Evolved Addressing and Forwarding in Information-Centric Networks

Slide Note
Embed
Share

The content discusses Evolved Addressing and Forwarding in Information-Centric Networks, focusing on an accountable Internet protocol (AIP) that addresses vulnerabilities at the IP level, such as source spoofing, DoS attacks, and route hijacking. AIP utilizes a hierarchy of self-certifying addresses derived from public keys, aiming to enhance accountability in Internet communications. The design of AIP includes hierarchical addresses, Accountability Domains (ADs), and Endpoint IDentifiers (EIDs) to ensure global uniqueness and address scalability challenges. Overall, this approach explores novel methods to secure and streamline Internet operations.

mantooth_b
mantooth_b Follow

Uploaded on Oct 02, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Information-Centric Networks Section # 7.3: Evolved Addressing & Forwarding Instructor: George Xylomenos Department: Informatics

  2. Funding These educational materials have been developed as part of the instructors educational tasks. The Athens University of Economics and Business Open Courses project only funded the reformatting of these educational materials. The project is being implemented as part of the Operational Program Instruction and Lifelong Learning and is co- financed by the European Union (European Social Fund) and national funds.

  3. Licencing These educational materials are subject to a Creative Commons License.

  4. Week 7 / Paper 3 Accountable Internet Protocol (AIP) Michael Walfish, Hari Balakrishnan and Scott Shenker David G. Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker ACM SIGCOMM 2008 Main point Accountability at the forefront of the Internet Prevention of source spoofing, DoS, route hijacking, route forgery AIP uses a hierarchy of self-certifying addresses Each component is derived from a public key Information-Centric Networks 07c-4

  5. Introduction The Internet is rife with IP level vulnerabilities Misconfigured routers wreak havoc on packet delivery Hijacked routes used to send untraceable spam Hijacked hosts spoof source addresses DoS attacks occur on a daily basis Many solutions proposed, but all have shortcomings Complicated mechanisms that change the Internet model External sources of trust to certify BGP updates Operator vigilance to keep updating filters Maybe the fundamental architecture is at fault AIP uses self-certifying flat addresses Hosts can prove they own an address without a PKI But, flat addressing is a scalability challenge Information-Centric Networks 07c-5

  6. AIP design Basic structure and function Hierarchical addresses with two or more components Each network is divided into Accountability Domains (ADs) Each host is an Endpoint IDentifier (EID) Both AD and EID are globally unique Addresses have the form AD:EID ADs may be subdivided into units In general addresses are AD1:AD2: :ADk:EID The AD and EID is the hash of the public key of an entity Each component is 160 bits long (8+144+8) Direct link between identity (public key) and name (AD/EID) Each AD/EID has the form Version:Key Hash:Interface Version indicates the scheme used to generate the AD/EID Interface indicates one of the interfaces of a host Information-Centric Networks 07c-6

  7. AIP design Forwarding and routing Each packet contains source and destination AD:EID Multiple AD levels are treated as a stack Forwarding proceeds towards the current AD Border routers switch to the next AD in the stack Interdomain routing can use BGP or any other protocol Routers advertise reachability to ADs, not prefixes ADs can be grouped into ASes if needed DNS and mobility A multihomed host will have different ADs but the same EID Transport protocols bind to the EID, not the AD Mobile hosts need to change their AD only Changes can be authenticated since EIDs are bound to keys Information-Centric Networks 07c-7

  8. Uses of accountability Source accountability (no source spoofing) Common source spoofing variants Pretending to be a host at another network Pretending to be another host at your network Creating large numbers of unused addresses EID verification: at first hop router On reception of data from unverified host Drop packet and return verification packet V V contains source/destination addresses, packet hash and interface V is signed using a secret that changes regularly The sender returns V signed with its private key The router verifies the signature and if correct passes next packets Replay attacks at the router prevented by the secret Replay attacks at the sender prevented by inserting random packet ID Only the sender needs to cache hashes of recent packets Information-Centric Networks 07c-8

  9. Uses of accountability Source accountability (no source spoofing) AD verification (at AD boundaries) On reception of packet from AD B, AD A checks that: If B is trusted to check packets, forward it Otherwise check if the packet is on the route to the source Otherwise drop packet and verify the source as with the EID The last step allows multihoming and asymmetric paths Ensuring scalability at border routers Only packets that arrive from an unexpected route are remembered If the AD:EID pairs for the same AD are many, use a wildcard AD:* This is dangerous if an attacker controls some hosts in the AD It can force the border router to insert a wildcard Limiting address minting Routers can limit the number of new EIDs they accept per minute Similarly for ADs in border routers Information-Centric Networks 07c-9

  10. Uses of accountability Shut-off protocol Requires a smart-NIC that rate-limits transmission if needed The NIC records hashes of recently sent packets It also accepts Shut-Off Packets (SOPs) independently A SOP contains a packet hash and a TTL, signed by the destination The NIC accepts the packet if it contains a valid hash and signature Then it shuts-off traffic for the TTL The random packet ID prevents replay attacks Hashes of thousands of packet can be kept in a Bloom filter Securing BGP BGP peering sessions are encrypted with AD public keys BGP routers sign their routing announcements Routers only need to know the public keys of other ADs Information-Centric Networks 07c-10

  11. Routing scalability Routing growth estimates The AS diameter increases slowly (less than 5 hops) Routing tables grow 17% per year (about 1.6 million in 2020) Routing traffic grows linearly with table size Estimate 1.5 updates per day per prefix Effects of moving to AIP RIB/FIB size increase due to 160 bit AD and 2048 bit public key Doubles for two level ADs BUT: lookups are flat, not longest prefix Estimated 80% reduction in memory accesses The AS diameter may grow by 2-3 hops due to two level ADs CPU costs that same as those needed for S-BGP Information-Centric Networks 07c-11

  12. Routing scalability Semiconductor growth trends Assume the ITRS roadmap of density doubling every 3 years Resource requirements RIB (DRAM): Roughly triple the amount of RAM needed by IP No problem with current growth trends FIB (DR/SR/CAM): SRAM will grow much faster than FIBs CPU: Loading time of tables to memory Estimated to be less than 30 seconds Cryptography: 66 seconds for all tables May need acceleration as it is slower than the loading time Information-Centric Networks 07c-12

  13. Key management Key compromise: what if a private key is exposed? Key revocation is tricky but feasible The biggest problem is the false confidence in lost keys Therefore mechanisms for rapid loss detection are needed Public registries for ADs are needed They only store self certifying data (no PKI needed) Can be automatically populated (no human intervention) Local (per domain) and global registries possible Types of information stored in registries Identity/public key pairs Revoked public keys, signed by private keys (write once!) Peering relationships, signed by both peers Certificates binding EIDs to ADs (may be multiple) Certificates binding EIDs to first hop routers (can be multiple) Information-Centric Networks 07c-13

  14. Key management Maintaining domain registries Domains should be forced to sign AD:EID to get it into DNS Hosts check the registries of the domains hosting them Domains check the registries of their peers Key discovery: what is the destination address? Use DNS and verify keys against AD identifiers Establish out-of-band trust between peering domains Cryptographic algorithm compromise This is why version numbers are added to identities New algorithms can co-exist with older ones A version number indicates a hash/sign combination pair Information-Centric Networks 07c-14

  15. Traffic engineering and AD size Traffic engineering maps offered load to a set of paths Performed by DNS and selective prefix advertising ADs cannot be split to smaller prefixes for control But they can be split hierarchically AD granularity: a set of hosts under common administration Splitting ADs for traffic engineering can be done It is aggregating these prefixes that is impossible! Experiments show that such aggregation is quite rare Another possibility is to use the interface bits Each interface could be advertised separately Allows aggregation by zeroing out the interface bits DNS load balancing does not change The interface bits can make it easier Information-Centric Networks 07c-15

  16. End of Section # 7.3 Course: Information-Centric Networks, Section # 7.3: Evolved Addressing & Forwarding Instructor: George Xylomenos, Department: Informatics

Related


PEEK: Proactive Producer Mobility Management Scheme for ICN

PEEK: Proactive Producer Mobility Management Scheme for ICN

kamahr
Understanding Network Analysis: Whole Networks vs. Ego Networks

Understanding Network Analysis: Whole Networks vs. Ego Networks

kayliee
Efficient DocuSign Document Forwarding Process

Efficient DocuSign Document Forwarding Process

mckenzie
Investigating SDN Forwarding with RuleScope

Investigating SDN Forwarding with RuleScope

mourning_b
Understanding Router Routing Tables in Computer Networks

Understanding Router Routing Tables in Computer Networks

jtisd
Understanding Artificial Neural Networks From Scratch

Understanding Artificial Neural Networks From Scratch

inara
P-Rank: A Comprehensive Structural Similarity Measure over Information Networks

P-Rank: A Comprehensive Structural Similarity Measure over Information Networks

exes507
Vertex-Centric Programming for Graph Neural Networks

Vertex-Centric Programming for Graph Neural Networks

jaccobr
Diverse Social Entities Mining from Linked Data in Social Networks

Diverse Social Entities Mining from Linked Data in Social Networks

vlar
Understanding WAN Technologies and Routing in Large Networks

Understanding WAN Technologies and Routing in Large Networks

dpetr
Introduction to Neural Networks in IBM SPSS Modeler 14.2

Introduction to Neural Networks in IBM SPSS Modeler 14.2

anouk
Understanding Greedy Distributed Spanning Tree Routing in Wireless Sensor Networks

Understanding Greedy Distributed Spanning Tree Routing in Wireless Sensor Networks

sprio
A.Z.A.D Freight Forwarding & Door-to-Door Services Overview

A.Z.A.D Freight Forwarding & Door-to-Door Services Overview

canaan
International Freight Forwarding Company - Andina Freight SAC

International Freight Forwarding Company - Andina Freight SAC

pimienta_r
Virtual Labs on SDN and P4 Programmable Switches

Virtual Labs on SDN and P4 Programmable Switches

everly
Understanding NFV and SDN Controllers in Networking Architecture

Understanding NFV and SDN Controllers in Networking Architecture

mjerr
Understanding Network Layer Concepts in Router Design Lecture

Understanding Network Layer Concepts in Router Design Lecture

dviv
Freight Forwarding Services in Belgium and West Africa

Freight Forwarding Services in Belgium and West Africa

ezrah
TLS Freight Forwarding Pvt Ltd: Your Business Partner for Complete Logistics & Supply Chain Solutions

TLS Freight Forwarding Pvt Ltd: Your Business Partner for Complete Logistics & Supply Chain Solutions

rayl_9
Extending OVN Forwarding Pipeline for Topology-based Service Injection

Extending OVN Forwarding Pipeline for Topology-based Service Injection

zyke_659
Computer Networks CMSC 417 : Spring 2022

Computer Networks CMSC 417 : Spring 2022

danger
Enhancing Agriculture Through Global Knowledge Networks and Information Management Systems

Enhancing Agriculture Through Global Knowledge Networks and Information Management Systems

asriel
JSM Logistic Services - Redefining the Logistics Market with Passion and Innovation

JSM Logistic Services - Redefining the Logistics Market with Passion and Innovation

averie
Understanding IPv4 Addresses and Classful Addressing in Computer Networks

Understanding IPv4 Addresses and Classful Addressing in Computer Networks

tarak

More Related Content

Understanding Overlay Networks and Distributed Hash Tables
Understanding Overlay Networks and Distributed Hash Tables
Understanding Computer Networks: Types and Characteristics
Understanding Computer Networks: Types and Characteristics
Understanding Interconnection Networks in Multiprocessor Systems
Understanding Interconnection Networks in Multiprocessor Systems
Evolution of Networking: Embracing Software-Defined Networks
Evolution of Networking: Embracing Software-Defined Networks
Understanding Networks: An Introduction to the World of Connections
Understanding Networks: An Introduction to the World of Connections
Computational Physics (Lecture 18)
Computational Physics (Lecture 18)
Meaningful and inclusive curriculum design conversations
Meaningful and inclusive curriculum design conversations
Understanding Addressing Modes in 8051 Microcontroller
Understanding Addressing Modes in 8051 Microcontroller
Understanding Computer Communication Networks at Anjuman College
Understanding Computer Communication Networks at Anjuman College
Evolution of Neural Networks through Neuroevolution by Ken Stanley
Evolution of Neural Networks through Neuroevolution by Ken Stanley
Evolution of Customer Roles in Sustainable Business Development
Evolution of Customer Roles in Sustainable Business Development
Master Programmes in Artificial Intelligence for Human-Centric AI Careers
Master Programmes in Artificial Intelligence for Human-Centric AI Careers
Enhancing Industrial Heritage Through Customer-Centric Service Design
Enhancing Industrial Heritage Through Customer-Centric Service Design
User-Centric Parameters for Call Handling in Cellular Mobile Voice Service
User-Centric Parameters for Call Handling in Cellular Mobile Voice Service
Influence of Personal Demographic and Institutional Variables on Venture Creation in Small Technology-Oriented Ventures
Influence of Personal Demographic and Institutional Variables on Venture Creation in Small Technology-Oriented Ventures
Evolution of Data Center Networks Towards Scalable and Seamless Connectivity
Evolution of Data Center Networks Towards Scalable and Seamless Connectivity
Student-Centric Outcome-Based Education
Student-Centric Outcome-Based Education
Success Stories: Empowering People-Centric IT in Various Industries
Success Stories: Empowering People-Centric IT in Various Industries
Understanding Networking Principles and Routing Algorithms in Distributed Systems
Understanding Networking Principles and Routing Algorithms in Distributed Systems
Understanding IP Addressing and Routing in Networking
Understanding IP Addressing and Routing in Networking
Understanding Graph Theory and Networks: Concepts and Applications
Understanding Graph Theory and Networks: Concepts and Applications
Evolution and Potential of 5G Technology
Evolution and Potential of 5G Technology
Exploring Samsung SmartThings Hub and Zigbee/Zwave Networks
Exploring Samsung SmartThings Hub and Zigbee/Zwave Networks
Parallel Prefix Networks in Divide-and-Conquer Algorithms
Parallel Prefix Networks in Divide-and-Conquer Algorithms