How to use DNS during the evolution of ICN? Zhiwei Yan

Posted on 05-Jan-2016

TRANSCRIPT

Page 1: How to use DNS during the evolution of ICN? Zhiwei Yan

Slide footer: Builder, operator and manager of the key infrastructure of China's information society

How to use DNS during the evolution of ICN?

Zhiwei Yan

Page 2: How to use DNS during the evolution of ICN? Zhiwei Yan

Outline

1 Background
2 Content Naming
3 Content Management
4 Content Addressing
5 Analysis & Conclusions

Page 3: How to use DNS during the evolution of ICN? Zhiwei Yan

Outline (repeated as a section divider)

Page 4: How to use DNS during the evolution of ICN? Zhiwei Yan

DNS: Domain Name System

DNS is used to locate a resource in the Internet.

Page 5: How to use DNS during the evolution of ICN? Zhiwei Yan

DNS: Resource Record

30 years of development: >5 million DNS servers, >100 RFCs, >30 available RR types

http://en.wikipedia.org/wiki/List_of_DNS_record_types
http://www.webhosting.info/domains

Page 6: How to use DNS during the evolution of ICN? Zhiwei Yan

DNS: DNSSEC 1

[Diagram: DNS data flow] The zone administrator maintains the zone file (1); the zone file and dynamic updates (2) feed the master; the master transfers the zone to the slaves (3); the slaves answer the caching forwarder (4); the caching forwarder answers the resolver (5). Registry/Registrar provisioning feeds the zone data.

Page 7: How to use DNS during the evolution of ICN? Zhiwei Yan

DNS: DNSSEC 2

DNS Vulnerabilities

[Diagram: the same DNS data flow, annotated with the attack exposed at each stage]

Zone file (1): corrupting data
Dynamic updates (2): unauthorized updates
Master to slaves (3): impersonating master
Slaves to caching forwarder (4): cache pollution by data spoofing
Caching forwarder to resolver (5): cache impersonation
Registry/Registrar provisioning: altered zone data

Page 8: How to use DNS during the evolution of ICN? Zhiwei Yan

DNS: DNSSEC 3

DNSSEC Provides Data Security

[Diagram: the same DNS data flow; the signed record

example.com A 10.8.0.1

appears unchanged at three points along the path (zone file, caching forwarder, resolver), because each recipient can validate its signature]

Among the 316 TLDs in the root zone, 110 TLDs have been signed and many others are planning to do so.

http://stats.research.icann.org/dns/tld_report/
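The slide says DNSSEC secures the data along the whole flow; the mechanism that makes this work across zones is the chain of trust, where a parent zone publishes a DS record that is a digest of the child's DNSKEY. The following added example (written for this transcript, not code from the talk) implements that link with the real RFC 4034 formats: canonical owner-name encoding, the key-tag computation of Appendix B, and the DS digest over owner name plus DNSKEY RDATA. The key material is constructed for the example and is not a real key.

```python
# Added example: the DS-to-DNSKEY link in the DNSSEC chain of trust.
# Formats follow RFC 4034; the key bytes below are constructed, not real.
import hashlib
import hmac
from dataclasses import dataclass


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, terminated by the empty root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 13 = ECDSAP256SHA256
    public_key: bytes  # algorithm-specific public key material

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int   # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: bytes


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 5.1.4."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    digest = hashers[digest_type](canonical_name(key.owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def chain_link_ok(parent_ds_set: list, child_keys: list) -> bool:
    """True if at least one child DNSKEY is vouched for by a DS in the
    (already validated) parent zone. Key tag and algorithm are only a
    pre-filter; the digest comparison is what actually binds the key."""
    for ds in parent_ds_set:
        for key in child_keys:
            if key.key_tag() != ds.key_tag or key.algorithm != ds.algorithm:
                continue
            if hmac.compare_digest(make_ds(key, ds.digest_type).digest, ds.digest):
                return True
    return False


# Constructed sample: a child KSK and the DS its parent would publish for it.
CHILD_KSK = DNSKEY("example.com.", 257, 3, 13, bytes(range(64)))
PARENT_DS = make_ds(CHILD_KSK)
# A substituted key (different material) is not covered by the parent's DS.
SUBSTITUTED_KSK = DNSKEY("example.com.", 257, 3, 13, bytes(range(1, 65)))

if __name__ == "__main__":
    print("key tag", CHILD_KSK.key_tag(), "DS", PARENT_DS.digest.hex())
    print("genuine key accepted:", chain_link_ok([PARENT_DS], [CHILD_KSK]))
    print("substituted key accepted:", chain_link_ok([PARENT_DS], [SUBSTITUTED_KSK]))
```

A validator applies this check at every delegation from the trust anchor down, so the record shown on the slide is only trusted once each DS/DNSKEY link above it has been verified and each RRSIG checked; the block covers the DS link only, the signature check needs the algorithm-specific public key operation.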

Page 9: How to use DNS during the evolution of ICN? Zhiwei Yan

DNS: DANE

Authentication of DNS names for TLS (Transport-Layer Security) endpoints is a core security challenge in many Internet protocols, most famously HTTP (Hypertext Transfer Protocol).

The DANE (DNS-based Authentication of Named Entities) working group in the IETF is developing protocols that allow certificates to be bound to DNS names using DNSSEC.

The resource record used is TLSA.

Currently, there are many open source implementations of the DANE protocol and Google has implemented the DANE client in its Chrome browser.

Page 10: How to use DNS during the evolution of ICN? Zhiwei Yan

Outline (repeated as a section divider)

Page 11: How to use DNS during the evolution of ICN? Zhiwei Yan

Naming

Two schemes:

1) Flat: security

2) Hierarchical: scalability

[Diagram: naming triangle with the three goals Scalable, Secure, Readable]

Content naming: hierarchical path : public key

Example:

cn/sina/nba/11-20/match.avi:ALG|0xf01212099abcab678ac345

Page 12: How to use DNS during the evolution of ICN? Zhiwei Yan

Outline (repeated as a section divider)

Page 13: How to use DNS during the evolution of ICN? Zhiwei Yan

Management

[Diagram: a principal publishes content and receivers subscribe to it; the content transmission path runs through caches; each domain has a CMA and a DNS server]

In each domain, a CMA (Content Management Anchor) is deployed.

1) The binding between the CMA and the related prefix is stored in DNS as:

Content-Prefix—A/AAAA—TTL—IP-of-CMA

2) The binding between the resource and its location is stored in the CMA.

Page 14: How to use DNS during the evolution of ICN? Zhiwei Yan

Outline (repeated as a section divider)

Page 15: How to use DNS during the evolution of ICN? Zhiwei Yan

Addressing : CCN (Interest)

A TTL-like parameter (the hop limit) is carried in the Interest.

At each hop:

Hop limit = Hop limit - 1

If Hop limit = 0: DNS resolution

else: flooding

[Flowchart: Interest processing at a node]

1. Interest arrives.

2. Is there a match in the ContentStore? Yes: the matched Data is sent out the face where the Interest arrived; end. No: continue.

3. Is there a match in the PIT? Yes: the Interest's arrival face is added to the PIT entry's Requesting-Faces list; end. No: continue.

4. Is there a match in the FIB? No: discard. Yes: the face where the Interest arrived is removed from the face list of the FIB entry.

5. Is the face list of the FIB entry empty? Yes: remove the FIB entry; discard. No: a new PIT entry is created for the arriving Interest.

6. Hop limit = Hop limit - 1. Hop limit == 0? Yes: send the DNS request for the prefix-name in the Interest. No: the Interest is sent out all the faces remaining in the FIB entry.
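The flowchart above and the DNS-stored prefix-to-CMA binding of the Management slide together describe one forwarding pipeline. The following added example (written for this transcript, not code from the talk) simulates that pipeline on a single node: ContentStore, PIT and FIB checks in the order the flowchart gives, the hop-limit decrement, and on reaching zero a longest-prefix DNS lookup that returns the CMA address for the prefix. All tables (ContentStore, PIT, FIB, the DNS zone with its Content-Prefix / A / TTL / IP-of-CMA records) are constructed for the example, and the mapping of a '/'-separated content prefix to a DNS owner name (path components reversed, so cn/sina/nba becomes nba.sina.cn.) is an assumption of mine that the slides do not specify.

```python
# Added example: the Interest-processing flowchart with DNS fallback to the CMA.
# Every table here is constructed; the path-to-owner-name mapping is assumed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Interest:
    name: str        # e.g. "cn/sina/nba/11-20/match.avi"
    hop_limit: int   # TTL-like counter carried in the Interest
    in_face: int     # face the Interest arrived on


def prefix_to_dns_name(prefix: str) -> str:
    # Assumption: "cn/sina/nba" -> "nba.sina.cn." (components reversed).
    return ".".join(reversed(prefix.strip("/").split("/"))) + "."


@dataclass
class DnsZone:
    """Constructed zone: owner name -> (rrtype, TTL, IP-of-CMA)."""
    records: Dict[str, Tuple[str, int, str]]

    def resolve_cma(self, content_name: str) -> Optional[Tuple[str, str]]:
        """Longest-prefix match of the content name; (prefix, CMA IP) or None."""
        parts = content_name.strip("/").split("/")
        for n in range(len(parts), 0, -1):
            prefix = "/".join(parts[:n])
            rec = self.records.get(prefix_to_dns_name(prefix))
            if rec:
                return prefix, rec[2]
        return None


@dataclass
class CcnNode:
    content_store: Set[str] = field(default_factory=set)
    pit: Dict[str, Set[int]] = field(default_factory=dict)   # name -> requesting faces
    fib: Dict[str, Set[int]] = field(default_factory=dict)   # prefix -> outgoing faces
    dns: DnsZone = field(default_factory=lambda: DnsZone({}))

    def _fib_lookup(self, name: str) -> Optional[str]:
        parts = name.strip("/").split("/")
        for n in range(len(parts), 0, -1):
            prefix = "/".join(parts[:n])
            if prefix in self.fib:
                return prefix
        return None

    def process_interest(self, it: Interest) -> Tuple[str, object]:
        """Returns (action, detail) following the flowchart step by step."""
        # 1. ContentStore hit: matched Data goes back out the arrival face.
        if it.name in self.content_store:
            return "data", it.in_face
        # 2. PIT hit: record the new requesting face and stop (aggregation).
        if it.name in self.pit:
            self.pit[it.name].add(it.in_face)
            return "aggregated", sorted(self.pit[it.name])
        # 3. FIB lookup; no entry means the Interest is discarded.
        prefix = self._fib_lookup(it.name)
        if prefix is None:
            return "discard", "no FIB entry"
        # The flowchart removes the arrival face from the FIB entry's face list.
        self.fib[prefix].discard(it.in_face)
        if not self.fib[prefix]:
            del self.fib[prefix]
            return "discard", f"FIB entry {prefix} removed"
        # 4. New PIT entry, then the hop-limit rule from the slide.
        self.pit[it.name] = {it.in_face}
        it.hop_limit -= 1
        if it.hop_limit == 0:
            # DNS resolution for the prefix-name: who is the CMA for it?
            return "dns", self.dns.resolve_cma(it.name)
        # Otherwise flood out every face remaining in the FIB entry.
        return "flood", sorted(self.fib[prefix])


def build_node() -> CcnNode:
    """Constructed node state for the example."""
    zone = DnsZone({"nba.sina.cn.": ("A", 3600, "10.0.0.10")})
    node = CcnNode(dns=zone)
    node.content_store.add("cn/sina/nba/11-19/match.avi")
    node.fib["cn/sina"] = {1, 2, 3}
    return node


if __name__ == "__main__":
    node = build_node()
    for it in (Interest("cn/sina/nba/11-19/match.avi", 5, 2),
               Interest("cn/sina/nba/11-20/match.avi", 3, 2),
               Interest("cn/sina/nba/11-21/x.avi", 1, 1)):
        print(it.name, "->", node.process_interest(it))
```

Note that the flowchart really does mutate the FIB (it removes the arrival face and drops the entry when the list empties); the block follows that literally, which is why a node can end up discarding an Interest for a prefix it knew a moment earlier. The example does not model what happens after the CMA address is returned, since the slides only say that the resource-to-location binding lives in the CMA.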

Page 16: How to use DNS during the evolution of ICN? Zhiwei Yan

Addressing : CCN (Data)

Match the name with TLSA

Verify the content with L

A trade-off issue here is:

If the check is done by the router: DoS attack

If the check is done by the client: client load

[Flowchart: Data processing at a node]

1. Data arrives (Get Data).

2. Is there a match in the ContentStore? Yes: discard. No: continue.

3. Is there a match in the PIT? No: discard. Yes: DNS resolution (TLSA).

4. Passed name verification? No: discard. Yes: continue.

5. Passed data verification? No: discard. Yes: the Data is optionally added to the ContentStore.

6. The matched PIT entry deletes the arrival face of the Data; the Data is sent out the remaining faces of the matched PIT entry. Face list empty? Yes: remove the PIT entry. End.

Page 17: How to use DNS during the evolution of ICN? Zhiwei Yan

Outline (repeated as a section divider)

Page 18: How to use DNS during the evolution of ICN? Zhiwei Yan

Analysis - Security

[Diagram: security dependency chain]

Content name: cn/sina/nba/11-20/match.avi:ALG|0xf01212099abcab678ac345

The public key in the name is checked against the DANE TLSA record (Match?); the TLSA record is protected by DNSSEC.

The content is signed by the private key; the content source is checked against the public key (Match?).

Security dependency: DNSSEC -> DANE (TLSA) -> public key in the name -> signed content
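The name format from the Content Naming slide, the "Match the name with TLSA" step of the Data flowchart and the dependency chain above all hinge on one check: is the public key carried in the content name the one that the DNSSEC-protected TLSA record binds to that name? The following added example (written for this transcript, not code from the talk) parses the slide's name into path, algorithm tag and key, looks the path up in a constructed TLSA zone, and applies the RFC 6698 matching types (0 exact, 1 SHA-256, 2 SHA-512). The zone contents, the path-to-owner-name mapping (components reversed) and the per-answer "DNSSEC validated" flag are assumptions made for the example; the content signature check that follows a successful name check is not implemented here, since it needs the key algorithm the slide only names as ALG.

```python
# Added example: check the key embedded in a content name against its TLSA record.
# TLSA semantics follow RFC 6698; zone data and the name mapping are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class ContentName:
    path: str         # "cn/sina/nba/11-20/match.avi"
    algorithm: str    # "ALG" on the slide, a placeholder for the key algorithm
    public_key: bytes


def parse_content_name(name: str) -> ContentName:
    """Split 'path:ALG|0x<hex>' into its three parts."""
    path, _, crypto = name.rpartition(":")
    if not path or "|" not in crypto:
        raise ValueError("expected path:ALG|0xhex")
    alg, _, key_hex = crypto.partition("|")
    if not key_hex.startswith("0x"):
        raise ValueError("key must be hex prefixed with 0x")
    return ContentName(path, alg, bytes.fromhex(key_hex[2:]))


def tlsa_owner_name(path: str) -> str:
    # Assumption: "cn/sina/nba" -> "nba.sina.cn." (components reversed).
    return ".".join(reversed(path.strip("/").split("/"))) + "."


@dataclass(frozen=True)
class TLSA:
    usage: int          # RFC 6698 2.1.1; 3 = DANE-EE, the end entity's own key
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


def tlsa_matches(record: TLSA, public_key: bytes) -> bool:
    """True if the bare key in the name is what this TLSA record binds."""
    if record.selector != 1:
        return False  # the name carries a key, not a certificate
    if record.matching_type == 0:
        candidate = public_key
    elif record.matching_type == 1:
        candidate = hashlib.sha256(public_key).digest()
    elif record.matching_type == 2:
        candidate = hashlib.sha512(public_key).digest()
    else:
        return False  # unknown matching type is unusable, never a match
    return hmac.compare_digest(candidate, record.data)


# Constructed zone: owner name -> (answer was DNSSEC-validated, TLSA records).
Zone = Dict[str, Tuple[bool, Tuple[TLSA, ...]]]


def verify_name(name: str, zone: Zone) -> Tuple[bool, str]:
    """The 'Match the name with TLSA' step; refuses unsigned answers because
    the whole chain on the slide depends on DNSSEC protecting the TLSA RR."""
    cn = parse_content_name(name)
    owner = tlsa_owner_name(cn.path)
    answer = zone.get(owner)
    if answer is None:
        return False, f"no TLSA record for {owner}"
    validated, records = answer
    if not validated:
        return False, "TLSA answer is not DNSSEC-validated"
    for rec in records:
        if tlsa_matches(rec, cn.public_key):
            return True, f"key in name matches TLSA (usage {rec.usage}, type {rec.matching_type})"
    return False, "key in name does not match any TLSA record"


# Constructed sample built around the name shown on the slide.
SLIDE_NAME = "cn/sina/nba/11-20/match.avi:ALG|0xf01212099abcab678ac345"
KEY = bytes.fromhex("f01212099abcab678ac345")
OWNER = tlsa_owner_name("cn/sina/nba/11-20/match.avi")
ZONE: Zone = {
    OWNER: (True, (TLSA(3, 1, 1, hashlib.sha256(KEY).digest()),)),
    tlsa_owner_name("cn/sina/other"): (False, (TLSA(3, 1, 0, KEY),)),  # unsigned
}

if __name__ == "__main__":
    print(verify_name(SLIDE_NAME, ZONE))
    print(verify_name("cn/sina/other:ALG|0x" + KEY.hex(), ZONE))
```

The second sample answer carries a record that would match exactly, yet the check fails because the answer was not validated: that is the DNSSEC -> DANE -> name dependency of the slide made explicit. Where this check runs is the trade-off the Data slide raises; doing it on every router turns each Data packet into a DNS lookup plus a hash, which is the DoS exposure the slide mentions.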

Page 19: How to use DNS during the evolution of ICN? Zhiwei Yan

Analysis – Scalability 1

Analyzing model

[Diagram: the querying node at the centre; the Interest is propagated within the hop-limit region and is not propagated outside it]

To simplify the analysis, we have made the following assumptions:

1. Nodes are distributed uniformly across the network.

2. The zone-radius of every node in the network is the same.

3. The overhead induced by state maintenance is not considered.

The number of nodes in the i-hop range is

$$N(i) = \frac{\mathrm{Area}(i \cdot d)}{\mathrm{Area}_{\mathrm{Total}}(R)}\, N = \frac{(i d)^2}{R^2}\, N$$

The average hit probability during every hop is

$$p(i) = \frac{\mathrm{Area}(i) - \mathrm{Area}(i-1)}{\mathrm{Area}_{\mathrm{Total}}} = \frac{N(i) - N(i-1)}{N}$$

* R is used to estimate the area of the network, N is the total number of nodes in the network.

Page 20: How to use DNS during the evolution of ICN? Zhiwei Yan

Analysis – Scalability 2

1. When the Interest can be met within the H-hop range, the cost of the proposed scheme is

$$C_{new} = \alpha\,(1-p(1))\,N(1) + \alpha\,(1-p(1))(1-p(2))\,[N(2)-N(1)] + \cdots + \alpha\,[(1-p(1))\cdots(1-p(x-1))]\,[N(x-1)-N(x-2)] + \alpha\,[(1-p(1))\cdots(1-p(x-1))\,p(x)]\,[N(x)-N(x-1)] \quad (x \le H)$$

* α is the signaling message cost per node per Interest message

2. When the Interest cannot be met in the H-hop range, the DNS resolution will be triggered after the H-th hop flooding, and then the cost is

$$C_{new} = \alpha\,(1-p(1))\,N(1) + \alpha\,(1-p(1))(1-p(2))\,[N(2)-N(1)] + \cdots + [(1-p(1))\cdots(1-p(H))]\,[\alpha\,(N(H)-N(H-1)) + C_{DNS}]$$

* $C_{DNS}$ denotes the DNS resolution cost

Page 21: How to use DNS during the evolution of ICN? Zhiwei Yan

Analysis – Stability

In order to reduce the querying latency, the source in the current CCN may need to flood its information to the network.

When the source node moves, this causes a high failure probability because the recorded FIB information is invalid.

However, our scheme can reduce the flooding range for the mobile source and support its mobility with the help of DNS dynamic update.

For fairness, we assume that the Interest message has to be met before the (H+1)-hop flooding. For the current CCN scheme, the prefix information has to be broadcast to the (R-H)-hop range, whereas our scheme only needs the DNS update.

Then their stability ratio is

$$S_{ratio} = \frac{C_{DNS}}{\alpha\,[N - N(H)]}$$

Page 22: How to use DNS during the evolution of ICN? Zhiwei Yan

Analysis – Security

In our scheme, the key is an essential part of the name, and the name is no longer a pure human-readable string but includes a cryptographic part.

1. The public key is directly contained in the name, which poses a challenge to usability, since humans cannot understand or remember it.

2. Any move of the content may require the reworking of the name.

3. Cryptographic algorithm upgrades will result in name changes, and careful engineering is required to manage their usability implications.

Page 23: How to use DNS during the evolution of ICN? Zhiwei Yan

Conclusions

DNS based ICN

Security: establishes the complete security chain for content addressing.

Stability: supports the mobility of the content source.

Scalability: limits the signaling cost during content addressing.

Shortcoming: poses a challenge to usability due to the public key in the name.

Page 24: How to use DNS during the evolution of ICN? Zhiwei Yan

Thank you for your attention.