Towards a DenialofService Resilient Design of Complex IPsec Overlays Michael Brinkmeier - PDF document

TowardsaDenial-of-ServiceResilientDesignofComplexIPsecOverlaysMichaelBrinkmeierandMichaelRossbergandGuenterSchaeferTechnischeUniversitätIlmenau[michael.brinkmeier,michael.rossberg,guenter.schaefer][at]tu-ilmenau.deAbstract—BymonitoringtheexchangedIPsectrafcanadversarycanusu-allyeasilydiscoverthelayoutofvirtualprivatenetworks(VPNs).OfevenworseextendisthedisclosureifcompromisedIPsecgatewaysareconsidered,forexampleinremoteenvironments.Thisrevelationenablesattackerstoidentifyvitalcomponentsandmayallowhimtocompromisetheavailabilityoftheoverallinfrastructurebylaunchingwell-targeteddenial-of-service(DoS)attacksagainstthem.InthisarticlewepresentaformalmodeltoanalyzetheresilienceofVPNinfrastructuresagainstDoSattacks,toestimatetheimpactofcompromisedgateways,andtoformalizetheplanningprocessofmoreresilientinfrastructures.IndexTerms—Denial-of-Service,Availability,VirtualPrivateNet-works,IPsec,Modeling.I.INTRODUCTIONFormanymajororganizationslargeIPsecinfrastructures[1],[2],[3]promiseamoresecureandyetcheaperpossibilityofcommunicationthanthepreviouslyusedleasedlines.TheseIPsecvirtualprivatenetworks(VPNs)(Fig.1)consistofthreebasictypesofcomponents:multipletrusted“red”networks(striped),oneormoreuntrustworthy“black”networks,suchastheInternet,andtwoormoreIPsecgatewaystoconnectthetrustedpartssecurelywithregardstodatacondentiality,dataintegrity,anddataauthentication.Thecomponentsmaybeconnectedtoformcomplextopologies,aseverysingleIPsecgatewaymayberesponsibleformultipleseparatetrustednetworksandmayhaveoneormoreuplinkstountrustworthynetworkparts.Trustednetworksmaybenested,forexampleallowinganadditionalprotectionofsensitivedepartments.However,theavailabilityandreliabilityoftheseVPNsdependontheinfrastructures'resistanceagainstdenial-of-service(DoS)attacks,implyingthatallvitalpartsoftheinfrastructuremustbeprotected.TheidentiedmajorthreatsareIPsecgatewaysthatareeithersituatedinanuntrustworthynetworkorthatarerelativelyuntrustworthythemselves.AnexampleisanIPsecgatewaythatisplacedinaforeigneldofceorwithinthenetworkofasubcontractor.Ontheonehand,anadversarymayobservetrafcexchangedbythosegatewaystoobtainknowledgeoftheidentities,i.e.theouterIPaddresses,ofmoreimportantpartsoftheVPN.Ontheotherhand,anadversarycouldperhapscompromiseaclientcomputerortheIPsecgatewayitself,e.g.,byphysicalactions,andstarttosendlegitimateIPsectrafctothevitalcoreoftheoverlay,causingaDoSinsideoftheVPN.AcommonprecautionagainstDoSattacksistheconclusionofaservicelevelagreement(SLA)withtheresponsible !"#"$%&'(&)*+,-. /012"&103#"(&)*+,-. 04*)-4)* $0'%#&)*+,-. !"#"$%&'(&)*+,-. 56!'750#"(&)*+,-. 56!'750#"(&)*+,-. /012"&103#"(&)*+,-. /012"&103#"(&)*+,-. /012"&103#"(&)*+,-. /858/9595:!:!9$9$8!8 56!'750#"/012"&103#"!"#"$%&'$0'%# !"#"$%&'(&)*+,-. !; Fig.1.AtopologyofthetransportnetworkinanIPsecinfrastructurescenarioInternetserviceprovider(ISP)[4],buttheapproachhasseveraldrawbacks:Itaddsbureaucraticoverheadandcosts.ItisinexibleastheinfrastructureiscommittedtothisISP,andamigrationtootherprovidersisnoteasilypossible.IthasaninsufcientcoverageastheISPmaynotoperateineverygeographicregionthatpartsoftheVPNarelocatedin,andevenwithSLAsDoSattacksmaybepossible,e.g.,bygeneratingforgedIPsecpacketsthatappeartocomefromalegitimategateway.Therefore,noupperboundfortheimpactofpossibleDoSattackscanbecalculated.Conventionalqualityofservice(QoS)systems[5],whichgiveguaranteesontheavailablenetworkcapacity,areneithersuitedforanimpactestimationofDoSattacksastheyrelyonacorrectrouterbehavior.Furthermore,astheyarehighlydynamic,complexsystemsdonotallowforastaticformalanalysis.Thus,itisverydifculttoverifytheavailabilityguaranteesinthepresenceofattackers.ForInternetenvironmentsdifferentreactiveDoScountermea-sureshavebeenproposed[6],[7],buttheydonotallowforaformalsecurityanalysisneither.Furthermore,somedependonthedynamicanalysisofowpropertiesforanomalydetection.ThisapproachisnotapplicableforVPNinfrastructuresastheowsmaybeencryptedandcovertrafcmaybeusedtopreventcovertchannelsattacks.Neitheroftheapproachesisabletogivestaticguarantees fortheimpactofDoSattacks,whichisarequirementforcriticalVPNinfrastructures.Therefore,astaticmodelisrequiredtoderiveaguaranteedupperboundfortheimpactofpotentialDoSattacks,toratetheDoSresilienceoflargeVPNinfrastructures,andtoplaninfrastructuresinaninherentDoS-resistantlayout.Hence,inthisarticlewecontribute:aformalmodeltostaticallyanalyzeandrateVPNinfras-tructuresbygivingupperboundsfortheimpactofDoSattacks,relevanceclassesforIPsecgatewaystoprotectatrustedcoreofaVPNagainstDoSattacks,andthederivationoftherequirementtoroutetrafcbetweenrelevanceclassesinmonotoneorder.Therestofthearticleisoutlinedasfollows:AfterintroducingobjectivesforamodeltomeasuretheDoSresilienceofVPNsinsectionII,arstbasicmodelispresentedinsectionIII.ThismodelisdevelopedinmoredetailwithregardstoexternalattackersinsectionIV,andwithregardstocompromisedVPNgatewaysinsectionV.Finally,wederiveguidelinestowardsamoreresilientVPNdesign(sectionVI)andgiveaconclusion.II.OBJECTIVESTheneedtoprotecttheavailabilityoftheIPsecinfrastructureleadstothefollowingsubgoals:TheresilienceoftheVPNstructureagainstDoSattacksshallbequantied.VPNcomponentsthatmaybeaffectedbyDoSattacksshallbeidentied.Thepartitions,theVPNcanbesplitinbyanadversarywithcertainquantiablecapabilities,shallbeidentied.VPNcomponentsthatlimittheeffectofDoSattacksshallbeidentied.VPNcomponentsshouldbeabletohavedifferentrel-evanceclassestotheVPNfunctionality(Somemaybemorevitalthanothers).Differentattackertypesmustbeconsidered.Thoseare:–Localobserversinuntrustworthypartsofthetrans-portnetwork–Compromiseddevicesintrustednetworks–CompromisedVPNgatewaysoflowerrelevancelev-elsIII.ABASICMODELTOESTIMATETHEIMPACTOFDOSATTACKSAcommonconceptforformaltrafcanalysisistheuseofownetworks[8],[9].ThecomputernetworkismodeledasadirectedgraphG(V;E)witheveryedge2Ehavingapositivemaximumcapacity.ForagivenVPNoverlaynetworksuchagraphcaneasilybegeneratedbyusinggatewaysasverticesandsecurityassociationsasedges.Forthesakeofsimplicty,weassumeV=fg1;:::;gng,i.e.thegatewaysarenumberedfrom1ton.Thecapacitycijofanedgee=(gi;gj)isthemaximumthroughputthatcanbetransmittedthroughtheunderlyingtransportnetworkforthisassociation.Thenthemaximumowfromagatewaystoanothergatewaytisanupperboundofthemaximumamountoftrafcthatthesourcegatewayscangeneratetowardsthetargetgatewayt[9],[10].Theactualamountoftrafcmaybelower,ifthetransportnetworkscapacityisreachedbeforethecapacityoftheoverlaynetwork.Toavoidamodelingofthistransportnetwork,weassumethatthecapacitiesoftheoverlayedgesaresettovaluesthatdonotleadtocongestioninthetransportnetwork.Thismodelassumesthatwithintheoverlayaperfectroutingispossible.I.e.amulti-pathroutingmechanismutilizesthemaximumnetworkcapacity.Theuseofcommonroutingprotocols,likeOpenShortestPathFirst(OSPF),intheVPNwillleadtolowernetworkutilizationasonlysinglepathscanbeusedtoforwardpacketsatatime.Itisimportanttonotethatthispropertymaynothold,ifadistancevectorprotocolisusedandroutingcyclesexistinthenetworkaspacketsmaythenusealinkmultipletimes.Consequently,allanalysesreferringtoaowmodelwillconsiderthestrongestpossibleattacker,sinceweconsiderthattheroutingmechanismsupportstheattack.Inadditiontotheassumption,thattheroutingisperfect,theowmodelmakesanotherimplicitassumption,whichhastobeconsideredcarefully.Ingeneral,aDoSattackerdoesnotmind,whethersomepacketsarelostduetocapacityrestrictions.Hence,itdoesnotlimititselftothemaximumow(oraroutingthatdoesnotleadtopacketlosses)andtriestooodthenetwork,instead.Duetothiscontradictionofrealityandmodel,thefragmentationclosetothesourceoftheattackcanbemuchhigherthanthemaximumowindicates.Forexamplewecanassume,thatalllinksleavingthesourcearejammedduringarealattack,butnotinthemaximumow.Nonetheless,amongallminimums-t-cutsexistsauniqueminimal1onecontainings.`Behind'thiscutatmostthetrafcpredictedbythemaximumowcanoccur.Asaconsequence,themaximumowdoesnotgiveinformationabouttheactualfragmentationthatoccurduringaDoSattack,butabout`barriers'–theminimumcuts–whichensure,thatthecausedtrafcbehindthemisboundedbythemaximumowvalue.Formoredetailsabouthowtheminimumcutscanberetrievedfromamaximumow,see[11].Nonetheless,thisquitesimplemodelalreadyallowsforabasicanalysisofDoSattacks,aslongastheattackerisboundtotheVPNconnections,i.e.anattackerthatcompromisedacomputerwithinatrustednetwork,generatingtrafctowardsothertrustednetworks.Forexampleitispossibletocalculateanupperboundofthetrafcthatacompromisedgatewayscangeneratebyoodingaspecictargetgatewaytwithmessages,bycomputingthemaximumowfromstot.IV.DOSPROTECTIONMEASURESAGAINSTEXTERNALATTACKERSHowever,inordertoestimatetheimpactofDoSattacksontheVPNinfrastructurethesimplemodelwillnotbesufcient1`Minimal'meaning,thatitdoesnotcontainanotheroneandthateveryminimums-t-cutcontainsit. ifexternalattackersareconsidered.AttackersthatareabletolearntheexternalIPaddressesofVPNgatewayswillnotobeythecapacitiesoftheoverlay.Instead,theymaylaunchclassicalDoSattacksagainstoneormoreidentiedgatewaysfromoutsideoftheVPN,e.g.byutilizingabotnet.Intheformalcontext,thiscanbeinterpretedastheremovalofcertainverticesfromanetwork,possiblyleadingtoafragmentationoftheVPNintomultiplepartitions.Ingraphtheoreticterms,thisproblemisthedetectionofvertexcuts.HenceanaturalmeasurefortheresilienceofaVPNagainstexternalDoSattacksisthe(local)vertexconnectivity(s;t),countingtheminimumnumberofverticesthathavetoberemovedinordertoseparatesfromt[12],[13].Forexample,inthenetworkinFig.2,wehave(R1;D1)=1,sincetheremovalofgatewayW3separatesR1fromD1.Similar,wehave(D1;W2)=2. !" !# $" $# %" %# %& '# '& '" '( )**+,-./0+12324-. Fig.2.Theownetworkforamulti-layeredVPNoverlaystructureInmanysystems,asinglegatewayhasmorethanoneinter-face,eachoneofthemprovidingaconnectiontodifferentothergatewaysoftheVPNusinganotherIPaddress.Ingeneral,aDoSattackcannotdestroythewholesystem,butonlyjamoneormoreinterfaces.Hence,amoredetailedmodeloftheVPNrequirestheintroductionofinterfacenodes.Onrstview,thiscanbedonebyreplacingeachgatewaybyastar,whosecentervertexisconnectedtoitsinterfacenodes.Thesecurityassociationsarethenedgesbetweenthetwocommunicatinginterfaces.Butatsecondthought,thismodelallowsadirectattackonthegatewayassuch,implyingafailureofallinterfacesatonce.Hence,anothermodelseemsmoreappropriate.Theinterfacesforeachgatewayaremodeledtoformacom-pletesubgraph,orclique,whoseedgeshaveinnitecapacity.Inthegraphmodeltheverticesaredenotedbygi;j,meaningthej-thinterfaceofgatewaygi.Furthermore,wehavetwotypesoflinks.Theintra-gatewaylinksconnectinterfacesofthesamegateway,i.e.theyareoftheform(gi;j;gi;j0),andtheyhaveinnitecapacity.Theinter-gatewaylinksconnectinterfacesofdifferentgateways,i.e.theyareoftheform(gi;j;gi0;j0)withi=i0,andhavethecapacityrestrictionc(gi;j;gi0;j0)oftheassociatedsecurityrestriction.Inaddition,thevertexgi;jhasthecapacityoftherespectivephysicalj-thinterfaceofthegatewaygi.AnexampleforthisconstructionisgivenforgatewayW2inFig.3. !" #$ #% !% !$ &" #" !"#!"#!"# Fig.3.ExampleofaownetworktoestimatetheimpactofexternalDoSattackersInordertoidentifythepartitionsanetworkissplitintobyaDoSattack,itissufcienttoremoveallinterfacesverticesthatanattackerwasabletoidentify.Thenallpartitionsarecalculatedefcientlybyndingallstronglyconnectedcomponentsinthegraph[14].Theobtainedresultcontainsallregionsofthenetworkthatarestillabletocommunicatebidirectionallyintheeventoftheprojectedattack.Ontheonehand,inlargeVPNinfrastructurestheapproachtocalculateeverypossiblesetofattackedgatewaysfailsforreasonsofcomplexityasanadministratormaynotbeabletosurveytheinuenceofeverypossiblesoneverypossibletargett.Therefore,areductionofthecomplexityisrequired,whichcanbereachedbygroupinggateways,and,evenmoreimportant,theintroductionofgroupsallowsforaformalanalysisofthepossibleinuenceofthesegroupsamongthemselves.Ontheotherhand,largeVPNscontainsystemsofdifferentrelevance,e.g.vitalcoresystemslikeacentralauthenticationdatabase,andtherearesystemswhichactsimplyasclients,notprovidingservices.Hence,itismoreimportant,toprotectthevitalcoreofthesystem,thantoensure,thateveryclientcanconnect.Onewaytoreachthisistheintroductionofzones,suchthatzonesofhighrelevanceare'protected`fromlessrelevantzones.Hence,followingtheconceptofsecuritylabels[15],anorderedsetofrelevancelevelsLcanbeused.Thus,everygatewaygisgivenarelevancelevelbyaclassicationfunctioncl(g)2L.AsanexamplethelevelsVITAL�RELEVANT�WORTHWHILE�DISPENSABLEareshowninFig.1.Usually,theserelevancelevelscanberepresentedbyasetofnaturalnumbers,orevenmoregeneralL=N.Therelevancelabelsshouldbechosentorepresenttheimpor-tanceofthegatewaysfortheVPN.Sinceinmostnetworks,vital,ormorerelevantparts,aremorethoroughlysecuredthandispensableparts,itislikelythattherelevancelabelscorrespondtothestrengthofintrusionpreventionmechanismsimplementedinthesystem.Asaconsequence,itismuchmorelikely,thatanattackertriestocompromisegatewaysoflowerrelevancelevelinordertoharmmoreimportantsystems.Therefore,weonlyconsiderDoSattacksfromlowerrelevance levelstohigherones.Oneimplicationoftheowmodeldescribedabove,isthecommunicationbetweendistinctrelevancelabelsshouldbelimited.If,forexample,aDISPENSABLEgatewaycandi-rectlycommunicatewithaVITALone,thedangerthattheIPaddressoftheVITALnodeisrevealedtolesssecuresystemsisquitehigh.Hence,werequirethatdirectcommunicationmayonlytakeplacebetweengatewaysinadjacentrelevancelevels,i.e.gatewaygmayonlycommunicatewithg0,ifjcl(g)cl(g0)j1.Thiswillcausetheoverlaynetworktoformamulti-layeredsetup,asshownforourexamplenetworkinFig.2.Themainconsequenceofthisrestrictionisthelimitedin-uenceofexternalobservers.E.g.,anobserverthatanalyzesalltrafcofaDISPENSABLEgatewaywillnotbeabletoidentifyVITALorRELEVANTgateways.HewillnotbeabletolaunchDoSattacksagainstthesemorerelevantpartsoftheVPNinfrastructure,therefore.Nonetheless,itmaystillbepossibleforanexternalattackertofragmenttheVPNintomultiplepartitionsbysaturatinglinkstoother,possiblymorerelevant,gateways.Inourex-amplenetwork(Fig.1)thegatewaysD2andW3couldbeattackedbyanexternaladversarythatcanobservetrafcfromD1,forexample.TheouterinterfacesofD2andW3wouldthenbejammed,andbothgatewayswouldonlybeabletocommunicateovertheirinternalinterfaces.There-fore,thegatewaysfD2;W1;W2;W3;R4gareseparatedfromtherest.Furthermore,thegatewayD1isseparatedfromallothergatewaysasitcannolongercommunicatewithD2andW3andadirectcommunicationtowardsR1andR2isprohibitedforsecurityreasons(otherwisetheattackerwouldbeabletoattackthose).ThethirdpartitioncontainsfR1;R2;R3;V1;V2g.Thus,thetopologyoftheexampleVPNcannotgiveavailabilityguaranteesasattackersthatareabletoobservetrafcofDISPENSABLEgatewayscanperformDoSattacksandseparateRELEVANTgateways.WesayaVPNisresilientagainexternalDoSattacks,ifanattackoninterfacesofgatewayswithcl(g)ldoesnotaffectthereachabilitybetweengatewaysoflevels�l,i.e.thesubgraphinducedbyallinterfacesofhigherrelevanceisnotpartitioned.Onewaytoachievethis,istorequireforeveryl2Lthatthesubgraphsinducedbyallinterfacesoflevellisstronglyconnected.Thentheremovalofinterfacesoflowerrelevance,doesnotaffectanyedgebetweeninterfacesofhigherrelevance.V.DOSPROTECTIONMEASURESAGAINSTCOMPROMISEDVPNCOMPONENTSThepreviousapproach,tohidetheexternallyroutableidentityofmorerelevantVPNcomponentsfromlessrelevantinternal,isnotapplicableforprotectingagainstinternalattackersasVPNgatewaysmustbeabletocommunicatewithothergatewaysofallrelevancelevels.Thisleadstotwopossibleattackscenarios:First,compromisedsystemsintrustednetworks,e.g.clientcomputers,areabletogeneratetrafctowardsothertrustednetworks.ThismeansattackersthatcontrolsuchacomputermaystartDoSattacksagainstpartsoftheVPN,theyhadpre-viouslynoaccessthroughthetransportnetworkto.However,theamountoftrafcgeneratedbyatrusteddeviceandsenttowardsanotherpartoftheVPNcanbearticiallylimitedbyeitherlteringpacketscompletelyorperformtrafcshapinginallintermediategateways.Second,oneormorecompromisedgatewaysareabletocreateavirtuallyunlimitedowofvalidIPsectrafctowardsdirectlyreachablegatewaysbyhandingthecurrentcryptographickeytoothersystemsthatareundercontroloftheattacker,i.e.byequippingabotnetwithinsiderknowledge(seeFig.4foranexample).Theseconnectionsmaybeusedtoinfusemorepacketsintothesystemthatdoseemtobeoriginatedfromoneofthecompromisedgateways.Thus,edgesfromanadversarymustbemodeledtohaveaninnitecapacity. ! "#$ "#$ $% '( '% $) Fig.4.DoSattackbyacompromisedgatewayfamplifyinghiscapacitywithanexternalbotnetThemaximalallocatablecapacitypertrafcowandgatewaycanthenbeinterpretedasatensorCwithfourindices(s;gi;j;gi0;j0;t)thatdescribehowmuchtrafcwillbeallowedtoowfromsourcestotargettifpassedfromgatewaygitogi0usingthej-thandthej0-thinterface,respectively.Thisapproachcanbemodelledformallybyamulticommodityownetworkwithcommoditywisecapacityrestrictions.Eachpair(s;t)ofgatewayscorrespondstoacommodity.Thesehavetoberoutedsimultaneouslythroughtheoverlaynetwork,resultinginamultiple,commoditywiseowfs;t(gi;j;gi0;j0)foreachedgee=(gi;j;gi0;j0).Ithastosatisfyseveralrestrictions:1)Foreverygatewaypairfs;tgandgi;j62fs;tg:Xi0=i;j0fs;t(gi0;j0;gi;j)=Xi0=i;jfs;t(gi;j;gi0;j0)2)Foreveryedgee=(gi;j;gi0;j0):Xfs;tgfs;t(gi;j;gi0;j0)c(gi;j;gi0;j0)3)Fore=(gi;j;gi0;j0)withi=i0andeverygatewaypairfs;tg:fs;t(gi;j;gi0;j0)C(s;gi;j;gi0;j0;t)Thetworstconditionsaretheusualconditionsformul-ticommodityows,ensuringthateverycommodityowis indeedaowandrestrictingthetotalowoveranedge.Thethirdconditionisanaddition,ensuring,thatthecapacityrestrictionforeachpairofgatewaysissatised.TheintegermulticommodityowproblemisknowntobeNP-complete,whiletherelaxedcontinuousversioncanbesolvedusinglinearprogramminginpolynomialtime[16],[17].Eventhoughrealworldapplicationsusuallywouldrequireintegersolutions,thecontinuousrelaxationprovidesanupperbound,leadingtomoreconservativeestimationsabouttheDoSresilience.Inthefollowing,wegiveassertionsonC,howtheycorrespondtodifferentpropertiesofDoSresistance,anddiscussimpli-cationsonoverlaynetworkmanagement.First,theroutingprotocolmaybemodiedtobetterprotecttheVPNcore.InasecondsteptheVPNgatewaysmayusetrafcshapingtoarticiallylimitthecapacityforeachowthroughtheoverlay.A.Relevance-awareRoutingIncasetheroutingprotocoloftheoverlayallowstheusageofarbitrarypaths,packetsowingbetweenanattackinggatewaytoanyothergatewaymayjamlinksofgatewaysthataremorerelevantthanbothcommunicationendpoints(liketheconnectionbetweenD1andD2inFig.5).Furthermore,packetsmayberoutedbackandforthbetweenrelevancelevels(thedashedconnectionbetweenD2andV2).Thisbehaviorisundesired,asstructuresofhigherrelevancedependonthoseoflessrelevanceandsuchtrafcmayallowanadversarytoattackVPNstructuresofhigherrelevancelevelsmoreeasily. !" #" $%%&'()*+&,-.-/() 01 23 #1 21 2" 0" Fig.5.MonotoneowsinarelevanceawarenetworkAsacountermeasureallintermediateVPNgatewaysgien-forcethattheclassicationofnextgatewaygi0intheroutingpathismonotonewithrespecttotherelevancelevels,i.e.C(s;gi;j;gi0;j0;t)�0bits s)cl(s)cl(gi)cl(gi0)cl(t)_cl(s)cl(gi)cl(gi0)cl(t)Consequently,apacketcanonlyberoutedthroughlevelsofrelevancebetweenthatofthesourceandthetarget.Further-more,aborderbetweentwoneighboringrelevancelevelscanbecrossedonlyonce,makingthesaturationofthisborder–andaresultingfragmentationofthenetwork–hardtoachieve.ThisratherstrongrequirementensuresthatcompromisedIPsecgatewayswillnotbeabletocongestanylinkabovetheleveloftheirhighestroutablecommunicationpartnerunderanycircumstances.Inmostscenariosanadditionalmorene-grainedcontrolisrequired.B.AnalyzingtheEffectsofTrafcShapingIfthetrafcisshapedbyC,asdescribedabove,theimpactthatanadversaryscancreatebysendingarbitrarytrafctoatargettwillbeboundedusingthepreviouslydescribedmulticommodityowmodel.Moreprecisely,wehavetocon-siderthedirectedgraphGs;twithcapacitiescs;t(gi;j;gi0;j0)=C(s;gi;j;gi0;j0;t).Asalreadymentionedbefore,alledgesfromstowardsdirectlyconnectedgatewayshavetobemodeledwithinnitecapacitysincetheattackermayuseabotnettoinfuseadditionaltrafcintothesystem.Amaximumowfinthisnetworkthenprovidesanupperboundofthemaximumtrafcroutablefromstot.FromtheresidualnetworkofGs;tunderthisow,onecandeduceinformationaboutcriticalpartsoftheinfrastructure,limitingthecommunicationfromstot.Firstofall,onecandecide,whetherthetargetgatewaytmaybeseparatedfromtheremainingnetwork,bycheckingwetherallofitsincominglinksaresaturated.Secondly,allminimums-t-cutscanbereconstructedfromtheresidualnetworkofGs;tunderf,leadingtoinformationaboutthepossiblefragmentationofthenetwork[11].Thisallowstoidentifysecurityassociationsandinterfaces,whosecapacityiscompletelyusedbyeverymaximumowfromstot.Forexample,asaturatedinterfacevertexshowsthatthephysicalconstraintsofagatewaylimittheimpactofaDoSattack,whileasaturatedsecurityassoci-ationiscausedbythetrafcshaping.Theidentiedgatewayscanthenbefurtherprotectedorthecapacitiesoftheidentiededgescanbeadaptedforafurtherlimitationorrelaxationoftheallowedow.Formoreadvancedattackscenarios,inwhichmanycompro-misedgatewayss1;:::;slattackmanytargetst1;:::;tk,thesituationbecomesmorecomplexaswehavetoconsidermorethanonecommodity,namelythoseofthetype(si;tj).Butsinceweonlyuseupperboundsforthepossibletrafc,wemayevensimplifyfurther,leadingtoastandardowproblemagain.Insteadofassigningacapacityforeachcommoditytoeachedge(andoneglobalcapacity),wemaysimplythinkofthemasonecommodity,forwhichtheowontheedge(gi;j;gi0;j0)isboundedbyitsphysicalcapacityc(gi;j;gi0;j0)andthetotalsumofallsecurityassociations,leadingtomin8:c(gi;j;gi0;j0);X(sx;ty)C(sx;gi;j;gi0;j0;ty)9=;:Inadditionanarticalsourcesandanarticialsinkthavetobeadded,suchthatsisconnectedtoeachsxbyaninnitycapacityedge,whileeverytyisconnectedtotbysuchanedge.Thenamaximums-t-owisanupperboundforthetrafcthatcanbegeneratedbythecompromisedgatewayssxtowardsthegatewaysty. VI.GUIDELINESFromthemodelandtheaboveconsiderations,wecandeducesomeguidelines,howaDoSresilientVPNshouldbedesigned.Oneshouldintroduceatotallyorderedsequenceofrel-evancelevelsLandensure,thatgatewayscommunicateonlywithgatewaysinadjacentlevels.Thisfeatureen-suresthattheobservationbyanexternalattackeronlyrevealsgatewaysofthenexthigherlevel,limitingitsinuenceonthemorerelevantcore.ThetrafcinsidetheVPNshouldberoutedfromstotsothatmonotonein-ordecreasingrelevancelev-elsareensuredandthatitcanbeguaranteedthatthecommunicationbetweenhighrelevancegatewaysdoesnotdependonlesssecuregateways.Furthermore,themonotonyoftheroutingensuresthataDoSattackonlypassesbordersbetweenlevelsinonedirection,reducingthecausedseparationofthelevels.Thehigherrelevancelevelsshouldbedesignedtobestronglyconnected,independentofthelowerlevels.Thisensuresthatthecorenetworkstillprovidesservice,ifattackedfromouterlevels.Thetrafcshapingshouldbedeployed,ensuringthatbottlenecks,i.e.minimumcutstohigherlevels,aremovedascloseaspossibletotheouterlevels.Thismightberealizedbymakingthelevelborderstominimumcutsbetweenverticesoflowerrelevanceandthoseofhigherrelevance,guaranteeingthataDoSattackfromlowerlevelsisblockedtoacertaindegreebytheborderlevel.Additionally,thecapacitycrossinghigherbordersshouldbegreaterthanthatcrossinglowerborders.Inthisway,itcanbeguaranteed,gatewaysofhigherlevelscancommunicatewitheachotherevenduringaDoSattack.Generally,gatewaysofthesamelevelshouldbeashighlyconnectedaspossible.Thisincludesvertex-aswellasedge-connectivity.VII.CONCLUSIONWithinthisarticleanovelapproachforthemodelingofcomplexIPsecVPNshasbeenpresented,allowingforaformalanalysisoftheinfrastructureswithregardstoavailabilitythreads.Theintroducedrelevancelevelssupportadministratorsinplanningandoperatinglargenetworks,automatingpossiblyerror-pronemanualtasks.ThederivedguidelinesaresimpletofollowrulesthatrestricttheeffectofDoSattackseffectively.Inthefuture,weplantousetheproposedmodelasabasisforfurtherDoSimpactestimations,andresearchonsuitableapproximationsschemesfortheparticularlyoccurringmulti-commodityows.Furthermore,agraphicaleditorcaneasetheunderstandingandtheplanningofcapacitytensorsforIPsecinfrastructuresandautomaticallyestimatetheimpactofdeci-sions.Fromatheoreticalpointofview,theextensiontowardsmulticastscenariosseemsaninterestingaspect,requiringtoextendthegraphmodeltoahypergraphmodel.Finally,itispossibletoreversetherelevancemodeltoestimatehowmuchdatamayowoutoftrustedpartofthenetworkintoalesstrustedone,andthereforequantifythedataleaksthatarecreatedbyacompromise.REFERENCES[1]V.Bollapragada,M.Khalid,andS.Wainner,IPSecVPNDesign.CiscoPress,2005.[2]CiscoSystems,Inc.,“DynamicMultipointVPN(DMVPN),”2006.[3]CiscoSystems,Inc.,“CiscoGroupEncryptedTransportVPN,”2007.[4]R.Ramanujan,M.Kaddoura,J.Wu,C.Sanders,andK.Millikin,“VP-Nshield:protectingVPNservicesfromdenial-of-service(DoS)attacks,”inDARPAInformationSurvivabilityConferenceandExposition,2003.Proceedings,vol.2,2003,pp.138–139.[5]M.Menth,S.Kopf,J.Charzinski,andK.Schrodi,“ResilientNetworkAdmissionControl,”ComputerNetworks,2008.[6]Y.XuandR.Guerin,“ADoubleHorizonDefenseDesignforRobustRegulationofMaliciousTrafc,”inSecurecomm,2006,pp.1–11.[7]M.WaldvogelandT.Köck,“Light-weightEnd-to-EndQoSasDoSPrevention,”in32ndIEEEConferenceonLocalComputerNetworks,2007.LCN2007.,2007,pp.246–248.[8]J.Kong,M.Mirza,J.Shu,C.Yoedhana,M.Gerla,andS.Lu,“RandomownetworkmodelingandsimulationsforDDoSattackmitigation,”inIEEEInternationalConferenceonCommunications,2003,pp.487–491.[9]R.K.Ahuja,T.L.Magnanti,andJ.B.Orlin,NetworkFlows.PrenticeHall,1993.[10]L.R.FordandD.R.Fulkerson,“Maximalowthroughanetwork,”CanadianJournalofMathematics,vol.8,pp.399–404,1956.[11]J.-C.PicardandM.Queyranne,“OnTheStructureofAllMinimumCutsinaNetworkandApplications,”MathematicalProgrammingStrudy,vol.13,pp.8–16,1980.[12]R.Diestel,Graphentheorie(GraphTheory).Berlin,Heidelberg,NewYork:Springer,2000,2.Auage.[13]M.R.Henzinger,S.Rao,andH.N.Gabow,“ComputingVertexConnectivity:NewBoundsfromOldTechniques,”inFOCS,1996,pp.462–471.[14]R.E.Tarjan,“Depth-FirstSearchandLinearGraphAlgorithms.”SIAMJ.Comput.,vol.1,no.2,pp.146–160,1972.[15]E.G.Amoroso,FundamentalsofComputerSecurityTechnology.Prentice-Hall,Inc.,1994.[16]S.Even,A.Itai,andA.Shamir,“OntheComplexityofTimetableandMulticommodityFlowProblems,”SIAMJ.Comput.,vol.5,no.4,pp.691–703,1976.[17]L.Fleischer,“ApproximatingFractionalMulticommodityFlowIndepen-dentoftheNumberofCommodities,”SIAMJ.DiscreteMath.,vol.13,no.4,pp.505–520,2000.