Int. J. Communications, Network and System Sciences, 2009, 7, 641-644
doi:10.4236/ijcns.2009.27072 Published Online October 2009 (http://www.SciRP.org/journal/ijcns/).
Copyright © 2009 SciRes. IJCNS

An Identifier-Based Network Access Control Mechanism Based on Locator/Identifier Split

Rui TU1, Jinshu SU1, Ruoshan KONG2
1School of Computer Science, National University of Defense Technology, Changsha, China.
2International School of Software, Wuhan University, Wuhan, China
Email: ruitu@nudt.edu.cn, krs1024@126.com
Received January 5, 2009; revised May 15, 2009; accepted July 12, 2009

ABSTRACT

Legacy IP address-based access control has met many challenges, because network nodes cannot be identified accurately by their variable IP addresses. “Locator/Identifier Split” makes it possible to build a network access control mechanism on a permanent identifier. With the support of the “Locator/Identifier Split” routing and addressing concept, Identifier-based Access Control (IBAC) makes network access control more accurate and efficient, and fits mobile nodes’ access control well. Moreover, the Self-verifying Identifier makes it possible for the receiver to verify the packet sender’s identity without third-party authentication, which greatly reduces the probability of “Identifier Spoofing”.

Keywords: Access Control, Locator/Identifier Split, IBAC, Self-Verifying Identifier, Identifier Spoofing

1. Introduction

In the current TCP/IP architecture, the IP address has dual semantics: it indicates both a network node’s routing locator and its endpoint identifier [1]. This means the IP address is a variable label tied to location. Because of this “IP Overload” [1], IP address-based access control has met many challenges.

Firstly, IP address-based access control limits resource access when a node changes its location.
Network services often distinguish users by their IP addresses, so many services are bound to the clients’ locations. As a result, when a user of an authorized organization moves to another location (and so the IP address changes), he loses access to the service.

Secondly, “IP Overload” makes IP address-based access control even more complex, and greatly reduces its defensive effectiveness:

1) Because the IP address is a variable label, it cannot be used as an accurate identifier of a node. Moreover, “IP Spoofing” makes this even more critical. So it is difficult to identify the access source in the network layer, and attackers can anonymously attack network devices and services.

2) An IP address cannot be matched to a user precisely [2]. One IP address can represent different nodes at different times. On the other hand, one IP address can also represent multiple nodes simultaneously (e.g. behind NAT). As a result, an attacker can hide his true identity easily.

For the above reasons, the effectiveness of IP address-based access control is greatly reduced, and some misuses will harm valid users.

Finally, changes in network topology and ISP policies lead to reconfiguration of IP addresses. Thus, many access control rules and configurations based on IP addresses have to be modified. Undoubtedly, this makes access control management more complex.

The reason for the above drawbacks is that there is no accurate, unique and permanent identifier to describe a network node. So the key problem is to resolve the “IP Overload” problem. The IAB announced that, in order to resolve “IP Overload”, two name spaces should be introduced to denote a network node’s locator and identifier separately, which is called “Locator/Identifier Split” [3]. The communication session is based on the permanent Identifier, and routing is based on the variable Locator.
In this paper, we propose LISA Network Access Control (LISA-NAC), a new network access control mechanism based on the Locator Identifier Separation Architecture (LISA) [4]. The main contributions of LISA-NAC are the Identifier Based Access Control (IBAC) model and the Self-Verifying Identifier, which make network access control more efficient.

The rest of this paper is organized as follows. Section 2 presents an overview of the LISA architecture. Section 3 describes the new characteristics of LISA-NAC, including the IBAC model and the Self-Verifying Identifier. Section 4 gives an outline of our future work. Finally, we conclude with a summary of the main research results in Section 5.

2. LISA Overview

LISA is a network-based “Locator/Identifier Split” naming and addressing architecture, which borrows some ideas from LISP [5]. As Figure 1 shows, the network is divided into two parts: the kernel network and the edge network. The kernel network uses the Locator name space, while the edge network uses the permanent Identifier name space. The communication session is built on the permanent Identifier, but the mapped Locator is variable.

LISA adopts a “Mapping + Encapsulation” method to process packets. The LISA Router (edge router) maps the Identifier space into the Locator space by querying a distributed mapping service system based on one-hop hashing (LISA-Mapping). Moreover, the LISA Router can update mapping records in LISA-Mapping. The Identifier space is a new name space (see Subsection 3.2). The Locator space can reuse the legacy IP address space (IPv4/v6), which avoids updating network devices in the kernel network.

When a LISA Router receives a packet from a host, it queries LISA-Mapping for the Locator matching the packet’s Identifier. After receiving the mapped Locator, the LISA Router adds a new packet header (including the Locator) to the original packet.
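The “Mapping + Encapsulation” step just described, written out as an added example; this is not the paper’s code and LISA-Mapping’s real protocol is not specified here. It assumes string-typed Identifiers and Locators, a mapping system made of N servers where the responsible server is chosen by hashing the Identifier (standing in for the one-hop hash lookup), and constructed sample values. It also shows the mobility case the paper relies on: when a node moves, only its mapping record changes, while its Identifier, and anything keyed on it, stays the same.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
)

// Distinct types for the two name spaces so they cannot be mixed up by accident.
type Identifier string
type Locator string

// InnerPacket is what the edge host sends: addressed by Identifier only.
type InnerPacket struct {
	SrcID, DstID Identifier
	Payload      string
}

// OuterPacket travels in the kernel network: addressed by Locator, carrying
// the inner packet unchanged.
type OuterPacket struct {
	SrcLoc, DstLoc Locator
	Inner          InnerPacket
}

// MappingSystem stands in for LISA-Mapping (assumed model, not the paper's
// protocol): the record for an Identifier lives on the server selected by a
// hash of the Identifier, so a lookup is a single hop.
type MappingSystem struct {
	servers []map[Identifier]Locator
}

func NewMappingSystem(n int) *MappingSystem {
	ms := &MappingSystem{servers: make([]map[Identifier]Locator, n)}
	for i := range ms.servers {
		ms.servers[i] = map[Identifier]Locator{}
	}
	return ms
}

// ServerFor picks the responsible mapping server from SHA-256 of the Identifier.
func (ms *MappingSystem) ServerFor(id Identifier) int {
	h := sha256.Sum256([]byte(id))
	return int(h[0]) % len(ms.servers)
}

// Update registers or refreshes the Identifier -> Locator record (used on mobility).
func (ms *MappingSystem) Update(id Identifier, loc Locator) {
	ms.servers[ms.ServerFor(id)][id] = loc
}

// Lookup returns the current Locator for an Identifier.
func (ms *MappingSystem) Lookup(id Identifier) (Locator, error) {
	loc, ok := ms.servers[ms.ServerFor(id)][id]
	if !ok {
		return "", errors.New("no mapping for identifier " + string(id))
	}
	return loc, nil
}

// LISARouter is an edge router that owns one Locator in the kernel network.
type LISARouter struct {
	Loc     Locator
	Mapping *MappingSystem
}

// Encapsulate maps the destination Identifier to a Locator and wraps the
// inner packet in a Locator-addressed outer header.
func (r *LISARouter) Encapsulate(in InnerPacket) (OuterPacket, error) {
	dst, err := r.Mapping.Lookup(in.DstID)
	if err != nil {
		return OuterPacket{}, err
	}
	return OuterPacket{SrcLoc: r.Loc, DstLoc: dst, Inner: in}, nil
}

// Decapsulate strips the outer header at the destination router; the inner
// packet is then forwarded by Identifier, so it is returned unchanged.
func (r *LISARouter) Decapsulate(out OuterPacket) (InnerPacket, error) {
	if out.DstLoc != r.Loc {
		return InnerPacket{}, errors.New("outer header is not addressed to this router")
	}
	return out.Inner, nil
}

func main() {
	ms := NewMappingSystem(4)
	ms.Update("id-alice", "10.0.1.1") // constructed sample Identifiers and Locators
	ms.Update("id-bob", "10.0.2.1")
	ingress := &LISARouter{Loc: "10.0.1.1", Mapping: ms}
	in := InnerPacket{SrcID: "id-alice", DstID: "id-bob", Payload: "hello"}

	out, _ := ingress.Encapsulate(in)
	fmt.Printf("outer %s -> %s carries inner %s -> %s\n", out.SrcLoc, out.DstLoc, in.SrcID, in.DstID)

	ms.Update("id-bob", "10.0.3.1") // Bob moves: new Locator, same Identifier
	out, _ = ingress.Encapsulate(in)
	fmt.Printf("after move: outer %s -> %s\n", out.SrcLoc, out.DstLoc)
}
```

The ingress router never sees an IP-style address for Bob; it sees `id-bob` and resolves it at send time, which is why an access rule keyed on `id-bob` survives the move while a rule keyed on `10.0.2.1` would not.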
So in the encapsulated packet, the inner address is an Identifier and the outer address is a Locator. LISA uses the Identifier to denote node identity, and the Locator to forward the packet in the kernel network. When the encapsulated packet arrives at the destination LISA Router, that router decapsulates the packet and forwards the original packet to the destination host according to the Identifier.

Figure 1. LISA architecture.

3. LISA-NAC

In order to improve the efficiency of network access control, network accountability must be considered. Network accountability is the capability to identify network entities (users, hosts and devices) and to distinguish malicious traffic. However, limited by the “dumb” network infrastructure, it is difficult to achieve accountability in the Internet: there is no accurate, unique and permanent identifier for a network entity. The IP header is too simple; more state information (e.g. an identifier) should be added to satisfy the needs of security, QoS and network management.

In LISA, LISA-NAC runs on the permanent Identifier name space, and provides an accurate, efficient and fine-grained access control mechanism for the edge network. The main features of LISA-NAC are the IBAC model and the Self-Verifying Identifier.

3.1. IBAC Model

Different from traditional network access control, IBAC defines access control policies based on the network node’s true permanent Identifier, not on an IP address or device port. IBAC includes three entities: Identifier (I), Object (O) and Permission (P). There are two types of Identifiers: Individual Identifier (I2) and Identifier Affiliation (IA). I2 denotes a single network node, and IA denotes a group of network nodes.

IBAC uses the three-tuple (I, O, P) to describe an authority. If an (I, O, P) exists, it indicates that I can perform P on O.
In particular, (I2, O, P) indicates that a single I can perform P on O, and (IA, O, P) indicates that a group of I can perform P on O.

IBAC provides an end-to-end security mechanism and fine-grained access control. For example, if several users share a Locator (e.g. an IP address), IBAC can define an independent security policy for each of them. In order to simplify the format of the access control policy and reduce the ACL size, IBAC uses the IA to classify Identifiers, and applies a unified operation to the Identifiers which share the same IA. The IA is not carried directly in the packet header; it is stored in the LISA-Mapping system, and the destination queries LISA-Mapping for the matching IA.

IBAC guarantees the long-term stability of the access control policy. Although the network entities’ Locators are variable, the access control policies based on the permanent Identifier are unchanged, so valid users can always use their services. Thus IBAC fits mobile nodes’ access control. IBAC avoids the policy updates caused by Locator changes, and greatly reduces the workload of maintaining the access control policy.

In the current network, in order to achieve end-to-end authority control, network access control has to collaborate with the access control mechanisms of the system or application software. Since IBAC guarantees end-to-end access control and provides network accountability, it becomes possible to simplify the upper layers’ access control. If the Identifier can be combined with the user’s biological properties in the future, the network will be aware of the user’s identity and behaviour, and user accounts and passwords will no longer be needed.

3.2. Self-Verifying Identifier

A true Identifier is the basis of IBAC. Like IP address-based control, IBAC faces the potential threat of “Identifier Spoofing”. So we introduce the “Self-verifying Identifier” in LISA-NAC.
With the Self-verifying Identifier, the receiver can verify the sender’s identity from the packet’s Identifier alone, without the participation of third-party authentication.

In LISA, every network node obtains a pair of asymmetric keys from the CA. The node holds the private key, and uses the public key as the node’s globally unique identifier. In other words, the identifier name space is a public key space. LISA-NAC ensures consistency between the Identifier and the node’s identity through the digital signature mechanism.

The Self-verifying Identifier simplifies verification of a packet’s source Identifier, and strengthens scalability because there is no need for third-party authentication.

At present, we adopt a 160-bit Self-verifying Identifier. Since the Identifier is actually a public key, we should choose an appropriate asymmetric key generation algorithm. Traditional asymmetric algorithms such as RSA, DSA and Diffie-Hellman often choose long keys to guarantee the key’s security. For example, a normal RSA key is 1024 bits. However, such a long key is unfit for the Identifier. Firstly, a long identifier increases the packet size, which may lead to packet fragmentation and consume additional bandwidth. On the other hand, since a 128-bit Identifier space is enough for the current IPv6 network size, it is useless to make a huge Identifier name space.

In LISA-NAC, we use the ECC (Elliptic Curve Cryptography) algorithm to create a pair of 160-bit asymmetric keys for every network node. ECC’s advantages are:

1) ECC offers security equivalent to RSA with a much smaller key size. For example, a 160-bit ECC key offers security equivalent to a 1024-bit RSA key [6]. This property reduces the engineering challenges brought by long keys.

2) ECC generates asymmetric key pairs faster than RSA does for comparable key lengths [7]. Considering signature generation and verification, ECC’s processing speed is much faster than that of RSA [8].
This makes it possible to implement packet digital signature verification with limited packet delay.

At present, a 109-bit ECC key has been broken by brute force. However, a secure 160-bit ECC key is approximately one hundred million times harder to crack than a 109-bit ECC key [9]. So we think that a 160-bit ECC key fits the Identifier length, and satisfies the basic security requirements.

Figure 2 shows the verification process of the Self-verifying Identifier. IDs and IDd denote the packet’s source and destination Identifier respectively. In fact, IDs and IDd are the sender’s and receiver’s public keys. Dig is the packet’s digest. Sig is the digital signature. The receiver identifies the true sender by verifying the packet’s signature. If an attacker disguises himself as the sender and sends a packet, he must have the sender’s private key to generate the correct encrypted signature. Since the attacker does not have the sender’s private key, when the receiver generates a new packet digest (Dig’) it must differ from the decrypted original packet digest (Dig). So “Identifier Spoofing” can be detected.

Figure 2. Self-verifying identifier verification.

The packet carries the public key, and there is no key exchange during node identity verification. Obviously, this simplifies the identity verification process. Since network access control is deployed to protect important services, it is unnecessary to include signature verification in general packet processing. Most network nodes can treat packet signature verification as an option, but the packet signature itself is mandatory. Moreover, a node can publish its Identifier in the DNS so that all other nodes can obtain its public key to encrypt data.

4. Future Work

In LISA-NAC, verifying the signature on every packet will undoubtedly add packet delay.
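The per-packet check whose cost is discussed here, combined with the IBAC decision of Section 3.1, as an added example; this is not the paper’s code or prototype. It follows Figure 2: the Identifier is the sender’s public key carried in the packet, the receiver rebuilds the verification key from IDs, recomputes Dig’ and checks Sig, and only a self-verified Identifier is used as the I in the (I, O, P) lookup, with the IA obtained from an assumed mapping lookup rather than from the packet. Assumptions: Go’s standard library has no 160-bit curve, so P-256 (33-byte compressed public key) stands in for the paper’s 160-bit ECC key; the digest is SHA-256 over IDs, IDd and the payload; the policy, mapping table and packet contents are constructed samples.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Assumption: P-256 stands in for the paper's 160-bit ECC curve, which the
// Go standard library does not provide. The Identifier is the compressed
// public key (33 bytes) rather than 160 bits.
var curve = elliptic.P256()

// Packet carries the fields of Figure 2: source/destination Identifiers
// (IDs, IDd), the payload, and Sig, the signature over the digest Dig.
type Packet struct {
	IDs, IDd []byte
	Payload  []byte
	Sig      []byte
}

// NewIdentifier creates a node's key pair; its public key is its Identifier.
func NewIdentifier() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, elliptic.MarshalCompressed(curve, priv.PublicKey.X, priv.PublicKey.Y), nil
}

// IdentifierString renders an Identifier as hex for use as a policy key.
func IdentifierString(id []byte) string { return hex.EncodeToString(id) }

// digest is Dig: hashing IDs and IDd together with the payload binds the
// claimed source Identifier to the packet content.
func digest(p Packet) []byte {
	h := sha256.New()
	h.Write(p.IDs)
	h.Write(p.IDd)
	h.Write(p.Payload)
	return h.Sum(nil)
}

// Sign is the sender side: Sig = signature of Dig under the private key.
func Sign(priv *ecdsa.PrivateKey, p *Packet) error {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(*p))
	if err != nil {
		return err
	}
	p.Sig = sig
	return nil
}

// VerifySource is the receiver side of Figure 2. The verification key is
// rebuilt from IDs inside the packet, so no CA query or key exchange is
// needed; the receiver recomputes Dig' and checks Sig against it.
func VerifySource(p Packet) bool {
	x, y := elliptic.UnmarshalCompressed(curve, p.IDs)
	if x == nil {
		return false // IDs is not a valid curve point: malformed Identifier
	}
	pub := &ecdsa.PublicKey{Curve: curve, X: x, Y: y}
	return ecdsa.VerifyASN1(pub, digest(p), p.Sig)
}

// Authority is the IBAC three-tuple (I, O, P); I is an I2 (hex Identifier)
// or an IA name. Policy is the set of granted authorities.
type Authority struct{ I, O, P string }
type Policy map[Authority]bool

// MappingService stands in for the LISA-Mapping query that returns a node's
// IA (assumed interface: hex Identifier -> IA name).
type MappingService map[string]string

// Permit grants if (I2, O, P) is in the policy, or (IA, O, P) is, with the IA
// taken from the mapping lookup rather than from the packet header.
func Permit(pol Policy, ms MappingService, ids []byte, obj, perm string) bool {
	i2 := IdentifierString(ids)
	if pol[Authority{i2, obj, perm}] {
		return true
	}
	ia, ok := ms[i2]
	return ok && pol[Authority{ia, obj, perm}]
}

// Admit is the full LISA-NAC decision: the source Identifier must
// self-verify before it is trusted as the I in the policy lookup.
func Admit(pol Policy, ms MappingService, p Packet, obj, perm string) bool {
	return VerifySource(p) && Permit(pol, ms, p.IDs, obj, perm)
}

func main() {
	sPriv, sID, _ := NewIdentifier()
	_, rID, _ := NewIdentifier()
	aPriv, _, _ := NewIdentifier() // attacker's own key pair
	pol := Policy{Authority{"staff", "db", "read"}: true} // constructed policy
	ms := MappingService{IdentifierString(sID): "staff"}

	pkt := Packet{IDs: sID, IDd: rID, Payload: []byte("read db")}
	_ = Sign(sPriv, &pkt)
	fmt.Println("genuine packet admitted:", Admit(pol, ms, pkt, "db", "read"))

	// Identifier Spoofing: the packet claims sID but is signed with aPriv.
	spoof := Packet{IDs: sID, IDd: rID, Payload: []byte("read db")}
	_ = Sign(aPriv, &spoof)
	fmt.Println("spoofed packet admitted:", Admit(pol, ms, spoof, "db", "read"))
}
```

The order in `Admit` matters: the policy lookup is only meaningful once `VerifySource` has tied IDs to whoever holds the matching private key, which is the point of the Self-verifying Identifier. Note also that the IA is fetched by the receiver from the mapping service, never read from the packet, so a sender cannot claim a group it does not belong to.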
The degradation of transmission performance is what we are concerned about. A prototype is under development, and we will measure the changes in the main transmission performance metrics (delay, loss and throughput) to test the feasibility of LISA-NAC.

At present, the Identifier only indicates the network node’s properties, not the user’s. In the next step, we will try to combine the Identifier with the user’s biological properties. Then the network will be aware of users’ identity and behaviour.

5. Conclusions

LISA separates a network node’s identity from its location, which makes it possible to build a network access control mechanism based on the identifier. IBAC makes network access control more accurate and efficient. Moreover, IBAC fits mobile nodes’ access control. Since a true Identifier is the basis of IBAC, “Identifier Spoofing” must be avoided. The Self-verifying Identifier makes it possible for the receiver to verify the packet sender’s identity without third-party authentication, which simplifies packet source verification. We think that LISA-NAC is a concrete step towards strengthening network security through the “Locator/Identifier Split”.

6. Acknowledgements

This work was supported by China “863” Project (No. 2008AA01A325) and China National Grand Fundamental Research “973” Project (No. 2009CB320503).

7. References

[1] J. Scudder, “Routing/addressing problem solution space,” 2007, http://www.arin.net/meetings/minutes/ARIN_XX/PDF/wednesday/SolutionSpace_Scudder.pdf
[2] R. Tu, J. S. Su, Z. W. Meng, and F. Zhao, “UCEN: User centric enterprise network,” in Proceedings IEEE ICACT’08, Phoenix Park, Korea, pp. 66–71, Feb 2008.
[3] D. Meyer and K. Fall, “Report from the IAB workshop on routing and addressing,” Internet Draft, 2006.
[4] R. Tu and J. S. Su, “A hash-based locator/ID mapping mechanism,” The Computer Engineering and Science, No. 1, pp. 9–12, 2009.
[5] D. Meyer, “The locator identity separation protocol (LISP),” The Internet Protocol Journal, Vol. 11, No. 1, pp. 23, 2008.
[6] A. J. Menezes, “Elliptic curve public key cryptosystems,” Kluwer International Series in Engineering and Computer Science, 1993.
[7] N. Jansma and B. Arrendondo, “Performance comparison of elliptic curve and RSA digital signature,” Technical Report, 2004, http://www.nicj.net/files/498termpaper.pdf
[8] Certicom Corp, “The elliptic curve crypto system for smart cards,” Certicom White Paper, 1998, http://www.comms.scitech.susx.ac.uk/fft/crypto/ECC_SC.pdf
[9] W. Chou and Laerence, “Elliptic curve cryptography and its applications to mobile device,” Project Report, University of Maryland, 2003, http://www.cs.umd.edu/Honors/reports/ECCpaper.pdf