Named Data Networking IEEE CCW Oct 10, 2011 www.named-data.net 1.

Slides:

Advertisements

Similar presentations

1. XP 2 * The Web is a collection of files that reside on computers, called Web servers. * Web servers are connected to each other through the Internet.

Advertisements

1 UNIT I (Contd..) High-Speed LANs. 2 Introduction Fast Ethernet and Gigabit Ethernet Fast Ethernet and Gigabit Ethernet Fibre Channel Fibre Channel High-speed.

Virtual Trunk Protocol

1 Security for Ad Hoc Network Routing. 2 Ad Hoc Networks Properties Mobile Wireless communication Medium to high bandwidth High variability of connection.

Distributed Systems Architectures

1 An Update on Multihoming in IPv6 Report on IETF Activity IPv6 Technical SIG 1 Sept 2004 APNIC18, Nadi, Fiji Geoff Huston.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Zhongxing Ming Dan Li Chumei Xia Mingwei Xu Tsinghua University.

Challenges in Making Tomography Practical

Multihoming and Multi-path Routing

1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

Multihoming and Multi-path Routing

1 IEEE Media Independent Handoff Overview of services and scenarios for 3GPP2 Stefano M. Faccin Liaison officer to 3GPP2.

Encrypting Wireless Data with VPN Techniques

18 Copyright © 2005, Oracle. All rights reserved. Distributing Modular Applications: Introduction to Web Services.

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Communicating over the Network

Video Services over Software-Defined Networks

Protocol layers and Wireshark Rahul Hiran TDTS11:Computer Networks and Internet Protocols 1 Note: T he slides are adapted and modified based on slides.

INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.

Jennifer Rexford Princeton University MW 11:00am-12:20pm Logically-Centralized Control COS 597E: Software Defined Networking.

Chapter 1: Introduction to Scaling Networks

1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.

The Platform as a Service Model for Networking Eric Keller, Jennifer Rexford Princeton University INM/WREN 2010.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 2 The OSI Model and the TCP/IP.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Distance Vector Routing Protocols Routing Protocols and Concepts –

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Subnetting IP Networks Network Fundamentals.

Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.

Spring 2014 RMS/EOC Proctor Caching Training. Agenda 2 Proctor caching overview Downloading & installing Cache test content.

IP Multicast Information management 2 Groep T Leuven – Information department 2/14 Agenda •Why IP Multicast ? •Multicast fundamentals •Intradomain.

1 Breadth First Search s s Undiscovered Discovered Finished Queue: s Top of queue 2 1 Shortest path from s.

IONA Technologies Position Paper Constraints and Capabilities for Web Services

Information-Centric Networks09c-1 Week 9 / Paper 3 VoCCN: Voice Over Content-Centric Networks –V. Jacobson, D. K. Smetters, N. H. Briggs, M. F. Plass,

1 Wireless and Mobile Networks Part 2 November 25, 2008 Department of Electrical and Computer Engineering University of Western Ontario ECE 436a Networking:

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 EN0129 PC AND NETWORK TECHNOLOGY I NETWORK LAYER AND IP Derived From CCNA Network Fundamentals.

1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.1 Module 2 Networking Fundamentals.

Executional Architecture

PSIRP Publish-Subscribe Internet Routing Paradigm 08-Oct /27.

25 seconds left…...

XP New Perspectives on Browser and Basics Tutorial 1 1 Browser and Basics Tutorial 1.

Copyright 2001 Advanced Strategies, Inc. 1 Data Bridging An Overview Prepared for DIGIT By Advanced Strategies, Inc.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—5-1 MPLS VPN Implementation Configuring BGP as the Routing Protocol Between PE and CE Routers.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA TCP/IP Protocol Suite and IP Addressing Halmstad University Olga Torstensson

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

1 12/18/ :21 Chapter 12Bridges1 Rivier College CS575: Advanced LANs Chapter 12: Bridges.

Connecting LANs, Backbone Networks, and Virtual LANs

VPN AND REMOTE ACCESS Mohammad S. Hasan 1 VPN and Remote Access.

Introduction to Ad-hoc & Sensor Networks Security In The Name of God ISC Student Branch in KNTU 4 th Workshop Ad-hoc & Sensor Networks.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2001 Chapter 16 Integrated Services Digital Network (ISDN)

TCP/IP Protocol Suite 1 Chapter 18 Upon completion you will be able to: Remote Login: Telnet Understand how TELNET works Understand the role of NVT in.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Link-State Routing Protocols Routing Protocols and Concepts – Chapter.

Secure Network Bootstrapping Infrastructure May 15, 2014.

NDN in Local Area Networks Junxiao Shi The University of Arizona

Standards Certification Education & Training Publishing Conferences & Exhibits Using Outbound IP Connections for Remote Access EXPO 2005 Chicago, IL.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Authored by: Rachit Rastogi Computer Science & Engineering Deptt., College of Technology, G.B.P.U.A. & T., Pantnagar.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.

(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,

Version 4.0. Objectives Describe how networks impact our daily lives. Describe the role of data networking in the human network. Identify the key components.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.

Chapter 9 Networking & Distributed Security. csci5233 computer security & integrity (Chap. 9) 2 Outline Overview of Networking Threats Wiretapping, impersonation,

Multimedia & Mobile Communications Lab.

Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.

Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.

Virtual Private Networks

IS4680 Security Auditing for Compliance

Presentation transcript:

Named Data Networking IEEE CCW Oct 10,

Agenda A.NDN Overview B.NDN Security 1)Architecture Basics 2)Privacy 3)Routing and Application Security C.Summary 2

The problem 3 ISP

Communication v. Distribution 4 CommunicationDistribution Naming EndpointsContent Security Secure ProcessSecure Content

Today 5 src dst Path determined by global routing, not local choice Structural asymmetry precludes market mechanisms and encourages monopoly formation X

6 Producer Consumer ? a/b/c NDN approach

7 Producer Consumer a/b/c/d Data a/b/c/d ? a/b/c NDN approach

8 Producer Consumer a/b Packets say what not where (no src or dst) Forwarding decision is local Upstream performance is measurable ? a/b/c/e NDN approach

We envision replacing this: 9 ISP

10 ISP With THIS:

Agenda A.NDN Overview B.NDN Security 1)Architecture Basics 2)Privacy 3)Routing and Application Security C.Summary 11

Securing Content Integrity: is data intact and complete? Origin: who asserts this data is an answer? Correctness: is this an answer to my question? 12 Any consumer can ascertain: Content Packet = name, data, signature

13 Evidentiary Trust Content Key Content Key Name Hierarchy & Links Key Certification Graph Content Key Content Key Content Key Content Key A web of trust gradually & organically arises from named and signed content:

DoS Resistance Many current DoS + DDoS attacks/threats become irrelevant because of NDN architecture A few notable features: Content caching mitigates targeted DoS Content not forwarded w/out prior state set up by interests Multiple interests for same content are collapsed One copy of content per interested interface is returned Stateful routing helps to fight/push back attacks Some (new) attack opportunities (e.g., signatures) may be possible, but it is much more resistant to DoS attacks than what we have today. 14

Data plane resilience IP data delivery strictly follows FIB direction: One-way data flow -- cannot detect failures Has no effect on routing decisions NDN content delivery is a 2-step process: Interest forwarding to set up state Content traversal of interest path in reverse Interest forwarding state eliminates looping, allows exploitation of topological redundancies and multipath forwarding Content packets measure quality of selected (interest) paths lets forwarding plane incorporate congestion and fault mitigation into path decisions 15

Agenda A.NDN Overview B.NDN Security 1)Architecture Basics 2)Privacy 3)Routing and Application Security C.Summary 16

Privacy Challenges in NDN Lack of source addresses in NDN packets provide much better privacy than IP. However, there are still challenges if the attacker is can monitor the traffic close to the user (e.g., in the same LAN): Name Privacy: semantically related names Interested in /healthonline/STDs/.. Content Privacy: unencrypted public content. Retrieved content is an.mp3 file Signature Privacy: leaked signer(publisher) identity Retrieved content is signed by match.com Cache privacy: detectable cache hits/misses Interests from this user usually misses caches -- it is for Russian content. 17

Named Data Onion Routing Consists of client and anonymizing router (AR) software Layers of encrypted Interests reside inside the name component of interests E.g.,: /anonymizer/Enc(Timestamp || key || Interest) Content is encrypted with the client-provided key on its way back Encapsulation is published under the requested name and signed by ARs. 18

Example /OR1 /OR2 /nytimes.com/today 19 OR2/ /OR1/ nytimes.com/today /OR2/

Agenda A.NDN Overview B.NDN Security 1)Architecture Basics 2)Privacy 3)Routing and Application Security C.Summary 20

Using NDN Features to Secure Routing Need to protect routing updates (where content prefix is reachable) Router names follow network management hierarchy Names associated with signing keys (not only 1:1) Keys are authenticat-able: Network operator configures trust anchor for each router, e.g., public key for /ndn/ucla.edu/ Router key (e.g., /ndn/ucla.edu/bb1) certified by anchor key Each interface has a name, (e.g., /ndn/ucla.edu/bb1/f1); router key certifies each interface key Updates from each interface signed by that interface key 21

Testbed: UCLA Film & TV Studio #1 NDN Lighting Control Application 22 Special case of actuators in an instrumented environment Rich set of use cases (e.g., entertainment)

IP in Lighting Systems? Security currently achieved by: Physical network segregation, or VLANs + firewalls Devices increasingly receive over-the-air upgrades & updates Not clear how to accommodate with above in scalable manner IP-based addressing irrelevant to applications Easier to address fixtures in application-specific terms without having to know through/to which gateway they connect IP configuration particularly brittle for dynamic systems Lighting devices (fixtures) can come & go frequently Certain building systems incorporate mobile devices 23

Bootstrapping No preconfigured information in fixture, other than manufacturer-supplied: Public/Private key-pair and initial authenticator Standard mechanisms used for lighting interface to connect to NDN on one side and discover fixtures on another Fixture starts with pre-configured name: /ndn//lighting/ / To discover fixtures, configuration manager sends interests for: /ndn/lighting/ Once located new fixture, retrieves (via interest) its public key data: /ndn/lighting/ / /key Out of band, configuration manager obtains initial authenticator & fingerprint of public key per fixture Configuration manager issues signed interest authorizing its public key to configure fixture Contains KeyLocator for configuration manager public key Includes initial authenticator of fixture, encrypted with latters public key 24

Subsequent Control After bootstrapping, configuration manager grants permissions to applications by publishing their keys under names representing (authorized) capabilities Fixture checks if application signing key is in: (1) its cache of authorized keys, or (2) built-in trust anchor list created at bootstrap time, or (3) it is published (signed) by a key that satisfies (1) or (2) To minimize delay, signed commands are expressed as part of name within interest 25

Other applications in the works Audio conferencing Participatory sensing Personal data cloud Media distribution/streaming VPN server/client Network monitor/management tools 26

Agenda A.NDN Overview B.NDN Security 1)Architecture Basics 2)Privacy 3)Routing and Application Security C.Summary 27

SUMMARY Lots of work underway Much of what was presented not cast in stone Didnt cover: Signature schemes (e.g., batch operations, streaming content) Trust establishment / Trust frameworks Usability of S&P Security in other apps, e.g., sensing, conferencing 28

29 Thanks!