Description
Date depot: 1 janvier 1900
Titre: Architecture and Mechanisms for Security in the Future Internet
Directeur de thèse:
Michel RIGUIDEL (LTCI (EDMH))
Encadrant :
Artur HECKER (LTCI (EDMH))
Domaine scientifique: Sciences et technologies de l'information et de la communication
Thématique CNRS : Non defini
Resumé:
This thesis aims at studies of security mechanisms in the framework of the security architecture for the Future Internet. Basic Internet mechanisms around the current Internet only support best effort transport without any security guarantees. Packets can be read, modified, rerouted, delayed and dropped by any entity. Previously proposed mechanisms were either limited to traffic engineering done by individual operators independently, or were targeting primarily confidentiality and integrity on top of the transport. For instance, the well-known IPSec suite creates heavy-duty, closed and separate domains on top of the IP transport and requires all participating entities to either belong to the same domain or to share keys. IPSec is therefore a solution widely used for creating virtual private links or secure overlays over the Internet, but it is hardly usable to increase the security and resilience of the traversed networks or of the Internet exchange in general.
While, at the Internet level, the previous work concentrated on the firm and deterministic security of packet content (usually for E2E connections) and full security of individual packets (also applicable hop by hop), the idea of this thesis is to rather explore the promise of lightweight, possibly probabilistic, security mechanisms when applied to the Internet flows in a typical multi-tenant setting.
More precisely, in this thesis, we switch the focus of security considerations from packets to packet flows, in a form in which they are treated by network operators. We consequently switch the security objectives from classical confidentiality and integrity of data to resilience of networks, linkability and traceability of flows and, optionally, non-repudiation of actors. In this view, changes to or forging of some specific packets are not the main focus and could be probabilistically tolerated. However, it should be difficult for an attacker to change, forge, reroute or destroy complete packet flows. This can be achieved with a mix of probabilistic protection and probabilistic detection measures; we also need means to communicate detected events beyond the network boundaries in a secure, i.e. unforgeable manner. The solution must apply to scenario settings including several operators and must respect privacy constraints of the involved principals.
Concretely, to enable consistent traffic management, in the proposed architecture, the incoming packets are tagged with structured, semantic tags. While state-of-the-art detection and identification mechanisms can be used for traffic classification, such tagging represents a progress beyond the state of the art. Current tagging mechanisms use simple numeric labels without structure or meaning. In contrast, the tagging proposed here will introduce the idea of semantic tags that follow a well-established grammar and a structure. Owing to this grammar, the semantic tags will permit to communicate rich information over the frontiers of one authority. The grammar will permit to express either simple messages or to produce complex statements, whose meaning could evolve in time. The tags will be attached (e.g. like MPLS tags) or integrated (e.g. with steganographic measures) into any protocols regardless of OSI layers or specific format structures and should, in principle, function with any protocol, assuring backwards and upwards compatibility.
To enable reasonable communication, beyond the communication channel, parties must know and understand each other. In our trust model, we presume that neighbouring operators (in both peering and transit cases) have a reasonable trust level towards each other. This trust level – expressed through Service Level Agreements (SLA) – permits them to interpret tags at least as loose hints regarding the constitution, content and requirements of flows. Regarding the understanding, different information models will be supported following the principle of need to know.
As a typical application, consider an access network operator who communicates hints or keywords regarding the nature of the traffic flow to upstream operators. This would permit to drop repetitive traffic analysis or fixed mapping agreements at every exchange point. Another application could be a content provider explicitly communicating distribution constraints to the downstream transporting operators.
Doctorant.e: Zhao Yimeng