This is an English translation of the research paper "一种基于路由扩散的大规模网络控管方法", published in the Journal on Communications, .
(Department of Computer Science and Engineering, Harbin Institute of Technology, Harbin, Heilongjiang, China 150001)
Date received: 2002-01-21; date revised: 2003-03-14
Author bios: 刘刚 (Liu Gang) (1975–), male,
from Shenyang, Liaoning, Ph.D. student of Harbin Institute of
Technology. His main research interest is cybersecurity. 云晓春 (Yun Xiaochun) (1971–), male, from
Mudanjiang, Heilongjiang, Ph.D., professor of Harbin Institute of
Technology. His main research interest is cybersecurity. 方滨兴 (Fang Binxing) (1960–), male, from Wannian,
Jiangxi, Ph.D., professor and doctoral supervisor of Harbin Institute of
Technology. His main research interests are cybersecurity and parallel
processing. 胡铭曾 (Hu Mingzeng) (1935–),
male, from Shanghai, professor and doctoral supervisor of Harbin
Institute of Technology. His main research interests are architecture
and cybersecurity.
To address the shortcomings of existing network access control methods, this paper presents a new access control method for large-scale networks based on route propagation. The paper describes its basic network topology and the selection and configuration of dynamic routing protocols, and compares the method in detail with existing methods. The method places a small burden on routers, supports a large number of control rules, is intelligent and scalable, and lets a configuration made in one location take effect in many locations, so it is suited to access control for large-scale networks.
With the rapid development of computer network technology and the vigorous promotion of the informatization of the national economy and society, administrative units, enterprises, and public institutions have all established network information systems, and applications such as e-government, e-banking, e-commerce, online securities, telemedicine, and distance education are becoming more and more widespread. The problem of network information security has arisen alongside them. The recent proliferation of the “Code Red” and “Nimda” worms and the growing number of hacker intrusions have made people fully aware of the importance and urgency of network information security management. To prevent the spread of harmful information of all kinds on the network, the information on the network must be filtered and analyzed and effective measures taken to block its spread. This requires managing key points on the network through some network access control method so as to control the flow of specific traffic. Especially in a large-scale network environment, an efficient and feasible access control method is needed that filters and controls harmful traffic in real time without affecting the normal flow of information.
Network access control is an important means of securing network information. Access control can be divided into two types: host-oriented and network-oriented. Host-oriented access control is aimed at the users of an operating system or application; its goal is to keep unauthorized users out of the system and to prevent authorized users from misusing system resources. Network-oriented access control is the control of network traffic on network devices at all levels; the object of control is the stream of packets through the device, and the goal is to block the passage of harmful packets. Functionally, packets flowing through the network are matched against several fields (source and destination IP address, source and destination port, and so on) according to the access control rules configured by the network administrator, and are accepted, discarded, or forwarded according to the result. The key implementation point is to provide this control without degrading normal traffic or system efficiency. Network-oriented access control can further be divided, by the size of the network where it is applied, into access control for LANs and access control for large-scale networks. The egress/ingress routers of LANs generally carry relatively low bandwidth, so real-time filtering is easy to realize: even with complex access control rules, matching can still be done at wire speed without packet loss, and rich control functions can be provided at this scale. By access control for large-scale networks, we mean access control on the core routers of the large autonomous systems (ASes) run by Internet Service Providers (ISPs).
These routers usually have a core switching capacity of tens or even hundreds of Gbit/s, hundreds of thousands of routing table entries, a packet throughput of tens or even hundreds of Mpps, and other technical indicators. It is difficult to implement access control on these routers in the conventional way without affecting the high-speed data exchange between them.
However, access control for large-scale networks is of great significance for national-level network information security management, and this paper is devoted to a solution. Several ways of implementing network access control exist at present[1, 2], but all have certain defects and none is suited to large-scale network environments. Routing table matching is an effective way to control traffic on existing routers without a large impact on the switching rate of the router or on the original network topology: the routing table matching algorithm is mature and efficient, does not consume much processor time and so has little impact on router performance, and the routing table has a large capacity for routing information, i.e., it can hold a large number of access control rules. In this paper, we propose a new route propagation–based access control method for large-scale networks that exploits this efficient routing table matching.
In the route propagation–based network access control method, a new subnet or AS domain that serves as the control network is connected to the egress/ingress routers of a large-scale autonomous system, and the network addresses to be controlled are configured on a router in this control network. The automatic topology discovery of dynamic routing protocols then generates routes for the controlled addresses on each egress/ingress router, so that traffic to those addresses is diverted into the control subnet or AS domain, where it can be controlled.
In this paper, we focus on methods for network access control in large-scale network environments. Figure 1 shows the network architecture used for route propagation–based network access control in a large ISP. ISP0 is the ISP that has implemented network access control. Because an ISP’s egress/ingress routers are the routers that exchange data with other ISPs, they are the natural control points for ISP-level network access control. The route propagation link from the sample router (sr) to each egress/ingress router (or) can be a direct connection, or can reach each or through one or more levels of propagation routers (kr). If conditions permit, a second link can be established for backup (e.g., from sr to or4), and each kr can be connected to more than one or (e.g., kr1). Propagation links can be established in two main ways: 1) dedicated lines, which offer high propagation speed and stability at a higher cost; 2) encrypted tunnels over public data networks forming virtual links, which cost less but offer relatively poorer propagation speed and stability. The form of implementation can be chosen case by case; the dynamic routing protocol to run on these links is described in the next section.
The sample server (ss) is connected to the sr’s console. The network administrator enters the controlled network address IP1 on the ss, and the program running on the ss generates a corresponding static route: its destination is the controlled network address IP1 and its next hop is the IP address of the blackhole server (fs). The ss writes this static route to the sr through the console, and from the sr it is propagated hop by hop over the propagation links to every or. As a result, every packet passing through any or whose destination is the controlled network address IP1 is forwarded toward the sr, which in turn forwards it to the blackhole server. The blackhole server may simply discard these packets or process them in some other way, and can also compile statistics on and analyze the traffic directed at the various controlled addresses. Thus, configuring a controlled network address on the sample server creates access control for that address on every egress/ingress router at once, which is the advantage of configuration in one location taking effect in multiple locations. The same holds for de-control.
On the one hand, access from addresses inside the ISP to controlled addresses outside the ISP is routed to the blackhole server; on the other hand, when a controlled address outside the ISP accesses a user inside the ISP, the request packets from the controlled address do reach the user, but the user’s response packets are routed to the blackhole server as they pass through the ISP’s egress/ingress router, so no connection can be established. Most network attacks and worms rely on connection-oriented protocols, so controlling traffic in a single direction is enough to break the connection and stop their spread. (Connectionless traffic arriving from a controlled address, such as a UDP flood, is not stopped in this way, since it does not depend on a reply.) From these two aspects, it can be seen that the method uses the routing function at the network layer to achieve traffic control for controlled addresses.
The selection and configuration of dynamic routing protocols is key to implementing the network access control method proposed in this paper. Whether the sample router and propagation routers are connected to each egress/ingress router by dedicated lines or by virtual links, the effect is to add one or more network branches to the ISP. According to the actual connection situation, this paper proposes two schemes for selecting the dynamic routing protocol:
Each propagation link from the sample router to an egress/ingress router is regarded as a network branch within the AS domain, as shown in Figure 2, so an intra-domain dynamic routing protocol should be considered. The commonly used intra-domain dynamic routing protocols at present are RIP, OSPF[3] and IS-IS[4]. RIP is a distance-vector routing protocol, and OSPF is a link-state routing protocol. In practice, link-state protocols generally converge faster than distance-vector protocols, and faster response time matters for a network access control system. OSPF also has advantages in its support for IP type of service, load balancing, and supernetting (CIDR). IS-IS is less widely supported than OSPF. For these reasons, OSPF is selected for this scheme.
Figure 2: Each propagation branch belongs to a different AS domain
If the network consisting of the sample router and all the propagation routers is regarded as an independent AS domain, with the individual egress/ingress routers in other AS domains, then the exchange of routing information between the sample router or a propagation router and an egress/ingress router becomes an inter-domain exchange, as shown in Figure 3, and an inter-domain routing protocol should be used on the domain boundary. At present, BGP is the inter-domain routing protocol used on most ISP egress/ingress routers[5, 6]. This scheme therefore uses OSPF within the AS domain consisting of the sample router and propagation routers, and BGP between domains.
Figure 3: The sample router and propagation router form a separate domain
Regardless of which dynamic routing protocol selection scheme is ultimately used, the following should be kept in mind when configuring protocols:
When configuring the dynamic routing protocol on the sample router, be sure to redistribute the static routes written by the sample server into the dynamic routing protocol on the interfaces connected to the propagation routers or the egress/ingress routers. If the second scheme is adopted, the OSPF routes must additionally be redistributed into BGP on the interfaces of the propagation routers on which BGP is configured. This is necessary because static routes and each dynamic routing protocol maintain only their own routing table entries; a protocol never sees routes from another source unless redistribution is explicitly configured.
Sending routing information announcements to propagation routers or sample routers is prohibited on the egress/ingress router; i.e., routing information learning is unidirectional. There are two reasons for this:
The priority of the propagated controlled routes should be raised on the egress/ingress router, so that they are preferred over routes to the same destination learned from other sources (for example from a BGP peer) and are matched first, which is what makes the access control effective.
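The following is an added toy model (not the paper’s implementation) of the control path described above with Figure 1 and of the three configuration notes just given: a sample router (sr) and one egress/ingress router (or), each keeping one table per routing source and picking a best route per prefix by preference, with forwarding by longest-prefix match. It shows that the static route written by the sample server reaches or only if it is redistributed, that both the outbound request to the controlled network and the user’s reply are diverted toward sr while the inbound request still reaches the user, and that when the same prefix is also learned from a BGP peer the propagated route is ignored unless its priority is raised. All addresses (203.0.113.0/24 as the controlled network, 192.0.2.0/24 as an internal user network, 10.0.0.2 as fs, 10.0.1.1 as sr’s end of the link to or) and the preference values are assumptions of this example.

```python
"""Constructed model of route-propagation control: per-protocol tables,
preference-based route selection, and longest-prefix-match forwarding."""
import ipaddress
from dataclasses import dataclass, field

# Assumed preferences (administrative distance, lower wins), mirroring
# common vendor defaults: static 1, external BGP 20, OSPF 110.
DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110}


@dataclass
class Router:
    name: str
    tables: dict = field(default_factory=lambda: {p: {} for p in DISTANCE})

    def add(self, proto, prefix, next_hop, distance=None):
        net = ipaddress.ip_network(prefix, strict=False)
        dist = DISTANCE[proto] if distance is None else distance
        self.tables[proto][net] = (next_hop, dist)

    def redistribute(self, src, dst):
        """Copy src's routes into dst's table: each protocol only carries
        what it learned itself or was explicitly given."""
        for net, (nh, _) in self.tables[src].items():
            self.tables[dst].setdefault(net, (nh, DISTANCE[dst]))

    def advertise(self, proto, peer, link_next_hop, distance=None):
        """One-way announcement: peer learns every route in self's proto
        table with the next hop pointing back over the link to self."""
        for net in self.tables[proto]:
            peer.add(proto, str(net), link_next_hop, distance)

    def rib(self):
        """Best route per prefix across all tables (lowest distance wins)."""
        best = {}
        for table in self.tables.values():
            for net, (nh, dist) in table.items():
                if net not in best or dist < best[net][1]:
                    best[net] = (nh, dist)
        return best

    def forward(self, dst_ip):
        """Longest-prefix match over the RIB; returns the next hop or None."""
        ip = ipaddress.ip_address(dst_ip)
        hits = [(net, nh) for net, (nh, _) in self.rib().items() if ip in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def controlled_route(controlled_net, fs):
    """Static route the sample server writes to sr: destination is the
    controlled network, next hop is the blackhole server fs."""
    return str(ipaddress.ip_network(controlled_net, strict=False)), fs


def build(control_distance=None):
    """Assumed topology: sr redistributes the static route into OSPF and
    advertises it to or; or never advertises back (unidirectional)."""
    sr, orr = Router("sr"), Router("or")
    sr.add("connected", "10.0.0.0/30", "local")          # link to fs
    sr.add("static", *controlled_route("203.0.113.0/24", "10.0.0.2"))
    sr.redistribute("static", "ospf")    # without this OSPF never carries it
    orr.add("connected", "192.0.2.0/24", "local")        # internal users
    orr.add("ebgp", "0.0.0.0/0", "peer")                 # upstream default
    orr.add("ebgp", "203.0.113.0/24", "peer")            # peer also announces it
    sr.advertise("ospf", orr, "10.0.1.1", control_distance)
    return sr, orr


def where_does_it_go(control_distance=None):
    """Next hop chosen by or (and by sr) for the interesting destinations.
    Both the outbound request and the user's reply carry the controlled
    network as destination, so one lookup covers both directions."""
    sr, orr = build(control_distance)
    return {
        "to_controlled": orr.forward("203.0.113.7"),
        "from_controlled_to_user": orr.forward("192.0.2.10"),
        "unrelated": orr.forward("198.51.100.5"),
        "sr_to_fs": sr.forward("203.0.113.7"),
    }


if __name__ == "__main__":
    print("default priority:", where_does_it_go())
    print("raised priority: ", where_does_it_go(control_distance=5))
```

With the default preferences the BGP route for 203.0.113.0/24 (distance 20) beats the propagated OSPF external route (110), so or still sends the traffic to the peer; lowering the distance of the propagated routes below the peer’s is exactly the “raise the priority” step above. Traffic whose destination is not controlled is unaffected.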
The main methods of implementing network access control today are router access control lists and firewalls. The traditional way is the access control list[7, 8]. However, a router’s implementation of an access control list depends largely on its software, which consumes considerable processor resources, and access control in a large-scale network environment inevitably produces an excessively long list. The processor is overloaded and the packet forwarding rate drops sharply, affecting normal traffic and system stability. The other way is a dedicated firewall[9] that blocks specific traffic, but firewalls are unsuitable at a network egress with a tight structure and heavy data traffic. Even hardware implementations find it hard to guarantee wire-speed matching under high load; at the time of writing, for example, no firewall product matched at wire speed on a 2.5 Gbit/s link. Table 1 compares the route propagation–based access control method with these two conventional methods.
Aspect compared | Access control list | Firewall | Route propagation method |
---|---|---|---|
Efficiency (large-scale applications) | moderate | moderate | high |
Stability | fairly good | fairly good | good |
Richness of control rules | fairly rich | rich | moderate |
Actual control rule capacity | moderate | moderate | large |
Intelligence | no | no | yes |
Operational simplicity | complex | complex | simple |
Impact on the original structure | no | large | small |
Scalability | poor | poor | good |
The most critical requirement for access control on a large-scale network is not to affect the high-speed data exchange between egress/ingress routers. This is hard to achieve with access control lists or firewalls, but achievable with the route propagation–based method, because it uses routing table matching for traffic control. The routing table matching algorithm is mature and efficient and generally runs on dedicated hardware, so it consumes little processor time and has little impact on router performance. This is the key advantage of the route propagation–based method.
In other respects, the advantages of the route propagation–based method are: 1) It supports a large control rule capacity in practice, because adding control rules has little impact on the router, whereas for the other two methods each added rule costs performance, so that they cannot carry many rules in practical use; 2) By compiling statistics on and analyzing the traffic collected by the blackhole server and feeding the results back to the sample server according to given principles, it helps the sample server decide whether to control or de-control an address, which is the advantage of intelligence; 3) It is simple to operate: the administrator only enters or deletes the controlled network address and does not configure complex access control rules; 4) It has little impact on the original network architecture, whereas a firewall must be placed at the edge of the egress/ingress router, which does affect the original architecture; and 5) It is scalable, because each propagation branch is responsible for propagation to one egress/ingress router, so adding egress/ingress routers only requires adding propagation branches. The disadvantage of the route propagation–based method is that its access control rules are not rich: firewalls and access control lists can match multiple fields of a packet, while the route propagation–based method matches only the destination address. At present, however, complex access control rules are not practical on large-scale networks anyway.
The network administrator can also write static routes directly on the egress/ingress routers to accomplish the control task; this can be called direct control. Its advantage is that the control takes effect fastest, and a static route itself has a high matching priority. However, a large ISP may have many egress/ingress routers, and a large number of manual entries inevitably raises the probability of error and makes data entry inefficient, whereas the route propagation–based method lets a configuration made in one location take effect in many locations. In addition, because most egress/ingress routers rely mainly on dynamic routing protocols to learn the network topology, the flash memory holding the configuration and permanent static routes is generally small and cannot hold many static routes; static routes written only to memory are lost when the router restarts. Direct control is therefore not suited to large-scale network environments.
This paper presents a method that implements access control for large-scale networks by using dynamic routing protocols to propagate controlled routes to the egress/ingress routers of the network. The method places a small burden on routers, supports a large number of control rules, is intelligent and scalable, and lets a configuration made in one location take effect in many locations. Deployment at several ISPs has shown that the route propagation–based access control method presented here can implement access control for large-scale networks and can carry up to tens of thousands of access control rules without affecting the high-speed data exchange between core routers, with the whole system operating stably.