Builder, operator and manager of key infrastructure for China's information society
How to use DNS during the evolution of ICN?
Zhiwei Yan
Outline
1 Background
2 Content Naming
3 Content Management
4 Content Addressing
5 Analysis & Conclusions
DNS: Domain Name System
DNS is used to locate resources on the Internet.
DNS: Resource Record
30 years of development:
>5 million DNS servers, >100 RFCs, >30 available RRs
http://en.wikipedia.org/wiki/List_of_DNS_record_types
http://www.webhosting.info/domains
DNS: DNSSEC 1
[Figure: DNS data flow. Zone administrator → zone file (dynamic updates) → master → slaves → caching forwarder → resolver, with Registry/Registrar provisioning; the stages are numbered 1 to 5.]
DNS: DNSSEC 2
DNS Vulnerabilities
[Figure: the same DNS data flow (zone administrator, zone file, dynamic updates, master, slaves, caching forwarder, resolver, Registry/Registrar provisioning) annotated with the threats at each stage: altered zone data, unauthorized updates, impersonating master, corrupting data, cache pollution by data spoofing, cache impersonation.]
DNS: DNSSEC 3
DNSSEC Provides Data Security
[Figure: the same DNS data flow with the record "example.com A 10.8.0.1" shown unchanged at the master, the slaves and the caching forwarder: DNSSEC signs the zone data so that a validating resolver can detect any alteration along the path.]
Among the 316 TLDs in the root zone, 110 TLDs have been signed and many others are planning to do so.
http://stats.research.icann.org/dns/tld_report/
DNS: DANE
Authentication of DNS names for TLS (Transport-Layer Security) endpoints is a core security challenge in many Internet protocols, most famously HTTP (Hypertext Transfer Protocol).
The DANE (DNS-based Authentication of Named Entities) working group in IETF is developing protocols that allow certificates to be bound to DNS names using DNSSEC.
The RR used is TLSA.
Currently, there are many open source implementations of the DANE protocol and Google has implemented the DANE client in its Chrome browser.
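As an added example (not from the slides and not from any DANE implementation), the following Go program parses a TLSA record in presentation form and checks a presented certificate or SubjectPublicKeyInfo against it according to the selector and matching-type fields defined in RFC 6698. The certificate and SPKI bytes are constructed stand-ins; a real validator takes them from the TLS handshake and takes the record from a DNSSEC-validated response, which is what makes the binding trustworthy.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// TLSA holds the four fields of a TLSA resource record (RFC 6698).
type TLSA struct {
	Usage     int    // 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
	Selector  int    // 0 = full certificate, 1 = SubjectPublicKeyInfo
	MatchType int    // 0 = exact match, 1 = SHA-256, 2 = SHA-512
	Data      []byte // certificate association data
}

// ParseTLSA parses the presentation form "<usage> <selector> <mtype> <hex>".
func ParseTLSA(rdata string) (TLSA, error) {
	f := strings.Fields(rdata)
	if len(f) < 4 {
		return TLSA{}, fmt.Errorf("tlsa: need 4 fields, got %d", len(f))
	}
	var n [3]int
	for i := 0; i < 3; i++ {
		v, err := strconv.Atoi(f[i])
		if err != nil || v < 0 || v > 255 {
			return TLSA{}, fmt.Errorf("tlsa: bad numeric field %q", f[i])
		}
		n[i] = v
	}
	// The hex data may be split over several whitespace-separated groups.
	data, err := hex.DecodeString(strings.Join(f[3:], ""))
	if err != nil {
		return TLSA{}, fmt.Errorf("tlsa: bad hex data: %v", err)
	}
	return TLSA{Usage: n[0], Selector: n[1], MatchType: n[2], Data: data}, nil
}

// Matches reports whether the presented certificate (DER) or its SPKI (DER)
// matches the association data, applying the selector and matching type.
func (r TLSA) Matches(certDER, spkiDER []byte) bool {
	var subject []byte
	switch r.Selector {
	case 0:
		subject = certDER
	case 1:
		subject = spkiDER
	default:
		return false // unknown selector: treat as no match
	}
	switch r.MatchType {
	case 0:
		return bytes.Equal(subject, r.Data)
	case 1:
		h := sha256.Sum256(subject)
		return bytes.Equal(h[:], r.Data)
	case 2:
		h := sha512.Sum512(subject)
		return bytes.Equal(h[:], r.Data)
	}
	return false
}

// Constructed sample bytes standing in for a DER certificate and its SPKI
// (not a real certificate; real code takes them from the TLS handshake).
var (
	SampleCert = []byte("constructed-certificate-der-bytes")
	SampleSPKI = []byte("constructed-spki-der-bytes")
)

// SampleRecord builds the "3 1 1" record (DANE-EE, SPKI, SHA-256) a zone
// operator would publish for SampleSPKI.
func SampleRecord() string {
	h := sha256.Sum256(SampleSPKI)
	return "3 1 1 " + hex.EncodeToString(h[:])
}

func main() {
	rec, err := ParseTLSA(SampleRecord())
	if err != nil {
		panic(err)
	}
	fmt.Println("published key matches:", rec.Matches(SampleCert, SampleSPKI))
	fmt.Println("swapped key matches:  ", rec.Matches(SampleCert, []byte("some-other-key")))
}
```

The usage field (0 to 3) decides whether the match must additionally chain to a PKIX trust anchor; the code above only does the association-data comparison, which is the part DNSSEC protects.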
Naming
Two schemes:
1) Flat : security
2) Hierarchical : scalability
Goals: Scalable, Secure, Readable
Content naming: hierarchical path : public key
Example:
cn/sina/nba/11-20/match.avi:ALG|0xf01212099abcab678ac345
Management
[Figure: content management architecture. A principal publishes content, receivers subscribe to it, and Data follows the content transmission path through caches; each domain has a CMA and a DNS server.]
In each domain, a CMA (Content Management Anchor) is deployed.
1) The binding between CMA and the related prefix is stored in DNS as:
Content-Prefix—A/AAAA—TTL—IP-of-CMA
2) The binding between the resource and its location is stored in CMA.
Addressing : CCN (Interest)
A parameter like TTL (Hop limit) in the Interest is used. At each hop:
Hop limit = Hop limit − 1
If Hop limit = 0: DNS resolution
else: Flooding
Interest processing (flowchart):
1. Interest arrives.
2. Is there a match in the ContentStore? Yes: the matched Data is sent out the face where the Interest arrived; end.
3. No: is there a match in the PIT? Yes: the Interest's arrival face is added to the PIT entry's Requesting-Faces list; end.
4. No: is there a match in the FIB? No: discard.
5. Yes: the face where the Interest arrived is removed from the face list of the FIB entry. Is the face list of the FIB entry empty? Yes: remove the FIB entry; discard.
6. No: a new PIT entry is created for the arriving Interest. Hop limit = Hop limit − 1. Is Hop limit == 0? Yes: send the DNS request for the prefix-name in the Interest. No: the Interest is sent out all the faces remaining in the FIB entry.
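The Interest pipeline above, as an added Go example written for this page (not the authors' code): one CCN node applies the ContentStore, PIT and FIB checks, prunes the arrival face from the FIB entry as the flowchart does, decrements the hop limit and, when it reaches zero, resolves the prefix through a constructed DNS table that stands in for the Content-Prefix → A/AAAA → IP-of-CMA binding of the management slide. The face names, the table entries and the address 10.8.0.1 (reused from the DNSSEC slide) are constructed; "flooding" is taken to mean sending out all remaining faces of the matched FIB entry, and a FIB miss is discarded, which is this editor's reading of the flowchart.

```go
package main

import (
	"fmt"
	"strings"
)

// Interest carries the content name and the hop limit from the slides.
type Interest struct {
	Name     string
	HopLimit int
}

// Action is what the node decides to do with an arriving Interest.
type Action struct {
	Kind  string   // "data", "aggregate", "forward", "dns", "discard"
	Faces []string // faces the Data or Interest is sent out on
	Value string   // Data payload, or the CMA address found via DNS
}

// Node models one CCN router plus a stand-in DNS resolver that maps a
// content prefix to the IP of the domain's CMA (the A/AAAA binding).
type Node struct {
	ContentStore map[string]string
	PIT          map[string][]string
	FIB          map[string][]string
	DNS          map[string]string // constructed A records: prefix -> IP-of-CMA
}

func NewNode() *Node {
	return &Node{
		ContentStore: map[string]string{},
		PIT:          map[string][]string{},
		FIB:          map[string][]string{},
		DNS:          map[string]string{},
	}
}

// fibMatch returns the longest FIB prefix matching the name ("" if none).
func (n *Node) fibMatch(name string) string {
	best := ""
	for p := range n.FIB {
		if strings.HasPrefix(name, p) && len(p) > len(best) {
			best = p
		}
	}
	return best
}

// dnsResolve looks up the longest registered prefix of the name, i.e. the
// query the node sends for the prefix-name once the hop limit is exhausted.
func (n *Node) dnsResolve(name string) (string, bool) {
	best := ""
	for p := range n.DNS {
		if strings.HasPrefix(name, p) && len(p) > len(best) {
			best = p
		}
	}
	ip, ok := n.DNS[best]
	return ip, ok && best != ""
}

func remove(list []string, x string) []string {
	out := list[:0:0] // fresh backing array, leaves the input untouched
	for _, f := range list {
		if f != x {
			out = append(out, f)
		}
	}
	return out
}

// ProcessInterest follows the slides' order: ContentStore, PIT, FIB; on a
// FIB hit the arrival face is removed from the entry, a PIT entry is
// created, the hop limit is decremented, and the Interest is either resolved
// through DNS (hop limit 0) or flooded out the remaining FIB faces.
func (n *Node) ProcessInterest(in Interest, arrival string) Action {
	if data, ok := n.ContentStore[in.Name]; ok {
		return Action{Kind: "data", Faces: []string{arrival}, Value: data}
	}
	if faces, ok := n.PIT[in.Name]; ok {
		n.PIT[in.Name] = append(faces, arrival) // aggregate with the pending request
		return Action{Kind: "aggregate"}
	}
	prefix := n.fibMatch(in.Name)
	if prefix == "" {
		return Action{Kind: "discard"}
	}
	remaining := remove(n.FIB[prefix], arrival)
	if len(remaining) == 0 {
		delete(n.FIB, prefix) // nowhere left to send it, as on the flowchart
		return Action{Kind: "discard"}
	}
	n.FIB[prefix] = remaining
	n.PIT[in.Name] = []string{arrival}
	in.HopLimit--
	if in.HopLimit <= 0 {
		if ip, ok := n.dnsResolve(in.Name); ok {
			return Action{Kind: "dns", Value: ip}
		}
		return Action{Kind: "discard"}
	}
	return Action{Kind: "forward", Faces: remaining}
}

// SampleNode builds a constructed router state: one cached item, one FIB
// entry and one DNS binding for the prefix managed by a CMA.
func SampleNode() *Node {
	n := NewNode()
	n.ContentStore["cn/sina/nba/11-19/match.avi"] = "cached-bytes"
	n.FIB["cn/sina/"] = []string{"face1", "face2", "face3"}
	n.DNS["cn/sina/nba/"] = "10.8.0.1" // constructed IP-of-CMA for that prefix
	return n
}

func main() {
	n := SampleNode()
	fmt.Printf("%+v\n", n.ProcessInterest(Interest{Name: "cn/sina/nba/11-19/match.avi", HopLimit: 3}, "face1"))
	fmt.Printf("%+v\n", n.ProcessInterest(Interest{Name: "cn/sina/nba/11-20/match.avi", HopLimit: 3}, "face1"))
	fmt.Printf("%+v\n", n.ProcessInterest(Interest{Name: "cn/sina/nba/11-20/match.avi", HopLimit: 3}, "face2"))
	fmt.Printf("%+v\n", n.ProcessInterest(Interest{Name: "cn/sina/nba/11-21/match.avi", HopLimit: 1}, "face1"))
}
```

The four calls in main exercise the four outcomes in order: a ContentStore hit, a flood out the two faces other than the arrival face, PIT aggregation of a duplicate request, and a DNS resolution for a name whose hop limit expires at this node.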
Addressing : CCN (Data)
Match the name with TLSA.
Verify the content with L
A trade-off issue here is:
If the check is done by the router: DoS attack
If the check is done by the client: Client load
Data processing (flowchart):
1. Get Data.
2. Is there a match in the ContentStore? Yes: discard.
3. No: is there a match in the PIT? No: discard.
4. Yes: DNS resolution (TLSA). Passed name verification? No: discard.
5. Yes: passed data verification? No: discard.
6. Yes: the Data is optionally added to the ContentStore and is sent out the remaining faces of the matched PIT entry; the matched PIT entry deletes the arrival face of the Data.
7. Is the face list empty? Yes: remove the PIT entry. End.
Analysis - Security
[Figure: security dependency chain. The name cn/sina/nba/11-20/match.avi:ALG|0xf01212099abcab678ac345 carries the public key; the content is signed by the private key; the public key is matched against the DANE TLSA record, which is protected by DNSSEC; the content source is thereby matched to the name.]
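The security chain of this slide together with the naming scheme of the Naming slide, as an added Go example that is not the authors' code: the name carries a hash of the publisher's public key (the slides' ALG|0x... part; the exact encoding used here, SHA-256 of an Ed25519 key, is an assumption), the content is signed under the private key, and the verifier checks the delivered key against the name, against a TLSA association obtained from a DNSSEC-validated lookup (simulated by a constructed prefix table), and then checks the signature. The key seeds and the table contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Name layout assumed here (not fixed by the slides): "<path>:<ALG>|0x<hex>",
// where <hex> is SHA-256 of the publisher's public key.
const Alg = "ED25519"

var keyTag = ":" + Alg + "|0x"

// MakeName binds a hierarchical path to a public key.
func MakeName(path string, pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return path + keyTag + hex.EncodeToString(h[:])
}

// Data is what a content source returns: name, payload, public key, signature.
type Data struct {
	Name      string
	Content   []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Publish signs name and content under the key embedded in the name.
func Publish(path string, priv ed25519.PrivateKey, content []byte) Data {
	pub := priv.Public().(ed25519.PublicKey)
	name := MakeName(path, pub)
	msg := append([]byte(name+"\n"), content...)
	return Data{Name: name, Content: content, PublicKey: pub, Signature: ed25519.Sign(priv, msg)}
}

// Verify performs the three checks of the chain:
// 1. the key shipped with the Data hashes to the key part of the name,
// 2. the TLSA association for the longest matching prefix (constructed map
//    standing in for a DNSSEC-validated lookup) names the same key,
// 3. the signature over name+content verifies under that key.
func Verify(d Data, tlsa map[string]string) error {
	i := strings.LastIndex(d.Name, keyTag)
	if i < 0 {
		return fmt.Errorf("name has no %s key part", Alg)
	}
	path, keyHex := d.Name[:i], d.Name[i+len(keyTag):]
	h := sha256.Sum256(d.PublicKey)
	if hex.EncodeToString(h[:]) != keyHex {
		return fmt.Errorf("public key does not match the name")
	}
	prefix := longestPrefix(path, tlsa)
	if prefix == "" {
		return fmt.Errorf("no TLSA record for %s", path)
	}
	if tlsa[prefix] != keyHex {
		return fmt.Errorf("TLSA record for %s does not match the key", prefix)
	}
	msg := append([]byte(d.Name+"\n"), d.Content...)
	if !ed25519.Verify(d.PublicKey, msg, d.Signature) {
		return fmt.Errorf("content signature invalid")
	}
	return nil
}

func longestPrefix(path string, table map[string]string) string {
	best := ""
	for p := range table {
		if strings.HasPrefix(path, p) && len(p) > len(best) {
			best = p
		}
	}
	return best
}

// PublisherKey derives a deterministic key from a constructed 32-byte seed.
func PublisherKey() ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed([]byte("constructed-seed-for-icn-demo-01"))
}

// SampleTLSA is the constructed "DNS": the prefix's TLSA association data.
func SampleTLSA() map[string]string {
	pub := PublisherKey().Public().(ed25519.PublicKey)
	h := sha256.Sum256(pub)
	return map[string]string{"cn/sina/": hex.EncodeToString(h[:])}
}

func main() {
	d := Publish("cn/sina/nba/11-20/match.avi", PublisherKey(), []byte("video bytes"))
	fmt.Println(d.Name)
	fmt.Println("verify:", Verify(d, SampleTLSA()))
	d.Content = []byte("tampered")
	fmt.Println("tampered:", Verify(d, SampleTLSA()))
}
```

The signature covers the name as well as the payload, so a valid signature cannot be replayed under a different name; the TLSA check is what ties the key in the name to the domain, which is the dependency on DNSSEC the slide draws.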
Analysis – Scalability 1
Analyzing model
[Figure: analysis model. The querying node sits at the centre; the Interest is propagated within the hop-limit region and is not propagated beyond it.]
To simplify the analysis, we have made the following assumptions:
1. Nodes are distributed uniformly across the network.
2. The zone-radius of every node in the network is the same.
3. The overhead induced by state maintenance is not considered.
The number of nodes in the i-hop range is

$$N_{i\text{-}hop} = \frac{\mathrm{Area}(i)}{\mathrm{Area}_{Total}}\, N = \frac{\pi (i d)^2}{\pi R^2}\, N = \left(\frac{i d}{R}\right)^2 N$$

The average hit probability during every hop is

$$p_{i\text{th hop}}(i) = \frac{\mathrm{Area}(i) - \mathrm{Area}(i-1)}{\mathrm{Area}_{Total}} = \frac{N_{i\text{-}hop} - N_{(i-1)\text{-}hop}}{N}$$

* R is the radius used to estimate the area of the network, d is the zone-radius of a node (assumption 2), and N is the total number of nodes in the network.
Analysis – Scalability 2
1. When the Interest can be met within the H-hop range, the cost of the proposed scheme is

$$\begin{aligned}
C_{new} = {} & \alpha\,(1-p(1))\,N(1) \\
& + \alpha\,(1-p(1))(1-p(2))\,[N(2)-N(1)] \\
& + \cdots \\
& + \alpha\,[(1-p(1))\cdots(1-p(x-1))]\,[N(x-1)-N(x-2)] \\
& + \alpha\,[(1-p(1))\cdots(1-p(x-1))\,p(x)]\,[N(x)-N(x-1)], \qquad x \le H
\end{aligned}$$

* ɑ is the signaling message cost per node per Interest message
2. When the Interest cannot be met in the H-hop range, the DNS resolution will be triggered after the Hth hop flooding, and then the cost is

$$\begin{aligned}
C_{new} = {} & \alpha\,(1-p(1))\,N(1) \\
& + \alpha\,(1-p(1))(1-p(2))\,[N(2)-N(1)] \\
& + \cdots \\
& + [(1-p(1))\cdots(1-p(H))]\,\big[\alpha\,(N(H)-N(H-1)) + C_{DNS}\big]
\end{aligned}$$

* C_DNS denotes the DNS resolution cost
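A numeric instance of the scalability model, added here (not the authors' code): Go functions that compute the node count in the i-hop range from the uniform-density assumption, the per-hop hit probability, and the expected signaling cost of flooding up to H hops with DNS resolution as the fallback. The expected-cost function is this editor's own formulation of the slides' model (each ring's flooding cost weighted by the probability that no earlier hop hit, plus C_DNS weighted by the probability that all H hops missed), so it may differ in detail from the slides' expression; the parameter values are constructed.

```go
package main

import (
	"fmt"
	"math"
)

// Model holds the parameters of the slides' analysis: N nodes spread
// uniformly over a disc of radius R, a per-hop zone radius D, a per-node
// signaling cost Alpha and a DNS resolution cost Cdns.
type Model struct {
	N     float64
	R     float64
	D     float64
	Alpha float64
	Cdns  float64
}

// Nodes returns the number of nodes within i hops: the area ratio times N,
// capped at the whole network once i*D exceeds R.
func (m Model) Nodes(i int) float64 {
	r := float64(i) * m.D
	if r > m.R {
		r = m.R
	}
	return math.Pi * r * r / (math.Pi * m.R * m.R) * m.N
}

// HitProb is the fraction of all nodes lying in the i-th ring, used on the
// slides as the probability that the i-th hop satisfies the Interest.
func (m Model) HitProb(i int) float64 {
	return (m.Nodes(i) - m.Nodes(i-1)) / m.N
}

// ExpectedCost (editor's formulation): for each hop up to H, the cost of
// flooding the new ring weighted by the probability that no earlier hop hit,
// plus the DNS cost weighted by the probability that all H hops missed.
func (m Model) ExpectedCost(H int) float64 {
	cost := 0.0
	miss := 1.0 // probability that no hop so far has hit
	for i := 1; i <= H; i++ {
		cost += miss * m.Alpha * (m.Nodes(i) - m.Nodes(i-1))
		miss *= 1 - m.HitProb(i)
	}
	return cost + miss*m.Cdns
}

// BestHopLimit returns the H in [1, maxH] with the lowest expected cost,
// i.e. where to stop flooding and fall back to DNS.
func (m Model) BestHopLimit(maxH int) (int, float64) {
	bestH, bestC := 1, m.ExpectedCost(1)
	for h := 2; h <= maxH; h++ {
		if c := m.ExpectedCost(h); c < bestC {
			bestH, bestC = h, c
		}
	}
	return bestH, bestC
}

func main() {
	// Constructed parameters: 1000 nodes, radius 10, one-hop zone radius 1.
	m := Model{N: 1000, R: 10, D: 1, Alpha: 1, Cdns: 50}
	for i := 1; i <= 3; i++ {
		fmt.Printf("hop %d: nodes=%.1f hit=%.3f\n", i, m.Nodes(i), m.HitProb(i))
	}
	for h := 0; h <= 4; h++ {
		fmt.Printf("H=%d expected cost=%.3f\n", h, m.ExpectedCost(h))
	}
	h, c := m.BestHopLimit(10)
	fmt.Printf("best hop limit H=%d (cost %.3f)\n", h, c)
}
```

With these constructed values the ring sizes grow quadratically while the per-hop hit probability stays small, so flooding past the first hop costs more than the DNS resolution; raising Cdns or shrinking the network moves the best H outward.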
Analysis – Stability
In order to reduce the querying latency, the source in the current CCN may need to flood the information to the network.
When the source node moves, this will cause high failure probability because the recorded FIB information is invalid.
However, our scheme can reduce the flooding range for the mobile source and support its mobility with the help of DNS dynamic update.
For fairness, we assume that the Interest message has to be met before the (H+1)-hop flooding. For the current CCN scheme, the prefix information has to be broadcast to the (R−H)-hop range; however, our scheme only needs the DNS update.
Then their stability ratio is
$$S_{ratio} = \frac{C_{DNS}}{\alpha\,[N - N(H)]}$$
Analysis – Security
In our scheme, the key is an essential part of the name and the name is no longer a pure human-readable string but includes a cryptographic part.
1. The public key is directly contained in the name, which poses a challenge to usability, since humans cannot understand or remember it.
2. Any move of the content may require the reworking of the name.
3. Cryptographic algorithm upgrades will result in name changes, and careful engineering is required to manage their usability implications.
Conclusions: DNS based ICN
Security: Establishes the complete security chain for the content addressing.
Stability: Supports the mobility of the content source.
Shortcoming: Poses a challenge to usability due to the public key.
Scalability: Limits the signaling cost during the content addressing.
Thank you for your attention.