Docstoc

Chordates - Canton Local Schools

Document Sample
Chordates - Canton Local Schools Powered By Docstoc
					                                                                                                    www.psirp.org




                                Lecture 2:
                                Evolutionary and
                                Revolutionary Approaches

                                           D.Sc. Arto Karila
                         Helsinki Institute for Information Technology (HIIT)
                                           arto.karila@hiit.fi




25/1/2010   T-110.6120 – Special Course on Data Communications Software: Publish/Subscribe Internetworking          1
             Contents
Ø Evolutionary approaches
Ø Some more revolutionary approaches
Ø Networking Named Content –
  Van Jacobson’s CCN project
  (Content-Centric Networking)




25/1/2010                              2
            Evolutionary Approaches

Ø     IPv6
Ø     IPSEC
Ø     Mobile IP
Ø     HIP
Ø     DiffServ
Ø     DHT

25/1/2010                             3
                           IPv6
  Ø IPv6 was born in 1995 after long work
  Ø There are over 30 IPv6-related RFCs
  Ø The claimed improvements in IPv6 are:
       l    Large 128-bit address space
       l    Stateless address auto-configuration
       l    Multicast support
       l    Mandatory network layer security (IPSEC)
       l    Simplified header processing by routers
       l    Efficient mobility (no triangular routing)
       l    Extensibility (extension headers)
       l    Jumbo packets (up to 4 GB)
25/1/2010                                                4
                  IPv6
Ø Major  operating systems and many ISPs
  support IPv6
Ø The use of IPv6 is slowly increasing in
  Europe and North America but more
  rapidly in Asia
Ø In China, CERNET 2 runs IPv6,
  interconnecting 25 points of presence in
  20 cities with 2.5 and 10 Gbps links
Ø IPv6 really only solves the exhaustion of
  Internet address space
25/1/2010                                     5
                   IPSEC
  Ø IPSEC   is the IP-layer security solution of
    the Internet to be used with IPv4 and IPv6
  Ø Authentication Header (AH) only protects
    the integrity of an IP packet
  Ø Encapsulating Security Payload (ESP)
    also ensures confidentiality of the data
  Ø IPSEC works within a Security Association
    (SA) set up between two IP addresses
  Ø ISAKMP (Internet Security Association
    and Key Management Protocol) is a very
    complicated framework for SA mgmt
25/1/2010                                     6
            Encapsulating Security
               Payload (IPv4)
                              Original IPv4 Header

                          Security Parameter Index (SPI)      ESP
                               Sequence Number                Header

      Coverage of               UDP/TCP Header
      Authentication
                                                              ESP
          Coverage of                 Data                    Payload
        Confidentiality


                            Padding      Pad Len   Next Hdr
                                                              ESP
                                                              Trailer
                               Authentication Data


25/1/2010                                                               7
            Encapsulating Security
               Payload (IPv6)
                              Original IPv6 Header

                             Hop-by-Hop Extensions

                          Security Parameter Index (SPI)   ESP
                               Sequence Number             Header

      Coverage of            End-to-End Extensions
      Authentication
                                UDP/TCP Header             ESP
          Coverage of                                      Payload
        Confidentiality               Data

                                    Padding
                                                           ESP
                                                           Trailer
                               Authentication Data
25/1/2010                                                            8
                    Mobile IPv4
Ø Basic      concepts:
     l   Mobile Node (MN)
     l   Correspondent Node (CN)
     l   Home Agent (HA)
     l   Foreign Agent (FA)
     l   Care-of-Address (CoA)
Ø Problems:
     l   Firewalls and ingress filtering
     l   Triangular routing
25/1/2010                                  9
              Mobility Example:Mobile IP
                 Triangular Routing
                                              Ingress filtering causes problems for IPv4
                                              (home address as source), IPv6 uses CoA
                                                    so not a problem . Solutions:
                                Correspondent          (reverse tunnelling) or
                                    Host                  route optimization


                                                                        Foreign agent left
                                                                     out of MIPv6. No special
                                                                       support needed with
                         DELAY!                                      IPv6 autoconfiguration


            Home Agent                                  Foreign Agent




                                                     Care-of-Address (CoA)
                                     Mobile Host

25/1/2010                Source: Professor Sasu Tarkoma                                    10
                        Ingress Filtering
                                   Packet from mobile host is deemed "topologically
                                   incorrect“ (as in source address spoofing)




     Correspondent Host                                   Home Agent
            With ingress filtering, routers drop source addresses that are
            not consistent with the observed source of the packet


25/1/2010                Source: Professor Sasu Tarkoma                         11
               Reverse Tunnelling
                                                         Firewalls and ingress
                                                        Firewalls and ingress
                              Correspondent
                                                    filtering no longer problem
                                                   filtering no longer aaproblem
                                                     Two-way tunneling leads to
                                                    Two-way tunneling leads to
                                  Host                 overhead and increased
                                                      overhead and increased
                                                               congestion
                                                              congestion




                         DELAY!
            Home Agent                                Router




                                    Mobile Host   Care-of-Address (CoA)

25/1/2010           Source: Professor Sasu Tarkoma                             12
  Mobile IPv6 Route Optimization
                                                      CH sends
                                             packets using routing header

                         Correspondent
                             Host               First, a Return Routability test
                                             to CH. CH sends home test and CoA
                                             test packets. When MH receives both,
                                               It sends the BU with the Kbm key.




                       Secure tunnel (ESP)
       Home Agent                                  Router

                                                  MH sends a binding update to CH
                                                  when it receives a tunnelled packet.

                              Mobile Host

25/1/2010           Source: Professor Sasu Tarkoma                                   13
  Differences btw MIPv6 and MIPv4
Ø   In MIPv6 no FA is needed
    (no infrastructure change)
Ø   Address auto-configuration helps in acquiring CoA
Ø   MH uses CoA as the source address in foreign
    link, so no problems with ingress filtering
Ø   Option headers and neighbor discovery of IPv6
    protocol are used to perform mobility functions
Ø   128-bit IP addresses help deployment of mobile
    IP in large environments
Ø   Route optimization is supported by header options
25/1/2010      Source: Professor Sasu Tarkoma     14
                 Extension Headers
                        CN to MN                       MN to CN




                                                                      Upper Layer
                                                                                    Data
                                                               MH     headers




                                                             Mobility Header
       MH Type in Mobility Header: Binding Update,
       Binding Ack, Binding Err, Binding refresh

                                                         MN, HA, and CN for Binding
Source: Chittaranjan Hota, Computer Networks II lecture 22.10.2007
25/1/2010                                                                            15
                    HIP
Ø Host Identity Protocol (HIP, RFC4423)
  defines a new global Internet name space
Ø The Host Identity name space decouples
  the name and locator roles, both of which
  are currently served by IP addresses
Ø The transport layer now operates on Host
  Identities instead of IP addresses
Ø The network layer uses IP addresses as
  pure locators (not as names or identifiers)
25/1/2010                                   16
            HIP Architecture




25/1/2010                      17
                          HIP
Ø HIs  are self-certifying (public keys)
Ø HIP is a fairly simple technique based on
  IPSEC ESP and HITs (128-bit HI hashes)
Ø It addresses several major issues:
     l   Security
     l   Mobility
     l   Multi-homing
     l   IPv4/IPv6 interoperation
Ø HIP is ready for large-scale deployment
Ø See http://infrahip.hiit.fi for more info
25/1/2010                                     18
                      Base exchange
• Based on the SIGMA family of key exchange protocols
  Source: Dr. Pekka Nikander               Select precomputed R1. Prevent DoS.
                                              Minimal state kept at responder!
                                                  standard authenticated attacks.
                                           Does not protect against replay Diffie-
  Initiator                                                          Responder
                                                        Hellman key exchange for
              I1      HIT , HIT or NULL                  session key generation
                          I        R

              R1      HIT , [HIT , puzzle, DH , HI ]
                          I        R         R       R sig

 solve
puzzle        I2      [HIT , HIT , solution, DH ,{HI }]
                              I     R            I           I sig
                                                                           verify,
              R2      [HIT , HIT , authenticator]                       authenticate,
                              I     R                 sig             replay protection

                                  User data messages

              ESP protected TCP/UDP, no explicit HIP header
 25/1/2010                                                                         19
                HIP Mobility
Ø Mobility   is easy – retaining the SA for ESP




25/1/2010                                     20
HIP in Combining IPv4 and IPv6
Ø An   early demo seen at L.M. Ericsson
   Finland (source: Petri Jokela, LMF)

               IPv4
              access
             network                      WWW Proxy
                                          HIP CN

                               Internet




 HIP MN



                                           Music Server


25/1/2010                                                 21
                     DiffServ
Ø   Differentiated Services (DiffServ, RFC 2474)
    redefines the ToS octet of the IPv4 packet or
    Traffic Class octet of IPv6 as DS
Ø   The first 6 bits of the DS field are used as
    Differentiated Services Code Point (DSCP)
    defining the Per-Hop Behavior of the packet
Ø   DiffServ is stateless (like IP) and scales
Ø   Service Profiles can be defined by ISP for
    customers and by transit providers for ISPs
Ø   DiffServ is very easily deployable and could
    enable well working VoIP and real-time video
Ø   Unfortunately, it is not used between operators
25/1/2010                                             22
    Distributed Hash Table (DHT)
Ø   Distributed Hash Table (DHT) is a service for
    storing and retrieving key-value pairs
Ø   There is a large number of peer machines
Ø   Single machines leaving or joining the network
    have little effect on its operation
Ø   DHTs can be used to build e.g. databases (new
    DNS), or content delivery systems
Ø   BitTorrent is using a DHT
Ø   The real scalability of DHT is still unproven
Ø   All of the participating hosts need to be trusted
    (at least to some extent)
25/1/2010                                               23
                      DHT
  Ø The   principle of Distribute Hash Table
      (source: Wikipedia)




25/1/2010                                      24
            Contents
Ø Evolutionary approaches
Ø Some more revolutionary approaches
Ø Networking Named Content –
  Van Jacobson’s CCN project
  (Content-Centric Networking)




25/1/2010                          25
            Some More Revolutionary
                 Approaches
Ø     ROFL
      M. Caesar, T. Condie, J. Kannan, K. Lakshminarayanan,
      I. Stoica, and S.Shenker,
      ROFL: Routing on Flat Labels,
      In ACM SIGCOMM, Sep. 2006, pp. 363–374

Ø     DONA
      T. Koponen, M. Chawla, B.-G. Chun, A. Ermolinskiy,
      K. H. Kim, S. Shenker, and I. Stoica,
      A Data-Oriented (and Beyond) Network Architecture,
      In SIGCOMM ’07: Proceedings of the 2007 conference
      on Applications, technologies, architectures, and
      protocols for computer communications,
      New York, NY, USA, 2007, pp. 181-192
25/1/2010                                               26
                        ROFL
Ø ROFL   routes directly on host identities,
  leaving aside the locations of the hosts
Ø Self-certifying identifiers (tied to public keys)
Ø Create a network layer with no locations
Ø Advantages:
    l   No new infrastructure (no name resolution)
    l   Packet delivery only depends on the data path
    l   Simpler allocation of identifiers
        (just need to ensure uniqueness)
    l   Access control based on identifiers
25/1/2010                                           27
                          ROFL
Ø   Three classes of hosts:
    l   Routers
    l   Stable hosts
    l   Ephemeral hosts
Ø   Each ID is resident to its Hosting Router (the
    host’s first-hop router)
Ø   The hosts form a two-way ring – each with
    pointers to its successor and predecessor
Ø   There can be shorter routes cached
Ø   An OSPF-like routing protocol (with network map)
    is assumed for recovering from routing failures
Ø   Global ROFL-ring for inter-domain routing
25/1/2010                                         28
                DONA
Ø DONA    replaces the hierarchical DNS
  namespace with a cryptographic, self-
  certifying namespace for naming data
Ø This enables totally distributed
  namespace control
Ø The namespace is not totally flat but
  consists of two parts: the principal’s
  identifier and a label
Ø This two-tier hierarchy helps make DONA
  scalable
Ø Clean-slate naming and name resolution
25/1/2010                               29
                 DONA
Ø Strictseparation between
  naming (persistence and authenticity) and
  name resolution (availability)
Ø Each principal has a public-key pair
Ø Each datum (or any other named entity) is
  associated with a principal
Ø Names of the form P:L (Principal:Label),
  where P is a cryptographic has os the
  principal’s public key and L is a locally
  unique label
Ø Name resolution by Resolution Handlers,
  primitives: FIND(P:L), REGISTER(P:L)
25/1/2010                                 30
             Contents
Ø Evolutionary approaches
Ø Some more revolutionary approaches
Ø Networking Named Content –
  Van Jacobson’s CCN project
  (Content-Centric Networking)




25/1/2010                              31
    Networking Named Content
Ø Based    on and pictures borrowed from:
   Jacobson, V.; Smetters, D. K.; Thornton,
   J. D.; Plass, M. F.; Briggs, N.; Braynard,
   R. Networking named content.
   Proceedings of the 5th ACM International
   Conference on Emerging Networking
   Experiments and Technologies (CoNEXT
   2009); 2009 December 1-4; Rome, Italy.
   NY: ACM; 2009; 1-12.
25/1/2010                                       32
            Host-Centric Networking
Ø In 1960’s and 1970’s – resource sharing
Ø Computers, disk drives, tape drives,
  printers etc. needed to be shared
Ø This lead into a communication model with
  two machines – one using and one
  providing resources over the network
Ø IP packets with source and destination
Ø Most of the traffic is TCP connections

25/1/2010                                 33
 Content-Centric Networking (CCN)
Ø In 2009 alone 500 exabytes (5 x 1020 B)
  of content created (source: RFC 5401)
Ø Users are interested in what content –
  not where it is
Ø CCN – a communication architecture
  built on named data
Ø “Address” names content – not location
Ø Preserve the design decisions that make
  TCP/IP simple, robust and scalable

25/1/2010                                   34
  TCP/IP and CCN Protocol Stacks
Ø From  IP to chunks of named content
Ø Only layer 3 requires universal agreement




25/1/2010                                 35
            Interest and Data packets
Ø There       are two types of CCN packets:
     l   Interest packets
     l   Data packets




25/1/2010                                     36
               CCN Node Model
Ø There      are two types of CCN packets:
     l   Interest packets
     l   Data packets
Ø Consumer    broadcasts its Interest over all
  available connectivity
Ø Data is transmitted only in response to and
  Interest and consumes that Interest
Ø Data satisfies an Interest if ContentName
  in the Interest is a prefix of that in the Data
25/1/2010                                      37
               CCN Node Model
Ø Hierarchicalname space (cmp w/ URI)
Ø When a packet arrives on a face a longest
  -match lookup is made
Ø Forwarding engine with 3 data structures:
     l   Forwarding Information Base (FIB)
     l   Content Store (buffer memory)
     l   Pending Interest Table (PIT)



25/1/2010                                    38
            CCN Node Model
Ø FIB allows a list of outgoing interfaces –
  multiple sources of data
Ø Content Store w/ LRU or LFU replacement
Ø PIT keeps track of Interest forwarded up-
  stream => Data can be sent downstream
Ø Interest packets are routed upstream –
  Data packets follow the same path down
Ø Each PIT entry is a “bread crumb” marking
  the path and is erased after it’s been used

25/1/2010                                   39
            CCN Forwarding Engine




25/1/2010                           40
                 CCN Node Model
Ø   When an Interest packet arrives, longest-match
    lookup is done on its ContentName
Ø   ContentStore match is preferred over a PIT
    match, preferred over a FIB match
     l   Matching Data packet in ContentStore => send it out
         on the Interest arrival face
     l   Else, if there is an exact-match PIT entry => add the
         arrival face to the PIT entry’s list
     l   Else, if there is a matching FIB entry =>
         send the Interest up-stream towards the data
     l   Else => discard the Interest packet
25/1/2010                                                        41
            CCN Transport
Ø CCN   transport is designed to operate on
  unreliable packet delivery services
Ø Senders are stateless
Ø Receivers keep track of unsatisfied
  Interests and ask again after a time-out
Ø The receiver’s strategy layer is responsible
  for retransmission, selecting faces, limiting
  the number of unsatisfied Interests, priority
Ø One Interest retrieves at most one Data
  packet => flow balance
25/1/2010                                    42
       Reliability and Flow Control
Ø Flow   balance allows for efficient
  communication between machines with
  highly different speeds
Ø It is possible to overlap data and requests
Ø In CCN, all communication is local and
  flow balance is maintained over each hop
Ø This leads into end-to-end flow control
  without any end-to-end mechanisms

25/1/2010                                       43
                 Naming
Ø CCN  is based on hierarchical, aggregatable
  names at least partly meaningful to humans
Ø The name notation used is like URI




25/1/2010                                  44
            Naming and Sequencing
Ø An  Interest can specify the content exactly
Ø Content names can contain automatically
  generated endings used like sequence #s
Ø The last part of the name is incremented for
  the next chunk (e.g. a video frame)
Ø The names form a tree which is traversed in
  preorder
Ø In this way, the receiver can ask for the
  next Data packet in his Interest packet
25/1/2010                                  45
            Intra-Domain Routing
Ø Like IPv4 and IPv6 addresses, CCN
  ContentNames are aggregateable and
  routed based on longest match
Ø However, ContentNames are of varying
  length and longer than IP addresses
Ø The TLV (Type Label Value) of OSPF or
  IS-IS can distribute CCN content prefixes
Ø Therefore, CCN Interest/Data forwarding
  can be built on existing infrastructure
  without any modification to the routers
25/1/2010                                     46
              Intra-Domain Routing
Ø An        example of intra-domain routing




25/1/2010                                     47
            Inter-Domain Routing
Ø The  current BGP version has the equivalent
  of the IGP TLV mechanism
Ø Through this mechanism, it is possible to
  learn which domains serve Interests in
  some prefix and what is the closest CCN-
  capable domain on the paths towards those
  domains
Ø Therefore, it is possible to deploy CCN in
  the existing BGP infrastructure
25/1/2010                                 48
            Content-Based Security
Ø In CCN, the content itself (rather than its
  path) is protected
Ø One can retrieve the content from the
  closest source and validate it
Ø All content is digitally signed
Ø Signed info includes hash of the public key
  used for signing
Ø We still need some kind of a Public Key
  Infrastructure (PKI)
25/1/2010                                   49
            Trust Establishment
Ø Associating   name spaces with public keys




25/1/2010                                  50
                Evaluation
Ø The   CCN architecture described has been
  implemented and evaluated
Ø Voice over CCN and Content Distribution
  were tested with small networks
Ø The results are interesting but don’t really
  tell us anything about the scalability of the
  design



25/1/2010                                     51
              Voice over CCN
Ø   Secure Voice over CCN was implemented using
    Linphone 3.0 and its performance evaluated
Ø   Caller encodes SIP INVITE as CCN name and
    sends it as an interest
Ø   On receipt of the INVITE, the callee generates a
    signed Data packet with the INVITE name as its
    name and the SIP response as its payload
Ø   From the SIP messages, the parties derive
    paired name prefixes under which they write
    RTP packets
Ø   There is a separate paper on Voice over CCN
25/1/2010                                          52
            Voice over CCN –
            Automatic Failover




25/1/2010                        53
            Content Distribution




25/1/2010                          54
            Throughput




25/1/2010                55
       Comparing CCN and HTTP




25/1/2010                       56
    Comparing CCN and HTTPS




25/1/2010                     57
            Merits of CCN
Ø Very  understandable scheme
Ø Shown to work also with streamed media
Ø Clever reuse of existing mechanisms
Ø Easy to implement based on current
  routing software
Ø Easy to deploy on existing routing
  protocols and IP networks
Ø Easy, human-readable naming scheme

25/1/2010                                  58
             Concerns about CCN
Ø   The simple hierarchical (URI-like)
    naming scheme is also a limitation
Ø   Will CCN scale to billions of nodes?
     l   Flooding (send out through all available faces)
     l   Flow balance – an Interest for every Data
     l   How large can the FIB grow (soft state)?
     l   Data takes the same (possibly non-optimal) path as
         Interest
Ø   Are the performance measurements made with
    only a couple of hosts convincing?
Ø   Security architecture looks very conventional
25/1/2010                                                     59
 Thank you for your attention!
   Questions? Comments?




25/1/2010                    60

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:4
posted:12/23/2013
language:French
pages:60