Mobility in Publish/Subscribe Networks

Walter Wong

HIIT & NomadicLab

24.02.2010


Outline

  • Motivation

  • Background

    • Link Layer

    • Network Layer

    • Transport Layer

    • Session Layer

  • Information Mobility

    • Peer-to-peer, Content Delivery Networks

    • Publish/Subscribe


Motivation

  • Original Internet design

    • Hosts are fixed

    • IP address is both end-host identifier and locator

  • However, the current Internet usage is:


Mobility – Some problems

  • How does a host get a new locator (IP address)?

  • How does a host re-establish the connectivity in the new network?

  • How does a host tell the peer host its new address?

  • How can we find a host that moves frequently?

  • How can applications maintain the seamless connectivity between mobile hosts?


Solutions in different layers

  • Session – SIP Mobility

  • Transport – TCP Migrate

  • Identification – Host Identity Protocol

  • Network – DHCP (static), Mobile IP (dynamic)

  • Link – Simple MAC address update


Link Layer Mobility

  • Change MAC address

    • Ex. Between access points in the same subnet

  • (+) Transparent to higher layers (no changes in the IP address)

  • (–) Limited to the same subnet

Figure: the mapping changes from IPclient –> MACA to IPclient –> MACB; IPclient itself is unchanged.


Dynamic Host Configuration Protocol (DHCP)

  • Provides dynamic IP addresses to end-hosts

  • (+) simple

  • (–) does not maintain ongoing connections

Figure: Network A (10.10.1/24), host address 10.10.1.100; Network B (192.168.0/24), host address 192.168.0.11.


IP Mobility – IP Semantic Overload Problem

Figure (layer stack):

  • Application – Web-browser

  • Session – socket(AF_INET, …, …)

  • Transport – socket(IPsrc/dst, portsrc/dst), connect()

  • Network – IPsrc = 192.168.0.11, then IPsrc = 10.10.0.100 after the move

  • Link


Mobile IP

  • Goals

    • Network layer solution

    • Applications are oblivious of the mobility event

    • Legacy application support

    • Incrementally deployable

  • Approach

    • Two IP addresses

    • Home Address –> stable end-host identifier

    • Care-of Address –> ephemeral end-host locator

    • “Solves” IP semantic overload problem


Mobile IP – Elements

  • Home Agent (HA)

    • Responsible for location management

    • Tunnels traffic to the registered node when it is not in the home network

  • Foreign Agent (FA)

    • Provides Care-of address of the visited network

    • Represents the mobile node when it visits the network


MN at Home Network

Figure: Correspondent Node (IPC) reached over the Internet; Foreign Agent in the Foreign Network, Home Agent in the Home Network; MN at home with address IPA. Direct communication between MN and CN: IPA <–> IPC.


MN Registration

Figure (same topology: Correspondent Node IPC, Internet, Foreign Agent, Home Agent, Home Network, Foreign Network): MN moves from IPA to IPB, registers in the FA, receives a Care-of Address and informs the HA of its current CoA.


MN at Foreign Network

Figure (same topology): CN sends data to IPA; the HA tunnels the packets to IPB (IP-IP tunneling); MN is now at IPB.
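An added example (not from the slides) of the HA-to-CoA IP-IP tunneling shown above, in Python: the Home Agent wraps the packet the CN addressed to the home address in an outer IPv4 header to the Care-of Address, and the tunnel endpoint checks the header checksum and accepts the tunnel only from its registered HA. The addresses are constructed documentation-range values standing in for IPC, IPA and IPB; only option-free 20-byte IPv4 headers are handled.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IP protocol number for IP-in-IP encapsulation

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over a byte string, as used for IPv4 headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); rejects a header whose checksum does not verify."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = pkt[:ihl]
    if checksum(hdr) != 0:  # a header with a correct checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", hdr[2:4])[0]
    return socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]), hdr[9], pkt[ihl:total_len]

def ha_encapsulate(inner: bytes, ha_addr: str, coa: str) -> bytes:
    """Home Agent: wrap a packet addressed to the home address in an outer header to the CoA."""
    return ipv4_header(ha_addr, coa, IPPROTO_IPIP, len(inner)) + inner

def mn_decapsulate(outer: bytes, registered_ha: str, my_coa: str) -> bytes:
    """Tunnel endpoint: accept IP-in-IP only from the registered HA and only to our own CoA."""
    src, dst, proto, inner = parse_ipv4(outer)
    if proto != IPPROTO_IPIP or src != registered_ha or dst != my_coa:
        raise ValueError("tunnel packet from an unexpected endpoint")
    return inner

def demo():
    """Constructed addresses (documentation ranges): CN = IPC, home address = IPA, CoA = IPB."""
    cn, home_addr, ha, coa = "192.0.2.10", "198.51.100.5", "198.51.100.1", "203.0.113.7"
    inner = ipv4_header(cn, home_addr, 17, 5) + b"hello"  # CN -> IPA with a dummy 5-byte payload
    outer = ha_encapsulate(inner, ha, coa)                  # HA -> IPB, carrying the inner packet
    delivered = mn_decapsulate(outer, ha, coa)
    try:
        mn_decapsulate(outer, "203.0.113.99", coa)          # outer source is not the registered HA
        spoof_rejected = False
    except ValueError:
        spoof_rejected = True
    return parse_ipv4(delivered)[:2], delivered == inner, spoof_rejected
```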


Route Optimization

Figure (same topology): route optimization avoids the triangle between CN – HA – MN; MN at IPB.


Mobile IP – Summary

  • Provides mobility support at the network level

  • Applications are oblivious of the mobility event

  • Supports simultaneous node mobility (uses HA and FA as anchor points)

  • Uses two IP addresses:

    • Home address: end-host identification

    • Care-of address: end-host location

  • Issues

    • Scalability problems (triangle)

    • Security


Host Identity Protocol (HIP)

  • New namespace between network and transport layers

    • Host Identity (HI)

    • Host Identity Tags (HIT)

    • Security embedded

    • 128-bit identifier = hash from the public key

  • Fill the gap between end-host identification and location

  • Decouples end-host identification and location

    • Solves IP semantic overload


HIP Namespace

Figure (layer stack):

  • Application – Web-browser, socket(…)

  • Transport – socket(HITsrc/dst, portsrc/dst)

  • Identification – get end-host identifier

  • Network – network layer is free to change

  • Link


HIP Resolution

  • Two-step name resolution

    • Name to HIT resolution –> DNS

    • HIT to IP resolution –> Rendezvous Server (RVS)

  • HIP base exchange

    • 4-way handshake

    • Resistant against Denial-of-Service attacks

      • Uses cost functions

      • Check whether correspondent nodes are committed to the communication


HIP Mobility

  • Rendezvous Server (RVS)

  • Holds all HIT-to-IP mapping

  • Distributed in the network

    • Ex: One per administrative domain

  • After a mobility event, mobile node engages in the locator update procedure

    • UPDATE message along with the verification protocol


HIP Summary

  • New namespace composed of cryptographic identifiers

    • Host Identifiers (HI) and Host Identity Tags (HIT)

  • Detaches host identification from location

  • Resistant against Denial-of-service attacks

    • Base exchange

  • Supports simultaneous node mobility

    • RVS is the anchor point


TCP Migrate

  • End-host mobility in the transport layer

  • Goal: to maintain end-host seamless connectivity during TCP sessions

  • Approach

    • Uses DNS names to provide stable end-host identifier

    • Saves TCP state during migration, restoring after mobility event

    • No new location management device

      • No Home Agent and Foreign Agent


TCP Migrate

  • Mobility procedure

    • Inform the peer node of the current IP address

      • After mobility event, mobile node sends a TCP SYN message to the peer node informing the new IP address

    • Update current IP address in order to be globally reachable

      • Mobile host updates its current mapping in the DNS

      • Ex. www.acme.org –> 69.64.156.78


TCP Migrate

  • TCP session migration

    • New TCP option

      • TCP SYN MIGRATE

      • Signals that an existing TCP session is migrating to a new one

      • Uses a token to indicate which TCP session the new connection belongs to

    • The mobile host opens a new socket with the new IP address and sends the TCP SYN message with MIGRATE option and a token with the current state

    • The peer host opens a new TCP session to the new IP address and restores the session


TCP Migrate – Summary

  • Benefits

    • Simple

    • No network infrastructure changes

  • Drawbacks

    • Changes in the default TCP

    • Security issues

    • Does not support simultaneous node mobility

      • There is no anchor point


Session Initiation Protocol

  • Signaling protocol used for controlling multimedia sessions

    • Used for establishing, modifying and terminating sessions

    • Uses URI to identify users

  • Relies on two other protocols

    • Real-time protocol (RTP)

      • Carries streaming data

    • Session description protocol (SDP)

      • Session parameters, e.g., ports, protocols, etc.


SIP Message Flow

Figure (SIP message flow): Client –> Outbound Proxy: INVITE. The Outbound Proxy resolves the URI to the Inbound Proxy server IP via DNS. Outbound Proxy –> Inbound Proxy –> Client: INVITE. OK travels back the same way, followed by ACK. RTP traffic then flows between the two clients.


SIP Mobility

Figure (SIP mobility): in the Home Network, the Correspondent Node's INVITE reaches the SIP Redirect Proxy through the Outbound Proxy and is answered with Moved Temporarily. The INVITE is then sent to the Client in the Foreign Network, which replies OK, followed by ACK.


SIP – Summary

  • Signaling protocol for controlling multimedia sessions

  • Uses URIs to identify user agents

  • Mobility is handled by SIP proxies


Mobility Support – Summary

  • Session – SIP Mobility: uses SIP proxies to locate user agents. End users are identified by URI and mapped to SIP proxies, which are the anchor points.

  • Transport – TCP Migrate: adds a new option in the TCP stack, MIGRATE, to provide TCP session migration. Relies on DNS to provide the correct mapping.

  • Identification – Host Identity Protocol: introduces a new namespace to fill the gap between identification and location.

  • Network – Mobile IP: creates a new IP address, the Home Address, to be the end-host identifier, while the Care-of Address is the real locator.

  • Link – Simple MAC address update: switches can be configured to handle it.


Information-centric Networks

  • What happens when we migrate to information-centric networks?

    • Location decoupled

    • Time decoupled

  • There is no IP end-point to locate hosts


Data ‘Mobility’ in Host-centric Networks

  • Peer-to-peer Networks

    • Users search for content

    • Request is translated to a query in a DHT

    • Users receive a list of closest peers

  • Content Delivery Networks (CDNs)

    • URL links contain CDN DNS entries

    • Dynamic mapping of DNS name resolutions to the closest surrogate server

  • Dynamic mapping of content into an IP address

  • Content is ‘detached’ from the locator (new naming system, e.g., flat identifiers, etc.)


Data Mobility in Information-centric Networks

  • Native Publish/Subscribe

    • Each content has a unique identifier

    • Content is totally detached from specific location

      • Can be anywhere, intermediate caches, end-nodes, replicated, etc

    • Usually content is stored close to the consumers

      • Popular content is cached near to consumers

      • Support flash crowd events


End-node Mobility in Information-centric Networks

  • Network Attachment procedure

    • During the bootstrap process, the subscriber re-subscribes to the publication

    • RVS receives notification

    • RVS notifies the publisher and topology manager

      • Publisher re-publishes the content in the new RVS

      • Topology manager computes new path between publisher and subscribers

        • Updates delivery tree


End-node Mobility in Information-centric Networks

  • Some optimizations

    • Default communication model: Multicast

    • Multicast Assisted Mobility

      • Possibility to reduce handoff loss

      • Distribution of data around the area where the mobile user resides

      • Makes data available when mobile user arrives

    • Packet loss

      • Buffering and return channel (algorithmic IDs)

    • Delivery order

      • Subscription to separate IDs, e.g. algorithmic IDs


Questions?

  • Comments?

  • Thanks!


Content Authentication in Information-centric Networks

Walter Wong

HIIT & NomadicLab

24.02.2010


Outline

  • Background

    • Host-centric security solutions

    • Merkle Hash Trees

  • Information-centric authentication

    • Skewed Hash Trees

  • Implementation & Evaluation

  • Conclusion


Motivation

  • Current security solutions

    • Authentication of the container/storage device/mirror

    • And what about the content itself?

    • We trust in the container! (shouldn’t we trust in the content?)

  • Paradigm problem

    • In the Internet, we want ‘what’

    • And we get ‘where’


Example – Content Delivery Networks

Figure: a Content Provider and clients connected over SSL; “Are they the same movie?” – Wrong trust model!


Host-centric Security Solutions

  • SSL/TLS and IPSec

    • Provides host authentication (IP address)

    • IPSec = network layer solution => IP

    • SSL/TLS = transport layer solution => IP !!

    • Security channel between end-hosts

  • Mainly: data transfer between authenticated end-hosts (IP addresses)

  • Security data results from the connection parameters

    • Transient data => can’t be reused in other context

    • Time coupled


Towards Information-centric Networking

  • Migration from host-centric to information-centric networking

  • Data is decoupled from the location (data is not part of the storage location)

  • Communication is decoupled in time and synchronization

  • Scenarios

    • Peer-to-peer, Content delivery networks

    • Publish/Subscribe


Towards Information-centric Networking

  • Client/server model

    • Scenario: low resources

    • Services centralized in a ‘powerful’ server

    • Roles: well-defined clients and servers

    • Storage is centralized in the server

    • Drawbacks

      • Bottleneck – scalability issues

      • Server could be distant geographically


Towards Information-centric Networking

  • Peer-to-peer model

    • Scenario: file-sharing

    • Distributed resources among peers

    • Roles: peer is both producer and consumer

    • Storage: distributed in the network, but in the peer storage disk

    • Drawbacks

      • Some are location oblivious – peer with highest bandwidth might not be the closest one

      • Paradox: consumer peers need to queue for the same resource, while the provider peer needs to send it multiple times


Towards Information-centric Networking

  • Publish/Subscribe

    • Scenario: news feed delivery

    • Distributed resources in the network

    • Role: mixed between publishers and subscribers

    • Storage: distributed in the network along caches

    • Benefits

      • Multicast – no p2p paradox

      • Simpler – no scheduling algorithm for resources

      • Content retrieval from the closest cache

        • Resources are within the network


Motivation – Security

  • How do we secure content with:

    • Location decoupled

      • Data can not be authenticated with some IP

    • Time decoupled

      • Data can not be authenticated based on direct connection


Information-centric Security

  • Original idea

    • Per packet signature

    • Sign each packet with a digital signature

  • Drawbacks

    • Costly

      • CPU expensive to sign and verify each signature

  • Requirement

    • Optimize signature mechanism


Merkle Hash Tree

  • Signature amortization technique

    • binary tree built over a set of data blocks

  • Uses hash functions to authenticate data blocks

    • MD5, SHA-1, SHA-256

  • Requires just one digital signature for an entire piece of content

    • Regardless of the number of data blocks!

  • Drawbacks

    • Works only on binary trees!


Merkle Hash Tree

Figure: a file is split into data blocks D0, D1, D2, D3; the leaf nodes are their hashes H0, H1, H2, H3; the internal nodes are H01 and H23; the root hash is H03.


Merkle Hash Tree

Figure: to authenticate D0, the verifier needs D0, the sibling hashes H1 and H23, and the root hash H03. It recomputes H0 from D0, H01 from H0 + H1, and H03 from H01 + H23, then compares the result with the root hash (data blocks D0–D3, leaf nodes H0–H3, internal nodes H01 and H23, root hash H03).


Skewed Hash Tree

  • Motivation

    • Many possibilities to build a skewed tree

  • Goal

    • New algorithm to support random size files

  • Approach

    • Separate balanced and unbalanced trees

    • Append remaining blocks under the balanced tree

    • Deal with each one separately

    • Maintain, at most, one level of difference


Skewed Hash Tree – Overview

Figure: a file with six blocks D0–D5. The balanced tree covers D0–D3 (leaves H0–H3, internal nodes H01 and H23, subtree root H03, height h = 0); the remaining blocks D4 and D5 become the leaves H4 and H5 under H45 (h = – 1). The root H05 joins H03 and H45; the two subtrees differ by one level.
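As an added example (not from the slides), a Python implementation of the Merkle hash tree authentication path of the previous slides and of the skewed tree of the overview figure: a balanced tree over the largest power-of-two prefix of blocks, the remaining blocks appended as their own tree under a common root, so that a verifier needs only a block, its sibling hashes and the (signed) root. Treating a remainder that is itself not a power of two the same way, recursively, is this example's assumption; the six-block file is constructed, and signing the root is left out.

```python
import hashlib

def h(data: bytes) -> bytes:
    """Leaf and node hash; the slides allow MD5/SHA-1/SHA-256, SHA-256 is used here."""
    return hashlib.sha256(data).digest()

def build_tree(leaves):
    """Balanced Merkle tree over a power-of-two number of leaf hashes.
    Returns the levels bottom-up: levels[0] = leaves, levels[-1] = [root]."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([h(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def auth_path(levels, index):
    """Sibling hashes from leaf `index` up to the root, each tagged with whether it is a right sibling."""
    path = []
    for lvl in levels[:-1]:
        sibling = index ^ 1
        path.append((lvl[sibling], bool(sibling & 1)))
        index >>= 1
    return path

def skewed_tree(leaves):
    """Skewed hash tree: balanced tree over the largest power-of-two prefix, the remaining
    blocks appended as a separate tree; returns (root, proofs) with proofs[i] for leaf i.
    Assumption: a remainder that is not a power of two is handled the same way, recursively."""
    n = len(leaves)
    balanced = 1 << (n.bit_length() - 1)  # largest power of two <= n
    if balanced == n:
        levels = build_tree(leaves)
        return levels[-1][0], [auth_path(levels, i) for i in range(n)]
    left_root, left_proofs = skewed_tree(leaves[:balanced])
    right_root, right_proofs = skewed_tree(leaves[balanced:])
    proofs = [p + [(right_root, True)] for p in left_proofs] + \
             [p + [(left_root, False)] for p in right_proofs]
    return h(left_root + right_root), proofs

def verify(block: bytes, path, root: bytes) -> bool:
    """Recompute the root from one block and its path; only the root needs to carry the signature."""
    node = h(block)
    for sibling, sibling_is_right in path:
        node = h(node + sibling) if sibling_is_right else h(sibling + node)
    return node == root

def demo():
    """Constructed file of six blocks, like D0..D5 on the overview slide (4 balanced + 2 remaining)."""
    blocks = [b"block %d" % i for i in range(6)]
    root, proofs = skewed_tree([h(b) for b in blocks])
    all_ok = all(verify(blocks[i], proofs[i], root) for i in range(6))
    tampered_ok = verify(b"block X", proofs[4], root)      # modified block must fail
    wrong_path_ok = verify(blocks[5], proofs[4], root)     # block with another block's path must fail
    return all_ok, tampered_ok, wrong_path_ok, [len(p) for p in proofs]
```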


Benefits

  • Amortized signature scheme

  • Based on hash functions (efficiency)

  • Data carries its own proof of authenticity

    • Data and authentication information can come separately

  • Any sequence authentication

  • Time decoupling (no interaction between producers/consumers - asynchronous)

  • Random size file authentication

  • On-path network verification


Application Scenario – On-path Authentication


Application Scenario – Content Delivery Networks


Evaluation (1/3)


Evaluation (2/3)


Evaluation (3/3)


Conclusion

  • Current security solutions (TLS/IPSec) do not fit in information-centric networks

  • Skewed Hash Tree provides:

    • amortized signature

    • independent packet authentication

    • random file size authentication

    • time decoupled

  • On average, 8 and 3 times faster than RSA, while preserving the same level of security


Questions?

  • Comments?

  • Thanks!

