KHIP: A Scalable Protocol for Secure Multicast Routing

1
KHIP: A Scalable Protocol for Secure Multicast
Routing
  • by Clay Shields and J.J. Garcia-Luna-Aceves
  • University of California, Santa Cruz

2
Outline
  • Background
  • Introduction to KHIP
  • KHIP features
  • Secure tree construction in KHIP
  • Transmission of data/control traffic
  • Key management in KHIP
  • Tree maintenance tasks in KHIP
  • Denial-of-service attack countermeasures in
    KHIP
  • Conclusion

3
Background
  • Goals of multicast protocols
  • To build a tree of routers to route multicast
    traffic
  • To detect and eliminate loops during a multicast
    session
  • E.g. When a user joins the group, the protocol
    must be able to add this user to the group
    without creating loops in the multicast tree

4
Background
  • Classes of multicast protocols
  • Sender-initiated protocols
  • E.g. DVMRP, PIM-DM, etc.
  • Receiver-initiated protocols
  • E.g. CBT, OCBT, PIM-SM, etc.
  • The focus in this presentation is on
    receiver-initiated protocols

5
Background
  • Sender-initiated protocols
  • There is a separate tree from each source to all
    destinations
  • These protocols build optimal (least path cost)
    multicast trees, since path information is
    exchanged between the routers
  • These schemes do not scale when the users are
    sparse and widespread
  • DVMRP is the current Internet standard for
    multicasting. Most new protocols being proposed
    have interoperability with DVMRP

6
Background
  • Receiver-initiated protocols
  • Each receiver wishing to participate in multicast
    sends an explicit join message towards a known
    designated central router
  • A single shared tree spanning all sources and
    receivers is built, instead of a separate tree
    for each source and all destinations
  • Shared trees are not optimal (least path cost)
    trees
  • These schemes however scale well as the routers
    need only maintain state information of a single
    shared tree

7
Background
  • CBT - Core Based Trees by A. Ballardie
  • Join mechanism
  • A user who wishes to join the group sends a join
    request towards a designated router called the
    core
  • The join request is acknowledged by a node which
    is already part of the multicast tree
  • The path taken by the acknowledgement message
    creates a new branch for the multicast tree

8
[Figure: Core Based Trees, construction mechanism. Labels: Core Router, Join Request, Join ack, Joining User]

9
Background
  • Core Based Trees
  • Failure Detection and Loop avoidance mechanisms
  • If an on-tree node fails, then its descendant
    sends a "flush" message downstream to remove the
    branch
  • all the removed nodes will rejoin the tree
    through different paths
  • if any router receives a rejoin request that it
    had forwarded earlier, then it sends a quit
    notification to its parent and flushes its
    downstream. This way loops can be avoided

10
[Figure: Core Based Trees, flush mechanism. Labels: Failed node, descendant, Flush]

11
[Figure: Core Based Trees, loop detection mechanism. Labels: Parent (on-tree node), descendant, Joining user, Join, quit, flush, Loop]

12
Background
  • OCBT - Ordered Core Based Trees by Clay Shields
    and J.J. Garcia-Luna-Aceves
  • OCBT is an improved version of CBT
  • The goals of OCBT are
  • to eliminate loops which creep into a CBT when
    the network is in a transient state
  • to eliminate denial of service caused by the loop
    detection/avoidance mechanism used in CBT protocol

13
Background
  • Features of OCBT
  • each node has a particular logical level
    (integer) associated with it
  • the levels of primary and secondary cores are
    fixed
  • any node's level is less than or equal to its
    parent's level
  • any joining router includes the level it wishes
    to join
  • if an on-tree router receives a request with a
    level higher than its current level, it quits its
    parent and joins the branch which the current
    join request is forming
  • due to the ordering of the tree, there is much
    less control traffic in OCBT

14
[Figure: Ordered Core Based Trees. Labels: Core Router, Level 1, Level 2, Join Request, Join ack, Joining User]

15
Background
  • Some issues in OCBT
  • placement of cores
  • knowledge of address of the core
  • knowledge of level of any core

16
Background
  • HIP - A protocol for Hierarchical Multicast
    Routing by Clay Shields and J.J. Garcia-Luna-Aceves
  • Features of HIP
  • an entire domain is organized and controlled in a
    way so as to appear as one single virtual
    router
  • HIP uses OCBT to create a multi-leveled hierarchy
    of virtual routers for inter-domain routing
  • each virtual router simulates the output of an
    OCBT router
  • HIP solves the problem of placement of cores by
    using border (or, exit) routers as cores

17
[Figure: HIP Tree. Labels: Core, On-tree router, Border Router]

18
KHIP: A Scalable Protocol for Secure Multicast
Routing
  • KHIP (Keyed HIP) is a protocol designed to
    counter attacks against multicast trees. Typical
    attacks include:
  • replay attacks
  • loops caused by unauthorized branches
  • flooding attacks

19
Features of Current Secure Multicasting Schemes
  • Control messages are not protected, only data is
    secure
  • A set of malicious routers can collaborate to
    isolate a set of multicast users
  • Loops can be introduced by a malicious router
  • To counter these attacks, a secure multicast
    protocol must include only those links which
    connect trusted routers

20
[Figure: Attacks on HIP. Panels: a. Isolation, b. Loops. Labels: Core, Corrupt Router, Other Routers]

21
Issues Addressed by KHIP
  • Authentication: only known participants should be
    allowed to join
  • Authorization: only authorized participants can
    change routing structure of the multicast tree
  • Integrity: data and control packets should not be
    altered during multicast transmissions

22
KHIP Features Overview
  • KHIP creates one or more authentication servers
    which issue certificates to trusted entities
  • the core signs reply messages and includes its
    certificate in all acknowledgements
  • an on-tree router signs all control messages to
    prove its authority and identity to others
  • the multicast tree is divided into multiple
    sub-branches
  • members along each sub-branch communicate using a
    shared sub-branch key

23
[Figure: KHIP Tree. Labels: Core, Border Router, sub-branches SB-1, SB-2, SB-3, SB-4]

24
Secure Tree Construction in KHIP
  • Member authentication
  • authentication is through the use of certificates
    and public/private key pairs
  • a joining user obtains a certificate from the
    authentication server
  • the certificate lists the group or groups that
    this user is authorized to use

25
Secure Tree Construction, contd.
  • Creation of groups
  • an initiator for the group obtains an appropriate
    certificate from the authentication service
  • the location service is notified of the address
    (or identity) of the center point (core)
  • the location service then creates a group using
    this core
  • the core then serves as the root of the multicast
    tree
  • any joining users send join requests to this core

26
Secure Tree Construction, contd.
  • Building the Secure Tree
  • KHIP introduces two additional messages, Core
    Request and Core Acknowledgement
  • a joining user initially sends a signed Core
    Request to the core
  • a trusted router, or the core, replies with a
    signed Core Acknowledgement
  • only a trusted router replies to a join
    message, unlike in CBT or OCBT

27
Secure Transmission of Data/Control Traffic
  • the data/control traffic is encrypted using a
    random key
  • this random key is encrypted with the branch key
    and transmitted along the branch
  • when a branch member receives this information,
    it decrypts the random key and verifies the
    sequence number, branch ID and checksum
  • retransmission only requires new sequence numbers
    and branch IDs
  • checksum verification is the only expensive
    operation in this process
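
The receive and relay path described on this slide, as an added example that is not part of the original presentation or the KHIP authors' code. The packet layout, the SHA-256 checksum, the HMAC over the header and the keystream stand-in cipher are assumptions, since the slides name no algorithms.

```python
import hashlib, hmac, os, struct

# Assumed header fields: random key, branch ID, sequence number, checksum
HDR = struct.Struct(">32sIQ32s")

def _xor(key, nonce, data):
    # Stand-in cipher (SHA-256 counter keystream) so the example needs only the
    # standard library; a real deployment would use a vetted cipher instead.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(branch_key, branch_id, seq, rand_key, body):
    """Encrypt the header under the branch key, MAC it, and attach the body."""
    nonce = os.urandom(16)
    hdr = HDR.pack(rand_key, branch_id, seq, hashlib.sha256(body).digest())
    enc = _xor(branch_key, nonce, hdr)
    mac = hmac.new(branch_key, nonce + enc, hashlib.sha256).digest()
    return nonce + enc + mac + body

def seal(branch_key, branch_id, seq, payload):
    rand_key = os.urandom(32)  # fresh random key for every packet
    return wrap(branch_key, branch_id, seq, rand_key, _xor(rand_key, b"", payload))

class BranchMember:
    def __init__(self, branch_key, branch_id):
        self.key, self.branch_id, self.last_seq = branch_key, branch_id, 0

    def _open(self, pkt):
        n = 16 + HDR.size
        nonce, enc, mac, body = pkt[:16], pkt[16:n], pkt[n:n + 32], pkt[n + 32:]
        good = hmac.new(self.key, nonce + enc, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, good):
            return None  # header was not produced with this branch key
        rand_key, branch_id, seq, digest = HDR.unpack(_xor(self.key, nonce, enc))
        if branch_id != self.branch_id or seq <= self.last_seq:
            return None  # wrong branch, or a replayed/stale sequence number
        if not hmac.compare_digest(digest, hashlib.sha256(body).digest()):
            return None  # checksum mismatch: body altered in transit
        self.last_seq = seq
        return rand_key, body

    def receive(self, pkt):
        opened = self._open(pkt)
        return None if opened is None else _xor(opened[0], b"", opened[1])

    def forward(self, pkt, next_key, next_branch_id, next_seq):
        # Relay onto another sub-branch: new header only, body bytes reused as-is.
        opened = self._open(pkt)
        return None if opened is None else wrap(next_key, next_branch_id, next_seq, *opened)
```

The branch and sequence checks run before the checksum, so the hash over the body is only computed for packets that already passed the cheap tests.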

28
Key Management in KHIP
  • when a user leaves a sub-branch, the nearest
    core changes the branch key
  • this key is then multicast to all the members
    using their individual public keys
  • This scheme, however, is not scalable if the
    branch has hundreds of users

29
Tree Maintenance Tasks
  • when a node fails, its child node will flush
    the entire downstream
  • when a node receives a join request with a
    higher level number than its own, that branch
    needs to be dissolved; this is done by sending a
    quit notice to the parent of this node

30
Denial-of-Service Attack Countermeasures in
KHIP
  • KHIP limits flooding attacks by verifying
    sequence numbers and branch numbers
  • access to a branch is also difficult due to
    the security mechanisms
  • the use of the random branch key eliminates
    replay attacks, since the random key would be
    different each time
  • KHIP, however, allows untrusted routers to drop
    control packets

31
Conclusion
  • KHIP is a secure hierarchical multicast protocol
  • KHIP reduces the threat of replay attacks and
    flooding attacks
  • KHIP uses security mechanisms to eliminate loops
    and isolation of valid users by corrupt routers
  • Unsigned control messages, however, are subject
    to dropping by corrupt routers