1 / 60

Lecture 2: Evolutionary and Revolutionary Approaches

Lecture 2: Evolutionary and Revolutionary Approaches. www.psirp.org. D.Sc. Arto Karila Helsinki Institute for Information Technology (HIIT) arto.karila@hiit.fi. T-110.6120 – Special Course on Data Communications Software: Publish/Subscribe Internetworking. Contents. Evolutionary approaches

aerona
Télécharger la présentation

Lecture 2: Evolutionary and Revolutionary Approaches

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 2:Evolutionary and Revolutionary Approaches www.psirp.org D.Sc. Arto Karila Helsinki Institute for Information Technology (HIIT) arto.karila@hiit.fi T-110.6120 – Special Course on Data Communications Software: Publish/Subscribe Internetworking

  2. Contents • Evolutionary approaches • Some more revolutionary approaches • Networking Named Content – Van Jacobson’s CCN project(Content-Centric Networking)

  3. Evolutionary Approaches • IPv6 • IPSEC • Mobile IP • HIP • DiffServ • DHT

  4. IPv6 • IPv6 was born in 1995 after long work • There are over 30 IPv6-related RFCs • The claimed improvements in IPv6 are: • Large 128-bit address space • Stateless address auto-configuration • Multicast support • Mandatory network layer security (IPSEC) • Simplified header processing by routers • Efficient mobility (no triangular routing) • Extensibility (extension headers) • Jumbo packets (up to 4 GB)

  5. IPv6 • Major operating systems and many ISPs support IPv6 • The use of IPv6 is slowly increasing in Europe and North America but more rapidly in Asia • In China, CERNET 2 runs IPv6, interconnecting 25 points of presence in 20 cities with 2.5 and 10 Gbps links • IPv6 really only solves the exhaustion of Internet address space

  6. IPSEC • IPSEC is the IP-layer security solution of the Internet to be used with IPv4 and IPv6 • Authentication Header (AH) only protects the integrity of an IP packet • Encapsulating Security Payload (ESP) also ensures confidentiality of the data • IPSEC works within a Security Association (SA) set up between two IP addresses • ISAKMP (Internet Security Association and Key Management Protocol) is a very complicated framework for SA mgmt

  7. Original IPv4 Header Security Parameter Index (SPI) ESP Header Sequence Number Coverage of Authentication UDP/TCP Header ESP Payload Coverage ofConfidentiality Data Padding Pad Len Next Hdr ESP Trailer Authentication Data Encapsulating Security Payload (IPv4)

  8. Original IPv6 Header Hop-by-Hop Extensions Security Parameter Index (SPI) ESP Header Sequence Number Coverage of Authentication End-to-End Extensions UDP/TCP Header ESP Payload Coverage ofConfidentiality Data Padding ESP Trailer Authentication Data Encapsulating Security Payload (IPv6)

  9. Mobile IPv4 • Basic concepts: • Mobile Node (MN) • Correspondent Node (CN) • Home Agent (HA) • Foreign Agent (FA) • Care-of-Address (CoA) • Problems: • Firewalls and ingress filtering • Triangular routing

  10. DELAY! Mobility Example:Mobile IP Triangular Routing Ingress filtering causes problems for IPv4 (home address as source), IPv6 uses CoA so not a problem . Solutions: (reverse tunnelling) or route optimization Correspondent Host Foreign agent left out of MIPv6. No special support needed with IPv6 autoconfiguration Foreign Agent Home Agent Care-of-Address (CoA) Mobile Host • Source: Professor Sasu Tarkoma

  11. Ingress Filtering Packet from mobile host is deemed "topologically incorrect“ (as in source address spoofing) Correspondent Host Home Agent • With ingress filtering, routers drop source addresses that are not consistent with the observed source of the packet • Source: Professor Sasu Tarkoma

  12. DELAY! Reverse Tunnelling Firewalls and ingress filtering no longer a problem Two-way tunneling leads to overhead and increased congestion Correspondent Host Router Home Agent Mobile Host Care-of-Address (CoA) • Source: Professor Sasu Tarkoma

  13. Mobile IPv6 Route Optimization CH sends packets using routing header Correspondent Host First, a Return Routability test to CH. CH sends home test and CoA test packets. When MH receives both, It sends the BU with the Kbm key. Router Secure tunnel (ESP) Home Agent MH sends a binding update to CH when it receives a tunnelled packet. Mobile Host • Source: Professor Sasu Tarkoma

  14. Differences btw MIPv6 and MIPv4 • In MIPv6 no FA is needed (no infrastructure change) • Address auto-configuration helps in acquiring CoA • MH uses CoA as the source address in foreign link, so no problems with ingress filtering • Option headers and neighbor discovery of IPv6 protocol are used to perform mobility functions • 128-bit IP addresses help deployment of mobile IP in large environments • Route optimization is supported by header options • Source: Professor Sasu Tarkoma

  15. Extension Headers CN to MN MN to CN Upper Layer headers Data MH Mobility Header MH Type in Mobility Header: Binding Update, Binding Ack, Binding Err, Binding refresh MN, HA, and CN for Binding Source: Chittaranjan Hota, Computer Networks II lecture 22.10.2007

  16. HIP • Host Identity Protocol (HIP, RFC4423) defines a new global Internet name space • The Host Identity name space decouples the name and locator roles, both of which are currently served by IP addresses • The transport layer now operates on Host Identities instead of IP addresses • The network layer uses IP addresses as pure locators (not as names or identifiers)

  17. HIP Architecture

  18. HIP • HIs are self-certifying (public keys) • HIP is a fairly simple technique based on IPSEC ESP and HITs (128-bit HI hashes) • It addresses several major issues: • Security • Mobility • Multi-homing • IPv4/IPv6 interoperation • HIP is ready for large-scale deployment • See http://infrahip.hiit.fi for more info

  19. I1 HITI, HITR or NULL R1 HITI, [HITR, puzzle, DHR, HIR]sig I2 [HITI, HITR, solution, DHI,{HII}]sig R2 [HITI, HITR, authenticator]sig ESP protected TCP/UDP, no explicit HIP header Base exchange • Based on the SIGMA family of key exchange protocols Source: Dr. Pekka Nikander Select precomputed R1. Prevent DoS. Minimal state kept at responder! Does not protect against replay attacks. Initiator Responder standard authenticated Diffie-Hellman key exchange for session key generation solve puzzle verify, authenticate, replay protection User data messages draft-ietf-hip-base-02.txt, draft-jokela-hip-esp-00.txt

  20. HIP Mobility • Mobility is easy – retaining the SA for ESP

  21. IPv4 access Internet network WWW Proxy HIP CN HIP MN Music Server HIP in Combining IPv4 and IPv6 • An early demo seen at L.M. Ericsson Finland (source: Petri Jokela, LMF)

  22. DiffServ • Differentiated Services (DiffServ, RFC 2474) redefines the ToS octet of the IPv4 packet or Traffic Class octet of IPv6 as DS • The first 6 bits of the DS field are used as Differentiated Services Code Point (DSCP) defining the Per-Hop Behavior of the packet • DiffServ is stateless (like IP) and scales • Service Profiles can be defined by ISP for customers and by transit providers for ISPs • DiffServ is very easily deployable and could enable well working VoIP and real-time video • Unfortunately, it is not used between operators

  23. Distributed Hash Table (DHT) • Distributed Hash Table (DHT) is a service for storing and retrieving key-value pairs • There is a large number of peer machines • Single machines leaving or joining the network have little effect on its operation • DHTs can be used to build e.g. databases (new DNS), or content delivery systems • BitTorrent is using a DHT • The real scalability of DHT is still unproven • All of the participating hosts need to be trusted (at least to some extent)

  24. DHT • The principle of Distribute Hash Table (source: Wikipedia)

  25. Contents • Evolutionary approaches • Some more revolutionary approaches • Networking Named Content – Van Jacobson’s CCN project(Content-Centric Networking)

  26. Some More Revolutionary Approaches • ROFLM. Caesar, T. Condie, J. Kannan, K. Lakshminarayanan, I. Stoica, and S.Shenker, ROFL: Routing on Flat Labels, In ACM SIGCOMM, Sep. 2006, pp. 363–374 • DONAT. Koponen, M. Chawla, B.-G. Chun, A. Ermolinskiy, K. H. Kim, S. Shenker, and I. Stoica, A Data-Oriented (and Beyond) Network Architecture, In SIGCOMM ’07: Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications, New York, NY, USA, 2007, pp. 181-192

  27. ROFL • ROFL routes directly on host identities, leaving aside the locations of the hosts • Self-certifying identifiers (tied to public keys) • Create a network layer with no locations • Advantages: • No new infrastructure (no name resolution) • Packet delivery only depends on the data path • Simpler allocation of identifiers (just need to ensure uniqueness) • Access control based on identifiers

  28. ROFL • Three classes of hosts: • Routers • Stable hosts • Ephemeral hosts • Each ID is resident to its Hosting Router (the host’s first-hop router) • The hosts form a two-way ring – each with pointers to its successor and predecessor • There can be shorter routes cached • An OSPF-like routing protocol (with network map) is assumed for recovering from routing failures • Global ROFL-ring for inter-domain routing

  29. DONA • DONA replaces the hierarchical DNS namespace with a cryptographic, self-certifying namespace for naming data • This enables totally distributed namespace control • The namespace is not totally flat but consists of two parts: the principal’s identifier and a label • This two-tier hierarchy helps make DONA scalable • Clean-slate naming and name resolution

  30. DONA • Strict separation between naming (persistence and authenticity) and name resolution (availability) • Each principal has a public-key pair • Each datum (or any other named entity) is associated with a principal • Names of the form P:L (Principal:Label), where P is a cryptographic has os the principal’s public key and L is a locally unique label • Name resolution by Resolution Handlers, primitives: FIND(P:L), REGISTER(P:L)

  31. Contents • Evolutionary approaches • Some more revolutionary approaches • Networking Named Content – Van Jacobson’s CCN project(Content-Centric Networking)

  32. Networking Named Content • Based on and pictures borrowed from: Jacobson, V.; Smetters, D. K.; Thornton, J. D.; Plass, M. F.; Briggs, N.; Braynard, R. Networking named content. Proceedings of the 5th ACM International Conference on Emerging Networking Experiments and Technologies (CoNEXT 2009); 2009 December 1-4; Rome, Italy. NY: ACM; 2009; 1-12.

  33. Host-Centric Networking • In 1960’s and 1970’s – resource sharing • Computers, disk drives, tape drives, printers etc. needed to be shared • This lead into a communication model with two machines – one using and one providing resources over the network • IP packets with source and destination • Most of the traffic is TCP connections

  34. Content-Centric Networking (CCN) • In 2009 alone 500 exabytes (5 x 1020 B) of content created (source: RFC 5401) • Users are interested in what content – not where it is • CCN – a communication architecture built on named data • “Address” names content – not location • Preserve the design decisions that make TCP/IP simple, robust and scalable

  35. TCP/IP and CCN Protocol Stacks • From IP to chunks of named content • Only layer 3 requires universal agreement

  36. Interest and Data packets • There are two types of CCN packets: • Interest packets • Data packets

  37. CCN Node Model • There are two types of CCN packets: • Interest packets • Data packets • Consumer broadcasts its Interest over all available connectivity • Data is transmitted only in response to and Interest and consumes that Interest • Data satisfies an Interest if ContentName in the Interest is a prefix of that in the Data

  38. CCN Node Model • Hierarchical name space (cmp w/ URI) • When a packet arrives on a face a longest-match lookup is made • Forwarding engine with 3 data structures: • Forwarding Information Base (FIB) • Content Store (buffer memory) • Pending Interest Table (PIT)

  39. CCN Node Model • FIB allows a list of outgoing interfaces – multiple sources of data • Content Store w/ LRU or LFU replacement • PIT keeps track of Interest forwarded up-stream => Data can be sent downstream • Interest packets are routed upstream – Data packets follow the same path down • Each PIT entry is a “bread crumb” marking the path and is erased after it’s been used

  40. CCN Forwarding Engine

  41. CCN Node Model • When an Interest packet arrives, longest-match lookup is done on its ContentName • ContentStore match is preferred over a PIT match, preferred over a FIB match • Matching Data packet in ContentStore => send it out on the Interest arrival face • Else, if there is an exact-match PIT entry => add the arrival face to the PIT entry’s list • Else, if there is a matching FIB entry => send the Interest up-stream towards the data • Else => discard the Interest packet

  42. CCN Transport • CCN transport is designed to operate on unreliable packet delivery services • Senders are stateless • Receivers keep track of unsatisfied Interests and ask again after a time-out • The receiver’s strategy layer is responsible for retransmission, selecting faces, limiting the number of unsatisfied Interests, priority • One Interest retrieves at most one Data packet => flow balance

  43. Reliability and Flow Control • Flow balance allows for efficient communication between machines with highly different speeds • It is possible to overlap data and requests • In CCN, all communication is local and flow balance is maintained over each hop • This leads into end-to-end flow control without any end-to-end mechanisms

  44. Naming • CCN is based on hierarchical, aggregatable names at least partly meaningful to humans • The name notation used is like URI

  45. Naming and Sequencing • An Interest can specify the content exactly • Content names can contain automatically generated endings used like sequence #s • The last part of the name is incremented for the next chunk (e.g. a video frame) • The names form a tree which is traversed in preorder • In this way, the receiver can ask for the next Data packet in his Interest packet

  46. Intra-Domain Routing • Like IPv4 and IPv6 addresses, CCN ContentNames are aggregateable and routed based on longest match • However, ContentNames are of varying length and longer than IP addresses • The TLV (Type Label Value) of OSPF or IS-IS can distribute CCN content prefixes • Therefore, CCN Interest/Data forwarding can be built on existing infrastructure without any modification to the routers

  47. Intra-Domain Routing • An example of intra-domain routing

  48. Inter-Domain Routing • The current BGP version has the equivalent of the IGP TLV mechanism • Through this mechanism, it is possible to learn which domains serve Interests in some prefix and what is the closest CCN-capable domain on the paths towards those domains • Therefore, it is possible to deploy CCN in the existing BGP infrastructure

  49. Content-Based Security • In CCN, the content itself (rather than its path) is protected • One can retrieve the content from the closest source and validate it • All content is digitally signed • Signed info includes hash of the public key used for signing • We still need some kind of a Public Key Infrastructure (PKI)

  50. Trust Establishment • Associating name spaces with public keys

More Related