1,462 research outputs found
Interest-Based Access Control for Content Centric Networks (extended version)
Content-Centric Networking (CCN) is an emerging network architecture designed
to overcome limitations of the current IP-based Internet. One of the
fundamental tenets of CCN is that data, or content, is a named and addressable
entity in the network. Consumers request content by issuing interest messages
with the desired content name. These interests are forwarded by routers to
producers, and the resulting content object is returned and optionally cached
at each router along the path. In-network caching makes it difficult to enforce
access control policies on sensitive content outside of the producer since
routers only use interest information for forwarding decisions. To that end, we
propose an Interest-Based Access Control (IBAC) scheme that enables access
control enforcement using only information contained in interest messages,
i.e., by making sensitive content names unpredictable to unauthorized parties.
Our IBAC scheme supports both hash- and encryption-based name obfuscation. We
address the problem of interest replay attacks by formulating a mutual trust
framework between producers and consumers that enables routers to perform
authorization checks when satisfying interests from their cache. We assess the
computational, storage, and bandwidth overhead of each IBAC variant. Our design
is flexible and allows producers to arbitrarily specify and enforce any type of
access control on content, without having to deal with the problems of content
encryption and key distribution. This is the first comprehensive design for CCN
access control using only information contained in interest messages.Comment: 11 pages, 2 figure
Modeling Data-Plane Power Consumption of Future Internet Architectures
With current efforts to design Future Internet Architectures (FIAs), the
evaluation and comparison of different proposals is an interesting research
challenge. Previously, metrics such as bandwidth or latency have commonly been
used to compare FIAs to IP networks. We suggest the use of power consumption as
a metric to compare FIAs. While low power consumption is an important goal in
its own right (as lower energy use translates to smaller environmental impact
as well as lower operating costs), power consumption can also serve as a proxy
for other metrics such as bandwidth and processor load.
Lacking power consumption statistics about either commodity FIA routers or
widely deployed FIA testbeds, we propose models for power consumption of FIA
routers. Based on our models, we simulate scenarios for measuring power
consumption of content delivery in different FIAs. Specifically, we address two
questions: 1) which of the proposed FIA candidates achieves the lowest energy
footprint; and 2) which set of design choices yields a power-efficient network
architecture? Although the lack of real-world data makes numerous assumptions
necessary for our analysis, we explore the uncertainty of our calculations
through sensitivity analysis of input parameters
Backscatter from the Data Plane --- Threats to Stability and Security in Information-Centric Networking
Information-centric networking proposals attract much attention in the
ongoing search for a future communication paradigm of the Internet. Replacing
the host-to-host connectivity by a data-oriented publish/subscribe service
eases content distribution and authentication by concept, while eliminating
threats from unwanted traffic at an end host as are common in today's Internet.
However, current approaches to content routing heavily rely on data-driven
protocol events and thereby introduce a strong coupling of the control to the
data plane in the underlying routing infrastructure. In this paper, threats to
the stability and security of the content distribution system are analyzed in
theory and practical experiments. We derive relations between state resources
and the performance of routers and demonstrate how this coupling can be misused
in practice. We discuss new attack vectors present in its current state of
development, as well as possibilities and limitations to mitigate them.Comment: 15 page
Efficient Hash-routing and Domain Clustering Techniques for Information-Centric Networks
Hash-routing is a well-known technique used in server-cluster environments to direct content requests to the responsible servers hosting the requested content. In this work, we look at hash-routing from a different angle and apply the technique to Information-Centric Networking (ICN) environments, where in-network content caches serve as temporary storage for content. In particular, edge-domain routers re-direct requests to in-network caches, more often than not off the shortest path, according to the hash-assignment function. Although the benefits of this off-path in-network caching scheme are significant (e.g., high cache hit rate with minimal co-ordination overhead), the basic scheme comes with disadvantages. That is, in case of very large domains the off-path detour of requests might increase latency to prohibitive levels. In order to deal with extensive detour delays, we investigate nodal/domain clustering techniques, according to which large domains are split in clusters, which in turn apply hash-routing in the subset of nodes of each cluster. We model and evaluate the behaviour of nodal clustering and report significant improvement in delivery latency, which comes at the cost of a slight decrease in cache hit rates (i.e., up to 50% improvement in delivery latency for less than 10% decrease in cache hit rate compared to the original hash-routing scheme applied in the whole domain)
Access Control Mechanisms in Named Data Networks:A Comprehensive Survey
Information-Centric Networking (ICN) has recently emerged as a prominent
candidate for the Future Internet Architecture (FIA) that addresses existing
issues with the host-centric communication model of the current TCP/IP-based
Internet. Named Data Networking (NDN) is one of the most recent and active ICN
architectures that provides a clean slate approach for Internet communication.
NDN provides intrinsic content security where security is directly provided to
the content instead of communication channel. Among other security aspects,
Access Control (AC) rules specify the privileges for the entities that can
access the content. In TCP/IP-based AC systems, due to the client-server
communication model, the servers control which client can access a particular
content. In contrast, ICN-based networks use content names to drive
communication and decouple the content from its original location. This
phenomenon leads to the loss of control over the content causing different
challenges for the realization of efficient AC mechanisms. To date,
considerable efforts have been made to develop various AC mechanisms in NDN. In
this paper, we provide a detailed and comprehensive survey of the AC mechanisms
in NDN. We follow a holistic approach towards AC in NDN where we first
summarize the ICN paradigm, describe the changes from channel-based security to
content-based security and highlight different cryptographic algorithms and
security protocols in NDN. We then classify the existing AC mechanisms into two
main categories: Encryption-based AC and Encryption-independent AC. Each
category has different classes based on the working principle of AC (e.g.,
Attribute-based AC, Name-based AC, Identity-based AC, etc). Finally, we present
the lessons learned from the existing AC mechanisms and identify the challenges
of NDN-based AC at large, highlighting future research directions for the
community.Comment: This paper has been accepted for publication by the ACM Computing
Surveys. The final version will be published by the AC
- …