network architecture* architecture · 2012. 3. 8. · nsf future internet architecture • program...
TRANSCRIPT
3/8/2012
1
XIA: An Architecture for a Trustworthy and Evolvable Internet
Peter SteenkisteDave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Hui Zhang
Carnegie Mellon UniversityAditya Akella, University of Wisconsin
John Byers, Boston University
1
y , y
Euro‐NF Course on Future Internet ArchitectureKaiserslautern, March 8, 2012
Network Architecture*
2* As defined by Google
The Internet Architecture
host
host
routerrouter
router
–Minimum functionality a network needs to implement to connect to the Internet
email WWW phone...
SMTP HTTP RTP...
TCP UDP…
hostrouter
router router
3
to implement to connect to the Internet• Forward packets across multiple networks
–Effectively the IP narrow waist• Minimalistic definition of architecture• All other functions needed are built on top
IP
ethernet PPP…
CSMA async sonet...
copper fiber radio...
NSF Future Internet Architecture• Program focused on fundamental changes to the Internet architecture– Long‐term, multi‐phase effort
• Four teams were selected in the second phase:– Named Internet Architecture: content centric networking ‐data is a (the) first class entity
– Mobility First: mobility as the norm rather than the exception – generalizes delay tolerant networking
– Nebula: Internet centered around cloud computing data centers that are well connected
– eXpressive Internet Architecture: focus on trustworthiness, evolvability
4
3/8/2012
2
Outline
• BackgroundXIA i i l• XIA principles
• XIA architecture• Routing• Building XIA• Transport servicesp• Security and Scion• Conclusion
5
XIA VisionWe envision a future Internet that:• Is trustworthy
– Security broadly defined is the biggest challenge• Supports long‐term evolution of usage models
– Including host‐host, content retrieval, services, … • Supports long term technology evolution
– Not just for link technologies, but also for storage and computing capabilities in the network and end pointscomputing capabilities in the network and end‐points
• Allows all actors to operate effectively– Despite differences in roles, goals and incentives
6
Predicting the Future is Hard!– A lot of really smart people don’t agree:
Named Data Networking: content centric networking– Named Data Networking: content centric networking ‐ data is a first class entity
– Mobility First: mobility as the norm rather than the exception – generalizes delay tolerant networking
– Nebula: Internet centered around cloud computing data centers that are well connected
7
data centers that are well connected
We love all of them!
Today’s InternetSrc: Client IP
Dest: Server IP
• Client retrieves document from a specific web server– But client mostly cares about correctness of content timeliness
Client IPServer IP
TCP
But client mostly cares about correctness of content, timeliness– Specific server, file name, etc. are not of interest
• Transfer is between wrong principals– What if the server fails?– Optimizing transfer using local caches is hard
• Need to use application‐specific overlay or transparent proxy – bad!8
3/8/2012
3
eXpressive Internet Architecture
Src: Client ID
Dest: Content ID
• Client expresses communication intent for content explicitly– Network uses content identifier to retrieve content from appropriate
Dest: Content ID
PDA
Content
Network uses content identifier to retrieve content from appropriate location
• How does client know the content is correct? – Intrinsic security! Verify content using self‐certifying id:
hash(content) = content id• How does source know it is talking to the right client?
– Intrinsic security! Self‐certifying host identifiers9
A Bit More Detail …Dest: Service IDContent Name?
Flexible TrustManagement
Dest: Client IDContent ID
Dest: Content ID
DiverseCommunicating
Entities
Hash( ) = CID?
Anywhere
IntrinsicSecurity
10
Evolvable Set of Principals• Identifying the intended communicating entities reduces complexity and overheadentities reduces complexity and overhead– No need to force all communication at a lower level (hosts), as in today’s Internet
• Allows the network to evolveContenta581fe9 ...
11
Host
Services
FutureEntities
d9389fa …
024e881 …39c0348 …
Security as Intrinsic as Possible• Security properties are a direct result of the design of the systemg y– Do not rely on correctness of external configurations, actions, data bases
– Malicious actions can be easily identified
Contenta581fe9 ...
12
Host
Services
FutureEntities
d9389fa …
024e881 …39c0348 …
3/8/2012
4
Other XIA Principles• Narrow waist for all principals
– Defines the API between the principals and the network t l h iprotocol mechanisms
• Narrow waist for trust management– Ensure that the inputs to the intrinsically secure system match the trust assumptions and intensions of the user
– Narrow waist allows leveraging diverse mechanisms for trust management: CAs, reputation, personal, …g , p , p ,
• All other network functions are explicit services– Keeps the architecture simple and easy to reason about– XIA provides a principal type for services (visible)
13Look familiar?
XIA: eXpressive Internet Architecture
• Each communication operation expresses the intent of the operationintent of the operation– Also: explicit trust management, APIs among actors
• XIA is a single inter‐network in which all principals are connected
Not a collection of architectures implemented– Not a collection of architectures implemented through, e.g., virtualization or overlays
– Not based on a “preferred” principal (host or content), that has to support all communication
14
What ApplicationsDoes XIA Support?
• Since XIA supports host‐based communication, today’s applications continue to worktoday s applications continue to work– Will benefit from the intrinsic security properties
• New applications can express the right principal– Can also specify other principals (host based) as fallbacks– Content‐centric applicationsExplicit reliance on network services– Explicit reliance on network services
– Mobile users– As yet unknown usage models
15
XIA Components and Interactions
‐Network User‐Network
Applications
Users
Services
IntrinsicSecurity rt
hy Network Ope
ratio
n
Network‐
eXpressive Internet Protocol
HostSupport
ContentSupport
ServicesSupport
…y
16
Trustw
or
3/8/2012
5
How about the Real World?
UsersUser trust
Policyand
Economics
TrustManagement
NetworkOperations
TransparencyControlPrivacy
IncentivesProvider
Relationships
17
Core Network
VerifiableActions
ForwardingTrustPolicy
ControlPoints
Core Network
Outline• Background• XIA principlesp p• XIA architecture
– Multiple principals– DAG‐based addressing– Intrinsic securityld• Building XIA
• Transport services• Security and Scion• Conclusion
18
Developing XIA v0.1• Principles do not make an architecture!• Meet the core XIA team:
FahadDogar
AshokAnand
DongsuHan
HyeontaekLim
Meet the core XIA team:
19
BoyanLi
MichelMachadoy
WenfeiWu
• Next: multiple principals, fallbacks and DAGs, intrinsic security
Five happy professors cheering: John Byers, Aditya Akella, Dave Anderson,
Srini Seshan, Peter Steenkiste
What Do We Mean by Evolvability?
• Narrow waist of the Internet has allowed the network to evolve significantlynetwork to evolve significantly
• But need to evolve the waist as well!– Can make the waist smarter
IP: Evolvability of:
XIA adds evolvabilityat the waist:
Applications
2020
Applications
Link technologies
Applications
Evolvingset of principals
Link technologies
3/8/2012
6
Multiple Principal Types
• Hosts XIDs support host‐based communication similar to IP – who?
• Service XIDs allow the network to route to possibly replicated services – what does it do?– LAN services access, WAN replication, …
• Content XIDs allow network to retrieve content from “anywhere” – what is it?– Opportunistic caches, CDNs, …
• Autonomous domains allow scoping, hierarchy• What are conditions for adding principal types?
21
Multiple Principal TypesHostHIDSIDCIDContent
Service
HostHIDSID
HostHID
Choice involves tradeoffs:• Control• Efficiency
• Trust• Privacy
CIDContentCID
ContentCID
ContentCID
ContentCID
SIDy y
22
ServiceSIDCID
ContentCID
CID CID
ContentCID
ContentCID
ServiceSID
Supporting Evolvability• Introduction of a new principal type will be incremental – no “flag day”!– Not all routers and ISPs will provide support from day one
• Creates chicken and egg problem ‐ what comes first: network support or use in applications
• Solution is to provide an intent and fallback address
dd llCID
….
DestAD:HID
23
– Intent address allows in‐network optimizations based on user intent
– Fallback address is guaranteed to be reachable
AD:HID
….
Payload
Src
Our Solution: DAG‐Based Addressing
• Uses direct acyclic graph (DAG)N d t d ID (XID i id tifi )– Nodes: typed IDs (XID; expressive identifier)
– Outgoing edges: possible routing choices
• Simple example: Sending a packet to HIDS
Dummy source:special node indicating
packet sender
Intent:final destination of packetwith no outgoing edges
HIDS
24
3/8/2012
7
Support for Fallbacks with DAG
• A node can have multiple outgoing edges
CIDA
HIDS
Fallback edge(low priority edge)
Primary edges
Intermediate node
• Outgoing edges have priority among them– Forwarding to HIDS is attempted if forwarding to CIDA is not possible – Realization of fallbacks
25
Support for Scoping with DAGClient side Server‐side domain
hierarchy
AD0
AD1
HIDS
1
Support scalable routing, binding, migration, mobility, …26
Iterative Refinement: Scoping while Maintaining Intent
Client side Server‐side domain hierarchyhierarchy
AD0 HIDS
CIDS
AD1
S
27
Scoping Example:Service Migration & Client Mobility
Migrating a service (e.g., process, …) from one host Client attachment point
h f 3G t WiFi
SIDSHIDA
p , )to another host changes from 3G to WiFi
HIDC3G
Server rebind
Client rebind
28
SIDSHIDB HIDCWiFi
rebind rebind
Intent remains constant:End point verification through intrinsic security
3/8/2012
8
How Do We SupportIncremental Deployment?
• Experience with IPv6 shows this is hard! MatthewMukerjee
– Often involves manual configuration
• Idea is to leverage XIA address flexibility to support IPv4 as an “old” principal type– Was designed to support new principal types– I e backwards instead of “forward” compatible
j
I.e. backwards instead of forward compatible
• 4ID is an XIA principal type that represents an IPv4 address– Typically used as fallback to transit IPv4 clouds
29
4ID in Action:Partially Deployed XIA Networks
XIA Network A XIA Network BIPv4 Network
4IDS
ADS
30
Entering IPv4 network:Encapsulate XIA packet
with IP header
Entering XIA network:Remove IP header for native
XIA packet processing
No need for statically configured tunnelsWorks for arbitrary pairs of XIA networks
4ID in Action: Transition toFully Deployed XIA Networks
XIA Network A XIA Network BXIA Network CXIA Network A XIA Network BXIA Network C
4IDS
ADS
31
Use native XIA forwardingand ignore fallback
Seamless incremental deployment of XIA
DAG Addressing Research Questions
• DAG addressing supports is flexible …llb k b d b l– Fallback, binding, source routing, mobility, ..
• … but many questions remain:– Is it expensive to process?– How big will the addresses be?– How do ISPs verify policy compliance?How do ISPs verify policy compliance?– Can they be used to attack network?– Can it be deployed incrementally?
32
3/8/2012
9
Intrinsic Security in XIA• XIA uses self‐certifying identifiers that guarantee security properties for communication operationy p p p– Host ID is a hash of its public key – accountability (AIP)– Content ID is a hash of the content – correctness– Does not rely on external configurations
• Intrinsic security is specific to the principal type• Example: retrieve content using …Example: retrieve content using …
– Content XID: content is correct– Service XID: the right service provided content– Host XID: content was delivered from right host
33
Example of Secure Mobile Service AccessServer S2:HIDS2SIDBoF
Register “bof.com”-> ADBOF:SIDBOF
ADBoF:HIDS:SIDBoFADC:HIDC:SIDC
XIA Internet
ADBoF
Server S:HIDSSIDBoF
SIDBoF
ADBoF:SIDBoF
SIDBOF SX
2
ADBoF:HIDS2:SIDBoFADC:HIDC:SIDC
ADBoF:HIDS2:SIDBoFADC2:HIDC:SIDC
34
SIDResolvADC
Name Resolution ServiceClient C:HIDCSIDC
ADC2
Client C:HIDCSIDC
bof.com ADBOF:SIDBOF
Outline• Background• XIA principles• XIA architecture• Building XIA
– Forwarding packets– Building a networkP t t– Prototype
• Transport services• Security and Scion • Conclusion
35
Putting Address into Packet Headers
Per‐node viewGraphic view
CIDA
HIDS HIDSNode 0
Node ‐1
Node 1
Node 0
Node 1
S
CIDANode 1
36
3/8/2012
10
XIP Packet Header• DAGs represent source and destination addresses• Array of nodes with pointers• Maintains a LastNode field in the header
– Routers to know where to begin forwarding lookups
Version=XIP1.0 Next Header Payload length
Hop Limit #Destination nodes
#Source nodes Last node= AD1
XID type
i s
160 Bit ID
Edge0 Edge1 Edge2 Edge3
…
XID type
160 Bit ID
Edge 0 Edge 1 Edge 2 Edge 3
….
Des
tinat
on n
ode s
Sou
rce
node
s
Router’s View on Packet Forwarding
SIDS
ADS HIDS
SIDS
Last visited node (In packet header)
38
1. Forward to SIDS if possible2. Otherwise, forward to ADS
• If router is ADS itself,update last visited node to ADS
XIP Forwarding1. Find a routable edge from last visited node and select one
with highest priority2. If the next node refers to itself
1. Advance last visited node pointer2. If there is no outgoing edge, the packet has arrived at the
destination; send it to upper layer (transport)3. Otherwise, go to step 1
3. Otherwise, try to forward to next hop1. Forward if forwarding information is availableg2. Otherwise move to next node in the list
No per‐packet state in routers – high‐speed forwarding
39
Packet Processing Pipeline
Next‐DestXID Type Classifier
AD
HID
SID
RouteSuccess
?
Source XID Type Classifier
AD
HID
SIDInput Output
• Principle‐independent processing defines how to interpret the DAG• The core XIA architecture
Classifier SI
CID?Classifier SID
CID
40
The core XIA architecture• Principle‐dependent processing realizes forwarding semantics for each XID type
• Optimizations possible: fast path processing, packet level and intra‐packet parallelism
3/8/2012
11
Per‐hop DAG Processing• Iteratively examine all the outgoing edges of last node in destination DAG
LastNode
node in destination DAG• If route is found, packet is forwarded. Otherwise, try next preferred edge
? Is CID routableNo route found for CID
CID
Intent
AD1Fallback
? Is AD1routable
Route found
Processing cost depends on #edges examined
Performance Optimizations
• Packet‐level parallelism• Fast‐path processing• Intra‐packet parallelism
DongsuHan
HyeontaekLim
Packet‐level Parallelism
• Process multiple packets concurrently• Applies for AD and HID tables handled easily• Applies for AD and HID tables handled easily
– Similar to current IP forwarding• However, CID and SID tables have more frequent updates – Defer updates to parallelize lookups
• Many software routers use multiple cores to• Many software routers use multiple cores to process IP packets in parallel– Leverage these platforms for packet‐level parallelism
Fast‐path Processing
• Store results in a look‐aside cache for earlier l k f l t i it d d d it dlookups of last visited node and its edges
• For a new packet, first lookup the cache using hash of last visited node and its edges– If this lookup fails, take slow path of examining edges iterativelyg y
3/8/2012
12
Intra‐packet Parallelism• Examine all outgoing edges of last node in parallel• Combine results from all lookups and choose theCombine results from all lookups and choose the preferred one
• Processing cost no longer depends much on #edges in the DAG
Copyqueue
queue
Route-lookup
Route-lookup Synchronizemerge result
• Difficult to implement in software routers– High synchronization cost – need hardware support
queue
queue
Route-lookup
Route-lookup
merge resultAnd output
Evaluation Setup
• Router• Packet generatorSoftware:PacketShader I/O Engine (KAIST)Click modular router – multithreaded(12 threads)
H dHardware:10Gbit NIC : 4 ports (multi‐queue support)2x 6 Core Intel Xeon @ 2.26GHz
Forwarding Performance Comparison
351K FIB entries Workload Identifiers generated sing Pareto
XIP forwarding is fast!@128 byte FB0 is 8% slower than IP @192 byte FB3 is 26% slower than IP
Workload: Identifiers generated using Pareto distribution
CPU Time for Processing
With increase in number of fallbacks, the look up time increases.
3/8/2012
13
Fast Path Performance
8% drop
20% drop
Look-aside cache of 1024 entries
Using fast-path processing, the gap between FB0 and FB3 is reduced significantly !
Intra‐packet Parallelism Micro‐benchmark
• Micro bench of processing time ignoring the h i ti h dsynchronization overhead
Potential speedup using intra-packet parallelism
Summary
• XIA packet forwarding cost is comparable to IP!• Inter‐packet parallelism and fast‐path can be applied to get high‐speed XIA forwarding on software routers
• Intra‐packet parallelism can be used for further speedup in hardware implementationsspeedup in hardware implementations
Outline• Background• XIA principlesp p• XIA architecture• Building XIA
– Forwarding packets– Building a network– Prototype
• Transport services• Security and Scion • Conclusion
52
3/8/2012
14
XIP Protocol Stack
Chunking
ApplicationsRouting
XIP
XDP XSP XChunkP Cache
Chunking
Xsockets
ARP
DHCP(XUDP)
53
Datalink
XIPARP
XCMP
Prototype Platform• Click‐based prototype in progress
– Full stack for routers, caches, and end‐pointsFull stack for routers, caches, and end points– Barebones transport, routing, ...
• Ongoing research in these areas
– User‐level/in‐kernel, native/overlay
• Initial release expected end of March– Focus on GENI based experiments– Broaden set of developers
• Extend over time by integrating research 54
Some Ongoing Research Activities• Transport protocols
– Multiple principals content congestion control– Multiple principals, content, congestion control, ..
• Deployment of services and applications– Use of principal types, intrinsic security, …
• Network operations– Alternative routing strategies, e.g. Sciong g , g– Definition of DAGs, naming, diagnostics, …
• Evaluation and refinement of architecture• User studies, policy/economics collaboration
55
Outline
• BackgroundXIA i i l• XIA principles
• XIA architecture• Building XIA• Transport services
– Tapa concepts– Application examples
• Security and Scion • Conclusion
56
3/8/2012
15
The IP Abstraction Today FahadDogar
R RRR R
Can no longer hidedifferences!
57
RR
Wireless and Mobile Transport Challenges
• Increasing network heterogeneityUnbundling
FahadDogar
– Paths are no longer homogeneous
• Heterogeneous devices, usage– Relaxed end‐point synchronization
• Diverse network servicesC t t t i l bilit i
Visiblei k
Unbundlingnetworktransport
– Content retrieval, mobility services
• Topology control– Handoff, multi‐path
58
in‐networkservice
Transport Services for Challenged Networks
• Current end‐to‐end transport assumes a dumb network that is fairly homogeneousnetwork that is fairly homogeneous– Today’s network is heterogeneous and quite smart
• Unbundling the transport layer allows custom solutions for key transport functions– E.g. custom congestion control for wireless links
• Visible in network services allow insertion of diverse• Visible in‐network services allow insertion of diverse functions that coordinate with applications– Reduced synchronization … caching ... transcoding– Services visible as part of end‐to‐end semantics
• Use of ADUs key to integration of concepts 59
Transfer Access Points
• Tapa supports visible middleboxes (TAPs) that break up end‐end connections in homogeneous segments
Segment SegmentSegment
Segment
up end end connections in homogeneous segments• Segments support best effort delivery of “chunks”
– Segments can use custom solutions for congestion, flow, and error control
– Chunks are self‐certifying blocks of data (ADUs)60
3/8/2012
16
Unbundling the Transport Layer
TransferTransport
Transport
Service
• Transfer layer glues segments into e‐e path– Kind of like IP but across segments not hops
TransferTransfer
Segment SegmentSegment
SegmentService
– Kind of like IP, but across segments, not hops– Naturally supports insertion of network services
• Thin end‐to‐end transport supports e‐e semantics– Also flow, error, congestion control across segment path– Must account for failures of TAPs, segment breaks, etc.
61
Tapa Prototype
• Leverages Data‐Oriented Transport (DOT)U lf tif i h k f d t– Uses self‐certifying chunks of data
– Supports application‐independent caching
• Uses diverse protocols for wireless segment– TCP is convenient solution for wired backbone
• End‐end transport intelligence is implementedEnd end transport intelligence is implemented on mobile host and TAP– Vehicular communication– Catnap battery savings
62
Vehicular Example
Wired
Service
• Vehicle‐infrastructure suffers from frequent interruptions, short periods of connectivity
ServiceService
interruptions, short periods of connectivity• Vehicle optimizes transfers by explicitly managing server‐TAP and TAP‐vehicle transfers– Requires minimal service on TAP, e.g. caching– Leverages self‐certifying content identifiers
63
BW Discrepancy in typical end‐to‐end transfers
40 Mbps 3 MbpsWireless APClient Server
3-5 Mbps54 Mbps40 Mbps
Idle period = 3.7ms – too small for PSM
0.3ms
3 Mbps
Packet Transmission Time = 4ms
Catnap leverages this opportunity to provide
64
p g pp y pup to 2‐5x energy savings during data transfers
3/8/2012
17
Catnap Design OverviewCatnap ProxyClient Server
1. Request 2. Request
1. Decoupling of Wired and Wireless Segments
3. ResponseHINT Data DataScheduler
5. Burst
Data
4. Buffering
65
2. ADU Hint ‐‐ Length of ADU
3. Scheduler – Decides when to send data to client
How much can the NIC sleep?TCP transfers remain in active state
Transfer times do not increase with
Time (Sec) Sleep time with Catnap increases as
transfer size increases
Catnap
66Transfer Size
128kB 1MB 5MB
Tapa and XIA
• Content‐centric optimizations in Tapa can be h d “i t th t k”pushed “into the network”
– Tapa can use Content XIDs rather than host XIDs– Old APs can be listed as hints (rather than server)
• Tapa needs support from services on/near APs– Simple “decoupling services” contentSimple decoupling services , content optimization, Catnap, higher level services
• Tapa benefits from intrinsic security properties
67
Generalizing Tapa
• Tapa exposes a simple API to applications:– GetADU/SendADU to fetch/push chunks– Can provide hints on nearby TAPs to use
• API not specific for mobile/wireless applications– Can use application‐independent cachesCan use application independent caches– Can manage caches explicitly based on external information
– Insert services as part of transport layer68
3/8/2012
18
Outline
• BackgroundXIA i i l• XIA principles
• XIA architecture• Building XIA• Transport services• Security and Scion y• Conclusion
69
How about the Real World?
UsersUser trust
Policyand
Economics
TrustManagement
NetworkOperations
TransparencyControlPrivacy
IncentivesProvider
Relationships
TrustManagement
NetworkOperations
70
Core Network
VerifiableActions
ForwardingTrustPolicy
ControlPoints
Core Network
Outline Security
• Security architecture– Requirements– XIA principles and concepts– Security architecture
• Scion path selection– Principles– Principles– Architecture
71
XIA Security• A key feature of XIA is flexibility, thus, the architecture can be extended in ways we
Adrian Perrig
DaveAndersen
architecture can be extended in ways we cannot anticipate
• XIA security depends on– Underlying architecture– XIA extension principals and mechanisms– Specific extensions future designers choose
• Consequently, detailed security analysis depends on specific principal types
72
3/8/2012
19
XIA High‐Level Security Goals
• Support today's Internet‐style host‐to‐host communication with drastically improved securitycommunication with drastically improved security
• Provide improved security for two classes of communication we anticipate being important: content retrieval & accessing services
• Provide groundwork for future extensions to make good decisions w r t security and availabilitygood decisions w.r.t. security and availability
73
Main Security Properties• Availability
– Communication availability (hosts and services)– Finding nearby content and servicesg y– Defenses against DoS attacks
• Authenticity / integrity– Authentication of user, host, domain, service, content
• Accountability– For deterrence, hold actors accountableFor deterrence, hold actors accountable
• Secrecy of identity, anonymity, privacy– Sender / receiver privacy if desired
• Flexible trust management– How to set up trust relations, roots of trust
Security‐relevant XIA Mechanisms• Intrinsically secure identifiers
– XIA uses self‐certifying identifiers that guarantee security y g g yproperties for communication operation
– Security properties depend on principal type
• Multiple principal types– Allow user to express intent – gives network flexiblity
• Flexible trust managementg– Translating user recognizable names into cryptographic identifiers
– Provide rich set of mechanisms for mapping
75
Flexible Trust Management• Trust management operations
– Name resolution: name‐>XID– Shared key setup among communicating entities
• Minimal / meaningful root of trust• Narrow waist: minimal / flexible API• Need to involve user for trust decisions• Mechanisms• Mechanisms
– Scoped trust roots– PKI‐type trust management remains important mechanism– Perspectives‐style trust management adds flexibility
76
3/8/2012
20
High‐Level XIA Security Goals• Availability
– Multiple principal types• Provide diversity on how to accomplish goal, DAG‐based forwardingy p g , g• Enable principal‐specific security mechanisms, e.g., DDoS defenses
– Intrinsically secure identifiers prevent hijacking / impersonation– Inherent replication and migration
• Authenticity / integrity– Intrinsically secure identifiers enable origin verification
• Accountability– Audit trails for network events– Intrinsically secure identifiers enable origin accountability
• Privacy / anonymity: plan to support for some principals
SCION Architectural Goals
• High availability, even for networks with malicious parties• Explicit trust for network operations• Explicit trust for network operations• Minimal TCB: limit number of entities that need to be trusted
for any operation– Strong isolation from untrusted parties
• Operate with mutually distrusting entities– No single root of trust
• Enable route control for ISPs, receivers, senders• Simplicity, efficiency, flexibility, and scalability
78
Adrian Perrigand Students
Property: Isolation
… …
• Operate with mutually distrusting entities• No single root of trust • Localization of attacks
… …
PSC
I2L3
… …
D
CA B
… …
79
CMU
M
Attacks(e.g., bad routes)
D
Property: Control… …
… …… …
CMU
PSC
I2L3
D
CA B
Use Level 3 by default
Use Level 3 by default
Please reach me via A or B
Please reach me via A or B
Hide the peering link from CMU
Hide the peering link from CMU
80
• Transit ISPs: select paths to support• Destination: select paths to receive packets• Source: select paths to send packets• Support rich policies and DDoS defenses
by defaultby default
3/8/2012
21
Property: Explicit Trust
• Know who needs to be trusted
Level 3 Internet 2
• Select whom to trust X Y Z• Higher confidence in selected paths• Higher reliability in data delivery• Enforceable accountability
… … … … … …
81CMU
PSC
Who will forwardPackets on the path?
Who will forwardPackets on the path?Go through X and Z,
but not YGo through X and Z,
but not Y
SCION Architecture Overview
• Path construction• Path resolution• Route joining
(shortcuts)
PCB PCB PCBPCB
82
SourceDestination
Hierarchical Decomposition
• Global set of TD (Trust Domains) Map to geographic, political, legal boundariesMap to geographic, political, legal boundaries
• TD Core: set of top‐tier ISPs that manage TD Route to other TDs Send routing beacons Manage Address and Path Translation Servers Handle TD membership Root of trust for TD: manage root key and certificatesRoot of trust for TD: manage root key and certificates
• AD is atomic failure unit, contiguous/autonomous domainTransit AD or endpoint AD
83
Path ConstructionGoal: each endpoint learns multiple verifiable paths to its core
• Discovering paths via Path Construction Beacons (PCBs)Discovering paths via Path Construction Beacons (PCBs)
TD Core periodically initiates PCBs
Providers advertise upstream topology to peering and customer ADs
• ADs perform the following operations
Collect PCBs
For each neighbor AD, select which k PCBs to forwardFor each neighbor AD, select which k PCBs to forward
Update cryptographic information in PCBs
• Endpoint AD will receive up to k PCBs from each upstream AD, and select k down-paths and up-paths
84
3/8/2012
22
Forwarding
• Down‐path contains all forwarding decisions (AD traversed) from endpoint AD to TD corefrom endpoint AD to TD core Ingress/egress points for each AD, authenticated in opaque fields
ADs use internal routing to send traffic from ingress to egress point
• Joined end‐to‐end route contains full forwarding information from source to destinationfrom source to destination No routing / forwarding tables needed!
85
Open Challenges
• Study security interactions among principal ttypes
• Availability for content and service types• Accountability for content origin• Mechanisms for trust management
/• Privacy / anonymity: in‐network or overlay?
86
Conclusion Security• General XIA security mechanisms
– Intrinsically secure identifiers– Multiple principal types– Flexible trust management
• Specific security mechanisms– Replication, migrationSCION l d d l f h– SCION secure control and data plane for host‐to‐host communication
87
Conclusion• XIA supports evolution,
expressiveness, and trustworthy operation.– Multiple principal types, flexible
addressing, and intrinsic security
• But research has just started!– Transport protocols, applications,
services, …– Trustworthy protocols that fully utilizes
intrinsic security of XIAintrinsic security of XIA
• More information onhttp://www.cs.cmu.edu/~xia
• Interested in protype – contact me!
88