Upload
michael-tucker
View
222
Download
0
Tags:
Embed Size (px)
Citation preview
Towards a New Naming Architectures
Ion Stoica, Scott Shenker, and many others…
2
Goals
• Support – Mobility: machine, data, session– Multi-homing, multiple-interfaces
• Make middle-boxes part of architecture• Security
– Better support against DDoS– Anonymity
• …
3
Designs
• Host Identity Protocol (HIP)• Internet Indirection Infrastructure (i3)• Semantic-Free Referencing (SFR)• Layered Naming Architecture (LNA)
4
Designs
Host Identity Protocol (HIP)• Internet Indirection Infrastructure (i3)• Semantic-Free Referencing (SFR)• Layered Naming Architecture (LNA)
5
Host Identity Protocol (HIP)
• Provides: – Fast mobility– Multi-homing– Support for different addressing schemes
• Transparent IPv4 to IPv6 migration – Security
• Anonymity • Secure and authenticate datagrams
6
HIP
• A public key used to identify an end-host
• A 128-bit host identity tag (HIT) used for system calls– HIT is a hash on public key– Global scope
• A 32-bit local scope identifier (LSI) for IPv4 compatibility
HIT replaces IP address as a name of a system
HIT replaces IP address as a name of a system
7
Protocol Stack
Process
Transport
IP Layer
<IPaddr, port>
<IPaddr>
Process
Transport
HIP Layer
IP Layer
<HIT, port>
<IPaddr>
<HIT>
8
HIT
How It Works?
Client app
HIP layer
IPsec
HIPdaemon
DNSlibrary
DNSDNS request
DNS reply =
pubkey (P)
HIT=hash(P)IPaddr
Client app
HIP Layer
IPsec
HIPdaemon
4-way authenticationTransport
HIT
IPaddr, P
send(HIT)
send(HIT)
send(IPaddr)
send(IPaddr)
Transport
9
Designs
• Host Identity Protocol (HIP) Internet Indirection Infrastructure (i3)• Semantic-Free Referencing (SFR)• Layered Naming Architecture (LNA)
10
Internet Indirection Infrastructure (i3)
• Supports:– Mobility– Multi-homing– Anycast– Multicast
• Accommodate middle-boxes• Security
– Anonymity– DoS
11
Internet Indirection Infrastructure (i3)
• Each packet is associated an identifier id• To receive a packet with identifier id,
receiver R maintains a trigger (id, R) into the overlay network
Sender
id Rtrigger
iddata
Receiver (R)
iddata
Rdata
12
Integrate Middle-Boxes
• Use a stack of IDs to encode sequence of operations to be performed on data path
SenderReceiver (R)
idT Tid R
Transcoder (T)
T,iddata
iddata
Rdata
idT,iddata idT,iddata
13
i3 Identifiers
• 256-bit IDs• ID ultimately mapped to an (IPaddr:port)
– Mapping under application control• ID can represent
– A host, flow, service, etc
ID can identify any entity thatcan receive packets
ID can identify any entity thatcan receive packets
14
Sender specific
Protocol Stack
Process
Transport
IP Layer
<IPaddr, port>
<IPaddr>
Process
Transport
i3 layer(IPlocal->ID)
IP Layer
ID/<IPlocal, port>
<IPi3>
<ID>
local scope
15
How It Works?(Native i3 Applications)
Client app
i3 layer
DNSDNS request
DNS reply = id
send(IPi3)
Client app
i3 layer
IP
i3daemon
IP
Transport
id RIPi3
Receiver R
send(id)
Transportsend(id)
send(id)
16
How It Works?(Legacy Applications)
Client app
i3 layer
i3daemon
DNSlibrary
DNSDNS request
DNS reply = id
id
send(IPlocal, port)
send(IPi3)
Client app
i3 layer
IP
i3daemon
IPlocal
id,IPlocal
IP
Transport
id (r:p)IPi3
IP address: r
send(id)
send(r,p)
Transport
17
Designs
• Host Identity Protocol (HIP)• Internet Indirection Infrastructure (i3)Semantic-Free Referencing (SFR)• Layered Naming Architecture (LNA)
18
Goal: Address DNS Limitations
• DNS names identify machines and organizations not data – Data cannot be easily moved – Data cannot be easily replicated
• DNS names are brand names– Political fighting
19
SFR Solution
• Use IDs instead of DNS name• ID space is flat and IDs have no
semantics• A generalization of DNS
– Returns metadata instead of an IP address
• How to implement it?– Use distributed hash-tables (DHTs)!
20
DHT Primer
• Interface– put(id, data)– data = get(id)
• Highly scalable– O(log N) hops to execute an operation
• Highly robust– Can tolerate ~50% of nodes going down
• Highly dynamic– Entries can be changed very fast
21
Designs
• Host Identity Protocol (HIP)• Internet Indirection Infrastructure (i3)• Semantic-Free Referencing (SFR) Layered Naming Architecture (LNA)
22
Layered Naming Architecture (LNA)
• Supports:– Mobility– Multi-homing
• Integrate middle-boxes• Security (through middle-boxes)
– Anonymity– DoS– …
23
A Old Naming Taxonomy
• Four kinds of network entities (Saltzer):– Services (and data)– Hosts (endpoints)– Network attachment points– Paths
• Should name each individually:– Ignore paths (router involvement)– IP addresses name attachment points– Endpoint identifiers (EIDs) name hosts – Service identifiers (SIDs) name services/data
24
Protocol Stack
Process
Transport
IP Layer
<IPaddr, port>
<IPaddr>
Process
Transport
EID↔IP
IP Layer
<EID, port>
<IPaddr>
<EID>
SID↔EID <SID>
25
How It Works?
Client app “DNS”DNS request
DNS reply = sid
send(IPi)
Client app
LNAdaemon
IP
Transport
send(sid)
DHTeid = get(sid)SID↔EI
Dsend(eid)
EID↔IP
send(eid) IP = get(eid)
put(sid, eid)put(eid, IP)
IP
Transport
SID↔EID
EID↔IPIntermediary (IPi)
26
Principles
• Don’t bind to lower-level IDs prematurely – Host mobility and renumbering (HIP)– Service and data migration
• Resolution of name need not point to object itself, but can point to its delegate– Resolution can point to intermediaries who
process packets on behalf of the named target
27
Naming Architecture Requirements
1) There should be a layer in the protocol stack that uses IDs not IP addresses• Mobility, multi-homing, replications, …
2) IDs should be able to name arbitrary objects
3) IDs should encode as little semantics as possible
4) End-points should be able to use indirection at the ID level• Integrate middle boxes
28
How Many ID Layers?
• HIP: one layer; IDs identify machines• SFR: one layer; IDs identify data• i3: one layer; IDs identify arbitrary
objects• LNA: two layers
– EIDs identify machines– SIDs identify everything else
29
When is the Resolution IDIP Done?
• SFR: above transport• HIP: below transport, at HIP layer• i3: in the infrastructure• LNA: below transport
– But IP address can be an intermediate point
30
Security Support?
• HIP: – Authentication, data integrity– Anonymity at transport layer – Transport layer resistance to DoS attacks
• i3– Anonymity at IP layer– Some DoS defense at IP layer– Everything else can be done though middle-
boxes • LNA
– Everything can be done through middle-boxes
31
Resources
• HIP: http://homebase.htt-consult.com/~hip/
• SFR: http://nms.lcs.mit.edu/projects/sfr/• i3: http://i3.cs.berkeley.edu