Threats In Information-Centric Networking - HAW Hamburg


Threats in Information-Centric Networking
Seminar
Markus Vahlenkamp
Hamburg University of Applied Sciences
Master of Science, Computer Science
November 14, 2012
Markus Vahlenkamp, Threats in ICN, 1/35

Agenda
- Introduction
- Research Questions
  - General Questions
  - Problem Space
  - Detailed Questions
- Methodology
- Progress, Conclusion & Outlook

Introduction

Background
Internet use cases shift
- From host-centric: communicate via end-points (host/port)
- To information-centric: access content via the network itself
- The network should probably account more strongly for content distribution
Target
- Designing a scalable and efficient content-aware network infrastructure

NDN / CCNx: Overview
- Most popular Information-Centric Networking approach so far
- Research project of Palo Alto Research Center (PARC)
- Named Data Networking (NDN) [1]
- Prototype implementation named CCNx [4]

NDN / CCNx: Fundamental paradigms
- Publish / Subscribe
  - Publish data in-network
  - Receive data through subscription
  - Matching of publication and subscription in the network
- In-network content addressing by name
- Cache content everywhere

NDN / CCNx: Overview
[Figure: Abstract CCNx overview [2]]
- Interest packets are routed towards sources
- Longest prefix match on content names

NDN / CCNx: Forwarding
[Figure: Forwarding process at an NDN node]

NDN / CCNx: Name resolution & routing
- Routing on content names
- Multiple distributed origins possible
- Interest packets create soft state (PIT entries)
- Reverse Path Forwarding through use of the Pending Interest Table (PIT)
- Soft states time out or are cleared by corresponding data packets

NDN / CCNx: Security
- Secure content instead of communication channels
  - Data integrity (e.g. self-certifiability)
  - Author & origin authentication
- Data transfer purely receiver initiated
  - No data receipt without previous subscription
Subsumption
- Underlying paradigm is entirely different from today's Internet
- NDN / CCNx claims protection against many network attacks [3]

Research Questions
- General Questions
- Problem Space
- Detailed Questions

General Questions
Central Research Question
- Relating to the NDN / CCNx approach:
  - Which security issues still exist?
  - Which new attack vectors arise?

Research Questions: Problem Space

Problem Space
Anticipated vulnerabilities [6] I
- Resource Exhaustion: exhaustion of FIB / PIT table space or CPU capacity
- State Decorrelation: unwanted traffic flows through failures in distributed state coherence
- Path & Name Infiltration: malicious attraction of name prefixes

Problem Space
Anticipated vulnerabilities [6] II
- Cache Pollution: degrade regular cache performance by manipulating content hotness
- Cryptographic Breaches: large amounts of data & long-lived signing keys provide an increased attack surface

Research Questions: Detailed Questions

Detailed Questions
Furthermore, focus on
- the Resource Exhaustion case
Detailed Questions
- Do the anticipated issues exist?
- How does the system behave when they appear?
- Which countermeasures eliminate or mitigate the impact?

Methodology
- Scenarios
- Metrics
- Approaches

Methodology: Procedure
1. Develop threatening scenarios
2. Define metrics to be collected during measurement
3. Select an appropriate environment / approach to run the measurement

Scenarios
Threatening Scenarios
- PIT attack: create bulks of Interests
  - Existing content: PIT entry removed by arriving data
  - Non-existing content: PIT entry removed by timeout
- FIB attack: create bulks of routing information
  - CPU stress through continuous SPF runs
  - Memory exhaustion through the amount of routing entries
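Added example, not code from the slides or from the CCNx project: a small Python model of one NDN/CCNx node that ties together the forwarding behaviour from the name resolution & routing slide (longest-prefix FIB match, PIT soft state, reverse-path forwarding), the PIT-attack scenario above and the PIT Count metric that follows. The per-face PIT quota is an assumed illustrative mitigation, not one the slides describe; names, faces and timings are constructed.

```python
class NdnNode:
    # Minimal NDN/CCNx forwarder model: FIB with longest-prefix match, PIT kept as
    # soft state with a timeout, and an optional per-face PIT quota (assumed mitigation).
    def __init__(self, fib, pit_timeout, pit_quota_per_face=None):
        self.fib = dict(fib)            # name prefix -> outgoing face
        self.pit = {}                   # name -> (set of incoming faces, expiry time)
        self.pit_timeout = pit_timeout
        self.quota = pit_quota_per_face
        self.dropped = 0                # Interests refused by the quota
    def longest_prefix_match(self, name):
        comps = name.split('/')
        for i in range(len(comps), 1, -1):          # try /a/b/c, then /a/b, then /a
            prefix = '/'.join(comps[:i])
            if prefix in self.fib:
                return self.fib[prefix]
        return None                                 # no route: Interest is dropped
    def receive_interest(self, name, in_face, now):
        self.expire(now)
        if name in self.pit:                        # aggregate onto the existing entry
            self.pit[name][0].add(in_face)
            return None
        out = self.longest_prefix_match(name)
        if out is None:
            return None
        if self.quota is not None and sum(in_face in f for f, _ in self.pit.values()) >= self.quota:
            self.dropped += 1                       # mitigation: cap PIT state per face
            return None
        self.pit[name] = ({in_face}, now + self.pit_timeout)
        return out                                  # forward towards the source
    def receive_data(self, name, now):
        self.expire(now)
        faces, _ = self.pit.pop(name, (set(), 0))   # unsolicited Data matches no entry
        return faces                                # reverse-path forwarding to requesters
    def expire(self, now):                          # soft state times out
        self.pit = {n: e for n, e in self.pit.items() if e[1] > now}
    def pit_count(self):                            # the "PIT Count" metric
        return len(self.pit)

def run_pit_attack_scenario(quota=None):
    # Constructed scenario: face 1 requests existing content (entry cleared by Data),
    # face 2 sends 100 Interests that no producer answers (entries cleared by timeout).
    node = NdnNode({'/haw': 9, '/haw/icn': 10}, pit_timeout=4.0, pit_quota_per_face=quota)
    node.receive_interest('/haw/icn/slide/1', in_face=1, now=0.0)
    node.receive_data('/haw/icn/slide/1', now=0.5)
    for i in range(100):
        node.receive_interest('/haw/bogus/%d' % i, in_face=2, now=1.0)
    before = node.pit_count()
    node.expire(now=6.0)                            # past the timeout: soft state drains
    return before, node.pit_count(), node.dropped
```

Without a quota the bulk of unanswered Interests holds 100 PIT entries until the timeout; with a quota of 10 per face the node holds at most 10 entries for that face and refuses the rest.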

Methodology: Metrics

Metrics
Metrics of Interest I
- PIT Count: number of Pending Interests per node
- Interest Retransmission Rate: number of Interests suffering retransmission
- FIB-Entry Count: number of name-based routing entries

Metrics
Metrics of Interest II
- Memory Consumption: amount of memory consumed
- CPU Utilisation: amount of utilised CPU resources
- Network Throughput: amount of data transmitted per second

Methodology: Approaches

Approaches
- Simulations: set up a simulation tool, meter relevant data
- Testbed: set up a network of CCNx nodes, meter relevant data
- Theoretical considerations: consider limitations, flaws and issues on a theoretical basis

Approaches: Characteristics
Simulation
- Deterministic
- Single node emulates the network
- No real code execution (1)
Testbed
- Non-deterministic
- Large number of nodes required
- Real code execution
(1) traditionally; see DCE

Approaches: Environment
Simulation
- Barely dependent on the execution environment
- In-memory execution
Testbed
- Environment-dependent execution
- Communication with other nodes

Approaches: Handling
Simulation
- Simple scenario definition by code or descriptive
- Simple linear event correlation
Testbed
- Distributed node & state management required
- Clock sync to obtain causal relation

Approaches: Resource Utilisation & Scaling
Simulation
- Light-weight implementation
- Analysis based on emulation of large, real-world topologies
- Limited by simulation node capacity
Testbed
- Increased resource requirements
- Actual node and network utilisation
- Limited by number of available testbed nodes

Progress, Conclusion & Outlook

Progress, Conclusion & Outlook
Actual progress
(done) Testbed implementation
  - PIT attack
  - Up to 5 nodes
  - Results presented in [5, 7, 6]
(partial) Simulation implementation (2)
  - PIT attack
  - Hundreds of nodes
(-) Problem solution
Conclusion & Outlook
- Lots of work forthcoming
- Still many threat analyses pending
(2) work in progress

Thanks for your attention!

References I
[1] The Named Data Networking Homepage. http://www.named-data.net, 2012.
[2] Ahlgren, B., Dannewitz, C., Imbrenda, C., Kutscher, D., and Ohlmann, B. A Survey of Information-Centric Networking (Draft). Tech. Rep. 10492, Dagstuhl Seminar Proceedings, 2011.
[3] Jacobson, V., Smetters, D. K., Thornton, J. D., and Plass, M. F. Networking Named Content. In Proc. of the 5th Int. Conf. on emerging Networking EXperiments and Technologies (ACM CoNEXT'09) (New York, NY, USA, Dec. 2009), ACM, pp. 1-12.

References II
[4] PARC. The CCNx Homepage. http://www.ccnx.org, 2012.
[5] Vahlenkamp, M. CCNx Measurement Testbed Implementation. Tech. rep., HAW Hamburg, 2012.
[6] Wählisch, M., Schmidt, T. C., and Vahlenkamp, M. Backscatter from the Data Plane - Threats to Stability and Security in Information-Centric Networking. Technical Report arXiv:1205.4778, Open Archive: arXiv.org, 2012.

References III
[7] Wählisch, M., Schmidt, T. C., and Vahlenkamp, M. Bulk of Interest: Performance Measurement of Content-Centric Routing. In Proc. of ACM SIGCOMM, Poster Session (New York, August 2012), ACM, pp. 99-100.
[8] Zhang, L., Estrin, D., Burke, J., Jacobson, V., and Thornton, J. D. Named Data Networking (NDN) Project. Tech. report ndn-0001, PARC, 2010.
