Lightweight Opportunistic Tunneling (LOT)

  • Yossi Gilad
  • Amir Herzberg
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5789)

Abstract

We present LOT, a lightweight ‘plug and play’ tunneling protocol installed (only) at edge gateways. Two communicating gateways A and B running LOT automatically and securely establish an efficient tunnel, encapsulating packets sent between them. This allows B to discard packets that use A’s network addresses but were not sent via A (i.e., are spoofed), and vice versa.

LOT is practical: it is easy to manage (‘plug and play’, no coordination between gateways), it is deployed incrementally and only at edge gateways (no change to core routers or hosts), and it has negligible overhead in terms of bandwidth and processing, as we validate by experiments on a prototype implementation. LOT storage requirements are also modest. LOT can be used alone, providing protection against blind (spoofing) attackers, or to opportunistically set up IPsec tunnels, providing protection against Man In The Middle (MITM) attackers.
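To make the abstract's filtering rule concrete, here is an added illustration (not code from the paper or its prototype) of the decision gateway B makes once a LOT tunnel with A exists: packets whose source lies in A's prefix are accepted only when they arrive encapsulated with the tunnel's secret. The per-tunnel secret carried in the encapsulation header, the `Packet` shape and all addresses are assumptions constructed for the example.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Packet:
    src: str                            # outer/inner source address as a string
    dst: str
    tunnel_secret: Optional[bytes] = None   # None = plain, untunneled packet (assumed encapsulation field)

class LotGateway:
    """Edge-gateway ingress filter modelled on the abstract's rule (assumed design, not the paper's code)."""

    def __init__(self) -> None:
        # peer prefix -> per-tunnel secret agreed when the tunnel was set up (assumption)
        self.tunnels: Dict[ipaddress.IPv4Network, bytes] = {}
        self.dropped = 0                # simple counter for monitoring spoofing attempts

    def establish_tunnel(self, peer_prefix: str, secret: bytes) -> None:
        """Record that traffic from peer_prefix must now arrive through the tunnel."""
        self.tunnels[ipaddress.ip_network(peer_prefix)] = secret

    def check(self, pkt: Packet) -> Tuple[str, str]:
        """Return ('accept' | 'drop', reason) for an incoming packet."""
        src = ipaddress.ip_address(pkt.src)
        for prefix, secret in self.tunnels.items():
            if src in prefix:
                # A tunnel exists for this source prefix: untunneled use of it is spoofing.
                if pkt.tunnel_secret is None:
                    self.dropped += 1
                    return "drop", "untunneled packet claims a tunneled peer prefix"
                if not hmac.compare_digest(pkt.tunnel_secret, secret):
                    self.dropped += 1
                    return "drop", "encapsulated packet carries a wrong tunnel secret"
                return "accept", "arrived via the established tunnel"
        if pkt.tunnel_secret is not None:
            self.dropped += 1
            return "drop", "encapsulated packet from a prefix with no tunnel"
        # No tunnel for this prefix yet: LOT is incremental, legacy traffic still flows.
        return "accept", "no tunnel for this prefix; forwarded unchanged"
```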

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Yossi Gilad (1)
  • Amir Herzberg (1)
  1. Computer Science Department, Bar Ilan University, Ramat Gan, Israel