25/1/2010 1

Lecture 2:Lecture 2:Evolutionary and Evolutionary and Revolutionary ApproachesRevolutionary Approaches

D.Sc. Arto Karila

Helsinki Institute for Information Technology (HIIT)

arto.karila@hiit.fi

T-110.6120 – Special Course on Data Communications Software: Publish/Subscribe Internetworking

www.psirp.org

25/1/201025/1/2010 22

ContentsContents

1. Evolutionary approaches

2. Some more revolutionary approaches

3. Networking Named Content – Van Jacobson’s CCN project(Content-Centric Networking)

25/1/201025/1/2010 33

Evolutionary Approaches

1. IPv6

2. IPSEC

3. Mobile IP

4. HIP

5. DiffServ

6. DHT

25/1/201025/1/2010 44

IPv6IPv6 IPv6 was born in 1995 after long work There are over 30 IPv6-related RFCs The claimed improvements in IPv6 are:

Large 128-bit address space Stateless address auto-configuration Multicast support Mandatory network layer security (IPSEC) Simplified header processing by routers Efficient mobility (no triangular routing) Extensibility (extension headers) Jumbo packets (up to 4 GB)

25/1/201025/1/2010 55

IPv6IPv6 Major operating systems and many ISPs

support IPv6 The use of IPv6 is slowly increasing in

Europe and North America but more rapidly in Asia

In China, CERNET 2 runs IPv6, interconnecting 25 points of presence in 20 cities with 2.5 and 10 Gbps links

IPv6 really only solves the exhaustion of Internet address space

25/1/201025/1/2010 66

IPSECIPSEC IPSEC is the IP-layer security solution of

the Internet to be used with IPv4 and IPv6 Authentication Header (AH) only protects

the integrity of an IP packet Encapsulating Security Payload (ESP)

also ensures confidentiality of the data IPSEC works within a Security Association

(SA) set up between two IP addresses ISAKMP (Internet Security Association

and Key Management Protocol) is a very complicated framework for SA mgmt

25/1/201025/1/2010 77

Encapsulating Security Payload (IPv4)

Original IPv4 Header

Security Parameter Index (SPI)

Sequence Number

Coverage of Authentication

UDP/TCP Header

Data

Padding Pad Len Next Hdr

Authentication Data

Coverage ofConfidentiality

ESP Header

ESP Payload

ESP Trailer

25/1/201025/1/2010 88

Encapsulating Security Payload (IPv6)

ESP Payload

Hop-by-Hop Extensions

Security Parameter Index (SPI)

Sequence Number

Coverage of Authentication

End-to-End Extensions

Data

Padding

Authentication Data

Coverage ofConfidentiality

ESP Header

ESP Trailer

Original IPv6 Header

UDP/TCP Header

25/1/201025/1/2010 99

Mobile IPv4Mobile IPv4 Basic concepts:

Mobile Node (MN) Correspondent Node (CN) Home Agent (HA) Foreign Agent (FA) Care-of-Address (CoA)

Problems: Firewalls and ingress filtering Triangular routing

25/1/201025/1/2010 1010

Mobility Example:Mobile IP Triangular Routing

Home Agent

CorrespondentHost

Foreign Agent

Mobile Host

Ingress filtering causes problems for IPv4 (home address as source), IPv6 uses CoA

so not a problem . Solutions:(reverse tunnelling) or

route optimization

Foreign agent left out of MIPv6. No special

support needed withIPv6 autoconfigurationDELAY!

Care-of-Address (CoA)

Source: Professor Sasu Tarkoma

25/1/201025/1/2010 1111

Ingress Filtering

Home AgentCorrespondent Host

Packet from mobile host is deemed "topologically incorrect“ (as in source address spoofing)

With ingress filtering, routers drop source addresses that are not consistent with the observed source of the packet

Source: Professor Sasu Tarkoma

25/1/201025/1/2010 1212

Reverse Tunnelling

Home Agent

CorrespondentHost

Router

Mobile Host

DELAY!

Firewalls and ingress filtering no longer a problemTwo-way tunneling leads to

overhead and increased congestion

Firewalls and ingress filtering no longer a problemTwo-way tunneling leads to

overhead and increased congestion

Source: Professor Sasu Tarkoma

Care-of-Address (CoA)

25/1/201025/1/2010 1313

Mobile IPv6 Route Optimization

Home Agent

CorrespondentHost

Router

Mobile Host

MH sends a binding update to CHwhen it receives a tunnelled packet.

CH sends packets using routing header

First, a Return Routability test to CH. CH sends home test and CoA test packets. When MH receives both,

It sends the BU with the Kbm key.

Secure tunnel (ESP)

Source: Professor Sasu Tarkoma

25/1/201025/1/2010 1414

Differences btw MIPv6 and MIPv4 In MIPv6 no FA is needed

(no infrastructure change) Address auto-configuration helps in acquiring CoA MH uses CoA as the source address in foreign

link, so no problems with ingress filtering Option headers and neighbor discovery of IPv6

protocol are used to perform mobility functions 128-bit IP addresses help deployment of mobile

IP in large environments Route optimization is supported by header options

Source: Professor Sasu Tarkoma

25/1/201025/1/2010 1515

Extension Headers

Mobility Header

Upper Layer headers

DataMH

CN to MN MN to CN

MN, HA, and CN for Binding

MH Type in Mobility Header: Binding Update, Binding Ack, Binding Err, Binding refresh

Source: Chittaranjan Hota, Computer Networks II lecture 22.10.2007

25/1/201025/1/2010 1616

HIPHIP Host Identity Protocol (HIP, RFC4423)

defines a new global Internet name space The Host Identity name space decouples

the name and locator roles, both of which are currently served by IP addresses

The transport layer now operates on Host Identities instead of IP addresses

The network layer uses IP addresses as pure locators (not as names or identifiers)

25/1/201025/1/2010 1717

HIP ArchitectureHIP Architecture

25/1/201025/1/2010 1818

HIPHIP HIs are self-certifying (public keys) HIP is a fairly simple technique based on

IPSEC ESP and HITs (128-bit HI hashes) It addresses several major issues:

Security Mobility Multi-homing IPv4/IPv6 interoperation

HIP is ready for large-scale deployment See http://infrahip.hiit.fi for more info

25/1/201025/1/2010 1919

Base exchange

Initiator

ResponderI1 HIT

I, HIT

R or NULL

R1 HITI, [HIT

R, puzzle, DH

R, HI

R]

sig

I2 [HITI, HIT

R, solution, DH

I,{HI

I}]

sig

R2 [HITI, HIT

R, authenticator]

sig

ESP protected TCP/UDP, ESP protected TCP/UDP, nono explicit HIP explicit HIP headerheader

ESP protected TCP/UDP, ESP protected TCP/UDP, nono explicit HIP explicit HIP headerheader

User data messagesUser data messages

solve puzzle

verify, authenticate,

replay protection

• Based on the SIGMA family of key exchange protocols

standard authenticated Diffie-Hellman key exchange

for session key generation

Select precomputed R1. Prevent DoS. Minimal state kept at

responder!Does not protect against replay

attacks.

Source: Dr. Pekka Nikander

25/1/201025/1/2010 2020

HIP MobilityHIP Mobility Mobility is easy – retaining the SA for ESP

25/1/201025/1/2010 2121

HIP in Combining IPv4 and IPv6

IPv6 access

network

IPv4 access

network

Internet

HIP MN

Music Server

WWW ProxyHIP CN

An early demo seen at L.M. Ericsson Finland (source: Petri Jokela, LMF)

25/1/201025/1/2010 2222

DiffServ Differentiated Services (DiffServ, RFC 2474)

redefines the ToS octet of the IPv4 packet or Traffic Class octet of IPv6 as DS

The first 6 bits of the DS field are used as Differentiated Services Code Point (DSCP) defining the Per-Hop Behavior of the packet

DiffServ is stateless (like IP) and scales Service Profiles can be defined by ISP for

customers and by transit providers for ISPs DiffServ is very easily deployable and could

enable well working VoIP and real-time video Unfortunately, it is not used between operators

25/1/201025/1/2010 2323

Distributed Hash Table (DHT)DHT) Distributed Hash Table (DHT) is a service for

storing and retrieving key-value pairs There is a large number of peer machines Single machines leaving or joining the network

have little effect on its operation DHTs can be used to build e.g. databases (new

DNS), or content delivery systems BitTorrent is using a DHT The real scalability of DHT is still unproven All of the participating hosts need to be trusted

(at least to some extent)

25/1/201025/1/2010 2424

DHTDHT The principle of Distribute Hash Table

(source: Wikipedia)

25/1/201025/1/2010 2525

ContentsContents

1. Evolutionary approaches

2. Some more revolutionary approaches

3. Networking Named Content – Van Jacobson’s CCN project(Content-Centric Networking)

25/1/201025/1/2010 2626

Some More Revolutionary Approaches

1. ROFLM. Caesar, T. Condie, J. Kannan, K. Lakshminarayanan, I. Stoica, and S.Shenker, ROFL: Routing on Flat Labels, In ACM SIGCOMM, Sep. 2006, pp. 363–374

2. DONAT. Koponen, M. Chawla, B.-G. Chun, A. Ermolinskiy, K. H. Kim, S. Shenker, and I. Stoica, A Data-Oriented (and Beyond) Network Architecture, In SIGCOMM ’07: Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications, New York, NY, USA, 2007, pp. 181-192

25/1/201025/1/2010 2727

ROFL ROFL routes directly on host identities,

leaving aside the locations of the hosts Self-certifying identifiers (tied to public keys) Create a network layer with no locations Advantages:

No new infrastructure (no name resolution) Packet delivery only depends on the data path Simpler allocation of identifiers

(just need to ensure uniqueness) Access control based on identifiers

25/1/201025/1/2010 2828

ROFL Three classes of hosts:

Routers Stable hosts Ephemeral hosts

Each ID is resident to its Hosting Router (the host’s first-hop router)

The hosts form a two-way ring – each with pointers to its successor and predecessor

There can be shorter routes cached An OSPF-like routing protocol (with network map)

is assumed for recovering from routing failures Global ROFL-ring for inter-domain routing

25/1/201025/1/2010 2929

DONA DONA replaces the hierarchical DNS

namespace with a cryptographic, self-certifying namespace for naming data

This enables totally distributed namespace control

The namespace is not totally flat but consists of two parts: the principal’s identifier and a label

This two-tier hierarchy helps make DONA scalable

Clean-slate naming and name resolution

25/1/201025/1/2010 3030

DONA Strict separation between

naming (persistence and authenticity) and name resolution (availability)

Each principal has a public-key pair Each datum (or any other named entity) is

associated with a principal Names of the form P:L (Principal:Label),

where P is a cryptographic has os the principal’s public key and L is a locally unique label

Name resolution by Resolution Handlers, primitives: FIND(P:L), REGISTER(P:L)

25/1/201025/1/2010 3131

ContentsContents

1. Evolutionary approaches

2. Some more revolutionary approaches

3. Networking Named Content – Van Jacobson’s CCN project(Content-Centric Networking)

25/1/201025/1/2010 3232

Networking Named ContentNetworking Named Content

Based on and pictures borrowed from: Jacobson, V.; Smetters, D. K.; Thornton, J. D.; Plass, M. F.; Briggs, N.; Braynard, R. Networking named content. Proceedings of the 5th ACM International Conference on Emerging Networking Experiments and Technologies (CoNEXT 2009); 2009 December 1-4; Rome, Italy. NY: ACM; 2009; 1-12.

25/1/201025/1/2010 3333

Host-Centric Networking

In 1960’s and 1970’s – resource sharing Computers, disk drives, tape drives,

printers etc. needed to be shared This lead into a communication model with

two machines – one using and one providing resources over the network

IP packets with source and destination Most of the traffic is TCP connections

25/1/201025/1/2010 3434

Content-Centric Networking (CCN)

In 2009 alone 500 exabytes (5 x 1020 B) of content created (source: RFC 5401)

Users are interested in what content – not where it is

CCN – a communication architecture built on named data

“Address” names content – not location Preserve the design decisions that make

TCP/IP simple, robust and scalable

25/1/201025/1/2010 3535

TCP/IP and CCN Protocol Stacks From IP to chunks of named content Only layer 3 requires universal agreement

25/1/201025/1/2010 3636

Interest and Data packets There are two types of CCN packets:

Interest packets Data packets

25/1/201025/1/2010 3737

CCN Node Model There are two types of CCN packets:

Interest packets Data packets

Consumer broadcasts its Interest over all available connectivity

Data is transmitted only in response to and Interest and consumes that Interest

Data satisfies an Interest if ContentName in the Interest is a prefix of that in the Data

25/1/201025/1/2010 3838

CCN Node Model Hierarchical name space (cmp w/ URI) When a packet arrives on a face a

longest-match lookup is made Forwarding engine with 3 data structures:

Forwarding Information Base (FIB) Content Store (buffer memory) Pending Interest Table (PIT)

25/1/201025/1/2010 3939

CCN Node Model FIB allows a list of outgoing interfaces –

multiple sources of data Content Store w/ LRU or LFU replacement PIT keeps track of Interest forwarded up-

stream => Data can be sent downstream Interest packets are routed upstream –

Data packets follow the same path down Each PIT entry is a “bread crumb” marking

the path and is erased after it’s been used

25/1/201025/1/2010 4040

CCN Forwarding Engine

25/1/201025/1/2010 4141

CCN Node Model When an Interest packet arrives, longest-match

lookup is done on its ContentName ContentStore match is preferred over a PIT

match, preferred over a FIB match Matching Data packet in ContentStore => send it out

on the Interest arrival face Else, if there is an exact-match PIT entry => add the

arrival face to the PIT entry’s list Else, if there is a matching FIB entry =>

send the Interest up-stream towards the data Else => discard the Interest packet

25/1/201025/1/2010 4242

CCN Transport CCN transport is designed to operate on

unreliable packet delivery services Senders are stateless Receivers keep track of unsatisfied

Interests and ask again after a time-out The receiver’s strategy layer is responsible

for retransmission, selecting faces, limiting the number of unsatisfied Interests, priority

One Interest retrieves at most one Data packet => flow balance

25/1/201025/1/2010 4343

Reliability and Flow Control Flow balance allows for efficient

communication between machines with highly different speeds

It is possible to overlap data and requests In CCN, all communication is local and

flow balance is maintained over each hop This leads into end-to-end flow control

without any end-to-end mechanisms

25/1/201025/1/2010 4444

Naming CCN is based on hierarchical, aggregatable

names at least partly meaningful to humans The name notation used is like URI

25/1/201025/1/2010 4545

Naming and Sequencing An Interest can specify the content exactly Content names can contain automatically

generated endings used like sequence #s The last part of the name is incremented for

the next chunk (e.g. a video frame) The names form a tree which is traversed in

preorder In this way, the receiver can ask for the

next Data packet in his Interest packet

25/1/201025/1/2010 4646

Intra-Domain Routing Like IPv4 and IPv6 addresses, CCN

ContentNames are aggregateable and routed based on longest match

However, ContentNames are of varying length and longer than IP addresses

The TLV (Type Label Value) of OSPF or IS-IS can distribute CCN content prefixes

Therefore, CCN Interest/Data forwarding can be built on existing infrastructure without any modification to the routers

25/1/201025/1/2010 4747

Intra-Domain Routing An example of intra-domain routing

25/1/201025/1/2010 4848

Inter-Domain Routing The current BGP version has the equivalent

of the IGP TLV mechanism Through this mechanism, it is possible to

learn which domains serve Interests in some prefix and what is the closest CCN-capable domain on the paths towards those domains

Therefore, it is possible to deploy CCN in the existing BGP infrastructure

25/1/201025/1/2010 4949

Content-Based Security In CCN, the content itself (rather than its

path) is protected One can retrieve the content from the

closest source and validate it All content is digitally signed Signed info includes hash of the public key

used for signing We still need some kind of a Public Key

Infrastructure (PKI)

25/1/201025/1/2010 5050

Trust Establishment Associating name spaces with public keys

25/1/201025/1/2010 5151

Evaluation The CCN architecture described has been

implemented and evaluated Voice over CCN and Content Distribution

were tested with small networks The results are interesting but don’t really

tell us anything about the scalability of the design

25/1/201025/1/2010 5252

Voice over CCN Secure Voice over CCN was implemented using

Linphone 3.0 and its performance evaluated Caller encodes SIP INVITE as CCN name and

sends it as an interest On receipt of the INVITE, the callee generates a

signed Data packet with the INVITE name as its name and the SIP response as its payload

From the SIP messages, the parties derive paired name prefixes under which they write RTP packets

There is a separate paper on Voice over CCN

25/1/201025/1/2010 5353

Voice over CCN – Automatic Failover

25/1/201025/1/2010 5454

Content Distribution

25/1/201025/1/2010 5555

Throughput

25/1/201025/1/2010 5656

Comparing CCN and HTTP

25/1/201025/1/2010 5757

Comparing CCN and HTTPS

25/1/201025/1/2010 5858

Merits of CCN

Very understandable scheme Shown to work also with streamed media Clever reuse of existing mechanisms Easy to implement based on current

routing software Easy to deploy on existing routing

protocols and IP networks Easy, human-readable naming scheme

25/1/201025/1/2010 5959

Concerns about CCN The simple hierarchical (URI-like)

naming scheme is also a limitation Will CCN scale to billions of nodes?

Flooding (send out through all available faces) Flow balance – an Interest for every Data How large can the FIB grow (soft state)? Data takes the same (possibly non-optimal) path as

Interest

Are the performance measurements made with only a couple of hosts convincing?

Security architecture looks very conventional

25/1/201025/1/2010 6060

Thank you for your attention!Thank you for your attention!

Questions? Comments?Questions? Comments?