Literature Review on Security of Named Data Networking

Wei Xiaolei

Computer Science College, Inner Mongolia University,

Hohhot, China

ABSTRACT

Nowadays, our network architecture is based on TCP/IP. However, TCP/IP has many disadvantages and limitations. Since our existing network architecture, TCP/IP, uses IP addresses to locate the source host and the destination host, its security cannot be guaranteed well. Thus, Zhang Lixia's team at the University of California, Los Angeles, is researching and developing a new type of network architecture, called Named Data Networking (NDN). Due to the inherent nature of its caching and forwarding policy, NDN can assure security to a great degree. But these properties also bring out some new security issues. Our research is about security in Named Data Networking.

KEY WORDS: Security; NDN; DoS; Cache Snooping

1. INTRODUCTION

At the beginning of the design of TCP/IP, the designers mainly thought about how to connect existing networks, as Clark articulated in [1]. They intended to design an end-to-end communication mode connecting the source host and the destination host, which Clark elaborated in [2]. But in today's network, connecting existing networks is no longer the main purpose. Nowadays, people care more about how to retrieve and distribute information via the network, and less about where to get it from. TCP/IP is based on location, which depends on IP addresses. Thus, if people want to retrieve information, they must first locate it, knowing where to get it from. To achieve this goal, we must spend much on network bandwidth, network latency, appliance deployment, and so on. In spite of this, we still cannot achieve good performance. The appearance of NDN resolves these problems perfectly. Since NDN is based on three structures, the Pending Information Table (PIT), the Content Store (CS) and the Forwarding Information Base (FIB) [3], rather than on IP addresses, communication in NDN has a new mode. We can retrieve information from a nearby location, if the information has been stored there, rather than getting it from the source host, which is the communication mode of the end-to-end architecture. Through this method, communication performance is improved greatly. But this type of store-and-forward method also brings out some new security issues. Attackers can exploit these disadvantages to carry out attacks.

2. DENIAL OF SERVICE

Since NDN forwards packets as Interest and Data, records Interests in the PIT, and stores Data in the CS, consumers don't need to retrieve information from the provider if some intermediate node holds the same information. However, if no intermediate node has this information, the consumer must get it from the provider.

Due to this property, attackers can easily carry out a type of attack called Denial of Service (DoS). An attacker can pretend to be a consumer and send large numbers of different Interests, all sharing the same prefix, towards one provider. Quickly, the provider will be overwhelmed by the flood of Interests. The bandwidth will be used up. The PIT will be completely occupied. The provider is busy dealing with these requests and cannot serve the normal requests. Thereby, the DoS attack has formed.

3. COUNTERMEASURES AGAINST DENIAL OF SERVICE [4]

To relieve this type of attack, we can count Interest packets in the intermediate nodes. If an intermediate node receives a lot of Interests that share the same prefix but are different packets, this node should take note that it may be under attack.

To protect itself, once an intermediate node has detected this kind of behaviour, it can limit the rate of the interfaces from which the probable attacker sends packets. If this is not enough, the intermediate node can even shut down the interface. Slowly, the provider will return to normal, and the attack aimed at this provider will be brought under control.
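The detection and rate-limiting countermeasure described in sections 2 and 3, as an added example that is not code from the paper or from the NDN project. A toy forwarder keeps a PIT and counts, per incoming face and per name prefix, how many distinct Interests are still unsatisfied; once a face exceeds a threshold it is only allowed a small budget per window, and after enough drops the face is closed. All thresholds, the name prefix `/provider`, the face names and the traffic are constructed for illustration.

```python
"""Toy NDN forwarder: detect an Interest flood (many distinct names under one
prefix, from one face, never satisfied by Data) and answer it with per-face
rate limiting and, as a last resort, shutting the face down.
Added example, not code from the paper; all values below are assumptions."""
from collections import defaultdict

PIT_CAPACITY = 50         # assumed: how many pending Interests the node can hold
PREFIX_DEPTH = 1          # assumed: count Interests by their first name component
SUSPECT_THRESHOLD = 20    # assumed: unsatisfied distinct names per (face, prefix) before limiting
RATE_LIMIT = 5            # assumed: Interests a suspect face may still forward per window
SHUTDOWN_THRESHOLD = 150  # assumed: drops from one face after which the face is shut down


def prefix_of(name):
    """Return the routable prefix of a name such as '/provider/video/42'."""
    parts = [p for p in name.split("/") if p]
    return "/" + "/".join(parts[:PREFIX_DEPTH])


class Forwarder:
    def __init__(self):
        self.pit = {}                                  # name -> incoming face (one face kept, for brevity)
        self.pending_by = defaultdict(set)             # (face, prefix) -> unsatisfied names
        self.forwarded_this_window = defaultdict(int)  # face -> Interests forwarded in this window
        self.dropped = defaultdict(int)                # face -> Interests dropped so far
        self.closed = set()                            # faces shut down for flooding

    def is_suspect(self, face, prefix):
        """A face is suspect once it has too many unsatisfied distinct names under one prefix."""
        return len(self.pending_by[(face, prefix)]) >= SUSPECT_THRESHOLD

    def on_interest(self, face, name):
        """Handle one Interest; return 'forwarded', 'aggregated', 'limited', 'pit_full' or 'closed'."""
        if face in self.closed:
            return "closed"
        if name in self.pit:                  # same name already pending: aggregate, no new entry
            return "aggregated"
        prefix = prefix_of(name)
        if self.is_suspect(face, prefix) and self.forwarded_this_window[face] >= RATE_LIMIT:
            self.dropped[face] += 1           # rate limit: the face used up its budget for this window
            if self.dropped[face] >= SHUTDOWN_THRESHOLD:
                self.closed.add(face)         # still flooding: shut the interface down
            return "limited"
        if len(self.pit) >= PIT_CAPACITY:     # PIT exhausted: nothing more can be forwarded
            return "pit_full"
        self.pit[name] = face
        self.pending_by[(face, prefix)].add(name)
        self.forwarded_this_window[face] += 1
        return "forwarded"

    def on_data(self, name):
        """Data satisfies the PIT entry, so the unsatisfied count for that face/prefix shrinks."""
        face = self.pit.pop(name, None)
        if face is not None:
            self.pending_by[(face, prefix_of(name))].discard(name)
        return face

    def new_window(self):
        """Start a new rate-limiting window; pending counts are kept, per-window budgets reset."""
        self.forwarded_this_window.clear()


def simulate():
    """Two windows of constructed traffic: a consumer whose Interests are satisfied,
    and a flooding face sending 100 distinct, never-satisfied names per window."""
    fwd = Forwarder()
    outcomes = defaultdict(lambda: defaultdict(int))

    def consumer_round(start):
        for i in range(start, start + 5):
            name = f"/provider/news/{i}"
            outcomes["consumer"][fwd.on_interest("consumer", name)] += 1
            fwd.on_data(name)                 # the provider answers, the PIT entry is consumed

    for window in range(2):
        consumer_round(window * 5)
        for i in range(window * 100, window * 100 + 100):
            outcomes["attacker"][fwd.on_interest("attacker", f"/provider/junk/{i}")] += 1
        fwd.new_window()
    return fwd, {face: dict(counts) for face, counts in outcomes.items()}


if __name__ == "__main__":
    forwarder, result = simulate()
    print(result, "closed faces:", forwarder.closed)
```

The consumer's Interests are always answered, so its unsatisfied count stays near zero and it is never limited, while the flooding face is allowed 20 entries before it becomes suspect, 5 more in the next window, and is then closed. Counting unsatisfied names rather than raw Interest volume is what keeps a popular but legitimate prefix from being mistaken for an attack.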

4. CACHE SNOOPING

When the Interest sent by the consumer arrives at the provider, the provider sends Data back to the consumer. When the Data passes through the intermediate nodes, the nodes along the route store the Data in their Content Store. Thus, the CS is filled with much important information, including some private information. However, this information has no protective measures. Any consumer who requests this information can retrieve it. An attacker can pretend to be a normal consumer and send Interests requesting this private information. When the Interest arrives at a node that has stored this information, the private information is transmitted back to the attacker. This type of attack, called cache snooping, causes privacy leaks.

5. COUNTERMEASURES AGAINST CACHE SNOOPING

To avoid suffering from cache snooping, we can use encryption. Using an encryption key, the provider encrypts the private information. The encrypted information is what gets stored along the route. In this case, only the consumer who has the decryption key can decrypt the information. In this way, we can assure that the important private information will not be let out.
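The cache snooping scenario of section 4 and the encryption countermeasure of section 5, as an added example that is not code from the paper. A toy Content Store serves whatever bytes it holds to any matching Interest; when the producer publishes plaintext, a snooping requester gets the record, and when the producer encrypts before publishing, the cache still serves the bytes but only the key holder can read them. Because Python's standard library has no AES, the cipher below is an assumed stand-in (SHA-256 keystream plus HMAC-SHA256 tag, encrypt-then-MAC) for the AEAD a real deployment would use; the names, the record and the keys are constructed.

```python
"""Toy NDN Content Store: cached Data is served to any requester, so a producer
must encrypt private content before it enters the network.
Added example, not code from the paper; the cipher is a stand-in for a real AEAD."""
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    """SHA-256 in counter mode: derive `length` pseudo-random bytes from key and nonce."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    """Derive separate encryption and MAC keys from one shared secret."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def encrypt(key, plaintext):
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first; a wrong key or a modified Data packet is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered Data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ContentStore:
    """An intermediate node's cache: Data that passed through is served to the next matching Interest."""

    def __init__(self):
        self.store = {}

    def insert(self, name, payload):
        self.store[name] = payload

    def on_interest(self, name):
        return self.store.get(name)


def publish(cs, name, plaintext, key=None):
    """The producer answers an Interest; every node on the path caches the Data it forwards."""
    payload = plaintext if key is None else encrypt(key, plaintext)
    cs.insert(name, payload)
    return payload


def fetch(cs, name, key=None):
    """A consumer (or a snooper) sends an Interest; a cache hit returns the cached bytes."""
    payload = cs.on_interest(name)
    if payload is None or key is None:
        return payload                      # without a key the requester gets the raw cached bytes
    return decrypt(key, payload)


def scenario():
    """Constructed: the same private record published in plaintext and encrypted."""
    cs = ContentStore()
    record = b"patient 4711: diagnosis pending, contact 555-0100"   # constructed sample
    publish(cs, "/hospital/records/4711", record)                    # case 1: plaintext Data
    leaked = fetch(cs, "/hospital/records/4711")                    # snooper's Interest hits the cache
    key = os.urandom(32)                                            # shared only with the target consumer
    publish(cs, "/hospital/records/4712", record, key)               # case 2: encrypted Data
    snooped = fetch(cs, "/hospital/records/4712")
    authorized = fetch(cs, "/hospital/records/4712", key)
    try:
        fetch(cs, "/hospital/records/4712", os.urandom(32))
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {
        "plaintext_leaked": leaked == record,
        "ciphertext_readable": record in snooped,
        "authorized_decrypts": authorized == record,
        "wrong_key_rejected": wrong_key_rejected,
    }


if __name__ == "__main__":
    print(scenario())
```

The cache behaves identically in both cases, which is the point: the countermeasure lives at the producer, not in the intermediate nodes. Encrypting the content does not hide the name in the Interest, so a snooper can still learn that `/hospital/records/4712` was requested, only not what it contains.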

6. CONCLUSION

The existing network architecture, TCP/IP, was designed to meet the demands of the twentieth century. It has many inherent disadvantages and limitations, which cannot adapt to the current requirements. The appearance of NDN resolves these problems perfectly. NDN uses a new caching and forwarding policy to retrieve and distribute information. This avoids some security issues that exist in location-based TCP/IP, but also brings out a lot of new security issues; DoS and cache snooping are two examples. To protect the network from DoS attacks, the intermediate nodes can detect this situation and limit the rate of their interfaces connecting to the probable attacker. To avoid cache snooping, the provider can encrypt the private information, so that only the target consumer who has the decryption key can decrypt it. In this way, security issues can be addressed properly, which makes the large-scale deployment of NDN possible.

7. REFERENCES

[1] David D. Clark, The design philosophy of the DARPA internet protocols, ACM SIGCOMM Computer Communication Review, 1988.

[2] Saltzer, J. H., Reed, D. P., Clark, D. D., End-to-end arguments in system design, ACM Transactions on Computer Systems, 1984.

[3] Van Jacobson, Diana K. Smetters, James D. Thornton, Michael F. Plass, Networking Named Content, in Proc. of CoNEXT, 2009.

[4] Tobias Lauinger, Security & Scalability of Content-Centric Networking, Master's thesis, TU Darmstadt, Schwetzingen, Germany, September 2010.
