Named Data Networking
Named Data Networking
IEEE CCW, Oct 10, 2011
www.named-data.net
1
Agenda
A. NDN Overview
B. NDN Security
1) Architecture Basics
2) Privacy
3) Routing and Application Security
C. Summary
2
The problem
3
[Figure: network diagram; labels: ISP, ISP]
Communication v. Distribution
4

|          | Communication  | Distribution   |
|----------|----------------|----------------|
| Naming   | Endpoints      | Content        |
| Security | Secure Process | Secure Content |
Today
5
[Figure: path from src to dst across ISPs; labels: src, dst, X]
Path determined by global routing, not local choice
Structural asymmetry precludes market mechanisms and encourages monopoly formation
NDN approach
6
[Figure: Consumer and Producer; Interest ? a/b/c]
NDN approach
7
[Figure: Consumer and Producer; Interest ? a/b/c; Data a/b/c/d returned]
NDN approach
8
• Packets say ‘what’ not ‘where’ (no src or dst)
• Forwarding decision is local
• Upstream performance is measurable
[Figure: Consumer and Producer; Interest ? a/b/c/e; prefix a/b]
We envision replacing this:
9
[Figure: network diagram; labels: ISP, ISP]
With THIS:
10
[Figure: network diagram; labels: ISP, ISP]
Agenda
A. NDN Overview
B. NDN Security
1) Architecture Basics
2) Privacy
3) Routing and Application Security
C. Summary
11
Securing Content
12
Content Packet = 〈 name, data, signature 〉
Any consumer can ascertain:
• Integrity: is data intact and complete?
• Origin: who asserts this data is an answer?
• Correctness: is this an answer to my question?
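The triple above, worked through as an added example (not code from the slides or from the NDN project): a producer signs the named data with Ed25519 and a consumer answers the three questions for one packet it received in reply to one Interest. The key name carried in the packet, the `\x00`-separated signing layout, the Ed25519 choice and the sample names beyond a/b/c are assumptions made here; NDN's own wire format differs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// ContentPacket is the slide's <name, data, signature> triple. KeyName is an
// assumption added here so the consumer knows which key to verify with; it is the
// "origin" the slide asks about.
type ContentPacket struct {
	Name      string
	Data      []byte
	KeyName   string
	Signature []byte
}

// signedBytes binds name, signing key and payload together, so re-labelling a
// payload under another name or attributing it to another key breaks the signature.
func signedBytes(p *ContentPacket) []byte {
	return []byte(p.Name + "\x00" + p.KeyName + "\x00" + string(p.Data))
}

// Produce is the producer's side: name the data and sign it.
func Produce(name, keyName string, data []byte, priv ed25519.PrivateKey) *ContentPacket {
	p := &ContentPacket{Name: name, Data: data, KeyName: keyName}
	p.Signature = ed25519.Sign(priv, signedBytes(p))
	return p
}

// Verdict holds the three answers a consumer derives from the packet alone.
type Verdict struct {
	Integrity   bool // signature verifies: data intact and complete
	Origin      bool // the asserting key is one this consumer recognises
	Correctness bool // the packet's name answers the Interest that was sent
}

// nameMatches is prefix matching on whole name components: an Interest for /a/b/c
// is answered by /a/b/c or /a/b/c/d, but not by /a/b/cd.
func nameMatches(interest, data string) bool {
	i := strings.Split(strings.Trim(interest, "/"), "/")
	d := strings.Split(strings.Trim(data, "/"), "/")
	if len(d) < len(i) {
		return false
	}
	for k := range i {
		if i[k] != d[k] {
			return false
		}
	}
	return true
}

// Ascertain is the consumer's side. knownKeys maps key names to public keys the
// consumer already trusts (how those are learned is the trust topic later in the deck).
func Ascertain(interest string, p *ContentPacket, knownKeys map[string]ed25519.PublicKey) Verdict {
	v := Verdict{Correctness: nameMatches(interest, p.Name)}
	if pub, ok := knownKeys[p.KeyName]; ok {
		v.Origin = true
		v.Integrity = ed25519.Verify(pub, signedBytes(p), p.Signature)
	}
	return v
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	known := map[string]ed25519.PublicKey{"/ndn/ucla.edu/bb1": pub} // constructed key name
	p := Produce("/a/b/c/d", "/ndn/ucla.edu/bb1", []byte("constructed payload"), priv)
	fmt.Printf("genuine:  %+v\n", Ascertain("/a/b/c", p, known))
	p.Data = []byte("altered in transit")
	fmt.Printf("tampered: %+v\n", Ascertain("/a/b/c", p, known))
}
```

Because the signature covers the name, a cached copy served by any node, trusted or not, carries its own evidence: the consumer never needs to know where the bytes came from, only which key asserts them.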
Evidentiary Trust
13
A web of trust gradually & organically arises from named and signed content:
[Figure: Name Hierarchy & Links on one side, Key Certification Graph on the other; each Content ↕ Key pair links the two]
DoS Resistance
Many current DoS + DDoS attacks/threats become irrelevant because of NDN architecture
• A few notable features:
  • Content caching mitigates targeted DoS
  • Content not forwarded w/out prior state set up by interests
  • Multiple interests for same content are collapsed
  • One copy of content per “interested” interface is returned
  • Stateful routing helps to fight/push back attacks
Some (new) attack opportunities (e.g., signatures) may be possible, but it is much more resistant to DoS attacks than what we have today.
14
Data plane resilience
• IP data delivery strictly follows FIB direction:
  • One-way data flow -- cannot detect failures
  • Has no effect on routing decisions
• NDN content delivery is a 2-step process:
  • Interest forwarding to set up state
  • Content traversal of interest path in reverse
• Interest forwarding state eliminates looping, allows exploitation of topological redundancies and multipath forwarding
• Content packets measure the quality of the selected (interest) paths, which lets the forwarding plane incorporate congestion and fault mitigation into path decisions
15
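The Pending Interest Table is the state behind both of the preceding slides: collapsed duplicate Interests, one copy of content per interested interface, no forwarding of content without a prior Interest, and loop elimination. An added example, not code from the slides or the NDN project, modelling only that table for one node; faces, the decision names and the exact-match lookup are simplifications chosen here, and the per-Interest nonce used to recognise a looped copy is the mechanism NDN uses but is not mentioned on the slides.

```go
package main

import (
	"fmt"
	"sort"
)

// Face numbers a router interface; Nonce is the random value an Interest carries so
// a router can tell a looped copy from a fresh request for the same name.
type Face int
type Nonce uint32

// Decision is what the forwarder does with an incoming Interest.
type Decision int

const (
	Forward   Decision = iota // first request for this name: send it upstream
	Aggregate                 // same name already pending: remember the face, send nothing
	DropLoop                  // same name and nonce seen before: the Interest looped back
)

func (d Decision) String() string { return [...]string{"Forward", "Aggregate", "DropLoop"}[d] }

type pitEntry struct {
	faces  map[Face]bool
	nonces map[Nonce]bool
}

// Forwarder models only the Pending Interest Table (PIT) of one NDN node. Names are
// matched exactly; a real forwarder also matches Data whose name extends the Interest's.
type Forwarder struct {
	pit map[string]*pitEntry
}

func NewForwarder() *Forwarder { return &Forwarder{pit: map[string]*pitEntry{}} }

// OnInterest records the requesting face and reports whether anything goes upstream.
func (f *Forwarder) OnInterest(name string, nonce Nonce, in Face) Decision {
	e, ok := f.pit[name]
	if !ok {
		f.pit[name] = &pitEntry{faces: map[Face]bool{in: true}, nonces: map[Nonce]bool{nonce: true}}
		return Forward
	}
	if e.nonces[nonce] {
		return DropLoop
	}
	e.nonces[nonce] = true
	e.faces[in] = true
	return Aggregate
}

// OnData returns the faces the content goes out on: one copy per interested face, after
// which the PIT entry is consumed so a second copy of the same Data goes nowhere. Data
// that no Interest asked for has no entry and is dropped (nil).
func (f *Forwarder) OnData(name string) []Face {
	e, ok := f.pit[name]
	if !ok {
		return nil
	}
	delete(f.pit, name)
	out := make([]Face, 0, len(e.faces))
	for face := range e.faces {
		out = append(out, face)
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

// Pending reports how many Interests the node is holding state for.
func (f *Forwarder) Pending() int { return len(f.pit) }

func main() {
	f := NewForwarder()
	// Constructed trace: consumers on faces 1 and 2 want the same name; the copy
	// arriving on face 3 carries face 1's nonce, i.e. face 1's Interest came back around a loop.
	fmt.Println(f.OnInterest("/a/b/c", 0x1111, 1))
	fmt.Println(f.OnInterest("/a/b/c", 0x2222, 2))
	fmt.Println(f.OnInterest("/a/b/c", 0x1111, 3))
	fmt.Println("deliver to faces:", f.OnData("/a/b/c"))
	fmt.Println("second copy goes to:", f.OnData("/a/b/c"))
	fmt.Println("unsolicited goes to:", f.OnData("/never/asked"))
}
```

The DoS argument of slide 14 falls out of the two return values: a flood of Interests for one name costs the upstream one forwarded Interest, and content nobody asked for is dropped at the first hop. Slide 15's reverse-path delivery is the `faces` set; the node knows exactly which interfaces asked, so no destination address is needed on the way back.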
Agenda
A. NDN Overview
B. NDN Security
1) Architecture Basics
2) Privacy
3) Routing and Application Security
C. Summary
16
Privacy Challenges in NDN
• Lack of source addresses in NDN packets provides much better privacy than IP. However, there are still challenges if the attacker can monitor the traffic close to the user (e.g., in the same LAN):
  • Name Privacy: semantically related names
    • Interested in “/healthonline/STDs/..”
  • Content Privacy: unencrypted public content
    • Retrieved content is an “.mp3” file
  • Signature Privacy: leaked signer (publisher) identity
    • Retrieved content is signed by “match.com”
  • Cache privacy: detectable cache hits/misses
    • Interests from this user usually miss caches -- it is for Russian content.
17
Named Data Onion Routing
• Consists of client and anonymizing router (AR) software
• Layers of encrypted Interests reside inside the name component of interests
  • E.g.: /anonymizer/Enc(Timestamp || key || Interest)
• Content is encrypted with the client-provided key on its way back
  • Encapsulation is published under the requested name and signed by ARs.
18
Example
19
[Figure: Interest for /nytimes.com/today sent through onion routers /OR1 and /OR2; the layered name carries /OR1, /OR2 and /nytimes.com/today nested inside one another]
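The layered name of slide 18 and the two-router example of slide 19, carried through end to end as an added example (not code from the slides or the NDN project): the client builds `/OR1/Enc(ts || key1 || /OR2/Enc(ts || key2 || /nytimes.com/today))`, each router peels one layer and forwards the inner Interest, and on the way back each router encrypts the content with the client-provided key so only the client can read it. AES-GCM for `Enc`, a symmetric key pre-shared between the client and each router, hex-encoded name components, the 8-byte timestamp, the one-minute freshness window and the `origin` callback standing in for the content publisher are all assumptions made here; the slide's AR signature over the encapsulation is left out to keep the exchange short.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Router is one anonymizing router (AR). Key is a symmetric key the client already
// shares with it; how that key is set up is not on the slides, so this is an assumption.
type Router struct {
	Prefix string // name prefix the AR answers for, e.g. "/OR1"
	Key    []byte
}

// seal is Enc(): AES-GCM with a fresh random nonce prepended to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// WrapInterest wraps target innermost-first so the outer layer is for path[0]. Each
// layer is Enc(timestamp || 32-byte return key || inner Interest name). The returned
// keys (one per router, path order) let the client peel the content on the way back.
func WrapInterest(target string, path []Router, now time.Time) (string, [][]byte, error) {
	name := target
	keys := make([][]byte, len(path))
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(now.Unix()))
	for i := len(path) - 1; i >= 0; i-- {
		keys[i] = make([]byte, 32)
		if _, err := rand.Read(keys[i]); err != nil {
			return "", nil, err
		}
		layer := append(append(append([]byte{}, ts...), keys[i]...), name...)
		ct, err := seal(path[i].Key, layer)
		if err != nil {
			return "", nil, err
		}
		name = path[i].Prefix + "/" + hex.EncodeToString(ct)
	}
	return name, keys, nil
}

// Peel is the AR's side: strip its prefix, decrypt one layer, reject anything not
// meant for it or older than maxAge (the timestamp bounds replay of captured names).
func (r Router) Peel(name string, now time.Time, maxAge time.Duration) ([]byte, string, error) {
	if !strings.HasPrefix(name, r.Prefix+"/") {
		return nil, "", errors.New("interest is not under this router's prefix")
	}
	ct, err := hex.DecodeString(strings.TrimPrefix(name, r.Prefix+"/"))
	if err != nil {
		return nil, "", err
	}
	layer, err := open(r.Key, ct)
	if err != nil {
		return nil, "", err
	}
	if len(layer) < 40 {
		return nil, "", errors.New("layer too short")
	}
	ts := time.Unix(int64(binary.BigEndian.Uint64(layer[:8])), 0)
	if ts.After(now) || now.Sub(ts) > maxAge {
		return nil, "", errors.New("stale layer")
	}
	return layer[8:40], string(layer[40:]), nil
}

// Fetch runs the exchange: path[0] peels a layer, forwards the inner Interest (to the
// next AR, or to the publisher modelled by origin), and returns the content
// encapsulated under the name it was asked for, encrypted with the client-provided key.
func Fetch(name string, path []Router, origin func(string) []byte, now time.Time) ([]byte, error) {
	if len(path) == 0 {
		return origin(name), nil
	}
	retKey, inner, err := path[0].Peel(name, now, time.Minute)
	if err != nil {
		return nil, err
	}
	content, err := Fetch(inner, path[1:], origin, now)
	if err != nil {
		return nil, err
	}
	return seal(retKey, content)
}

// Unwrap is the client's side of the return path: remove one layer per AR, outermost first.
func Unwrap(encapsulated []byte, keys [][]byte) ([]byte, error) {
	for _, k := range keys {
		var err error
		if encapsulated, err = open(k, encapsulated); err != nil {
			return nil, err
		}
	}
	return encapsulated, nil
}

func main() {
	now := time.Now()
	path := []Router{{Prefix: "/OR1", Key: make([]byte, 32)}, {Prefix: "/OR2", Key: make([]byte, 32)}}
	rand.Read(path[0].Key)
	rand.Read(path[1].Key)
	origin := func(n string) []byte { return []byte("constructed page for " + n) } // stands in for the publisher
	name, keys, _ := WrapInterest("/nytimes.com/today", path, now)
	fmt.Println("outer interest:", name[:20]+"...")
	enc, _ := Fetch(name, path, origin, now)
	plain, _ := Unwrap(enc, keys)
	fmt.Println(string(plain))
}
```

Against the observer of slide 17 this closes the name, content and cache channels on the client's LAN: the only name visible there is `/OR1/<ciphertext>`, the content comes back encrypted under a key that exists only in that layer, and the requested name is never seen in the clear before /OR2. The signature channel is what the slide's AR signature over the encapsulation addresses, and is the part omitted above.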
Agenda
A. NDN Overview
B. NDN Security
1) Architecture Basics
2) Privacy
3) Routing and Application Security
C. Summary
20
Using NDN Features to Secure Routing
• Need to protect routing updates (where content prefix is reachable)
• Router names follow network management hierarchy
• Names associated with signing keys (not only 1:1)
• Keys are authenticatable:
  • Network operator configures trust anchor for each router, e.g., public key for /ndn/ucla.edu/
  • Router key (e.g., /ndn/ucla.edu/bb1) certified by anchor key
  • Each interface has a name (e.g., /ndn/ucla.edu/bb1/f1); router key certifies each interface key
  • Updates from each interface signed by that interface key
21
Testbed: UCLA Film & TV Studio #1
NDN Lighting Control Application
22
Special case of actuators in an instrumented environment
Rich set of use cases (e.g., entertainment)
IP in Lighting Systems?
• Security currently achieved by:
  • Physical network segregation, or
  • VLANs + firewalls
• Devices increasingly receive over-the-air upgrades & updates
  • Not clear how to accommodate with above in scalable manner
• IP-based addressing irrelevant to applications
  • Easier to address fixtures in application-specific terms without having to know through/to which gateway they connect
• IP configuration particularly brittle for dynamic systems
  • Lighting devices (fixtures) can come & go frequently
  • Certain building systems incorporate mobile devices
23
Bootstrapping
24
Subsequent Control
• After bootstrapping, configuration manager grants permissions to applications by publishing their keys under names representing (authorized) capabilities
• Fixture checks if application signing key is in: (1) its cache of authorized keys, or (2) built-in trust anchor list created at bootstrap time, or (3) it is published (signed) by a key that satisfies (1) or (2)
• To minimize delay, signed commands are expressed as part of name within interest
25
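The fixture's three-way check above and the routing key hierarchy of slide 21 (operator-configured anchor for /ndn/ucla.edu, router key /ndn/ucla.edu/bb1 certified by it, interface key /ndn/ucla.edu/bb1/f1 certified by the router key, updates signed by the interface key) are the same walk up a certification chain, which is also how slide 13's key certification graph is consumed. An added example, not code from the slides or the NDN project: key packets are themselves signed named content, the verifier resolves a signing key by following key names back to a configured anchor or to a cached key packet, and refuses any hop where a key certifies a name outside its own namespace. Ed25519, the packet layout, the depth limit and the sample names beyond those on the slides are assumptions; the trailing slash of /ndn/ucla.edu/ is dropped so names compare as plain strings.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Packet is signed named content. For a key packet, Data holds the public key and
// KeyName names the certifying key; for a routing update or a command, KeyName names
// the key that signed it.
type Packet struct {
	Name, KeyName string
	Data, Sig     []byte
}

func toSign(p *Packet) []byte { return []byte(p.Name + "\x00" + p.KeyName + "\x00" + string(p.Data)) }

// Sign publishes data under name, signed by the key called keyName.
func Sign(name, keyName string, data []byte, priv ed25519.PrivateKey) *Packet {
	p := &Packet{Name: name, KeyName: keyName, Data: data}
	p.Sig = ed25519.Sign(priv, toSign(p))
	return p
}

// Verifier holds the trust anchors an operator configured (slide 21) and the key
// packets it has fetched or cached (the fixture's "cache of authorized keys").
type Verifier struct {
	Anchors map[string]ed25519.PublicKey // key name -> public key
	Store   map[string]*Packet           // key name -> published key packet
}

// underNamespace enforces the name hierarchy: a key may only certify keys whose name
// extends its own (/ndn/ucla.edu certifies /ndn/ucla.edu/bb1, which certifies .../bb1/f1).
func underNamespace(certifier, key string) bool {
	return strings.HasPrefix(key, strings.TrimSuffix(certifier, "/")+"/")
}

// KeyFor resolves keyName to a public key: directly if it is an anchor, otherwise by
// verifying its key packet against the certifier's key, recursively, within depth hops.
func (v *Verifier) KeyFor(keyName string, depth int) (ed25519.PublicKey, error) {
	if k, ok := v.Anchors[keyName]; ok {
		return k, nil
	}
	if depth == 0 {
		return nil, errors.New("certification chain too long")
	}
	kp, ok := v.Store[keyName]
	if !ok {
		return nil, fmt.Errorf("no key packet for %s", keyName)
	}
	if !underNamespace(kp.KeyName, keyName) {
		return nil, fmt.Errorf("%s may not certify %s", kp.KeyName, keyName)
	}
	certifier, err := v.KeyFor(kp.KeyName, depth-1)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(certifier, toSign(kp), kp.Sig) {
		return nil, fmt.Errorf("bad signature on key %s", keyName)
	}
	if len(kp.Data) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("malformed key %s", keyName)
	}
	return ed25519.PublicKey(kp.Data), nil
}

// Verify checks a signed packet (a routing update, or a command carried in an Interest
// name) against a chain that ends at a trust anchor.
func (v *Verifier) Verify(p *Packet) error {
	pub, err := v.KeyFor(p.KeyName, 8)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, toSign(p), p.Sig) {
		return errors.New("bad signature on packet " + p.Name)
	}
	return nil
}

func main() {
	anchorPub, anchorPriv, _ := ed25519.GenerateKey(rand.Reader)
	bb1Pub, bb1Priv, _ := ed25519.GenerateKey(rand.Reader)
	f1Pub, f1Priv, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{Anchors: map[string]ed25519.PublicKey{"/ndn/ucla.edu": anchorPub}, Store: map[string]*Packet{}}
	v.Store["/ndn/ucla.edu/bb1"] = Sign("/ndn/ucla.edu/bb1", "/ndn/ucla.edu", bb1Pub, anchorPriv)
	v.Store["/ndn/ucla.edu/bb1/f1"] = Sign("/ndn/ucla.edu/bb1/f1", "/ndn/ucla.edu/bb1", f1Pub, bb1Priv)
	// Constructed update name and payload; only the key names come from the slides.
	update := Sign("/ndn/ucla.edu/bb1/f1/update/1", "/ndn/ucla.edu/bb1/f1", []byte("constructed routing update"), f1Priv)
	fmt.Println("genuine update:", v.Verify(update))
	update.Data = []byte("altered")
	fmt.Println("altered update:", v.Verify(update))
}
```

The namespace rule is what makes the hierarchy a security property rather than a naming convention: a compromised /ndn/ucla.edu anchor can only mint keys under /ndn/ucla.edu, so a router that receives a key for another site's prefix certified by it rejects the chain before checking any signature.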
Other applications in the works
• Audio conferencing
• Participatory sensing
• Personal data cloud
• Media distribution/streaming
• VPN server/client
• Network monitor/management tools
26
Agenda
A. NDN Overview
B. NDN Security
1) Architecture Basics
2) Privacy
3) Routing and Application Security
C. Summary
27
SUMMARY
• Lots of work underway
• Much of what was presented not “cast in stone”
• Didn’t cover:
  • Signature schemes (e.g., batch operations, streaming content)
  • Trust establishment / Trust frameworks
  • Usability of S&P
  • Security in other apps, e.g., sensing, conferencing
28
29
Thanks!