使用定位標識分離技術在P4交換機中防禦竊聽與竄改攻擊

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：174

、訪客IP：18.119.102.149

姓名

陳碩偉(Shuo-Wei Chen) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

使用定位標識分離技術在P4交換機中防禦竊聽與竄改攻擊
(Using Locator Identifier Separation Technology to Defense Eavesdropping and Tampering Attacks in P4 Switches)

相關論文

★ 無線行動隨意網路上穩定品質服務路由機制之研究	★ 應用多重移動式代理人之網路管理系統
★ 應用移動式代理人之網路協同防衛系統	★ 鏈路狀態資訊不確定下QoS路由之研究
★ 以訊務觀察法改善光突發交換技術之路徑建立效能	★ 感測網路與競局理論應用於舒適性空調之研究
★ 以搜尋樹為基礎之無線感測網路繞徑演算法	★ 基於無線感測網路之行動裝置輕型定位系統
★ 多媒體導覽玩具車	★ 以Smart Floor為基礎之導覽玩具車
★ 行動社群網路服務管理系統－應用於發展遲緩兒家庭	★ 具位置感知之穿戴式行動廣告系統
★ 調適性車載廣播	★ 車載網路上具預警能力之車輛碰撞避免機制
★ 應用於無線車載網路上之合作式交通資訊傳播機制以改善車輛擁塞	★ 智慧都市中應用車載網路以改善壅塞之調適性虛擬交通號誌

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 ( 永不開放)

摘要(中)

在現代網路環境中，攻擊者能夠利用受汙染的網路設備進行竊聽和竄改攻擊，以獲取隱私資料或導致主機做出錯誤決策。為了有效監控和管理網路流量，軟體定義網路（Software Defined Network, SDN）提供了一個集中式的控制平台。然而，由於SDN在封包處理方面的靈活性不足，因此Programming Protocol-independent Packet Processors（P4）被提出，P4允許網路管理人員定義封包的標頭（Header）以及處理流程，從而實現更靈活和可定制的網路功能。
為了防止竊聽與竄改攻擊對網路環境的危害，本論文提出了Locator/Identifier Separation with Message Authentication Code（LISMAC）的機制與標頭，透過P4交換機將原始IP位址進行加密，對流量進行混淆，防止攻擊者透過竊聽攻擊和聚合封包來獲取隱私資訊。LISMAC使用定位標示分離技術作為IP位址加密後封包的路由依據，同時能夠減少中間網路節點儲存的路由表大小。此外LISMAC標頭中還包含封包的訊息鑑別碼（Message Authentication Code, MAC）值，可以透過檢驗MAC值來判斷封包在傳送過程中是否發生錯誤或被竄改。在實驗中，將LISMAC機制引入到3個中繼段（Hop）的環境中，在往返時間（Round-Trip Time, RTT）的部分，使平均RTT上升了1.19 ms，在沒有設置鏈路延遲時，平均RTT增加了53.43%，而在鏈路延遲設為1 ms時，平均RTT僅增加了1.55%，因此在真實世界存在鏈路延遲的情況下，引入LISMAC對平均RTT的上升幅度並不大。吞吐量（Throughput）部分則在引入LISMAC機制後下降了42.97%。儘管如此，在與SPINE與SR-TPP的比較中，LISMAC仍然具有較低的平均RTT和較高的throughput。

摘要(英)

In the modern networking environment, attackers can exploit compromised network devices for eavesdropping and tampering attacks to obtain private data or cause the host to make erroneous decisions. To effectively monitor and manage network traffic, Software Defined Networking (SDN) provides a centralized control platform. However, due to the limited flexibility in packet processing, Programming Protocol-independent Packet Processors (P4) have been proposed. P4 allows network administrators to define packet headers and processing workflows, enabling more flexible and customizable network functionalities.
To mitigate the risks of eavesdropping and tampering attacks in the network environment, this paper proposes the Locator/Identifier Separation with Message Authentication Code (LISMAC). Through P4 switches, LISMAC encrypts the original IP addresses and confuses the traffic, preventing attackers from obtaining sensitive information through eavesdropping attacks and packet aggregation. LISMAC utilizes the technique of locator/identifier separation as the routing basis for encrypted packets, while also reducing the size of routing tables stored in intermediate network nodes. Additionally, LISMAC headers include a Message Authentication Code (MAC) value, which allows the verification of packet integrity and detection of potential errors or tampering during transmission.
In the experiment, the LISMAC mechanism was introduced into a three-hop environment. Regarding Round-Trip Time (RTT), without setting any link delay, the average RTT increased by 53.43%. However, when the link delay was set to 1 ms, the average RTT only increased by 1.55%. Therefore, in real-world scenarios with existing link delays, LISMAC shows a relatively small increase in average RTT. The throughput decreased by 42.97% after introducing the LISMAC mechanism. Nevertheless, when compared to SPINE and SR-TPP, LISMAC still exhibits lower average RTT and higher throughput.

關鍵字(中)

★ 軟體定義網路
★ P4
★ 竊聽攻擊
★ 竄改攻擊
★ 定位標示分離
★ 訊息鑑別碼

關鍵字(英)

★ Software Defined Networking
★ Programming Protocol-Independent Packet Processors
★ Eavesdropping Attack
★ Tampering Attack
★ Locator/Identifier Separation
★ Message Authentication Code

論文目次

摘要 i
Abstract ii
誌謝 iii
目錄 iv
圖目錄 vii
表目錄 x
第一章緒論 1
1.1. 概要 1
1.2. 研究動機 2
1.3. 研究目的 2
1.4. 章節架構 3
第二章背景知識與相關研究 4
2.1. P4: Programming Protocol-independent Packet Processors 4
2.2. 定位標示分離技術 7
2.3. 訊息鑑別碼 9
2.4. 相關研究 10
第三章 LISMAC 13
3.1. 系統架構與設計 13
3.1.1. LISMAC標頭設計 16
3.1.2. 使用2EM加密 18
3.2. 系統運作流程與實作 19
3.2.1. 初始化階段 20
3.2.2. 封包學習階段 21
3.2.3. 封包修改 25
3.2.4. 封包還原 29
3.3. 系統環境 33
第四章實驗與討論 35
4.1. 情境一：LISMAC功能性驗證 35
4.1.1. 實驗一：IPv4環境中混淆功能的驗證 35
4.1.2. 實驗二：IPv6環境中混淆功能的驗證 37
4.1.3. 實驗三：LISMAC中防竄改機制驗證 40
4.2. 情境二：效能比較 43
4.2.1. 實驗四：LISMAC、SPINE和SR-TPP在RTT的效能比較 43
4.2.1. 實驗五：LISMAC、SPINE和SR-TPP在throughput的效能比較 46
4.2.2. 實驗六：LISMAC與SR-TPP在controller的CPU使用率比較 49
4.3. 情境三：衡量LISMAC標中的設計對效能的影響 50
4.3.1. 實驗七：不同加密演算法對RTT與throughput的效能比較 51
4.3.2. 實驗八：不同MAC大小對RTT與throughput的效能比較 54
4.3.1. 實驗九：Packet loss對LISMAC的影響 57
第五章結論與未來研究方向 62
5.1. 結論 62
5.2. 研究限制 63
5.3. 未來研究 63
參考文獻 66
附錄 72

參考文獻

[1] X. Xu, J. Li, Y. Yang and F. Shen, "Toward Effective Intrusion Detection Using Log-Cosh Conditional Variational Autoencoder," IEEE Internet of Things Journal, vol. 8, no. 8, pp. 6187-6196, April, 2021, doi: 10.1109/JIOT.2020.3034621.
[2] M. Russo, N. Šrndić, and P. Laskov, "Detection of Illicit Cryptomining Using Network Metadata," EURASIP Journal on Information Security, vol. 2021, no. 1, pp. 1-20, 2021.
[3] M. Carugi and D. McDysan, "Service Requirements for Layer 3 Provider Provisioned Virtual Private Networks (PPVPNs)," RFC 4031, Apr. 2005.
[4] P. Bosshart et al., "P4: Programming Protocol-Independent Packet Processors," SIGCOMM Comput. Commun. Rev., vol. 44, no. 3, pp. 87-95, Jul. 2014, doi: 10.1145/2656877.2656890.
[5] B. Charyyev and M. H. Gunes, "Locality-Sensitive IoT Network Traffic Fingerprinting for Device Identification," IEEE Internet of Things Journal, vol. 8, no. 3, pp. 1272-1281, Feb, 2021, doi: 10.1109/JIOT.2020.3035087.
[6] J. Kotak and Y. Elovici, "Adversarial Attacks Against IoT Identification Systems," in IEEE Internet of Things Journal, vol. 10, no. 9, pp. 7868-7883, May, 2023, doi: 10.1109/JIOT.2022.3229906.
[7] T. Datta, N. Feamster, J. Rexford, and L. Wang, "SPINE: Surveillance Protection in the Network Elements," the 9th USENIX Workshop on Free and Open Communications on the Internet, 2019.
[8] N. McKeown et al., "OpenFlow: Enabling Innovation in Campus Networks," SIGCOMM Comput. Commun. Rev., vol. 38, no. 2, pp. 69-74, Apr, 2008, doi: 10.1145/1355734.1355746.
[9] ONF Solution Brief, "OpenFlow-Enabled SDN and Network Functions Virtualization," Open Netw. Found, vol. 17, pp. 1-12, 2014.
[10] "P4 Language Tutorial" Accessed on: May 23, 2023. [Online]. Available: https://docs.google.com/presentation/d/1zliBqsS8IOD4nQUboRRmF_19poeLLDLadD5zLzrTkVc/edit
[11] "P4: Programming Networks Forwarding Plane" Accessed on: May 23, 2023. [Online]. Available: https://www.volansys.com/blog/p4-programming-networks-forwarding-plane/
[12] J. S. da Silva, F. -R. Boyer, L. -O. Chiquette and J. M. P. Langlois, "Extern Objects in P4: an ROHC Header Compression Scheme Case Study," the 4th IEEE Conference on Network Softwarization and Workshops (NetSoft), Montreal, QC, Canada, pp. 517-522, 2018, doi: 10.1109/NETSOFT.2018.8460108.
[13] Y. Yuan et al., "Unlocking the Power of Inline Floating-Point Operations on Programmable Switches," the 19th USENIX Symposium on Networked Systems Design and Implementation (NSDI 22), Renton, WA, pp. 683-700, Apr. 2022.
[14] A. d. S. Ilha, Â. C. Lapolli, J. A. Marques and L. P. Gaspary, "Euclid: A Fully In-Network, P4-Based Approach for Real-Time DDoS Attack Detection and Mitigation," IEEE Transactions on Network and Service Management, vol. 18, no. 3, pp. 3121-3139, Sept. 2021, doi: 10.1109/TNSM.2020.3048265.
[15] F. Musumeci, A. C. Fidanci, F. Paolucci, F. Cugini, and M. Tornatore, "Machine-Learning-Enabled DDoS Attacks Detection in P4 Programmable Networks," Journal of Network and Systems Management, vol. 30, pp. 1-27, 2022.
[16] M. V. B. da Silva, J. A. Marques, L. P. Gaspary, and L. Z. Granville, "Identifying Elephant Flows Using Dynamic Thresholds in Programmable IXP Networks," Journal of Internet Services and Applications, vol. 11, pp. 1-12, 2020.
[17] L. X. Liao, H.-C. Chao, and M.-Y. Chen, "Intelligently Modeling, Detecting, and Scheduling Elephant Flows in Software Defined Energy Cloud: A Survey," Journal of Parallel and Distributed Computing, vol. 146, pp. 64-78, 2020.
[18] A. Sapio et al., "Scaling Distributed Machine Learning with In-Network Aggregation," the 18th USENIX Symposium on Networked Systems Design and Implementation (NSDI 21), pp. 785-808, Apr. 2021.
[19] F. Cugini, D. Scano, A. Giorgetti, A. Sgambelluri, L. De Marinis, P. Castoldi, and F. Paolucci, "Telemetry and AI-based Security P4 Applications for Optical Networks," Journal of Optical Communications and Networking, vol. 15, no. 1, pp. A1-A10, 2023
[20] D. Bhamare, A. Kassler, J. Vestin, M. A. Khoshkholghi, J. Taheri, T. Mahmoodi, P. Öhlén, and C. Curescu, "IntOpt: In-band Network Telemetry Optimization Framework to Monitor Network Slices Using P4," Computer Networks, vol. 216, pp. 109214, 2022.
[21] "Google Cloud using P4Runtime to build smart networks" Accessed on: May 23, 2023. [Online]. Available: https://cloud.google.com/blog/products/gcp/google-cloud-using-p4runtime-to-build-smart-networks
[22] "Cisco Locator ID Separation Protocol (LISP)" Accessed on May 23, 2023. [Online]. Available: https://networklessons.com/cisco/ccnp-encor-350-401/cisco-locator-id-separation-protocol-lisp
[23] K. Sun and Y. Kim, "LISP-based Hierarchical Service Mobility Management for the Tactical Edge Computing," 2020 International Conference on Information and Communication Technology Convergence (ICTC), Jeju, Korea, pp. 520-522, 2020, doi: 10.1109/ICTC49870.2020.9289539.
[24] K. Sun and Y. Kim, "Enhanced LISP Mapping System for Optimizing Service Path in Edge Computing Environment," IEEE Access, vol. 8, pp. 190559-190571, 2020, doi: 10.1109/ACCESS.2020.3031915.
[25] D. Farinacci, V. Fuller, D. Meyer, and D. Lewis, "The Locator/ID Separation Protocol (LISP)," RFC 6830, Jan, 2013.
[26] J. Sun et al., "Improving Bandwidth Utilization by Compressing Small-Payload Traffic for Vehicular Networks," International Journal of Distributed Sensor Networks, vol. 15, no. 4, pp. 1550147719843050, 2019.
[27] K. Sun, J. Lee and Y. Kim, "LISP-Based Control Plane for Service Connectivity in Multi-Cluster Cloud Systems," IEEE Access, vol. 10, pp. 24786-24796, 2022, doi: 10.1109/ACCESS.2022.3155113.
[28] "kubernetes" Accessed on June 20, 2023. [Online]. Available: https://kubernetes.io/
[29] "What are the differences between a digital signature, a MAC and a hash?" Accessed on May 23, 2023. [Online]. Available: https://crypto.stackexchange.com/questions/5646/what-are-the-differences-between-a-digital-signature-a-mac-and-a-hash
[30] B. Hinden and S. E. Deering, "Internet Protocol, Version 6 (IPv6) Specification," RFC 2460, Dec, 1998.
[31] H. Moghaddam and A. Mosenia, "Anonymizing Masses: Practical Light-weight Anonymity at the Network Level," arXiv preprint arXiv:1911.09642, 2019.
[32] Y. Govil, L. Wang, and J. Rexford, "MIMIQ: Masking IPs with Migration in QUIC," the 10th USENIX Workshop on Free and Open Communications on the Internet (FOCI), 2020.
[33] G. Carlucci, L. De Cicco, and S. Mascolo, "HTTP over UDP: An Experimental Investigation of QUIC," the 30th Annual ACM Symposium on Applied Computing, Salamanca, Spain, pp. 609-614, April, 2015.
[34] J. Zhou, H. Li, Q. Wu, Z. Lai and J. Liu, "SR-TPP: Extending IPv6 Segment Routing to Enable Trusted and Private Network Paths," 2020 IEEE Symposium on Computers and Communications (ISCC), Rennes, France, pp. 1-6, 2020, doi: 10.1109/ISCC50000.2020.9219705.
[35] C. Filsfils, P. Camarillo, J. Leddy, D. Voyer, S. Matsushima, and Z. Li, "Segment Routing over IPv6 (SRv6) Network Programming," RFC 8986, Feb, 2021
[36] K. Kaur, M. Kaur, K. Kaur, and A. Madaan, "A Comparative Study of OSI and TCP/IP Models," International Journal of Engineering and Management Research, vol. 13, no. 2, pp. 127-135, 2023.
[37] "Protocol Numbers", Accessed on May 29, 2023. [Online]. Available: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
[38] L. Wang, H. Kim, P. Mittal, and J. Rexford, "Programmable In-network Obfuscation of DNS Traffic," NDSS: DNS Privacy Workshop, 2021.
[39] F. Mendel, V. Rijmen, D. Toz, and K. Varıcı, "Differential Analysis of the LED Block Cipher," Advances in Cryptology--ASIACRYPT 2012: 18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, pp. 190-207, Dec, 2012.
[40] S. Chen, R. Lampe, J. Lee, Y. Seurin, and J. Steinberger, "Minimizing the Two-Round Even-Mansour Cipher," Journal of Cryptology, vol. 31, pp. 1064-1119, 2018.
[41] I. Isewon, O. Adare, and J. Oyelade, "Implementation of a File Encryption Software ′Hyde′ using RIJNDAEL Algorithm (AES)," International Journal of Computer Science and Information Security (IJCSIS), vol. 20, no. 4, 2022.
[42] "BMv2", Accessed on June 2, 2023. [Online]. Available: https://github.com/p4lang/behavioral-model
[43] "p4-utils", Accessed on June 2, 2023. [Online]. Available: https://github.com/nsg-ethz/p4-utils
[44] "mininet", Accessed on June 2, 2023. [Online]. Available: http://mininet.org/
[45] "Scapy", Accessed on June 2, 2023. [Online]. Available: https://scapy.readthedocs.io/en/latest/
[46] "Ping", Accessed on June 12, 2023. [Online]. Available: https://www.man7.org/linux/man-pages/man8/ping.8.html
[47] "iperf3", Accessed on June 12, 2023. [Online]. Available: https://iperf.fr/
[48] "Intel Tofino 2", Accessed on June 8, 2023. [Online]. Available: https://www.intel.com/content/www/us/en/products/network-io/programmable-ethernet-switch/tofino-2-series.html
[49] G. C. Sankaran, K. M. Sivalingam and H. Gondaliya, "P4 and NetFPGA-Based Secure In-Network Computing Architecture for AI-Enabled Industrial Internet of Things," IEEE Internet of Things Journal, vol. 10, no. 4, pp. 2979-2994, Feb, 2023, doi: 10.1109/JIOT.2021.3125862.
[50] "SmartNICs with P4 support" Accessed on June 8, 2023. [Online]. Available: https://codilime.com/blog/smartnics-with-p4-support/

指導教授

周立德(Li-Der Chou)

審核日期

2023-8-8

推文