Download ppt - Computer Science Division - University of California, Berkeley

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
page
57
page
58
page
59
page
60
Document related concepts

Net bias wikipedia , lookup

Low-voltage differential signaling wikipedia , lookup

CAN bus wikipedia , lookup

Deep packet inspection wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Internet protocol suite wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

IEEE 1355 wikipedia , lookup

UniPro protocol stack wikipedia , lookup

Transcript 
CS 268: Lecture 24
Internet Architectures:
i3, DOA, HIP,…
Scott Shenker and Ion Stoica
Computer Science Division
Department of Electrical Engineering and Computer Sciences
University of California, Berkeley
Berkeley, CA 94720-1776
Outline
 Internet Indirection Infrastructure (i3)
• Design comparison
–
–
–
–
Host Identity Protocol
i3
Semantic Free References (SFR)
Delegation Oriented Architecture (DOA)
• Another view of indirection/delegation
2
Motivations
• Today’s Internet is built around a unicast point-to-point
communication abstraction:
– Send packet “p” from host “A” to host “B”
• This abstraction allows Internet to be highly scalable
and efficient, but…
• … not appropriate for applications that require other
communications primitives:
–
–
–
–
–
Multicast
Anycast
Mobility
Service composition (Middleboxes)
…
3
Why?
• Point-to-point communication  implicitly
assumes there is one sender and one receiver,
and that they are placed at fixed and well-known
locations
– E.g., a host identified by the IP address 128.32.xxx.xxx
is located in Berkeley
4
IP Solutions
• Extend IP to support new communication
primitives, e.g.,
– Mobile IP
– IP multicast
– IP anycast
• Disadvantages:
– Difficult to implement while maintaining Internet’s
scalability (e.g., multicast)
– Require community wide consensus -- hard to achieve
in practice
5
Application Level Solutions
• Implement the required functionality at the
application level, e.g.,
– Application level multicast (e.g., Fastforward,
Narada, Overcast, Scattercast…)
– Application level mobility
• Disadvantages:
– Efficiency hard to achieve
– Redundancy: each application implements the
same functionality over and over again
– No synergy: each application implements usually
only one service; services hard to combine
6
Key Observation
• Virtually all previous proposals use indirection!
“Any problem in computer science can
be solved by adding a layer of indirection”
7
Indirection is Everywhere!
DNS Server
“foo.org”
Home Agent
(IPhome,data)
foo.org IPfoo
IPhome IPmobile
IPfoo
(IPmobile,data)
(IPfoot,data)
DNS
IPfoo
Mobile IP
NAT Box
(IPnat:Pnat,data)
(IPM,data)
IPnat:Pnat IPdst:Pdst
Internet
(IPMIPR1)
(IPMIPR2)
(IPdst:Pdst,data)
IPdst
NAT
IPmofile
(IPR2,data)
(IPR1,data)
IPR1
IP Multicast
IPR2
8
Internet Indirection Infrastructure (i3)
Build an efficient indirection layer
on top of IP
• Use an overlay network to implement this layer
– Incrementally deployable; don’t need to change IP
Application
Indir.
TCP/UDP
layer
IP
9
Internet Indirection Infrastructure (i3)
• Each packet is associated an identifier id
• To receive a packet with identifier id, receiver R
maintains a trigger (id, R) into the overlay
network
data id
Sender
Receiver (R)
data R
id R
trigger
10
Service Model
• API
– sendPacket(p);
– insertTrigger(t);
– removeTrigger(t) // optional
• Best-effort service model (like IP)
• Triggers periodically refreshed by end-hosts
• ID length: 256 bits
11
Mobility
• Host just needs to update its trigger as it moves
from one subnet to another
Sender
id R2
R1
Receiver
(R1)
Receiver
(R2)
12
Multicast
• Receivers insert triggers with same identifier
• Can dynamically switch between multicast and
unicast
data id
Sender
data R1
id R1
Receiver (R1)
id R2
data R2
Receiver (R2)
13
Anycast
• Use longest prefix matching instead of exact
matching
– Prefix p: anycast group identifier
– Suffix si: encode application semantics, e.g., location
data p|a
Sender
data R1
p|s1 R1
p|s2 R2
Receiver (R1)
Receiver (R2)
p|s3 R3
Receiver (R3)
14
Service Composition: Sender Initiated
• Use a stack of IDs to encode sequence of
operations to be performed on data path
• Advantages
– Don’t need to configure path
– Load balancing and robustness easy to achieve
Transcoder (T)
data idT,id
Sender
data id
data T,id
idT T
data R
id R
Receiver (R)
15
Service Composition: Receiver
Initiated
• Receiver can also specify the operations to be
performed on data
data id
Sender
Firewall (F)
data R
data F,R
idF F
Receiver (R)
data idF,R
id idF,R
16
Outline
 Implementation
• Examples
• Security
• Architecture Optimizations
• Applications
17
Quick Implementation Overview
• i3 is implemented on top of Chord
• Each trigger t = (id, R) is stored on the node
responsible for id
• Use Chord recursive routing to find best
matching trigger for packet p = (id, data)
18
Routing Example
• R inserts trigger t = (37, R); S sends packet p = (37, data)
• An end-host needs to know only one i3 node to use i3
– E.g., S knows node 3, R knows node 35
S
2m-1 0
S
3
send(37, data)
20
7
7
Chord circle
3
35
41
41
20
37 R
37 R
trigger(37,R)
35
send(R, data)
R
R
19
Optimization #1: Path Length
• Sender/receiver caches i3 node mapping a specific
ID
• Subsequent packets are sent via one i3 node
[8..20]
[4..7]
data 37
[42..3]
Sender (S)
cache node
[21..35]
[36..41]
data R
37 R
Receiver (R)
20
Optimization #2: Triangular Routing
• Use well-known trigger for initial rendezvous
• Exchange a pair of (private) triggers well-located
• Use private triggers to send data traffic
[8..20]
[4..7]
37
data
[2] 30
2 S
Sender (S)
[42..3]
S
[30]
[21..35]
[36..41]
[2] R
37 R
data
R
2
[30]
30 R
Receiver (R)
21
Outline
• Implementation
 Examples
–
–
–
–
Heterogeneous multicast
Scalable Multicast
Load balancing
Proximity
22
Example 1: Heterogeneous
Multicast
• Sender not aware of transformations
S_MPEG/JPEG
send(R1, data)
send(id, data)
id_MPEG/JPEG S_MPEG/JPEG
Sender
(MPEG)
Receiver R1
(JPEG)
send((id_MPEG/JPEG, R1), data)
id
(id_MPEG/JPEG, R1)
id
R2
send(R2, data)
Receiver R2
(MPEG)
23
Example 2: Scalable Multicast
• i3 doesn’t provide direct support for scalable multicast
– Triggers with same identifier are mapped onto the same i3 node
• Solution: have end-hosts build an hierarchy of trigger of
bounded degree
(g, data)
g
x
g g
R1 R2
R2
(x, data)
x
R3
R3
x
R4
R1
R4
24
Example 2: Scalable Multicast
(Discussion)
Unlike IP multicast, i3
1. Implement only small scale replication  allow
infrastructure to remain simple, robust, and
scalable
2. Gives end-hosts control on routing  enable endhosts to
– Achieve scalability, and
– Optimize tree construction to match their needs, e.g.,
delay, bandwidth
25
Example 3: Load Balancing
• Servers insert triggers with IDs that have random suffixes
• Clients send packets with IDs that have random suffixes
send(1010 0110,data)
S1
1010 0010 S1
A
S2
1010 0101 S2
1010 1010 S3
S3
send(1010 1110,data)
B
1010 1101 S4
S4
26
Example 4: Proximity
• Suffixes of trigger and packet IDs encode the
server and client locations
S2
S3
S1
send(1000 0011,data)
1000 0010
1000 1010 S2
1000 1101 S3
S1
27
Example 5: Protection against DOS
Attacks
• Problem scenario: attacker floods the incoming
link of the victim
• Solution: stop attacking traffic before it arrives
at the incoming link
– Today: call the ISP to stop the traffic, and hope for
the best!
• Approach: give end-host control on what
packets they receive
– Enable end-hosts to stop the attacks in the network
28
Example 5: Why End-Hosts (and
not Network)?
• End-hosts can better react to an attack
– Aware of semantics of traffic they receive
– Know what traffic they want to protect
• End-hosts may be in a better position to
detect an attack
– Flash-crowd vs. DoS
29
Example 5: Some Useful Defenses
1. White-listing: avoid receiving packets on arbitrary
ports
2. Traffic isolation:
– Contain the traffic of an application under attack
– Protect the traffic of established connections
3. Throttling new connections: control the rate at
which new connections are opened (per sender)
30
Example 5: (1) White-listing
• Packets not addressed to open ports are dropped in
the network
– Create a public trigger for each port in the white list
– Allocate a private trigger for each new connection
IDR
data
[ID
P
S] ID
IDS S
Sender (S)
S
[IDR]
[IDS] R
IDP R
IDP – public trigger
data
R
IDS [IDR]
IDR R
Receiver (R)
IDS, IDR – private triggers
31
Example 5: (2) Traffic Isolation
• Drop triggers being flooded without affecting
other triggers
– Protect ongoing connections from new connection
requests
– Protect a service from an attack on another
services
Transaction server
Legitimate client
(C)
ID1 V
ID2 V
Victim (V)
Web server
Attacker
(A)
32
Example 5: (2) Traffic Isolation
• Drop triggers being flooded without affecting
other triggers
– Protect ongoing connections from new connection
requests
– Protect a service from an attack on another
services
Transaction server
Legitimate client
(C)
ID1 V
Victim (V)
Web server
Attacker
(A)
Traffic of transaction server
protected from attack on web server
33
Example 5: (3) Throttling New
Connections
• Redirect new connection requests to a gatekeeper
– Gatekeeper has more resources than victim
– Can be provided as a 3rd party service
Gatekeeper (A)
IDC C
Client (C)
X S
Server (S)
IDP A
34
Outline
• Internet Indirection Infrastructure (i3)
 Design comparison
 Host Identity Protocol
– i3
– Semantic Free References (SFR)
– Delegation Oriented Architecture (DOA)
• Another view of indirection/delegation
35
Host Identity Protocol (HIP)
• Provides:
– Fast mobility
– Multi-homing
– Support for different addressing schemes
• Transparent IPv4 to IPv6 migration
– Security
• Anonymity
• Secure and authenticate datagrams
36
HIP
• A public key used to identify an end-host
• A 128-bit host identity tag (HIT) used for
system calls
– HIT is a hash on public key
– Global scope
• A 32-bit local scope identifier (LSI) for IPv4
compatibility
HIT replaces IP address as a name
of a system
37
Protocol Stack
Process
Process
Transport
<IPaddr, port>
Transport
IP Layer
<IPaddr>
HIP Layer
IP Layer
<HIT, port>
<HIT>
<IPaddr>
38
How It Works?
HIT
Client app
DNS
library
DNS
Client app
send(HIT)
HIT=hash(P)
IPaddr
4-way authentication
Transport
HIP
daemon
send(HIT)
HIT
HIP layer
Transport
HIP
daemon
HIP Layer
IPaddr, P
send(IPaddr)
IPsec
send(IPaddr)
IPsec
39
Outline
• Internet Indirection Infrastructure (i3)
 Design comparison
– Host Identity Protocol
 i3
– Semantic Free References (SFR)
– Delegation Oriented Architecture (DOA)
• Another view of indirection/delegation
40
i3 Identifiers
• 256-bit IDs
• ID maps to another ID or to an (IPaddr:Port)
– (IPaddr:Port) points to an application layer demultiplexer
• ID can represent
– A host, flow, service, etc
ID can identify any entity
41
Protocol Stack
Process
local scope
Process
Transport
Transport
IP Layer
ID/<IPlocal, port>
<IPaddr, port>
<IPaddr>
i3 layer
(IPlocal->ID)
IP Layer
<ID>
<IPi3>
Sender specific
42
How It Works?
Receiver R
DNS
Client app
Client app
send(id)
Transport
Transport
i3
daemon
send(id)
i3 layer
i3 layer
send(IPi3)
IP
IPi3
id R
send(id)
IP
43
Outline
• Internet Indirection Infrastructure (i3)
 Design comparison
– Host Identity Protocol
– i3
 Semantic Free References (SFR)
– Delegation Oriented Architecture (DOA)
• Another view of indirection/delegation
44
Goal: Address DNS Limitations
• DNS names identify machines and organizations
not data
– Data cannot be easily moved
– Data cannot be easily replicated
• DNS names are brand names
– Political fighting
45
SFR Solution
• Use IDs instead of DNS name
• ID space is flat and IDs have no semantics
• A generalization of DNS
– Returns metadata instead of an IP address
• How to implement it?
– Use distributed hash-tables (DHTs)
46
Outline
• Internet Indirection Infrastructure (i3)
 Design comparison
– Host Identity Protocol
– i3
– Semantic Free References (SFR)
 Delegation Oriented Architecture (DOA)
• Another view of indirection/delegation
47
Delegation Oriented Architecture
(DOA)
• Supports:
– Mobility
– Multi-homing
• Integrate middle-boxes
• Security (through middle-boxes)
– Anonymity
– DoS
–…
48
An Old Naming Taxonomy
• Four kinds of network entities (Saltzer):
– Services (and data)
– Hosts (endpoints)
– Network attachment points
– Paths
• Should name each individually:
– Ignore paths (router involvement)
– IP addresses name attachment points
– Endpoint identifiers (EIDs) name hosts
– Service identifiers (SIDs) name services/data
49
Protocol Stack
Process
Process
Transport
<IPaddr, port>
IP Layer
<IPaddr>
SID↔EID
<SID>
Transport
<EID, port>
EID↔IP
<EID>
IP Layer
<IPaddr>
50
How It Works?
“DNS”
Client app
Client app
send(sid)
SID↔EID
eim = get(sid)
DHT
put(sid, eim)
put(eid, IP)
send(eim)
DOA
daemon
SID↔EID
Transport
Transport
put(eim, IPm)
send(eim)
EID↔IP
send(IPm)
IP
Middlebox (IPm)
EID↔IP
IP
51
Principles
• Don’t bind to lower-level IDs prematurely
– Host mobility and renumbering (HIP)
– Service and data migration
• Resolution of name need not point to object
itself, but can point to its delegate
– Resolution can point to intermediaries who
process packets on behalf of the named target
52
Naming (Indirection) Architecture
Requirements
1) There should be a layer in the protocol stack that
uses IDs not IP addresses
•
Mobility, multi-homing, replications, …
2) IDs should be able to name arbitrary objects
3) IDs should encode as little semantics as possible
4) End-points should be able to use indirection at
the ID level
•
Integrate middle boxes
53
How Many ID Layers?
•
•
•
•
HIP: one layer; IDs identify machines
SFR: one layer; IDs identify data
i3: one layer; IDs identify arbitrary objects
DOA: two layers
– EIDs identify machines
– SIDs identify everything else
54
Where is the Resolution IDIP Done?
•
•
•
•
SFR: above transport
HIP: below transport, at HIP layer
i3: in the infrastructure
DOA: above & below transport
– But IP address can be an intermediate point
55
Security Support?
• HIP:
– Authentication, data integrity
– Anonymity at transport layer
– Transport layer resistance to DoS attacks
• i3
– Anonymity at IP layer
– Some DoS defense at IP layer
– Everything else can be done though middle-boxes
• DOA
– Everything can be done through middle-boxes
56
Outline
• Internet Indirection Infrastructure (i3)
• Design comparison
–
–
–
–
Host Identity Protocol
i3
Semantic Free References (SFR)
Delegation Oriented Architecture (DOA)
 Another view of indirection/delegation
57
Another View of Indirection/Delegation
• Indirection point  point where control is
transferred from sender to receiver
– Translation/forwarding entry usually controlled by
receiver
58
End-host Empowerment
• Both the sender and receiver are able to
explicitly control the service-path
– Note: multiple indirection points possible
Internet
Middlebox 1
(M1)
M2
M3
M4
Receiver
Indirection point
(tussle boundary)
Sender
sender control
receiver control
59
Realization: i3 vs DOA
M2
M1
([idS1,idR], data)
i3
idM1 M1
idR [idM2,R]
idM2 S2
R
Internet
i3
Name resolution infrastructure (e.g., OpenDHT)
idS1
S1
idM1 M1
idR R
idS2
R
S2
([idS1,idS2], data)
idM2 M2
idR
idM2 idR
R
M1
DOA
Internet
M2
60
Related documents
Communication in Business
Communication in Business
Oral Communication - An-Najah National University
Oral Communication - An-Najah National University
International Management
International Management
HR Objectives - Econbus
HR Objectives - Econbus
Chapter 1 Glossary - Fundamentals of Business Communication 2012
Chapter 1 Glossary - Fundamentals of Business Communication 2012
What is Communication?
What is Communication?
Successful Communication
Successful Communication
Communication Process
Communication Process
ITS_11_Business Ethics and Multicultural Communication
ITS_11_Business Ethics and Multicultural Communication
Basic Communication Theory
Basic Communication Theory