Title: Privacy-Preserving Cross-Domain Network Reachability Quantification
1Privacy-Preserving Cross-Domain Network
Reachability Quantification
Fei Chen Computer Science and Engineering Michigan
State University Joint work with Bezawada
Bruhadeshwar and Alex X. Liu
2Background
- Network reachability can be defined as
- What packets can pass through a given network
path - Network reachability quantification is very
important for - Understanding end-to-end network behavior
- Detecting the violation of security policies
3Motivation (1/2)
- Many solutions have been proposed to quantify the
network reachability - The main assumption of these solutions
- All the reachability information from these
network devices is known - Collecting such information could be very
difficult - Due to the privacy and security concerns
4Motivation (2/2)
- Can we achieve the two following goals at the
same time? - Quantify the network reachability for a given
path, and - Preserve privacy of reachability information
belong to different parties
5Problem Statement
- Assumption
- For each party, the reachability information is
converted to an ACL - Static reachability information
- Employ the network reachability approach
Khakpour et al., 2010 - Let M(A) denote the set of packets that are
accepted by ACL A - We aim to design a privacy preserving protocol
which - Enables User1 to compute M(A1) n M(A2) n M(A3)
- No party can reveal the ACLs of other parties
6Threat Model
- We consider semi-honest model
- Each party must follow our protocol correctly
- Input its ACL to our protocol without cheating
- Follow the process of our protocol
- Each party may try to learn the ACL rules of
other parties - Analyze the intermediate messages when running
the protocol
7Related work
- Probing
- Current practice of verifying reachability
- Expensive to quantify network reachability
- Because it needs to generate and send significant
amount of packets. - Inaccurate
- E.g., it cannot probe the open ports with no
server listening on them. - Network reachability quantificaiton
- Estimate bounds of network reachability
- Xie et al. 2005, Ingols et al. 2006,
Matousek et al. 2008 - Quantify the network reachability
- Al-Shaer et al. 2009, Sung et al. 2009,
Khakpour et al. 2010 - Major assumption is not practical
- All reachability information is known
- No prior work studies privacy preserving
reachability quantification
8Basic building blocks (1/2)
- Prefix membership verification
P1
P2
3, 7
5
Prefix family
Prefix format
S(3,7)011, 1
T(5)101, 10,1,
Prefix numericalization
Prefix numericalization
N(S(3,7))0111, 1100
N(T(5))1011,1010, 1100,1000
If N(S(3,7))nN(T(5)) ? ?, then 5?3, 7
9Basic building blocks (2/2)
- Range intersection
- Suppose the domain of this field is 0, 7
P1
P2
3, 7
2, 5
Generate ranges
Retrieve boundaries
0, 2 , 3, 7
2, 5
Prefix family and numericalize
Prefix format and numericalize
N(S(0,2)) , N(S(3,7))
N(T(2)), N(T(5))
Because (1) N(S(0,2))nN(T(2)) ? ?, then 2?0,
2 (2) N(S(3,7))nN(T(5)) ? ?,
then 5?3, 7
From 2?0, 2 and 5?3, 7, we have 3, 7 n
2, 5 3, 5
10Privacy preserving range intersection
- Employ commutative encryption
- For a number x, ((x)K1)K2 ((x)K2)K1
- For ease of presentation, let (x) K12 denote
((x)K1)K2
P1 (K1)
P2 (K2)
3, 7
2, 5
N(S(0,2)) , N(S(3,7))
N(T(2)), N(T(5))
(1) Encrypt by P1 (2) Encrypt by P2
(1) Encrypt by P2 (2) Encrypt by P1
N(T(2)) K21 , N(T(5)) K21
N(S(0,2))K12 , N(S(3,7)) K12
If P1 does the comparison, it can conclude that
3,7 n 2, 5 3, the original number of
N(T(5)) K21
11Range intersection of multiple parties
P2 (K2)
P3 (K3)
P1 (K1)
3, 7
4, 7
2, 5
N(S(0,2)) N(S(3,7))
N(T(2)) N(T(5))
N(S(0,3)) N(S(4,7))
(1) Encrypt by P1 (2) Encrypt by P2 (3) Encrypt
by P3
(1) Encrypt by P2 (2) Encrypt by P3
(1) Encrypt by P3 (2) Encrypt by P2
N(S(0,2))K23 N(S(3,7)) K23
N(T(2)) K32 N(T(5)) K32
N(S(0,3))K123 N(S(4,7)) K123
Comparison
Prepare for further comparison
3, N(T(5)) K32
N(T(3)) K231 N(T(5)) K321
Comparison
4, N(T(5)) K321
12Decryption of the comparison result
N(T(5)) K321
Decrypt by P3
N(T(5)) K21
Decrypt by P2
N(T(5)) K1
Decrypt by P1
N(T(5))
Decode
5
4
4, 5
4, 7 n 3, 7 n 2, 5
13ACL preprocessing
- ACL consists of multi-dimensional overlapping
rules - Convert it to non-overlapping rules with accept
decision
FDD construction
Extract non-overlapping rules with the accept
decision
14Experiment Setup
- We conducted experiments on both real and
synthetic ACLs - Each ACL examine five fields,
- Source and destination IPs, source and
destination ports, protocol type - The number of rules ranges from dozens to
thousands - For effectiveness, we verified the correctness
- For efficiency, we evaluate the computation and
communication costs of the core operations - Processing each ACL
- Comparing every two ACLs
15Experimental Results (1/3)
- For real ACLs with the average number of rules
806 - Both offline and online Computation costs are
less than 2 seconds - Communication cost is less than 60 KB
- Comparison cost is less than 1 second
- Our approach is efficient for the conversion and
comparison of two real ACLs
Processing real ACLs
16Experimental Results (2/3)
- For synthetic ACLs with number of rules from 200
to 2000 - One-time offline computation cost is less than
400 seconds - The online computation cost is less than 5
seconds - Communication cost is less than 450 KB
Processing synthetic ACLs
17Experimental Results (3/3)
- For synthetic ACLs with number of rules from 200
to 2000 - The comparison time of two synthetic firewalls is
less than 4 seconds
Comparing synthetic ACLs
18Conclusion
- Investigate privacy preserving quantification of
network reachability for the first time - Propose an efficient and secure protocol to
quantify the network reachability accurately - Conduct experiments on both real and synthetic
ACLs to demonstrate the effectiveness and
efficiently of our protocol
19Future work
- Dynamic routing information
- Dynamic routing table
- Topological variations
- Links go down
- New links get added
- Malicious model
- Some party cheats its ACL
20Questions
Thank you!