Post on 12-Jan-2016
11.09.2012 1
Lecture 2 - Internet evolution (part 2)
D.Sc. Arto Karila
Helsinki Institute for Information Technology (HIIT)
arto.karila@hiit.fi
T-110.6120 – Special Course in Future Internet Technologies
M.Sc. Mark Ain
Helsinki Institute for Information Technology (HIIT)
mark.ain@hiit.fi
Evolutionary approaches
Architectural
1. DNS (~1982)
2. EGP (precursor to BGP, ~1982)
3. TCP congestion control (mid-late 1980's)
4. CIDR (~1993)
5. NAT (early 1990's)
6. IPv6 (first RFC 1995; RFC 2460 in 1998, which was a Draft Standard, not yet a full Internet Standard)
7. IPSEC (1995)
8. Mobile IP (~1996)
9. MPLS (~1996)
10. DiffServ / IntServ (~1998)
11. HIP (~1999, first RFC 2006)
12. BGPSec (mid 2000s)
13. DNSSec (~2004, first deployed at root level ~2010)
Network Address Translation (NAT) – 4 types
Problem: address space exhaustion
[Figures: the four NAT types, one per slide]
NAT is ugly, breaks E2E… but it works.
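The slides name four NAT types but the figures did not survive extraction. The following is an added example, not part of the lecture, that simulates the four behaviours in the RFC 3489 vocabulary (full cone, restricted cone, port-restricted cone, symmetric) in memory, to make the "breaks E2E" point concrete: an outside host cannot reach an inside host until the inside host has sent something, and what is then allowed back in depends on the NAT type. All addresses and ports are constructed; the `Nat` class and `probe` function are this example's own names.

```python
"""The four classic NAT behaviours (RFC 3489 terminology: full cone, restricted
cone, port-restricted cone, symmetric) simulated in memory, to show why a host
behind a NAT cannot be reached until it has sent something (the E2E break).
Added example, not from the lecture; all addresses and ports are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Addr = Tuple[str, int]  # (ip, port)


@dataclass
class Nat:
    kind: str                      # "full_cone" | "restricted_cone" | "port_restricted_cone" | "symmetric"
    public_ip: str
    next_port: int = 40000
    # mapping key -> (inside endpoint, allocated public port)
    mappings: Dict[tuple, Tuple[Addr, int]] = field(default_factory=dict)
    # public port -> outside endpoints the inside host has already sent to
    contacted: Dict[int, Set[Addr]] = field(default_factory=dict)

    def outbound(self, inside: Addr, outside: Addr) -> Addr:
        """Inside host sends to outside; returns the (public ip, port) the outside sees."""
        # Symmetric NAT allocates a new mapping per destination; cone NATs reuse one per inside endpoint.
        key = (inside, outside) if self.kind == "symmetric" else (inside,)
        if key not in self.mappings:
            self.mappings[key] = (inside, self.next_port)
            self.contacted[self.next_port] = set()
            self.next_port += 1
        _, pub_port = self.mappings[key]
        self.contacted[pub_port].add(outside)
        return (self.public_ip, pub_port)

    def inbound(self, src: Addr, pub_port: int) -> Optional[Addr]:
        """Outside host sends to a public port; returns the inside endpoint, or None if the NAT drops it."""
        owners = [m for m in self.mappings.values() if m[1] == pub_port]
        if not owners:
            return None                      # no mapping yet: unsolicited inbound is dropped
        inside, _ = owners[0]
        seen = self.contacted[pub_port]
        if self.kind == "full_cone":
            return inside                    # anyone may use the mapping once it exists
        if self.kind == "restricted_cone":
            return inside if any(ip == src[0] for ip, _ in seen) else None
        return inside if src in seen else None   # port-restricted cone and symmetric: exact (ip, port) match


def probe(kind: str) -> Dict[str, bool]:
    """Exercise one NAT type with constructed endpoints and report what gets through."""
    nat = Nat(kind, "198.51.100.1")
    inside = ("10.0.0.5", 5555)
    a, b = ("203.0.113.10", 80), ("203.0.113.20", 443)
    pub_a = nat.outbound(inside, a)
    pub_b = nat.outbound(inside, b)
    return {
        "same_public_port_for_a_and_b": pub_a == pub_b,
        "reply_from_a": nat.inbound(a, pub_a[1]) == inside,
        "from_a_other_port": nat.inbound((a[0], 8080), pub_a[1]) == inside,
        "unsolicited_third_party": nat.inbound(("192.0.2.99", 1234), pub_a[1]) == inside,
    }


if __name__ == "__main__":
    for kind in ("full_cone", "restricted_cone", "port_restricted_cone", "symmetric"):
        print(kind, probe(kind))
```

Running it shows the gradient: a full cone lets any third party use the mapping, a symmetric NAT gives each destination its own public port (which is what defeats simple hole punching), and none of them deliver an inbound packet before the inside host has created the mapping.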
IPv6
Problem: address space exhaustion
IPv6 was born in 1995 after long work
There are over 30 IPv6-related RFCs
The claimed improvements in IPv6 are:
- Large 128-bit address space
- Stateless address auto-configuration
- Multicast support
- Mandatory network layer security (IPSEC); note that IPsec support was later relaxed from MUST to SHOULD in the IPv6 node requirements (RFC 6434, 2011)
- Simplified header processing by routers
- Efficient mobility (no triangular routing)
- Extensibility (extension headers)
- Jumbo packets (up to 4 GB)

IPv6
- Major operating systems and many ISPs support IPv6
- The use of IPv6 is slowly increasing in Europe and North America but more rapidly in Asia
- In China, CERNET 2 runs IPv6, interconnecting 25 points of presence in 20 cities with 2.5 and 10 Gbps links
- IPv6 really only solves the exhaustion of the Internet address space

IPv6
[Figure: IPv6 deployment, planned vs. actual]
IPSec
Problem: security
IPSec is the IP-layer security solution of the Internet, to be used with both IPv4 and IPv6
Authentication Header (AH) only protects the integrity (and origin) of an IP packet; it provides no confidentiality
Encapsulating Security Payload (ESP) also ensures confidentiality of the data
IPSec works within a Security Association (SA) set up between two IP addresses
ISAKMP (Internet Security Association and Key Management Protocol) is a very complicated framework for SA management
Encapsulating Security Payload (IPv4)
Packet layout, outer to inner:
  Original IPv4 Header
  ESP Header: Security Parameter Index (SPI), Sequence Number
  ESP Payload: UDP/TCP Header, Data
  ESP Trailer: Padding, Pad Len, Next Hdr
  Authentication Data
Coverage of confidentiality: ESP Payload and ESP Trailer
Coverage of authentication: ESP Header, ESP Payload and ESP Trailer (the Original IPv4 Header is not covered)

Encapsulating Security Payload (IPv6)
Packet layout, outer to inner:
  Original IPv6 Header
  Hop-by-Hop Extensions
  ESP Header: Security Parameter Index (SPI), Sequence Number
  End-to-End Extensions
  ESP Payload: UDP/TCP Header, Data
  ESP Trailer: Padding (with Pad Len and Next Hdr)
  Authentication Data
Coverage of confidentiality: End-to-End Extensions, ESP Payload and ESP Trailer
Coverage of authentication: ESP Header through ESP Trailer (the Original IPv6 Header and Hop-by-Hop Extensions are not covered)
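The two layouts above can be exercised in code. The following added example (not code from the lecture) builds and parses an ESP packet with the RFC 4303 field order: SPI and sequence number in the clear, payload plus trailer (padding, Pad Len, Next Header) encrypted, and an ICV over everything from the SPI to the end of the trailer. It also implements the anti-replay window that the sequence number exists for. The cipher is a constructed HMAC-based keystream standing in for a real ESP transform such as AES-GCM, and the keys and payload are constructed test values; `esp_encapsulate`, `esp_decapsulate` and `ReplayWindow` are this example's own names.

```python
"""ESP (RFC 4303) packet layout exercised in code: SPI, sequence number, encrypted
payload + trailer, ICV, plus a minimal anti-replay window. Added example, not from
the lecture. The cipher is a constructed HMAC-based keystream standing in for a real
ESP transform; keys and payload are constructed test values."""
import hashlib
import hmac
import struct

ICV_LEN = 16  # truncated HMAC-SHA256 ICV, as in AUTH_HMAC_SHA2_256_128


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256 over (sequence number, counter). Not a real cipher."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, struct.pack(">QI", seq, ctr), hashlib.sha256).digest()
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(enc_key, auth_key, spi: int, seq: int, next_hdr: int, payload: bytes) -> bytes:
    # Trailer: pad so that payload + padding + Pad Len + Next Header is a multiple of 4.
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    plaintext = payload + trailer
    # Coverage of confidentiality: payload and trailer.
    ciphertext = _xor(plaintext, _keystream(enc_key, seq, len(plaintext)))
    header = struct.pack(">II", spi, seq)
    # Coverage of authentication: ESP header + encrypted payload/trailer; the outer IP header is not covered.
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


class ReplayWindow:
    """Sliding window over sequence numbers (RFC 4303 section 3.4.3): bit 0 is the highest seen."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                         # sequence number 0 is never valid
        if seq > self.top:                       # advance the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                         # too old, or already received
        self.bitmap |= 1 << diff
        return True


def esp_decapsulate(enc_key, auth_key, packet: bytes, window: ReplayWindow):
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("short packet")
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack(">II", header)
    # Verify integrity before touching the window or decrypting.
    expect = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("bad ICV")
    if not window.check_and_update(seq):
        raise ValueError("replayed or stale sequence number")
    plaintext = _xor(body, _keystream(enc_key, seq, len(body)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    return spi, next_hdr, plaintext[:len(plaintext) - 2 - pad_len]


def esp_roundtrip_demo():
    enc_key, auth_key = b"K" * 32, b"A" * 32     # constructed keys
    win = ReplayWindow()
    pkt = esp_encapsulate(enc_key, auth_key, 0x1000, 1, 6, b"GET / HTTP/1.0\r\n")
    results = {"decap": esp_decapsulate(enc_key, auth_key, pkt, win)}
    try:                                         # same packet again: rejected by the window
        esp_decapsulate(enc_key, auth_key, pkt, win)
        results["replay"] = "accepted"
    except ValueError as e:
        results["replay"] = str(e)
    tampered = pkt[:12] + bytes([pkt[12] ^ 1]) + pkt[13:]   # flip one ciphertext bit
    try:
        esp_decapsulate(enc_key, auth_key, tampered, win)
        results["tamper"] = "accepted"
    except ValueError as e:
        results["tamper"] = str(e)
    return results
```

Two details matter in practice and are visible here: the ICV is checked before the replay window is updated, so a forged packet cannot advance the window, and the outer IP header is outside the ICV, which is exactly why ESP in transport mode survives NAT while AH does not.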
Mobile IPv4
Problem: mobility
Basic concepts:
- Mobile Node (MN)
- Correspondent Node (CN)
- Home Agent (HA)
- Foreign Agent (FA)
- Care-of-Address (CoA)
The following can be problematic:
- Firewalls and ingress filtering
- Triangular routing

Mobility Example: Mobile IP Triangular Routing
[Figure: Home Agent, Correspondent Host, Foreign Agent and Mobile Host with its Care-of-Address (CoA); packets from the CH go via the HA to the FA/MH, replies go directly from the MH to the CH; marked DELAY!]
Ingress filtering causes problems for Mobile IPv4 (home address used as source address); Mobile IPv6 uses the CoA as source, so this is not a problem there.
Solutions: reverse tunnelling or route optimization.
The foreign agent is left out of MIPv6: no special support is needed with IPv6 autoconfiguration.
Source: Professor Sasu Tarkoma
Ingress Filtering
[Figure: Home Agent, Correspondent Host, Mobile Host]
A packet from the mobile host is deemed "topologically incorrect" (as in source address spoofing)
With ingress filtering, routers drop packets whose source addresses are not consistent with the observed source of the packet
Source: Professor Sasu Tarkoma
Reverse Tunnelling
[Figure: Home Agent, Correspondent Host, Router, Mobile Host with Care-of-Address (CoA); traffic in both directions is tunnelled via the HA; marked DELAY!]
Firewalls and ingress filtering are no longer a problem
Two-way tunnelling leads to overhead and increased congestion
Source: Professor Sasu Tarkoma
Mobile IPv6 Route Optimization
[Figure: Home Agent, Correspondent Host, Router, Mobile Host; secure tunnel (ESP) between MH and HA]
The MH sends a binding update (BU) to the CH when it receives a tunnelled packet.
The CH then sends packets directly, using a routing header.
First, a Return Routability test with the CH: the CH sends home test and care-of test packets. When the MH receives both, it derives the key Kbm from the two tokens and sends the BU authenticated with Kbm.
Source: Professor Sasu Tarkoma
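The return routability exchange is compact enough to run end to end. The following is an added example, not code from the lecture, that simulates RFC 6275 section 5.2 in memory: the CN derives a home keygen token and a care-of keygen token from its secret Kcn and a nonce, the MN hashes the two tokens into Kbm and authenticates the BU with it, and the CN recomputes Kbm from the nonce indices carried in the BU, so it keeps no per-MN state until a valid BU arrives. Addresses, Kcn, nonces and the BU contents are constructed; `CorrespondentNode` and `mobile_node_bu_auth` are this example's own names.

```python
"""Mobile IPv6 Return Routability (RFC 6275, section 5.2) simulated in memory:
the correspondent node (CN) derives a home keygen token and a care-of keygen token
from its secret Kcn, the mobile node (MN) hashes both into Kbm and uses Kbm to
authenticate its Binding Update (BU); the CN recomputes Kbm from nonce indices, so it
keeps no per-MN state before the BU arrives. Added example, not from the lecture;
addresses, Kcn, nonces and the BU contents are constructed."""
import hashlib
import hmac
import ipaddress
import os


def _hmac_sha1(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def _packed(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed


class CorrespondentNode:
    def __init__(self, address: str):
        self.address = address
        self.kcn = os.urandom(20)            # node-local secret, never sent
        self.nonces = {0: os.urandom(8)}     # nonce index -> nonce (rotated periodically in practice)
        self.bindings = {}                   # home address -> care-of address

    def _home_token(self, hoa: str, idx: int) -> bytes:
        # home keygen token = First(64, HMAC_SHA1(Kcn, home address | nonce | 0))
        return _hmac_sha1(self.kcn, _packed(hoa) + self.nonces[idx] + b"\x00")[:8]

    def _careof_token(self, coa: str, idx: int) -> bytes:
        # care-of keygen token = First(64, HMAC_SHA1(Kcn, care-of address | nonce | 1))
        return _hmac_sha1(self.kcn, _packed(coa) + self.nonces[idx] + b"\x01")[:8]

    def home_test(self, hoa: str):
        """HoT: answered to the home address, so it reaches the MN through the HA tunnel."""
        return 0, self._home_token(hoa, 0)

    def careof_test(self, coa: str):
        """CoT: answered directly to the care-of address."""
        return 0, self._careof_token(coa, 0)

    def binding_update(self, hoa, coa, home_idx, careof_idx, mh_data: bytes, auth: bytes) -> bool:
        kbm = hashlib.sha1(self._home_token(hoa, home_idx) + self._careof_token(coa, careof_idx)).digest()
        # Binding Authorization Data = First(96, HMAC_SHA1(Kbm, care-of address | CN address | MH data))
        expect = _hmac_sha1(kbm, _packed(coa) + _packed(self.address) + mh_data)[:12]
        if not hmac.compare_digest(expect, auth):
            return False
        self.bindings[hoa] = coa
        return True


def mobile_node_bu_auth(cn_address, coa, home_token, careof_token, mh_data: bytes) -> bytes:
    """What the MN computes once it holds both tokens: Kbm, then the BU authenticator."""
    kbm = hashlib.sha1(home_token + careof_token).digest()
    return _hmac_sha1(kbm, _packed(coa) + _packed(cn_address) + mh_data)[:12]


def rr_demo():
    cn = CorrespondentNode("2001:db8:c::1")
    hoa, coa = "2001:db8:1::5", "2001:db8:2::5"
    mh_data = b"\x05seq=1"                 # constructed stand-in for the BU mobility header data
    hidx, ht = cn.home_test(hoa)           # HoTI/HoT travel through the home agent
    cidx, ct = cn.careof_test(coa)         # CoTI/CoT travel directly to the care-of address
    genuine = cn.binding_update(hoa, coa, hidx, cidx, mh_data,
                                mobile_node_bu_auth(cn.address, coa, ht, ct, mh_data))
    # An attacker on the care-of path can obtain a care-of token for its own address,
    # but never sees the home token that travels via the HA, so it has to guess it.
    attacker = "2001:db8:bad::1"
    aidx, at = cn.careof_test(attacker)
    forged = cn.binding_update(hoa, attacker, hidx, aidx, mh_data,
                               mobile_node_bu_auth(cn.address, attacker, os.urandom(8), at, mh_data))
    return {"genuine_accepted": genuine, "forged_accepted": forged, "bindings": dict(cn.bindings)}
```

The design limit is visible in the demo: return routability only proves that the MN can receive on both paths, so an attacker positioned on both the HA path and the care-of path can still redirect a flow. That is why the MN to HA leg in the figure is an ESP-protected tunnel, and why Kbm is used only for a short-lived binding rather than as a session key.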
Differences between MIPv6 and MIPv4
- In MIPv6 no FA is needed (no infrastructure change)
- Address auto-configuration helps in acquiring the CoA
- The MH uses the CoA as the source address in the foreign link, so there are no problems with ingress filtering
- Option headers and neighbor discovery of the IPv6 protocol are used to perform mobility functions
- 128-bit IP addresses help deployment of mobile IP in large environments
- Route optimization is supported by header options
Source: Professor Sasu Tarkoma
Extension Headers
[Figure: IPv6 packet with the Mobility Header (MH) placed before the upper layer headers and data; MH messages flow CN to MN, MN to CN, and among MN, HA and CN for binding management]
MH Type in Mobility Header: Binding Update, Binding Ack, Binding Error, Binding Refresh Request
Source: Chittaranjan Hota, Computer Networks II lecture 22.10.2007
(G)MPLS
Problems: scalable transport, QoS, resource usage, business incentives etc.
(Generalized) Multi-Protocol Label Switching
- Layer 2.5 protocol
- High-performance transport of any layer 3 protocol over any layer 2 data link over any layer 1 medium
- Routing via short path labels (path switching)
- Layer 2 and layer 3 services (e.g. PtP and PtMP VPN)
- Forwarding on exact-match labels is implemented in hardware (i.e. switching), which is simpler than IP longest-prefix matching
QoS
Problem: need better traffic control, satisfy business incentives, better services etc.

DiffServ
Differentiated Services (DiffServ, RFC 2474) redefines the ToS octet of the IPv4 packet or the Traffic Class octet of IPv6 as the DS field
Allows operators to control the treatment of packets but does not guarantee any particular level of service or policy adherence across network boundaries.
The first 6 bits of the DS field are used as the Differentiated Services Code Point (DSCP), defining the Per-Hop Behavior of the packet
DiffServ is stateless (like IP) and scales
Service Profiles can be defined by ISPs for customers and by transit providers for ISPs
DiffServ is very easily deployable and could enable well working VoIP and real-time video
Unfortunately, it is not used between operators
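The DS field split and the "no guarantee across boundaries" caveat are both easy to show in code. The following is an added example, not from the lecture: it splits the ToS / Traffic Class octet into the 6-bit DSCP and the 2-bit ECN field (RFC 3168), and applies the policy an ingress router applies at a domain boundary, keeping only the code points the peering agreement allows and bleaching the rest to best effort, without disturbing ECN. The allowed set and the sample packets are constructed; `remark_at_boundary` and `boundary_demo` are this example's own names.

```python
"""DS field handling (RFC 2474 DSCP in the top 6 bits, RFC 3168 ECN in the low 2 bits)
for the IPv4 ToS / IPv6 Traffic Class octet, with a boundary re-marking policy: a
DSCP is only meaningful inside the domain that set it, so an ingress router keeps
the code points its peering agreement allows and bleaches the rest. Added example,
not from the lecture; the allowed set and the sample packets are constructed."""

# Standard code points: RFC 2474 class selectors, RFC 2597 assured forwarding, RFC 3246 expedited forwarding
CS0, CS6 = 0, 48
AF41 = 34
EF = 46


def split_ds(octet: int):
    """Return (DSCP, ECN) from a ToS / Traffic Class octet."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("octet out of range")
    return octet >> 2, octet & 0b11


def join_ds(dscp: int, ecn: int) -> int:
    if not 0 <= dscp < 64 or not 0 <= ecn < 4:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn


def remark_at_boundary(octet: int, allowed=frozenset({EF, AF41})) -> int:
    """Ingress policy at a domain boundary: keep allowed DSCPs, set everything else to
    best effort (CS0), and never touch the ECN bits, which belong to the endpoints."""
    dscp, ecn = split_ds(octet)
    return join_ds(dscp if dscp in allowed else CS0, ecn)


def boundary_demo():
    """Constructed packets arriving over a customer link, as (DSCP, ECN) after re-marking."""
    arriving = {
        "voip": join_ds(EF, 0),               # EF marked by the customer's PBX: allowed
        "video": join_ds(AF41, 0),            # allowed
        "spoofed_control": join_ds(CS6, 1),   # customer trying to claim network-control priority
        "best_effort": join_ds(CS0, 2),
    }
    return {name: split_ds(remark_at_boundary(o)) for name, o in arriving.items()}
```

Without such a policy any customer could mark its own traffic CS6 or EF and compete with the operator's routing-protocol and voice traffic, which is the reason operators re-mark at every boundary and, as the slide notes, do not honour each other's code points.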
IntServ
Integrated Services
Unlike DiffServ, IntServ reserves network resources and attempts to guarantee the conditions of a network flow end-to-end
However, the process is complex, resource intensive, and requires supportive cooperating routers across all ASes from source to sink.
HIP
Problems: mobility, security, multihoming, IPv4/IPv6 interoperation etc.
Host Identity Protocol (HIP, RFC 4423) defines a new global Internet name space
The Host Identity name space decouples the name and locator roles, both of which are currently served by IP addresses
The transport layer now operates on Host Identities instead of IP addresses
The network layer uses IP addresses as pure locators (not as names or identifiers)

HIP Architecture
[Figure: HIP architecture]

HIP
HIs are self-certifying (public keys)
HIP is a fairly simple technique based on IPSEC ESP and HITs (128-bit HI hashes)
HIP is ready for large-scale deployment
See http://infrahip.hiit.fi for more info
Base exchange
Initiator -> Responder, I1: HIT_I, HIT_R or NULL
Responder -> Initiator, R1: HIT_I, [HIT_R, puzzle, DH_R, HI_R]sig
Initiator -> Responder, I2: [HIT_I, HIT_R, solution, DH_I, {HI_I}]sig
Responder -> Initiator, R2: [HIT_I, HIT_R, authenticator]sig
After that, user data messages in both directions: ESP protected TCP/UDP, no explicit HIP header
Initiator, on receiving R1: solve puzzle
Responder, on receiving I2: verify, authenticate, replay protection
- Based on the SIGMA family of key exchange protocols: standard authenticated Diffie-Hellman key exchange for session key generation
- The Responder selects a precomputed R1 to prevent DoS: minimal state is kept at the Responder. The precomputed R1 does not by itself protect against replay attacks.
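The following is an added example, not code from the lecture or from the HIP implementations, that runs the four-message exchange above in memory and makes the DoS argument concrete: the Responder answers I1 with a precomputed R1 that carries a puzzle and its DH value and creates no state, the Initiator solves the puzzle (lowest K bits of SHA-1(I | HIT-I | HIT-R | J) zero, as in RFC 5201), and the Responder only spends a DH exponentiation once the cheap checks pass. The HI values are constructed byte strings standing in for public keys, the R1/I2/R2 signatures are left out because the standard library has no public-key code, and the DH group is the 1024-bit MODP group of RFC 2409 transcribed here for illustration only; `Responder`, `Initiator` and `base_exchange_demo` are this example's own names.

```python
"""HIP base exchange (RFC 5201 style) between an Initiator and a Responder simulated in
memory: a precomputed R1 carrying a puzzle and the Responder's DH value, the Initiator
solving the puzzle, the Responder verifying it without per-Initiator state, and both
sides deriving a key for the ESP SA. Added example, not from the lecture. The HIs are
constructed byte strings standing in for public keys, the R1/I2/R2 signatures are
omitted, and the DH group is the RFC 2409 1024-bit MODP group, for illustration only."""
import hashlib
import hmac
import os
import secrets

P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def hit_of(hi: bytes) -> bytes:
    """HIT as described on the slide: a 128-bit hash of the HI (real HITs are ORCHID-encoded)."""
    return hashlib.sha1(hi).digest()[:16]


def puzzle_ok(I: bytes, hit_i: bytes, hit_r: bytes, J: bytes, K: int) -> bool:
    """RFC 5201 puzzle: the lowest K bits of SHA-1(I | HIT-I | HIT-R | J) must be zero."""
    h = int.from_bytes(hashlib.sha1(I + hit_i + hit_r + J).digest(), "big")
    return h & ((1 << K) - 1) == 0


def solve_puzzle(I: bytes, hit_i: bytes, hit_r: bytes, K: int) -> bytes:
    j = 0
    while not puzzle_ok(I, hit_i, hit_r, j.to_bytes(8, "big"), K):
        j += 1
    return j.to_bytes(8, "big")


def session_key(shared: int, hit_i: bytes, hit_r: bytes) -> bytes:
    return hashlib.sha256(shared.to_bytes(128, "big") + hit_i + hit_r).digest()


class Responder:
    def __init__(self, hi: bytes, K: int = 12):
        self.hi, self.hit, self.K = hi, hit_of(hi), K
        self._x = secrets.randbelow(P - 2) + 2
        self.dh_pub = pow(G, self._x, P)
        self.current_I = os.urandom(8)     # puzzle nonce of the precomputed R1 handed to everyone
        self.sas = {}                      # HIT-I -> ESP SA key

    def on_i1(self, hit_i: bytes, hit_r):
        """I1 creates no state: the same precomputed R1 is returned to any Initiator."""
        if hit_r not in (None, self.hit):
            return None
        return {"hit_i": hit_i, "hit_r": self.hit, "I": self.current_I, "K": self.K,
                "dh": self.dh_pub, "hi": self.hi}

    def on_i2(self, i2):
        """Cheap checks first (puzzle, HIT/HI consistency); the DH exponentiation comes last."""
        if i2["hit_r"] != self.hit or i2["I"] != self.current_I:
            return None
        if not puzzle_ok(i2["I"], i2["hit_i"], self.hit, i2["J"], self.K):
            return None
        if hit_of(i2["hi"]) != i2["hit_i"]:
            return None
        key = session_key(pow(i2["dh"], self._x, P), i2["hit_i"], self.hit)
        self.sas[i2["hit_i"]] = key
        return {"hit_i": i2["hit_i"], "hit_r": self.hit,
                "authenticator": hmac.new(key, b"R2", hashlib.sha256).digest()}


class Initiator:
    def __init__(self, hi: bytes):
        self.hi, self.hit = hi, hit_of(hi)
        self._x = secrets.randbelow(P - 2) + 2
        self.key = None

    def i1(self, hit_r=None):
        return {"hit_i": self.hit, "hit_r": hit_r}   # hit_r None = opportunistic mode

    def on_r1(self, r1):
        J = solve_puzzle(r1["I"], self.hit, r1["hit_r"], r1["K"])
        self.key = session_key(pow(r1["dh"], self._x, P), self.hit, r1["hit_r"])
        return {"hit_i": self.hit, "hit_r": r1["hit_r"], "I": r1["I"], "J": J,
                "dh": pow(G, self._x, P), "hi": self.hi}

    def on_r2(self, r2) -> bool:
        return hmac.compare_digest(r2["authenticator"], hmac.new(self.key, b"R2", hashlib.sha256).digest())


def base_exchange_demo():
    ini = Initiator(b"initiator-host-identity-public-key")   # constructed HI
    rsp = Responder(b"responder-host-identity-public-key")   # constructed HI
    r1 = rsp.on_i1(**ini.i1())
    i2 = ini.on_r1(r1)
    r2 = rsp.on_i2(i2)
    bad_J = bytes(8)                                          # pick a J that does not solve the puzzle
    while puzzle_ok(i2["I"], i2["hit_i"], rsp.hit, bad_J, rsp.K):
        bad_J = (int.from_bytes(bad_J, "big") + 1).to_bytes(8, "big")
    return {
        "r2_verified": r2 is not None and ini.on_r2(r2),
        "same_sa_key": rsp.sas.get(ini.hit) == ini.key,
        "bad_puzzle_rejected": rsp.on_i2(dict(i2, J=bad_J)) is None,
        # The puzzle alone is no replay protection: a recorded I2 still makes the
        # Responder do a DH exponentiation (the slide's caveat); the signature over I2
        # and rotating the R1 nonce I bound that window in the real protocol.
        "replayed_i2_still_costs_dh": rsp.on_i2(i2) is not None,
    }
```

The ordering inside `on_i2` is the whole point of the puzzle: an attacker flooding I2 messages without valid solutions costs the Responder one SHA-1 per message, while the Responder's own exponentiation is only reached by an Initiator that has done K bits of work first.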
HIP Mobility
Mobility is easy: the ESP SA is bound to the HITs, not to the IP addresses, so it is retained when the locator changes
HIP in Combining IPv4 and IPv6
[Figure: a HIP MN and a HIP CN (WWW proxy, music server) attached to an IPv6 access network and an IPv4 access network, communicating across the Internet]
An early demo seen at L.M. Ericsson Finland (source: Petri Jokela, LMF)
BGPSec and DNSSec
Problem: security (within two critical architectural solutions)
BGP Security Extensions:
- Authentication of inter-AS BGP data via the Resource Public Key Infrastructure (RPKI), i.e. digital signatures
- Does NOT provide confidentiality or guaranteed availability
- Provides limited protection against certain mis-origination attacks
- Not widely implemented (as of this lecture, 2012)

DNS Security Extensions:
- Authentication and integrity of DNS query results via digital signatures
- Does NOT provide confidentiality or guaranteed availability
- Protects against e.g. cache poisoning and other forgeries
- Not widely implemented (as of this lecture, 2012)
Key limitations, solutions, underlying ossifications

Limitation(s) | Solution(s) | Key underlying ossification(s)
Name-address translation | DNS | Network vs. human-friendly naming dichotomy
Scalability, routing inflexibility, combined addressing and transport | TCP/IP, MPLS | Endpoint-centrism; rigid core protocol stack
Congestion | TCP congestion control | Lack of built-in protocol-independent QoS; rigid core protocol stack
Traffic control | BGP, IGPs + EGPs | Endpoint-centrism; send-receive communication paradigm
Address space exhaustion | CIDR, NAT, DHCP etc. | IPv4
Mobility, multihoming | MIP, HIP | Endpoint-centrism; rigid core protocol stack
QoS | DiffServ + IntServ | Lack of built-in protocol-independent QoS; rigid core protocol stack
Security | Various (e.g. DNSSec, BGPSec, and many others!) | Endpoint-centrism; send-receive communication paradigm; rigid core protocol stack
Evolutionary approaches
Application-level
1. Scalable content delivery
   1. DHTs (~2001)
   2. P2P networks
   3. CDNs (e.g. Akamai)
2. Security (confidentiality, anonymity, authentication etc.)
   1. Asymmetric crypto (e.g. RSA ~1977 or ~1973, DH ~1976)
   2. PGP (~1991)
   3. SSL/TLS (mid-1990's, late-1990's)
   4. PKI (1990's)
   5. VPNs, e.g. PPTP (~1999)
   6. Wireless security, e.g. WPA/WPA2/EAP (late 1990's and beyond)
   7. Tor (mid 2000's)
3. Cloud computing
Distributed Hash Table (DHT)
A Distributed Hash Table (DHT) is a service for storing and retrieving key-value pairs
There is a large number of peer machines
Single machines leaving or joining the network have little effect on its operation
DHTs can be used to build e.g. databases (a new DNS) or content delivery systems
BitTorrent is using a DHT
The real scalability of DHTs is still unproven
All of the participating hosts need to be trusted (at least to some extent)

DHT
[Figure: the principle of a Distributed Hash Table (source: Wikipedia)]
27/1/2010 37
Overlay Routing
In overlay routing the topology is formed over an underlying (usually IP) network
DHTs are examples of overlay routing
DHT techniques can be utilized e.g. in implementing non-hierarchical rendezvous
An example of DHT-based solutions is the Content Addressable Network (CAN)
CAN is based on a d-dimensional Cartesian space, each node having a coordinate zone that it is responsible for

CAN
[Figure: a two-dimensional CAN example]

Chord Ring
[Figure: Chord ring with greedy forwarding (compare with ROFL)]

Pastry DHT
[Figure: Pastry example with hexadecimal identifiers]
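The Chord figure and the DHT slide's claim that nodes leaving or joining have little effect can both be checked in code. The following is an added example, not from the lecture, of a Chord-style ring (Stoica et al., 2001): identifiers come from consistent hashing onto a 2^M ring, each node holds only a successor pointer and M fingers, a lookup greedily forwards to the farthest finger that precedes the key, and removing one node moves exactly the keys that node owned. Node names and keys are constructed; `Ring` and `chord_demo` are this example's own names.

```python
"""A Chord-style DHT ring (Stoica et al., 2001) in memory: consistent hashing of node
and key identifiers onto a 2^M ring, finger tables, greedy forwarding to the farthest
finger that precedes the key, and what happens to key ownership when a node leaves.
Added example, not from the lecture; node names and keys are constructed."""
import hashlib
from bisect import bisect_left

M = 32                  # identifier bits (Chord uses 160; 32 keeps numbers readable)
RING = 1 << M


def ident(name: str) -> int:
    return int.from_bytes(hashlib.sha1(name.encode()).digest(), "big") % RING


def in_half_open(x: int, a: int, b: int) -> bool:
    """x in (a, b] on the ring."""
    return (a < x <= b) if a < b else (x > a or x <= b)


def in_open(x: int, a: int, b: int) -> bool:
    """x in (a, b) on the ring."""
    return (a < x < b) if a < b else (x > a or x < b)


class Ring:
    def __init__(self, names):
        self.nodes = sorted({ident(n) for n in names})
        # Per-node local state only: a successor pointer and M fingers.
        self.succ = {n: self.owner((n + 1) % RING) for n in self.nodes}
        self.fingers = {n: [self.owner((n + (1 << i)) % RING) for i in range(M)] for n in self.nodes}

    def owner(self, key: int) -> int:
        """successor(key): first node at or after key clockwise (global view, used to build tables)."""
        i = bisect_left(self.nodes, key)
        return self.nodes[i % len(self.nodes)]

    def lookup(self, key: int, start: int):
        """Greedy forwarding from node `start` using only local tables; returns (owner, hops)."""
        n, hops = start, 0
        while not in_half_open(key, n, self.succ[n]):
            # closest preceding finger: the farthest finger strictly between n and key
            nxt = next((f for f in reversed(self.fingers[n]) if in_open(f, n, key)), self.succ[n])
            n, hops = nxt, hops + 1
        return self.succ[n], hops


def chord_demo():
    names = [f"node{i}" for i in range(64)]
    keys = [f"key{i}" for i in range(200)]
    ring = Ring(names)
    start = ring.nodes[0]
    owners = {k: ring.owner(ident(k)) for k in keys}
    results = [ring.lookup(ident(k), start) for k in keys]
    hops = [h for _, h in results]
    leaving = ring.nodes[5]
    after = Ring(n for n in names if ident(n) != leaving)   # one node departs, the rest are unchanged
    moved = sum(1 for k in keys if after.owner(ident(k)) != owners[k])
    return {
        "all_lookups_correct": all(o == owners[k] for (o, _), k in zip(results, keys)),
        "max_hops": max(hops),
        "mean_hops": sum(hops) / len(hops),
        "keys_moved_on_leave": moved,
        "keys_on_leaving_node": sum(1 for k in keys if owners[k] == leaving),
    }
```

The trust caveat on the DHT slide shows up in `lookup`: every hop trusts the previous node's finger table, so a single node on the path that answers with a wrong successor misroutes the query and the requester has no way to detect it from the protocol alone.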
P2P networks & CDNs
Napster, Gnutella, BitTorrent (also utilizes a DHT) etc.
Akamai CDN
Security
Confidentiality, anonymity, authentication etc.
1. Asymmetric crypto (e.g. RSA ~1977 or ~1973, Diffie-Hellman ~1976)
2. PGP (~1991)
3. SSL/TLS (mid-1990's, late-1990's)
4. PKI (1990's)
5. VPNs, e.g. PPTP (~1999)
6. Wireless security, e.g. WPA/WPA2/EAP (late 1990's and beyond)
7. Tor (mid 2000's)
Cloud computing
Computing resources are delivered via the network
"x"aaS, i.e. "x" as a service, e.g. software, storage, processing etc.
The goal is to achieve resourcefulness and efficiency via computing economies of scale
Examples: Amazon, Apple, Google etc.
For next week…
READ (lecture 3): M. Handley. 2006. Why the Internet only just works. BT Technology Journal 24, 3 (July 2006), 119-129. DOI=10.1007/s10550-006-0084-z http://dx.doi.org/10.1007/s10550-006-0084-z
READ (lecture 4): Van Jacobson, Diana K. Smetters, James D. Thornton, Michael F. Plass, Nicholas H. Briggs, and Rebecca L. Braynard. 2009. Networking named content. In Proceedings of the 5th international conference on Emerging networking experiments and technologies (CoNEXT '09). ACM, New York, NY, USA, 1-12. DOI=10.1145/1658939.1658941 http://doi.acm.org/10.1145/1658939.1658941
Thank you for your attention! Questions? Comments?