Outline : Computer Networking. Narrow Waist of the Internet Key to its Success. NSF Future Internet Architecture

Transcription

1 Outline : Computer Networking L-15 Future Internet Architecture 2 Motivation and discussion Some proposals: CCN Nebula Mobility First XIA XIA overview AIP Scion 2 NSF Future Internet Architecture Narrow Waist of the Internet Key to its Success Program focuses on new architectural Internet features - address challenges in fundamental way Want to keep the good features of today s network Four teams were selected in the second phase: Named Data Networking: content centric networking - data is a (the) first class entity Mobility First: mobility as the norm rather than the exception generalizes delay tolerant networking Nebula: Internet centered around cloud computing data centers that are well connected expressive Internet Architecture: focus on trustworthiness, evolvability 3 Has allowed Internet to evolve dramatically But now an obstacle to addressing challenges: No built-in security New usage models a challenge Limited interactions edge-core Applications Internet Protocol Link Technologies XIA exploring three concepts to address issues: Diverse types of end-points Intrinsic security Flexible addressing 1

2 Today s Internet expressive Internet Architecture Src: Client IP Dest: Server IP Src: Client ID Dest: ID TCP Client IP Server IP Client retrieves document from a specific web server But client mostly cares about correctness of content, timeliness Specific server, file name, etc. are not of interest Transfer is between wrong principals What if the server fails? Optimizing transfer using local caches is hard Need to use application-specific overlay or transparent proxy bad! 5 PDA Client expresses communication intent for content explicitly Network uses content identifier to retrieve content from appropriate location How does client know the content is correct? Intrinsic security! Verify content using self-certifying id: hash(content) = content id How does source know it is talking to the right client? Intrinsic security! Self-certifying host identifiers 6 Three Key Principles An set of principals allows direct identification of the intended communicating entities Not having to force communication at a lower level (hosts in today s Internet) reduces complexity and overhead Set up principals can evolve over time Adapt to changes in usage models Support custom requirements of specific deployments Intrinsic security guarantees security properties as a direct result of the design of the system Do not rely on external configurations, actions, data bases 7 Other XIA Principles Narrow waist for all principals Defines the API between the principals and the network protocol mechanisms Narrow waist for trust management Ensure that the inputs to the intrinsically secure system match the trust assumptions and intensions of the user Narrow waist allows leveraging diverse mechanisms for trust management: CAs, reputation, personal, All other network functions are explicit services Keeps the architecture simple, easy to reason about XIA provides a principal type for services (visible) 8 2

3 XIA: expressive Internet Architecture Each communication operation expresses the intent of the operation Also: explicit trust management, APIs among actors XIA is a single inter-network in which all principals are connected Not a collection of architectures implemented through, e.g., virtualization or overlays Not based on a preferred principal (host or content), that has to support all communication 9 Multiple Principal Types Associated with different forwarding semantics Support heterogeneity in usage and deployment models Set of principal types can evolve over time Host XIDs support host-based communication who? Service XIDs allow the network to route to possibly replicated services what does it do? LAN services access, WAN replication, XIDs allow network to retrieve content from anywhere what is it? Opportunistic caches, CDNs, Autonomous domains allow scoping, hierarchy 10 Multiple Principal Types -centric Optimizations Choice involves tradeoffs: Control Trust Efficiency Privacy Service Host HID Service Host HID HTML Cached Service 11 Service HID 12 3

4 What Do We Mean by Evolvability? Narrow waist of the Internet has allowed the network to evolve significantly But need to evolve the waist as well! Can make the waist smarter IP: Evolvability of: Applications Link technologies XIA adds evolvability at the waist: Applications Evolving set of principals Link technologies Supporting Evolvability Introduction of a new principal type will be incremental no flag day! Not all routers and ISPs will have support from day one Creates chicken and egg problem - what comes first: network support or use in applications Solution is to provide an intent and fallback address Intent address allows innetwork optimizations based on user intent Fallback address is guaranteed to be reachable. AD:HID AD:HID. Payload Dest Src 14 Addressing Requirements Our Solution: DAG-Based Addressing Fallback: intent that may not be globally understood must include a backwards compatible address Incremental introduction of new XID types Scoping: support reachability for non-globally routable XID types or XIDs Needed for scalability Generalize scoping based on network identifiers But we do not want to give up leveraging intent Iterative refinement: give each XID in the hierarchy option of using intent 15 Uses direct acyclic graph (DAG) Nodes: typed IDs (XID; expressive identifier) Outgoing edges: possible routing choices Simple example: Sending a packet to HID S Dummy source: special node indicating packet sender HID S Intent: final destination of packet with no outgoing edges 16 4

5 Support for Fallbacks with DAG DAGs Support Scoping and Iterative Refinement A node can have multiple outgoing edges Fallback edge HID S Primary edges A Client side Server-side domain hierarchy S Outgoing edges have priority among them Forwarding to HID S is attempted if forwarding to A is not possible Realization of fallbacks AD 0 HID S Intrinsic Security in XIA Example: Secure Mobile Service Access XIA uses self-certifying identifiers that guarantee security properties for communication operation Host ID is a hash of its public key accountability (AIP) ID is a hash of the content correctness Does not rely on external configurations Intrinsic security is specific to the principal type Example: retrieve content using XID: content is correct Service XID: the right service provided content Host XID: content was delivered from right host 19 X AD BoF BOF S2 Server S: HID S BoF AD BoF : BoF Client C: HID C C AD C Server S2: HID S2 BoF Register bof.com -> AD BOF : BOF XIA Internet AD C2 Client C: HID C C AD BoF :HID S : BoF AD C :HID C : C AD BoF :HID S2 : BoF AD C :HID C : C AD BoF :HID S2 : BoF AD C2 :HID C : C Resolv bof.com AD BOF : BOF Name Resolution Service 20 5

6 XIA Dataplane Concepts Also in the Paper Directly support diverse network usage models Evolution of principal types Customization Multiple Communicating Principal Types Principal-specific security properties How to build an XIA forwarding engine XIA forwarding performance and comparison with IP Flexible Addressing Deal with routing failures DAG security Intrinsic Security Built in security forms basis for system level security Discussion on scalability of content caching 22 Outline Motivation and discussion Some proposals: CCN Nebula Mobility First XIA XIA overview AIP Scion AIP Motivation Many security challenges are a result of not being able to unambiguously determine who is responsible for a specific action Source spoofing, denial-of-service attacks, untraceable spam,.. Add accountability to the Internet architecture Key idea is to use self-certifying addresses for both hosts and domains Avoid dependence on external configurations E.g. global trust authority

7 Addressing and Routing Self-Certifying Identifiers ADe ADe:EID9 ADx ADy Addresses are hierarchical, similar to today s Internet But each level has a flat address, i.e. no R ADa ADb Until packet reaches destination AD, intermediate routers use only destination AD to forward packet Effectively uses a pointer in a stack of domain identifiers Upon reaching destination AD, forward based on EID ADa:ADb:EID1 Identifier of object is public key of object Convenient to use hash of key (e.g. fixed size) Need way of securely mapping user readable name into the identifier AD is hash of public key of domain EID is hash of public key of host Provides a means of verifying the correctness of the source identifiers in a packet Effectively by sending a challenge to the source that it must sign with its private key Example: AD verification Verification Packet Receive packet source AD:X Forward packet Drop packet Send V to source In accept cache? Trust neighboring AD? Pass urpf? Router sends a packet V to Source containing: Source and destination identifier Hash of the packet P Interface of the router A secret signed by R Source signs V with its private key and send it back to R But only if it recognizes the hash R verifies that it was signed correctly using the public key from the source field If they match, R add S to its cache

8 AIP Discussion AIP adds complexity to routers Crypto support, caches, larger forwarding tables,.. but accountability helps address number of security challenges Reduces complexity and cost in rest of networks Research question Fast look up in large tables of flat identifiers Managing keys (revocation, minting, ) Evolving of the crypto Outline Motivation and discussion Some proposals: CCN Nebula Mobility First XIA XIA overview AIP Scion SCION Architectural Goals Wish List (1): Isolation Scalability, Control, and Isolation on Next-generation networks (SCION) High availability, even for networks with malicious parties Explicit trust for network operations Minimal TCB: limit number of entities that need to be trusted for any operation Strong isolation from untrusted parties Operate with mutually distrusting entities No single root of trust Enable route control for ISPs, receivers, senders Simplicity, efficiency, flexibility, and scalability Localization of attacks Scalable and reliable routing updates Operate with mutually distrusting entities without a global single root of trust A B D C Attacks (e.g., bad routes) M L3 PSC CMU I

9 Wish List (2): Balanced Control Wish List (3): Explicit Trust Source: select paths to send packets Destination: select paths to receive packets Transit ISPs: select paths to support Support rich policies and DDoS defenses A B D C Please reach me via A or B Hide the peering link from CMU Use Level 3 by default L3 I2 PSC CMU 33 Know who needs to be trusted Select whom to trust Confidence in selected paths Enforceable accountability Level 3 Who Go through will forward X and Z, Packets but not Y on the path? X Y Z Internet I2 PSC CMU 34 SCION Architectural Goals SCION Architecture Overview High availability, even for networks with malicious parties Explicit trust for network operations Minimal TCB: limit number of entities that need to be trusted for any operation Strong isolation from untrusted parties Operate with mutually distrusting entities No single root of trust Enable route control for ISPs, receivers, senders Simplicity, efficiency, flexibility, and scalability Trust domain (TD)s Isolation and scalability Path construction Path construction beacons (PCBs) Path resolution Control Explicit trust Route joining (shortcuts) Efficiency, flexibility PCB PCB PCB Source TD TD Core path srv S: blue paths D: red paths Destination

10 Hierarchical Decomposition Path Construction Split the network into a set of trust domains (TD) : interface : Opaque field : expiration time : signature TD: isolation of route computation core TD cores: interconnected large ISPs core = MAC( ) = SIG( ) = MAC( ) TD Core PCB PCB A Down paths Up paths = SIG( ) AD: atomic failure unit Destination Source 37 = MAC( ) = SIG( ) Embed into pkts PCB PCB B C 38 SCION Security Benefits Isolation Scalability, freshness Path replay attack Collusion attack Single root of trust Trusted Computing Base Path Control S-BGP etc Whole Internet SCION TD Core and on-path ADs Source End-to-end control Only up-path Destination No control Inbound paths DDoS Open attacks Enable defenses Choice Points in XIA Customers have choices: Choice of XID type, i.e. how is communication operation performed; different tradeoffs DAGs add flexibility: fallback, services, Scion offers some control over path selection Flexible trust management Distributed XID assignment (no single point of control) Service providers have choices as well Use of XID types to optimize new services Scion allows new path optimization options Use DAGs for binding, scoping, mobility,