Lecure 2: Slides
Download
Report
Transcript Lecure 2: Slides
www.psirp.org
Lecture 2:
Evolutionary and
Revolutionary Approaches
D.Sc. Arto Karila
Helsinki Institute for Information Technology (HIIT)
[email protected]
25/1/2010
T-110.6120 – Special Course on Data Communications Software: Publish/Subscribe Internetworking
1
Contents
1.
2.
3.
Evolutionary approaches
Some more revolutionary approaches
Networking Named Content –
Van Jacobson’s CCN project
(Content-Centric Networking)
25/1/2010
2
Evolutionary Approaches
1.
2.
3.
4.
5.
6.
IPv6
IPSEC
Mobile IP
HIP
DiffServ
DHT
25/1/2010
3
IPv6
IPv6
was born in 1995 after long work
There are over 30 IPv6-related RFCs
The claimed improvements in IPv6 are:
25/1/2010
Large 128-bit address space
Stateless address auto-configuration
Multicast support
Mandatory network layer security (IPSEC)
Simplified header processing by routers
Efficient mobility (no triangular routing)
Extensibility (extension headers)
Jumbo packets (up to 4 GB)
4
IPv6
Major
operating systems and many ISPs
support IPv6
The use of IPv6 is slowly increasing in
Europe and North America but more
rapidly in Asia
In China, CERNET 2 runs IPv6,
interconnecting 25 points of presence in
20 cities with 2.5 and 10 Gbps links
IPv6 really only solves the exhaustion of
Internet address space
25/1/2010
5
IPSEC
IPSEC
is the IP-layer security solution of
the Internet to be used with IPv4 and IPv6
Authentication Header (AH) only protects
the integrity of an IP packet
Encapsulating Security Payload (ESP)
also ensures confidentiality of the data
IPSEC works within a Security Association
(SA) set up between two IP addresses
ISAKMP (Internet Security Association and
Key Management Protocol) is a very
complicated framework for SA mgmt
25/1/2010
6
Encapsulating Security
Payload (IPv4)
Original IPv4 Header
Security Parameter Index (SPI)
Sequence Number
Coverage of
Authentication
UDP/TCP Header
Coverage of
Confidentiality
ESP
Payload
Data
Padding
Pad Len
Next Hdr
Authentication Data
25/1/2010
ESP
Header
ESP
Trailer
7
Encapsulating Security
Payload (IPv6)
Original IPv6 Header
Hop-by-Hop Extensions
Security Parameter Index (SPI)
Sequence Number
Coverage of
Authentication
End-to-End Extensions
UDP/TCP Header
Coverage of
Confidentiality
ESP
Payload
Data
Padding
Authentication Data
25/1/2010
ESP
Header
ESP
Trailer
8
Mobile IPv4
Basic
concepts:
Mobile Node (MN)
Correspondent Node (CN)
Home Agent (HA)
Foreign Agent (FA)
Care-of-Address (CoA)
Problems:
Firewalls and ingress filtering
Triangular routing
25/1/2010
9
Mobility Example:Mobile IP
Triangular Routing
Ingress filtering causes problems for IPv4
(home address as source), IPv6 uses CoA
so not a problem . Solutions:
Correspondent
(reverse tunnelling) or
Host
route optimization
Foreign agent left
out of MIPv6. No special
support needed with
IPv6 autoconfiguration
DELAY!
Foreign Agent
Home Agent
Care-of-Address (CoA)
Mobile Host
25/1/2010
Source: Professor Sasu Tarkoma
10
Ingress Filtering
Packet from mobile host is deemed "topologically
incorrect“ (as in source address spoofing)
Correspondent Host
Home Agent
With ingress filtering, routers drop source addresses that are
not consistent with the observed source of the packet
25/1/2010
Source: Professor Sasu Tarkoma
11
Reverse Tunnelling
Correspondent
Host
Firewalls and ingress
filtering no longer a problem
Two-way tunneling leads to
overhead and increased
congestion
DELAY!
Router
Home Agent
Mobile Host
25/1/2010
Care-of-Address (CoA)
Source: Professor Sasu Tarkoma
12
Mobile IPv6 Route Optimization
CH sends
packets using routing header
Correspondent
Host
Secure tunnel (ESP)
Home Agent
First, a Return Routability test
to CH. CH sends home test and CoA
test packets. When MH receives both,
It sends the BU with the Kbm key.
Router
MH sends a binding update to CH
when it receives a tunnelled packet.
Mobile Host
25/1/2010
Source: Professor Sasu Tarkoma
13
Differences btw MIPv6 and MIPv4
In MIPv6 no FA is needed
(no infrastructure change)
Address auto-configuration helps in acquiring CoA
MH uses CoA as the source address in foreign
link, so no problems with ingress filtering
Option headers and neighbor discovery of IPv6
protocol are used to perform mobility functions
128-bit IP addresses help deployment of mobile
IP in large environments
Route optimization is supported by header options
25/1/2010
Source: Professor Sasu Tarkoma
14
Extension Headers
CN to MN
MN to CN
MH
Upper Layer
headers
Data
Mobility Header
MH Type in Mobility Header: Binding Update,
Binding Ack, Binding Err, Binding refresh
MN, HA, and CN for Binding
Source: Chittaranjan Hota, Computer Networks II lecture 22.10.2007
25/1/2010
15
HIP
Host
Identity Protocol (HIP, RFC4423)
defines a new global Internet name space
The Host Identity name space decouples
the name and locator roles, both of which
are currently served by IP addresses
The transport layer now operates on Host
Identities instead of IP addresses
The network layer uses IP addresses as
pure locators (not as names or identifiers)
25/1/2010
16
HIP Architecture
25/1/2010
17
HIP
HIs
are self-certifying (public keys)
HIP is a fairly simple technique based on
IPSEC ESP and HITs (128-bit HI hashes)
It addresses several major issues:
Security
Mobility
Multi-homing
IPv4/IPv6 interoperation
HIP
is ready for large-scale deployment
See http://infrahip.hiit.fi for more info
25/1/2010
18
Base exchange
• Based on the SIGMA family of key exchange protocols
Source: Dr. Pekka Nikander
Select precomputed R1. Prevent DoS.
Minimal state kept at responder!
Does notstandard
protect against
replay Diffieattacks.
authenticated
Initiator
solve
puzzle
Responder
Hellman key exchange for
session key generation
I1
HIT , HIT or NULL
R1
HIT , [HIT , puzzle, DH , HI ]
I2
[HIT , HIT , solution, DH ,{HI }]
R2
I
R
I
R
I
R
R
R sig
I
I sig
[HIT , HIT , authenticator]
I
R
sig
verify,
authenticate,
replay protection
User data messages
ESP protected TCP/UDP, no explicit HIP header
25/1/2010
19
HIP Mobility
Mobility
25/1/2010
is easy – retaining the SA for ESP
20
HIP in Combining IPv4 and IPv6
An
early demo seen at L.M. Ericsson
Finland (source: Petri Jokela, LMF)
IPv4
access
network
WWW Proxy
HIP CN
Internet
HIP MN
IPv6
access
network
25/1/2010
Music Server
21
DiffServ
Differentiated Services (DiffServ, RFC 2474)
redefines the ToS octet of the IPv4 packet or
Traffic Class octet of IPv6 as DS
The first 6 bits of the DS field are used as
Differentiated Services Code Point (DSCP)
defining the Per-Hop Behavior of the packet
DiffServ is stateless (like IP) and scales
Service Profiles can be defined by ISP for
customers and by transit providers for ISPs
DiffServ is very easily deployable and could
enable well working VoIP and real-time video
Unfortunately, it is not used between operators
25/1/2010
22
Distributed Hash Table (DHT)
Distributed Hash Table (DHT) is a service for
storing and retrieving key-value pairs
There is a large number of peer machines
Single machines leaving or joining the network
have little effect on its operation
DHTs can be used to build e.g. databases (new
DNS), or content delivery systems
BitTorrent is using a DHT
The real scalability of DHT is still unproven
All of the participating hosts need to be trusted
(at least to some extent)
25/1/2010
23
DHT
The
principle of Distribute Hash Table
(source: Wikipedia)
25/1/2010
24
Contents
1.
2.
3.
Evolutionary approaches
Some more revolutionary approaches
Networking Named Content –
Van Jacobson’s CCN project
(Content-Centric Networking)
25/1/2010
25
Some More Revolutionary
Approaches
1.
ROFL
M. Caesar, T. Condie, J. Kannan, K. Lakshminarayanan,
I. Stoica, and S.Shenker,
ROFL: Routing on Flat Labels,
In ACM SIGCOMM, Sep. 2006, pp. 363–374
2.
DONA
T. Koponen, M. Chawla, B.-G. Chun, A. Ermolinskiy,
K. H. Kim, S. Shenker, and I. Stoica,
A Data-Oriented (and Beyond) Network Architecture,
In SIGCOMM ’07: Proceedings of the 2007 conference
on Applications, technologies, architectures, and
protocols for computer communications,
New York, NY, USA, 2007, pp. 181-192
25/1/2010
26
ROFL
ROFL
routes directly on host identities,
leaving aside the locations of the hosts
Self-certifying identifiers (tied to public keys)
Create a network layer with no locations
Advantages:
No new infrastructure (no name resolution)
Packet delivery only depends on the data path
Simpler allocation of identifiers
(just need to ensure uniqueness)
Access control based on identifiers
25/1/2010
27
ROFL
Three classes of hosts:
Routers
Stable hosts
Ephemeral hosts
Each ID is resident to its Hosting Router (the
host’s first-hop router)
The hosts form a two-way ring – each with
pointers to its successor and predecessor
There can be shorter routes cached
An OSPF-like routing protocol (with network map)
is assumed for recovering from routing failures
Global ROFL-ring for inter-domain routing
25/1/2010
28
DONA
DONA
replaces the hierarchical DNS
namespace with a cryptographic, selfcertifying namespace for naming data
This enables totally distributed
namespace control
The namespace is not totally flat but
consists of two parts: the principal’s
identifier and a label
This two-tier hierarchy helps make DONA
scalable
Clean-slate naming and name resolution
25/1/2010
29
DONA
Strict
separation between
naming (persistence and authenticity) and
name resolution (availability)
Each principal has a public-key pair
Each datum (or any other named entity) is
associated with a principal
Names of the form P:L (Principal:Label),
where P is a cryptographic has os the
principal’s public key and L is a locally
unique label
Name resolution by Resolution Handlers,
primitives: FIND(P:L), REGISTER(P:L)
25/1/2010
30
Contents
1.
2.
3.
Evolutionary approaches
Some more revolutionary approaches
Networking Named Content –
Van Jacobson’s CCN project
(Content-Centric Networking)
25/1/2010
31
Networking Named Content
Based
on and pictures borrowed from:
Jacobson, V.; Smetters, D. K.; Thornton,
J. D.; Plass, M. F.; Briggs, N.; Braynard,
R. Networking named content.
Proceedings of the 5th ACM International
Conference on Emerging Networking
Experiments and Technologies (CoNEXT
2009); 2009 December 1-4; Rome, Italy.
NY: ACM; 2009; 1-12.
25/1/2010
32
Host-Centric Networking
In
1960’s and 1970’s – resource sharing
Computers, disk drives, tape drives,
printers etc. needed to be shared
This lead into a communication model with
two machines – one using and one
providing resources over the network
IP packets with source and destination
Most of the traffic is TCP connections
25/1/2010
33
Content-Centric Networking (CCN)
2009 alone 500 exabytes (5 x 1020 B)
of content created (source: RFC 5401)
Users are interested in what content –
not where it is
CCN – a communication architecture
built on named data
“Address” names content – not location
Preserve the design decisions that make
TCP/IP simple, robust and scalable
In
25/1/2010
34
TCP/IP and CCN Protocol Stacks
From
IP to chunks of named content
Only layer 3 requires universal agreement
25/1/2010
35
Interest and Data packets
There
are two types of CCN packets:
Interest packets
Data packets
25/1/2010
36
CCN Node Model
There
are two types of CCN packets:
Interest packets
Data packets
Consumer
broadcasts its Interest over all
available connectivity
Data is transmitted only in response to and
Interest and consumes that Interest
Data satisfies an Interest if ContentName
in the Interest is a prefix of that in the Data
25/1/2010
37
CCN Node Model
Hierarchical
name space (cmp w/ URI)
When a packet arrives on a face a
longest-match lookup is made
Forwarding engine with 3 data structures:
Forwarding Information Base (FIB)
Content Store (buffer memory)
Pending Interest Table (PIT)
25/1/2010
38
CCN Node Model
allows a list of outgoing interfaces –
multiple sources of data
Content Store w/ LRU or LFU replacement
PIT keeps track of Interest forwarded upstream => Data can be sent downstream
Interest packets are routed upstream –
Data packets follow the same path down
Each PIT entry is a “bread crumb” marking
the path and is erased after it’s been used
FIB
25/1/2010
39
CCN Forwarding Engine
25/1/2010
40
CCN Node Model
When an Interest packet arrives, longest-match
lookup is done on its ContentName
ContentStore match is preferred over a PIT
match, preferred over a FIB match
Matching Data packet in ContentStore => send it out
on the Interest arrival face
Else, if there is an exact-match PIT entry => add the
arrival face to the PIT entry’s list
Else, if there is a matching FIB entry =>
send the Interest up-stream towards the data
Else => discard the Interest packet
25/1/2010
41
CCN Transport
CCN
transport is designed to operate on
unreliable packet delivery services
Senders are stateless
Receivers keep track of unsatisfied
Interests and ask again after a time-out
The receiver’s strategy layer is responsible
for retransmission, selecting faces, limiting
the number of unsatisfied Interests, priority
One Interest retrieves at most one Data
packet => flow balance
25/1/2010
42
Reliability and Flow Control
Flow
balance allows for efficient
communication between machines with
highly different speeds
It is possible to overlap data and requests
In CCN, all communication is local and
flow balance is maintained over each hop
This leads into end-to-end flow control
without any end-to-end mechanisms
25/1/2010
43
Naming
CCN
is based on hierarchical, aggregatable
names at least partly meaningful to humans
The name notation used is like URI
25/1/2010
44
Naming and Sequencing
An
Interest can specify the content exactly
Content names can contain automatically
generated endings used like sequence #s
The last part of the name is incremented for
the next chunk (e.g. a video frame)
The names form a tree which is traversed in
preorder
In this way, the receiver can ask for the
next Data packet in his Interest packet
25/1/2010
45
Intra-Domain Routing
Like
IPv4 and IPv6 addresses, CCN
ContentNames are aggregateable and
routed based on longest match
However, ContentNames are of varying
length and longer than IP addresses
The TLV (Type Label Value) of OSPF or
IS-IS can distribute CCN content prefixes
Therefore, CCN Interest/Data forwarding
can be built on existing infrastructure
without any modification to the routers
25/1/2010
46
Intra-Domain Routing
An
25/1/2010
example of intra-domain routing
47
Inter-Domain Routing
The
current BGP version has the equivalent
of the IGP TLV mechanism
Through this mechanism, it is possible to
learn which domains serve Interests in
some prefix and what is the closest CCNcapable domain on the paths towards those
domains
Therefore, it is possible to deploy CCN in
the existing BGP infrastructure
25/1/2010
48
Content-Based Security
In
CCN, the content itself (rather than its
path) is protected
One can retrieve the content from the
closest source and validate it
All content is digitally signed
Signed info includes hash of the public key
used for signing
We still need some kind of a Public Key
Infrastructure (PKI)
25/1/2010
49
Trust Establishment
Associating
25/1/2010
name spaces with public keys
50
Evaluation
The
CCN architecture described has been
implemented and evaluated
Voice over CCN and Content Distribution
were tested with small networks
The results are interesting but don’t really
tell us anything about the scalability of the
design
25/1/2010
51
Voice over CCN
Secure Voice over CCN was implemented using
Linphone 3.0 and its performance evaluated
Caller encodes SIP INVITE as CCN name and
sends it as an interest
On receipt of the INVITE, the callee generates a
signed Data packet with the INVITE name as its
name and the SIP response as its payload
From the SIP messages, the parties derive
paired name prefixes under which they write
RTP packets
There is a separate paper on Voice over CCN
25/1/2010
52
Voice over CCN –
Automatic Failover
25/1/2010
53
Content Distribution
25/1/2010
54
Throughput
25/1/2010
55
Comparing CCN and HTTP
25/1/2010
56
Comparing CCN and HTTPS
25/1/2010
57
Merits of CCN
Very
understandable scheme
Shown to work also with streamed media
Clever reuse of existing mechanisms
Easy to implement based on current
routing software
Easy to deploy on existing routing
protocols and IP networks
Easy, human-readable naming scheme
25/1/2010
58
Concerns about CCN
The simple hierarchical (URI-like)
naming scheme is also a limitation
Will CCN scale to billions of nodes?
Flooding (send out through all available faces)
Flow balance – an Interest for every Data
How large can the FIB grow (soft state)?
Data takes the same (possibly non-optimal) path as
Interest
Are the performance measurements made with
only a couple of hosts convincing?
Security architecture looks very conventional
25/1/2010
59
Thank you for your attention!
Questions? Comments?
25/1/2010
60