
Threats in Optical Burst Switched Network

P. Siva Subramanian, K. Muthuraj Department of Computer Science & Engineering, Pondicherry Engineering College, Pondicherry, India

[email protected], [email protected]

Abstract

Optical networks are a viable network for future communication, transmitting data at an average rate of 50Tb/s. Optical Burst Switching is a trusted mechanism used for optical networks. There is a good amount of research done in the area of security in optical networks. In addition, the issues related to physical network security have been dealt with for optical networks. Our proposed work is intended to find the possible security threats that may arise in Optical Burst Switched Networks, and the countermeasures are examined separately. The NS-2 simulator with a modified OBS patch is used to verify and validate the proposed mechanism.

1. Introduction

Today's Internet requires huge bandwidth for accessing and downloading data. Optical networks support huge bandwidth and transmit data at a faster rate than conventional networks, but the fiber's huge bandwidth must be exploited. This can be achieved through Time Division Multiplexing (TDM), Code Division Multiplexing (CDM) or Wavelength Division Multiplexing (WDM). The CDM chip rate and the TDM bit rate are very high compared to the electronic processing speed of an end user's network interface. WDM has no such requirement, since each of its channels runs at electronic speed, and is therefore more attractive than CDM and TDM. For long haul communication, WDM is the current favourite multiplexing technology in optical communication networks [1-2].

Figure 1: WDM Technology

Wavelength Division Multiplexing (WDM) divides the available wavelength range of a fiber into a number of non-overlapping wavelength channels, each operating at electronic speed. Using WDM technology, multiple WDM channels from different end-users may be multiplexed on the same fiber, as shown in Figure 1.

2. Optical Burst Switching

Optical burst switching (OBS) is the next-generation optical Internet with IP over WDM as the core architecture. It achieves a balance between Optical Circuit Switching (OCS) and Optical Packet Switching (OPS): OBS requires only limited delay of the data at intermediate nodes, as in OCS, and ensures efficient bandwidth utilization on a fiber link, just as in OPS. A comparison of the OCS, OPS and OBS switching technologies [3] is given in Table 1 below.

Table 1: Comparison among OCS, OPS and OBS

Technique   Bandwidth   Latency   Buffering   Overhead
OCS         Low         High      No          Low
OPS         High        Low       Yes         High
OBS         High        Low       Yes         Low

In OBS, two types of routers exist, namely edge routers and core routers [4]. Ingress edge routers are responsible for assembling the IP packets into bursts, scheduling, routing and wavelength assignment. Egress edge routers are responsible for disassembling the bursts into IP packets and packet forwarding. Core routers are responsible for scheduling, signaling and contention resolution [5]. The functional diagram is given in Figure 2.

P.Siva Subramanian,K.Muthuraj, Int. J. Comp. Tech. Appl., Vol 2 (3), 510-514

510

ISSN:2229-6093

Figure 2: Functional Diagram of OBS (Ingress Edge Node: burst assembly, wavelength assignment, edge scheduling; Core Node: signaling, scheduling, contention resolution; Egress Edge Node: burst disassembly, packet forwarding)

In optical burst switching (Figure 3), IP packets with the same destination are buffered in the edge routers to form a data burst. The edge router then generates the control burst for the corresponding data burst. The control packet is sent prior to its corresponding data burst; the time difference between the control packet and the data burst is called the offset time, which is used for reservation and utilization of the required resources. In the transmission of data, the control burst is responsible for signaling and forwarding its corresponding data burst. If the control burst and the data burst use the same wavelength for transmitting the data, it is called in-band signaling (Figure 4). If the control burst and the data burst use different wavelengths, it is called out-of-band signaling (Figure 5) [6-10].

Figure 3: Optical Burst Switching Architecture

Figure 4: In-Band Signaling

Figure 5: Out-of-Band Signaling

There are two kinds of burst assembly process, timer based and threshold based. In the timer based approach, a timer is started in the source ingress node; all the IP packets collected for the same destination are formed into a data burst, and once the timer expires a control burst is generated and sent ahead of the data burst. In the threshold based approach, a burst is created and sent into the Optical Burst Switched network when the total size of the IP packets reaches a threshold value. A wavelength reservation scheme is followed to reserve the wavelength for the data burst. The three popular wavelength reservation methods are tell and go, just in time and just enough time. In the tell and go method, the data burst is transmitted after the control burst with a small offset. Just in time is a direct reservation method: nodes reserve the resources as soon as control signal processing is over. Just enough time is a delayed reservation method: the size of the data burst is decided before the control signal is transmitted by the source, and the offset between the control signal and the data burst is also calculated based on the hop count between source and destination. In an OBS network there is a degree of security vulnerability, which is explained in the next section.

3. Proposed Work

3.1. Burst Duplication Attack

In an OBS network, for every data burst a corresponding control burst is generated by the ingress source node and sent ahead with an offset time interval. It travels through the intermediate core nodes and finally reaches the egress edge node. The reservation of the required resources is done by the intermediate core nodes using the control burst. It is possible for an intermediate core router to create a duplicate copy of the control burst and modify its value to create a path between the attacker and the compromised node. In such a case, the data burst, which follows transparently after the offset time, is sent to the original destination as well as to the attacker. Thus the attacker compromises the integrity of the data burst. This attack is named the burst duplication attack. In Figure 6, an intermediate core router duplicates a control burst and modifies its value to create a path between itself and the attacker. Therefore the data burst, which arrives after the offset time, is sent to the original destination and to the attacker, as shown in Figure 7.

Figure 6: Intermediate node duplicates Control Packet

Figure 7: Attacker obtains the Data Burst

3.2. Countermeasure

In this work, the burst duplication attack can be detected and removed in two possible ways. The first method makes use of a digital signature to detect and remove the attack. In the second method, a trusted node is used to detect and remove the attack. These two methods are dealt with separately in the next section.

3.2.1 Based on Digital Signature

If the control burst is secured from unauthorized modification, the burst duplication attack can be prevented. This is performed using per hop burst header authentication in every intermediate core router. The source id, destination id and burst id of the control burst are encrypted using the private key of the sender, and the encrypted signed message is attached to the CB and forwarded to the intermediate core router. The core router verifies whether the encrypted message has been tampered with using the public key of the sender. If the message has been tampered with, it discards the CB without forwarding it to the next router. Thus the burst duplication attack can be prevented. The algorithm is given below.

    recvPacket(packet) {
        node = packet->node;
        if (node == 'ingress node') {
            Step 1 - Extract source id, destination id and burst id from the Control Burst.
            Step 2 - Calculate the signature for the above fields using the RSA algorithm and the private key of the ingress node.
            Step 3 - Store the encrypted signed code in the 'Signature' field of the CB.
        } else if (node == 'intermediate core router' || node == 'egress node') {
            Step 1 - Extract source id, destination id and burst id from the Burst Control Header.
            Step 2 - Calculate the signature for the above fields using the RSA algorithm and the public key of the ingress node.
            Step 3 - Extract the 'Signature' from the CB.
            Step 4 - Compare both signatures.
            Step 5 - If both signatures are equal, forward the burst to the next node.
            Step 6 - Else drop the burst.
        }
    }

3.2.2 Based on Trusted Node

The digital signature method is accurate in attack detection and removal, but it creates additional overhead, since the ingress node creates a signature and every intermediate core router must verify whether the signature has been tampered with using the RSA algorithm. The second approach is better than the first in terms of additional overhead, but the time taken for attack detection is longer. In the second approach, a trusted node is used to determine the behavior of the core nodes. Once a core node receives a control packet, it sends log information such as burst size and number of packets to the trusted node. The trusted node collects the log information and compares it with the log information of the other core nodes to detect which optical node is compromised. The trusted node therefore keeps a trust value for every core router, and if any optical node's trust value falls below the threshold value, that node is detected as compromised. To prevent the attack, the source ingress node should select a different route each time it sends a burst to the destination egress node. Thus even if an attacker obtains a burst, he will not get the complete information and will not obtain any meaningful information from it. Thus the burst duplication attack can be prevented.

4. Simulation Results

The NS2 simulator with a modified OBS patch [11] is used to demonstrate the effect of the burst duplication attack. The NSFNet topology shown in Figure 8 is used to simulate the attack. Figure 9 shows the simulation parameters. In the normal scenario there is no compromised node, as shown in Figure 10, so the number of bursts sent is almost the same as the number of bursts received. But if there are compromised nodes in the network, there is a duplication of bursts, as shown in Figure 11. After some time the attacker is detected based on log analysis, so the source selects a different path each time to send the burst to the destination. Thereby the effect of burst duplication is reduced, as shown in the same Figure 11.
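The per hop burst header authentication of Section 3.2.1, written out as an added example (not code from the paper or its NS2 patch): the ingress node signs the source id, destination id and burst id, and every core router verifies the 'Signature' field with the ingress public key before forwarding. The RSA key pair, the SHA-256 digest, the hop model and the tampering function are assumptions of this example; the tiny key is for illustration only.

```python
import hashlib
from dataclasses import dataclass

# Constructed demo RSA key pair for the ingress node. Two Mersenne primes are
# used so the example runs offline with no library; they are far too small for
# real use (a deployment would use a 2048-bit key from a vetted library).
_P, _Q = 2147483647, 2305843009213693951
N = _P * _Q                               # public modulus
E = 65537                                 # public exponent (verification key)
D = pow(E, -1, (_P - 1) * (_Q - 1))       # private exponent (signing key)

@dataclass
class ControlBurst:
    source_id: int
    dest_id: int
    burst_id: int
    signature: int = 0          # the 'Signature' field carried in the CB

def header_digest(cb):
    """SHA-256 over the three authenticated header fields, reduced mod N."""
    data = f"{cb.source_id}|{cb.dest_id}|{cb.burst_id}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def ingress_sign(cb):
    """Ingress node: sign source id, destination id and burst id with D."""
    cb.signature = pow(header_digest(cb), D, N)
    return cb

def core_verify(cb):
    """Core or egress router: recover the signed digest with the public key E
    and compare it with the digest of the fields actually received."""
    return pow(cb.signature, E, N) == header_digest(cb)

def forward(cb, hops):
    """Carry a CB through a list of core routers. Each entry is None (honest)
    or a function that alters the CB before forwarding it, as a compromised
    router would. Returns the index of the hop that dropped the CB (the egress
    node counts as hop len(hops)), or None if it was delivered intact."""
    for i, tamper in enumerate(hops):
        if not core_verify(cb):
            return i             # per-hop check failed: drop, do not forward
        if tamper is not None:
            tamper(cb)           # compromised router rewrites its copy
    return None if core_verify(cb) else len(hops)

def redirect_copy(cb):
    """Constructed tampering: the duplicate CB is re-pointed to another node."""
    cb.dest_id = 99

if __name__ == "__main__":
    print(forward(ingress_sign(ControlBurst(1, 7, 42)), [None, None, None]))
    print(forward(ingress_sign(ControlBurst(1, 7, 42)), [None, redirect_copy, None]))
```

The honest path returns None (delivered), while a copy rewritten by the router at index 1 is dropped by the next router, index 2, so the data burst is never steered towards the altered destination.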

Figure 8: NSFNet Topology

Topology: NSFNet
Number of optical nodes: 14
Number of electronic nodes: 28
Number of TCP/IP connections: 10
Max number of attacker nodes: 3
Max number of packets: 200
Max lambda: 20
Link Speed: 1GB
Switch Time: 0.000005

Figure 9: Simulation Parameters

Figure 10: Normal Scenario

Figure 11: Detection of burst duplication attack and removal of attack using trusted node approach
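The log analysis of the trusted node approach (Section 3.2.2), whose detection effect Figure 11 shows, as an added example that is not part of the paper: the trusted node groups the per control burst reports of every core router, takes the majority view of each burst as reference, and lowers the trust value of any router whose report deviates. The log line format, the penalty, the threshold and the sample log are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed log lines (not from the paper's simulation): every core router
# reports each control burst it forwards to the trusted node as
# "node=<router> burst=<id> size=<bytes> pkts=<packets>". Router C3 reports
# bursts 17 and 18 twice, the trace a duplicated control burst would leave.
LOG = """\
node=C1 burst=17 size=4096 pkts=32
node=C2 burst=17 size=4096 pkts=32
node=C3 burst=17 size=4096 pkts=32
node=C3 burst=17 size=4096 pkts=32
node=C1 burst=18 size=2048 pkts=16
node=C2 burst=18 size=2048 pkts=16
node=C3 burst=18 size=2048 pkts=16
node=C3 burst=18 size=2048 pkts=16
node=C1 burst=19 size=1024 pkts=8
node=C2 burst=19 size=1024 pkts=8
node=C3 burst=19 size=1024 pkts=8
"""
LINE = re.compile(r"node=(\w+) burst=(\d+) size=(\d+) pkts=(\d+)")
PENALTY = 0.3      # assumed trust deduction per deviating report
THRESHOLD = 0.5    # assumed trust value below which a router is flagged

def parse_log(text):
    """Group reports as {burst_id: {router: [(size, pkts), ...]}}."""
    seen = defaultdict(lambda: defaultdict(list))
    for m in LINE.finditer(text):
        node, burst, size, pkts = m.groups()
        seen[int(burst)][node].append((int(size), int(pkts)))
    return seen

def trust_scores(text):
    """Trusted node: every router starts at trust 1.0 and loses PENALTY for
    each burst where its report deviates from the majority view of the other
    routers (an extra copy of the same burst id, or a different size/count)."""
    seen = parse_log(text)
    trust = {node: 1.0 for reports in seen.values() for node in reports}
    for reports in seen.values():
        # A router's view of a burst: how many copies it saw, plus the first
        # copy's (size, pkts) values.
        views = {node: (len(r), r[0]) for node, r in reports.items()}
        majority = Counter(views.values()).most_common(1)[0][0]
        for node, view in views.items():
            if view != majority:
                trust[node] = round(trust[node] - PENALTY, 2)
    return trust

def compromised_routers(text):
    """Routers whose trust value has fallen below THRESHOLD."""
    return sorted(n for n, t in trust_scores(text).items() if t < THRESHOLD)
```

On the sample log C3 is penalised twice (trust 0.4) while C1 and C2 stay at 1.0, so only C3 is reported as compromised and the ingress node can start routing around it.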

5. Conclusion and Future Enhancement

Optical burst switching technology has the potential to be deployed today on a commercial scale to speed up the provisioning of end-to-end optical paths between and among communicating entities. Because of the unique characteristics of OBS networks, there is a degree of security vulnerability associated with the burst. In this paper, we have identified the burst duplication attack, in which some core nodes can be compromised to duplicate the control signal, which results in the stealing of the data burst. We have found two ways to mitigate the burst stealing attack, the digital signature method and the trusted node method, and discussed both approaches separately. We simulated the results with the NS2 simulator with the modified OBS patch. In the future, more attacks may be identified in OBS technology and possible countermeasures will be provided for those attacks.

6. References

[1] B. Mukherjee, “WDM Optical Communication Networks: Progress and Challenges,” IEEE Journal on Selected Areas in Communications, pp. 1810-1823, October 2000.

[2] M. Yoo and C. Qiao, “A Novel Switching Paradigm for Buffer-Less WDM Networks,” Optical Fiber Communication Conference (OFC), pp. 177-179, February 1999.

[3] J. Teng and G. N. Rouskas, “A Comparison of the JIT, JET, and Horizon Wavelength Reservation Schemes on a Single OBS Node,” Proceedings of the First Workshop on Optical Burst Switching, October 2003.

[4] C. Siva Ram Murthy and Mohan Gurusamy, “WDM Optical Networks: Concepts, Design and Algorithms,” Prentice Hall PTR, November 2001.

[5] Pushpendra Kumar Chandra, Ashok Kumar Turuk, and Bibhudatta Sahoo, “Survey on Optical Burst Switching in WDM Networks,” Proceedings of IEEE communications magazine, December 2009.

[6] Guray Gurel and Ezhan Karasan, “Effect of Number of Burst Assemblies on TCP Performance in Optical Burst Switching Networks,” Proceedings of the IEEE BROADNETS, October 2006.

[7] J. Turner, “Terabit Burst Switching,” Journal of High Speed Networks, vol.8, pp. 3-16, January 1999.

[8] S. Yoo, S. J. B. Yoo, and B. Mukherjee, “All-Optical Packet Switching for Metropolitan Area Networks: Opportunities and Challenges,” IEEE Communications Magazine, vol. 39, pp. 142-148, March 2001.

[9] M. Yoo and C. Qiao, “Choices, Features and Issues in Optical Burst Switching (OBS),” Optical Networking Magazine, vol. 1, pp. 36-44, April 1999.

[10] B. Lannoo, Jan Cheyns, Erik Van Breusegem, Ann Ackaert, Mario Pickavet, and Piet Demeester, “A Performance Study of Different OBS Scheduler Implementations,” Proceedings of Symposium IEEE/LEOS Benelux Chapter, Amsterdam, October 2002.

[11] Guray Gurel, Onur Alparslan and Ezhan Karasan, “nOBS: an ns2 based simulation tool for performance evaluation of TCP traffic in OBS networks,” Annals of Telecommunications, vol. 62, no. 5-6, pp. 618-632, May-June 2007.
