Presentation is loading. Please wait.

Presentation is loading. Please wait.

I3 Update Ion Stoica and many others… UC Berkeley January 10, 2005.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "I3 Update Ion Stoica and many others… UC Berkeley January 10, 2005."— Presentation transcript:

1 i3 Update Ion Stoica and many others… UC Berkeley January 10, 2005

2 Goal Provide seamless network support for basic communication abstractions –Multicast –Anycast –Mobility –Service composition

3 Key Observation Virtually all previous proposals use indirection, e.g., –Physical indirection point  mobile IP –Logical indirection point  IP multicast “Any problem in computer science can be solved by adding a layer of indirection”

4 Our Solution Use an overlay network to implement this layer –Incrementally deployable; don’t need to change IP Build an efficient indirection layer on top of IP IP TCP/UDP Application Indir. layer

5 Internet Indirection Infrastructure (i3) Each packet is associated an identifier id To receive a packet with identifier id, receiver R maintains a trigger ( id, R) into the overlay network Sender idR trigger iddata Receiver (R) iddata R

6 Status First (limited) release: May, 2004 –Run as a service on PlanetLab (check i3.cs.berkeley.edu) Currently used by several research groups in academia and industry: –Helsinki Institute for Information Technology (HIIT) –KDDI Labs –Purdue University –UIUC –University of Tüebingen –University of Waterloo –…

7 User Feedback: The Good News Tremendously flexible –Provide a global and flexible identifier space IDs can identify virtually anything, end-hosts, services, sessions, humans, devices, etc.. –Allow hosts to explicitly route packets through intermediate “processing points” –Abstract away the behavior of hosts (e.g., mask mobility) from each other

8 User Feedback: The Bad News Efficiency –Many users didn’t want all their packets relayed through i3 –High overhead for maintaining per-host triggers –Select nearby remote proxies Usability –Address book (name resolution), a pain to use –API, far too complex and confusing Proxy for legacy applications –Very useful, but… –… requests for using it for other overlays Transparency – Didn’t work (well) for firewalls that blocked UDP traffic

9 What We’ve Done About It? Efficiency –Many users didn’t want all their packets relayed through i3 –High overhead for maintaining per-host trigger –Select nearby remote proxies Usability –Addressbook (name resolution), a pain to use –API, far too complex and confusing Proxy for legacy applications –Very useful, but… –… requests for using it for other overlays Transparency – Didn’t work (well) for firewalls that blocked UDP traffic Shortcuts Trigger aggregation Identity based resolution >50 calls  ~15 calls Generalize proxy design Use TCP as underlying transport if needed

10 What We’ve Done About It? Efficiency –Many users didn’t want all their packets relayed through i3 –High overhead for maintaining per-host trigger –Select nearby remote proxies Usability –Addressbook (name resolution), a pain to use –API, far too complex and confusing Proxy for legacy applications –Very useful, but… –… requests for using it for other overlays Transparency – Didn’t work (well) for firewalls that blocked UDP traffic Shortcuts Trigger aggregation Identity based resolution >50 calls  ~15 calls Generalize proxy design Use TCP as underlying transport if needed

11 Shortcuts: Problem Each packet is traversing an i3 server no matter whether the user wants/needs to or not

12 Shortcuts: Solution Associate an “allow-caching” bit with both packets and triggers If both the packet and trigger have the bit set  sender can cache receiver’s address LALA LBLB id BA A 1 Host A (IP B )Host B 3 1 (id BA,data) cache=IP B 2

13 Shortcuts: Discussion Shortcuts are allowed only if both the sender and receiver agree Indirection still needed for –Simultaneous mobility –Anonymity –Firewalls & some types of NATs – … i3 becomes a lookup infrastructure

14 Shortcuts & NATs Allow shortcuts as long as the receiver is not behind a symmetric NAT –NATs which allocate port number per destination basis

15 Name Resolution Problem Local resolution (current solution) –Maintain a local address book –Secure, but inconvenient Global resolution (e.g., DNS, OpenDHT) –Requires name allocation authority –Requires infrastructure for resolution –As secure as the resolution infrastructure Limited by Zooko’s paradox –Decentralization, Security, Human readability: Pick two

16 Current Proposal: Identity Based Resolution Uses Boneh-Franklin Identity Based Encryption (IBE) Requires authority and infrastructure for name allocation only Secure, convenient, low bandwidth consumption

17 IBE: Basic Scheme Private Key Generator (M) Decrypt message using PrivKey foo Receiver R (Foo) W W W Sender S Publish Master Public Key (MPK M ) Request private key for Foo. Obtain MPK M PubKey Foo = PK(MPK M, Foo) Send PrivKey Foo message PubKey Foo

18 Identity Based Resolution: IBE Application to i3 Name allocation –FCFS policy E-mail based allocation (see poster!) –Use symmetric key exchange to secure against Eavesdropping Man-in-the-middle attack Trigger insertion Name resolution

19 Trigger Insertion PrivKey Foo i3 Host H (Foo) ID Foo = H (PubKey Foo ) PubKey Foo = PK(MPK M, Foo) ID Foo H Foo nonce PubKey foo Decrypt nonce with PrivKey Foo ID Foo H Foo nonce ID Foo H Insert trigger

20 Name Resolution i3 PrivKey Foo Send data encrypted with PubKey Foo to trigger ID Foo Decrypt sata using PrivKey Foo Sender S ID Foo = H (PubKey Foo ) PubKey Foo = PK(MPK M, Foo) data PubKey Foo ID Foo H Host H (Foo)

21 Identity Name Resolution: Discussion Pros –Local Name Resolution –Human readable and secure –Low overhead  master server contacted only at name allocation time –Secure from eavesdropping by i3 servers Cons –Requires centralized authority Hierarchical IBE has been proposed –Must trust master server(s) –Key revocation is difficult

22 Proxy: Basic Design Proxy Overlay ( i3 ) DNS reply: IP X id B Host A (id A ) Host B (id B, Foo) LALA Legacy process DNS query: Foo IP X Foo  IP X IP X  id B

23 Proxy: Redesign Before – i3 centric design –Multithreaded Now –Modular design: can be used for other overlays or ID-based networks Resolution (name  virtual IP address), packet capture and translation are overlay independent –Single-threaded: easier to port to handheld and cell phone OSes

24 Ongoing Projects Declarative routing (Boon Loo Thau) –Use i3 as a forwarding infrastructure Anonymity infrastructure (Jayanth Kannan) Load-aware location-aware server selection (Animesh Nandi, Rice University) Virtual LANs (U. of Tüebingen) …

25 Platform for COPS Architecture COPS = “Check”+“Observe”+“Protect” Systems –See Randy’s talk this evening Create logical topologies to include processing elements (located at arbitrary locations) on data path M client A server B i3 middle-box id M M id BA B id AB A (id M :id BA, data) (id BA, data) (id M :id AB, data) (id AB, data)

26 Plans For Next Six Months Release new i3 version (next few weeks) –Make it widely available –Check http://i3.cs.berkeley.edu for update Provide proxy support for other overlays –Network virtualization project Release a compelling application –Access to web servers behind NATs (?) Shape incoming traffic; provide anonymity Other applications –Anonymity, declarative queries, …

27 Moving Beyond i3 Platform for COPS Generalized proxy Other Applications… i3

28 Routing as a Service Goal: develop network architectures that –Allow end-hosts to pick their own routes –Allow third-parties to easily add new routing protocols Ideal model: –Oracles that have complete knowledge about network –Hosts query paths from oracles Path query can replace today’s DNS query –Hosts forward packets along these paths

29 Routing as a Service (cont’d) Routing service 1 Client A Client D Client B Network measurements Query/reply routing info. Setup routes Client C Routing service 2

30 Service Composition Goal: allow third-parties and end-hosts to easily insert new functionality on data path –E.g., firewalls, NATs, caching, transcoding, spam filtering, intrusion detection, etc.. Why i3? –Make middle-boxes part of the architecture –Allow end-hosts/third-parties to explicitly route through middle-boxes

31 Service Composition: Research Questions How to locate and compose services? How to distribute state across hosts and middle-boxes? How to transparently recover when a middle-box fails? How is the state recovered?

32 Conclusions i3: tremendously flexible infrastructure –Allow end-hosts to control routing and replication points in the infrastructure –Abstract away the behavior of hosts (e.g., mask mobility) form each other –Provide a global and flexible identifier space IDs can identify virtually anything, end-hosts, services, sessions, humans, devices, etc..

33 Enable Many Applications Access to machines behind NATs Transparent access to services/machines behind firewalls –Like VPNs but more secure and flexible Protection against DoS attacks Anycast Transparent switching between two interfaces …

34 What We’ve Done Since Summer? Redesign some aspects of i3 based on user feedback –New version will be released in a few weeks –Check http://i3.cs.berkeley.edu for updatehttp://i3.cs.berkeley.edu Ultimate goal: –Increase the usability –Make i3 as an enabling technology for future research projects

35 Ongoing & Future Projects Generalized proxy Routing as a service Service composition architecture

36 Collaborators Students: –Daniel Adkins –Jayanth Kannan –Karthik Lakshminarayanan –Shelley Zhuang –Sonesh Surana Postdocs: –Klaus Wehrle (U. Karlsruhe) Faculty: –Randy Katz –Scott Shenker –Klaus Wehrle (U. of Tüebingen) Visitors: –Ayumu Kubota (KDD Japan)

Download ppt "I3 Update Ion Stoica and many others… UC Berkeley January 10, 2005."

Similar presentations

Internet Indirection Infrastructure (i3 ) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana UC Berkeley SIGCOMM 2002 Presented by:

Internet Indirection Infrastructure (i3 ) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana UC Berkeley SIGCOMM 2002 Presented by:
1/32 Internet Architecture Lukas Banach Tutors: Holger Karl Christian Dannewitz Monday 26.09.2005 C. Today I³SI³HIPHI³.

1/32 Internet Architecture Lukas Banach Tutors: Holger Karl Christian Dannewitz Monday C. Today I³SI³HIPHI³.
OCALA: An Architecture for Supporting Legacy Applications over Overlays Dilip Joseph 1, Jayanth Kannan 1, Ayumu Kubota 2, Karthik Lakshminarayanan 1, Ion.

OCALA: An Architecture for Supporting Legacy Applications over Overlays Dilip Joseph 1, Jayanth Kannan 1, Ayumu Kubota 2, Karthik Lakshminarayanan 1, Ion.
Host Mobility Using an Internet Indirection Infrastructure by Shelley Zhuang, Kevin Lai, Ion Stoica, Randy Katz, Scott Shenker presented by Essi Vehmersalo.

Host Mobility Using an Internet Indirection Infrastructure by Shelley Zhuang, Kevin Lai, Ion Stoica, Randy Katz, Scott Shenker presented by Essi Vehmersalo.
I3 Status Ion Stoica UC Berkeley Jan 13, 2003. The Problem Indirection: a key technique in implementing many network services,

I3 Status Ion Stoica UC Berkeley Jan 13, The Problem Indirection: a key technique in implementing many network services,
Supporting Legacy Applications in i3 Jayanthkumar Kannan, Ayumu Kubota, Karthik Lakshminarayanan, Ion Stoica, Klaus Wherle.

Supporting Legacy Applications in i3 Jayanthkumar Kannan, Ayumu Kubota, Karthik Lakshminarayanan, Ion Stoica, Klaus Wherle.
Supporting Legacy Applications in Associative Overlay Networks Shelley Zhuang, Ion Stoica {shelleyz, Sahara Retreat January 16-18,

Supporting Legacy Applications in Associative Overlay Networks Shelley Zhuang, Ion Stoica {shelleyz, Sahara Retreat January 16-18,
Internet Indirection Infrastructure Ion Stoica and many others… UC Berkeley.

Internet Indirection Infrastructure Ion Stoica and many others… UC Berkeley.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
10/31/2007cs6221 Internet Indirection Infrastructure ( i3 ) Paper By Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Sharma Sonesh Sharma.

10/31/2007cs6221 Internet Indirection Infrastructure ( i3 ) Paper By Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Sharma Sonesh Sharma.
What we will cover… Home Networking: Network Address Translation (NAT) Mobile Routing.

What we will cover… Home Networking: Network Address Translation (NAT) Mobile Routing.
CS 268: Active Networks Ion Stoica May 6, 2002 (* Based on David Wheterall presentation from SOSP ’99)

CS 268: Active Networks Ion Stoica May 6, 2002 (* Based on David Wheterall presentation from SOSP ’99)
Criticisms of I3 Jack Lange. General Issues ► Design ► Performance ► Practicality.

Criticisms of I3 Jack Lange. General Issues ► Design ► Performance ► Practicality.
Criticisms of I3 Zhichun Li. General Issues Functionality Security Performance Practicality If not significant better than existing schemes, why bother?

Criticisms of I3 Zhichun Li. General Issues Functionality Security Performance Practicality If not significant better than existing schemes, why bother?
CS 268: Lecture 5 (Project Suggestions) Ion Stoica February 6, 2002.

CS 268: Lecture 5 (Project Suggestions) Ion Stoica February 6, 2002.
Internet Indirection Infrastructure Ion Stoica UC Berkeley.

Internet Indirection Infrastructure Ion Stoica UC Berkeley.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Rethink the design of the Internet CSCI 780, Fall 2005.

Rethink the design of the Internet CSCI 780, Fall 2005.
Internet Indirection Infrastructure (i3) Status – Summer ‘03 Ion Stoica UC Berkeley June 5, 2003.

Internet Indirection Infrastructure (i3) Status – Summer ‘03 Ion Stoica UC Berkeley June 5, 2003.
CS 268: Project Suggestions Ion Stoica February 6, 2003.

CS 268: Project Suggestions Ion Stoica February 6, 2003.

Similar presentations

Ads by Google