1 / 22

XIA: Network Deployments

XIA: Network Deployments. Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Peter Steenkiste, Hui Zhang Carnegie Mellon University Aditya Akella, University of Wisconsin John Byers, Boston University FIA PI Meeting

page
Download Presentation

XIA: Network Deployments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. XIA: Network Deployments Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Peter Steenkiste, Hui Zhang Carnegie Mellon University Aditya Akella, University of Wisconsin John Byers, Boston University FIA PI Meeting March 2013, Salt Lake City

  2. Dest: Server ID Src: Client ID Today’s Internet Problem: Network does not know what user wants! Web Server

  3. Today’s Internet S S S S

  4. XIA Vision We envision a future Internet that: • Is trustworthy • Security broadly defined is a compelling research challenge • Supports long-term evolution of usage models • Including host-host, content retrieval, services, … • Supports long term technology evolution • Not just for link technologies, but also for storage and computing capabilities in the network and end-points • Provides benefits for a multiplicity of stakeholders • Despite differences in roles, goals and incentives

  5. XIA Pillars Principal types Fallback Allow using new communication types at any point (incremental deployment) Support multiple communication types(heterogeneity) Support future communication types(evolution) Intrinsic Security

  6. XIA Design: Expressiveness • Principal Types • Defines the format of the address • And its semantics, including security semantics • And what the address means • And what processing can be done • Key: Much more intentful than today’s addresses. • Use ours: Host. Service. Content. 4ID. AD. • Or, {roll your own}

  7. XIA Design: Intrinsic Security • XIA uses self-certifying identifiers that guarantee security properties for communication operation • Host ID is a hash of the host’s public key – accountability • Content ID is a hash of the content – correctness • Does not rely on external configurations • Intrinsic security is specific to the principal type • Example: retrieve content using … • Content XID: content is verifiably/unspoofably correct • Service XID: the correct ASP provided the service • Host XID: content was delivered from intended host

  8. Principal Types Current Internet XIA Intrinsically secure IDs IP address Hash of host’s public key Service Content Host Future … 0x8A37037… 0xF63C7A4… 0x47BF217… Principal type Type-specific identifier 128.2.10.162 Hash of service’s public key Hash of content

  9. XIA Design: Deployability • Fallback addressing • Allows you to use tomorrow’s principal type today • “If I can’t go directly to X, use Y...” • Example 1: • Ultimate intent: retrieve CONTENT (CID) • Fallback: contact HOST (HID) • Example 2: • Next hop not XIA-capable? Use (4ID) in address: Fallback to IPv4 encapsulation: contact IPv4(HID) • Admits incremental deployment • Not just of new ID types within XIA, but of XIA itself.

  10. Example: Secure Video Playback AD 0xF00000 XIA Name Resolution Service register nyt.com maps to NYT server Service 0xDE44444 Service 0xDE44444 Host 0xF63C7A4 4ID 5.11.2.14 AD 0xF000000 4ID 5.11.2.14 Host 0xF63C7A4 AD 0xF000000 or or

  11. Secure Video Playback AD 0xF00000 XIA Name Resolution Service S NYT replica NYT server nyt.com? Service 0xDE44444 Host 0xF63C7A4 4ID 5.11.2.14 AD 0xF000000 or or CID, signed by 0xDE44444

  12. Secure Video Playback AD 0xF00000 S NYT replica NYT server sequence of CIDs

  13. XIA top-down view • What does an XIA network look like to various stakeholders? • Who benefits from new features and why? • Who bears the costs of deployment? • Stakeholders we consider (not exhaustive): • Network operators: from testbeds to ISPs • Application providers / service providers • Application developers • End-users

  14. Benefits to Network Operators • Increased potential for value-added services (without resorting to deep-packet inspection) • Simpler middlebox deployment • On-path caching or route redirection • Principal types aligned with economic incentives • Risk mitigation via incremental deployment • More choice regarding trust domains • SCION route control

  15. Benefits to Service Providers • Added expressivity: customizable principals • Built-in support for binding, scoping, mobility. • Intrinsic security guarantees. • Access control, accounting, accountability, counter-measures for DoS • Making use of in-network optimizations furnished by network operators. • Similar benefits accrue to application developers.

  16. Benefits to End-Users • Increased choice and flexibility regarding intent: • Choice of XID principal type, i.e. how a given communication operation performed • Rich address formats add flexibility: fallback, services. • Scion offers control via edge-directed routing • Support for mobile users • Trickle-down benefits derived from better apps. • Intrinsic security: • Qualitative benefits of security guarantees is a central focus of our user studies.

  17. Costs of Deployment • New XIA protocol stack network-wide • Prototype status update next slide • Incremental deployment possible, advisable. • Management and processing overhead • Packet processing; flat address space • Tracking revisions for multiple principal types • Implications for switches, interconnect, H/W. • Additional opportunities present added complexity, new optimization problems.

  18. Basic inter-domain routing, XIA DHCP XIP Prototype Implementation POSIX style sockets for datagrams, streaming Supports HID and SID Wireshark Applications Routing XHCP BIND Chunking Xsockets XChunkP XDP XSP Cache Name Resolution Chunk, CID support Caching XIP ARP XCMP Datalink XIA ICMP, ARP Open source prototype released May 2012

  19. Extra slides, possible candidate slides follow

  20. Planned Prototype Enhancements • Prototype is available on Github • Latest release includes support for 4ID • Near term: IP application porting help, better transport protocols, permanent XIP network • Next: mobility support, expanded support for intrinsic security and accountability • Later: Scion integration, more services and applications

  21. Path Selection in SCIONArchitecture Overview • Source/destination can choose among up/down hill paths • Path control shared between ISPs, receivers, senders • Desirable security properties: • High availability, even in presence of malicious parties • Explicit trust for operations • Minimal TCB: limit number of entities that must be trusted • No single root of trust • Simplicity, efficiency, flexibility, and scalability PCB PCB PCB PCB Source Destination

  22. Flexible Addressing Intrinsic Security XIA Dataplane Concepts Directly support diverse network usage models Multiple Communicating Principal Types • Can be implemented in diverse ways • Can be deployed incrementally, e.g. in subnets Principal-specific security properties Evolution of principal types Customization DAG security Deal with routing “failures” Built in security forms basis for system level security

More Related