
Network Systems Security by Mort Anvari, Lecture 10


DOCUMENT INFORMATION

Basic information

Format
Pages: 20
Size: 103 KB

Content


Page 1

Ethernet

Network Systems Security

Mort Anvari

Page 2

Ethernet

• 10Mbps, 100Mbps, Gigabit
• Media access control (MAC) address (hardware address) for every interface card

Page 3

Use of Hardware Address

• Need an address to send a message to a receiver on the same Ethernet
• IP address is not usable because the network layer does not listen to the wire
• Use the hardware address to identify the receiver’s interface
• Need to resolve the receiver’s hardware address from the receiver’s IP address

Page 4

Address Resolution Protocol

• Protocol maps each IP address to the corresponding hardware address in the subnetwork
• For computer i to get the hardware address of computer j, i broadcasts a rqst message with the IP address of j to the subnetwork

[Figure: computers i and j and default router r on a switched Ethernet connected to the Internet; i broadcasts rqst(ipa.j)]

Page 5

Address Resolution

• If j sees a rqst message from i with its IP address, j sends a rply message with its IP address and hardware address to i

[Figure: computers i and j and default router r on a switched Ethernet connected to the Internet; j answers i with rply(ipa.j, hda.j)]

Page 6

Functions of ARP

• Resolving IP addresses
• Supporting dynamic assignment of addresses
• Detecting destination failures

Page 7

ARP Spoofing Attack

• To stop traffic from i to j, an adversary sends to i a spoofed rply message with the IP address of j and a non-existent hardware address

[Figure: computers i and j, adversary A and default router r on a switched Ethernet connected to the Internet; A sends i the spoofed rply(ipa.j, hda.x)]

Page 8

Another ARP Spoofing Attack

• To stop traffic from i to default router r, an adversary sends to i a spoofed rply message with the IP address of r and its own hardware address

[Figure: computers i and j, adversary A and default router r on a switched Ethernet connected to the Internet; A sends i the spoofed rply(ipa.r, hda.A)]

Page 9

Countering ARP Spoofing Attacks

• Proposed solutions include ARPWATCH and static ARP caches
• ARPWATCH monitors the transmission of rqst and rply messages over the Ethernet and checks them against a database of (IP addr, hardware addr) pairings
• A static ARP cache stores permanent (IP addr, hardware addr) pairings of trusted hosts to avoid sending rqst and rply messages over the Ethernet
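As an added example (not part of the lecture), an ARPWATCH-style monitor in Python: it checks the sender pairing carried in each observed rqst/rply message against a database of (IP addr, hardware addr) pairings and raises an alert when a pairing changes. The message layout, addresses and traffic are constructed; the two spoofed rply messages follow the scenarios of the two ARP spoofing slides, and the changed-pairing branch also shows why a dynamic re-assignment of an IP address raises the same alert.

```python
from dataclasses import dataclass, field

@dataclass
class ArpMessage:
    kind: str        # "rqst" or "rply"
    sender_ip: str   # IP address the sender claims (constructed format)
    sender_hw: str   # hardware (MAC) address the sender claims

@dataclass
class ArpWatch:
    # database of (IP addr, hardware addr) pairings, seeded with the trusted hosts
    db: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def observe(self, msg):
        known = self.db.get(msg.sender_ip)
        if known is None:               # new station: record the pairing
            self.db[msg.sender_ip] = msg.sender_hw
            return "new"
        if known != msg.sender_hw:      # pairing changed: a spoofed rply or a legitimate
            self.alerts.append((msg.kind, msg.sender_ip, known, msg.sender_hw))
            self.db[msg.sender_ip] = msg.sender_hw   # re-assignment (DHCP); the monitor cannot tell
            return "changed"
        return "ok"

def run_sample():
    # Constructed traffic following the lecture's scenario: hosts i, j, default router r, adversary A
    watch = ArpWatch(db={"10.0.0.1": "aa:aa:aa:aa:aa:01",     # i
                         "10.0.0.2": "aa:aa:aa:aa:aa:02",     # j
                         "10.0.0.254": "aa:aa:aa:aa:aa:fe"})  # r
    traffic = [
        ArpMessage("rqst", "10.0.0.1", "aa:aa:aa:aa:aa:01"),    # i broadcasts rqst(ipa.j)
        ArpMessage("rply", "10.0.0.2", "aa:aa:aa:aa:aa:02"),    # genuine rply(ipa.j, hda.j)
        ArpMessage("rply", "10.0.0.2", "00:00:00:00:00:99"),    # rply(ipa.j, hda.x): non-existent hw addr
        ArpMessage("rply", "10.0.0.254", "aa:aa:aa:aa:aa:0a"),  # rply(ipa.r, hda.A): A's own hw addr
        ArpMessage("rply", "10.0.0.7", "aa:aa:aa:aa:aa:07"),    # station not yet in the database
    ]
    return [watch.observe(m) for m in traffic], watch.alerts
```

run_sample() returns the per-message verdicts and the alert list: both spoofed replies are reported as changed pairings, while the unseen station is only recorded as new.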

Page 10

Insufficiencies of Proposed Solutions

• ARPWATCH does not support dynamic assignment of IP addresses
• Static ARP caches do not support dynamic assignment of IP addresses and detection of destination failures

Page 11

Need for Secure Address Resolution

• When a computer receives a message m, it needs to determine whether m was indeed sent by the claimed source, or was inserted, modified, or replayed by an adversary
• Use a secure address resolution protocol between each computer and a secure server

Page 12

Architecture of Secure Address Resolution Protocol

[Figure: protocol stacks of computer h[i] (Applications, Transport, Network, Interface; components hr[i] and hn[i]) and of server s (Applications, Transport, Network, Interface; components sr and sn), connected over the Ethernet; the invite-accept protocol writes the arrays ipa, hda, valid, and the request-reply protocol answers resolution requests]

Page 13

• The adversary can perform three types of actions to disrupt communication between server s and any computer h[i] on the Ethernet
• Message loss
• Message modification
• Message replay

Page 14

Secure Address Resolution Protocol

Mechanisms to counter adversary actions:

• timeouts to counter message loss
• shared secrets to counter message modification
• nonces to counter message replay

Page 15

Invite-Accept Protocol

• Periodically, server s sends out an invt message to every computer on the Ethernet
• Every up computer is required to send back an acpt message including its IP address and hardware address
• s updates its address database according to the received acpt messages

Page 16

Invite-Accept Protocol

s → h[0..n-1]: invt(nc, md)
where md = MD(nc;scr[0]) || MD(nc;scr[1]) || … || MD(nc;scr[n-1])

h[i] → s: acpt(nc, ipa[i], hda[i], d)
where d = MD(nc;ipa[i];hda[i];scr[i])

Page 17

Request-Reply Protocol

• When a computer needs to resolve a destination’s hardware address, it sends a rqst message to server s
• If the destination’s hardware address is still valid, s sends back a rply message with the address information
• If the destination’s hardware address is not valid anymore, s sends back a rply message with no address information

Page 18

Request-Reply Protocol

h[i] → s: rqst(nc, ipa[j], d)
where d = MD(nc;ipa[j];scr[i])

If found,
s → h[i]: rply(nc, ipa[j], hda[j], d)
where d = MD(nc;ipa[j];hda[j];scr[i])

If not found,
s → h[i]: rply(nc, ipa[j], 0, d)
where d = MD(nc;ipa[j];0;scr[i])

Page 19

resolution protocol

• Insecure address resolution
• Backup server
• System diagnosis
• Address resolution across multiple Ethernets

Page 20

Next Class

• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Key management

Posted: 09/01/2018, 11:57
