283 research outputs found

    Securing Information-Centric Networking without negating Middleboxes

    Information-Centric Networking is a promising networking paradigm that overcomes many of the limitations of current networking architectures. Various research efforts investigate solutions for securing ICN. Nevertheless, most of these solutions relax security requirements in favor of network performance. In particular, they weaken end-user privacy and the architecture's tolerance to security breaches in order to support middleboxes that offer services such as caching and content replication. In this paper, we adapt TLS, a widely used security standard, to an ICN context. We design solutions that allow session reuse and migration among multiple stakeholders and we propose an extension that allows authorized middleboxes to lawfully and transparently intercept secured communications. Comment: 8th IFIP International Conference on New Technologies, Mobility & Security, IFIP, 201

    Content-Centric Networking at Internet Scale through The Integration of Name Resolution and Routing

    We introduce CCN-RAMP (Routing to Anchors Matching Prefixes), a new approach to content-centric networking. CCN-RAMP offers all the advantages of the Named Data Networking (NDN) and Content-Centric Networking (CCNx) but eliminates the need to either use Pending Interest Tables (PIT) or lookup large Forwarding Information Bases (FIB) listing name prefixes in order to forward Interests. CCN-RAMP uses small forwarding tables listing anonymous sources of Interests and the locations of name prefixes. Such tables are immune to Interest-flooding attacks and are smaller than the FIBs used to list IP address ranges in the Internet. We show that no forwarding loops can occur with CCN-RAMP, and that Interests flow over the same routes that NDN and CCNx would maintain using large FIBs. The results of simulation experiments comparing NDN with CCN-RAMP based on ndnSIM show that CCN-RAMP requires forwarding state that is orders of magnitude smaller than what NDN requires, and attains even better performance

    Named Functions at the Edge

    As end-user and edge-network devices are becoming ever more powerful, they are producing ever increasing amounts of data. Pulling all this data into the cloud for processing is impossible, not only due to its enormous volume, but also due to the stringent latency requirements of many applications. Instead, we argue that end-user and edge-network devices should collectively form edge computing swarms and complement the cloud with their storage and processing resources. This shift from centralized to edge clouds has the potential to open new horizons for application development, supporting new low-latency services and, ultimately, creating new markets for storage and processing resources. To realize this vision, we propose Named Functions at the Edge (NFE), a platform where functions can i) be identified through a routable name, ii) be requested and moved (as data objects) to process data on demand at edge nodes, iii) pull raw or anonymized data from sensors and devices, iv) securely and privately return their results to the invoker and v) compensate each party for use of their data, storage, communication or computing resources via tracking and accountability mechanisms. We use an emergency evacuation application to motivate the need for NFE and demonstrate its potential

    A keyword-based ICN-IoT platform

    Information-Centric Networking (ICN) has been proposed as a promising solution for the Internet of Things (IoT), due to its focus on naming data, rather than endpoints, which can greatly simplify applications. The hierarchical naming of the Named-Data Networking (NDN) architecture can be used to name groups of data values, for example, all temperature sensors in a building. However, the use of a single naming hierarchy for all kinds of different applications is inflexible. Moreover, IoT data are typically retrieved from multiple sources at the same time, allowing applications to aggregate similar information items, something not natively supported by NDN. To this end, in this paper we propose (a) locating IoT data using (unordered) keywords combined with NDN names and (b) processing multiple such items at the edge of the network with arbitrary functions. We describe and evaluate three different strategies for retrieving data and placing the calculations in the edge IoT network, thus combining connectivity, storage and computing

    Link layer support for quality of service on wireless Internet links


    A network aware resource discovery service (a performance evaluation study)

    Internet in recent years has become a huge set of channels for content distribution highlighting limits and inefficiencies of the current protocol suite originally designed for host-to-host communication. In this paper we exploit recent advances in Information Centric Networks in the attempt to reshape the actual Internet infrastructure from a host-centric to a name-centric paradigm where the focus is on named data instead of machine name hosting those data. In particular, we propose a Content Name System Service that provides a new network aware Content Discovery Service. The CNS behavior and architecture uses the BGP inter-domain routing information. In particular, the service registers and discovers resource names in each Autonomous System: contents are discovered by searching through the augmented AS graph representation classifying ASes into customer, provider, and peering, as the BGP protocol does. Performance of CNS can be characterized by the fraction of Autonomous Systems that successfully locate a requested content and by the average number of CNS Servers explored during the search phase. A C-based simulator of CNS is developed and is run over real ASes topologies provided by the Center for Applied Internet Data Analysis to provide estimates of both performance indexes. Preliminary performance and sensitivity results show the CNS approach is promising and can be efficiently implemented by incrementally deploying CNS Servers

    IPTV Over ICN

    The efficient provision of IPTV services requires support for IP multicasting and IGMP snooping, limiting such services to single operator networks. Information-Centric Networking (ICN), with its native support for multicast seems ideal for such services, but it requires operators and users to overhaul their networks and applications. The POINT project has proposed a hybrid, IP-over-ICN, architecture, preserving IP devices and applications at the edge, but interconnecting them via an SDN-based ICN core. This allows individual operators to exploit the benefits of ICN, without expecting the rest of the Internet to change. In this paper, we first outline the POINT approach and show how it can handle multicast-based IPTV services in a more efficient and resilient manner than IP. We then describe a successful trial of the POINT prototype in a production network, where real users tested actual IPTV services over both IP and POINT under regular and exceptional conditions. Results from the trial show that the POINT prototype matched or improved upon the services offered via plain IP

    Improving video QoE with IP over ICN

    Information-centric networking (ICN) has long been advocating for radical changes to the Internet, but the upgrade challenges that this entails have hindered its adoption. To break this loop, the POINT project proposed a hybrid, IP-over-ICN, architecture: IP networks are preserved at the edge, connected to each other over an ICN core. This exploits the key benefits of ICN, enabling individual network operators to improve the performance of their IP-based services, without changing the rest of the Internet. This paper first provides an overview of POINT and outlines how it can improve upon IP in terms of performance and resilience. It then describes a trial of the POINT prototype in a production network, where real users operated actual IP-based applications. As part of the trial, we carried out experiments to evaluate the Quality of Experience (QoE) for video services offered via either HLS or IPTV, using either IP or POINT as a substrate. The results from the trial verify that the IP-over-ICN approach of POINT offers enhanced QoE to the users of these video services, compared to traditional IP, especially under exceptional network conditions