Download
mobility in publish subscribe networks n.
Skip this Video
Loading SlideShow in 5 Seconds..
Mobility in Publish/Subscribe Networks PowerPoint Presentation
Download Presentation
Mobility in Publish/Subscribe Networks

Mobility in Publish/Subscribe Networks

207 Views Download Presentation
Download Presentation

Mobility in Publish/Subscribe Networks

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Mobility in Publish/Subscribe Networks Walter Wong HIIT & NomadicLab 24.02.2010

  2. Outline • Motivation • Background • Link Layer • Network Layer • Transport Layer • Session Layer • Information Mobility • Peer-to-peer, Content Delivery Networks • Publish/Subscribe

  3. Motivation • Original Internet design • Hosts are fixed • IP address is both end-host identifier and locator • However, the current Internet usage is:

  4. Mobility – Some problems • How does a host get a new locator (IP address)? • How does a host re-establish the connectivity in the new network? • How does a host tell the peer host its new address? • How can we find a host that moves frequently? • How can applications maintain the seamless connectivity between mobile hosts?

  5. Solutions in different layers Session SIP Mobility Transport TCP Migrate Identification Host Identity Protocol Network DHCP (static), Mobile IP (dynamic) Link Simple MAC address update

  6. Link Layer Mobility • Change MAC address • Ex. Between access points in the same subnet • (+) Transparent to higher layers (no changes in the IP address) • (–) Limited to the same subnet Mapping: IPclient–> MACA Mapping: IPclient–> MACB MACB MACA IPclient

  7. Dynamic Host Configuration Protocol (DHCP) • Provides dynamic IP addresses to end-hosts • (+) simple • (–) does not maintain ongoing connections Network A Network B 10.10.1/24 192.168.0/24 192.168.0.11 10.10.1.100

  8. IP Mobility – IP Semantic Overload Problem Application Web-browser Session socket(AF_INET, …, …) Transport socket(IPsrc/dst, portsrc/dst) connect() Network IPsrc = 192.168.0.11 IPsrc = 10.10.0.100 Link

  9. Mobile IP • Goals • Network layer solution • Applications are oblivious of the mobility event • Legacy application support • Incrementally deployable • Approach • Two IP addresses • Home Address –> stable end-host identifier • Care-of Address –> ephemeral end-host locator • “Solves” IP semantic overload problem

  10. Mobile IP – Elements • Home Agent (HA) • Responsible for location management • Tunnels traffic to the registered node when it is not in the home network • Foreign Agent (FA) • Provides Care-of address of the visited network • Represents the mobile node when it visits the network

  11. MN at Home Network Correspondent Node IPC Internet Foreign Agent Home Agent Home Network Foreign Network Direct communication between MN and CN IPA <–> IPC MN IPA

  12. MN Registration Correspondent Node IPC Internet Foreign Agent Home Agent Home Network Foreign Network Inform current CoA Registration in the FA Receive Care-of Address MN IPA MN IPB

  13. MN at Foreign Network Correspondent Node IPC Internet Foreign Agent Home Agent Home Network Foreign Network CN sends data to IPA HA tunnels packets to IPB (IP-IP tunneling) MN IPB

  14. Route Optimization Correspondent Node IPC Internet Foreign Agent Home Agent Home Network Foreign Network Avoids the triangle between CN – HA – MN MN IPB

  15. Mobile IP – Summary • Provides mobility support in the network level • Applications are oblivious about the mobility event • Supports simultaneous node mobility (uses HA and FA as anchor points) • Uses two IP addresses: • Home address: end-host identification • Care-of address: end-host location • Issues • Scalability problems (triangle) • Security

  16. Host Identity Protocol (HIP) • New namespace between network and transport layers • Host Identity (HI) • Host Identity Tags (HIT) • Security embedded • 128-bit identifier = hash from the public key • Fill the gap between end-host identification and location • Decouples end-host identification and location • Solves IP semantic overload

  17. HIP Namespace Web-browser socket(…) Application socket(HITsrc/dst, portsrc/dst) Get end-host identifier Transport Identification Network layer is free to change Network Link

  18. HIP Resolution • Two steps name resolution • Name to HIT resolution –> DNS • HIT to IP resolution –> Rendezvous Server (RVS) • HIP base exchange • 4-way handshake • Resistant against Denial-of-Service attacks • Uses cost functions • Check whether correspondent nodes are committed to the communication

  19. HIP Mobility • Rendezvous Server (RVS) • Holds all HIT-to-IP mapping • Distributed in the network • Ex: One per administrative domain • After a mobility event, mobile node engages in the locator update procedure • UPDATE message along with the verification protocol

  20. HIP Summary • New namespace composed of cryptographic identifiers • Host Identifiers (HI) and Host Identity Tags (HIT) • Detaches host identification from location • Resistant against Denial-of-service attacks • Base exchange • Supports simultaneous node mobility • RVS is the anchor point

  21. TCP Migrate • End-host mobility in the transport layer • Goal: to maintain end-host seamless connectivity during TCP sessions • Approach • Uses DNS names to provide stable end-host identifier • Saves TCP state during migration, restoring after mobility event • No new location management device • No Home Agent and Foreign Agent

  22. TCP Migrate • Mobility procedure • Inform current IP address to the peer node • After mobility event, mobile node sends a TCP SYN message to the peer node informing the new IP address • Update current IP address in order to be globally reachable • Mobile host updates its current mapping in the DNS • Ex. www.acme.org –> 69.64.156.78

  23. TCP Migrate • TCP session migration • New TCP option • TCP SYN MIGRATE • Informs to migrate to a new TCP session • Use tokens to inform to which TCP session it was associated • The mobile host opens a new socket with the new IP address and sends the TCP SYN message with MIGRATE option and a token with the current state • The peer host opens the a new TCP session to the new IP address and restores the session

  24. TCP Migrate – Summary • Benefits • Simple • No network infrastructure changes • Drawbacks • Changes in the default TCP • Security issues • Does not support simultaneous node mobility • There is no anchor point

  25. Session Initiated Protocol • Signaling protocol used for controlling multimedia sessions • Used for establishing, modifying and terminating sessions • Uses URI to identify users • Relies on two other protocols • Real-time protocol (RTP) • Carries streaming data • Session description protocol (SDP) • Session parameters, e.g, ports, protocols, etc

  26. SIP Message Flow INVITE OK Outbound Proxy DNS INVITE OK Inbound Proxy ACK ACK Resolve URI to Inbound Proxy Server IP RTP Traffic Client Client

  27. SIP Mobility Home Network Correspondent Node SIP Redirect Proxy INVITE Moved Temporarily Outbound Proxy Foreign Network INVITE ACK OK Client

  28. SIP – Summary • Signaling protocol for controlling multimedia sessions • Uses URIs to identify user agents • Mobility is handled by SIP proxies

  29. Mobility Support – Summary Session SIP Mobility – uses SIP proxies to locate user agents. End users are identified by URI and mapped to SIP Proxies, which are the anchor points. Transport TCP Migrate – adds a new option in the TCP stack, MIGRATE, to provide TCP session migration. Relies on DNS to provide correct mapping Identification Host Identity Protocol – introduces a new namespace to fill the gap between identification and location Network Mobile IP – creates a new IP address, the Home Address to be the end-host identifier, while the Care-of Address is the real locator Link Simple MAC address update – switches can be configured to handle it

  30. Information-centric Networks • What happens when we migrate to information-centric networks? • Location decoupled • Time decoupled • There is no IP end-point to locate hosts

  31. Data ‘Mobility’ in Host-centric Networks • Peer-to-peer Networks • Users search for content • Request is translated to a query in a DHT • Users receive a list of closest peers • Content Delivery Networks (CDNs) • URL links contain CDN DNS entries • Dynamic mapping of DNS name resolutions to the closest surrogate server • Dynamic mapping of content into an IP address • Content is ‘detached’ from locator (new naming system, e.g, flat identifier, etc)

  32. Data Mobility in Information-centric Networks • Native Publish/Subscribe • Each content has a unique identifier • Content is totally detached from specific location • Can be anywhere, intermediate caches, end-nodes, replicated, etc • Usually content is stored close to the consumers • Popular content is cached near to consumers • Support flash crowd events

  33. End-node Mobility in Information-centric Networks • Network Attachment procedure • During bootstrap process, subscribe re-subscribes to the publication • RVS receives notification • RVS notifies the publisher and topology manager • Publisher re-publishes the content in the new RVS • Topology manager computes new path between publisher and subscribers • Updates delivery tree

  34. End-node Mobility in Information-centric Networks • Some optimizations • Default communication model: Multicast • Multicast Assisted Mobility • Possibility to reduce handoff loss • Distribution of data around the area where the mobile user resides • Makes data available when mobile user arrives • Packet loss • Buffering and return channel (algorithmic IDs) • Delivery order • Subscription to separate IDs, e.g. algorithmic IDs

  35. Questions? • Comments? • Thanks!

  36. Content Authentication in Information-centric Networks Walter Wong HIIT & NomadicLab 24.02.2010

  37. Outline • Background • Host-centric security solutions • Merkle Hash Trees • Information-centric authentication • Skewed Hash Trees • Implementation & Evaluation • Conclusion

  38. Motivation • Current security solutions • Authentication of thecontainer/storage device/mirror • And what about the content itself? • We trust in the container! (shouldn’t we trust in the content?) • Paradigm problem • In the Internet, we want ‘what’ • And we get ‘where’

  39. Example – Content Delivery Networks Content Provider SSL Are they the same movie? Wrong trust model!

  40. Host-centric Security Solutions • SSL/TLS and IPSec • Provides host authentication (IP address) • IPSec = network layer solution => IP • SSL/TLS = transport layer solution => IP !! • Security channel between end-hosts • Mainly: data transfer between authenticated end-hosts (IP addresses) • Security data results from the connection parameters • Transient data => can’t be reused in other context • Time coupled

  41. Towards Information-centric Networking • Migration from host-centric to information-centric networking • Data is decoupled from the location (data is not part of the storage location) • Communication is decoupled in time and synchronization • Scenarios • Peer-to-peer, Content delivery networks • Publish/Subscribe

  42. Towards Information-centric Networking • Client/server model • Scenario: low resources • Services centralized in a ‘powerful’ server • Roles: well-defined clients and servers • Storage is centralized in the server • Drawbacks • Bottleneck – scalability issues • Server could be distant geographically

  43. Towards Information-centric Networking • Peer-to-peer model • Scenario: file-sharing • Distributed resources among peers • Roles: peer is both producer and consumer • Storage: distributed in the network, but in the peer storage disk • Drawbacks • Some are location oblivious – peer with highest bandwidth might not be the closest one • Paradox: consumer peers need to queue for the same resource, while the provider peer needs to send it multiple times

  44. Towards Information-centric Networking • Publish/Subscribe • Scenario: news feed delivery • Distributed resources in the network • Role: mixed between publishers and subscribers • Storage: distributed in the network along caches • Benefits • Multicast – no p2p paradox • Simpler – no scheduling algorithm for resources • Content retrieval from the closest cache • Resources arewithinthe network

  45. Motivation – Security • How do we secure content with: • Location decoupled • Data can not be authenticated with some IP • Time decoupled • Data can not be authenticated based on direct connection

  46. Information-centric Security • Original idea • Per packet signature • Sign each packet with a digital signature • Drawbacks • Costly • CPU expensive to sign and verify each signature • Requirement • Optimize signature mechanism

  47. Merkle Hash Tree • Signature amortization technique • binary tree built over a set of data blocks • Uses hash functions to authenticate data blocks • MD5, SHA-1, SHA-256 • Requires just one digital signature for an entire piece of content • Regardless of the number of data blocks! • Drawbacks • Works only on binary trees!

  48. H0 D0 H01 H1 D1 H03 H2 D2 H23 H3 D3 Internal nodes Data blocks Leaf nodes Root Hash Merkle Hash Tree File

  49. H03 H0 H23 H1 H01 H1 H23 H03 Root Hash + H1 H23 Merkle Hash Tree H01 H23 Internal nodes H0 H1 H2 H3 Leaf nodes D0 D1 D2 D3 D0 Data blocks File

  50. Skewed Hash Tree • Motivation • Many possibilities to build a skewed tree • Goal • New algorithm to support random size files • Approach • Separate balanced and unbalanced trees • Append remaining blocks under the balanced tree • Deal with each one separately • Maintain, at most, one level of difference