1 XIA: Network Deployments Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Peter Steenkiste, Hui Zhang.


1 XIA: Network Deployments
Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Peter Steenkiste, Hui Zhang, Carnegie Mellon University
Aditya Akella, University of Wisconsin
John Byers, Boston University
FIA PI Meeting, March 2013, Salt Lake City

2 Today’s Internet
[Figure labels: Web Server; Dest: Server ID; Src: Client ID]
Problem: Network does not know what user wants!

3 Today’s Internet
[Figure: diagram with nodes labelled S]

4 XIA Vision
We envision a future Internet that:
Is trustworthy
– Security broadly defined is a compelling research challenge
Supports long-term evolution of usage models
– Including host-host, content retrieval, services, …
Supports long-term technology evolution
– Not just for link technologies, but also for storage and computing capabilities in the network and end-points
Provides benefits for a multiplicity of stakeholders
– Despite differences in roles, goals and incentives

5 XIA Pillars
Principal types
Fallback
Intrinsic Security
Support multiple communication types (heterogeneity)
Support future communication types (evolution)
Allow using new communication types at any point (incremental deployment)

6 XIA Design: Expressiveness
Principal Types
– Defines the format of the address
– And its semantics, including security semantics
– And what the address means
– And what processing can be done
– Key: Much more intentful than today’s addresses.
Use ours: Host. Service. Content. 4ID. AD.
Or, {roll your own}

7 XIA Design: Intrinsic Security
XIA uses self-certifying identifiers that guarantee security properties for communication operation
– Host ID is a hash of the host’s public key – accountability
– Content ID is a hash of the content – correctness
– Does not rely on external configurations
Intrinsic security is specific to the principal type
Example: retrieve content using …
– Content XID: content is verifiably/unspoofably correct
– Service XID: the correct ASP provided the service
– Host XID: content was delivered from intended host

8 Principal Types
Intrinsically secure IDs
Current Internet: IP address 128.2.10.162
XIA: principal type plus type-specific identifier
– Host 0xF63C7A4…: hash of host’s public key
– Service 0x8A37037…: hash of service’s public key
– Content 0x47BF217…: hash of content
– Future…

9 XIA Design: Deployability
Fallback addressing
– Allows you to use tomorrow’s principal type today
– “If I can’t go directly to X, use Y...”
Example 1:
– Ultimate intent: retrieve CONTENT (CID)
– Fallback: contact HOST (HID)
Example 2:
– Next hop not XIA-capable? Use (4ID) in address: fallback to IPv4 encapsulation: contact IPv4(HID)
Admits incremental deployment
– Not just of new ID types within XIA, but of XIA itself.
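
Added example (not from the slides or the XIA prototype): a sketch of the CID-then-HID fallback from slide 9 combined with the self-certifying checks from slide 7, so the receiver accepts content only if it hashes to the requested CID and, on the host fallback, only from a peer whose key hashes to the HID. The hash function (SHA-256), the ordered-list address form, and all names and sample bytes are assumptions; a real stack would also have the peer prove possession of the private key.

```python
import hashlib

def xid(data: bytes) -> str:
    # Self-certifying ID: hash of the bytes it names (SHA-256 is an assumption).
    return hashlib.sha256(data).hexdigest()

def next_hop(address, routes):
    # Address is an ordered list: intent first, fallbacks after it.
    for principal in address:
        if principal in routes:
            return principal
    return None

def fetch(address, routes, nodes):
    """Forward on the first routable principal, then check the reply intrinsically."""
    ids = dict(address)
    hop = next_hop(address, routes)
    if hop is None:
        raise LookupError("no principal in the address is routable here")
    pubkey, chunks = nodes[routes[hop]]
    # Host principal: the key the peer presents must hash to the HID we asked for.
    if hop[0] == "HID" and xid(pubkey) != ids["HID"]:
        raise ValueError("peer key does not match HID")
    data = chunks.get(ids["CID"], b"")
    # Content principal: bytes must hash to the CID, whoever served them.
    if xid(data) != ids["CID"]:
        raise ValueError("content does not match CID")
    return hop[0], data

# Constructed sample data (hypothetical, not from the slides).
VIDEO = b"constructed video chunk"
HOST_KEY = b"constructed origin public key"
CID, HID = xid(VIDEO), xid(HOST_KEY)
ADDRESS = [("CID", CID), ("HID", HID)]  # intent: content; fallback: host

ORIGIN = (HOST_KEY, {CID: VIDEO})
CACHE = (b"constructed cache key", {CID: VIDEO})
BAD_CACHE = (b"constructed cache key", {CID: b"tampered bytes"})
IMPOSTOR = (b"some other key", {CID: VIDEO})

if __name__ == "__main__":
    # A router with a CID route serves from an on-path cache.
    print(fetch(ADDRESS, {("CID", CID): "cache"}, {"cache": CACHE})[0])
    # A router without CID support falls back to the host principal.
    print(fetch(ADDRESS, {("HID", HID): "origin"}, {"origin": ORIGIN})[0])
```

The cache needs no trusted key of its own: its reply is accepted or rejected purely on whether the bytes hash to the CID.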

10 Example: Secure Video Playback
[Figure labels: AD 0xF00000; NYT server; Host 0xF63C7A4; Service 0xDE44444; AD 0xF000000; 4ID 5.11.2.14; XIA Name Resolution Service; register]
nyt.com maps to: Service 0xDE44444; AD 0xF000000; Host 0xF63C7A4; 4ID 5.11.2.14; "or"

11 Secure Video Playback
[Figure labels: S; AD 0xF00000; NYT server; NYT replica; XIA Name Resolution Service; nyt.com?; Service 0xDE44444; AD 0xF000000; Host 0xF63C7A4; 4ID 5.11.2.14; "or"; CID, signed by 0xDE44444]

12 Secure Video Playback
[Figure labels: S; AD 0xF00000; NYT server; NYT replica; sequence of CIDs]

13 XIA top-down view
What does an XIA network look like to various stakeholders?
Who benefits from new features and why?
Who bears the costs of deployment?
Stakeholders we consider (not exhaustive):
– Network operators: from testbeds to ISPs
– Application providers / service providers
– Application developers
– End-users

14 Benefits to Network Operators
Increased potential for value-added services (without resorting to deep-packet inspection)
– Simpler middlebox deployment
– On-path caching or route redirection
– Principal types aligned with economic incentives
Risk mitigation via incremental deployment
More choice regarding trust domains
– SCION route control

15 Benefits to Service Providers
Added expressivity: customizable principals
– Built-in support for binding, scoping, mobility.
– Intrinsic security guarantees. Access control, accounting, accountability, counter-measures for DoS
Making use of in-network optimizations furnished by network operators.
Similar benefits accrue to application developers.

16 Benefits to End-Users
Increased choice and flexibility regarding intent:
– Choice of XID principal type, i.e. how a given communication operation is performed
– Rich address formats add flexibility: fallback, services.
– SCION offers control via edge-directed routing
Support for mobile users
Trickle-down benefits derived from better apps.
Intrinsic security:
– Qualitative benefits of security guarantees are a central focus of our user studies.

17 Costs of Deployment
New XIA protocol stack network-wide
– Prototype status update next slide
– Incremental deployment possible, advisable.
Management and processing overhead
– Packet processing; flat address space
– Tracking revisions for multiple principal types
– Implications for switches, interconnect, H/W.
Additional opportunities present added complexity, new optimization problems.

18 XIP Prototype Implementation
Open source prototype released May 2012
[Figure: protocol stack with callouts]
Stack components: Datalink; XIP; XDP, XSP, XChunkP; Cache, Chunking; Xsockets; Applications; XHCP, XCMP, ARP, BIND, Routing
Callouts:
– Wireshark
– XIA ICMP, ARP
– Basic inter-domain routing, XIA DHCP
– POSIX style sockets for datagrams, streaming; supports HID and SID
– Chunk, CID support; caching
– Name Resolution

19 Extra slides, possible candidate slides follow

20 Planned Prototype Enhancements
Prototype is available on GitHub
– Latest release includes support for 4ID
Near term: IP application porting help, better transport protocols, permanent XIP network
Next: mobility support, expanded support for intrinsic security and accountability
Later: SCION integration, more services and applications

21 Path Selection in SCION Architecture Overview
Source/destination can choose among up/down hill paths
Path control shared between ISPs, receivers, senders
Desirable security properties:
– High availability, even in presence of malicious parties
– Explicit trust for operations
– Minimal TCB: limit number of entities that must be trusted
– No single root of trust
– Simplicity, efficiency, flexibility, and scalability
[Figure labels: Source; Destination; PCB]

22 XIA Dataplane Concepts
Can be implemented in diverse ways
Can be deployed incrementally, e.g. in subnets
Intrinsic Security
Flexible Addressing
Multiple Communicating Principal Types
Deal with routing “failures”
Built in security forms basis for system level security
Directly support diverse network usage models
Evolution of principal types
Customization
Principal-specific security properties
DAG security

