per-flow state information and also eliminating connection setup costs. Thus, short-lived flows benefit from this model due to the absence of connection setup costs.

II. DIFFERENTIATED SERVICES
Differentiated Services, or DiffServ [4], [5], was the result of addressing the limitations of IntServ. The goal of DiffServ was to provide the benefits of different levels of QoS while avoiding the limitations of the IntServ model. DiffServ accomplishes this by reducing traffic to some number of aggregations with similar QoS requirements. DiffServ thus does not maintain any per flow information across the network, eliminating the overhead of per flow state information and also eliminating connection setup costs. DiffServ only maintains information pertaining to the aggregation (classes). Thus, short-lived flows benefit from this model due to the absence of connection setup costs. However, DiffServ does have several weaknesses. Since DiffServ does not employ any admission control or resource reservation, DiffServ adds some measure of unpredictability to the network, thus resulting in extremely dynamic traffic levels. Because of this potential for extremely dynamic traffic levels, DiffServ does not attempt to guarantee any level of service; DiffServ simply strives for a relative level of service for an aggregation versus the other aggregations.

A. Absolute Differentiated Services
With the introduction of the DiffServ model, several variations of DiffServ have been proposed [6], [7], [8]. Absolute differentiated services attempts to provide the levels of performance in offered services of IntServ without the per-flow states required by the network routers. The user receives an absolute service profile (i.e., a certain bandwidth) from the network. This profile can be one of two types of services, Premium Service or Assured Service. The first, Premium Service [6], is equivalent to a leased line provided that the service stays below a certain level. The second, Assured Service, classifies packets into two levels regarding their drop preference, 'In' or 'Out'. 'Out' packets are discarded with a higher probability than 'In' packets during network congestion [7]. A third, Assured Forwarding [8], expands the levels of drop precedence into three levels beneath four classes. There remain tradeoffs between achieving high service assurance in the absolute differentiated services model versus coarse spatial granularity (a certain bandwidth even across all network paths), which is discussed in [9].
B. Relative Differentiated Services

The second variation of DiffServ is relative differentiated services. For relative differentiated services, all traffic is grouped into N classes of service. For each class i, the service provided to class i will be better (or at least no worse) than the service provided to class (i-1). Several approaches have been proposed for relative differentiated services. The first approach, the Paris Metro Pricing (PMP) scheme [11], uses only pricing to differentiate services, and hence the assumption that higher prices within the higher classes will lead to lower loads of the higher classes. A second approach involves careful capacity provisioning, having higher classes receive more forwarding resources relative to their expected loads through the use of schedulers such as Weighted Fair Queuing [12], [13], [14]. However, each of these two approaches has the same problem when dealing with Internet traffic. Because of the bursty nature of Internet traffic, a higher class may be overloaded, thus performing worse than a lower class. The third approach, strict prioritization, provides consistent class differentiation that does not depend on the class loads [15], [10]. Strict prioritization accomplishes this by servicing the highest backlogged class (delay aspect) and dropping a packet from the lowest backlogged class (loss aspect). However, strict prioritization presents two problems. First, lower classes can experience starvation effects if no restriction is placed upon the load of the higher classes. Second, strict prioritization does not provide for controllable differentiation between the classes [10]. Recently, the proportional differential model was proposed in [10]. In the proportional differential model, the QoS measures are ratioed proportionally via the use of performance parameters. The proportional differential model was developed with two criteria in mind for successful class differentiation. First, a model must be predictable, such that differentiation is consistent (a higher class is better or at least no worse than a lower class) and the differentiation is independent of the class loads. Second, the model must be controllable, such that network operators can select the appropriate class spacing based on their criteria. Although [16], [17] addressed only delay differentiation, several papers [10] have addressed metrics for both delay and loss differentiation, two concepts critical to QoS across the Internet.

All of the proposed variations of DiffServ follow several key concepts which are discussed in Section III. DiffServ is expected to become a dominant force in the Internet, and because of this, the security areas of concern and trust must be addressed. Section IV outlines the areas of trust in the DiffServ model, the potential security concerns, and the proposed solutions. Finally, in Section V, some concluding remarks are made.

III. DIFFSERV CONCEPTS
In order to maintain compatibility with the existing IPv4 and IPv6 infrastructure, DiffServ represents a relatively minor change to the actual IP packet. Rather than incorporating an actual design change, DiffServ incorporates only a semantic change by redefining the use of the TOS field. The newly named field, the Differentiated Services (DS) field, uses the first 6 bits of the TOS field while the remaining 2 bits are reserved for future use. Each value in the DS field, known as a DiffServ codepoint (DSCP) [4], is responsible for aggregating packets into different classes. Each class is associated with a specific Per-Hop Behavior (PHB) [5] which defines how a packet will be prioritized for transmission and dropping due to buffer overflow.

The DiffServ model contains two types of routers, edge routers and core routers. Core routers are relatively simple routers designed for the purpose of high-speed routing over the network backbone. Core routers do not maintain any per-flow state information and schedule each packet as per the PHB defined within the packet. In DiffServ, the intelligence of the network is migrated to the edge of the network at the edge routers. The edge router is key to the correct operation of the DiffServ network. Responsibilities of the edge routers include traffic marking, traffic policing, and traffic shaping. It is these edge router responsibilities that are critical for maintaining the proper traffic levels in the network to achieve proper QoS differentiation in the network core.

If a network sending traffic to the DiffServ domain is a DiffServ-aware network, traffic is already marked and thus only needs to be policed. However, if a network is not DiffServ-aware, the edge router must be responsible for appropriately marking packets according to a Service Level Agreement (SLA) between the source and the DiffServ domain. A SLA exists between a source and an edge router to outline both the quantity limitations of traffic for each class of service as well as the burstiness in traffic. A SLA may be either static or dynamic. For traffic that violates a SLA, the offending packets may be either demoted to a lower class of service or dropped.

The DiffServ model is shown in Figure 1. A LAN or MAN transmits packets to an ISP's edge router. If the LAN is DiffServ-aware, the packet is policed according to the SLA between the LAN and the ISP. If the LAN is not DiffServ-aware, the packet is appropriately marked according to the SLA. Packets are then scheduled/dropped in the DiffServ domain according to the PHB of the packet.

IV. SECURITY AND DIFFSERV
A. Areas of Trust

Several fundamental areas of trust exist in the DiffServ network which are critical to the correct operation of DiffServ. These areas of trust include trust between edge router and source, trust between core and edge routers, and trust of SLA integrity.

[Fig. 1. DiffServ model. An ISP DS Domain with Edge Routers (stateful, intelligent; policing and marking) and Core Routers (stateless, high-speed; act on DSCP only), a Bandwidth Broker (BB), and a Company LAN, MAN and Wireless Network attached via SLAs. Example SLA for User A / User B, Class / Rate / Violate: AF11 2.5 Mbps demoted to AF12; AF12 1.25 Mbps demoted to BE; EF 0.25 Mbps dropped.]
1) Trust between Edge Router and Source: Packets are policed on a per-source basis at the edge router. Thus, in order to police a packet or mark a packet, the source of a packet must be matched to an SLA in the edge router. Source to SLA matching can occur on either the physical layer (less likely) or at the network layer (likely). The edge routers trust that the source to SLA matching is done correctly in order to correctly police traffic.

2) Trust between Core and Edge Router: The primary goal of DiffServ is to simplify the core routers to allow for high-speed routing of packets according to the PHBs of the packets. Thus, the core routers have a level of trust with the edge routers such that the core routers trust that the packets have been marked correctly and also trust that the packets have already been appropriately policed.

3) Trust of SLA Integrity: Several services such as Expedited Forwarding [6] and Assured Forwarding [8] depend on SLA integrity in order for them to function correctly. If the classes are overloaded with excessive traffic, performance to lower classes or even the performance of the higher priority classes could degrade. Thus, a level of trust exists with the integrity of SLAs across edge routers such that the network resources are not overallocated to cause performance degradation of stricter QoS classes.

B. Potential Security Concerns
The areas of trust that are critical to the DiffServ model represent several potential security concerns. These security concerns include both theft of resources as well as Denial of Service (DoS) attacks.

1) Theft of Resources: Theft of resources can occur in several forms under DiffServ. Theft in terms of DiffServ can be expanded to include theft of network bandwidth as well as illegal promotion of a packet's PHB. The first, theft of bandwidth, can occur at both the edge router and core router level. At the edge router level, if a packet is able to successfully spoof its source, the packet will have stolen part of the actual source's SLA allocated bandwidth. Theft of bandwidth at the core router level can occur if an edge router transmits traffic beyond the SLAs or traffic bypasses edge routers and is transmitted directly onto the core.

The second type of theft, illegal promotion of a packet's PHB, can occur at both the edge and core router. At the edge router, illegal promotion can occur if a packet is policed incorrectly or not at all. At the core router, illegal promotion can occur if the correct PHB behavior is not enforced, i.e., a rogue core router or malfunctioning core router.

2) Denial of Service: Denial of Service in the context of DiffServ represents a complete theft of resources over the DiffServ network. Denial of Service is a major security risk to DiffServ and can occur on several fronts.

First, a Denial of Service attack can occur at the edge router with outgoing traffic. The policing of flows represents an attack point that can be exploited to issue a Denial of Service attack. Because the edge router polices on a per-source basis, a simple Denial of Service attack would be to flood the edge router with a spoofed source in order to penalize legitimate traffic arising from the source. This requires only knowledge of the SLA to source matching methodology being employed at the edge router (physical or network layer matching).
A second point for a Denial of Service attack can occur again at the edge router. However, in this case the edge router refers to the edge router at the edge of the ISP's network to other domains. As with the edge routers to the LANs connected to the ISP, the ISP also maintains an SLA with other domains for incoming and outgoing traffic of its network. Thus, it would be possible to conduct a Denial of Service attack at the edge of the ISP's network by overloading the edge router with traffic from either inside the ISP's network for outgoing traffic or outside of the ISP's network for incoming traffic, to cause excessive penalization of the target's packets. This attack requires knowledge of the network infrastructure and of the SLAs themselves in order to violate the SLA.

The third attack point for DoS occurs within the core routers and is rooted with the SLAs for the network. By overloading a class over the network, it is possible to cause traffic from the class to experience much worse performance and even adversely affect other classes as well, denying the service differentiation normally offered by DiffServ. This can occur either due to an over-allocation of SLAs at the edge routers or due to excessive congestion around specific core routers. The first requires knowledge of the network infrastructure while the second requires bypassing the edge router policing.

C. Proposed Solutions
As a result of these potential security concerns, the IETF DiffServ working group has outlined several methods in order to address those concerns. Currently, the DiffServ Architecture RFC [4] considers only auditing and IPSec.

1) Auditing: Auditing is included as a way to monitor suspicious events in the DiffServ domain. Auditing is not required as part of a DiffServ domain but is recommended when included as a point of an overall framework that supports auditing. An example of an auditable event would be traffic on an unused codepoint at a core router. Auditing can be used to increase both the security and robustness of the network. However, to avoid a potential DoS attack, there is no requirement at any time for a node that detects an auditable event to transmit a message to the purported sender.
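The edge router responsibilities from Section III (marking, per-source policing with demotion or drop) and the auditable event above (traffic on a codepoint the domain does not use) can be put together in one policer. The following is an added illustration, not code from the paper or the IETF: the SLA table copies Figure 1, while the burst depths, packet lengths, timestamps and the decision to re-mark unknown codepoints to best effort are constructed assumptions.

```python
"""Edge-router token-bucket policer plus codepoint auditing (added example)."""
from dataclasses import dataclass

# DSCP values from the DiffServ RFCs; the DS field reuses the old TOS byte,
# DSCP in the 6 high-order bits, the remaining 2 bits reserved.
BE, AF11, AF12, EF = 0, 10, 12, 46
MTU = 1500  # constructed packet length used in the demo

def dscp_from_tos(tos: int) -> int:
    return (tos >> 2) & 0x3F

def tos_from_dscp(dscp: int, low_bits: int = 0) -> int:
    return ((dscp & 0x3F) << 2) | (low_bits & 0x3)

@dataclass
class Bucket:
    rate_bps: float    # SLA rate for the class
    burst: int         # SLA burst limit in bytes (bucket depth)
    tokens: float      # bytes currently permitted
    last: float = 0.0  # time of last refill

class EdgePolicer:
    """Polices one source's SLA: in-profile packets keep their mark, out-of-profile
    packets are demoted or dropped, unknown codepoints are logged as audit events."""

    def __init__(self, sla):
        # sla: {dscp: (rate_bps, burst_bytes, action)}; action is the DSCP to
        # demote to, or None to drop (the "Violate" column of Figure 1).
        self.buckets = {d: Bucket(r, b, b) for d, (r, b, _) in sla.items()}
        self.actions = {d: a for d, (_, _, a) in sla.items()}
        self.audit_log = []

    def police(self, tos: int, length: int, now: float):
        """Return the TOS byte to forward the packet with, or None to drop it."""
        dscp = dscp_from_tos(tos)
        if dscp not in self.buckets:
            # Auditable event (DiffServ architecture RFC): traffic on a codepoint the
            # SLA does not cover. Assumption: re-mark to BE rather than trust the mark.
            self.audit_log.append(f"t={now:.3f}s unused codepoint {dscp} ({length} B)")
            return tos_from_dscp(BE)
        b = self.buckets[dscp]
        b.tokens = min(b.burst, b.tokens + (now - b.last) * b.rate_bps / 8)
        b.last = now
        if b.tokens >= length:          # in profile: forward unchanged
            b.tokens -= length
            return tos
        action = self.actions[dscp]     # out of profile: demote or drop
        return None if action is None else tos_from_dscp(action)

# SLA of Figure 1; burst depths are constructed (two MTUs for AF, one for EF).
FIGURE1_SLA = {AF11: (2.5e6, 2 * MTU, AF12),
               AF12: (1.25e6, 2 * MTU, BE),
               EF: (0.25e6, MTU, None)}

if __name__ == "__main__":
    p = EdgePolicer(FIGURE1_SLA)
    for tos in [tos_from_dscp(AF11)] * 3 + [tos_from_dscp(EF)] * 2 + [tos_from_dscp(5)]:
        print(f"in DSCP {dscp_from_tos(tos):2d} -> out TOS {p.police(tos, MTU, 0.0)}")
    print(p.audit_log)
```

Demoted packets are not charged against the lower class's bucket here; a production policer would also need the source-to-SLA matching step that Section IV.A identifies as a point of trust.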
2) IPSec: IPSec, outlined in [18], [19], is an extension to IP to allow for secure IP based transmission. In its default mode, IPSec does not include the DS field in its cryptographic calculation. Thus, the default mode is not suited for providing security to a DiffServ domain. However, IPSec tunnel mode does provide security that is of direct use to DiffServ domains. Tunnel mode includes two versions of the IP header, an inner encrypted version and an outer version used for transmission. However, as with default mode, the outer IP header is still not included in the cryptographic calculation, thus rendering it vulnerable to a man-in-the-middle attack.

In order to use IPSec's tunnel mode, several points must be considered. First, the core routers examine only the outer IP header, while the inner IP header can only be examined at either the ingress or egress node of the domain. The ingress node can use IPSec to correctly match the source to its appropriate SLA. The egress node can use IPSec to check the end-to-end integrity of the packet. The security of this integrity check is dependent upon the strength of the scheme currently used. A final point to consider arises at the egress node.
As it stands, the egress node is not allowed to modify the inner DS field in order to apply traffic conditioning between DiffServ domains. However, if modification is allowed, it increases network adaptiveness at the cost of security. Thus, the egress node must now include the appropriate security complexity found in an ingress node, thus greatly increasing the security complexity of the nodes between DiffServ domains. Essentially, the network between two DiffServ domains may be viewed either as a 'virtual wire' with no inner DS field modification or as a multihop network which allows inner DS field modification.
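The distinction drawn above, that the integrity check at the egress node covers the inner header but not the outer header the core routers act on, is easy to see with a toy model of tunnel-mode encapsulation. This is an added example, not code from the paper or from any IPSec implementation: headers are reduced to a single TOS byte, the integrity check value (ICV) is an HMAC over the encapsulated packet only, encryption is omitted, and the key is constructed.

```python
"""Toy IPSec tunnel-mode integrity model for the DS field (added example)."""
import hashlib
import hmac
from typing import Tuple

ICV_LEN = 32  # HMAC-SHA256 digest length

def dscp_from_tos(tos: int) -> int:
    return (tos >> 2) & 0x3F

def tos_from_dscp(dscp: int) -> int:
    return (dscp & 0x3F) << 2

def ingress_encapsulate(inner_pkt: bytes, outer_dscp: int, key: bytes) -> bytes:
    """Ingress node: prepend an outer header (1 TOS byte) used for transmission and
    append an ICV computed over the inner packet only, modelling that the outer
    header is outside the cryptographic calculation."""
    icv = hmac.new(key, inner_pkt, hashlib.sha256).digest()
    return bytes([tos_from_dscp(outer_dscp)]) + inner_pkt + icv

def egress_verify(pkt: bytes, key: bytes) -> Tuple[bool, int, int]:
    """Egress node: return (integrity_ok, outer_dscp, inner_dscp).
    Only inner_dscp is backed by the ICV; outer_dscp is whatever arrived."""
    outer_tos, inner, icv = pkt[0], pkt[1:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(key, inner, hashlib.sha256).digest()
    ok = hmac.compare_digest(expected, icv)
    return ok, dscp_from_tos(outer_tos), dscp_from_tos(inner[0])

def remark_outer(pkt: bytes, dscp: int) -> bytes:
    """Model an on-path change to the outer DS field (the field core routers use)."""
    return bytes([tos_from_dscp(dscp)]) + pkt[1:]

def remark_inner(pkt: bytes, dscp: int) -> bytes:
    """Model an on-path change to the inner DS field (covered by the ICV)."""
    return pkt[:1] + bytes([tos_from_dscp(dscp)]) + pkt[2:]

if __name__ == "__main__":
    key = b"constructed-demo-key"
    inner = bytes([tos_from_dscp(46)]) + b"payload"        # EF-marked inner packet
    pkt = ingress_encapsulate(inner, 46, key)
    print("untouched   :", egress_verify(pkt, key))          # (True, 46, 46)
    print("outer -> BE :", egress_verify(remark_outer(pkt, 0), key))  # (True, 0, 46)
    print("inner -> BE :", egress_verify(remark_inner(pkt, 0), key))  # (False, 46, 0)
```

The second line of output is the paper's man-in-the-middle concern: the egress check still passes, so the only defence against outer re-marking is the egress node comparing the arrived outer DSCP with the authenticated inner one and restoring it before the packet enters the next domain.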
V. CONCLUSION
In conclusion, the DiffServ architecture represents a highly scalable architecture for deployment of QoS across the next-generation Internet. However, the DiffServ model has several key areas of trust which represent security concerns critical to the correct operation of DiffServ. These concerns have been addressed by the IETF in the DiffServ Architecture RFC, but there is still room for investigation into DiffServ security.

REFERENCES
[1] R. Braden, D. Clark, and S. Shenkar, "Integrated Services in the Internet architecture: An overview," IETF RFC 1633, June 1994.
[2] S. Shenkar, C. Partridge, and R. Guerin, "Specification of Guaranteed Quality of Service," IETF RFC 2212, Sept. 1997.
[3] J. Wroclawski, "Specification of the controlled-load network element service," IETF RFC 2211, Sept. 1997.
[4] K. Nichols, S. Blake, F. Baker, and D. L. Black, "Definition of the Differentiated Services field (DS Field) in the IPv4 and IPv6 headers," IETF RFC 2474, Dec. 1998.
[5] S. Blake et al., "An Architecture for Differentiated Services," IETF RFC 2475, Dec. 1998.
[6] B. W. Davie, A. Charny, J. C. R. Bennet, K. Benson, J. Y. Le Boudec, W. Courtney, S. Davari, V. Firoiu, and D. Stiliadis, "An expedited forwarding PHB (per-hop behavior)," IETF RFC 3246, Mar. 2002.
[7] D. D. Clark and W. Farang, "Explicit allocation of best effort packet delivery service," IEEE/ACM Transactions on Networking, vol. 6, pp. 362–373, Aug. 1998.
[8] J. Heinanen, F. Baker, W. Weiss, and J. Wroclawski, "Assured forwarding PHB group," IETF RFC 2597, June 1999.
[9] I. Stoica and H. Zhang, "LIRA: An approach for service differentiation on the internet," in Proc. of NOSSDAV, 1998.
[10] C. Dovrolis and P. Ramanathan, "A case for relative differentiated services and the proportional differentiation model," IEEE Network, pp. 26–34, Sept.-Oct. 1999.
[11] A. M. Odlyzko, "Paris metro pricing: The minimalist Differentiated Services solution," in Proc. IEEE/IFIP International Workshop on Quality of Service (IWQoS), June 1999.
[12] A. Demers, S. Keshav, and S. Shenker, "Analysis and Simulation of a Fair Queuing Algorithm," 1990.
[13] A. K. Parekh and R. G. Gallager, "A Generalized Processor Sharing Approach to Flow Control in Integrated Services Networks: The Single-Node Case," IEEE/ACM Transactions on Networking, vol. 1, pp. 344–357, June 1993.
[14] J. C. R. Bennett and H. Zhang, "Hierarchical Packet Fair Queuing Algorithms," IEEE/ACM Transactions on Networking, vol. 5, pp. 675–6, Oct. 1997.
[15] D. Stiliadis and A. Varma, "Latency-rate servers: A general model for analysis of traffic scheduling algorithms," IEEE/ACM Transactions on Networking, vol. 6, pp. 611–625, Oct. 1998.
[16] C. Dovrolis, D. Stiliadis, and P. Ramanathan, "Proportional Differentiated Services: Delay Differentiation and Packet Scheduling," in SIGCOMM, 1999, pp. 109–120.
[17] A. Striegel and G. Manimaran, "Packet scheduling with delay and loss differentiation," Computer Communications, vol. 25, no. 1, pp. 21–31, Jan. 2002.
[18] S. Kent and R. Atkinson, "IP Encapsulating Security Payload (ESP)," IETF RFC 2406, Nov. 1998.
[19] R. Atkinson, "IP Authentication Header," IETF RFC 1826, Aug. 1995.