1 xia: network deployments dave andersen, david eckhardt, sara kiesler, jon peha, adrian perrig,...
TRANSCRIPT
1
XIA: Network Deployments
Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu,
Peter Steenkiste, Hui ZhangCarnegie Mellon University
Aditya Akella, University of WisconsinJohn Byers, Boston University
FIA PI MeetingMarch 2013, Salt Lake City
Today’s Internet
2
WebServer
Problem: Network does not
know what user wants!
Dest: Server ID
Src: Client ID
Today’s Internet
3
S
S
S S
XIA VisionWe envision a future Internet that:• Is trustworthy
– Security broadly defined is a compelling research challenge
• Supports long-term evolution of usage models– Including host-host, content retrieval, services, …
• Supports long term technology evolution– Not just for link technologies, but also for storage and
computing capabilities in the network and end-points• Provides benefits for a multiplicity of stakeholders
– Despite differences in roles, goals and incentives
4
5
Support multiple communication
types(heterogeneity)
Support future communication
types(evolution)
Allow using new communication
types at any point (incremental deployment)
Principal types Fallback
XIA Pillars
Intrinsic Security
XIA Design: Expressiveness
• Principal Types– Defines the format of the address
• And its semantics, including security semantics
– And what the address means– And what processing can be done– Key: Much more intentful than today’s
addresses.
• Use ours: Host. Service. Content. 4ID. AD. • Or, {roll your own}
XIA Design: Intrinsic Security• XIA uses self-certifying identifiers that guarantee
security properties for communication operation– Host ID is a hash of the host’s public key – accountability– Content ID is a hash of the content – correctness– Does not rely on external configurations
• Intrinsic security is specific to the principal type• Example: retrieve content using …
– Content XID: content is verifiably/unspoofably correct– Service XID: the correct ASP provided the service– Host XID: content was delivered from intended host
7
8
128.2.10.162
Current Internet
XIA
IP address
Host 0xF63C7A4…
Principal type
Type-specific identifier
Service 0x8A37037…
Content 0x47BF217…
Future …
Hash of host’s public key
Hash of content
Hash of service’s public
key
Principal Types
Intrinsically secure IDs
XIA Design: Deployability• Fallback addressing
– Allows you to use tomorrow’s principal type today– “If I can’t go directly to X, use Y...”
• Example 1:– Ultimate intent: retrieve CONTENT (CID)– Fallback: contact HOST (HID)
• Example 2:– Next hop not XIA-capable? Use (4ID) in address:
Fallback to IPv4 encapsulation: contact IPv4(HID)• Admits incremental deployment
– Not just of new ID types within XIA, but of XIA itself.
Example: Secure Video Playback
10
AD 0xF00000 AD 0xF00000
NYT server
Host 0xF63C7A4
Service 0xDE44444
AD 0xF000000
4ID 5.11.2.14
XIA Name Resolution
Service
XIA Name Resolution
Service
nyt.com maps to
Service 0xDE44444
AD 0xF000000
Host 0xF63C7A4
4ID 5.11.2.14
or
or
register
Secure Video Playback
11
S
AD 0xF00000 AD 0xF00000
NYT server
XIA Name Resolution
Service
XIA Name Resolution
Service
nyt.com?
Service 0xDE44444
AD 0xF000000
Host 0xF63C7A4
4ID 5.11.2.14
or
or
NYT replica CID, signed by
0xDE44444
Secure Video Playback
12
S
AD 0xF00000 AD 0xF00000
NYT server
NYT replica
sequence of CIDs
XIA top-down view
• What does an XIA network look like to various stakeholders?
• Who benefits from new features and why? • Who bears the costs of deployment?• Stakeholders we consider (not exhaustive):
– Network operators: from testbeds to ISPs– Application providers / service providers– Application developers– End-users
13
Benefits to Network Operators
• Increased potential for value-added services (without resorting to deep-packet inspection)– Simpler middlebox deployment– On-path caching or route redirection– Principal types aligned with economic incentives
• Risk mitigation via incremental deployment• More choice regarding trust domains
– SCION route control
14
Benefits to Service Providers
• Added expressivity: customizable principals– Built-in support for binding, scoping, mobility.– Intrinsic security guarantees.
• Access control, accounting, accountability, counter-measures for DoS
• Making use of in-network optimizations furnished by network operators.
• Similar benefits accrue to application developers.
15
Benefits to End-Users
• Increased choice and flexibility regarding intent:– Choice of XID principal type, i.e. how a given communication
operation performed– Rich address formats add flexibility: fallback, services. – Scion offers control via edge-directed routing
• Support for mobile users• Trickle-down benefits derived from better apps.• Intrinsic security:
– Qualitative benefits of security guarantees is a central focus of our user studies.
16
Costs of Deployment
• New XIA protocol stack network-wide– Prototype status update next slide– Incremental deployment possible, advisable.
• Management and processing overhead– Packet processing; flat address space – Tracking revisions for multiple principal types– Implications for switches, interconnect, H/W.
• Additional opportunities present added complexity, new optimization problems.
17
XIP Prototype Implementation
18
Datalink
XIP
XDP XSP XChunkP Cache
Chunking
Xsockets
ApplicationsXHCP
XCMPARP
BIND
Routing
Open source prototype released May 2012
Wireshark
XIA ICMP, ARPXIA ICMP, ARP
Basic inter-domain routing, XIA DHCPBasic inter-domain routing, XIA DHCP
POSIX style sockets for datagrams, streamingSupports HID and SID
POSIX style sockets for datagrams, streamingSupports HID and SID
Chunk, CID support Caching
Chunk, CID support Caching
NameResolution
NameResolution
Extra slides, possible candidate slides follow
19
Planned Prototype Enhancements
• Prototype is available on Github– Latest release includes support for 4ID
• Near term: IP application porting help, better transport protocols, permanent XIP network
• Next: mobility support, expanded support for intrinsic security and accountability
• Later: Scion integration, more services and applications
20
Path Selection in SCIONArchitecture Overview
21
• Source/destination can choose among up/down hill paths
• Path control shared between ISPs, receivers, senders
• Desirable security properties:• High availability, even in presence
of malicious parties• Explicit trust for operations• Minimal TCB: limit number of
entities that must be trusted• No single root of trust• Simplicity, efficiency, flexibility,
and scalability
Source
Destination
PCB PCB PCBPCB
XIA Dataplane Concepts
• Can be implemented in diverse ways• Can be deployed incrementally, e.g. in subnets
Intrinsic Security
Flexible Addressing
Multiple Communicating Principal Types
Deal with routing “failures” Built in security forms basisfor system level security
Directly support diversenetwork usage models
Evolution of principal typesCustomization
Principal-specificsecurity properties
DAGsecurity