3/8/2012

1

XIA: An Architecture for a Trustworthy and Evolvable Internet

Peter SteenkisteDave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Hui Zhang

Carnegie Mellon UniversityAditya Akella, University of Wisconsin

John Byers, Boston University

1

y , y

Euro‐NF Course on Future Internet ArchitectureKaiserslautern,  March 8, 2012

Network Architecture*

2* As defined by Google

The Internet Architecture

host

host

routerrouter

router

–Minimum functionality a network needs to implement to connect to the Internet

email WWW phone...

SMTP HTTP RTP...

TCP UDP…

hostrouter

router router

3

to implement to connect to the Internet• Forward packets across multiple networks

–Effectively the IP narrow waist• Minimalistic definition of architecture• All other functions needed are built on top

IP

ethernet PPP…

CSMA async sonet...

copper fiber radio...

NSF Future Internet Architecture• Program focused on fundamental changes to the Internet architecture– Long‐term, multi‐phase effort

• Four teams were selected in the second phase:– Named Internet Architecture: content centric networking ‐data is a (the) first class entity

– Mobility First: mobility as the norm rather than the exception – generalizes delay tolerant networking

– Nebula: Internet centered around cloud computing data centers that are well connected

– eXpressive Internet Architecture: focus on trustworthiness, evolvability

4

3/8/2012

2

Outline

• BackgroundXIA i i l• XIA principles

• XIA architecture• Routing• Building XIA• Transport servicesp• Security and Scion• Conclusion

5

XIA VisionWe envision a future Internet that:• Is trustworthy

– Security broadly defined is the biggest challenge• Supports long‐term evolution of usage models

– Including host‐host, content retrieval, services, … • Supports long term technology evolution

– Not just for link technologies, but also for storage and computing capabilities in the network and end pointscomputing capabilities in the network and end‐points

• Allows all actors to operate effectively– Despite differences in roles, goals and incentives

6

Predicting the Future is Hard!– A lot of really smart people don’t agree:

Named Data Networking: content centric networking– Named Data Networking: content centric networking ‐ data is a first class entity

– Mobility First: mobility as the norm rather than the exception – generalizes delay tolerant networking

– Nebula: Internet centered around cloud computing data centers that are well connected

7

data centers that are well connected

We love all of them!

Today’s InternetSrc: Client IP

Dest: Server IP

• Client retrieves document from a specific web server– But client mostly cares about correctness of content timeliness

Client IPServer IP

TCP

But client mostly cares about correctness of content, timeliness– Specific server, file name, etc. are not of interest

• Transfer is between wrong principals– What if the server fails?– Optimizing transfer using local caches is hard

• Need to use application‐specific overlay or transparent proxy – bad!8

3/8/2012

3

eXpressive Internet Architecture

Src: Client ID

Dest: Content ID

• Client expresses communication intent for content explicitly– Network uses content identifier to retrieve content from appropriate

Dest: Content ID

PDA

Content

Network uses content identifier to retrieve content from appropriate location

• How does client know the content is correct? – Intrinsic security! Verify content using self‐certifying id: 

hash(content) = content id• How does source know it is talking to the right client?

– Intrinsic security! Self‐certifying host identifiers9

A Bit More Detail …Dest: Service IDContent Name?

Flexible TrustManagement

Dest: Client IDContent ID

Dest: Content ID

DiverseCommunicating

Entities

Hash( ) = CID?

Anywhere

IntrinsicSecurity

10

Evolvable Set of Principals• Identifying the intended communicating entities reduces complexity and overheadentities reduces complexity and overhead– No need to force all communication at a lower level (hosts), as in today’s Internet

• Allows the network to evolveContenta581fe9 ...

11

Host

Services

FutureEntities

d9389fa …

024e881 …39c0348 …

Security as Intrinsic as Possible• Security properties are a direct result of the design of the systemg y– Do not rely on correctness of external configurations, actions, data bases

– Malicious actions can be easily identified

Contenta581fe9 ...

12

Host

Services

FutureEntities

d9389fa …

024e881 …39c0348 …

3/8/2012

4

Other XIA Principles• Narrow waist for all principals

– Defines the API between the principals and the network t l h iprotocol mechanisms

• Narrow waist for trust management– Ensure that the inputs to the intrinsically secure system match the trust assumptions and intensions of the user

– Narrow waist allows leveraging diverse mechanisms for trust management: CAs, reputation, personal, …g , p , p ,

• All other network functions are explicit services– Keeps the architecture simple and easy to reason about– XIA provides a principal type for services (visible)

13Look familiar?

XIA: eXpressive Internet Architecture

• Each communication operation expresses the intent of the operationintent of the operation– Also: explicit trust management, APIs among actors

• XIA is a single inter‐network in which all principals are connected

Not a collection of architectures implemented– Not a collection of architectures implemented through, e.g., virtualization or overlays

– Not based on a “preferred” principal (host or content), that has to support all communication

14

What ApplicationsDoes XIA Support?

• Since XIA supports host‐based communication, today’s applications continue to worktoday s applications continue to work– Will benefit from the intrinsic security properties

• New applications can express the right principal– Can also specify other principals (host based) as fallbacks– Content‐centric applicationsExplicit reliance on network services– Explicit reliance on network services

– Mobile users– As yet unknown usage models

15

XIA Components and Interactions

‐Network  User‐Network

Applications

Users

Services

IntrinsicSecurity rt

hy Network Ope

ratio

n

Network‐

eXpressive Internet Protocol

HostSupport

ContentSupport

ServicesSupport

…y

16

Trustw

or

3/8/2012

5

How about the Real World?

UsersUser trust

Policyand 

Economics

TrustManagement

NetworkOperations

TransparencyControlPrivacy

IncentivesProvider

Relationships

17

Core  Network

VerifiableActions

ForwardingTrustPolicy

ControlPoints

Core  Network

Outline• Background• XIA principlesp p• XIA architecture

– Multiple principals– DAG‐based addressing– Intrinsic securityld• Building XIA

• Transport services• Security and Scion• Conclusion

18

Developing XIA v0.1• Principles do not make an architecture!• Meet the core XIA team:

FahadDogar

AshokAnand

DongsuHan

HyeontaekLim

Meet the core XIA team:

19

BoyanLi

MichelMachadoy

WenfeiWu

• Next: multiple principals, fallbacks and DAGs, intrinsic security

Five happy professors cheering: John Byers, Aditya Akella, Dave Anderson,

Srini Seshan, Peter Steenkiste

What Do We Mean by Evolvability?

• Narrow waist of the Internet has allowed the network to evolve significantlynetwork to evolve significantly

• But need to evolve the waist as well!– Can make the waist smarter

IP: Evolvability of:

XIA adds evolvabilityat the waist:

Applications

2020

Applications

Link technologies

Applications

Evolvingset of principals

Link technologies

3/8/2012

6

Multiple Principal Types

• Hosts XIDs support host‐based communication similar to IP – who?

• Service XIDs allow the network to route to possibly replicated services – what does it do?– LAN services access, WAN replication, …

• Content XIDs allow network to retrieve content from “anywhere” – what is it?– Opportunistic caches, CDNs, …

• Autonomous domains allow scoping, hierarchy• What are conditions for adding principal types?

21

Multiple Principal TypesHostHIDSIDCIDContent

Service

HostHIDSID

HostHID

Choice involves tradeoffs:• Control• Efficiency

• Trust• Privacy

CIDContentCID

ContentCID

ContentCID

ContentCID

SIDy y

22

ServiceSIDCID

ContentCID

CID CID

ContentCID

ContentCID

ServiceSID

Supporting Evolvability• Introduction of a new principal type will be incremental – no “flag day”!– Not all routers and ISPs will provide support from day one

• Creates chicken and egg problem ‐ what comes first: network support or use in applications

• Solution is to provide an intent and fallback address

dd llCID

….

DestAD:HID

23

– Intent address allows in‐network  optimizations based on user intent

– Fallback address is guaranteed to be reachable

AD:HID

….

Payload

Src

Our Solution: DAG‐Based Addressing

• Uses direct acyclic graph (DAG)N d t d ID (XID i id tifi )– Nodes: typed IDs (XID; expressive identifier)

– Outgoing edges: possible routing choices

• Simple example: Sending a packet to HIDS

Dummy source:special node indicating 

packet sender

Intent:final destination of packetwith no outgoing edges

HIDS

24

3/8/2012

7

Support for Fallbacks with DAG

• A node can have multiple outgoing edges

CIDA

HIDS

Fallback edge(low priority edge)

Primary edges

Intermediate node

• Outgoing edges have priority among them– Forwarding to HIDS is attempted if forwarding to CIDA is not possible – Realization of fallbacks

25

Support for Scoping with DAGClient side Server‐side domain 

hierarchy

AD0

AD1

HIDS

1

Support scalable routing, binding, migration, mobility, …26

Iterative Refinement: Scoping while Maintaining Intent

Client side Server‐side domain hierarchyhierarchy

AD0 HIDS

CIDS

AD1

S

27

Scoping Example:Service Migration & Client Mobility

Migrating a service (e.g., process, …) from one host  Client attachment point 

h f 3G t WiFi

SIDSHIDA

p , )to another host changes from 3G to WiFi

HIDC3G

Server rebind

Client rebind

28

SIDSHIDB HIDCWiFi

rebind rebind

Intent remains constant:End point verification through intrinsic security

3/8/2012

8

How Do We SupportIncremental Deployment?

• Experience with IPv6 shows this is hard! MatthewMukerjee

– Often involves manual configuration

• Idea is to leverage XIA address flexibility to support IPv4 as an “old” principal type– Was designed to support new principal types– I e backwards instead of “forward” compatible

j

I.e. backwards instead of  forward  compatible

• 4ID is an XIA principal type that represents an IPv4 address– Typically used as fallback to transit IPv4 clouds

29

4ID in Action:Partially Deployed XIA Networks

XIA Network A XIA Network BIPv4 Network

4IDS

ADS

30

Entering IPv4 network:Encapsulate XIA packet 

with IP header

Entering XIA network:Remove IP header for native 

XIA packet processing

No need for statically configured tunnelsWorks for arbitrary pairs of XIA networks

4ID in Action:  Transition toFully Deployed XIA Networks

XIA Network A XIA Network BXIA Network CXIA Network A XIA Network BXIA Network C

4IDS

ADS

31

Use native XIA forwardingand ignore fallback

Seamless incremental deployment of XIA

DAG Addressing Research Questions

• DAG addressing supports is flexible …llb k b d b l– Fallback, binding, source routing, mobility, ..

• … but many questions remain:– Is it expensive to process?– How big will the addresses be?– How do ISPs verify policy compliance?How do ISPs verify policy compliance?– Can they be used to attack network?– Can it be deployed incrementally?

32

3/8/2012

9

Intrinsic Security in XIA• XIA uses self‐certifying identifiers that guarantee security properties for communication operationy p p p– Host ID is a hash of its public key – accountability (AIP)– Content ID is a hash of the content – correctness– Does not rely on external configurations

• Intrinsic security is specific to the principal type• Example: retrieve content using …Example: retrieve content using …

– Content XID: content is correct– Service XID: the right service provided content– Host XID: content was delivered from right host

33

Example of Secure Mobile Service AccessServer S2:HIDS2SIDBoF

Register “bof.com”-> ADBOF:SIDBOF

ADBoF:HIDS:SIDBoFADC:HIDC:SIDC

XIA Internet

ADBoF

Server S:HIDSSIDBoF

SIDBoF

ADBoF:SIDBoF

SIDBOF SX

2

ADBoF:HIDS2:SIDBoFADC:HIDC:SIDC

ADBoF:HIDS2:SIDBoFADC2:HIDC:SIDC

34

SIDResolvADC

Name Resolution ServiceClient C:HIDCSIDC

ADC2

Client C:HIDCSIDC

bof.com ADBOF:SIDBOF

Outline• Background• XIA principles• XIA architecture• Building XIA

– Forwarding packets– Building a networkP t t– Prototype

• Transport services• Security and Scion • Conclusion

35

Putting Address into Packet Headers

Per‐node viewGraphic view

CIDA

HIDS HIDSNode 0

Node ‐1

Node 1

Node 0

Node 1

S

CIDANode 1

36

3/8/2012

10

XIP Packet Header• DAGs represent source and destination addresses• Array of nodes with pointers• Maintains a LastNode field in the header

– Routers to know where to begin forwarding lookups

Version=XIP1.0 Next Header Payload length

Hop Limit #Destination nodes 

#Source nodes Last  node= AD1

XID type

i s

160 Bit ID

Edge0 Edge1 Edge2 Edge3

…

XID type

160 Bit ID

Edge 0 Edge 1 Edge 2 Edge 3

….

Des

tinat

on n

ode s

Sou

rce

node

s

Router’s View on Packet Forwarding

SIDS

ADS HIDS

SIDS

Last visited node (In packet header)

38

1. Forward to SIDS if possible2. Otherwise, forward to ADS

• If router is ADS itself,update last visited node to ADS

XIP Forwarding1. Find a routable edge from last visited node and select one 

with highest priority2. If the next node refers to itself

1. Advance last visited node pointer2. If there is no outgoing edge, the packet has arrived at the 

destination; send it to upper layer (transport)3. Otherwise, go to step 1

3. Otherwise, try to forward to next hop1. Forward if forwarding information is availableg2. Otherwise move to next node in the list

No per‐packet state in routers – high‐speed forwarding

39

Packet Processing Pipeline

Next‐DestXID Type Classifier

AD

HID

SID

RouteSuccess

?

Source XID Type Classifier

AD

HID

SIDInput Output

• Principle‐independent processing defines how to interpret the DAG• The core XIA architecture

Classifier SI

CID?Classifier SID

CID

40

The core XIA architecture• Principle‐dependent processing  realizes forwarding semantics for each XID type

• Optimizations possible: fast path processing, packet level and intra‐packet parallelism

3/8/2012

11

Per‐hop DAG Processing• Iteratively examine all the outgoing edges of last node in destination DAG

LastNode

node in destination DAG• If route is found, packet is forwarded. Otherwise, try next preferred edge

? Is CID routableNo route found for CID

CID

Intent

AD1Fallback

? Is AD1routable

Route found

Processing cost depends on #edges examined

Performance Optimizations

• Packet‐level parallelism• Fast‐path processing• Intra‐packet parallelism

DongsuHan

HyeontaekLim

Packet‐level Parallelism

• Process multiple packets concurrently• Applies for AD and HID tables handled easily• Applies for AD and HID tables handled easily

– Similar to current IP forwarding• However, CID and SID tables have more frequent updates – Defer updates to parallelize lookups

• Many software routers use multiple cores to• Many software routers use multiple cores to process IP packets in parallel– Leverage these platforms for packet‐level parallelism

Fast‐path Processing

• Store results in a look‐aside cache for earlier l k f l t i it d d d it dlookups of last visited node and its edges

• For a new packet, first lookup the cache using hash of last visited node and its edges– If this lookup fails, take slow path of examining edges iterativelyg y

3/8/2012

12

Intra‐packet Parallelism• Examine all outgoing edges of last node in parallel• Combine results from all lookups and choose theCombine  results from all lookups and choose the preferred one

• Processing cost no longer depends much on #edges in the DAG

Copyqueue

queue

Route-lookup

Route-lookup Synchronizemerge result

• Difficult to implement in software routers– High synchronization cost – need hardware support

queue

queue

Route-lookup

Route-lookup

merge resultAnd output

Evaluation Setup

• Router• Packet generatorSoftware:PacketShader I/O Engine (KAIST)Click modular router – multithreaded(12 threads)

H dHardware:10Gbit NIC : 4 ports (multi‐queue support)2x 6 Core Intel Xeon @ 2.26GHz

Forwarding Performance Comparison

351K FIB entries Workload Identifiers generated sing Pareto

XIP forwarding is fast!@128 byte FB0 is 8% slower than IP @192 byte FB3 is 26% slower than IP

Workload: Identifiers generated using Pareto distribution

CPU Time for Processing

With increase in number of fallbacks, the look up time increases.

3/8/2012

13

Fast Path Performance

8% drop

20% drop

Look-aside cache of 1024 entries

Using fast-path processing, the gap between FB0 and FB3 is reduced significantly !

Intra‐packet Parallelism Micro‐benchmark

• Micro bench of processing time ignoring the h i ti h dsynchronization overhead

Potential speedup using intra-packet parallelism

Summary

• XIA packet forwarding cost is comparable to IP!• Inter‐packet parallelism and fast‐path can be applied to get high‐speed XIA forwarding on software routers

• Intra‐packet parallelism can be used for further speedup in hardware implementationsspeedup in hardware implementations

Outline• Background• XIA principlesp p• XIA architecture• Building XIA

– Forwarding packets– Building a network– Prototype

• Transport services• Security and Scion • Conclusion

52

3/8/2012

14

XIP Protocol Stack

Chunking

ApplicationsRouting

XIP

XDP XSP XChunkP Cache

Chunking

Xsockets

ARP

DHCP(XUDP)

53

Datalink

XIPARP

XCMP

Prototype Platform• Click‐based prototype in progress

– Full stack for routers, caches, and end‐pointsFull stack for routers, caches, and end points– Barebones transport, routing, ...

• Ongoing research in these areas

– User‐level/in‐kernel, native/overlay

• Initial release expected end of March– Focus on GENI based experiments– Broaden set of developers

• Extend over time by integrating research 54

Some Ongoing Research Activities• Transport protocols

– Multiple principals content congestion control– Multiple principals, content, congestion control, ..

• Deployment of services and applications– Use of principal types, intrinsic security, …

• Network operations– Alternative routing strategies, e.g. Sciong g , g– Definition of DAGs, naming, diagnostics, …

• Evaluation and refinement of architecture• User studies, policy/economics collaboration

55

Outline

• BackgroundXIA i i l• XIA principles

• XIA architecture• Building XIA• Transport services

– Tapa concepts– Application examples

• Security and Scion • Conclusion

56

3/8/2012

15

The IP Abstraction Today FahadDogar

R RRR R

Can no longer hidedifferences!

57

RR

Wireless and Mobile Transport Challenges

• Increasing network heterogeneityUnbundling

FahadDogar

– Paths are no longer homogeneous

• Heterogeneous devices, usage– Relaxed end‐point synchronization

• Diverse network servicesC t t t i l bilit i

Visiblei k

Unbundlingnetworktransport

– Content retrieval, mobility services

• Topology control– Handoff, multi‐path

58

in‐networkservice

Transport Services for Challenged Networks

• Current end‐to‐end transport assumes a dumb network that is fairly homogeneousnetwork that is fairly homogeneous– Today’s network is heterogeneous and quite smart

• Unbundling the transport layer allows custom solutions for key transport functions– E.g. custom congestion control for wireless links

• Visible in network services allow insertion of diverse• Visible in‐network services allow insertion of diverse functions that coordinate with applications– Reduced synchronization … caching ... transcoding– Services visible as part of end‐to‐end semantics

• Use of ADUs key to integration of concepts  59

Transfer Access Points

• Tapa supports visible middleboxes (TAPs) that break up end‐end connections in homogeneous segments

Segment SegmentSegment

Segment

up end end connections in homogeneous segments• Segments support best effort delivery of “chunks”

– Segments can use custom solutions for congestion, flow, and error control

– Chunks are self‐certifying blocks of data (ADUs)60

3/8/2012

16

Unbundling the Transport Layer

TransferTransport

Transport

Service

• Transfer layer glues segments into e‐e path– Kind of like IP but across segments not hops

TransferTransfer

Segment SegmentSegment

SegmentService

– Kind of like IP, but across segments, not hops– Naturally supports insertion of network services

• Thin end‐to‐end transport supports e‐e semantics– Also flow, error, congestion control across segment path– Must account for failures of TAPs, segment breaks, etc.

61

Tapa Prototype

• Leverages Data‐Oriented Transport (DOT)U lf tif i h k f d t– Uses self‐certifying chunks of data

– Supports application‐independent caching

• Uses diverse protocols for wireless segment– TCP is convenient solution for wired backbone

• End‐end transport intelligence is implementedEnd end transport intelligence is implemented on mobile host and TAP– Vehicular communication– Catnap battery savings 

62

Vehicular Example

Wired

Service

• Vehicle‐infrastructure suffers from frequent interruptions, short periods of connectivity

ServiceService

interruptions, short periods of connectivity• Vehicle optimizes transfers by explicitly managing server‐TAP and TAP‐vehicle transfers– Requires minimal service on TAP, e.g. caching– Leverages self‐certifying content identifiers

63

BW Discrepancy in typical end‐to‐end transfers

40 Mbps 3 MbpsWireless APClient Server

3-5 Mbps54 Mbps40 Mbps

Idle period = 3.7ms – too small for PSM

0.3ms

3 Mbps

Packet Transmission Time = 4ms

Catnap leverages this opportunity to provide

64

p g pp y pup to 2‐5x energy savings during data transfers

3/8/2012

17

Catnap Design OverviewCatnap ProxyClient Server

1. Request 2. Request

1. Decoupling of Wired and Wireless Segments

3. ResponseHINT Data DataScheduler

5. Burst

Data

4. Buffering

65

2. ADU Hint ‐‐ Length of ADU

3. Scheduler – Decides when to send data to client

How much can the NIC sleep?TCP transfers remain in active state

Transfer times do not increase with 

Time (Sec) Sleep time with Catnap increases as 

transfer size increases

Catnap

66Transfer Size

128kB 1MB 5MB

Tapa and XIA

• Content‐centric optimizations in Tapa can be h d “i t th t k”pushed “into the network”

– Tapa can use Content XIDs rather than host XIDs– Old APs can be listed as hints (rather than server)

• Tapa needs support from services on/near APs– Simple “decoupling services” contentSimple  decoupling services , content optimization, Catnap, higher level services

• Tapa benefits from intrinsic security properties

67

Generalizing Tapa

• Tapa exposes a simple API to applications:– GetADU/SendADU to fetch/push chunks– Can provide hints on nearby TAPs to use

• API not specific for mobile/wireless applications– Can use application‐independent cachesCan use application independent caches– Can manage caches explicitly based on external information

– Insert services as part of transport layer68

3/8/2012

18

Outline

• BackgroundXIA i i l• XIA principles

• XIA architecture• Building XIA• Transport services• Security and Scion y• Conclusion

69

How about the Real World?

UsersUser trust

Policyand 

Economics

TrustManagement

NetworkOperations

TransparencyControlPrivacy

IncentivesProvider

Relationships

TrustManagement

NetworkOperations

70

Core  Network

VerifiableActions

ForwardingTrustPolicy

ControlPoints

Core  Network

Outline Security

• Security architecture– Requirements– XIA principles and concepts– Security architecture

• Scion path selection– Principles– Principles– Architecture

71

XIA Security• A key feature of XIA is flexibility, thus, the architecture can be extended in ways we

Adrian Perrig

DaveAndersen

architecture can be extended in ways we cannot anticipate

• XIA security depends on– Underlying architecture– XIA extension principals and mechanisms– Specific extensions future designers choose

• Consequently, detailed security analysis depends on specific principal types

72

3/8/2012

19

XIA High‐Level Security Goals

• Support today's Internet‐style host‐to‐host communication with drastically improved securitycommunication with drastically improved security

• Provide improved security for two classes of communication we anticipate being important: content retrieval & accessing services

• Provide groundwork for future extensions to make good decisions w r t security and availabilitygood decisions w.r.t. security and availability

73

Main Security Properties• Availability

– Communication availability (hosts and services)– Finding nearby content and servicesg y– Defenses against DoS attacks

• Authenticity / integrity– Authentication of user, host, domain, service, content

• Accountability– For deterrence, hold actors accountableFor deterrence, hold actors accountable

• Secrecy of identity, anonymity, privacy– Sender / receiver privacy if desired

• Flexible trust management– How to set up trust relations, roots of trust

Security‐relevant XIA Mechanisms• Intrinsically secure identifiers

– XIA uses self‐certifying identifiers that guarantee security y g g yproperties for communication operation

– Security properties depend on principal type

• Multiple principal types– Allow user to express intent – gives network flexiblity

• Flexible trust managementg– Translating user recognizable names into cryptographic identifiers

– Provide rich set of mechanisms for mapping

75

Flexible Trust Management• Trust management operations

– Name resolution: name‐>XID– Shared key setup among communicating entities

• Minimal / meaningful root of trust• Narrow waist: minimal / flexible API• Need to involve user for trust decisions• Mechanisms• Mechanisms

– Scoped trust roots– PKI‐type trust management remains important mechanism– Perspectives‐style trust management adds flexibility

76

3/8/2012

20

High‐Level XIA Security Goals• Availability

– Multiple principal types• Provide diversity on how to accomplish goal, DAG‐based forwardingy p g , g• Enable principal‐specific security mechanisms, e.g., DDoS defenses

– Intrinsically secure identifiers prevent hijacking / impersonation– Inherent replication and migration

• Authenticity / integrity– Intrinsically secure identifiers enable origin verification

• Accountability– Audit trails for network events– Intrinsically secure identifiers enable origin accountability

• Privacy / anonymity: plan to support for some principals

SCION Architectural Goals

• High availability, even for networks with malicious parties• Explicit trust for network operations• Explicit trust for network operations• Minimal TCB: limit number of entities that need to be trusted 

for any operation– Strong isolation from untrusted parties

• Operate with mutually distrusting entities– No single root of trust

• Enable route control for ISPs, receivers, senders• Simplicity, efficiency, flexibility, and scalability

78

Adrian Perrigand Students

Property: Isolation

… …

• Operate with mutually distrusting entities• No single root of trust • Localization of attacks

… …

PSC

I2L3

… …

D

CA B

… …

79

CMU

M

Attacks(e.g., bad routes)

D

Property: Control… …

… …… …

CMU

PSC

I2L3

D

CA B

Use Level 3 by default

Use Level 3 by default

Please reach me via A or B

Please reach me via A or B

Hide the peering link from CMU

Hide the peering link from CMU

80

• Transit ISPs: select paths to support• Destination: select paths to receive packets• Source: select paths to send packets• Support rich policies and DDoS defenses

by defaultby default

3/8/2012

21

Property: Explicit Trust

• Know who needs to be trusted

Level 3 Internet 2

• Select whom to trust X Y Z• Higher confidence in selected paths• Higher reliability in data delivery• Enforceable accountability

… … … … … …

81CMU

PSC

Who will forwardPackets on the path?

Who will forwardPackets on the path?Go through X and Z,

but not YGo through X and Z,

but not Y

SCION Architecture Overview

• Path construction• Path resolution• Route joining

(shortcuts)

PCB PCB PCBPCB

82

SourceDestination

Hierarchical Decomposition

• Global set of TD (Trust Domains) Map to geographic, political, legal boundariesMap to geographic, political, legal boundaries

• TD Core: set of top‐tier ISPs that manage TD Route to other TDs Send routing beacons Manage Address and Path Translation Servers Handle TD membership Root of trust for TD: manage root key and certificatesRoot of trust for TD: manage root key and certificates

• AD is atomic failure unit, contiguous/autonomous domainTransit AD or endpoint AD

83

Path ConstructionGoal: each endpoint learns multiple verifiable paths to its core

• Discovering paths via Path Construction Beacons (PCBs)Discovering paths via Path Construction Beacons (PCBs)

TD Core periodically initiates PCBs

Providers advertise upstream topology to peering and customer ADs

• ADs perform the following operations

Collect PCBs

For each neighbor AD, select which k PCBs to forwardFor each neighbor AD, select which k PCBs to forward

Update cryptographic information in PCBs

• Endpoint AD will receive up to k PCBs from each upstream AD, and select k down-paths and up-paths

84

3/8/2012

22

Forwarding

• Down‐path contains all forwarding decisions (AD traversed) from endpoint AD to TD corefrom endpoint AD to TD core Ingress/egress points for each AD, authenticated in opaque fields

ADs use internal routing to send traffic from ingress to egress point

• Joined end‐to‐end route contains full forwarding information from source to destinationfrom source to destination No routing / forwarding tables needed!

85

Open Challenges

• Study security interactions among principal ttypes

• Availability for content and service types• Accountability for content origin• Mechanisms for trust management

/• Privacy / anonymity: in‐network or overlay?

86

Conclusion Security• General XIA security mechanisms

– Intrinsically secure identifiers– Multiple principal types– Flexible trust management

• Specific security mechanisms– Replication, migrationSCION l d d l f h– SCION secure control and data plane for host‐to‐host communication

87

Conclusion• XIA supports evolution, 

expressiveness, and trustworthy operation.– Multiple principal types, flexible 

addressing, and intrinsic security 

• But research has just started!– Transport protocols, applications, 

services, …– Trustworthy protocols that fully utilizes 

intrinsic security of XIAintrinsic security of XIA

• More information onhttp://www.cs.cmu.edu/~xia

• Interested in protype – contact me!

88