XIA-PI-Meeting-2013 - NSF Future Internet Architecture Project

advertisement

XIA: Network Deployments

Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha,

Adrian Perrig, Srini Seshan, Marvin Sirbu,

Peter Steenkiste, Hui Zhang

Carnegie Mellon University

Aditya Akella, University of Wisconsin

John Byers, Boston University

FIA PI Meeting

March 2013, Salt Lake City

1

Today’s Internet

Problem:

Network does not know what user wants!

Dest: Server ID

Src: Client ID

Web

Server

2

S

Today’s Internet

S

S

S

3

XIA Vision

We envision a future Internet that:

• Is trustworthy

– Security broadly defined is a compelling research challenge

• Supports long-term evolution of usage models

– Including host-host, content retrieval, services, …

• Supports long term technology evolution

– Not just for link technologies, but also for storage and computing capabilities in the network and end-points

• Provides benefits for a multiplicity of stakeholders

– Despite differences in roles, goals and incentives

4

XIA Pillars

Principal types

Support multiple communication types

(heterogeneity)

Fallback

Support future communication types

(evolution)

Allow using new communication types at any point

(incremental deployment)

Intrinsic Security

5

XIA Design: Expressiveness

• Principal Types

– Defines the format of the address

• And its semantics, including security semantics

– And what the address means

– And what processing can be done

– Key: Much more intentful than today’s addresses.

• Use ours: Host. Service. Content. 4ID. AD.

• Or, { roll your own }

XIA Design: Intrinsic Security

• XIA uses self-certifying identifiers that guarantee security properties for communication operation

– Host ID is a hash of the host’s public key – accountability

– Content ID is a hash of the content – correctness

– Does not rely on external configurations

• Intrinsic security is specific to the principal type

• Example: retrieve content using …

– Content XID: content is verifiably/unspoofably correct

– Service XID: the correct ASP provided the service

– Host XID: content was delivered from intended host

7

Current

Internet

IP address

128.2.10.162

Principal Types

XIA

Principal type

Type-specific identifier

Intrinsically secure IDs

Host 0xF63C7A4…

Service 0x8A37037…

Content 0x47BF217…

Future …

Hash of host’s public key

Hash of service’s public key

Hash of content

8

XIA Design: Deployability

• Fallback addressing

– Allows you to use tomorrow’s principal type today

– “If I can’t go directly to X, use Y...”

• Example 1:

– Ultimate intent: retrieve CONTENT (CID)

– Fallback: contact HOST (HID)

• Example 2:

– Next hop not XIA-capable? Use (4ID) in address:

Fallback to IPv4 encapsulation: contact IPv4(HID)

• Admits incremental deployment

– Not just of new ID types within XIA, but of XIA itself.

Example: Secure Video Playback

AD 0xF00000

XIA Name

Resolution

Service register

NYT server

Service 0xDE44444

AD 0xF000000

Host 0xF63C7A4

4ID 5.11.2.14

nyt.com maps to

Service 0xDE44444 or

AD

Host or

0xF000000

0xF63C7A4

4ID 5.11.2.14

10

Secure Video Playback

XIA Name

Resolution

Service

AD 0xF00000

S

NYT server Service 0xDE44444 nyt.com?

or

AD 0xF000000

Host or

0xF63C7A4

4ID 5.11.2.14

NYT replica

CID, signed by

0xDE44444

11

Secure Video Playback

AD 0xF00000

S

NYT server sequence of CIDs

NYT replica

12

XIA top-down view

• What does an XIA network look like to various stakeholders?

• Who benefits from new features and why?

• Who bears the costs of deployment?

• Stakeholders we consider (not exhaustive):

– Network operators: from testbeds to ISPs

– Application providers / service providers

– Application developers

– End-users

13

Benefits to Network Operators

• Increased potential for value-added services

(without resorting to deep-packet inspection)

– Simpler middlebox deployment

– On-path caching or route redirection

– Principal types aligned with economic incentives

• Risk mitigation via incremental deployment

• More choice regarding trust domains

– SCION route control

14

Benefits to Service Providers

• Added expressivity: customizable principals

– Built-in support for binding, scoping, mobility.

– Intrinsic security guarantees.

• Access control, accounting, accountability, counter-measures for DoS

• Making use of in-network optimizations furnished by network operators.

• Similar benefits accrue to application developers.

15

Benefits to End-Users

• Increased choice and flexibility regarding intent:

– Choice of XID principal type, i.e. how a given communication operation performed

– Rich address formats add flexibility: fallback, services.

– Scion offers control via edge-directed routing

• Support for mobile users

• Trickle-down benefits derived from better apps.

• Intrinsic security:

– Qualitative benefits of security guarantees is a central focus of our user studies.

16

Costs of Deployment

• New XIA protocol stack network-wide

– Prototype status update next slide

– Incremental deployment possible, advisable.

• Management and processing overhead

– Packet processing; flat address space

– Tracking revisions for multiple principal types

– Implications for switches, interconnect, H/W.

• Additional opportunities present added complexity, new optimization problems.

17

Basic inter-domain

XIP Prototype Implementation

Wireshark

Routing datagrams, streaming

Applications

Supports HID and SID

XHCP

BIND

Chunking

Xsockets

XSP XChunkP Cache XDP

Name

Resolution

ARP

Chunk, CID support

Caching

XIP XCMP

Datalink

XIA ICMP, ARP

Open source prototype released May 2012

18

Extra slides, possible candidate slides follow

19

Planned Prototype Enhancements

• Prototype is available on Github

– Latest release includes support for 4ID

• Near term: IP application porting help, better transport protocols, permanent XIP network

• Next: mobility support, expanded support for intrinsic security and accountability

• Later: Scion integration, more services and applications

20

Path Selection in SCION

Architecture Overview

• Source/destination can choose among up/down hill paths

• Path control shared between

ISPs, receivers, senders

• Desirable security properties:

• High availability, even in presence of malicious parties

• Explicit trust for operations

• Minimal TCB: limit number of entities that must be trusted

• No single root of trust

• Simplicity, efficiency, flexibility, and scalability

Source

PCB

Destination

21

XIA Dataplane Concepts

Directly support diverse network usage models

Multiple

Communicating

Principal Types

Evolution of principal types

Customization

Principal-specific security properties

Flexible

Addressing

Intrinsic

Security

DAG security

Deal with routing “failures” Built in security forms basis for system level security

• Can be implemented in diverse ways

• Can be deployed incrementally, e.g. in subnets

Download