How to use DNS during the evolution of ICN? Zhiwei Yan.


How to use DNS during the evolution of ICN? Zhiwei Yan

Outline: 1 Background; 2 Content Naming; 3 Content Management; 4 Content Addressing; 5 Analysis & Conclusions

1 Background

DNS: Domain Name System. DNS is used to locate resources in the Internet.

DNS: Resource Records. 30 years of development, >5 million DNS servers, >100 RFCs, >30 available RR types.

DNS: DNSSEC (1). [Figure: DNS data flow] The zone administrator edits the zone file, which also receives registry/registrar provisioning; dynamic updates and the zone file feed the master; the master transfers the zone to the slaves; the caching forwarder fetches answers from them and serves the resolver.

DNS: DNSSEC (2). DNS vulnerabilities. [Figure: the same data flow, annotated with where each attack applies] Corrupting data; impersonating the master; unauthorized (dynamic) updates; cache impersonation; cache pollution by data spoofing; altered zone data.

DNS: DNSSEC (3). DNSSEC provides data security. [Figure: the same data flow, with a signed example.com A record flowing from the zone file to the resolver] Among the 316 TLDs in the root zone, 110 TLDs have been signed and many others are planning to do so.

DNS: DANE. Authentication of DNS names for TLS (Transport Layer Security) endpoints is a core security challenge in many Internet protocols, most famously HTTP (Hypertext Transfer Protocol). The DANE (DNS-based Authentication of Named Entities) working group in the IETF is developing protocols that allow certificates to be bound to DNS names using DNSSEC. The resource record used is TLSA. Currently there are many open source implementations of the DANE protocol, and Google has implemented a DANE client in its Chrome browser.

2 Content Naming

Naming. Two schemes: 1) flat names: security; 2) hierarchical names: scalability. Goals: scalable, secure, readable. Content naming used here: hierarchical path : public key. Example: cn/sina/nba/11-20/match.avi:ALG|0xfabcab678ac345

3 Content Management

Management. In each domain, a CMA (Content Management Anchor) is deployed. 1) The binding between the CMA and the related content prefix is stored in DNS as: Content-Prefix — A/AAAA — TTL — IP-of-CMA. 2) The binding between a resource and its location is stored in the CMA.

4 Content Addressing

Addressing: CCN (Interest). A parameter like a TTL (hop limit) is carried in the Interest. At each hop: hop limit = hop limit - 1. If the hop limit = 0, DNS resolution is triggered; else, flooding continues.

Addressing: CCN (Data). Match the name with the TLSA record. Verify the content with the public key from the name. A trade-off issue here: if the check is done by the router, the router is exposed to DoS attack; if the check is done by the client, the client load increases.

5 Analysis & Conclusions

Analysis – Security. [Figure: security dependency chain] cn/sina/nba/11-20/match.avi:ALG|0xfabcab678ac345 → DANE: TLSA record, match? → the content is signed by the private key → DNSSEC → content source, match?
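The following is an added example, not code from the talk or from any ICN project. It models the content-name format of the naming slide, the prefix-to-CMA binding the management slide keeps in DNS, and the name/TLSA/key matching that the addressing and security-dependency slides rely on. Its assumptions: the DNS owner name of a content prefix is the prefix's path components in reverse order, a TLSA record sits at that same owner name, and the hex part of the name is a leading slice of the SHA-256 fingerprint of the publisher's key (the slide writes the algorithm label as ALG). All keys and DNS answers are constructed; the DNS dict stands in for DNSSEC-validated responses.

```python
# Added example (not code from the talk or any ICN project). Assumptions: the DNS
# owner name of a prefix is its path components reversed; a TLSA record sits at
# that owner name; the hex part of the name is a leading slice of the SHA-256
# fingerprint of the publisher's key. All records below are constructed.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentName:
    path: tuple    # hierarchical, human-readable part, e.g. ("cn", "sina", "nba", "11-20", "match.avi")
    alg: str       # algorithm label after ':' (the slide writes it as ALG)
    key_id: bytes  # cryptographic part after '|', decoded from its 0x... hex form


def parse_content_name(name: str) -> ContentName:
    """Split 'path:ALG|0xhex' into its three parts; reject names without the key part."""
    path_part, _, crypto_part = name.partition(":")
    alg, sep, hexid = crypto_part.partition("|")
    if not sep or not hexid.lower().startswith("0x"):
        raise ValueError("content name lacks the ':ALG|0x...' cryptographic part")
    return ContentName(tuple(path_part.split("/")), alg, bytes.fromhex(hexid[2:]))


def tlsa_rdata(usage: int, selector: int, mtype: int, assoc: bytes) -> bytes:
    """Encode TLSA RDATA as on the wire (RFC 6698 section 2.1): three octets + data."""
    return bytes([usage, selector, mtype]) + assoc


def tlsa_matches_key(rdata: bytes, pubkey: bytes) -> bool:
    """Apply the TLSA matching type to a presented public key (selector 1 = SPKI)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype, assoc = rdata[0], rdata[1], rdata[2], rdata[3:]
    if selector != 1:
        return False  # only the 'public key' selector is meaningful for content keys here
    if mtype == 0:
        return assoc == pubkey                           # Full
    if mtype == 1:
        return assoc == hashlib.sha256(pubkey).digest()  # SHA2-256
    if mtype == 2:
        return assoc == hashlib.sha512(pubkey).digest()  # SHA2-512
    return False  # unknown matching type: treat as no match


def longest_prefix_cma(path: tuple, dns: dict):
    """Longest-match the path's prefixes against the A records in DNS (the CMA binding)."""
    for k in range(len(path) - 1, 0, -1):       # the last component is the object, not a prefix
        owner = ".".join(reversed(path[:k])) + "."
        rec = dns.get(owner, {}).get("A")
        if rec:
            return path[:k], rec[0], rec[1]     # (prefix, IP-of-CMA, TTL)
    return None


def verify_chain(name: str, presented_key: bytes, dns: dict) -> dict:
    """Walk the security dependency chain for one name and one presented key."""
    cn = parse_content_name(name)
    cma = longest_prefix_cma(cn.path, dns)
    if cma is None:
        return {"ok": False, "why": "no CMA binding for any prefix"}
    prefix, cma_ip, ttl = cma
    tlsa = dns.get(".".join(reversed(prefix)) + ".", {}).get("TLSA")
    if tlsa is None or not tlsa_matches_key(tlsa, presented_key):
        return {"ok": False, "why": "TLSA record missing or does not vouch for this key", "cma": cma_ip}
    # The name's hex part must identify the same key that TLSA vouched for; otherwise a
    # valid record for a different publisher could be presented together with the name.
    fingerprint = hashlib.sha256(presented_key).digest()
    if cn.alg.upper() != "SHA256" or not fingerprint.startswith(cn.key_id):
        return {"ok": False, "why": "key id in the name does not match the key", "cma": cma_ip}
    # Verifying the content's own signature would now use presented_key with a real
    # signature library; that step is outside this example.
    return {"ok": True, "cma": cma_ip, "ttl": ttl, "prefix": "/".join(prefix)}


# Constructed sample data: a stand-in key and DNS answers assumed DNSSEC-validated.
PUBKEY = b"constructed publisher key bytes (not a real key)"
OTHER_KEY = b"constructed key of some other party"
FINGERPRINT = hashlib.sha256(PUBKEY).digest()
CONTENT_NAME = "cn/sina/nba/11-20/match.avi:SHA256|0x" + FINGERPRINT[:7].hex()
DNS = {
    "sina.cn.":     {"A": ("192.0.2.1", 3600)},
    "nba.sina.cn.": {"A": ("192.0.2.10", 300), "TLSA": tlsa_rdata(3, 1, 1, FINGERPRINT)},
}

if __name__ == "__main__":
    print(verify_chain(CONTENT_NAME, PUBKEY, DNS))      # ok: True, cma 192.0.2.10
    print(verify_chain(CONTENT_NAME, OTHER_KEY, DNS))   # ok: False
```

The check order matters: the TLSA match binds a key to the prefix via DNSSEC, and the fingerprint check then binds that key to the specific name, so a correct record for a different publisher under the same prefix does not validate a name it does not own.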

Analysis – Scalability (1). Analysis model. To simplify the analysis, we have made the following assumptions: 1. Nodes are distributed uniformly across the network. 2. The zone radius of every node in the network is the same. 3. The overhead induced by state maintenance is not considered. The number of nodes in the i-hop range is [formula]. The average hit probability during every hop is [formula]. * R is used to estimate the area of the network; N is the total number of nodes in the network.

Analysis – Scalability (2). 1. When the Interest can be met within the H-hop range, the cost of the proposed scheme is [formula]. * α is the signaling message cost per node per Interest message. 2. When the Interest cannot be met in the H-hop range, DNS resolution is triggered after the H-th hop of flooding, and then the cost is [formula]. * C_DNS denotes the DNS resolution cost.
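An added example (not from the talk) covering both the per-hop Interest rule of the addressing slide and the two-case cost comparison above. The talk's own formulas are not in this transcript, so the node-count and hit-probability expressions below are this example's assumptions, not the author's analysis: nodes are uniform on a disc of radius R hops, so the i-hop range holds N·(i/R)² of the N nodes, and each node holds the requested content independently with probability q. The parameters in the main block are constructed.

```python
# Added example (not from the talk). Assumed model: N nodes uniform on a disc of
# radius R hops (i-hop range holds N*(i/R)^2 nodes, capped at N); each node holds
# the content independently with probability q; flooding costs alpha per node
# reached; a DNS resolution costs C_DNS. The talk's own formulas are not here.


def next_action(hop_limit: int):
    """The addressing slide's rule at one hop: returns (action, remaining hop limit)."""
    hop_limit -= 1
    return ("dns" if hop_limit == 0 else "flood"), hop_limit


def trace_interest(hop_limit: int) -> list:
    """Replay the rule hop by hop until the DNS fallback fires."""
    actions = []
    while True:
        action, hop_limit = next_action(hop_limit)
        actions.append(action)
        if action == "dns":
            return actions


def nodes_within(i: int, n_nodes: int, radius: int) -> float:
    """Assumed uniform-disc model: nodes within i hops, capped at the whole network."""
    return n_nodes * min(1.0, (i / radius) ** 2)


def p_hit_within(i: int, n_nodes: int, radius: int, q: float) -> float:
    """Probability that at least one node within i hops holds the content."""
    return 1.0 - (1.0 - q) ** nodes_within(i, n_nodes, radius)


def expected_cost(hop_limit: int, n_nodes: int, radius: int, q: float,
                  alpha: float, c_dns: float) -> float:
    """Expected signaling cost: alpha per node reached by the flood (case 1), plus
    C_DNS when the flood reaches hop_limit without a hit (case 2)."""
    cost, p_prev = 0.0, 0.0
    for h in range(1, hop_limit + 1):
        p_now = p_hit_within(h, n_nodes, radius, q)
        cost += (p_now - p_prev) * alpha * nodes_within(h, n_nodes, radius)
        p_prev = p_now
    cost += (1.0 - p_prev) * (alpha * nodes_within(hop_limit, n_nodes, radius) + c_dns)
    return cost


def ccn_flood_cost(n_nodes: int, radius: int, q: float, alpha: float) -> float:
    """Plain CCN flooding with no DNS fallback: the flood may cover the whole network."""
    return expected_cost(radius, n_nodes, radius, q, alpha, 0.0)


def best_hop_limit(n_nodes: int, radius: int, q: float, alpha: float, c_dns: float) -> int:
    """The hop limit H that minimises expected cost for these parameters."""
    return min(range(1, radius + 1),
               key=lambda h: expected_cost(h, n_nodes, radius, q, alpha, c_dns))


if __name__ == "__main__":
    N, R, Q, ALPHA, C_DNS = 10_000, 20, 0.001, 1.0, 200.0   # constructed parameters
    print("CCN flooding only:", round(ccn_flood_cost(N, R, Q, ALPHA), 1))
    for H in (1, 2, 4, 8, 16, 20):
        print(f"H={H:2d}: expected cost {expected_cost(H, N, R, Q, ALPHA, C_DNS):8.1f}",
              "last hops:", trace_interest(H)[-3:])
    print("best H under this model:", best_hop_limit(N, R, Q, ALPHA, C_DNS))
```

Sweeping H shows the trade-off the slides describe: a small H keeps the flood cheap but pays C_DNS often, a large H approaches plain CCN flooding, and the useful H depends on how dense the content is (q) relative to the DNS resolution cost.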

Analysis – Stability. In order to reduce the querying latency, the source in the current CCN may need to flood its information to the network. When the source node moves, this causes a high failure probability because the recorded FIB information is invalid. However, our scheme can reduce the flooding range for the mobile source and support its mobility with the help of DNS dynamic update. For fairness, we assume that the Interest message has to be met before the (H+1)-hop flooding. In the current CCN scheme, the prefix information has to be broadcast to the (R-H)-hop range, whereas our scheme only needs the DNS update. Their stability ratio is then [formula].

Analysis – Security. In our scheme, the key is an essential part of the name, and the name is no longer a purely human-readable string but includes a cryptographic part. 1. The public key is directly contained in the name, which poses a challenge to usability, since humans cannot understand or remember it. 2. Any move of the content may require reworking the name. 3. Cryptographic algorithm upgrades will result in name changes, and careful engineering is required to manage their usability implications.

Conclusions: DNS-based ICN. Security: establishes the complete security chain for content addressing. Stability: supports the mobility of the content source. Scalability: limits the signaling cost during content addressing. Shortcoming: poses a challenge to usability due to the public key in the name.

Thank you for your attention.