IPclip: An Architecture to Restore Trust-by-Wire in … · IPoE MTU Adaptation Option Verification Module – MAM PPPoE MTU Adaptation Module – PAM Module – OVM Additional Information

IPclip: An Architecture to Restore Trust-by-Wire in Restore Trust by Wire in Packet-switched Networks

Thomas Bahls, Daniel DuchowHarald Widiger, Stephan Kubisch,Peter Danielis, Jens Schulz,

Dirk Timmermann

Nokia Siemens NetworksBroadband Access Division

University of RostockInstitute of Applied Microelectronics

and Computer Engineering

Outline

Trust-by-WireTrust by WireIPclip – The MechanismHardware RealizationPrototypeypConclusion

19.10.2008 University of Rostock 2

Challengesg

VoIP (Emergency Calls)

SPAM

Phishingg

P2P supportP2P support


3

Trust-by-Wirey

Fixed line telephony vs InternetFixed line telephony vs. InternetFixed line telephony

Circuit switchedTelephone number for identification

Trust-by-Wire

Direct relation between location and line

InternetInternetPacket switchedIP addresses not disitinct for identification

Trust-by-WireIP addresses not disitinct for identificationNo (trustable) location information

y


Outline



IPclip - Mechanismp

IPclip is used to provide a useful degree of TbW in IP networks

IPclip = IP Calling Line Identification PresentationLocation information (e g GPS) is added to each IP

p p g

Location information (e.g., GPS) is added to each IP packet as IP option Location information in IP

Either by the user or by the access node of an access y ynetwork

GPS

A N d ith Internet

Verified Location Information

UserUnverified Location Information

GPS

Access Node with IPclip @ Pos (x,y)

Internet

Verified Location Information

GPS

Unverified Location Information

No Location Information


IPclip - Optionp p

What kind of location information do we use?

IP header can contain IP optionsIP Header

IP Options...

IP Header

IP options show a type-length-value structure

UDP, TCP, ...

p yp gLocation information as value part of an IP option

IP Type IP Length LatitudeIPclip Type Status FieldLatitude (cont.) Longitude

Port Access Node ID

yp g p ypAccessPadding


IPclip - Positionp

Access Network most reasonable place for adding/verifying LI

Access node is the 1st trustworthy network element

p g/ y g

User provided location information solely verified hereAccess port + access node ID as complementary informationinformation

Access NetworkBroadband

Metro/Core Network

User

Linecards

AccessServer

ISP

UserAccess Node (ID = 0xab)

...Access Ports

Aggregation

ISP

IPclip


IPclip

IPclip – Trustable LIp

Using IPclip for ensuring trustworthy LI in IP

User provided LI trustworthy if within access node‘s

(0;1) (1;1)

if within access node s subscriber catchment area (SCA)

Alice sends Position (0.2;0.7)

Alice’s Flags = user provided, trusted

IPclip on access node sets flags in status field depending on LI‘s trustworthiness

Eve’s Flags = network provided, untrusted

Access Node @ Position (0.5;0.5)

Alice @ Position (0.2;0.7)

on LI s trustworthiness

(0;0) (1;0)

Eve sends Position (1.2;1.4)

Eve @ Position(0.3;0.2)

Status Field

Access Node's SCA (normalized coords)

( ) ( )

Removal Flag

Peering Flag

Source Flag

Trustabi-lity Flag


Outline



IPclip Architecturep

IPoE MTU Adaptation Option Verification Module – MAMPPPoE MTU Adaptation Module – PAM

Module – OVMAdditional Information Adder – AIAModule PAM

Packet Classifier – PC Adder AIAAdditional Information Remover – AIR

LocationMemoryOption LocationInformation

Memory Interface

Option SizeMTU

AIAOVMPC Core

Upstream

PAM

AIR

Port NumberCore

Network

Downstream

MAMCPE


MAM & PAM

PPPoE MTU Adaptation IPoE MTU Adaptation

MTU Negotiation in PPP session phase

p

Path MTU Discovery session phaseUpstreamMTU=MTU-Option Size

for dynamic MTU adaptationMTU to big after option MTU MTU Option_Size

DownstreamMTU=MTU+Option_Size

MTU to big after option insertion ICMP message to origing gAdaption of ICMP messages from d tdonwstream


Packet Classifier

Assignment of physical user port to Assignment of physical user port to each incoming packetKey: SRC IP and VLAN TagKey: SRC-IP and VLAN-TagResult: User Port (16 Bit)Search in a sorted memory O(log(N))O(log(N))

1.5 clock cycles per mem accessInsertion and Deletion O(N+log(N))Insertion and Deletion O(N+log(N))


OVM

Check if frame’s origin is within an rectangle of g gwhich linecard is the center (SCA)Both GPS LI and GLI can be used

Width of SCA

Length of SCA

LI Option sizeSCA SCA

Valid IP Opt

Discard

YES

GPS GLI

LI

CALC

Frame OUTFrame InReadState

Machine

IPclipoption

SendState

Machine

NO


OVM

Conversion factor between linear and Conversion factor between linear and angular measurement constant for longitudelongitudeConversion factor for latitude d d l it ddepends on longitude

1’’ in polar regions = 0.54 m1’’ in equatorial regions = 31.0 m

Width and length calculated in [ams]Width and length calculated in [ams]


AIA

Add IPclip option to each packetp p pAdd only AN ID and port to existing IPclip options

AddLI OptionSize

DiscardUnconfigured

Frame in Frame outI

Discard+

Discard

Port Exists

Is IP? No

DiscardYes

Port Exists

Port Number

Valid IP Opt

Add/Remove

LI


p

AIR

Optional submodule in downstream to Optional submodule in downstream to strip IPclip options from packetsAss ance that co ect IHL Total Assurance that correct IHL, Total Length and Checksum fields are

t drecomputedMay be required for security reasonsy q y


Outline



Prototypeyp

Xilinx Virtex ML405 FPGA development Xilinx Virtex ML405 FPGA development board – Virtex-4 FX20FPGA fairly utilized (7486 Slices, 55 BRAMs)FPGA fairly utilized (7486 Slices, 55 BRAMs)


Resource Consumptionp

Module Slices BRAMs

MAM 786 1

PAM 163 0

PC 832 11

AIA 1019 4AIA 1019 4

OVM 2491 2

AIR 519 6

EMAC; Glue;Prototype related

1700 31

IP li P t t 7486 55IPclip Prototype 7486 55


Performance

IPclip Troughput (1 Gbps)

100120

%]

IPclip Troughput (1 Gbps)

6080

100

hput

[%

2040

hrou

gh

064 128 256 512 1024 1280 1518

Th

FramesizeFramesize

Packets without LI Packets with LI


Performance

Realistic Data35% 64 Byte

Delay with LI690 to 1200 cycles35% 64 Byte

10% 594 Byte11% 1518 Byte44% Random

690 to 1200 cyclesDelay without LI

700 to 1900 cycles

7

Loss rate with realistic traffic

4567

rate

[%]

0123

Loss

r

00 25 50 75 100

Fraction of traffic containing LI from CPE [%]


Conclusion

IPclip establishes TbW in IP-based IPclip establishes TbW in IP based networksImplemented on an AN IPclip can insert Implemented on an AN, IPclip can insert or validate location informationHW prototype is capable to serve 1 GbpsHW prototype is capable to serve 1 GbpsIPclip enables interesting new

l d lapplications and solutionsVoIP emergency callsFighting SPAM and PhishingImprove P2P traffic


Documents

IPclip: An Architecture to Restore Trust-by-Wire in … · IPoE MTU Adaptation Option Verification Module – MAM PPPoE MTU Adaptation Module – PAM Module – OVM Additional Information