Physical Separation for Data Protection based on SCTP Multihoming

Stefan Lindskog, Dept. of Computer Science, Karlstad University, SE-651 88 Karlstad, Sweden, [email protected]
Karl-Johan Grinnemo, TietoEnator AB, Lagergrens gata 2, SE-651 15 Karlstad, Sweden, [email protected]
Anna Brunstrom, Dept. of Computer Science, Karlstad University, SE-651 88 Karlstad, Sweden, [email protected]
Abstract— Network security is an increasingly important issue. Traditional solutions for protecting data when transferred over the network are almost exclusively based on cryptography. As a complement, we propose the use of SCTP and its support for physically separate paths to accomplish protection against eavesdropping attacks near the end points.
I. INTRODUCTION

In the last few years, we have experienced a steadily growing interest in using the Internet as a vehicle for e-banking, e-commerce, virtual company networks, telephony, IP-TV, and other applications requiring secure communication. To this end, network security has become pivotal for the future of the Internet and Internet-based solutions. Currently, network security is almost exclusively accomplished through encryption. For example, e-banking and e-commerce typically take place over Secure Sockets Layer (SSL) [5] or Transport Layer Security (TLS) [3] connections. However, although encryption gives adequate protection, it may lead to severely degraded network performance in terms of latency and throughput. Specifically, Apostolopoulos et al. [1] demonstrated a throughput reduction of more than 90 % when TLS with RC4 and MD5 was used for accessing Netscape and Apache Web servers, as compared to no encryption at all. Furthermore, Burke et al. [2] showed that applications running on high-end microprocessors are not even likely to saturate a T3 (approximately 45 Mbps) line.

Various selective encryption schemes [7], [9], [10] that produce less overhead than ordinary encryption schemes, such as DES and AES, have lately been proposed. The basic idea of selective encryption is to offer lightweight security by encrypting only a subset of the data. Such schemes are intended to be used when the computational overhead produced by encryption and/or decryption must be reduced and a less stringent security level is acceptable.

In this paper, we suggest physical separation as a mechanism to provide lightweight security. As pointed out by Rushby and Randell [8], the basis for protection is separation, and encryption is only one way of accomplishing separation. Another way is to physically separate the information to be protected, i.e., to partition the information and send it along different routes. Similar to selective encryption, physical separation can be an alternative for delay-sensitive applications such as telephony, IP-TV and other multimedia applications, that is, applications where latency and throughput requirements outweigh the importance of absolute protection against malicious attacks. In the following, we propose using the Stream Control Transmission Protocol (SCTP) [11] and its multihoming support to accomplish physical separation, and thus moderate protection for delay-sensitive applications.

The remainder of the paper is organized as follows. Section II gives a brief overview of SCTP. Next, in Section III our idea of using the SCTP multihoming feature to accomplish data protection through physical separation is presented. In Section IV, the threat model is discussed. Finally, Section V concludes the paper with some final remarks and some words on future work.

II. AN OVERVIEW OF SCTP
SCTP originates from the IETF Signaling Transport (SIGTRAN) working group [12], and was originally developed as part of an effort to standardize switched circuit signaling over IP. However, as the protocol evolved it became apparent that it could be useful in other contexts as well. Today, SCTP is considered a general transport protocol, on par with the traditional transport protocols UDP and TCP.
Like TCP, SCTP provides a reliable transport service, ensuring that data is transported across a network without error and in sequence. Furthermore, like TCP, SCTP is a connection-oriented protocol. An SCTP connection, or association, is created between the end points prior to data transmission. An association is maintained until all data has been successfully transmitted. However, unlike TCP, SCTP is message oriented and preserves the boundaries of individual messages. In comparison, TCP is byte oriented and does not preserve any implicit structure within a transmitted byte stream. Additionally, SCTP provides a number of functions that are required by telephony signaling transport but which could potentially benefit other applications as well.

SCTP introduces the concept of streams to decrease the impact of head-of-line blocking. In SCTP, a stream is a unidirectional channel within an association. Streams provide the ability to send separate sequences of ordered messages as independent flows. In particular, a packet loss in one stream does not inhibit the delivery of packets in other streams.

Another concept introduced in SCTP is multihoming, or the ability for a single SCTP end point to support multiple IP addresses. In SCTP, multihoming was introduced as a means to provide network fault tolerance. Each IP address is equivalent to a different path for sending and receiving data through the network. Fig. 1 illustrates how SCTP multihoming works.

Fig. 1. Example of SCTP multihoming support. (Host A with addresses A1 and A2, Host B with addresses B1 and B2; the primary path runs from A1 to B1 and the alternate path from A2 to B2 across the IP network.)
As illustrated in Fig. 1, one network path is selected as the primary path and as long as this path is available all data is sent this way. However, if the primary path fails, SCTP starts sending all packets on the alternate path instead. Furthermore, if a packet is dropped on the primary path, e.g., due to congestion, the packet is retransmitted on the alternate path. Reassembly of data that arrives on multiple paths, belonging to the same association, is handled by the SCTP receiver.

III. PHYSICAL SEPARATION USING SCTP
Data protection services are used to achieve data confidentiality, data integrity and/or data authenticity. Data protection for network transfers has traditionally been implemented exclusively through cryptographic separation. Various cryptographic systems are today widely used. The major disadvantage with cryptographic separation is, however, that it requires adequate computational resources (at least) at the end points. For this reason, we propose the use of physical separation as a complement to existing cryptographic data protection services. In particular, we suggest that the multihoming feature in SCTP could be used to implement data protection through physical separation. Our primary idea is to simultaneously send messages belonging to the same association on multiple physical paths. Protection is thus provided by the geographical fragmentation and scattering of data.

In Fig. 2, two multihomed hosts A and B are illustrated. Both hosts are equipped with two IP addresses, A1 and A2, and B1 and B2, respectively. Furthermore, in this case four different Internet Service Providers (ISPs) are involved and each packet from A to B could be routed on one of the following four paths:

A1 - ISP1 - Core network - ISP3 - B1
A1 - ISP1 - Core network - ISP4 - B2
A2 - ISP2 - Core network - ISP3 - B1
A2 - ISP2 - Core network - ISP4 - B2
Thus, by carefully selecting ISPs, different physical paths can be achieved near the end points.¹ Over the core network, on the other hand, neither the sender nor the receiver may be able to control the path. Note that the physical separation of paths is also required for fault tolerance.

While the primary reason SCTP supports multihoming is to provide network fault tolerance, SCTP also provides application-initiated changeover. In other words, it is possible during an SCTP session to change the primary path and thus send traffic on one of the alternate paths. Hence, the changeover feature in SCTP could be used to achieve physical separation of data in a transfer. If frequent path changes are desirable, extended SCTP functionality may be required. Several extensions of the multihoming feature have already been suggested to make this possible. For example, it has been shown that concurrent multipath transfers using SCTP multihoming can be used to increase throughput for networked applications [6]. By extending SCTP to utilize the available paths for simultaneous transmission of messages, a Load-Sharing SCTP (LS-SCTP) has been proposed by El Al et al. [4]. Thus, the problem of congestion control and reassembly of data in SCTP for multipath transfers is already addressed. These extensions could also be used as a basis to increase data protection through physical separation.

¹ Also with a single ISP it might be possible to accomplish different paths, provided route-pinning techniques such as Multi-Protocol Label Switching (MPLS) are available.

Fig. 2. Physical separation of data at the end points. (Host A with address A1 connected through ISP1 and address A2 through ISP2; Host B with address B1 connected through ISP3 and address B2 through ISP4; all four paths traverse the core network.)

IV. THREAT MODEL

Our hypothesis is that an eavesdropper needs to acquire access to all, or at least most, of the data sent over the different paths. This means that to successfully perform an eavesdropping attack, an attacker must identify all used paths, gain access to the traffic, and finally decode the data.

An eavesdropping attack on a particular victim is most easily performed near the victim's physical network connection. If the wire that connects the victim's computer is accessible, a protocol analyzer could be used to tap all traffic that passes through the wire. Another option is to use a so-called network sniffer. When a network sniffer is used in a broadcast network, such as a non-switched Ethernet network or an IEEE 802.11 wireless network, the Network Interface Card (NIC) on the computer executing the sniffer is configured in promiscuous mode. Promiscuous mode implies that all traffic sent over the broadcast network is intercepted by the NIC and forwarded to the sniffer for further processing.

Interception of traffic to and/or from a particular user is much more complicated if the point of eavesdropping is many hops away from the end nodes. In the core network, traffic from a large set of users will pass. Thus, the data processing necessary for filtering out the relevant traffic will require substantial computational resources. In addition, traffic to and/or from the victim may be routed on different paths from session to session, and could also be rerouted within a session due to network failures etc. Furthermore, if proxies or Network Address Translators (NATs) are used, it might not be evident who is actually communicating.
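To make the argument of Sections III and IV concrete, the following Python model, added here as an illustration and not taken from the paper or from any SCTP implementation, spreads the chunks of one association over the two disjoint paths of Fig. 2 and measures how much of the transfer an observer who can tap only one path near an end point collects. The path names, the round-robin changeover policy, the chunk counts and the failure scenarios are constructed assumptions; real SCTP sends on a single primary path at a time, and the paper notes that frequent changeover needs extensions such as LS-SCTP [4]. The model also covers the caveat in Section IV that a path failure reduces the number of paths and thus the protection.

```python
"""Model of physical separation over SCTP-style multihoming.

Constructed example: a sender rotates the primary path for every chunk
(application-initiated changeover) and an eavesdropper observes only a
subset of the paths. Path names and the scheduling policy are assumptions
of this example, not part of SCTP or of the paper.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set, Tuple

# The two disjoint paths of Fig. 2 (names are constructed labels).
PATHS = ("A1-ISP1-core-ISP3-B1", "A2-ISP2-core-ISP4-B2")


@dataclass
class Association:
    """One association with its usable paths and a per-path send log."""
    paths: Sequence[str]
    failed: Set[str] = field(default_factory=set)
    sent: Dict[str, List[int]] = field(default_factory=dict)  # path -> chunk ids

    def usable_paths(self) -> List[str]:
        return [p for p in self.paths if p not in self.failed]

    def send(self, chunk_ids: Sequence[int]) -> Dict[str, List[int]]:
        """Round-robin each chunk over the currently usable paths.

        When a path has failed, SCTP failover semantics apply: everything
        goes over the surviving paths. With no usable path the association
        cannot continue, mirroring an aborted SCTP association.
        """
        usable = self.usable_paths()
        if not usable:
            raise RuntimeError("no usable path; association must be aborted")
        for i, cid in enumerate(chunk_ids):
            path = usable[i % len(usable)]
            self.sent.setdefault(path, []).append(cid)
        return self.sent


def eavesdrop(assoc: Association, tapped: Set[str]) -> Set[int]:
    """Chunk ids visible to an observer who can tap only `tapped` paths."""
    seen: Set[int] = set()
    for path, chunks in assoc.sent.items():
        if path in tapped:
            seen.update(chunks)
    return seen


def scenario(num_chunks: int = 100,
             fail_primary_after: Optional[int] = None,
             policy: str = "failover") -> Tuple[int, int]:
    """Run one transfer and report what a single-path observer sees.

    fail_primary_after: chunk index at which the first path goes down.
    policy="failover": keep sending on the surviving path (SCTP default).
    policy="abort":    stop the transfer once a path is lost (the second
                       option discussed in the threat model).
    Returns (chunks seen on the second path only, chunks actually sent).
    """
    assoc = Association(PATHS)
    chunks = list(range(num_chunks))
    if fail_primary_after is None:
        assoc.send(chunks)
    else:
        assoc.send(chunks[:fail_primary_after])
        assoc.failed.add(PATHS[0])            # primary path fails mid-transfer
        if policy == "failover":
            assoc.send(chunks[fail_primary_after:])
    sent_total = sum(len(ids) for ids in assoc.sent.values())
    seen = len(eavesdrop(assoc, {PATHS[1]}))
    return seen, sent_total


if __name__ == "__main__":
    for label, args in (("no failure", {}),
                        ("failover", {"fail_primary_after": 50}),
                        ("abort", {"fail_primary_after": 50, "policy": "abort"})):
        seen, sent = scenario(**args)
        print(f"{label:10s}: observer on one path sees {seen}/{sent} chunks")
```

With both paths up, an observer on a single path sees half of the chunks and needs a tap on every path to reconstruct the transfer. If the primary path fails halfway through, failover concentrates the rest of the transfer on the surviving path and the observer's share rises to three quarters; aborting the transfer on path loss caps what that observer can collect, at the cost of availability. This is the trade-off the threat model describes between continuing on fewer paths and ending the transfer.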
For the above-mentioned reasons, we argue that eavesdropping attacks are most easily performed near the end points. Thus, by physically separating traffic on multiple paths near the end points, eavesdropping attacks will be much more complicated to successfully accomplish. It should be noted that failures in the network may reduce the number of available paths, which in turn may impact security. To handle failures on a single path, more than two paths could be used. Another option would be to end the data transfer when a network failure occurs.

V. CONCLUSION

The multihoming support in SCTP is a new feature not available in TCP and UDP. This feature is intended for fault tolerance, but can also be used for other purposes. In this paper, we have proposed that this feature can be used to provide physical separation as a means to achieve data protection. We are currently investigating how physical separation is best implemented and its security implications.

ACKNOWLEDGMENTS

This research is supported in part by grants from the Knowledge Foundation of Sweden and from the CMIT research platform at Karlstad University.

REFERENCES

[1] G. Apostolopoulos, V. Peris, and D. Saha. Transport layer security: How much does it really cost? In Proceedings of the Conference on Computer Communications (IEEE INFOCOM), volume 2, pages 717–725, New York, New York, USA, March 21–25, 1999.
[2] J. Burke, J. McDonald, and T. Austin. Architectural support for fast symmetric cryptography. ACM SIGOPS Operating Systems Review, 34(5):178–189, December 2000.
[3] T. Dierks and C. Allen. RFC 2246: The TLS protocol version 1.0, January 1999. Status: Standard.
[4] A. A. El Al, T. Saadawi, and L. Myung. LS-SCTP: A bandwidth aggregation technique for stream control transmission protocol. Computer Communications, 27(10):1012–1024, June 20, 2004.
[5] A. Frier, P. Karlton, and P. Kocher. The SSL 3.0 protocol, November 1996.
[6] J. R. Iyengar, K. C. Shah, P. D. Amer, and R. Stewart. Concurrent multipath transfer using SCTP multihoming. In Proceedings of the 2004 International Symposium on Performance Evaluation of Computer and Telecommunication Systems (SPECTS'04), pages 265–273, San Jose, California, USA, July 25–27, 2004.
[7] M. Podesser, H. P. Schmidt, and A. Uhl. Selective bitplane encryption for secure transmission of image data in mobile environments. In Proceedings of the 5th IEEE Nordic Signal Processing Symposium (NORSIG'02), Tromsø/Trondheim, Norway, October 4–6, 2002.
[8] J. M. Rushby and B. Randell. A distributed secure system. In Proceedings of the 1983 IEEE Symposium on Security and Privacy, pages 127–135, Oakland, California, USA, April 25–27, 1983.
[9] A. Servetti and J. C. De Martin. Perception-based selective encryption of G.729 speech. In Proceedings of the 2002 IEEE International Conference on Acoustics, Speech, and Signal Processing, volume 1, pages 621–624, Orlando, Florida, USA, May 13–17, 2002.
[10] G. A. Spanos and T. B. Maples. Performance study of a selective encryption scheme for security of networked, real-time video. In Proceedings of the 4th International Conference on Computer Communications and Networks (ICCCN'95), pages 72–78, Las Vegas, Nevada, USA, September 1995.
[11] R. R. Stewart, Q. Xie, K. Morneault, C. Sharp, H. J. Schwarzbauer, T. Taylor, I. Rytina, M. Kalla, L. Zhang, and V. Paxson. RFC 2960: Stream control transmission protocol, October 2000. Status: Standard.
[12] The IETF signaling transport (SIGTRAN) working group homepage. http://www.ietf.org/html.charters/sigtran-charter.html, September 26, 2004.