Lecture 2: Slides

www.psirp.org

Lecture 2: Evolutionary and Revolutionary Approaches
D.Sc. Arto Karila
Helsinki Institute for Information Technology (HIIT)
[email protected]
25/1/2010
T-110.6120 – Special Course on Data Communications Software: Publish/Subscribe Internetworking
Contents
1. Evolutionary approaches
2. Some more revolutionary approaches
3. Networking Named Content – Van Jacobson's CCN project (Content-Centric Networking)
Evolutionary Approaches
1. IPv6
2. IPSEC
3. Mobile IP
4. HIP
5. DiffServ
6. DHT
IPv6
• IPv6 was born in 1995 after long work
• There are over 30 IPv6-related RFCs
• The claimed improvements in IPv6 are:
  - Large 128-bit address space
  - Stateless address auto-configuration
  - Multicast support
  - Mandatory network layer security (IPSEC)
  - Simplified header processing by routers
  - Efficient mobility (no triangular routing)
  - Extensibility (extension headers)
  - Jumbo packets (up to 4 GB)
IPv6
• Major operating systems and many ISPs support IPv6
• The use of IPv6 is slowly increasing in Europe and North America but more rapidly in Asia
• In China, CERNET 2 runs IPv6, interconnecting 25 points of presence in 20 cities with 2.5 and 10 Gbps links
• IPv6 really only solves the exhaustion of Internet address space
IPSEC
• IPSEC is the IP-layer security solution of the Internet, to be used with both IPv4 and IPv6
• Authentication Header (AH) only protects the integrity and origin of an IP packet; its check also covers the immutable fields of the outer IP header, which is why AH does not survive NAT
• Encapsulating Security Payload (ESP) also ensures confidentiality of the data
• IPSEC works within a Security Association (SA) set up between two IP addresses; the SA is selected by the SPI carried in each packet
• ISAKMP (Internet Security Association and Key Management Protocol) is a very complicated framework for SA management
Encapsulating Security Payload (IPv4)
(figure: ESP in transport mode, reconstructed as a table)

Field                                      | Coverage of authentication | Coverage of confidentiality
-------------------------------------------+----------------------------+----------------------------
Original IPv4 Header                       | no                         | no
ESP Header: Security Parameter Index (SPI) | yes                        | no
ESP Header: Sequence Number                | yes                        | no
UDP/TCP Header                             | yes                        | yes
Payload Data                               | yes                        | yes
ESP Trailer: Padding                       | yes                        | yes
ESP Trailer: Pad Len                       | yes                        | yes
ESP Trailer: Next Hdr                      | yes                        | yes
Authentication Data                        | no                         | no
Encapsulating Security Payload (IPv6)
(figure: ESP in transport mode, reconstructed as a table)

Field                                      | Coverage of authentication | Coverage of confidentiality
-------------------------------------------+----------------------------+----------------------------
Original IPv6 Header                       | no                         | no
Hop-by-Hop Extensions                      | no                         | no
ESP Header: Security Parameter Index (SPI) | yes                        | no
ESP Header: Sequence Number                | yes                        | no
End-to-End Extensions                      | yes                        | yes
UDP/TCP Header                             | yes                        | yes
Payload Data                               | yes                        | yes
ESP Trailer: Padding                       | yes                        | yes
ESP Trailer: Pad Len                       | yes                        | yes
ESP Trailer: Next Hdr                      | yes                        | yes
Authentication Data                        | no                         | no
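To make the two coverage regions in the ESP figures concrete, here is an added example (not from the lecture, and not code from any IPsec implementation) that frames and parses an ESP packet. NULL encryption (RFC 2410) is assumed so every field stays readable; the integrity check is HMAC-SHA-256-128 (RFC 4868) over SPI through Next Header, padding and alignment follow RFC 4303, and the receiver applies the RFC 4303 anti-replay window to the sequence number. The key and payload are constructed test values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868): the HMAC tag truncated to 128 bits
ESP_HDR = struct.Struct("!II")  # SPI, Sequence Number


def build_esp(spi, seq, next_hdr, payload, auth_key):
    """Frame payload as SPI | Seq | Payload | Padding | Pad Len | Next Hdr | ICV.

    NULL encryption (RFC 2410) is assumed, so the bytes stay readable; with a
    real cipher everything from Payload through Next Hdr would be ciphertext
    (the confidentiality coverage), while the ICV covers SPI through Next Hdr.
    """
    # Pad so that Pad Len and Next Hdr are right-aligned in a 4-byte word
    # (RFC 4303 2.4); default padding bytes are the sequence 1, 2, 3, ...
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    authenticated = ESP_HDR.pack(spi, seq) + payload + padding + bytes([pad_len, next_hdr])
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


class ReplayWindow:
    """RFC 4303 anti-replay sliding window (bit i set => seq top-i was seen)."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:  # sequence number 0 is never transmitted
            return False
        if seq > self.top:  # advances the window; never a replay
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False  # fell behind the window, or already seen
        self.bitmap |= 1 << diff
        return True


def parse_esp(packet, auth_key, window=None):
    """Verify the ICV (and optionally the replay window) and split the packet.

    Returns the fields plus the byte ranges of the two coverages. Raises
    ValueError on any failure; nothing is interpreted before the ICV check.
    """
    if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong SA key")
    spi, seq = ESP_HDR.unpack_from(authenticated)
    if window is not None and not window.accept(seq):
        raise ValueError("sequence number %d replayed or outside the window" % seq)
    pad_len, next_hdr = authenticated[-2], authenticated[-1]
    body = authenticated[ESP_HDR.size:-2]
    if pad_len > len(body):
        raise ValueError("pad length exceeds payload")
    payload, padding = body[:len(body) - pad_len], body[len(body) - pad_len:]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the default pattern")
    return {
        "spi": spi, "seq": seq, "next_hdr": next_hdr, "payload": payload,
        "auth_coverage": (0, len(authenticated)),             # SPI .. Next Hdr
        "conf_coverage": (ESP_HDR.size, len(authenticated)),  # Payload .. Next Hdr
    }


if __name__ == "__main__":
    key = bytes(range(32))  # constructed SA authentication key
    pkt = build_esp(0x1001, 1, 17, b"hello", key)
    print(parse_esp(pkt, key, ReplayWindow()))
```

Note the order in parse_esp: the ICV is checked before the sequence number, padding or payload are looked at, so a forged packet can only cost the receiver one HMAC computation. A real receiver would look up the SA by the SPI first to find the key, then do exactly the same check.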
Mobile IPv4
• Basic concepts:
  - Mobile Node (MN)
  - Correspondent Node (CN)
  - Home Agent (HA)
  - Foreign Agent (FA)
  - Care-of-Address (CoA)
• Problems:
  - Firewalls and ingress filtering
  - Triangular routing
Mobility Example: Mobile IP
(figure; source: Professor Sasu Tarkoma)
Triangular routing: packets from the Correspondent Host go to the Home Agent, which forwards them to the Foreign Agent and on to the Mobile Host at its Care-of-Address (CoA) (DELAY!); the Mobile Host replies directly to the Correspondent Host.
Ingress filtering causes problems for IPv4 (home address as source); IPv6 uses the CoA as source, so it is not a problem there. Solutions: reverse tunnelling or route optimization.
Foreign agent left out of MIPv6: no special support needed with IPv6 autoconfiguration.
Ingress Filtering
(figure; source: Professor Sasu Tarkoma)
A packet from the Mobile Host (home address as source, sent from the foreign link) is deemed "topologically incorrect" by the first router, as in source address spoofing, and never reaches the Correspondent Host.
With ingress filtering, routers drop packets whose source addresses are not consistent with the observed source of the packet.
Reverse Tunnelling
(figure; source: Professor Sasu Tarkoma)
The Mobile Host sends its packets from the Care-of-Address (CoA) back through a tunnel to the Home Agent, which forwards them to the Correspondent Host; firewalls and ingress filtering are no longer a problem.
Two-way tunnelling leads to overhead and increased congestion (DELAY!).
Mobile IPv6 Route Optimization
(figure; source: Professor Sasu Tarkoma)
The MH sends a binding update (BU) to the CH when it receives a packet tunnelled by the Home Agent (secure tunnel, ESP).
First, a Return Routability test to the CH: the CH sends home test and CoA test packets. When the MH receives both, it sends the BU authenticated with the Kbm key.
After that, the CH sends packets directly using the routing header.
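The return routability test in the figure, written out as an added example (not from the lecture, and not code from any Mobile IPv6 stack). Message contents follow RFC 3775 section 5.2: HMAC-SHA1 keygen tokens derived from the CN's node key Kcn and a nonce, Kbm = SHA1(home keygen token | care-of keygen token), and a 96-bit BU authenticator. The addresses, the single-nonce handling and the attacker scenario are constructed for the demo.

```python
import hashlib
import hmac
import os


def first(bits, data):
    """First(n, x) of RFC 3775: the leftmost n bits of x."""
    return data[:bits // 8]


class CorrespondentNode:
    """CN side of return routability (RFC 3775 5.2): keeps no per-mobile state."""

    def __init__(self, address):
        self.address = address
        self.kcn = os.urandom(20)   # node key, never leaves the CN
        self.nonce = os.urandom(8)  # refreshed periodically; one nonce/index is modelled
        self.nonce_index = 1

    def _keygen_token(self, addr, kind):
        # kind 0 -> home keygen token, kind 1 -> care-of keygen token
        mac = hmac.new(self.kcn, addr + self.nonce + bytes([kind]), hashlib.sha1).digest()
        return first(64, mac)

    def home_test(self, home_address):
        """HoT: answers a HoTI that arrived through the home agent tunnel."""
        return {"nonce_index": self.nonce_index, "token": self._keygen_token(home_address, 0)}

    def careof_test(self, careof_address):
        """CoT: answers a CoTI that arrived directly from the care-of address."""
        return {"nonce_index": self.nonce_index, "token": self._keygen_token(careof_address, 1)}

    def accept_binding_update(self, home_address, careof_address, bu_data, authenticator):
        """Recompute Kbm from Kcn and the nonce. Only a node reachable at BOTH
        addresses could have learned both tokens and therefore Kbm."""
        kbm = hashlib.sha1(self._keygen_token(home_address, 0)
                           + self._keygen_token(careof_address, 1)).digest()
        expected = first(96, hmac.new(kbm, careof_address + self.address + bu_data,
                                      hashlib.sha1).digest())
        return hmac.compare_digest(expected, authenticator)


def binding_update_authenticator(home_token, careof_token, careof_address, cn_address, bu_data):
    """MN side: Kbm = SHA1(home keygen token | care-of keygen token); the BU then
    carries First(96, HMAC_SHA1(Kbm, care-of address | CN address | BU data))."""
    kbm = hashlib.sha1(home_token + careof_token).digest()
    return first(96, hmac.new(kbm, careof_address + cn_address + bu_data, hashlib.sha1).digest())


def run_return_routability():
    """Returns (legitimate BU accepted, care-of-path-only attacker's BU accepted)."""
    cn_addr = bytes.fromhex("20010db8000000000000000000000001")      # constructed addresses
    home_addr = bytes.fromhex("20010db8000000010000000000000055")
    careof_addr = bytes.fromhex("20010db8000000020000000000000077")
    cn = CorrespondentNode(cn_addr)
    bu_data = b"BU seq=1 lifetime=420"

    # 1. HoTI/CoTI go out in parallel; the HoT comes back through the HA tunnel
    #    (ESP protected), the CoT comes back directly to the CoA. The MN needs both.
    hot = cn.home_test(home_addr)
    cot = cn.careof_test(careof_addr)
    auth = binding_update_authenticator(hot["token"], cot["token"], careof_addr, cn_addr, bu_data)
    legit = cn.accept_binding_update(home_addr, careof_addr, bu_data, auth)

    # 2. An attacker on the care-of path sees the CoT but not the HoT, so it can
    #    only guess the home keygen token when trying to bind the victim's home
    #    address to its own care-of address.
    guessed_home_token = os.urandom(8)
    forged = binding_update_authenticator(guessed_home_token, cot["token"],
                                          careof_addr, cn_addr, bu_data)
    attacker = cn.accept_binding_update(home_addr, careof_addr, bu_data, forged)
    return legit, attacker
```

The point the figure makes is visible in accept_binding_update: the CN stores nothing between HoT/CoT and the BU, it simply recomputes both tokens from Kcn, so the test costs the CN no memory per mobile node, and an attacker who controls only one of the two paths cannot produce Kbm.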
Differences between MIPv6 and MIPv4
• In MIPv6 no FA is needed (no infrastructure change)
• Address auto-configuration helps in acquiring the CoA
• MH uses the CoA as the source address on the foreign link, so no problems with ingress filtering
• Option headers and neighbor discovery of the IPv6 protocol are used to perform mobility functions
• 128-bit IP addresses help deployment of mobile IP in large environments
• Route optimization is supported by header options
Source: Professor Sasu Tarkoma
Extension Headers
(figure; source: Chittaranjan Hota, Computer Networks II lecture 22.10.2007)
The IPv6 Mobility Header (MH) sits between the IPv6 header and the upper-layer headers and data, in both CN-to-MN and MN-to-CN packets.
MH Type in the Mobility Header: Binding Update, Binding Ack, Binding Error, Binding Refresh Request; exchanged between MN, HA and CN for binding management.
HIP
• Host Identity Protocol (HIP, RFC 4423) defines a new global Internet name space
• The Host Identity name space decouples the name and locator roles, both of which are currently served by IP addresses
• The transport layer now operates on Host Identities instead of IP addresses
• The network layer uses IP addresses as pure locators (not as names or identifiers)
HIP Architecture
(figure)
HIP
• HIs are self-certifying (public keys)
• HIP is a fairly simple technique based on IPSEC ESP and HITs (128-bit HI hashes)
• It addresses several major issues:
  - Security
  - Mobility
  - Multi-homing
  - IPv4/IPv6 interoperation
• HIP is ready for large-scale deployment
• See http://infrahip.hiit.fi for more info
Base exchange
• Based on the SIGMA family of key exchange protocols
(figure; source: Dr. Pekka Nikander)

  Initiator                                              Responder
    I1:  HIT_I, HIT_R or NULL                      ------>
                                                   Select precomputed R1. Prevent DoS.
                                                   Minimal state kept at responder!
    R1:  HIT_R, [HIT_I, puzzle, DH_R, HI_R] sig    <------
         (does not protect against replay attacks)
  solve puzzle
    I2:  [HIT_I, HIT_R, solution, DH_I, {HI_I}] sig ------>
                                                   verify, authenticate,
                                                   replay protection
    R2:  [HIT_I, HIT_R, authenticator] sig         <------

  Standard authenticated Diffie-Hellman key exchange for session key generation.
  User data messages: ESP protected TCP/UDP, no explicit HIP header.
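The four messages above, as an added example (not from the lecture, and not code from any HIP implementation). It keeps the parts the figure annotates: a precomputed R1 for which the responder stores nothing, a puzzle the initiator must solve before the responder does any Diffie-Hellman work, a replay check on I2, a self-certifying HIT that is a hash of the HI, and an R2 authenticator keyed by the session key. Simplifications are assumptions of this demo: a toy Diffie-Hellman group, HIT = truncated SHA-256 of the HI with no ORCHID prefix, the puzzle value I regenerated from a responder secret instead of being remembered, and the HI signatures on R1/I2/R2 left out (so the block shows DoS resistance and key agreement, not peer authentication).

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group (assumption: far too small for real use; HIP uses the
# RFC 3526 MODP groups). P is prime, so exponents may be reduced mod P-1.
P, G = 2**127 - 1, 5
PUZZLE_BITS = 12  # difficulty K: the low K bits of the hash must be zero


def hit_of(hi):
    """HIT = 128-bit hash of the Host Identity (here: the HI's public value)."""
    return hashlib.sha256(b"HI" + hi.to_bytes(16, "big")).digest()[:16]


def puzzle_solved(I, hit_i, hit_r, J, bits=PUZZLE_BITS):
    h = hashlib.sha256(I + hit_i + hit_r + J).digest()
    return int.from_bytes(h[-8:], "big") & ((1 << bits) - 1) == 0


def kdf(shared_secret):
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


class Host:
    def __init__(self):
        self.hi_priv = int.from_bytes(os.urandom(16), "big")  # long-term HI key pair
        self.hi = pow(G, self.hi_priv, P)
        self.hit = hit_of(self.hi)                            # self-certifying name
        self.dh_priv = int.from_bytes(os.urandom(16), "big")  # ephemeral DH value
        self.dh_pub = pow(G, self.dh_priv, P)


class Responder(Host):
    def __init__(self):
        super().__init__()
        self.puzzle_secret = os.urandom(32)  # lets I be regenerated instead of stored
        self.solved = set()                  # the only state: used (HIT_I, J) pairs

    def _puzzle_I(self, hit_i):
        return hmac.new(self.puzzle_secret, hit_i + self.hit, hashlib.sha256).digest()[:8]

    def r1(self, i1):
        """R1 can be precomputed; nothing about this I1 is remembered."""
        return {"hit_r": self.hit, "hit_i": i1["hit_i"], "dh_r": self.dh_pub, "hi_r": self.hi,
                "puzzle": (self._puzzle_I(i1["hit_i"]), PUZZLE_BITS)}

    def r2(self, i2):
        """DH is computed and state created only after I2 proves work was done."""
        hit_i = i2["hit_i"]
        I, J = i2["solution"]
        if I != self._puzzle_I(hit_i) or i2["hit_r"] != self.hit:
            return None  # not a puzzle we issued for this HIT pair
        if not puzzle_solved(I, hit_i, self.hit, J) or (hit_i, J) in self.solved:
            return None  # wrong solution, or a replayed I2
        if hit_of(i2["hi_i"]) != hit_i:
            return None  # the HI does not hash to the claimed HIT
        self.solved.add((hit_i, J))
        self.key = kdf(pow(i2["dh_i"], self.dh_priv, P))
        auth = hmac.new(self.key, hit_i + self.hit, hashlib.sha256).digest()
        return {"hit_i": hit_i, "hit_r": self.hit, "authenticator": auth}


class Initiator(Host):
    def i1(self, hit_r=None):
        return {"hit_i": self.hit, "hit_r": hit_r}  # hit_r None == opportunistic mode

    def i2(self, r1):
        I, k = r1["puzzle"]
        J = 0
        while not puzzle_solved(I, self.hit, r1["hit_r"], J.to_bytes(8, "big"), k):
            J += 1                                  # brute force, about 2^k hashes
        self.key = kdf(pow(r1["dh_r"], self.dh_priv, P))
        return {"hit_i": self.hit, "hit_r": r1["hit_r"], "solution": (I, J.to_bytes(8, "big")),
                "dh_i": self.dh_pub, "hi_i": self.hi}

    def check_r2(self, r2):
        expected = hmac.new(self.key, self.hit + r2["hit_r"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, r2["authenticator"])


def base_exchange(initiator, responder):
    """Run I1/R1/I2/R2; returns the I2 message (for replay tests) and the outcome."""
    r1 = responder.r1(initiator.i1(responder.hit))
    i2 = initiator.i2(r1)
    r2 = responder.r2(i2)
    ok = r2 is not None and initiator.check_r2(r2) and initiator.key == responder.key
    return i2, ok
```

The asymmetry is the thing to notice: answering I1 costs the responder one HMAC, while the initiator pays about 2^K hashes before the responder performs its modular exponentiation, and a resent I2 is refused because its (HIT_I, J) pair has been seen. Raising PUZZLE_BITS under load is how a real responder throttles a flood.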
HIP Mobility
• Mobility is easy – retaining the SA for ESP
HIP in Combining IPv4 and IPv6
• An early demo seen at L.M. Ericsson Finland (source: Petri Jokela, LMF)
(figure elements: IPv4 access network, IPv6 access network, Internet, HIP MN, HIP CN, WWW Proxy, Music Server)
DiffServ
• Differentiated Services (DiffServ, RFC 2474) redefines the ToS octet of the IPv4 packet or the Traffic Class octet of IPv6 as the DS field
• The first 6 bits of the DS field are used as the Differentiated Services Code Point (DSCP) defining the Per-Hop Behavior of the packet
• DiffServ is stateless (like IP) and scales
• Service Profiles can be defined by ISPs for customers and by transit providers for ISPs
• DiffServ is very easily deployable and could enable well working VoIP and real-time video
• Unfortunately, it is not used between operators
Distributed Hash Table (DHT)
• Distributed Hash Table (DHT) is a service for storing and retrieving key-value pairs
• There is a large number of peer machines
• Single machines leaving or joining the network have little effect on its operation
• DHTs can be used to build e.g. databases (new DNS), or content delivery systems
• BitTorrent is using a DHT
• The real scalability of DHT is still unproven
• All of the participating hosts need to be trusted (at least to some extent)
DHT
• The principle of Distributed Hash Table (figure; source: Wikipedia)
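An added example of the DHT principle (not from the lecture or from any DHT implementation): keys and nodes are hashed onto one identifier ring and each key lives at the first node clockwise from it, Chord-style. The placement rule, the use of SHA-1 for the ring, the number of virtual nodes per node, and the comparison against naive modulo placement are all assumptions of this demo. It measures what the slide claims, that a node leaving moves only the keys that node held.

```python
import bisect
import hashlib


def ring_position(label):
    """Map a node name or a key onto the same 160-bit identifier ring."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")


class ConsistentHashRing:
    """Chord-style placement: a key is stored at the first node clockwise from
    its ring position (its successor). Virtual nodes spread the load."""

    def __init__(self, nodes=(), virtual=16):
        self.virtual = virtual
        self._points = []   # sorted ring positions
        self._owner = {}    # ring position -> node name
        for n in nodes:
            self.join(n)

    def join(self, node):
        for v in range(self.virtual):
            pos = ring_position("%s#%d" % (node, v))
            bisect.insort(self._points, pos)
            self._owner[pos] = node

    def leave(self, node):
        for v in range(self.virtual):
            pos = ring_position("%s#%d" % (node, v))
            self._points.remove(pos)
            del self._owner[pos]

    def lookup(self, key):
        if not self._points:
            raise LookupError("empty ring")
        idx = bisect.bisect_right(self._points, ring_position(key))
        return self._owner[self._points[idx % len(self._points)]]  # wrap around at the top


def modulo_lookup(nodes, key):
    """The naive alternative: node = hash(key) mod N."""
    return nodes[ring_position(key) % len(nodes)]


def keys_moved_on_leave(nodes, keys, leaving):
    """Measure how much churn one departure causes under both placements."""
    ring = ConsistentHashRing(nodes)
    before = {k: ring.lookup(k) for k in keys}
    ring.leave(leaving)
    after = {k: ring.lookup(k) for k in keys}
    moved_ring = [k for k in keys if before[k] != after[k]]
    remaining = [n for n in nodes if n != leaving]
    moved_mod = [k for k in keys if modulo_lookup(nodes, k) != modulo_lookup(remaining, k)]
    return {
        "ring": len(moved_ring) / len(keys),
        "modulo": len(moved_mod) / len(keys),
        # on the ring, only keys that lived on the departed node have to move
        "ring_only_from_leaving_node": all(before[k] == leaving for k in moved_ring),
    }


if __name__ == "__main__":
    nodes = ["node-%d" % i for i in range(10)]           # constructed peers
    keys = ["object-%d" % i for i in range(2000)]        # constructed keys
    print(keys_moved_on_leave(nodes, keys, "node-3"))
```

The same lookup rule is what the slide's trust caveat is about: whichever node hashes to a key's position is the one that answers for it, and the lookup itself cannot tell a correct value from one that node made up, so any DHT used for something like DNS needs the stored values to carry their own authenticity (signatures), not just the structure.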
Contents
1. Evolutionary approaches
2. Some more revolutionary approaches
3. Networking Named Content – Van Jacobson's CCN project (Content-Centric Networking)
Some More Revolutionary Approaches
1. ROFL
   M. Caesar, T. Condie, J. Kannan, K. Lakshminarayanan, I. Stoica, and S. Shenker, ROFL: Routing on Flat Labels, In ACM SIGCOMM, Sep. 2006, pp. 363–374
2. DONA
   T. Koponen, M. Chawla, B.-G. Chun, A. Ermolinskiy, K. H. Kim, S. Shenker, and I. Stoica, A Data-Oriented (and Beyond) Network Architecture, In SIGCOMM '07: Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications, New York, NY, USA, 2007, pp. 181–192
ROFL
• ROFL routes directly on host identities, leaving aside the locations of the hosts
• Self-certifying identifiers (tied to public keys)
• Create a network layer with no locations
• Advantages:
  - No new infrastructure (no name resolution)
  - Packet delivery only depends on the data path
  - Simpler allocation of identifiers (just need to ensure uniqueness)
  - Access control based on identifiers
ROFL
• Three classes of hosts:
  - Routers
  - Stable hosts
  - Ephemeral hosts
• Each ID is resident to its Hosting Router (the host's first-hop router)
• The hosts form a two-way ring – each with pointers to its successor and predecessor
• There can be shorter routes cached
• An OSPF-like routing protocol (with network map) is assumed for recovering from routing failures
• Global ROFL-ring for inter-domain routing
DONA
• DONA replaces the hierarchical DNS namespace with a cryptographic, self-certifying namespace for naming data
• This enables totally distributed namespace control
• The namespace is not totally flat but consists of two parts: the principal's identifier and a label
• This two-tier hierarchy helps make DONA scalable
• Clean-slate naming and name resolution
DONA
• Strict separation between naming (persistence and authenticity) and name resolution (availability)
• Each principal has a public-key pair
• Each datum (or any other named entity) is associated with a principal
• Names of the form P:L (Principal:Label), where P is a cryptographic hash of the principal's public key and L is a label unique within that principal
• Because P is the hash of the key, anyone holding the data, the public key and the principal's signature can check the name without consulting the resolver
• Name resolution by Resolution Handlers, primitives: FIND(P:L), REGISTER(P:L)
Contents
1. Evolutionary approaches
2. Some more revolutionary approaches
3. Networking Named Content – Van Jacobson's CCN project (Content-Centric Networking)
Networking Named Content
• Based on, and pictures borrowed from: Jacobson, V.; Smetters, D. K.; Thornton, J. D.; Plass, M. F.; Briggs, N.; Braynard, R. Networking named content. Proceedings of the 5th ACM International Conference on Emerging Networking Experiments and Technologies (CoNEXT 2009), Rome, Italy, December 1-4, 2009. New York: ACM, 2009, pp. 1-12.
Host-Centric Networking
• In the 1960's and 1970's – resource sharing
• Computers, disk drives, tape drives, printers etc. needed to be shared
• This led to a communication model with two machines – one using and one providing resources over the network
• IP packets with source and destination
• Most of the traffic is TCP connections
Content-Centric Networking (CCN)
• In 2009 alone 500 exabytes (5 × 10^20 B) of content created (source: RFC 5401)
• Users are interested in what content – not where it is
• CCN – a communication architecture built on named data
• "Address" names content – not location
• Preserve the design decisions that make TCP/IP simple, robust and scalable
TCP/IP and CCN Protocol Stacks
(figure)
• From IP to chunks of named content
• Only layer 3 requires universal agreement
Interest and Data packets
• There are two types of CCN packets:
  - Interest packets
  - Data packets
CCN Node Model
• There are two types of CCN packets:
  - Interest packets
  - Data packets
• Consumer broadcasts its Interest over all available connectivity
• Data is transmitted only in response to an Interest and consumes that Interest
• Data satisfies an Interest if the ContentName in the Interest is a prefix of that in the Data
CCN Node Model
• Hierarchical name space (compare with URI)
• When a packet arrives on a face a longest-match lookup is made
• Forwarding engine with 3 data structures:
  - Forwarding Information Base (FIB)
  - Content Store (buffer memory)
  - Pending Interest Table (PIT)
CCN Node Model
• FIB allows a list of outgoing interfaces – multiple sources of data
• Content Store w/ LRU or LFU replacement
• PIT keeps track of Interests forwarded upstream => Data can be sent downstream
• Interest packets are routed upstream – Data packets follow the same path down
• Each PIT entry is a "bread crumb" marking the path and is erased after it's been used
CCN Forwarding Engine
(figure)
CCN Node Model
• When an Interest packet arrives, a longest-match lookup is done on its ContentName
• A ContentStore match is preferred over a PIT match, which is preferred over a FIB match:
  - Matching Data packet in ContentStore => send it out on the Interest arrival face
  - Else, if there is an exact-match PIT entry => add the arrival face to the PIT entry's list
  - Else, if there is a matching FIB entry => send the Interest upstream towards the data
  - Else => discard the Interest packet
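The node model of the last few slides as an added example (not from the lecture, and not the PARC CCNx code): one forwarding engine with a Content Store, a PIT and a FIB, applying the matching order above for Interests and the reverse path for Data. Names are tuples of components, packets are plain dicts, and the faces, routes and content in the demo are constructed; how a real node encodes packets or chooses among several FIB faces is outside this block.

```python
from collections import OrderedDict


class CcnNode:
    """Forwarding engine with the three CCN data structures.

    Names are tuples of components, e.g. ("parc", "videos", "WidgetA.mpg", "v3", "s0").
    Each handler returns the list of (face, packet) pairs the node would send.
    """

    def __init__(self, cs_capacity=8):
        self.cs = OrderedDict()       # Content Store: name -> data, kept in LRU order
        self.cs_capacity = cs_capacity
        self.pit = {}                 # Pending Interest Table: name -> set of faces
        self.fib = {}                 # FIB: name prefix -> list of upstream faces

    def add_route(self, prefix, *faces):
        self.fib.setdefault(prefix, []).extend(faces)

    def _fib_longest_match(self, name):
        for n in range(len(name), 0, -1):
            if name[:n] in self.fib:
                return self.fib[name[:n]]
        return None

    def _cs_match(self, name):
        # Data satisfies the Interest if the Interest name is a prefix of the Data name
        for data_name in self.cs:
            if data_name[:len(name)] == name:
                self.cs.move_to_end(data_name)   # LRU touch
                return data_name
        return None

    def on_interest(self, name, face):
        hit = self._cs_match(name)
        if hit is not None:                      # 1. Content Store: answer on the arrival face
            return [(face, {"type": "Data", "name": hit, "data": self.cs[hit]})]
        if name in self.pit:                     # 2. exact PIT match: aggregate, do not forward
            self.pit[name].add(face)
            return []
        upstream = self._fib_longest_match(name)
        if upstream is None:                     # 4. nothing known about this prefix: discard
            return []
        self.pit[name] = {face}                  # 3. FIB match: leave a bread crumb, forward
        return [(f, {"type": "Interest", "name": name}) for f in upstream if f != face]

    def on_data(self, name, data, face):
        out = []
        # Every pending Interest whose name is a prefix of this Data name is satisfied
        for pending in [p for p in self.pit if name[:len(p)] == p]:
            out += [(f, {"type": "Data", "name": name, "data": data})
                    for f in self.pit.pop(pending)]
        if not out:
            return []                            # unsolicited Data: dropped, never cached
        self.cs[name] = data                     # cache for later Interests
        self.cs.move_to_end(name)
        if len(self.cs) > self.cs_capacity:
            self.cs.popitem(last=False)          # evict the least recently used entry
        return out


def demo():
    """Two consumers ask for one chunk; a single upstream fetch serves both and the cache."""
    node = CcnNode()
    node.add_route(("parc", "videos"), "face2")
    name = ("parc", "videos", "WidgetA.mpg", "v3", "s0")
    step1 = node.on_interest(name, "face0")                          # forwarded to face2
    step2 = node.on_interest(name, "face1")                          # aggregated in the PIT
    step3 = node.on_data(name, b"chunk-0", "face2")                  # fans out to face0, face1
    step4 = node.on_interest(name[:3], "face1")                      # prefix hit in the CS
    step5 = node.on_data(("parc", "videos", "other"), b"x", "face2")  # unsolicited: dropped
    step6 = node.on_interest(("xerox", "docs", "a"), "face0")        # no FIB entry: dropped
    return step1, step2, step3, step4, step5, step6
```

Two consequences worth noticing for anyone thinking about abuse: a node only caches what some downstream face actually asked for, so nobody can fill a Content Store simply by pushing Data at it, and the PIT entry is gone once the Data passes, so a second Data packet for the same name goes nowhere. Neither check says anything about whether the Data is genuine; that is what the signature on every Data packet (slide 49) is for, and a node that caches before verifying is still open to serving bad content.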
CCN Transport
• CCN transport is designed to operate on unreliable packet delivery services
• Senders are stateless
• Receivers keep track of unsatisfied Interests and ask again after a time-out
• The receiver's strategy layer is responsible for retransmission, selecting faces, limiting the number of unsatisfied Interests, priority
• One Interest retrieves at most one Data packet => flow balance
Reliability and Flow Control
• Flow balance allows for efficient communication between machines with highly different speeds
• It is possible to overlap data and requests
• In CCN, all communication is local and flow balance is maintained over each hop
• This leads to end-to-end flow control without any end-to-end mechanisms
Naming
• CCN is based on hierarchical, aggregatable names at least partly meaningful to humans
• The name notation used is like URI
Naming and Sequencing
• An Interest can specify the content exactly
• Content names can contain automatically generated endings used like sequence numbers
• The last part of the name is incremented for the next chunk (e.g. a video frame)
• The names form a tree which is traversed in preorder
• In this way, the receiver can ask for the next Data packet in its Interest packet
Intra-Domain Routing
• Like IPv4 and IPv6 addresses, CCN ContentNames are aggregatable and routed based on longest match
• However, ContentNames are of varying length and longer than IP addresses
• The TLV (Type-Length-Value) extension mechanism of OSPF or IS-IS can distribute CCN content prefixes
• Therefore, CCN Interest/Data forwarding can be built on existing infrastructure without any modification to the routers
Intra-Domain Routing
• An example of intra-domain routing (figure)
Inter-Domain Routing
• The current BGP version has the equivalent of the IGP TLV mechanism
• Through this mechanism, it is possible to learn which domains serve Interests in some prefix and what is the closest CCN-capable domain on the paths towards those domains
• Therefore, it is possible to deploy CCN in the existing BGP infrastructure
Content-Based Security
• In CCN, the content itself (rather than its path) is protected
• One can retrieve the content from the closest source and validate it
• All content is digitally signed
• Signed info includes the hash of the public key used for signing
• We still need some kind of a Public Key Infrastructure (PKI)
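An added example (not from the lecture, and not code from DONA or CCNx) covering both the DONA P:L names of slide 30 and the content-based security of this slide, since both rest on the same idea: the principal's identifier is the hash of its public key, every content object carries that key digest and a signature over name plus content, and a receiver can validate the object no matter which cache or peer delivered it. The signature scheme here is a toy Schnorr-style construction over a small prime field, standing in for the RSA/ECDSA keys a real system would use (an assumption of the demo, not secure at this size); the keystore dict stands in for the PKI the slide says is still needed.

```python
import hashlib
import os

# Toy signature group (assumption: a stand-in for real public keys; not secure)
P, G = 2**127 - 1, 5


def _h(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def keygen():
    x = int.from_bytes(os.urandom(16), "big") % (P - 1)
    return x, pow(G, x, P)


def sign(priv, msg):
    k = int.from_bytes(os.urandom(16), "big") % (P - 1)
    r = pow(G, k, P)
    e = _h(r.to_bytes(16, "big"), msg) % (P - 1)
    return e, (k - priv * e) % (P - 1)


def verify(pub, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(pub, e, P) % P          # g^s * y^e == g^k for an honest signer
    return _h(r.to_bytes(16, "big"), msg) % (P - 1) == e


def principal(pub):
    """DONA's P, and CCN's key digest: hash of the principal's public key."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:32]


def make_name(pub, label):
    return "%s:%s" % (principal(pub), label)         # DONA-style P:L


def publish(priv, pub, label, content):
    """Self-certifying content object: name, content, key digest, signature."""
    name = make_name(pub, label)
    return {"name": name, "content": content, "key_digest": principal(pub),
            "signature": sign(priv, name.encode() + content)}


def validate(obj, keystore):
    """Validate a content object fetched from ANY source (cache, peer, CDN).

    keystore maps key digest -> public key. Deciding which digests to trust for
    which name prefixes is the trust-establishment problem of the next slide.
    """
    pub = keystore.get(obj["key_digest"])
    if pub is None or principal(pub) != obj["key_digest"]:
        return False                                 # unknown key, or digest/key mismatch
    p, _, _label = obj["name"].partition(":")
    if p != principal(pub):
        return False                                 # the name's P is not the signing key
    return verify(pub, obj["name"].encode() + obj["content"], obj["signature"])
```

The last check in validate is the one that distinguishes self-certifying names from ordinary signed data: a valid signature under some key is not enough, the key must also be the one the name commits to, otherwise any principal with a trusted key could sign content under another principal's P:L.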
Trust Establishment
• Associating name spaces with public keys
Evaluation
• The CCN architecture described has been implemented and evaluated
• Voice over CCN and Content Distribution were tested with small networks
• The results are interesting but don't really tell us anything about the scalability of the design
Voice over CCN
• Secure Voice over CCN was implemented using Linphone 3.0 and its performance evaluated
• The caller encodes the SIP INVITE as a CCN name and sends it as an Interest
• On receipt of the INVITE, the callee generates a signed Data packet with the INVITE name as its name and the SIP response as its payload
• From the SIP messages, the parties derive paired name prefixes under which they write RTP packets
• There is a separate paper on Voice over CCN
Voice over CCN – Automatic Failover
(figure)

Content Distribution
(figure)

Throughput
(figure)

Comparing CCN and HTTP
(figure)

Comparing CCN and HTTPS
(figure)
Merits of CCN
• Very understandable scheme
• Shown to work also with streamed media
• Clever reuse of existing mechanisms
• Easy to implement based on current routing software
• Easy to deploy on existing routing protocols and IP networks
• Easy, human-readable naming scheme
Concerns about CCN
• The simple hierarchical (URI-like) naming scheme is also a limitation
• Will CCN scale to billions of nodes?
  - Flooding (send out through all available faces)
  - Flow balance – an Interest for every Data
  - How large can the FIB grow (soft state)?
  - Data takes the same (possibly non-optimal) path as the Interest
• Are the performance measurements made with only a couple of hosts convincing?
• Security architecture looks very conventional
Thank you for your attention!
Questions? Comments?