
- Number of slides: 45
Lecture 2 - Internet evolution (part 2)
D.Sc. Arto Karila, Helsinki Institute for Information Technology (HIIT), arto.karila@hiit.fi
M.Sc. Mark Ain, Helsinki Institute for Information Technology (HIIT), mark.ain@hiit.fi
T-110.6120 – Special Course in Future Internet Technologies
11.09.2012
Evolutionary approaches: architectural
1. DNS (~1982)
2. EGP (precursor to BGP, ~1982)
3. TCP congestion control (mid-to-late 1980's)
4. CIDR (~1993)
5. NAT (early 1990's)
6. IPv6 (first RFC 1995; RFC 2460 reached Draft Standard in 1998)
7. IPsec (1995)
8. Mobile IP (~1996)
9. MPLS (~1996)
10. DiffServ / IntServ (~1998)
11. HIP (~1999, first RFC 2006)
12. BGPSec (mid 2000s)
13. DNSSec (~2004, first deployed at root level ~2010)
Network Address Translation (NAT) – 4 types
- Problem: address space exhaustion
- The four classic types (RFC 3489 terminology) differ in how inbound packets are filtered and whether one mapping is reused for every peer: full cone, (address-)restricted cone, port-restricted cone and symmetric
- NAT is ugly, breaks E2E (end-to-end reachability)... but it works.
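The four NAT behaviours, as an added example (not code from the lecture): a small NAPT simulator in which only the inbound filtering rule and the mapping key change between the types. The private host, the two servers and the public address are constructed documentation addresses. The probe shows concretely what "breaks E2E" means: an unsolicited peer reaches the host only through a full-cone NAT, and a symmetric NAT hands out a different public port per destination, which is what defeats simple hole punching.

```python
"""Simulator for the four classic NAT behaviours (RFC 3489 terminology):
full cone, (address-)restricted cone, port-restricted cone and symmetric.
Added example, not from the lecture; all addresses are constructed."""
import itertools

FULL_CONE = "full-cone"
RESTRICTED = "restricted-cone"
PORT_RESTRICTED = "port-restricted-cone"
SYMMETRIC = "symmetric"


class Nat:
    """Minimal NAPT: one public address, mappings keyed per NAT type."""

    def __init__(self, kind, public_ip="198.51.100.1", first_port=40000):
        self.kind = kind
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.mappings = {}   # mapping key -> public port
        self.inside = {}     # public port -> (private ip, private port)
        self.peers = {}      # public port -> set of (remote ip, remote port) contacted

    def outbound(self, src, dst):
        """Translate a packet from private endpoint src to remote endpoint dst.
        Returns the public (ip, port) the remote will see as the source."""
        # A symmetric NAT allocates a new mapping per destination; the cone
        # types reuse one mapping for the private endpoint whatever the peer.
        key = (src, dst) if self.kind == SYMMETRIC else src
        if key not in self.mappings:
            port = next(self._ports)
            self.mappings[key] = port
            self.inside[port] = src
            self.peers[port] = set()
        port = self.mappings[key]
        self.peers[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Deliver a packet from remote to the public port, or return None
        (dropped).  Filtering is what differs between the types."""
        if public_port not in self.inside:
            return None              # no mapping: unsolicited traffic is dropped
        contacted = self.peers[public_port]
        if self.kind == FULL_CONE:
            allowed = True           # anyone who learns the mapping may use it
        elif self.kind == RESTRICTED:
            allowed = any(ip == remote[0] for ip, _ in contacted)
        else:                        # port-restricted and symmetric
            allowed = remote in contacted
        return self.inside[public_port] if allowed else None


def hole_punch_probe(kind):
    """Private host talks to server A; then A from another port and server B
    (different ip) try to reach the mapping.  Returns what got through."""
    nat = Nat(kind)
    host = ("10.0.0.5", 5000)
    server_a = ("203.0.113.10", 3478)
    server_b = ("203.0.113.20", 3478)
    pub_ip, pub_port = nat.outbound(host, server_a)
    return {
        "from_A_same_port": nat.inbound(server_a, pub_port) == host,
        "from_A_other_port": nat.inbound((server_a[0], 9999), pub_port) == host,
        "from_B": nat.inbound(server_b, pub_port) == host,
        # does a second destination see the same public port?
        "same_port_for_B": nat.outbound(host, server_b) == (pub_ip, pub_port),
    }


if __name__ == "__main__":
    for kind in (FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(kind, hole_punch_probe(kind))
```

The mapping-reuse question (`same_port_for_B`) is the one a STUN-style rendezvous server relies on: it can only tell a peer which public port to use if the NAT keeps that port stable across destinations.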
IPv6
- Problem: address space exhaustion
- IPv6 was born in 1995 after long work
- There are over 30 IPv6-related RFCs
- The claimed improvements in IPv6 are:
  - Large 128-bit address space
  - Stateless address autoconfiguration
  - Multicast support
  - Mandatory network-layer security (IPsec; originally a MUST for IPv6 nodes, relaxed to a SHOULD by RFC 6434 in 2011)
  - Simplified header processing by routers
  - Efficient mobility (no triangular routing)
  - Extensibility (extension headers)
  - Jumbo packets (up to 4 GB)
IPv6
- Major operating systems and many ISPs support IPv6
- The use of IPv6 is slowly increasing in Europe and North America but more rapidly in Asia
- In China, CERNET2 runs IPv6, interconnecting 25 points of presence in 20 cities with 2.5 and 10 Gbps links
- IPv6 really only solves the exhaustion of the Internet address space
IPv6? (chart: planned vs. actual adoption)
IPsec
- Problem: security
- IPsec is the IP-layer security solution of the Internet, usable with both IPv4 and IPv6
- Authentication Header (AH) only protects the integrity and origin of an IP packet; it gives no confidentiality
- Encapsulating Security Payload (ESP) also ensures confidentiality of the data (and in practice carries its own integrity check)
- IPsec works within a Security Association (SA) set up between two IP addresses; an SA is unidirectional and identified by its SPI, so bidirectional traffic needs a pair of SAs
- ISAKMP (Internet Security Association and Key Management Protocol) is a very complicated framework for SA management; IKE is the key exchange protocol built on it
Encapsulating Security Payload (IPv4)
Original IPv4 Header | ESP Header: Security Parameter Index (SPI), Sequence Number | UDP/TCP Header, ESP Payload Data | ESP Trailer: Padding, Pad Len, Next Hdr | Authentication Data
- Coverage of authentication: ESP Header through ESP Trailer
- Coverage of confidentiality: UDP/TCP Header through ESP Trailer

Encapsulating Security Payload (IPv6)
Original IPv6 Header | Hop-by-Hop Extensions | ESP Header: SPI, Sequence Number | End-to-End Extensions, UDP/TCP Header, ESP Payload Data | ESP Trailer: Padding, Pad Len, Next Hdr | Authentication Data
- Coverage of authentication: ESP Header through ESP Trailer
- Coverage of confidentiality: End-to-End Extensions through ESP Trailer (hop-by-hop extensions stay outside ESP, since routers must read them)
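The ESP layout above in working form, as an added example (not code from the lecture): the packet is built with NULL encryption (RFC 2410) so that the SPI/sequence header, payload, trailer and ICV boundaries are visible in clear, and the receiver applies the RFC 4303 anti-replay window on the sequence number before verifying the ICV. The key, SPI, payload and the choice of truncated HMAC-SHA-256 are constructed for the example; a real SA would negotiate the algorithms through IKE.

```python
"""ESP framing with NULL encryption (RFC 2410) and the RFC 4303 anti-replay window.
Added example (not from the lecture).  The key, SPI and payload are constructed;
NULL encryption is used so the framing and the ICV coverage are visible in clear."""
import hmac
import hashlib
import struct

ICV_LEN = 16          # HMAC-SHA-256 truncated to 128 bits (RFC 4868 style)
NEXT_HDR_TCP = 6
ALIGN = 4             # NULL encryption: pad so Pad Len + Next Hdr end on a 4-byte boundary


def build_esp(key, spi, seq, payload, next_hdr=NEXT_HDR_TCP):
    """Return SPI | Seq | payload | padding | Pad Len | Next Hdr | ICV."""
    pad_len = (-(len(payload) + 2)) % ALIGN
    padding = bytes(range(1, pad_len + 1))          # default monotonic padding, RFC 4303 2.4
    trailer = padding + bytes([pad_len, next_hdr])
    header = struct.pack("!II", spi, seq)
    # Authentication covers header, payload and trailer; confidentiality (with a
    # real cipher) would cover payload and trailer only.
    icv = hmac.new(key, header + payload + trailer, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + trailer + icv


class EspReceiver:
    """Inbound SA: ICV check plus a sliding anti-replay window of `window` packets."""

    def __init__(self, key, spi, window=64):
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0         # highest sequence number accepted so far
        self.mask = 0            # bit i set => sequence (highest - i) already seen

    def _replay_ok(self, seq):
        if seq == 0:
            return False         # 0 is never a valid sequence number with anti-replay on
        if seq > self.highest:
            return True
        diff = self.highest - seq
        return diff < self.window and not (self.mask >> diff) & 1

    def _replay_update(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.mask = ((self.mask << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.mask |= 1 << (self.highest - seq)

    def receive(self, pkt):
        """Return (next_hdr, payload) or raise ValueError for a bad packet."""
        if len(pkt) < 8 + 2 + ICV_LEN:
            raise ValueError("short packet")
        spi, seq = struct.unpack("!II", pkt[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not self._replay_ok(seq):
            raise ValueError("replayed or too old")   # cheap check before the ICV
        body, icv = pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(self.key, pkt[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch")          # only now trust anything in the body
        pad_len, next_hdr = body[-2], body[-1]
        if pad_len > len(body) - 2 or body[len(body) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
            raise ValueError("bad padding")
        self._replay_update(seq)                     # window moves only after the ICV passes
        return next_hdr, body[:len(body) - 2 - pad_len]


if __name__ == "__main__":
    k = b"\x11" * 32
    rx = EspReceiver(k, spi=0x1000)
    pkt = build_esp(k, 0x1000, 1, b"GET / HTTP/1.0\r\n")
    print(rx.receive(pkt))
    try:
        rx.receive(pkt)
    except ValueError as e:
        print("replay rejected:", e)
```

The ordering in `receive` matters: the window check is done first because it is cheap and shields the HMAC from flooded duplicates, but the window is only advanced after the ICV verifies, otherwise an attacker could push the window forward with forged sequence numbers and make genuine packets look old.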
Mobile IPv4
- Problem: mobility
- Basic concepts:
  - Mobile Node (MN)
  - Correspondent Node (CN)
  - Home Agent (HA)
  - Foreign Agent (FA)
  - Care-of-Address (CoA)
- The following can be problematic:
  - Firewalls and ingress filtering
  - Triangular routing
Mobility Example: Mobile IP Triangular Routing
- Packets from the Correspondent Host go to the Home Agent, which tunnels them to the Foreign Agent / Care-of-Address (CoA) of the Mobile Host; the Mobile Host answers directly. The detour via the Home Agent adds delay.
- Ingress filtering causes problems for IPv4 (home address as source); IPv6 uses the CoA as source, so it is not a problem there.
- Solutions: reverse tunnelling or route optimization.
- The Foreign Agent was left out of MIPv6: no special support is needed thanks to IPv6 address autoconfiguration.
Source: Professor Sasu Tarkoma
Ingress Filtering
- A packet from the mobile host (home address as source, but sent from the foreign network) is deemed "topologically incorrect", as in source address spoofing.
- With ingress filtering, routers drop packets whose source addresses are not consistent with the observed source of the packet.
Source: Professor Sasu Tarkoma
Reverse Tunnelling
- The mobile host tunnels its own packets back through the Home Agent instead of sending them directly to the Correspondent Host.
- Firewalls and ingress filtering are no longer a problem.
- Two-way tunnelling leads to overhead, increased congestion and delay.
Source: Professor Sasu Tarkoma
Mobile IPv6 Route Optimization
- The MH sends a binding update (BU) to the CH when it receives a tunnelled packet; afterwards the CH sends packets directly to the CoA, carrying the home address in a routing header.
- Before the BU is accepted, a Return Routability test runs: the CH sends a Home Test packet (reaching the MH through the HA, over the secure ESP tunnel between MH and HA) and a Care-of Test packet (directly to the CoA). When the MH has received both, it derives the key Kbm from the two tokens and sends the BU authenticated with Kbm.
Source: Professor Sasu Tarkoma
Differences between MIPv6 and MIPv4
- In MIPv6 no FA is needed (no infrastructure change)
- Address autoconfiguration helps in acquiring the CoA
- The MH uses the CoA as the source address on the foreign link, so no problems with ingress filtering
- Option headers and neighbor discovery of the IPv6 protocol are used to perform mobility functions
- 128-bit IP addresses help deployment of mobile IP in large environments
- Route optimization is supported by header options
Source: Professor Sasu Tarkoma
Extension Headers
- In both directions (CN to MN and MN to CN) the Mobility Header (MH) is carried as an extension header, followed by the upper-layer headers and data.
- MH Type in the Mobility Header: Binding Update, Binding Acknowledgement, Binding Error, Binding Refresh Request
- MN, HA and CN all take part in binding management
Source: Chittaranjan Hota, Computer Networks II lecture 22.10.2007
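The return routability test and the Kbm-authenticated binding update from the route-optimization slide, as an added example (not from the lecture or the cited slides), reduced to the cryptographic core of RFC 3775: token derivation on the correspondent node, Kbm derivation and the 96-bit authenticator on the mobile node. Addresses, Kcn, the nonce and the mobility-header contents are constructed; the cookies and the full nonce-index bookkeeping are omitted. The second half shows why two tokens sent over two different paths matter: an attacker who can obtain its own care-of token but never saw the home token cannot redirect the home address to itself.

```python
"""Mobile IPv6 return routability and binding-update authentication
(RFC 3775 sections 5.2.5 and 6.2.7), reduced to the cryptographic core.
Added example, not from the lecture or the cited slides.  Addresses, Kcn,
nonces and the mobility-header contents are constructed; cookies and
nonce-index handling beyond one index are omitted."""
import hashlib
import hmac
import ipaddress
import os
import struct


def hmac_sha1(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def packed(addr):
    return ipaddress.IPv6Address(addr).packed


class CorrespondentNode:
    """Holds only Kcn and a nonce until a valid BU arrives (no per-MN state)."""

    def __init__(self, addr):
        self.addr = addr
        self.kcn = os.urandom(20)
        self.nonces = {0: os.urandom(8)}
        self.binding_cache = {}

    def _keygen_token(self, addr, nonce_idx, which):
        # home keygen token:    First(64, HMAC_SHA1(Kcn, home address | nonce | 0))
        # care-of keygen token: First(64, HMAC_SHA1(Kcn, care-of address | nonce | 1))
        return hmac_sha1(self.kcn, packed(addr) + self.nonces[nonce_idx] + bytes([which]))[:8]

    def home_test(self, hoa):          # HoT, sent to the home address (via the HA tunnel)
        return 0, self._keygen_token(hoa, 0, 0)

    def careof_test(self, coa):        # CoT, sent directly to the care-of address
        return 0, self._keygen_token(coa, 0, 1)

    def receive_bu(self, hoa, coa, home_idx, coa_idx, mh_data, authenticator):
        """Recompute Kbm from the tokens and check the 96-bit authenticator."""
        kbm = hashlib.sha1(self._keygen_token(hoa, home_idx, 0)
                           + self._keygen_token(coa, coa_idx, 1)).digest()
        expected = hmac_sha1(kbm, packed(coa) + packed(self.addr) + mh_data)[:12]
        if not hmac.compare_digest(expected, authenticator):
            return False
        self.binding_cache[hoa] = coa
        return True


def build_bu(cn_addr, hoa, coa, home_token, coa_token, seq):
    """MN side: Kbm = SHA1(home token | care-of token); authenticator over
    care-of address | CN address | MH data (MH data here: just the sequence number)."""
    kbm = hashlib.sha1(home_token + coa_token).digest()
    mh_data = struct.pack("!H", seq)
    auth = hmac_sha1(kbm, packed(coa) + packed(cn_addr) + mh_data)[:12]
    return mh_data, auth


def scenario():
    """Legitimate MN vs. an attacker who can only obtain a care-of token."""
    hoa, coa = "2001:db8:1::10", "2001:db8:2::77"
    cn = CorrespondentNode("2001:db8:3::1")
    home_idx, home_token = cn.home_test(hoa)
    coa_idx, coa_token = cn.careof_test(coa)
    mh, auth = build_bu(cn.addr, hoa, coa, home_token, coa_token, seq=1)
    legit = cn.receive_bu(hoa, coa, home_idx, coa_idx, mh, auth)

    # Attacker at a different care-of address wants CN to send hoa's traffic to it.
    evil_coa = "2001:db8:2::666"
    _, evil_coa_token = cn.careof_test(evil_coa)     # it can get its own CoT ...
    guessed_home_token = os.urandom(8)               # ... but never saw hoa's HoT
    mh2, auth2 = build_bu(cn.addr, hoa, evil_coa, guessed_home_token, evil_coa_token, seq=2)
    hijacked = cn.receive_bu(hoa, evil_coa, 0, 0, mh2, auth2)
    return legit, hijacked, cn.binding_cache.get(hoa)


if __name__ == "__main__":
    print(scenario())
```

Note what the test does and does not prove: it only shows the CN that the sender is reachable at both addresses, so an attacker sitting on the path between HA and CN (who sees the HoT) and able to reach the care-of address still wins. That is the accepted trade-off for a mechanism that needs no pre-shared key between MN and CN.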
(G)MPLS
- Problems: scalable transport, QoS, resource usage, business incentives etc.
- (Generalized) Multi-Protocol Label Switching
- Layer 2.5 protocol
- High-performance transport of any layer 3 protocol over any layer 2 data link over any layer 1 medium
- Routing via short path labels (path switching)
- Layer 2 and layer 3 services (e.g. PtP and PtMP VPN)
- Label forwarding implemented in hardware (i.e. switching); much faster than IP longest-prefix matching
QoS
Problem: need better traffic control, satisfy business incentives, better services etc.
DiffServ
- Differentiated Services (DiffServ, RFC 2474) redefines the ToS octet of the IPv4 header and the Traffic Class octet of IPv6 as the DS field
- Allows operators to control the treatment of packets but does not guarantee any particular level of service or policy adherence across network boundaries
- The first 6 bits of the DS field are the Differentiated Services Code Point (DSCP), selecting the Per-Hop Behavior (PHB) applied to the packet; the remaining 2 bits are used for ECN
- DiffServ is stateless (like IP) and scales
- Service profiles can be defined by an ISP for its customers and by transit providers for ISPs
- DiffServ is very easily deployable and could enable well-working VoIP and real-time video
- Unfortunately, it is not used between operators
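What "controlling the treatment of packets against a service profile" looks like at a DiffServ edge, as an added example (not from the lecture): a single-rate three-colour marker (srTCM, RFC 2697) meters a customer's traffic against a committed rate and burst sizes and writes the result into the DS field as Assured Forwarding drop precedence (AF11/AF12/AF13). The rate, burst sizes and packet trace are constructed; marking rather than dropping red packets is one possible policy choice.

```python
"""DiffServ edge marking: a single-rate three-colour marker (srTCM, RFC 2697)
policing a customer's traffic against its service profile and writing the
result into the DS field as AF drop precedence.  Added example, not from the
lecture; rates, sizes and packets are constructed."""

EF = 46                                   # Expedited Forwarding PHB (RFC 3246)


def af_dscp(class_no, drop_prec):
    """AFxy code point, RFC 2597: 8*x + 2*y, x in 1..4, y in 1..3."""
    assert 1 <= class_no <= 4 and 1 <= drop_prec <= 3
    return 8 * class_no + 2 * drop_prec


def ds_byte(dscp, ecn=0):
    """DSCP occupies the six high-order bits of the former ToS / Traffic Class octet."""
    return (dscp << 2) | (ecn & 0b11)


def dscp_of(ds_octet):
    return ds_octet >> 2


class SrTCM:
    """Colour-blind srTCM: CIR in bytes/s, committed (CBS) and excess (EBS) burst
    sizes in bytes.  Tokens refill at CIR into Tc first, overflow into Te."""

    def __init__(self, cir, cbs, ebs, now=0.0):
        self.cir, self.cbs, self.ebs = cir, cbs, ebs
        self.tc, self.te = cbs, ebs
        self.last = now

    def _refill(self, now):
        tokens = (now - self.last) * self.cir
        self.last = now
        self.tc += tokens
        if self.tc > self.cbs:
            self.te = min(self.ebs, self.te + self.tc - self.cbs)
            self.tc = self.cbs

    def colour(self, size, now):
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "green"
        if self.te >= size:
            self.te -= size
            return "yellow"
        return "red"


DROP_PREC = {"green": 1, "yellow": 2, "red": 3}


def mark(meter, packets, af_class=1):
    """packets: list of (timestamp, size).  Returns the DSCP written into each
    packet's DS field.  Red packets are kept but marked AFx3 (dropped first
    under congestion); a stricter profile would discard them here."""
    return [af_dscp(af_class, DROP_PREC[meter.colour(size, t)]) for t, size in packets]


if __name__ == "__main__":
    meter = SrTCM(cir=1000, cbs=1500, ebs=1500)
    burst = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (2.0, 1000)]
    print(mark(meter, burst))          # [10, 12, 14, 10] == AF11, AF12, AF13, AF11
```

The marker is also the security control at the boundary: whatever DSCP a customer sets itself is overwritten here, which is why the slide's caveat about "policy adherence across network boundaries" matters. Without re-marking at every operator boundary, a sender could tag bulk traffic as EF and take the priority queue.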
IntServ
- Integrated Services
- Unlike DiffServ, IntServ reserves network resources and attempts to guarantee the conditions of a network flow end-to-end
- However, the process is complex, resource intensive, and requires supportive, cooperating routers across all ASes from source to sink
HIP
- Problems: mobility, security, multihoming, IPv4/IPv6 interoperation etc.
- Host Identity Protocol (HIP, RFC 4423) defines a new global Internet name space
- The Host Identity name space decouples the name and locator roles, both of which are currently served by IP addresses
- The transport layer now operates on Host Identities instead of IP addresses
- The network layer uses IP addresses as pure locators (not as names or identifiers)
HIP Architecture (figure)
HIP
- HIs are self-certifying (public keys)
- HIP is a fairly simple technique based on IPsec ESP and HITs (128-bit hashes of HIs)
- HIP is ready for large-scale deployment
- See http://infrahip.hiit.fi for more info
Base exchange
- Based on the SIGMA family of key exchange protocols: standard authenticated Diffie-Hellman key exchange for session key generation
- I1, Initiator to Responder: HIT_I, HIT_R (or NULL)
- R1, Responder to Initiator: HIT_I, [HIT_R, puzzle, DH_R, HI_R] sig. The responder selects a precomputed R1 and keeps minimal state. This prevents DoS but does not protect against replay attacks.
- I2, Initiator to Responder: [HIT_I, solution, DH_I, {HI_I}] sig. The initiator solves the puzzle.
- R2, Responder to Initiator: [HIT_R, authenticator] sig. Verify, authenticate, replay protection.
- User data messages: ESP-protected TCP/UDP, no explicit HIP header
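The puzzle that lets the responder stay almost stateless, as an added example (not lecture or InfraHIP code): following the HIP base-exchange puzzle definition (RFC 5201), the responder sends a random I and difficulty K in R1 and the initiator must find a J such that the K low-order bits of SHA-1(I | HIT-I | HIT-R | J) are zero. The HITs, the responder secret and the time-slot scheme for re-deriving I without storing it are constructed for this example; RFC 5201 only requires that the responder can recognise an I it issued recently.

```python
"""HIP base-exchange puzzle (RFC 5201 section 4.1.2): the responder hands out a
precomputed R1 carrying a random value I and difficulty K; the initiator must
find J such that the K low-order bits of SHA-1(I | HIT-I | HIT-R | J) are zero.
Added example (not lecture or InfraHIP code).  HITs, the responder secret and
the time-slot scheme for deriving I are constructed here."""
import hashlib
import hmac
import struct


def puzzle_hash(i_val, hit_i, hit_r, j_val):
    return hashlib.sha1(i_val + hit_i + hit_r + j_val).digest()


def check_solution(i_val, hit_i, hit_r, j_val, k):
    """True if the K low-order bits of the hash are all zero."""
    h = int.from_bytes(puzzle_hash(i_val, hit_i, hit_r, j_val), "big")
    return h & ((1 << k) - 1) == 0


def solve_puzzle(i_val, hit_i, hit_r, k, max_tries=1 << 24):
    """Initiator side: brute force J (64-bit), about 2**K hash evaluations."""
    for n in range(max_tries):
        j_val = struct.pack("!Q", n)
        if check_solution(i_val, hit_i, hit_r, j_val, k):
            return j_val
    raise RuntimeError("no solution found")


class Responder:
    """Keeps no per-initiator state: I is re-derived from a secret, the HIT pair
    and a coarse time slot, so an R1 can be sent and later verified statelessly."""

    def __init__(self, hit_r, secret, k):
        self.hit_r, self.secret, self.k = hit_r, secret, k

    def _i_for(self, hit_i, slot):
        return hmac.new(self.secret, hit_i + self.hit_r + struct.pack("!I", slot),
                        hashlib.sha1).digest()[:8]

    def r1(self, hit_i, slot):
        """Build the puzzle part of R1 for a given time slot (constructed scheme)."""
        return {"I": self._i_for(hit_i, slot), "K": self.k, "HIT_R": self.hit_r}

    def verify_i2(self, hit_i, j_val, slot, max_slot_age=1):
        """Accept I2 if its J solves a puzzle we would have issued recently."""
        for s in range(slot, slot - max_slot_age - 1, -1):
            i_val = self._i_for(hit_i, s)
            if check_solution(i_val, hit_i, self.hit_r, j_val, self.k):
                return True
        return False


def run_exchange(k=16, slot=100):
    """Full puzzle round trip; returns (accepted, bogus_accepted)."""
    hit_i = bytes.fromhex("20010010000000000000000000000001")   # constructed HITs
    hit_r = bytes.fromhex("20010010000000000000000000000002")
    resp = Responder(hit_r, secret=b"responder-secret", k=k)
    r1 = resp.r1(hit_i, slot)                                   # I1 -> R1
    j_val = solve_puzzle(r1["I"], hit_i, r1["HIT_R"], r1["K"])   # initiator work
    accepted = resp.verify_i2(hit_i, j_val, slot)               # I2 -> R2
    bogus = resp.verify_i2(hit_i, b"\x00" * 8, slot)            # no work done
    return accepted, bogus


if __name__ == "__main__":
    print(run_exchange())
```

The asymmetry is the point: the responder spends one HMAC and one SHA-1 per I2, the initiator about 2^K SHA-1 computations, and K can be raised under load. Binding I to the HIT pair also stops a solution computed for one responder from being replayed against another, which is exactly the limited ("does not protect against replay") guarantee the slide describes for R1 itself.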
HIP Mobility
- Mobility is easy: the SA for ESP is retained while the locator (IP address) changes
HIP in Combining IPv4 and IPv6
- An early demo seen at L. M. Ericsson Finland (source: Petri Jokela, LMF)
- Figure: HIP MN on an IPv4 access network, reaching a WWW proxy and a music server on a HIP CN across the Internet
BGPSec and DNSSec
Problem: security (within two critical architectural solutions)
BGP Security Extensions:
- Authentication of inter-AS BGP data via the Resource Public Key Infrastructure (RPKI), i.e. digital signatures: RPKI-based origin validation checks that the origin AS is authorized by a signed ROA to announce the prefix; BGPsec (still an IETF draft at the time of this lecture) adds signatures over the AS path
- Does NOT provide confidentiality or guaranteed availability
- Provides limited protection against certain misorigination attacks (origin validation alone does not detect a forged path that ends in the legitimate origin AS)
- Not widely implemented
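Route origin validation against ROAs (RFC 6811), as an added example (not from the lecture): the validation outcome for a handful of announcements, including the forged-origin case that shows why the slide calls the protection "limited". The ROAs, AS numbers and prefixes are constructed documentation values, not real routing data.

```python
"""RPKI route origin validation (RFC 6811) against a set of ROAs, plus the
forged-origin case that ROV alone cannot catch (that is what BGPsec path
signatures target).  Added example, not from the lecture; the ROAs and the
announcements are constructed and the AS numbers/prefixes are documentation
values, not real routing data."""
import ipaddress
from collections import namedtuple

Roa = namedtuple("Roa", "prefix max_len asn")      # validated ROA payload
Route = namedtuple("Route", "prefix as_path")      # as_path[-1] is the origin AS


def covers(roa_prefix, route_prefix):
    return (route_prefix.version == roa_prefix.version
            and route_prefix.subnet_of(roa_prefix))


def rov(route, roas):
    """Return 'valid', 'invalid' or 'not-found' for the route's origin AS."""
    origin = route.as_path[-1]
    covering = [r for r in roas if covers(r.prefix, route.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn == origin and route.prefix.prefixlen <= r.max_len:
            return "valid"
    return "invalid"          # covered, but origin or length does not match any ROA


ROAS = [
    Roa(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    Roa(ipaddress.ip_network("198.51.100.0/22"), 24, 64497),   # allows up to /24 subnets
]


def evaluate():
    """A handful of announcements seen by a validating router (constructed)."""
    n = ipaddress.ip_network
    cases = {
        # legitimate origin
        "own": Route(n("192.0.2.0/24"), [64500, 64496]),
        # classic misorigination: attacker AS announces the prefix as its own
        "misorigin": Route(n("192.0.2.0/24"), [64500, 64666]),
        # more-specific hijack beyond maxLength
        "too_specific": Route(n("198.51.100.0/25"), [64500, 64497]),
        # attacker prepends the legitimate origin: ROV says valid, only path
        # validation (BGPsec) would expose the forged adjacency
        "forged_origin": Route(n("192.0.2.0/24"), [64500, 64666, 64496]),
        # no ROA at all
        "unknown": Route(n("203.0.113.0/24"), [64500, 64498]),
    }
    return {name: rov(route, ROAS) for name, route in cases.items()}


if __name__ == "__main__":
    for k, v in evaluate().items():
        print(f"{k:14} {v}")
```

Two operational caveats follow from the code: a ROA with a generous maxLength lets any more-specific announcement from the right origin pass, so maxLength should be no longer than what is actually announced, and a "not-found" result is what most of the Internet produced in 2012, so a policy that drops "invalid" but accepts "not-found" protects only prefixes whose owners have published ROAs.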
BGPSec and DNSSec
DNS Security Extensions:
- Authentication and integrity of DNS query results via digital signatures (a validating resolver follows a chain of trust from the signed root down to the zone)
- Does NOT provide confidentiality or guaranteed availability
- Protects against e.g. cache poisoning and other forgeries
- Not widely implemented
Key limitations, solutions, underlying ossifications

Limitation(s) | Solution(s) | Key underlying ossification(s)
Name-address translation | DNS | Network vs. human-friendly naming dichotomy
Scalability, routing inflexibility | TCP/IP, MPLS, BGP, IGPs + EGPs | Endpoint-centrism; lack of built-in protocol-independent QoS; combined addressing and transport
Congestion | TCP congestion control, traffic control | Rigid core protocol stack; send-receive communication paradigm
Address space exhaustion | CIDR, NAT, DHCP etc. | IPv4
Mobility, multihoming | MIP, HIP | Endpoint-centrism; lack of built-in protocol-independent QoS
QoS | DiffServ + IntServ | Rigid core protocol stack; send-receive communication paradigm
Security | Various (e.g. DNSSec, BGPSec, and many others!) | Rigid core protocol stack
Evolutionary approaches: application-level
1. Scalable content delivery
   1. DHTs (~2001)
   2. P2P networks
   3. CDNs (e.g. Akamai)
2. Security (confidentiality, anonymity, authentication etc.)
   1. Asymmetric crypto (e.g. RSA ~1977, with an equivalent scheme found in classified work ~1973; DH ~1976)
   2. PGP (~1991)
   3. SSL/TLS (mid-1990's, late-1990's)
   4. PKI (1990's)
   5. VPNs, e.g. PPTP (~1999)
   6. Wireless security, e.g. WPA/WPA2/EAP (late 1990's and beyond)
   7. Tor (mid 2000's)
3. Cloud computing
Distributed Hash Table (DHT)
- A DHT is a service for storing and retrieving key-value pairs
- There is a large number of peer machines
- Single machines leaving or joining the network have little effect on its operation
- DHTs can be used to build e.g. databases (a new DNS) or content delivery systems
- BitTorrent uses a DHT
- The real scalability of DHTs is still unproven
- All of the participating hosts need to be trusted (at least to some extent)
DHT
- The principle of a Distributed Hash Table (figure, source: Wikipedia)
Overlay Routing
- In overlay routing the topology is formed over an underlying (usually IP) network
- DHTs are examples of overlay routing
- DHT techniques can be utilized e.g. in implementing non-hierarchical rendezvous
- An example of a DHT-based solution is the Content Addressable Network (CAN)
- CAN is based on a d-dimensional Cartesian space, each node being responsible for a coordinate zone
CAN: a two-dimensional example (figure)
Chord Ring: greedy forwarding (compare with ROFL, Routing on Flat Labels) (figure)
Pastry DHT: an example with hexadecimal identifiers (figure)
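Greedy forwarding on a Chord ring, as an added example (not from the lecture or from the Chord authors' code) covering the DHT, overlay-routing and Chord-ring slides above: a static ring with finger tables, a lookup that at each hop jumps to the farthest finger that does not overshoot the key, and put/get on top of it with hop counts. The node identifiers are the ones used in the Chord paper's worked example and are constructed here directly rather than hashed from addresses.

```python
"""Chord lookup with finger tables and greedy forwarding, with hop counts.
Added example, not from the lecture or the Chord paper's code; node identifiers
are constructed (normally they would be hashes of node addresses)."""
import bisect

M = 8                 # identifier bits; ring size 2**M
RING = 1 << M


def between(x, lo, hi):
    """True if x lies in the half-open ring interval (lo, hi]."""
    if lo < hi:
        return lo < x <= hi
    return x > lo or x <= hi        # interval wraps around zero


class Node:
    def __init__(self, ident):
        self.id = ident
        self.successor = self
        self.fingers = [self] * M    # fingers[i] = successor(id + 2**i)
        self.store = {}


class Ring:
    """Static ring: finger tables are built from the full node list."""

    def __init__(self, ids):
        ids = sorted(set(ids))
        self.nodes = [Node(i) for i in ids]
        self.ids = ids
        for n in self.nodes:
            n.successor = self.successor_of((n.id + 1) % RING)
            n.fingers = [self.successor_of((n.id + (1 << i)) % RING) for i in range(M)]

    def successor_of(self, key):
        """First node at or after key on the ring (brute force; used for setup)."""
        pos = bisect.bisect_left(self.ids, key)
        return self.nodes[pos % len(self.nodes)]

    @staticmethod
    def closest_preceding(node, key):
        for f in reversed(node.fingers):
            if f is not node and between(f.id, node.id, key):
                return f
        return node

    @staticmethod
    def lookup(start, key):
        """Greedy forwarding: each hop jumps to the farthest finger that does
        not overshoot the key.  Returns (responsible node, hops)."""
        node, hops = start, 0
        while True:
            if key == node.id:
                return node, hops
            if between(key, node.id, node.successor.id):
                return node.successor, hops
            nxt = Ring.closest_preceding(node, key)
            if nxt is node:               # no finger helps: fall back to successor
                nxt = node.successor
            node, hops = nxt, hops + 1

    def put(self, start, key, value):
        owner, hops = self.lookup(start, key)
        owner.store[key] = value
        return owner.id, hops

    def get(self, start, key):
        owner, hops = self.lookup(start, key)
        return owner.store.get(key), hops


if __name__ == "__main__":
    ring = Ring([1, 8, 14, 21, 32, 38, 42, 48, 51, 56])   # the Chord paper's example ids
    n8 = ring.nodes[1]
    print(ring.put(n8, 54, "value for key 54"))            # (56, 2): 8 -> 42 -> 51 -> 56
    print(ring.get(ring.nodes[0], 54))
```

Each hop trusts the previous node's finger table unconditionally; a node that answers with a wrong successor can black-hole or impersonate the owner of any key routed through it, and an attacker who can choose identifiers can place itself on the path to a target key. That is the concrete content of the slide's remark that all participating hosts need to be trusted to some extent.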
P2P networks & CDNs
- Napster, Gnutella, BitTorrent (also utilizes a DHT) etc.
- Akamai CDN
Security
Confidentiality, anonymity, authentication etc.
1. Asymmetric crypto (e.g. RSA ~1977, with an equivalent scheme found in classified work ~1973; Diffie-Hellman ~1976)
2. PGP (~1991)
3. SSL/TLS (mid-1990's, late-1990's)
4. PKI (1990's)
5. VPNs, e.g. PPTP (~1999)
6. Wireless security, e.g. WPA/WPA2/EAP (late 1990's and beyond)
7. Tor (mid 2000's)
Cloud computing
- Computing resources are delivered via the network
- "x"aaS, i.e. "x" as a service, e.g. software, storage, processing etc.
- Goal is to achieve resourcefulness and efficiency via computing economies of scale
- Examples: Amazon, Apple, Google etc.
For next week...
READ (lecture 3): M. Handley. 2006. Why the Internet only just works. BT Technology Journal 24, 3 (July 2006), 119-129. DOI=10.1007/s10550-006-0084-z http://dx.doi.org/10.1007/s10550-006-0084-z
READ (lecture 4): Van Jacobson, Diana K. Smetters, James D. Thornton, Michael F. Plass, Nicholas H. Briggs, and Rebecca L. Braynard. 2009. Networking named content. In Proceedings of the 5th international conference on Emerging networking experiments and technologies (CoNEXT '09). ACM, New York, NY, USA, 1-12. DOI=10.1145/1658939.1658941 http://doi.acm.org/10.1145/1658939.1658941
Thank you for your attention! Questions? Comments?