Download to read offline
Uploaded byICT PRISTINE
6 security130123
The document discusses security in the Recursive InterNetwork Architecture (RINA) model. It argues that RINA is inherently more secure than the current Internet architecture due to its design principles. Specifically, it notes that in RINA: 1) A Distributed Information Field (DIF) acts as a "securable container" that isolates applications and provides built-in authentication of members. 2) Attacks like port scanning are much more difficult due to decoupling of port allocation and connection synchronization. 3) Common Internet protocols like TCP/IP are not needed, removing associated vulnerabilities. Overall, RINA requires fewer protocols, security mechanisms, and complexity to achieve stronger security. 4) The model
More Related Content
6 security130123
- 1. © John Day,2013 1 Rights Reserved The Pouzin Society Security in RINA IRATI Workshop Barcelona, Spain John Day Lou Chitkushev
- 2. © John Day,2013 2 Rights Reserved The Pouzin Society First a Word on Method • When trying to work out the IPC Model absolutely no thought was given to security. All of the focus was just understanding the structure. • People kept asking, What about Security? Is there a security layer? • Didn’t Know. Hadn’t thought about it. • There was the obvious: – The recursion of the layer provided Isolation. – That only the Application Name and local port-id were exposed to the correspondents. • Interesting, but hardly an answer • But it wasn’t the time for those questions . . . • At least not yet . . .
- 3. © John Day,2013 3 Rights Reserved The Pouzin Society The Recursion Provided Isolation • Security by isolation, (not obscurity) • Hosts can not address any element of the ISP. • No user hacker can compromise ISP assets. • Unless ISP is physically compromised. ISP Hosts and ISPs do not share DIFS. (ISP may have more layers
- 4. © John Day,2013 4 Rights Reserved The Pouzin Society How Does It Work? Security • A Hacker in the Public Internet cannot connect to an Application in another DIF without either joining the DIF, or creating a new DIF spanning both. Either requires authentication and access control. – Non-IPC applications that can access two DIFs are a potential security problem. • Certainly promising Public Internet ISP 1 ISP 2 ISP 3 Internet Rodeo Drive Utility SCADA My Net Facebook Boutique Internet Mall of America
- 5. © John Day,2013 5 Rights Reserved The Pouzin Society But When It Was Time • The question was not, how to put in security? • The question was, • What does the IPC Model tell us about security? – Remember, our first task is always understanding. • Let the Problem Answer the Question! – Let the Problem Tell Us What to Do.
- 6. © John Day,2013 6 Rights Reserved The Pouzin Society The Problem Had a Lot to Say • We Already Mentioned How Little is Exposed the Layer Above. • The Original OS Model indicated where Access Control went. • Creating the Application Connection for Enrollment indicated where Authentication belonged, and that – Authentication of Applications must be done by the Applications themselves. – All members of the layer are authenticated within policy. • SDU Protection clearly provided Confidentiality and Integrity. • That implied that only Minimal trust was necessary: – Only that the lower layer will deliver something to someone. Port:=Allocate(Dest-Appl, params) Access Control Exercised
- 7. © John Day,2013 7 Rights Reserved The Pouzin Society A Very Unexpected Result • A DIF with no explicit security mechanisms is inherently more secure than the current Internet under the same conditions! • It would appear that – A DIF is a Securable Container.
- 8. © John Day,2013 8 Rights Reserved The Pouzin Society Other Things Fall Into Place • Data Transfer in RINA is based on Delta-t (Watson, 1980) • Lot has happened in 30 years, many attacks on TCP have been found: – Port scanning – Reset Attacks – SYN attacks – Reassembly Attacks • Long after delta-t was designed, what about delta-t? • Short answer: – None of them work (Boddapati, et al., 2012) • Amazing, totally unexpected – Why not? • Multiple fundamental reasons, but all inherent in the structure: – First, have to join the DIF (all members are authenticated) – Second, No Well-Known Ports • Would have to scan all possible application names! – Third and more importantly, . . .
- 9. © John Day,2013 9 Rights Reserved The Pouzin Society Decoupling Port Allocation and Synchronization • No Way to Know What CEP-ids are Being Used, Since There is No Relation Between Port-id and CEP-id. – Syn Attack: must guess which of 2^16 CEP-id. – Data Transfer: must guess CEP-id and seq num within window! – Reassembly attack: Reassembly only done once. Synchronization Connection Endpoint Port Allocation Port-id Connection
- 10. © John Day,2013 10 Rights Reserved The Pouzin Society Decoupling Port Allocation and Synchronization: No IPSec • IPsec is necessary with TCP/IP because no authentication and Sequence numbers turn over too quickly: don’t repeat sequence number with same CEP-id. • With RINA and delta-t, IPC Processes all authenticated, SDU Protection does the encryption, and packet sequence numbers slows rollover, but if it does, then simply allocate a new connection • And bind it to the same port-ids, old one disappears after 2MPL. Connection Endpoint Port Allocation Port-id Connection SDU Protection SDU Protection
- 11. © John Day,2013 11 Rights Reserved The Pouzin Society RINA is Inherently More Secure and Less Work • A DIF is a Securable Container. (Small, 2011) – What info required to mount an attack, How to get the info – Small does a threat analysis at the architecture level • Implies that Firewalls are Unnecessary, – The DIF is the Firewall! • RINA Security is considerably Less Complex than the Current Internet Security (Small, 2012) – Only do a rough estimate counting protocols and mechanisms. • See paper for details.
- 12. © John Day,2013 12 Rights Reserved The Pouzin Society 802.3 802.3 802.3 802.3 IP IP IP IP TCP TCP Browser Server MACsec MACsec MACsec MACsec EAPOL EAPOL EAPOL EAPOL IPsec IPsec IKE IKE UDP UDP TLS TLS Protocols: 15 Non-Security: 89 Security: 28 Copyright © 2012, Jeremiah Small. All Rights Reserved.
- 13. © John Day,2013 13 Rights Reserved The Pouzin Society What Does This Mean? • Protocols – We Know What That Refers To • Security Mechanisms – Authentication, Access Control, Integrity, Confidentiality, Non-Repudiation. • Non-Security Mechanisms – All the others listed in the book: delimiting, relaying, ordering, multiplexing, fragmentation/reassembly, Lost and Duplicate Detection, Flow Control, Retransmission Control, Compession, Addressing, Initial State Synchronization.
- 14. © John Day,2013 14 Rights Reserved The Pouzin Society 1-DIF 1-DIF 1-DIF 1-DIF 2-DIF 2-DIF 2-DIF 2-DIF Browser Server Backbone-DIF Backbone-DIF AppSec-DIF AppSec-DIF Protocols: 3 Non-Security: 15 Security: 5 Copyright © 2012, Jeremiah Small. All Rights Reserved.
- 15. © John Day,2013 15 Rights Reserved The Pouzin Society Internet RINA Protocols 15 3 Non-Security Mechanisms 89 15 Security Mechanisms 28 7 Totals Copyright © 2012, Jeremiah Small. All Rights Reserved.
- 16. © John Day,2013 16 Rights Reserved The Pouzin Society Internet RINA Protocols 8 0 Non-Security Mechanisms 59 0 Security Mechanisms 28 7 To Add Security Copyright © 2012, Jeremiah Small. All Rights Reserved.
- 17. © John Day,2013 17 Rights Reserved The Pouzin Society Why Is Internet Security So Bad? • The Standard Rationale One Sees is that They Didn’t Think About It at the Beginning. – Neither did We. – Nor did Watson. – But RINA and delta-t are more secure. • That Seems to Imply that – Good Design May be More Important to Security than Security Is.
- 18. © John Day,2013 18 Rights Reserved The Pouzin Society Conclusion • This is a MAJOR Improvement in Internet Security. – Not only more secure, but for less cost, with less overhead. • So is Internet Security solved? – Hardly. – Still need: to develop the plug-in policy modules – to consider DDoS (we have some ideas) – As well as protecting against Rogue IPC Processes – and much more to explore. • Most attacks are in the Applications, this does nothing about that. – But Much of this applies equally well to DAFs • Model implies that OS security reduces to Bounds Checking on Memory and IPC Security. – May also make it harder, might be able to deflect more DDoS attacks
- 19. © John Day,2013 19 Rights Reserved The Pouzin Society Questions?