Mobility in Publish/Subscribe Networks Walter Wong HIIT & NomadicLab 24.02.2010
Page 1

Mobility in Publish/Subscribe Networks
Walter Wong
HIIT & NomadicLab
24.02.2010

Page 2

Outline

Motivation

Background
Link Layer
Network Layer
Transport Layer
Session Layer

Information Mobility
Peer-to-peer, Content Delivery Networks
Publish/Subscribe

Page 3

Motivation

Original Internet design
Hosts are fixed
The IP address is both the end-host identifier and its locator

However, current Internet usage is different (figure not reproduced): hosts move between networks.

Page 4

Mobility – Some problems

How does a host get a new locator (IP address)?
How does a host re-establish connectivity in the new network?
How does a host tell the peer host its new address?
How can we find a host that moves frequently?
How can applications maintain seamless connectivity between mobile hosts?

Page 5

Solutions in different layers

Link: simple MAC address update
Network: DHCP (static), Mobile IP (dynamic)
Identification (between network and transport): Host Identity Protocol
Transport: TCP Migrate
Session: SIP Mobility

Page 6

Link Layer Mobility

Change MAC address
Ex. between access points in the same subnet
(+) Transparent to higher layers (no change in the IP address)
(–) Limited to the same subnet

(Figure: the client keeps IPclient; the mapping IPclient –> MAC_A becomes IPclient –> MAC_B after the move)

Page 7

Dynamic Host Configuration Protocol (DHCP)

Provides dynamic IP addresses to end-hosts
(+) Simple
(–) Does not maintain ongoing connections: the host gets a new address, so sockets bound to the old one break

(Figure: the host moves from Network A, 10.10.1.0/24, where it had 10.10.1.100, to Network B, 192.168.0.0/24, where it gets 192.168.0.11)

Page 8

IP Mobility – IP Semantic Overload Problem

(Figure: layers Link, Network, Transport, Session, Application. A web browser calls socket(AF_INET, …, …) and connect(); the transport layer identifies the connection by the 4-tuple (IPsrc/dst, portsrc/dst). When the host moves, IPsrc changes from 10.10.0.100 to 192.168.0.11 and the connection state no longer matches: the IP address is being used both as the host's identity and as its location.)

Page 9

Mobile IP

Goals
Network layer solution
Applications are oblivious of the mobility event
Legacy application support
Incrementally deployable

Approach
Two IP addresses
Home Address –> stable end-host identifier
Care-of Address –> ephemeral end-host locator
“Solves” the IP semantic overload problem

Page 10

Mobile IP – Elements

Home Agent (HA)
Responsible for location management
Tunnels traffic to the registered node when it is not in the home network

Foreign Agent (FA)
Provides the Care-of Address of the visited network
Represents the mobile node when it visits the network

Page 11

MN at Home Network

(Figure: Home Network with the Home Agent and the mobile node MN at address IPA; Foreign Network with the Foreign Agent; Correspondent Node CN at address IPC across the Internet. Direct communication between MN and CN: IPA <–> IPC)

Page 12

MN Registration

(Figure: MN has moved to the Foreign Network and now has address IPB. It registers with the FA and receives a Care-of Address, then informs the HA of its current CoA. CN at IPC is unaware of the move.)

Page 13

MN at Foreign Network

(Figure: MN at IPB in the Foreign Network, CN at IPC)
CN sends data to IPA (the home address)
HA intercepts it in the home network and tunnels the packets to IPB (IP-in-IP tunneling)

Page 14

Route Optimization

(Figure: CN at IPC sends directly to MN at IPB once it knows the CoA)
Avoids the triangle CN – HA – MN
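The registration and tunneling steps of slides 10 to 14, as an added example that is not part of the original slides. It is a toy Python model of a Mobile IPv4 home agent: the MN registers a care-of address, the HA stores the binding and encapsulates packets sent to the home address (IP-in-IP), and the MN decapsulates them. Registration requests carry a keyed MAC and a nonce; the MAC plays the role of the Mobile-Home Authentication Extension of RFC 3344 (HMAC-MD5 there, HMAC-SHA256 here as an assumption). The addresses, key and packet format are constructed sample values, not from the slides.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Minimal IP packet; `inner` is set when this is an IP-in-IP tunnel packet."""
    src: str
    dst: str
    payload: bytes = b""
    inner: Optional["Packet"] = None


def registration_mac(key: bytes, home: str, coa: str, nonce: int) -> bytes:
    """Keyed MAC over the binding (home address, care-of address, nonce).
    Stands in for RFC 3344's Mobile-Home Authentication Extension
    (assumption: HMAC-SHA256 instead of the HMAC-MD5 the RFC specifies)."""
    return hmac.new(key, f"{home}|{coa}|{nonce}".encode(), hashlib.sha256).digest()


@dataclass
class HomeAgent:
    home_prefix: str                                # home network, e.g. "10.10.1."
    keys: dict                                      # home address -> MN-HA shared key
    bindings: dict = field(default_factory=dict)    # home address -> care-of address
    seen: set = field(default_factory=set)          # (home, nonce) already accepted

    def register(self, home: str, coa: str, nonce: int, mac: bytes) -> bool:
        """Registration Request from the MN (relayed by the FA on the slides).
        Only an authenticated, fresh request may change where IPA's traffic goes;
        otherwise anyone could register a bogus CoA and receive the MN's packets."""
        if home not in self.keys or not home.startswith(self.home_prefix):
            return False
        if (home, nonce) in self.seen:
            return False                            # replayed request
        expected = registration_mac(self.keys[home], home, coa, nonce)
        if not hmac.compare_digest(expected, mac):
            return False                            # wrong or missing key
        self.seen.add((home, nonce))
        if coa.startswith(self.home_prefix):
            self.bindings.pop(home, None)           # MN is back home: deregister
        else:
            self.bindings[home] = coa
        return True

    def forward(self, pkt: Packet) -> Packet:
        """A packet addressed to a home address arrives on the home link."""
        coa = self.bindings.get(pkt.dst)
        if coa is None:
            return pkt                              # MN at home: deliver directly
        # IP-in-IP: new outer header HA -> CoA, original packet carried unchanged
        return Packet(src="HA", dst=coa, inner=pkt)


def mn_receive(pkt: Packet, coa: str) -> Packet:
    """MN side: strip the tunnel header when the packet came through the HA."""
    if pkt.dst == coa and pkt.inner is not None:
        return pkt.inner
    return pkt


def demo() -> dict:
    """Runs the three slide scenarios with constructed sample addresses."""
    key = b"constructed-mn-ha-shared-secret"
    IPA, IPB, IPC = "10.10.1.100", "192.168.0.11", "203.0.113.5"
    ha = HomeAgent(home_prefix="10.10.1.", keys={IPA: key})

    direct = ha.forward(Packet(IPC, IPA, b"hello"))           # slide 11: MN at home

    forged = ha.register(IPA, "198.51.100.9", 1, bytes(32))   # attacker without the key
    ok = ha.register(IPA, IPB, 1, registration_mac(key, IPA, IPB, 1))      # slide 12
    replayed = ha.register(IPA, IPB, 1, registration_mac(key, IPA, IPB, 1))

    tunneled = ha.forward(Packet(IPC, IPA, b"hello again"))   # slide 13: CN still uses IPA
    delivered = mn_receive(tunneled, IPB)
    return {
        "direct_dst": direct.dst,
        "forged_accepted": forged,
        "registered": ok,
        "replay_accepted": replayed,
        "outer_dst": tunneled.dst,
        "inner_dst": delivered.dst,
        "payload": delivered.payload,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The forged and replayed registrations are rejected while the genuine one installs the binding; after that, a packet from the CN to IPA leaves the HA with outer destination IPB and the original packet inside, which the MN unwraps. Route optimization (slide 14) would let the CN send to IPB directly, but only after the same kind of authenticated binding check.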

Page 15

Mobile IP – Summary

Provides mobility support at the network level
Applications are oblivious of the mobility event
Supports simultaneous node mobility (uses HA and FA as anchor points)
Uses two IP addresses:
Home address: end-host identification
Care-of address: end-host location

Issues
Scalability problems (triangle routing through the HA)
Security (registrations must be authenticated, otherwise a node's traffic can be redirected)

Page 16

Host Identity Protocol (HIP)

New namespace between the network and transport layers
Host Identity (HI): a public key
Host Identity Tag (HIT): 128-bit identifier, a hash of the public key, so security is embedded in the name itself
Fills the gap between end-host identification and location
Decouples end-host identification from location
Solves the IP semantic overload

Page 17

HIP Namespace

(Figure: layers Link, Network, Identification, Transport, Application. The web browser calls socket(…); the identification layer supplies the end-host identifier, so the transport socket is bound to (HITsrc/dst, portsrc/dst) rather than to IP addresses.)
The network layer is free to change

Page 18

HIP Resolution

Two-step name resolution
Name to HIT resolution –> DNS
HIT to IP resolution –> Rendezvous Server (RVS)

HIP base exchange
4-way handshake
Resistant against Denial-of-Service attacks
Uses cost functions (puzzles) to check whether correspondent nodes are committed to the communication
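The “cost function” of slide 18, as an added example that is not in the original slides. The shape follows the HIP base-exchange puzzle of RFC 5201: the responder's R1 carries a random I and a difficulty K; the initiator must find J such that the low K bits of SHA-1(I | HIT-I | HIT-R | J) are zero and return J in I2; the responder checks it with a single hash and keeps no per-initiator state before that check, which is what makes a flood of I1 packets cheap for it and expensive for the sender. The sample HITs, the 8-byte I and J, SHA-1 (RFC 5201; RFC 7401 later moved to the negotiated hash) and a fresh random I per R1 are assumptions of this sketch; a deployed responder derives I from a rotating secret so it need not remember it.

```python
import hashlib
import os
from typing import Optional, Tuple

# Constructed 128-bit HITs (slide 16: a HIT is a hash of the host's public key;
# these are just sample bytes, not real HITs).
HIT_I = bytes(range(0, 16))
HIT_R = bytes(range(16, 32))


def puzzle_hash(I: bytes, hit_i: bytes, hit_r: bytes, J: bytes) -> int:
    """RFC 5201 puzzle: SHA-1 over I | HIT-I | HIT-R | J, read as an integer."""
    return int.from_bytes(hashlib.sha1(I + hit_i + hit_r + J).digest(), "big")


def verify_solution(I: bytes, hit_i: bytes, hit_r: bytes, J: bytes, K: int) -> bool:
    """Responder side, on I2: Ltrunc(hash, K) == 0, i.e. the low K bits are zero.
    One hash, no stored state per initiator."""
    return puzzle_hash(I, hit_i, hit_r, J) & ((1 << K) - 1) == 0


def solve_puzzle(I: bytes, hit_i: bytes, hit_r: bytes, K: int,
                 max_tries: int = 1 << 24) -> Tuple[bytes, int]:
    """Initiator side, before I2: try J = 0, 1, 2, ...; about 2**K hashes on average.
    Returns the solution and the number of hashes spent."""
    for j in range(max_tries):
        J = j.to_bytes(8, "big")
        if verify_solution(I, hit_i, hit_r, J, K):
            return J, j + 1
    raise RuntimeError("puzzle not solved within max_tries")


def responder_r1(K: int, I: Optional[bytes] = None) -> Tuple[bytes, int]:
    """R1 carries (I, K). Assumption: fresh random I per R1 unless one is supplied."""
    return (I if I is not None else os.urandom(8)), K


def run_exchange(K: int, I: Optional[bytes] = None) -> dict:
    """I1 -> R1(I, K) -> I2(J) -> R2: the 4-way handshake of slide 18, puzzle part only."""
    I, K = responder_r1(K, I)                                  # R1
    J, initiator_hashes = solve_puzzle(I, HIT_I, HIT_R, K)     # work done by the initiator
    accepted = verify_solution(I, HIT_I, HIT_R, J, K)          # one hash by the responder
    # Every J below the one found failed the check, by construction of the search.
    # The hash also covers both HITs, so a solution cannot be reused for another peer.
    lower_all_rejected = all(
        not verify_solution(I, HIT_I, HIT_R, j.to_bytes(8, "big"), K)
        for j in range(int.from_bytes(J, "big"))
    )
    return {
        "I": I, "J": J, "K": K,
        "accepted": accepted,
        "initiator_hashes": initiator_hashes,
        "responder_hashes": 1,
        "lower_all_rejected": lower_all_rejected,
    }


if __name__ == "__main__":
    result = run_exchange(K=12)
    print(f"K={result['K']}: initiator spent {result['initiator_hashes']} hashes, "
          f"responder 1, accepted={result['accepted']}")
```

K is chosen by the responder and can be raised under load: each extra bit doubles the initiator's expected work while the responder's cost stays at one hash per I2.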

Page 19

HIP Mobility

Rendezvous Server (RVS)
Holds all HIT-to-IP mappings
Distributed in the network, e.g. one per administrative domain

After a mobility event, the mobile node engages in the locator update procedure: an UPDATE message along with the verification protocol (the new locator is checked before traffic is sent to it)

Page 20

HIP Summary

New namespace composed of cryptographic identifiers: Host Identifiers (HI) and Host Identity Tags (HIT)
Detaches host identification from location
Resistant against Denial-of-Service attacks (base exchange)
Supports simultaneous node mobility (the RVS is the anchor point)

Page 21

TCP Migrate

End-host mobility in the transport layer
Goal: to maintain seamless end-host connectivity during TCP sessions

Approach
Uses DNS names to provide a stable end-host identifier
Saves TCP state during migration and restores it after the mobility event
No new location management device: no Home Agent and no Foreign Agent

Page 22

TCP Migrate – Mobility procedure

Inform the peer node of the current IP address
After the mobility event, the mobile node sends a TCP SYN to the peer node informing it of the new IP address

Update the current IP address in order to be globally reachable
The mobile host updates its current mapping in the DNS
Ex. www.acme.org –> 69.64.156.78

Page 23

TCP Migrate – TCP session migration

New TCP option: TCP SYN MIGRATE
Informs the peer to migrate to a new TCP session
Uses tokens to indicate which existing TCP session the new one is associated with
The mobile host opens a new socket with the new IP address and sends a TCP SYN with the MIGRATE option and the token of the current session
The peer host opens a new TCP session to the new IP address and restores the session state

Page 24

TCP Migrate – Summary

Benefits
Simple
No network infrastructure changes

Drawbacks
Changes to the default TCP
Security issues
Does not support simultaneous node mobility: there is no anchor point

Page 25

Session Initiation Protocol (SIP)

Signaling protocol used for controlling multimedia sessions
Used for establishing, modifying and terminating sessions
Uses URIs to identify users

Relies on two other protocols
Real-time Transport Protocol (RTP): carries the streaming data
Session Description Protocol (SDP): session parameters, e.g. ports, protocols, etc.

Page 26

SIP Message Flow

(Figure: the calling client sends INVITE to its Outbound Proxy; the proxy resolves the callee's URI through DNS to the Inbound Proxy's IP and forwards the INVITE to the Inbound Proxy, which delivers it to the called client. OK travels back along the same path, ACK follows, and RTP traffic then flows directly between the two clients.)

Page 27

SIP Mobility

(Figure: the Correspondent Node sends INVITE to the SIP Redirect Proxy in the client's Home Network. The proxy answers Moved Temporarily with the client's current contact in the Foreign Network; the CN re-sends the INVITE through the Outbound Proxy to the client, which answers OK, and the CN completes with ACK.)

Page 28

SIP – Summary

Signaling protocol for controlling multimedia sessions
Uses URIs to identify user agents
Mobility is handled by SIP proxies

Page 29

Mobility Support – Summary

Link: simple MAC address update; switches can be configured to handle it
Network: Mobile IP creates a new IP address, the Home Address, to be the end-host identifier, while the Care-of Address is the real locator
Identification: Host Identity Protocol introduces a new namespace to fill the gap between identification and location
Transport: TCP Migrate adds a new option to the TCP stack, MIGRATE, to provide TCP session migration; relies on DNS to provide the correct mapping
Session: SIP Mobility uses SIP proxies to locate user agents; end users are identified by URI and mapped to SIP proxies, which are the anchor points

Page 30

Information-centric Networks

What happens when we migrate to information-centric networks?
Location decoupled
Time decoupled
There is no IP end-point to locate hosts

Page 31

Data ‘Mobility’ in Host-centric Networks

Peer-to-peer networks
Users search for content
The request is translated into a query in a DHT
Users receive a list of the closest peers

Content Delivery Networks (CDNs)
URL links contain CDN DNS entries
Dynamic mapping of DNS name resolutions to the closest surrogate server

Dynamic mapping of content to an IP address
Content is ‘detached’ from the locator (new naming system, e.g. flat identifiers, etc.)

Page 32

Data Mobility in Information-centric Networks

Native Publish/Subscribe
Each content item has a unique identifier
Content is totally detached from any specific location: it can be anywhere, in intermediate caches, end-nodes, replicated, etc.
Usually content is stored close to the consumers
Popular content is cached near the consumers
Supports flash crowd events

Page 33

End-node Mobility in Information-centric Networks

Network attachment procedure
During the bootstrap process, the subscriber re-subscribes to the publication
The RVS receives the notification
The RVS notifies the publisher and the topology manager
The publisher re-publishes the content in the new RVS
The topology manager computes a new path between publisher and subscribers and updates the delivery tree

Page 34

End-node Mobility in Information-centric Networks

Some optimizations
Default communication model: multicast
Multicast-assisted mobility
Possibility to reduce handoff loss: data is distributed around the area where the mobile user resides, so it is available when the mobile user arrives
Packet loss: buffering and a return channel (algorithmic IDs)
Delivery order: subscription to separate IDs, e.g. algorithmic IDs

Page 35

Questions? Comments?
Thanks!

Page 36

Content Authentication in Information-centric Networks
Walter Wong
HIIT & NomadicLab
24.02.2010

Page 37

Outline

Background
Host-centric security solutions
Merkle Hash Trees

Information-centric authentication
Skewed Hash Trees

Implementation & Evaluation

Conclusion

Page 38

Motivation

Current security solutions
Authentication of the container/storage device/mirror
And what about the content itself? We trust the container (shouldn't we trust the content instead?)

Paradigm problem
In the Internet, we want ‘what’ and we get ‘where’

Page 39

Example – Content Delivery Networks

(Figure: a Content Provider and its mirrors, each reached over SSL; the client authenticates each server, not the movie it receives)
Are they the same movie? Wrong trust model!

Page 40

Host-centric Security Solutions

SSL/TLS and IPsec
Provide host (end-point) authentication
IPsec = network layer solution => IP
SSL/TLS = transport layer solution => IP !!
Secure channel between end-hosts
Mainly: data transfer between authenticated end-hosts (IP addresses)

Security data results from the connection parameters
Transient data => cannot be reused in another context
Time coupled

Page 41

Towards Information-centric Networking

Migration from host-centric to information-centric networking
Data is decoupled from the location (data is not part of the storage location)
Communication is decoupled in time and synchronization

Scenarios
Peer-to-peer, Content Delivery Networks
Publish/Subscribe

Page 42

Towards Information-centric Networking

Client/server model
Scenario: low resources
Services centralized in a ‘powerful’ server
Roles: well-defined clients and servers
Storage is centralized in the server
Drawbacks
Bottleneck – scalability issues
The server may be geographically distant

Page 43

Towards Information-centric Networking

Peer-to-peer model
Scenario: file sharing
Resources distributed among peers
Roles: a peer is both producer and consumer
Storage: distributed in the network, but on the peers' own disks
Drawbacks
Some are location oblivious – the peer with the highest bandwidth might not be the closest one
Paradox: consumer peers need to queue for the same resource, while the provider peer needs to send it multiple times

Page 44

Towards Information-centric Networking

Publish/Subscribe
Scenario: news feed delivery
Resources distributed in the network
Roles: mixed between publishers and subscribers
Storage: distributed in the network along caches
Benefits
Multicast – no p2p paradox
Simpler – no scheduling algorithm for resources
Content retrieval from the closest cache
Resources are within the network

Page 45

Motivation – Security

How do we secure content when it is:
Location decoupled: data cannot be authenticated by some IP address
Time decoupled: data cannot be authenticated based on a direct connection

Page 46

Information-centric Security

Original idea: per-packet signature
Sign each packet with a digital signature

Drawbacks
Costly: CPU expensive to sign and verify each signature

Requirement
Optimize the signature mechanism

Page 47

Merkle Hash Tree

Signature amortization technique
Binary tree built over a set of data blocks
Uses hash functions to authenticate data blocks: MD5, SHA-1, SHA-256 (MD5 and SHA-1 are no longer collision-resistant; use SHA-256 or stronger in practice)
Requires just one digital signature (over the root hash) for an entire piece of content, regardless of the number of data blocks!

Drawbacks
Works only on complete binary trees, i.e. a power-of-two number of blocks

Page 48

Merkle Hash Tree

(Figure: a file split into data blocks D0 D1 D2 D3; leaf nodes H0 H1 H2 H3 are the hashes of the blocks; internal nodes H01 = H(H0 || H1) and H23 = H(H2 || H3); root hash H03 = H(H01 || H23))

Page 49

Merkle Hash Tree

(Figure, same tree as above: to authenticate block D0 the verifier receives D0 together with the sibling hashes H1 and H23. It computes H0 from D0, H01 from H0 and H1, and H03 from H01 and H23, then compares H03 with the signed root hash.)

Page 50

Skewed Hash Tree

Motivation
Many possibilities to build a skewed tree

Goal
New algorithm to support random-size files

Approach
Separate balanced and unbalanced trees
Append the remaining blocks under the balanced tree
Deal with each one separately
Maintain, at most, one level of difference

Page 51

Skewed Hash Tree – Overview

(Figure: a file of six blocks D0 … D5. The balanced part D0 D1 D2 D3 is hashed as a Merkle tree, H0 H1 H2 H3, H01 H23, root H03 at height h = 0. The remaining blocks D4 D5 form a smaller tree, H4 H5, H45, at h = –1, one level below. The two roots are combined into the overall root H05; the two sides differ by one level.)

Page 52

Benefits

Amortized signature scheme
Based on hash functions (efficiency)
Data carries its own proof of authenticity
Data and authentication information can come separately
Any-sequence authentication (blocks can be verified in any order)
Time decoupling (no interaction between producers and consumers – asynchronous)
Random-size file authentication
On-path network verification
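The Merkle tree of slides 47 to 49 and the skewed tree of slides 50 to 52, as one added example that is not part of the original slides. The balanced part is the largest power-of-two prefix of the blocks and is hashed as an ordinary Merkle tree; the remaining blocks hang beside it and are joined at the top, which reproduces the six-block figure of slide 51 (H05 = H(H03 || H45)). How a remainder that is itself not a power of two is handled is not spelled out on the slides; this sketch applies the same split to it recursively, which is an assumption. SHA-256 is used, and leaf and internal hashes get different prefix bytes so that an internal node cannot be passed off as a leaf (a standard precaution the slides do not discuss). The publisher signs the root once; the signature call itself is not shown.

```python
import hashlib
from typing import List, Tuple

Path = List[Tuple[str, bytes]]   # (side of the sibling, "L" or "R", sibling hash), leaf to root


def leaf_hash(block: bytes) -> bytes:
    """H_i on the slides. 0x00 prefix: domain separation between leaves and inner nodes."""
    return hashlib.sha256(b"\x00" + block).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """Internal node, e.g. H01 = H(H0 || H1), with a 0x01 prefix."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def split_point(n: int) -> int:
    """Where a list of n leaf hashes is cut. For a power of two: in the middle
    (Merkle tree). Otherwise: after the largest power of two <= n, i.e. the
    balanced part on the left and the remaining blocks on the right (slide 50).
    Assumption: the remainder is split the same way, recursively."""
    p = 1
    while p * 2 <= n:
        p *= 2
    return p if p < n else n // 2


def root(hashes: List[bytes]) -> bytes:
    """Root hash over the leaf hashes; this is the one value the publisher signs."""
    if len(hashes) == 1:
        return hashes[0]
    s = split_point(len(hashes))
    return node_hash(root(hashes[:s]), root(hashes[s:]))


def auth_path(hashes: List[bytes], index: int) -> Path:
    """Sibling hashes needed to recompute the root from leaf `index` (slide 49)."""
    if len(hashes) == 1:
        return []
    s = split_point(len(hashes))
    if index < s:
        return auth_path(hashes[:s], index) + [("R", root(hashes[s:]))]
    return auth_path(hashes[s:], index - s) + [("L", root(hashes[:s]))]


def verify_block(block: bytes, path: Path, signed_root: bytes) -> bool:
    """Verifier side: needs only the block, its path and the signed root, so blocks
    can arrive in any order, from any cache, and be checked on-path."""
    h = leaf_hash(block)
    for side, sibling in path:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == signed_root


def chunk(data: bytes, size: int) -> List[bytes]:
    """Split a file of any size into blocks (random-size file support)."""
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]


def demo() -> dict:
    """Six constructed blocks, the D0 .. D5 layout of the figure on slide 51."""
    blocks = chunk(b"blk0blk1blk2blk3blk4blk5", 4)
    leaves = [leaf_hash(b) for b in blocks]
    signed_root = root(leaves)                    # H05; the publisher signs this once
    paths = [auth_path(leaves, i) for i in range(len(blocks))]
    # blocks verified independently and out of order
    all_ok = all(verify_block(blocks[i], paths[i], signed_root)
                 for i in reversed(range(len(blocks))))
    tampered = verify_block(b"blkX", paths[4], signed_root)   # modified D4 must fail
    return {
        "root": signed_root,
        "path_lengths": [len(p) for p in paths],   # 3 for D0..D3, 2 for D4 and D5
        "all_ok": all_ok,
        "tampered_ok": tampered,
    }


if __name__ == "__main__":
    r = demo()
    print("root", r["root"].hex()[:16], "path lengths", r["path_lengths"],
          "all_ok", r["all_ok"], "tampered_ok", r["tampered_ok"])
```

Each block travels with its path (three hashes for D0 to D3, two for D4 and D5), and a receiver with the signed root checks a block in one hash per path entry; the root hashes on the way are recomputed here for clarity rather than cached, which a real implementation would do once at publish time.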

Page 53

Application Scenario – On-path Authentication
(figure not reproduced)

Page 54

Application Scenario – Content Delivery Networks
(figure not reproduced)

Page 55

Evaluation (1/3)
(figure not reproduced)

Page 56

Evaluation (2/3)
(figure not reproduced)

Page 57

Evaluation (3/3)
(figure not reproduced)

Page 58

Conclusion

Current security solutions (TLS/IPsec) do not fit information-centric networks

Skewed Hash Tree provides:
amortized signature
independent packet authentication
random file size authentication
time decoupling

On average, 8 and 3 times faster than RSA (figures from the evaluation slides), while preserving the same level of security

Page 59

Questions? Comments?
Thanks!