On Information Hiding and Network Management

1
On Information Hiding and Network Management
(A Position Paper)

• Kenneth L. Calvert and James Griffioen
• Laboratory for Advanced Networking
• Department of Computer Science
• University of Kentucky

Thanks Cisco, Kentucky Science and Eng.
Foundation
2
The Network Management Tussle

• Service Providers have to
• compete with each other
• cooperate with each other
• Network Management requires information
• About the network being managed
• About the rest of the Internet
• Providers want to hide information about their
  networks

3
Why Hide Information?

• Competitive Pressures
• Reveal as little as possible about business
  practices, customer relationships
• Customer Privacy
• Concerns about possible repercussions of
  revealing, e.g. communication patterns
• Safety and Security
• Detailed information about a providers system
  may make it easier to attack.

4
Why Not Hide Information?

• It is useful for network management
• Where are the packets being dropped?
• What is the maximum number of dropped packets in
  this part of the network?
• How many routers have seen packets sent to
  strange ports?
• It is also useful for applications/users
  generally
• Where are the packets being dropped?
• Which end-to-end paths share congested links?
• What is the maximum 5-sec average queue length
  along this path?
• What is the maximum loss rate experienced by any
  receiver?

5
Existing Network Mgmt (SNMP)

• Low-level interface to available information
• Get/Set
• One-to-one communication model
• Higher-level functions tend to be vendor-specific
• Inadequate trust model
• Choose between insecure or heavyweight
  authentication
• Signature verification overhead opens DoS
  possibilities
• Scalability issues (See also IAB 2004)
• No convenient way to probe a group of nodes
• Hard to manage policies for large numbers of
  nodes

SNMP cannot support a NM paradigm shift!
6
Granting Access to Information

• Per Session (well-known approach)
• Establish a session (a heavyweight operation)
• Authenticate party at other end (at an additional
  cost)
• Determine authorization of that party for each
  operation based on identity
• Can support multiple privilege levels
• But group operations are very expensive
• Per Packet (not yet supported)
• Lightweight determination of packet authorization
  class
• Based on geometry of the system
• Not on packet contents
• Read information from multiple nodes with a
  single packet

7
What is needed? (aka our position)

• Per-packet Access Any packet should be able to
  request (read) information from any router.
• Minimal Policy Minimize distinctions among
  packets regarding access to information
  facilities.
• Processed Information Needs to be possible to
  collect and process data (e.g., perform
  aggregation/summarization) to hide information
  and/or improve scalability.
• Information Hiding Information may be modified
  as it crosses a providers boundary, allowing
  providers to control how data is made available
  (exposed) to the outside world.

For Users
For Providers
Note Existing heavyweight mechanisms can still
be used when needed.
8
Assumptions
The rest of the World

• Providers manage domains
• Domains define information hiding boundaries
• Nodes (routers/end systems) are either inside or
  outside a given domain
• Nodes inside the domain with links to one or more
  nodes outside the domain are border routers
• Links connecting border routers in different
  domains are known border links
• Packets get lower authorization if they cross a
  border link

9
Techniques for Hiding while Exposing

• Aggregation
• Anonymization
• Abstraction
• Implementation Context Ephemeral State
  Processing (ESP)
• Supports simple distributed computations w/state
• Operates at line-speed (per-packet processing,
  near the fast path)
• ESP-NM read-access to (some) MIB variables

10
Ephemeral State Store

• Information persists for a fixed time ?, then
  vanishes
• ? ? a few seconds
• Stored information cannot be refreshed
• An associative store
• Binds tags to values (partial function ƒ)
• Semantics
• put(t, v) establishes ƒ.t v
• get(t) if ƒ defined at t, return ƒ.t else
  return null
• Users choose tags randomly

11
Aggregation

• Goal Hide individual values collected from a set
  of nodes
• Idea use an aggregation function to compute a
  representative value
• Example Functions Max, Min, Avg, Sum, etc
• Example Uses
• Identify the receiver with max loss rate in a
  group
• Find the path with shortest average queue length
• Compute the overall network load
• Advantages
• Hides information
• Simplifies the interface less information to
  deal with
• Distributes processing

12
Aggregation Implementation (using ESP-NM)

• Two (triggered) phases
• Establish child counts at every router on the
  path to the monitor node
• Send individual values along with aggregation
  operation (e.g., max, min, sum, etc)
• Example Collect minimum value from a set of
  receivers

13
Feedback Aggregation (Phase 1)
Operands Counter tag c Threshold
value 1
COUNT
B
A
D
S
r1
r2
r3
C
E
Time1
14
Feedback Aggregation (Phase 1)
COUNT
B
A
D
S
r1
r2
r3
(c,1)
C
E
Time2
15
Feedback Aggregation (Phase 1)
COUNT
B
A
D
S
r1
r2
r3
(c,1)
(c,1)
(c,1)
C
E
Time3
16
Feedback Aggregation (Phase 1)
COUNT
B
A
(c,1)
D
S
r1
r2
r3
(c,1)
(c,2)
(c,1)
C
E
Time4
17
Feedback Aggregation (Phase 1)
COUNT
B
A
(c,2)
D
S
r1
r2
r3
(c,1)
(c,2)
(c,2)
C
E
Time5
18
Feedback Aggregation (Phase 1)
B
A
(c,3)
D
S
r1
r2
r3
(c,1)
(c,2)
(c,2)
C
E
Time6
19
Feedback Aggregation (Phase 2)
B
A
(c,3)
D
S
r1
r2
r3
(c,1)
(c,2)
(c,2)
C
E
Time7
20
Feedback Aggregation (Phase 2)
B
A
(c,3)
D
S
r1
r2
r3
(c,1)
(c,2)
(c,2)
C
E
Time8
21
Feedback Aggregation (Phase 2)
COLLECT
B
A
(c,3)
D
S
r1
r2
r3
(c,1)
(c,2)
(c,2)
C
E
Time9
22
Feedback Aggregation (Phase 2)
B
A
(c,3)
D
S
r1
r2
r3
(c,1)
(c,1) (v,3)
(c,2)
C
E
Time10
23
Feedback Aggregation (Phase 2)
B
A
5
(c,3)
D
S
r1
r2
r3
(c,1)
(c,1) (v,3)
(c,1) (v,2)
C
E
Time11
24
Feedback Aggregation (Phase 2)
B
A
(c,2) (v,5)
D
2
S
r1
r2
r3
(c,1)
(c,1) (v,3)
(c,1) (v,2)
C
E
Time12
25
Feedback Aggregation (Phase 2)
B
A
(c,1) (v,2)
D
S
r1
r2
r3
(c,1)
4
(c,1) (v,3)
(c,1) (v,2)
C
E
Time13
26
Feedback Aggregation (Phase 2)
B
A
(c,0) (v,2)
D
S
r1
r2
r3
(c,1)
(c,1) (v,3)
(c,1) (v,2)
C
E
Time14
27
Feedback Aggregation (Phase 2)
B
A
(c,0) (v,2)
D
S
r1
r2
r3
(c,1)
(c,1) (v,3)
(c,0) (v,2)
C
E
Time15
28
Feedback Aggregation (Phase 2)
B
A
(c,0) (v,2)
D
S
r1
r2
r3
(c,1)
(c,0) (v,2)
(c,0) (v,2)
C
E
Time16
29
Feedback Aggregation (Result)
B
A
(c,0) (v,2)
D
S
r1
r2
r3
(c,0) (v,2)
2
(c,0) (v,2)
(c,0) (v,2)
C
E
Time17
30
Anonymization

• Goal Obscure the identity of network elements
  while maintaining the ability to differentiate
  among nodes, domains, etc.
• Idea Return anonymized data, but maintain
  (locally) the mapping between anonymized values
  and real values
• Think cookies
• Example Uses
• Find most heavily loaded router along a path
  (without revealing its identity), then query that
  router for additional info
• Determine whether two paths traverse the same
  domain without revealing which domain
• Advantages
• Allows providers to hide private information
  while releasing enough information for users to
  differentiate/compare/query internal nodes

31
Anonymization Implementation(using ESP-NM)

• Anonymization can occur
• At the node that creates the response, OR
• At a border router (similar to NAT)
• Similarly, identity instantiation occurs
• At the node that anonymized value
• At the border router that anonymized the value
• Issue routing to anonymized nodes
• Send to same destination as the original
  information request so the packet follows the
  same path, OR
• Border routers replace source address with their
  address

32
Abstraction

• Goal View a group of nodes as a single entity
• Idea Domain administrator defines virtual
  entities, border routers create the illusion of a
  single entity
• Example Entities Virtual path from the ingress
  to egress of a domain, or the domain looks like a
  virtual node
• Example Uses
• Return the loss rate of the internal path across
  a domain as if it were a single link
• Compute the delay across the virtual path
  connecting the ingress and egress points of a
  domain
• Advantages
• Hides identities of group members
• Allows set of network elements to be treated as a
  single element

33
Abstraction Implementation(using ESP-NM)

• "Push" a new ESP computation on entry to a
  domain, and "Pop"/use the result on exit from the
  domain
• Routers know when a packet is entering and
  exiting a domain
• Example packet finds max link delay
• Upon entry, border router pushes add ltdelaygt
  operation to sum delays of links inside the
  domain
• Upon exit, border router pops computed delay
  value for the path, and uses it as one value in
  the original ESP request for link delay

34
Dangers/Concerns

• Are additional techniques required?
• How can exposed information be misused?
• Can border transformations be implemented
  efficiently (DoS-free)?
• Do network management packets really need
  fast-path processing?
• Is read-only sufficiently useful?

35
Summary

• A tussle now exists among providers and (other)
  potential users of network information
• Network information is not just for network
  administrators
• NM paradigm shift demands new capabilities
  (per-packet access, simple processing, info
  hiding)
• Proposed solution based on Ephemeral State
  Processing
• Make (some) management information available to
  all
• Processing functions Aggregation, Anonymization,
  Abstraction
• Some (ESP) operations implemented in every
  router, on or near fast path
• Sanitizing operations implemented at domain
  borders

36
Questions?
37
Filtering(special form of aggregation?)

• Goal Hide unimportant (filtered) values
• Idea Report individual values from a group of
  nodes that pass a filter test.
• Example Filters Value gt (Threshold 0.5)
• Example Uses
• Identify/monitor heavily loaded routers
• Load balance across lightly loaded links or
  servers
• Benefits same as Aggregation

38
Fundamental Paradigm Shifts

• Openness E2E Applications and providers need
  global access to network information.
• Convenient Interfaces Users want convenient
  methods for accessing information across a set of
  nodes, not just a single node.
• Scalable Mechanisms Users want to efficiently
  access information across a set of nodes
• Read Access Only Users want to see the
  information under the covers, not change it.