Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha,
Adrian Perrig, Srini Seshan, Marvin Sirbu,
Peter Steenkiste, Hui Zhang
Carnegie Mellon University
Aditya Akella, University of Wisconsin
John Byers, Boston University
FIA PI Meeting
March 2013, Salt Lake City
1
Problem:
Network does not know what user wants!
Dest: Server ID
Src: Client ID
Web
Server
2
S
S
S
S
3
We envision a future Internet that:
• Is trustworthy
– Security broadly defined is a compelling research challenge
• Supports long-term evolution of usage models
– Including host-host, content retrieval, services, …
• Supports long term technology evolution
– Not just for link technologies, but also for storage and computing capabilities in the network and end-points
• Provides benefits for a multiplicity of stakeholders
– Despite differences in roles, goals and incentives
4
Support multiple communication types
(heterogeneity)
Support future communication types
(evolution)
Allow using new communication types at any point
(incremental deployment)
Intrinsic Security
5
• Principal Types
– Defines the format of the address
• And its semantics, including security semantics
– And what the address means
– And what processing can be done
– Key: Much more intentful than today’s addresses.
• Use ours: Host. Service. Content. 4ID. AD.
• Or, { roll your own }
• XIA uses self-certifying identifiers that guarantee security properties for communication operation
– Host ID is a hash of the host’s public key – accountability
– Content ID is a hash of the content – correctness
– Does not rely on external configurations
• Intrinsic security is specific to the principal type
• Example: retrieve content using …
– Content XID: content is verifiably/unspoofably correct
– Service XID: the correct ASP provided the service
– Host XID: content was delivered from intended host
7
Current
Internet
IP address
128.2.10.162
XIA
Principal type
Type-specific identifier
Intrinsically secure IDs
Host 0xF63C7A4…
Service 0x8A37037…
Content 0x47BF217…
Future …
Hash of host’s public key
Hash of service’s public key
Hash of content
8
• Fallback addressing
– Allows you to use tomorrow’s principal type today
– “If I can’t go directly to X, use Y...”
• Example 1:
– Ultimate intent: retrieve CONTENT (CID)
– Fallback: contact HOST (HID)
• Example 2:
– Next hop not XIA-capable? Use (4ID) in address:
Fallback to IPv4 encapsulation: contact IPv4(HID)
• Admits incremental deployment
– Not just of new ID types within XIA, but of XIA itself.
AD 0xF00000
XIA Name
Resolution
Service register
NYT server
Service 0xDE44444
AD 0xF000000
Host 0xF63C7A4
4ID 5.11.2.14
nyt.com maps to
Service 0xDE44444 or
AD
Host or
0xF000000
0xF63C7A4
4ID 5.11.2.14
10
XIA Name
Resolution
Service
AD 0xF00000
S
NYT server Service 0xDE44444 nyt.com?
or
AD 0xF000000
Host or
0xF63C7A4
4ID 5.11.2.14
NYT replica
CID, signed by
0xDE44444
11
AD 0xF00000
S
NYT server sequence of CIDs
NYT replica
12
• What does an XIA network look like to various stakeholders?
• Who benefits from new features and why?
• Who bears the costs of deployment?
• Stakeholders we consider (not exhaustive):
– Network operators: from testbeds to ISPs
– Application providers / service providers
– Application developers
– End-users
13
• Increased potential for value-added services
(without resorting to deep-packet inspection)
– Simpler middlebox deployment
– On-path caching or route redirection
– Principal types aligned with economic incentives
• Risk mitigation via incremental deployment
• More choice regarding trust domains
– SCION route control
14
• Added expressivity: customizable principals
– Built-in support for binding, scoping, mobility.
– Intrinsic security guarantees.
• Access control, accounting, accountability, counter-measures for DoS
• Making use of in-network optimizations furnished by network operators.
• Similar benefits accrue to application developers.
15
• Increased choice and flexibility regarding intent:
– Choice of XID principal type, i.e. how a given communication operation performed
– Rich address formats add flexibility: fallback, services.
– Scion offers control via edge-directed routing
• Support for mobile users
• Trickle-down benefits derived from better apps.
• Intrinsic security:
– Qualitative benefits of security guarantees is a central focus of our user studies.
16
• New XIA protocol stack network-wide
– Prototype status update next slide
– Incremental deployment possible, advisable.
• Management and processing overhead
– Packet processing; flat address space
– Tracking revisions for multiple principal types
– Implications for switches, interconnect, H/W.
• Additional opportunities present added complexity, new optimization problems.
17
Basic inter-domain
Wireshark
Routing datagrams, streaming
Applications
Supports HID and SID
XHCP
BIND
Chunking
Xsockets
XSP XChunkP Cache XDP
Name
Resolution
ARP
Chunk, CID support
Caching
XIP XCMP
Datalink
XIA ICMP, ARP
Open source prototype released May 2012
18
19
• Prototype is available on Github
– Latest release includes support for 4ID
• Near term: IP application porting help, better transport protocols, permanent XIP network
• Next: mobility support, expanded support for intrinsic security and accountability
• Later: Scion integration, more services and applications
20
Path Selection in SCION
Architecture Overview
• Source/destination can choose among up/down hill paths
• Path control shared between
ISPs, receivers, senders
• Desirable security properties:
• High availability, even in presence of malicious parties
• Explicit trust for operations
• Minimal TCB: limit number of entities that must be trusted
• No single root of trust
• Simplicity, efficiency, flexibility, and scalability
Source
PCB
Destination
21
Directly support diverse network usage models
Multiple
Communicating
Principal Types
Evolution of principal types
Customization
Principal-specific security properties
Flexible
Addressing
Intrinsic
Security
DAG security
Deal with routing “failures” Built in security forms basis for system level security
• Can be implemented in diverse ways
• Can be deployed incrementally, e.g. in subnets