Quo Vadis, Virtual Private Network?
Dr.-Ing. Michael Roßberg, Telematics/Computer Networks Group (Fachgebiet Telematik/Rechnernetze), Technische Universität Ilmenau
Overview
• Configuration of VPN infrastructures
• Objectives to auto-configuration
• Existing approaches & systems
• The SOLID system
  – Problems & basic approach
  – Achieved goals & properties
  – Selected features of our prototype
• Résumé & outlook
Constructing global VPN infrastructures
• Security gateways and road warriors connect internal networks over untrustworthy networks
• Usually IPsec or SSL/TLS
• Smartcards used as trust anchors
• Public & private IP address ranges (IPv4 or IPv6)
• Nested networks
• Multiple networks per gateway
• Multiple gateways per network
• Cycles in the network
⇢ High complexity
[Figure: private networks 10.2.0.0/24, 10.1.0.0/16, 172.16.0.0/16, 10.2.5.0/24, 10.2.4.0/24, 10.2.3.0/24, 10.2.2.0/24, 10.2.0.0/24, 172.16.1.0/16 and 10.2.1.0/24 interconnected over the Internet]
Problems with the configuration of large VPNs (I)
• Usually infrastructures are configured statically & manually
  ⇢ Problems with scalability
    – Required labor increases
    – Susceptibility to errors increases
  ⇢ Problems with agility
    – No direct connections between mobile users
    – No reaction to failures and attacks
Problems with the configuration of large VPNs (II)
[Figure only]
Objectives to automatic VPN configuration
• Self-configuration
• Support for
  – Nested networks
  – Private IP address ranges
• Scalability & agility
• Confidentiality, integrity & authentication
• DoS-resistance / resilience
• ...
⇢ Development of a number of very different approaches
Example 1: Tunnel Endpoint Discovery (TED)
• Reactive search of IPsec gateways by IKE messages with the destination address of the target client
• Shortcomings
  – Requires public IP addresses for all clients
  – No nested networks
  – Covert channel to arbitrary hosts possible
  – Addresses not attested
[Figure: Black Network connecting Red Net 1 and Red Net 2]
Example 2: Group Encrypted Transport VPN (GET)
• Central servers distribute symmetric keys
• All IPsec gateways use the same security association (incl. traffic keys)
• (Some) shortcomings:
  – No protection against internal attackers
  – No Perfect Forward Secrecy
  – Availability hard to guarantee
[Figure: private networks attached to a public transport network, with a central key server and a backup key server]
[RoSc09] Rossberg, Michael; Schaefer, Guenter: Ciscos Group Encrypted Transport VPN – Eine kritische Analyse (Cisco's Group Encrypted Transport VPN: A Critical Analysis), DACH Security, 2009
Example 3: Dynamic Multipoint VPN (DMVPN)
• VPNs consist of “hubs” and “spokes”
• OSPF routing between static hubs
• Dynamic spokes contact a pre-configured hub
• Additionally “spoke-to-spoke” connections
• Shortcomings:
  – Configuration overhead
  – Internal attackers
  – Fixed hubs critical for DoS-resistance
[Figure: hub-and-spoke topology of private networks]
Related work
[RoSc11] Rossberg, Michael; Schaefer, Guenter: A Survey on Automatic Configuration of Virtual Private Networks, Computer Networks, June 2011

Approaches (table columns, in order): Easy VPN; Group Encrypted Transport (GET); Hamachi 2; Key distribution via DNSSEC; Wippien; Social VPN; N2N; DMVPN; Opportunistic Encryption (OE); Cryptographically Generated Addresses (CGA); Tunnel Endpoint Discovery (TED); Security Policy Protocol (SPP); Proactive Multicast IPsec Discovery Protocol (PMIDP); WASTE; P2P VPN; tinc; CloudVPN. Symbols as in the original: +, Ø, -, NA, ?.

| Property | Easy VPN | GET | Hamachi 2 | DNSSEC | Wippien | Social VPN | N2N | DMVPN | OE | CGA | TED | SPP | PMIDP | WASTE | P2P VPN | tinc | CloudVPN |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| General properties | | | | | | | | | | | | | | | | | |
| Topology | centralized | centralized | centralized | decentralized | decentralized | decentralized | decentralized | decentralized | distributed | distributed | distributed | distributed | distributed | distributed | distributed | distributed | distributed |
| Protocol layer of VPN | 3 | 3 | 4 | 3 | 4 | 4 | 4 | 3 | 3 | 3 | 3 | 3 | 3 | 7 | 4 | 4 | 4 |
| Protocol layer of forwarded data | 3 | 3 | 3 | 3 | 3 | 3 | 2 | 3 | 3 | 3 | 3 | 3 | 3 | 4 | 3 | 2/3 | 2/3 |
| Simple config. | Ø | Ø | + | + | + | + | Ø | - | + | + | Ø | Ø | Ø | + | + | - | Ø |
| Gateway function | n | n | 1 | 0 | 0 | 0 | n | n | 0 | 0 | n | n | n | 0 | 0 | n | 0 |
| Functional objectives | | | | | | | | | | | | | | | | | |
| Nesting | - | - | - | - | - | 1 | 1 | 1/n | - | - | - | - | - | - | n | n | n |
| Uni-/Multicast | u | u | u/m | u | u | u | u | u | u | u | u | u | m | u | u | u | u |
| NAT traversal | Ø | - | + | - | + | + | Ø | Ø | - | - | - | - | - | - | Ø | + | Ø |
| Non-functional objectives | | | | | | | | | | | | | | | | | |
| Robustness | - | - | - | - | - | + | + | Ø | Ø | Ø | Ø | Ø | Ø | Ø | + | Ø | Ø |
| Scalability | - | + | Ø | + | Ø | + | - | Ø | + | + | + | + | Ø | - | - | - | - |
| Efficiency | + | + | Ø | + | Ø | + | + | + | + | + | + | + | - | - | - | - | - |
| Security | | | | | | | | | | | | | | | | | |
| E2E protection | - | - | + | + | + | + | + | - | - | Ø | + | + | + | - | - | - | - |
| PFS | + | - | + | + | - | + | - | + | + | + | + | + | + | - | - | - | + |
| Covert-channel resistance | + | - | + | NA | NA | NA | + | + | NA | NA | Ø | Ø | + | NA | NA | + | + |
| Infrastructure hiding | - | - | - | - | - | + | - | Ø | NA | NA | Ø | Ø | - | + | Ø | + | + |
| Entity authentication | + | - | ? | + | - | + | - | Ø | - | Ø | + | + | Ø | Ø | - | + | Ø |
| Data integrity / authentication | Ø | - | ? | + | ? | + | - | Ø | + | + | + | + | + | - | - | Ø | Ø |
| Static access control | + | + | + | - | + | + | Ø | + | - | - | + | + | + | Ø | Ø | + | + |
| Dynamic access control | + | - | - | - | - | + | - | Ø | - | - | + | + | - | + | - | - | - |
| Availability | | | | | | | | | | | | | | | | | |
| DoS-resistance | - | - | Ø | - | - | Ø | - | Ø | + | + | + | + | - | Ø | Ø | Ø | Ø |
| Graceful degradation | - | - | - | + | + | + | - | - | + | + | + | + | - | - | - | Ø | - |
| DoS-recovery | - | - | - | - | - | - | - | - | + | Ø | - | - | - | + | + | - | Ø |

Private addresses (functional objective; only 16 of the 17 entries survived extraction, column order as above): + - + - + + + - - - - + + + + +
• Survey of 17 approaches
• All tailored for a special scenario
• Many weaken security
• None address
  – Nested tunnels
  – DoS-resistance
  – Internal attackers
Secure OverLay for IPsec Discovery (SOLID)
Derived research questions:
• How can a scalable and robust VPN be constructed automatically?
• How can we construct efficient VPN structures with as few associations as possible?
• How can topology knowledge be kept local?
• How can security challenges like internal attackers be countered?
• How can DoS-resistance be achieved?
Main approach
• Routing by a structured overlay network
• Gateways ordered by internal addresses
• Gateways may be inserted multiple times
• Routing information is held within the topology
⇢ Combination of routing and dynamic topology control
[Figure: nine private networks numbered 1–9: 1: 10.2.0.0/24, 2: 10.1.0.0/16, 3: 10.2.1.0/24, 4: 10.2.2.0/24, 5: 172.16.0.0/16, 6: 172.16.1.0/16, 7: 10.2.3.0/24, 8: 10.2.4.0/24, 9: 10.2.5.0/24]
[RSS10] Rossberg, Michael; Strufe, Thorsten; Schaefer, Guenter: Distributed Automatic Configuration of Complex IPsec-Infrastructures. Journal of Network and Systems Management, Volume 18, Issue 3, pp. 300-326, 2010
Ring topology
• Guarantees discovery in O(n) steps
[Figure: ring of gateways ordered by internal address: 10.0.0.0/16, 10.3.0.0/16, 10.4.0.0/16, 10.5.0.0/16, 10.30.0.0/16, 10.31.0.0/16]

Embedding of the overlay structure
• Embedding of the ring into the transport network
⇢ Efficient embedding with local knowledge?
[Figure: Nets 1–9 attached to a public network]

Ring topology
• Guarantees discovery in O(n) steps
• Tunnels are indirect at first
• Later optimization
[Figure: the ring (10.0.0.0/16, 10.2.0.0/16, 10.3.0.0/16, 10.4.0.0/16, 10.5.0.0/16, 10.30.0.0/16, 10.31.0.0/16) embedded over public or private networks]
Optimization of forwarding paths
• Indirect connections will be optimized:
⇢ Optimal path in common transport networks
⇢ Only usage of local knowledge
Overlay path lengths
• HOT router topology with cycles
⇢ Optimization algorithms might find only local minima
• Despite this extreme assumption:
  – Average influence barely measurable with significance
  – Worst case: sub-linear increase
Cross-connections (aka fingers)
• Discovery in O(log n) steps
⇢ Scalable VPN with very few connections
Efficiency of fingers (I)
• Direct scenario
• Comparison between sample-based fingers and SkipGraphs
• Efficiency of SkipGraph asymptotically equal
• But sample-based better, as it is more exact
$$\text{Search Efficiency} = \frac{\text{Ø Overlay-Hops with Random Fingers}}{\text{Ø Overlay-Hops with Network under Test}}$$ (Ø = average)
Efficiency of fingers (II)
• HOT graph
• Comparison nested vs. direct scenario:
  – Sample-based a little bit worse
  – SkipGraphs way worse
• Main cause: samples allow more flexible selection of targets
⇢ Much more efficiency, especially in nested scenarios
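The ring and finger slides above state the two discovery bounds (O(n) on the plain ring, O(log n) with cross-connections) and define search efficiency as a ratio of average overlay hops. The script below is an added example, not SOLID's code: it orders a constructed set of internal prefixes into a ring, attaches either the ring successor only, Chord-style fingers at ring distances 2, 4, 8, ... or the same number of random fingers (all three link schemes are assumptions for illustration; SOLID's sample-based finger selection and SkipGraphs are not implemented), routes greedily along the ring, and reports the average hop counts and the search-efficiency ratio.

```python
import ipaddress
import random
from statistics import mean

# Constructed sample: 64 internal /16 prefixes, one per gateway.
SAMPLE_NETS = [f"10.{i}.0.0/16" for i in range(64)]


def build_overlay(prefixes, finger_mode="none", seed=1):
    """Order gateways by internal address and attach overlay links.

    finger_mode: "none"   -> ring successor only (O(n) discovery)
                 "power2" -> Chord-style fingers at ring distance 2, 4, 8, ...
                             (assumption for illustration; O(log n) discovery)
                 "random" -> as many fingers as "power2", at random positions
    Returns (sorted prefixes, {index: set of indices the node has a tunnel to}).
    """
    ids = sorted(prefixes, key=lambda p: int(ipaddress.ip_network(p).network_address))
    n = len(ids)
    rng = random.Random(seed)
    finger_count = max(0, (n - 1).bit_length() - 1)  # powers of two in [2, n-1]
    links = {}
    for i in range(n):
        peers = {(i + 1) % n}  # the ring successor is always present
        if finger_mode == "power2":
            d = 2
            while d < n:
                peers.add((i + d) % n)
                d *= 2
        elif finger_mode == "random":
            while len(peers) < min(1 + finger_count, n - 1):
                j = rng.randrange(n)
                if j != i:
                    peers.add(j)
        links[i] = peers
    return ids, links


def route(links, src, dst):
    """Greedy clockwise forwarding: at each node jump to the known peer that is
    closest to dst without passing it. Returns the number of overlay hops."""
    n = len(links)
    cur, hops = src, 0
    while cur != dst:
        # The ring successor always shortens the clockwise distance, so this terminates.
        cur = min(links[cur], key=lambda j: (dst - j) % n)
        hops += 1
    return hops


def average_hops(links):
    """Mean overlay hops over all ordered (src, dst) pairs."""
    n = len(links)
    return mean(route(links, s, d) for s in range(n) for d in range(n) if s != d)


def search_efficiency(prefixes, seed=1):
    """Ratio from the slide: avg hops with random fingers / avg hops with the fingers under test
    (here the power-of-two fingers play the role of the network under test)."""
    _, random_links = build_overlay(prefixes, "random", seed)
    _, tested_links = build_overlay(prefixes, "power2")
    return average_hops(random_links) / average_hops(tested_links)


if __name__ == "__main__":
    for mode in ("none", "power2", "random"):
        _, links = build_overlay(SAMPLE_NETS, mode)
        print(f"{mode:7s}: {average_hops(links):.2f} avg overlay hops")
    print(f"search efficiency of power-of-two fingers: {search_efficiency(SAMPLE_NETS):.2f}")
```

With 64 gateways the plain ring needs 32 hops on average (n/2) and the worst pair 63, while the power-of-two fingers need the popcount of the clockwise distance, 192/63 ≈ 3.05 hops on average and at most 6; the ratio above 1.0 for random fingers is the metric the slide uses to rank finger-selection strategies.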
Non-functional properties
• Minimal configuration: Only a certificate with IP addresses and bootstrapping information required
• Scalability: Support for many thousand nodes expected
• Robustness: Tolerates partitioning, partial connectivity problems, and high packet loss rates
• Agile: Dynamic actions cause local effects only, MOBIKE support
Level of security
Does the dynamic construction of associations lead to new threats?
⇢ External attackers: always IPsec protection
⇢ Internal attackers: end-to-end security
[Figure: Source – Intermediate 1 – Intermediate 2 – Target]
Assessment of security against internal attackers
• Only thing possible: attacker does not optimize routes & initiates many security associations
  ⇢ Attacker controls more connections
  ⇢ Traffic flow analysis, grey- & blackhole attacks
• However: attack difficult to coordinate & a general problem of today's routing algorithms
⇢ High resistance against internal attackers
DoS-resistance
[Figure: DoS attack taxonomy: resource destruction; resource exhaustion of CPU, memory and bandwidth; the first three are marked ✔, bandwidth is marked ?]
• No exposed instances
• Fast repair process with possibility to re-route
• Proactive planning of backup paths
• VPN tunnels reduce attack vector
Basic bandwidth-attacker model
• Attacker observes node set $X$
• Attacks identified neighbors by bandwidth exhaustion
• Possibly different probabilities of observation $p_v$
[Figure: overlay graph with per-node observation probabilities between 0.1 and 0.9]
Planning attacks
• Assumptions:
  – Attackers know topology
  – Only network addresses unknown
  – Independent observations
• Attacker may choose observation points:
  – Randomly
  – Greedy
  – Optimally
Planning optimal attacks (I)
• Optimal attack for a “budget” $P_{\min}$ (the product of the observation probabilities must be at least $P_{\min}$):
$$D_{\mathrm{opt}}(G, P_{\min}) = \max \left\{ D_G(X) \;\middle|\; X \subseteq V,\ \sum_{x \in X} \log p_x \geq \log P_{\min} \right\}$$
• Vulnerability against optimal attackers:
$$E_{\mathrm{opt}}(G) = \int_{P_{\min}=0}^{1} D_{\mathrm{opt}}(G, P_{\min}) \, \mathrm{d}P_{\min}$$
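The two definitions above can be evaluated directly on a small topology, which is how a defender gauges how much damage a bandwidth attacker with a given observation budget can do. The script below is an added example, not code from SOLID or the cited paper: it builds a constructed 8-node ring with two cross-connections and constructed observation probabilities, enumerates all 2^|V| observation sets X to compute $D_{\mathrm{opt}}(G, P_{\min})$, and integrates $E_{\mathrm{opt}}(G)$ exactly over the steps of $D_{\mathrm{opt}}$. The damage function $D_G(X)$ is not spelled out on the slides; the assumption used here is that every neighbour of an observed node is flooded, a flooded node neither sends nor forwards, and $D_G(X)$ is the share of end-to-end connections (node pairs) that are lost.

```python
import itertools
import math

# Constructed sample overlay: 8 gateways on a ring with two cross-connections,
# and per-node observation probabilities p_v chosen for illustration.
NODES = list(range(8))
EDGES = [(i, (i + 1) % 8) for i in range(8)] + [(0, 4), (2, 6)]
P_OBS = {0: 0.9, 1: 0.3, 2: 0.7, 3: 0.2, 4: 0.8, 5: 0.4, 6: 0.6, 7: 0.5}


def adjacency(nodes, edges):
    adj = {v: set() for v in nodes}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def connected_pairs(nodes, adj, removed):
    """Number of unordered node pairs still connected when `removed` nodes are down."""
    alive = [v for v in nodes if v not in removed]
    seen, total = set(), 0
    for s in alive:
        if s in seen:
            continue
        comp, stack = {s}, [s]
        while stack:
            v = stack.pop()
            for w in adj[v]:
                if w not in removed and w not in comp:
                    comp.add(w)
                    stack.append(w)
        seen |= comp
        total += len(comp) * (len(comp) - 1) // 2
    return total


def damage(nodes, adj, observed):
    """D_G(X) for the observed set X (assumption: every neighbour of an observed
    node is flooded, a flooded node neither sends nor forwards, and the damage is
    the share of node pairs whose end-to-end connection is lost)."""
    flooded = set()
    for x in observed:
        flooded |= adj[x]
    all_pairs = len(nodes) * (len(nodes) - 1) // 2
    return 1 - connected_pairs(nodes, adj, flooded) / all_pairs


def d_opt(nodes, adj, p_obs, p_min):
    """D_opt(G, P_min) = max { D_G(X) | X subset of V, sum_x log p_x >= log P_min }.
    Brute force over all subsets; the problem is NP-hard, so this is only
    feasible for small graphs."""
    best = 0.0
    for r in range(len(nodes) + 1):
        for X in itertools.combinations(nodes, r):
            if sum(math.log(p_obs[x]) for x in X) >= math.log(p_min):
                best = max(best, damage(nodes, adj, X))
    return best


def e_opt(nodes, adj, p_obs):
    """E_opt(G) = integral of D_opt(G, P_min) over P_min in (0, 1].
    D_opt is a non-increasing step function whose steps lie at the success
    probabilities prod(p_x) of the subsets, so the integral is summed exactly."""
    subsets = []
    for r in range(len(nodes) + 1):
        for X in itertools.combinations(nodes, r):
            prob = math.prod(p_obs[x] for x in X)  # empty set: prob 1, damage 0
            subsets.append((prob, damage(nodes, adj, X)))
    thresholds = sorted({prob for prob, _ in subsets})
    total, prev = 0.0, 0.0
    for t in thresholds:
        # For P_min in (prev, t] exactly the subsets with prob >= t are feasible.
        total += (t - prev) * max(dmg for prob, dmg in subsets if prob >= t)
        prev = t
    return total


if __name__ == "__main__":
    adj = adjacency(NODES, EDGES)
    for p in (0.9, 0.6, 0.3, 0.05):
        print(f"P_min = {p:.2f}: D_opt = {d_opt(NODES, adj, P_OBS, p):.3f}")
    print(f"E_opt(G) = {e_opt(NODES, adj, P_OBS):.3f}")
```

On this sample, observing only node 0 (probability 0.9) already floods its three neighbours and cuts 22 of 28 connections, and observing nodes 0 and 2 (probability 0.63) disconnects every pair; a lower $E_{\mathrm{opt}}$ for an alternative topology with the same probabilities would mean higher resistance, which is the comparison the following slides make.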
Planning optimal attacks (II)
[Figure: affected end-to-end connections [%] (0–100) plotted over P(X) of the attack (0.0–1.0); the plot is labeled with the regions “Vulnerability” and “Resistance”]
Planning optimal attacks (III)
• Finding optimal attacks is NP-hard
  – Reduction to Vertex Cover
  – Without relying on different probabilities
• But:
  – May be approximated (even though not well)
  – For smaller networks solvable optimally
• Used binary linear optimization, e.g., by branch-and-cut
• Runtime heavily depends on graph structure
Constructing resilient topologies
• Optimal topologies ⇢ bi-level optimization problem
• Operator: $\min_{x} \left\{ \mathrm{attackGain}(x, y) + c \cdot \mathrm{costs}(x) \text{ for feasible topologies } x \right\}$
• Attacker: $\max_{y} \left\{ \mathrm{attackGain}(x(y), y) \text{ for feasible attacks } y \right\}$
• Only solvable for very small instances
⇢ Heuristics & simple rules required
[RGS12] Rossberg, Michael; Girlich, Franz; Schaefer, Guenter: Analyzing and Improving the Resistance of Overlay-Networks against Bandwidth Exhaustion Attacks, RNDM 2012.
Availability zones
• Arrange nodes in zones
• Only neighboring zones may communicate
• Reduces observability
⇢ Constrains external & internal DoS attacks
⇢ Requires support from the key exchange protocol
[BRS09] Brinkmeier, Michael; Rossberg, Michael; Schaefer, Guenter: Towards a Denial-of-Service Resilient Design of Complex IPsec Overlays, International Conference on Communications (ICC), 2009
Increase of DoS-resistance
• Direct scenario
• 50 nodes, p uniform in (0,1)
• Monotone zone distribution by probability
• 24h observation
⇢ Despite the strong attacker, a significant increase
Architecture of the prototype
[Figure: prototype architecture. Simulator side: OMNeT++ with INET and simLib. Prototype side: strongDaemon with Charon (stroke over D-Bus), netfilter/iptables with the ipt_solid module, XFRM via rtnetlink/ioctl, libnl, libnet, uDHCPd, a TUN device and an IPIP tunnel device in the Linux kernel; functions: routing, IPsec monitoring, reinjection of UDP packets without an active SA, dynamic firewalling, creation of CUG associations; shared libraries coreLib, posixLib and soLib]
⇢ Same base system in simulator and prototype
[RSSM09] Rossberg, Michael; Steudel, Wolfgang; Schaefer, Guenter; Martius, Kai: Eine Software-Architektur zur Konstruktion flexibler IPsec-Infrastrukturen (A Software Architecture for the Construction of Flexible IPsec Infrastructures). 11. Deutscher IT-Sicherheitskongress, 2009
Inserting a new node
[Figures: simulation and lab experiment]
⇢ Reuse of the same base system makes the simulation extremely significant
Conclusion
• SOLID is
  – a distributed auto-configuration approach for complex IPsec VPNs that
  – does not reduce the achievable level of security in comparison to a manual configuration, that
  – uses dynamic topology reconfiguration to cope with failures and attacks, and that
  – is implemented and evaluated in both a prototypic and a simulative environment
Outlook
• Further development of the prototype
  – Optimizations
  – Stabilization
  – Resolve kernel IPv6 issues
• Management aspects
  – Monitoring data:
    • Collection?
    • Querying?
    • Visualization?
  – Deployment of certificates & keys?