
How to use DNS during the evolution of ICN? Zhiwei Yan.



Presentation transcript:

1 How to use DNS during the evolution of ICN? Zhiwei Yan

2 Outline
1 Background
2 Content Naming
3 Content Management
4 Content Addressing
5 Analysis & Conclusions


4 DNS: Domain Name System
DNS is used to locate resources in the Internet: it maps names to resource records such as IP addresses.

5 DNS: Resource Record
30 years of development, >5 million DNS servers, >100 RFCs, >30 available RR types.
http://en.wikipedia.org/wiki/List_of_DNS_record_types
http://www.webhosting.info/domains

6 DNS: DNSSEC 1
[Figure: DNS data flow. The zone administrator edits the zone file, which also receives dynamic updates; the master loads the zone and transfers it to the slaves; a caching forwarder queries the authoritative servers on behalf of the resolver; registry/registrar provisioning feeds the zone. The points numbered 1 to 5 in the figure are the places where the next slide locates the attacks.]

7 DNS: DNSSEC 2
DNS vulnerabilities, placed on the data flow of the previous figure:
- Corrupting data
- Impersonating master
- Unauthorized updates
- Cache impersonation
- Cache pollution by data spoofing
- Altered zone data

8 DNS: DNSSEC 3
DNSSEC provides data origin authentication and integrity for this data flow: resource records (for example, example.com A 10.8.0.1) are signed, so a validating resolver can detect altered or spoofed data. It does not provide confidentiality.
Among the 316 TLDs in the root zone, 110 TLDs have been signed and many others are planning to do so.
http://stats.research.icann.org/dns/tld_report/

9 DNS: DANE
Authentication of DNS names for TLS (Transport Layer Security) endpoints is a core security challenge in many Internet protocols, most famously HTTP (Hypertext Transfer Protocol). The DANE (DNS-based Authentication of Named Entities) working group in the IETF is developing protocols that allow certificates to be bound to DNS names using DNSSEC. The RR type is TLSA. Currently there are many open source implementations of the DANE protocol, and Google has implemented a DANE client in its Chrome browser.
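The TLSA record is the piece of DANE that the rest of the talk builds on, so here is what one looks like in practice. The following is an added example, not code from the presentation or from any DANE implementation: it builds the record data for a certificate (usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256, the usual choice), prints the zone-file form, and performs the match a client does against the presented certificate. The certificate is a constructed DER skeleton with the real X.509 field layout but no valid signature, so the example runs offline with the standard library; the owner name `_443._tcp.example.com` is likewise an assumption.

```python
"""Build and check DANE TLSA records (RFC 6698) for a DER certificate.

Added example; it is not part of the presentation. Only the standard library
is used. The 'certificate' is a constructed, unsigned DER skeleton with the
real X.509 field layout, so SPKI extraction and record matching run offline.
"""
import hashlib
import hmac

SEQUENCE, INTEGER, BIT_STRING, NULL, OID, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0xA0

def der_encode(tag, content):
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_read(buf, pos=0):
    """Read the TLV at pos; return (tag, content, position after the TLV)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nb = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Elements of a constructed value as (tag, content, raw TLV bytes)."""
    out, pos = [], 0
    while pos < len(content):
        start = pos
        tag, val, pos = der_read(content, pos)
        out.append((tag, val, content[start:pos]))
    return out

def extract_spki(cert_der):
    """Return the raw subjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_children(cert)[0]
    fields = der_children(tbs)
    idx = 6 if fields[0][0] == CTX0 else 5  # skip the explicit version if present
    tag, _, raw = fields[idx]
    if tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo not found")
    return raw

def tlsa_rdata(cert_der, usage=3, selector=1, matching=1):
    """TLSA rdata: usage | selector | matching type | certificate association data.

    selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    matching 0 = exact data, 1 = SHA-256, 2 = SHA-512.
    """
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:
        assoc = data
    elif matching == 1:
        assoc = hashlib.sha256(data).digest()
    elif matching == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return bytes([usage, selector, matching]) + assoc

def tlsa_presentation(rdata):
    """Zone-file form of the rdata, e.g. '3 1 1 <hex>' (DANE-EE, SPKI, SHA-256)."""
    return f"{rdata[0]} {rdata[1]} {rdata[2]} {rdata[3:].hex()}"

def tlsa_matches(rdata, cert_der):
    """Recompute the association data for this certificate and compare."""
    expected = tlsa_rdata(cert_der, rdata[0], rdata[1], rdata[2])
    return hmac.compare_digest(expected, rdata)

def dane_ee_accept(records, leaf_der, dnssec_validated):
    """Accept the leaf certificate if a DANE-EE (usage 3) record matches it.

    Records must come from a DNSSEC-validated answer, otherwise the whole
    check is worthless; usages 0-2 need PKIX chain handling and are ignored.
    """
    if not dnssec_validated:
        return False
    return any(r[0] == 3 and tlsa_matches(r, leaf_der) for r in records)

def build_demo_cert(key_bytes):
    """Constructed certificate skeleton (layout only, no valid signature)."""
    rsa_alg = der_encode(SEQUENCE, der_encode(OID, bytes.fromhex("2a864886f70d010101"))
                         + der_encode(NULL, b""))
    spki = der_encode(SEQUENCE, rsa_alg + der_encode(BIT_STRING, b"\x00" + key_bytes))
    tbs = der_encode(SEQUENCE,
                     der_encode(CTX0, der_encode(INTEGER, b"\x02"))  # version v3
                     + der_encode(INTEGER, b"\x01")                 # serialNumber
                     + rsa_alg                                       # signature alg
                     + der_encode(SEQUENCE, b"")                     # issuer (empty)
                     + der_encode(SEQUENCE, b"")                     # validity (empty)
                     + der_encode(SEQUENCE, b"")                     # subject (empty)
                     + spki)
    cert = der_encode(SEQUENCE, tbs + rsa_alg + der_encode(BIT_STRING, b"\x00" * 9))
    return cert, spki

if __name__ == "__main__":
    cert, _ = build_demo_cert(b"\xab" * 32)
    print("_443._tcp.example.com. IN TLSA", tlsa_presentation(tlsa_rdata(cert)))
```

Two practical points the code makes explicit: the match is only meaningful when the TLSA answer was DNSSEC-validated (the `dnssec_validated` flag stands for the AD bit or local validation), and a record for a different key, or with an unusable usage, must simply fail rather than fall back to something weaker.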


11 Naming
Two schemes: 1) Flat: security; 2) Hierarchical: scalability.
Goals: scalable, secure, readable.
Content naming: hierarchical path : public key
Example: cn/sina/nba/11-20/match.avi:ALG|0xf01212099abcab678ac345


13 Management
In each domain, a CMA (Content Management Anchor) is deployed.
1) The binding between a CMA and its content prefix is stored in DNS as an A/AAAA record: Content-Prefix—A/AAAA—TTL—IP-of-CMA
2) The binding between a resource (content name) and its location is stored in the CMA.


15 Addressing: CCN (Interest)
A parameter like a TTL (hop limit) is carried in the Interest. At each hop:
Hop limit = Hop limit - 1
If Hop limit = 0: DNS resolution (resolve the content prefix to the CMA, then ask the CMA for the location)
else: flooding
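The two slides above (the CMA binding in DNS and the hop-limited Interest) together describe one procedure, so here it is end to end as an added example; it is not code from the presentation and does not model a CCN forwarder faithfully. The six-node topology, the content placement, the DNS "zone" (Content-Prefix to CMA address) and the CMA tables are all constructed; the 10.8.0.x addresses are assumptions. The simulation also counts the Interest copies sent, which is the signaling cost the later scalability slides reason about.

```python
"""Simulate the DNS-assisted CCN Interest forwarding of the slides above.

Added example, not from the presentation. Topology, content placement, the
DNS zone and the CMA tables are constructed stand-ins: the zone dict plays the
A/AAAA lookup of the Content-Prefix, the CMA dict the CMA's location store.
"""
from collections import deque

# Constructed topology: node -> neighbours (a ring of six nodes).
TOPOLOGY = {
    "n0": ["n1", "n5"], "n1": ["n0", "n2"], "n2": ["n1", "n3"],
    "n3": ["n2", "n4"], "n4": ["n3", "n5"], "n5": ["n4", "n0"],
}
# Constructed: which nodes currently hold which content (source or cache).
CONTENT_AT = {"n3": {"cn/sina/nba/11-20/match.avi"}, "n5": {"cn/sina/news/a.txt"}}
# Constructed DNS zone: Content-Prefix -> IP of the CMA (the A record of slide 13).
DNS_ZONE = {"cn/sina/nba": "10.8.0.1", "cn/sina/news": "10.8.0.2"}
# Constructed CMA tables keyed by CMA address: content name -> node holding it.
CMA_TABLE = {"10.8.0.1": {"cn/sina/nba/11-20/match.avi": "n3"},
             "10.8.0.2": {"cn/sina/news/a.txt": "n5"}}

def longest_prefix(name):
    """Longest match of the name's path components against the DNS zone."""
    parts = name.split("/")
    for i in range(len(parts) - 1, 0, -1):
        prefix = "/".join(parts[:i])
        if prefix in DNS_ZONE:
            return prefix
    return None

def flood(start, name, hop_limit):
    """Breadth-first flooding of one Interest. Returns (hit node, Interests sent).

    Every forwarded copy carries hop_limit minus the hops travelled; a node that
    holds the content answers, and a copy whose hop limit reached 0 is not
    forwarded any further (slide 15: at that point DNS resolution takes over).
    """
    seen = {start}
    queue = deque([(start, hop_limit)])
    sent = 0
    while queue:
        node, ttl = queue.popleft()
        if name in CONTENT_AT.get(node, ()):
            return node, sent
        if ttl == 0:
            continue
        for nb in TOPOLOGY[node]:
            if nb not in seen:
                seen.add(nb)
                sent += 1
                queue.append((nb, ttl - 1))
    return None, sent

def resolve_via_dns(name):
    """Fallback: Content-Prefix -> CMA address (DNS), then name -> location (CMA)."""
    prefix = longest_prefix(name)
    if prefix is None:
        return None
    return CMA_TABLE[DNS_ZONE[prefix]].get(name)

def address_content(start, name, hop_limit):
    """Whole procedure: flood within hop_limit, then DNS + CMA resolution on a miss."""
    node, sent = flood(start, name, hop_limit)
    if node is not None:
        return {"source": node, "method": "flooding", "interests": sent}
    return {"source": resolve_via_dns(name), "method": "dns", "interests": sent}

if __name__ == "__main__":
    for h in (1, 2, 3):
        print(h, address_content("n0", "cn/sina/nba/11-20/match.avi", h))
```

Running the demo shows the trade-off the analysis slides quantify: a small hop limit caps the number of Interest copies but pays one DNS resolution plus a CMA lookup whenever the content is not nearby, while a larger hop limit finds nearby copies without any resolution at the price of more signaling.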

16 Addressing: CCN (Data)
Match the name with the TLSA record.
Verify the content with the public key carried in the name.
A trade-off issue here is who performs the check:
If the check is done by the router: DoS attack (verification load on routers)
If the check is done by the client: client load


18 Analysis - Security
Security dependency for the name cn/sina/nba/11-20/match.avi:ALG|0xf01212099abcab678ac345:
The public key in the name is matched against the DANE TLSA record for the content prefix (Match?); the TLSA record is protected by DNSSEC; the content is signed by the corresponding private key, so the verified content source is matched against the name (Match?).
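To make the dependency chain concrete, here is the check a client would run on one Data packet, written as an added example (not code from the presentation). Assumptions: the hex after `ALG|0x` is the SHA-256 fingerprint of the publisher's public key (the slides do not say whether the name carries the key itself or a digest of it); the Data packet carries the public key and a signature over the content; the TLSA record for the prefix arrives from a DNSSEC-validating resolver, represented by a constructed dict with a `validated` flag; and the signature scheme is textbook RSA over three Mersenne primes, a toy used only so that the chain runs with the standard library. Every link is reported separately, so a failure shows which binding broke.

```python
"""Walk the security chain of slide 18 for one Data packet.

Added example; it is not part of the presentation. The key fingerprint in the
name, the packet layout, the TLSA dict and the toy RSA scheme are all
assumptions of this example. The signature scheme is NOT secure.
"""
import hashlib
import hmac

ALG = "TOY-RSA-SHA256"

def toy_keypair():
    """Constructed key pair; the ~323-bit modulus is large enough to hold a SHA-256."""
    p, q, r = (1 << 127) - 1, (1 << 107) - 1, (1 << 89) - 1   # Mersenne primes
    n, e = p * q * r, 65537
    d = pow(e, -1, (p - 1) * (q - 1) * (r - 1))
    return (n, e), d

def key_fingerprint(pubkey):
    """SHA-256 over n||e: the cryptographic part embedded in the content name."""
    n, e = pubkey
    return hashlib.sha256(n.to_bytes(64, "big") + e.to_bytes(4, "big")).digest()

def sign(content, d, pubkey):
    """Toy signature: RSA on the raw SHA-256 of the content (no padding)."""
    n, _ = pubkey
    return pow(int.from_bytes(hashlib.sha256(content).digest(), "big"), d, n)

def verify(content, sig, pubkey):
    n, e = pubkey
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(content).digest(), "big")

def make_name(path, pubkey):
    """hierarchical-path:ALG|0x<fingerprint>, the naming format of slide 11."""
    return f"{path}:{ALG}|0x{key_fingerprint(pubkey).hex()}"

def parse_name(name):
    path, _, crypto = name.rpartition(":")
    alg, _, fp_hex = crypto.partition("|0x")
    return path, alg, bytes.fromhex(fp_hex)

def tlsa_for(path, tlsa_by_prefix):
    """Longest-prefix lookup of the TLSA record published for the content prefix."""
    parts = path.split("/")
    for i in range(len(parts) - 1, 0, -1):
        rec = tlsa_by_prefix.get("/".join(parts[:i]))
        if rec is not None:
            return rec
    return None

def check_chain(name, data, tlsa_by_prefix):
    """Run every link of the chain and report which ones held."""
    path, alg, fp = parse_name(name)
    fp_now = key_fingerprint(data["pubkey"])
    rec = tlsa_for(path, tlsa_by_prefix)
    res = {
        "alg_known": alg == ALG,
        # the key delivered with the Data is the key the name commits to
        "key_in_name": hmac.compare_digest(fp_now, fp),
        # a TLSA record exists for the prefix and passed DNSSEC validation
        "tlsa_validated": rec is not None and bool(rec["validated"]),
        # its association data (usage 3, selector 1, matching 1 here) binds the same key
        "tlsa_match": rec is not None and hmac.compare_digest(rec["rdata"][3:], fp_now),
        # the content was really signed by the holder of that key
        "signature": verify(data["content"], data["sig"], data["pubkey"]),
    }
    res["ok"] = all(res.values())
    return res

if __name__ == "__main__":
    pub, priv = toy_keypair()
    content = b"constructed payload of match.avi"
    name = make_name("cn/sina/nba/11-20/match.avi", pub)
    data = {"content": content, "pubkey": pub, "sig": sign(content, priv, pub)}
    zone = {"cn/sina/nba": {"validated": True,
                            "rdata": bytes([3, 1, 1]) + key_fingerprint(pub)}}
    print(name)
    print(check_chain(name, data, zone))
```

The point of reporting each link is that the chain is only as strong as its weakest binding: a name whose key is not the one DNS (under DNSSEC) vouches for, or a TLSA answer that was not validated, must fail even when the signature itself verifies, because an attacker can always sign content with a key of their own choosing.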

19 Analysis – Scalability 1
Analysis model. To simplify the analysis, we make the following assumptions:
1. Nodes are distributed uniformly across the network.
2. The zone radius of every node in the network is the same.
3. The overhead induced by state maintenance is not considered.
The number of nodes in the i-hop range is
The average hit probability during every hop is
* R is used to estimate the area of the network, N is the total number of nodes in the network.

20 Analysis – Scalability 2
1. When the Interest can be met within the H-hop range, the cost of the proposed scheme is
* α is the signaling message cost per node per Interest message
2. When the Interest cannot be met in the H-hop range, DNS resolution is triggered after the H-th hop of flooding, and then the cost is
* C_DNS denotes the DNS resolution cost

21 Analysis – Stability
In order to reduce the querying latency, the source in the current CCN may need to flood its prefix information to the network. When the source node moves, this causes a high failure probability because the recorded FIB information becomes invalid. Our scheme, however, can reduce the flooding range for the mobile source and support its mobility with the help of DNS dynamic update.
For fairness, we assume that the Interest message has to be met before the (H+1)-hop flooding. In the current CCN scheme, the prefix information has to be broadcast to the (R-H)-hop range, whereas our scheme only needs the DNS update. Then their stability ratio is

22 Analysis – Security
In our scheme, the key is an essential part of the name, so the name is no longer a pure human-readable string but includes a cryptographic part.
1. The public key is contained directly in the name, which poses a challenge to usability, since humans cannot understand or remember it.
2. Any move of the content may require reworking the name.
3. Cryptographic algorithm upgrades will result in name changes, and careful engineering is required to manage their usability implications.

23 Conclusions
DNS based ICN:
Security: establishes the complete security chain for content addressing.
Stability: supports the mobility of the content source.
Scalability: limits the signaling cost during content addressing.
Shortcoming: poses a challenge to usability due to the public key in the name.

24 Thank you for your attention.




