A foundation for tunnel-complex protocols

Quantified Score

Visualization

Abstract

Tunnel-complex protocols construct different tunnel topologies by directing tunnel-establishment protocols to set up pair-wise tunnels between different nodes, where the resulting tunnel complex satisfies some security requirement such as negotiating a defense in depth. Such protocols ease the burden on network managers deploying innovative solutions involving tunnel complexes to secure communication and protect networks. Tunnel-complex protocols exhibit subtleties relating to functional correctness and Denial of Service (DoS) that can benefit from formal analysis. We introduce a formalism called the tunnel calculus, which provides an operational semantics for a protocol stack incorporating the structures that maintain tunnel state as well the packet header transformations carried out by security tunnels. All subsequent analysis is based on this formalism. The tunnel calculus is applied to analyzing functional properties of both tunnel-establishment protocols and tunnel-complex protocols. The formalism is used to exhibit a situation where establishment protocol execution interacts with the state being installed so as to cause a deadlock. Non-interference and progress properties are formulated and proved in our framework showing the absence of this deadlock in a revised protocol. The utility of the tunnel calculus is illustrated in a number of case studies of discovery protocols that discover security gateways and set up tunnels to negotiate their traversal. For each protocol, we prove a functional completeness property that characterizes how the protocol delivers credentials to gateways as part of the negotiation process. We consider the the effectiveness of specific DoS protections for discovery protocols using a cost model for the tunnel calculus. In addition, we formulate and prove a theorem that says a particular class of attackers cannot induce the DoS-resistant protocol to perform high-cost activities.