Transcript XIA-PI-Meeting-2013 - NSF Future Internet Architecture Project

XIA: Network Deployments
Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha,
Adrian Perrig, Srini Seshan, Marvin Sirbu,
Peter Steenkiste, Hui Zhang
Carnegie Mellon University
Aditya Akella, University of Wisconsin
John Byers, Boston University
FIA PI Meeting
March 2013, Salt Lake City
1
Today’s Internet
Problem:
Network does not
know what user wants!
Web
Server
Dest: Server ID
Src: Client ID
2
Today’s Internet
S
S
S
S
3
XIA Vision
We envision a future Internet that:
• Is trustworthy
– Security broadly defined is a compelling research challenge
• Supports long-term evolution of usage models
– Including host-host, content retrieval, services, …
• Supports long term technology evolution
– Not just for link technologies, but also for storage and
computing capabilities in the network and end-points
• Provides benefits for a multiplicity of stakeholders
– Despite differences in roles, goals and incentives
4
XIA Pillars
Principal types
Support multiple
communication
types
(heterogeneity)
Fallback
Support future
communication
types
(evolution)
Allow using new
communication
types at any point
(incremental
deployment)
Intrinsic Security
5
XIA Design: Expressiveness
• Principal Types
– Defines the format of the address
• And its semantics, including security semantics
– And what the address means
– And what processing can be done
– Key: Much more intentful than today’s addresses.
• Use ours: Host. Service. Content. 4ID. AD.
• Or, {roll your own}
XIA Design: Intrinsic Security
• XIA uses self-certifying identifiers that guarantee
security properties for communication operation
– Host ID is a hash of the host’s public key – accountability
– Content ID is a hash of the content – correctness
– Does not rely on external configurations
• Intrinsic security is specific to the principal type
• Example: retrieve content using …
– Content XID: content is verifiably/unspoofably correct
– Service XID: the correct ASP provided the service
– Host XID: content was delivered from intended host
7
Principal Types
Current
Internet
XIA
IP address
Principal Type-specific
type
identifier
Intrinsically
secure IDs
Hash of host’s
public key
128.2.10.162
Host
0xF63C7A4…
Service
0x8A37037…
Content
0x47BF217…
Hash of
service’s public
key
Hash of content
Future
…
8
XIA Design: Deployability
• Fallback addressing
– Allows you to use tomorrow’s principal type today
– “If I can’t go directly to X, use Y...”
• Example 1:
– Ultimate intent: retrieve CONTENT (CID)
– Fallback: contact HOST (HID)
• Example 2:
– Next hop not XIA-capable? Use (4ID) in address:
Fallback to IPv4 encapsulation: contact IPv4(HID)
• Admits incremental deployment
– Not just of new ID types within XIA, but of XIA itself.
Example: Secure Video Playback
XIA Name
Resolution
Service
AD 0xF00000
register
NYT server
nyt.com maps to
Service
Service
0xDE44444
AD
0xF000000
Host
0xF63C7A4
0xDE44444
or
AD
0xF000000
Host
0xF63C7A4
or
4ID
5.11.2.14
4ID
5.11.2.14
10
Secure Video Playback
XIA Name
Resolution
Service
AD 0xF00000
S
NYT server
Service
0xDE44444
nyt.com? or
AD
0xF000000
Host
0xF63C7A4
or
NYT
replica
4ID
CID, signed by
0xDE44444
5.11.2.14
11
Secure Video Playback
AD 0xF00000
S
NYT server
sequence of CIDs
NYT
replica
12
XIA top-down view
• What does an XIA network look like to various
stakeholders?
• Who benefits from new features and why?
• Who bears the costs of deployment?
• Stakeholders we consider (not exhaustive):
– Network operators: from testbeds to ISPs
– Application providers / service providers
– Application developers
– End-users
13
Benefits to Network Operators
• Increased potential for value-added services
(without resorting to deep-packet inspection)
– Simpler middlebox deployment
– On-path caching or route redirection
– Principal types aligned with economic incentives
• Risk mitigation via incremental deployment
• More choice regarding trust domains
– SCION route control
14
Benefits to Service Providers
• Added expressivity: customizable principals
– Built-in support for binding, scoping, mobility.
– Intrinsic security guarantees.
• Access control, accounting, accountability,
counter-measures for DoS
• Making use of in-network optimizations
furnished by network operators.
• Similar benefits accrue to application
developers.
15
Benefits to End-Users
• Increased choice and flexibility regarding intent:
– Choice of XID principal type, i.e. how a given
communication operation performed
– Rich address formats add flexibility: fallback, services.
– Scion offers control via edge-directed routing
• Support for mobile users
• Trickle-down benefits derived from better apps.
• Intrinsic security:
– Qualitative benefits of security guarantees is a central
focus of our user studies.
16
Costs of Deployment
• New XIA protocol stack network-wide
– Prototype status update next slide
– Incremental deployment possible, advisable.
• Management and processing overhead
– Packet processing; flat address space
– Tracking revisions for multiple principal types
– Implications for switches, interconnect, H/W.
• Additional opportunities present added
complexity, new optimization problems.
17
Basic inter-domain
routing, XIA DHCP
XIP Prototype Implementation
POSIX style sockets for
datagrams, streaming
Supports HID and SID
Applications
Wireshark
Routing
XHCP
BIND
Chunking
Xsockets
XDP
XChunkP
XSP
Name
Resolution
ARP
Chunk, CID support
Caching
XIP
Datalink
Cache
XCMP
XIA ICMP, ARP
Open source prototype released May 2012
18
Extra slides, possible
candidate slides follow
19
Planned Prototype Enhancements
• Prototype is available on Github
– Latest release includes support for 4ID
• Near term: IP application porting help, better
transport protocols, permanent XIP network
• Next: mobility support, expanded support for
intrinsic security and accountability
• Later: Scion integration, more services and
applications
20
Path Selection in SCION
Architecture Overview
• Source/destination can choose
among up/down hill paths
• Path control shared between
ISPs, receivers, senders
PCB PCB
PCB
• Desirable security properties:
• High availability, even in presence
of malicious parties
• Explicit trust for operations
• Minimal TCB: limit number of
entities that must be trusted
• No single root of trust
• Simplicity, efficiency, flexibility,
and scalability
Source
Destination
21
XIA Dataplane Concepts
Directly support diverse
network usage models
Evolution of principal types
Customization
Multiple
Communicating
Principal Types
Flexible
Addressing
Deal with routing “failures”
Principal-specific
security properties
Intrinsic
Security
DAG
security
Built in security forms basis
for system level security
• Can be implemented in diverse ways
• Can be deployed incrementally, e.g. in subnets