Please use this identifier to cite or link to this item: http://hdl.handle.net/10773/1941
Title: A TCP-layer name service
Author: Freire, Sérgio Manuel Silva
Advisor: Zúquete, André
Keywords: Electronic engineering
Network protocols
Defense Date: 2008
Publisher: Universidade de Aveiro
Abstract: The Internet is today the largest worldwide network but, beyond that, it is also and essentially a means of providing access to knowledge and to a variety of services. Building on the IP routing protocol, it is possible to address and communicate with people, services, machines and assorted devices. A usual form of communication rests on the TCP protocol, which allows a bidirectional dialogue between local and/or remote services, with tolerance of and recovery from errors and packet loss. In TCP, a service is identified by the port number it is associated with, which has some less positive consequences. The most obvious is port scanning, followed by attempts to attack vulnerabilities in the services identified at, or associated with, those ports. This thesis intends to extend the concept of addressing a given service by associating it primarily with a name, that is, to give TCP a name resolution service of its own. The TCP connection establishment phase, based on the three-way handshake, can be substantially evolved to support resolution and authentication mechanisms. The solution found always keeps security as a present and essential aspect, so as to counter various types of attack. The suggested name resolution can be integrated with authentication/validation mechanisms through the use of domains of interpretation (DOI - domain of interpretation). DOIs provide a flexible way of adding more or less complex resolution and authentication mechanisms to the TCP connection establishment itself.
ABSTRACT: The Internet is the largest network deployed worldwide, but besides that it is also and essentially a way of accessing and distributing knowledge and a way to interact with services. By using the IP routing protocol it is possible to address and communicate with other persons, services, hosts or network-enabled devices. A usual way of establishing a dialogue between Internet endpoints is based on the TCP protocol, permitting a bidirectional, reliable and fault-tolerant data exchange. In TCP a service is identified by an associated port number, which by itself has some less positive consequences. The obvious one consists of guessing which services are available by finding out the open port numbers (port scanning) so that attacks on service vulnerabilities can take place. The purpose of this thesis is to extend the current concept used for addressing TCP services by associating them with names, or simply to provide TCP with in-band name resolution. The connection establishment phase, the three-way handshake, can be improved in order to support simple name resolution mechanisms or even complex authentication. Security aspects aimed at avoiding attacks were a major concern that is present in the foundations of the proposed architecture. The name resolution model can be integrated with several mechanisms for authentication/validation, implemented as logic defined within domains of interpretation (DOI). DOIs allow a flexible and extensible way of adding those mechanisms to the connection establishment procedures of TCP.
Description: Master's degree in Electronic Engineering and Telecommunications
URI: http://hdl.handle.net/10773/1941
Appears in Collections: UA - Master's dissertations
DETI - Master's dissertations

Files in This Item: 2009000397.pdf (2.08 MB, Adobe PDF)