This invention relates to a method for monitoring the establishment of a label-switched path (LSP) through a global domain of label-switched nodes, such as, for example, label-switched routers (LSRs). It provides for the detection of adversarial or accidental alterations of the label-switched path during its set-up.
As rapid Internet growth continues, global communications become more dependent on Internet availability for information transfer. Recently, the Internet Engineering Task Force (IETF) introduced a new protocol, Multiple Protocol Label Switching (MPLS), to provide high-performance data flows within the Internet. MPLS emulates two major aspects of the Asynchronous Transfer Mode (ATM) technology. First, each initial IP packet is “routed” to its destination based on previously known delay and congestion avoidance mechanisms. This allows for effective distribution of network resources and reduces the probability of congestion. Second, after route selection each subsequent packet is assigned a label at each hop, which determines the output port for the packet to reach its final destination. These labels guide the forwarding of each packet at routing nodes more efficiently and with more control than traditional IP forwarding (based on complete address information in each packet) for high-performance data flows.
Label assignment is critical in the prompt and accurate delivery of user data. However, the protocols for label distribution were not adequately secured. Thus, if an adversary compromises a node by intercepting and modifying, or more simply injecting, false labels into the packet-forwarding engine, the propagation of improperly labeled data flows could create instability in the entire network. In addition, some Virtual Private Network (VPN) solutions take advantage of this “virtual channel” configuration to eliminate the need for user data encryption to provide privacy. VPNs relying on MPLS require accurate label assignment to maintain user data protection.
A number of patents exist concerning MPLS networks. They do not address the need for monitoring the establishment of a label-switched path (LSP) through a global domain of label switched routers (LSRs) to allow the detection of adversarial or accidental alterations of the label-switched path during its set-up.
Casey et al. (U.S. Pat. No. 6,205,488) reports a virtual private network that enables private communications between two or more private networks over a shared MPLS network. The virtual private network disclosed includes multiple routers connected to the shared MPLS network and configured to dynamically distribute VPN information across the shared MPLS network. The VPN information distributed by a router includes a VPN identifier assigned to that router, which identifies a VPN with which that router is associated. The router includes a first table which stores a map of the label switched paths from the router in question to all other routers connected to the shared MPLS network. The router also includes a second table which stores a map of label switched paths from the router in question to all other routers connected to the shared MPLS network which share a common VPN identifier.
Schuster et al. (U.S. Pat. No. 6,363,053) reports a method and apparatus for measurement-based conformance testing of service level agreements in networks. The method includes first collecting quality of service information from network traffic over a plurality of network nodes. Then, the collected quality of service information is compared to a plurality of specified quality of service levels. A plurality of possible virtual quality of service pathways through a plurality of network nodes is provided, based on the compared quality of service information. One embodiment of the method includes the additional step of creating a virtual connection using the compared quality of service information. In another embodiment of the method, the step of collecting quality of service information from network traffic over a plurality of network nodes includes first transmitting test traffic from a source to a destination over a plurality of network nodes. The transmitted test traffic is then received at the destination, and quality of service information is identified by comparing characteristics of the test traffic transmitted by the source to characteristics of the test traffic received by the destination.
Armitage et al. (U.S. Pat. No. 6,374,303) reports an arrangement of label augmented, multi-protocol routing of data packets in a network utilizing fixed length labels that are negotiated between adjacent label routing routers in the network. Portions of each routing label may be assigned by both upstream and downstream routers in the network. Routing labels are used in lieu of conventional address headers to route data packets through said network; and by using routing labels the routers have more flexibility in routing data packets through said network and can use network links between routers that normally carry less traffic.
Stacey et al. (U.S. Pat. No. 6,765,921) reports a communications multi-service network arrangement for transporting information packets from a user station to a destination that comprises a label switched core network constituted by a plurality of abstract nodes interconnected by tunnels. Each abstract node comprises one or more real nodes. An access network provides user access to the core network. A route across the core network comprises a plurality of label switched path sections specified in terms of a sequence of abstract nodes, the route being identified by a label stack identifying a quality of service capable connection from the end station via the access network to the core network and across the core network to a destination.
Fleig et al. (U.S. Pat. No. 6,748,431) reports systems and methods for monitoring exchanges between a client and a server across a network. Implementation of the Fleig et al. invention takes place in association with a client and server that use standard Internet protocol to exchange requests and responses over a network. An extendable network monitor is employed to obtain a network monitor trace. Entire requests and responses are rebuilt. Chunked information is coalesced. Interleaved packets are collected. Bodies of data written in extensible markup language are reformatted by including white space and highlighting important data. Bodies of data written in hyper-text markup language are optionally removed from the requests and responses. As such, and in accordance with the present invention, the requests and responses exchanged by a client and a server across a network are made easily readable to a user, thereby allowing the user to read, interpret, and analyze the exchanges to ensure that the exchanges occurred correctly and as expected.
Hulyakar et al. (U.S. Pat. No. 6,751,196) reports a method and apparatus for assessing the quality of the communication paths among all stations in a network. This assessment is useful as a continual monitor of the quality of the network, and can be utilized to select an alternative central control station based upon the quality of communication paths to and from this station. Additionally, the quality assessment can be utilized to establish relay communication paths, as required.
The following is not an MPLS-based patent.
Lewis et al. (U.S. Pat. No. 6,026,442) reports how control of network surveillance in communications networks is accomplished by dividing the surveillance task into two sub-tasks. The first sub-task automatically identifies communications within the network which are to be monitored. Such identification is accomplished by the application of a reasoning system to data received from the network. The identification of the data to be monitored is received by the second sub-task along with network topology information. The second sub-task also applies a reasoning system to this data in order to configure probes and switches within the network so that the identified data can be captured.
The preceding do not enable a network administrator to detect and identify the location of an adversary who is tampering with the passage of data through a network in an attempt to degrade network performance or to obtain user data in an unauthorized manner. There is a pressing need for a tamper-detection method such as that implemented by this invention due to the range of adversarial threats to proper transfer of information through a network. The following is a list of some possible adversarial threats that are addressed by the tamper-detection method of this invention.
The network under consideration is owned and controlled by a single entity. The ingress and egress nodes are the nodes that are in physical communication with nodes in another network. The transit nodes can only communicate with other nodes within the network.
The adversary may have three goals for the manipulation of signaling messages.
a) The adversary wishes to obtain network messages because the data content has value to the adversary.
b) The adversary wishes to do traffic analysis.
c) The adversary wishes to degrade the capability of the network, for example, by harming the overall throughput.
Typically, the control channel is secured through some sort of link-by-link security feature. It is generally impractical to implement a link-by-link encryption scheme within a network domain. Such implementation entails providing a crypto key management function for every potential link traversed by a control message. This would increase unacceptably the complexity and processing overhead of each participating network node. An adversary may view and/or delete any control message, but any altered message will be discarded. As such, the adversary may sever physically or logically any control link in the network to which he can gain access. Further manipulation of the control messages by an adversary requires compromising one or more nodes. However, if one only monitors the two end nodes, it may not be possible to tell whether a disruption is generated at one end of a series of linked nodes, in the middle of the chain, or at the other end of the linked nodes.
A particular compromised node may not have the resources to process the desired data. It may need to forward the data to another compromised node or some other node outside the network so that it can be saved and/or processed there. This can be accomplished by forwarding a label-switched path request toward a more accessible location within the network, for example by changing the hop-by-hop assignment in the explicit route table within the LSP message unit, redirecting a flow through a compromised node or link that is accessible for monitoring. Such rerouting can also be accomplished by a compromised node forwarding the LSP unit request through a port that may be less desirable as a legitimate route selection, but which allows the flow to traverse part of the network that is less secure and more amenable to unauthorized monitoring.
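As an added illustration of detecting the rerouting described above (example code, not the patent's claimed method), a check run at the egress node that compares the explicit route requested by the ingress with the route actually recorded hop by hop during set-up; the first mismatch both flags the alteration and locates the node whose forwarding decision departed from the request. The `LspSetup` message representation and the node names are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LspSetup:
    """Simplified LSP set-up message (constructed abstraction, not a wire format).
    explicit_route: node ids requested by the ingress, ingress first, egress last.
    recorded_route: node ids appended by each node that processed the message."""
    lsp_id: str
    explicit_route: List[str]
    recorded_route: List[str]


@dataclass
class PathCheck:
    lsp_id: str
    tampered: bool
    divergence_index: Optional[int]   # position of the first hop that differs
    suspect_node: Optional[str]       # node that forwarded contrary to the request
    expected_hop: Optional[str]
    observed_hop: Optional[str]


def check_path(msg: LspSetup) -> PathCheck:
    """Walk the requested route against the recorded one. A missing, substituted
    or inserted hop is reported at its position; the node just before it is the
    last one that handled the request as specified, so it is where to look first."""
    exp, rec = msg.explicit_route, msg.recorded_route
    for i, expected in enumerate(exp):
        observed = rec[i] if i < len(rec) else None   # None: route truncated
        if observed != expected:
            suspect = exp[i - 1] if i > 0 else None    # ingress itself if i == 0
            return PathCheck(msg.lsp_id, True, i, suspect, expected, observed)
    if len(rec) > len(exp):
        # Hops recorded beyond the requested egress: path extended past the domain edge.
        return PathCheck(msg.lsp_id, True, len(exp), exp[-1], None, rec[len(exp)])
    return PathCheck(msg.lsp_id, False, None, None, None, None)


# Constructed samples: a request from ingress I1 to egress E1 via transit nodes T2, T3.
CLEAN = LspSetup("lsp-1", ["I1", "T2", "T3", "E1"], ["I1", "T2", "T3", "E1"])
# T2 forwarded the request through T9 (a less secure part of the network) instead of T3.
REROUTED = LspSetup("lsp-2", ["I1", "T2", "T3", "E1"], ["I1", "T2", "T9", "T3", "E1"])
# The request never reached T3: recorded route stops at T2.
TRUNCATED = LspSetup("lsp-3", ["I1", "T2", "T3", "E1"], ["I1", "T2"])

if __name__ == "__main__":
    for m in (CLEAN, REROUTED, TRUNCATED):
        print(check_path(m))
```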
As long as control-plane data remains unprotected, there may be an adversary motivated to manipulate the control-plane data in order to acquire user data. Any such manipulations are likely to degrade the overall throughput of the network, which in turn affects the bottom line of the network. It may seem that a good way to remove the temptation for an adversary to acquire user data would be to encrypt the control-plane data from ingress node to egress node. However, such encryption comes at a cost in overall network performance. This encryption must be administered link by link throughout the entire domain; an end-to-end VPN tunnel cannot be implemented because the control-plane data is changed as it is processed throughout its node-by-node traversed path from the ingress of the network to the egress. A network must weigh that cost against the expected degradation in performance associated with reroutes because an adversary desires data content.
An adversary that desires to harm the network by degrading its performance has many options. These options include physical attacks on the equipment, user-plane attacks, and control plane attacks.
Because the intent of MPLS is to efficiently switch datagrams through the network, cryptographic security means generally will not be applied to the switching information in the packet headers due to the great reduction in efficiency that would result. This means that an adversary with access to the control-plane channel would be able to modify the switching information to send packets down unauthorized LSPs. The adversary may modify information deeper in the packet that only the egress node would be able to detect, or information that only the end user would be able to detect. In any of these cases, the corrupt information may pass through the network before its corruption is detected. This corruption may initiate a resending of the information, thereby degrading the network's overall performance. The effects of such attacks are felt throughout the network as corrupt packets are forwarded through the network.
Since the switched packets are not authenticated en route, the adversary with channel access may generate locally valid looking packets to the full capacity of the channel. The falsely generated packets may progress through the network in a number of ways.
The preceding methods of network disruption have not required compromising a node. Furthermore, the denial-of-service (DoS) mechanisms described above are independent of the security features applied at the control-plane. For such types of attacks, a secure control plane will not be able to prevent all denial or degradation of service attacks. Therefore, it is especially important to understand the impacts on overall network performance that may result from the application of a particular security method to the control-plane.
If a node is compromised, the adversary will have the ability to accomplish any of the DoS attacks described thus far, but he will also have additional abilities. If an ingress node is compromised, it may generate traffic of any sort. It may flood the control plane of the entire network with bogus messages. It may reserve very high bandwidth, very high priority, and very explicit circuitous routes. On the more subtle side, a compromised ingress node may just bump up the bandwidth reservation requirements of all valid flows by a certain percentage. It may choose the worst paths that are still within tolerance. One compromised ingress node may completely shut down the entire network. Network degradation due to a compromised ingress node is generally independent of any additional control-plane security methods that may be applied. Ingress nodes should be independently hardened to the highest level to protect the network.
Compromised transit nodes within the network may cause serious problems. If the route set-up messages are not globally authenticated, a transit node may mimic an ingress node and generate very high bandwidth, very high priority, and very explicit circuitous routes. This will have as serious an effect on the network as when an ingress node generates the false requests. However, a control-plane security method such as use of the control plane tamper detection method of this invention can be applied to detect and stop this behavior.