CS 598 MCC – Advanced Internetworks
Transcript of CS 598 MCC – Advanced Internetworks
![Page 1: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/1.jpg)
CS 598 MCC – Advanced Internetworks
Future Internet Architecture: Locator-/Identifier-Split
Quirin [email protected]
![Page 2: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/2.jpg)
Significant?
• “The so-called identifier/locator split is recognized by the Internet Engineering Task Force (IETF) community as a next big change in the Internet architecture.” [Cisco Internet Protocol Journal, Volume 12, Nr 1]
![Page 3: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/3.jpg)
Outline
• Motivation: Shortcomings of the present Internet
• How the idea of a Loc/Id-Split can solve most of these
• Detailed look at two specific approaches
– LISP
– HIP
![Page 4: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/4.jpg)
Present system has lots of drawbacks
• IP address is used as Locator and as Identifier
– Results in a lot of problems, concerning:
• Mobility
• Scalability
• Security
• Addressing
• Multi-Homing
![Page 5: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/5.jpg)
Locator-/Identifier-Split
• An approach followed by many researchers right now
• Common idea is to use IP addresses as Locators and introduce a new concept of Identifiers.
• User actually connects to an Identifier
• Identifier typically carried in the packet between IP and Transport layer.
![Page 6: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/6.jpg)
Don’t get mixed up!
• The general research area of Locator/Identifier-Splits can also be meant by the acronym LISP
• LISP is also the name of one specific Loc/Id-Split approach
• I try to call the idea itself “Loc/Id-Split”
– Enough people angry at Cisco for interfering in their Google results for the LISP programming language ;)
![Page 7: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/7.jpg)
The concept of LocID-Split
[Figure: Host A and Host B; Host B has ID 00:00:0B and is reachable at locators IP B1 and IP B2]
![Page 8: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/8.jpg)
Host A connects to User/Host/Service/Content 00:00:0B
[Figure: Host A looks up ID 00:00:0B, which may stand for a user, host, service or content, e.g. [email protected], www.illinois.edu, stream://Class-stream.illinois.edu, content#f7839fd789]
![Page 9: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/9.jpg)
Host A connects to User/Host/Service/Content 00:00:0B
[Figure: the lookup answers with ID 00:00:0B]
![Page 10: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/10.jpg)
Host A connects to User/Host/Service/Content 00:00:0B
[Figure: the lookup answers with ID 00:00:0B]
Looks like DNS? No, the ID is actually used to establish the connection.
![Page 11: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/11.jpg)
Host A connects to User/Host/Service/Content 00:00:0B
[Figure: Host A opens a connection to ID 00:00:0B]
![Page 12: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/12.jpg)
So, how to send a packet to this “ID” 00:00:0B ?
[Figure: Host A opens a connection to ID 00:00:0B; the mapping/lookup of the Locator is where the approaches differ]
![Page 13: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/13.jpg)
This is where approaches differ: host-based / network-based / mixture
[Figure: Host A and Host B (ID 00:00:0B, locators IP B1, IP B2)]
Packet typically looks like this: an Identifier header sits between the IP header and the TCP/UDP header
![Page 14: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/14.jpg)
So, this looks complicated and like a lot of change?
• Change might be not that big (compare HIP implementations)
• Gains a lot of advantages!
![Page 15: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/15.jpg)
Mobility
• Your ID does not actually change if you connect somewhere else
– Right now it does most of the time, so your connections tear down
– LocID-Split enables you to keep your connections alive while you’re moving and changing IPs (since they are bound to your ID!)
![Page 16: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/16.jpg)
Multi-Homing, Failover, Traffic Engineering
[Figure: Host B (ID 00:00:0B) is multi-homed via IP B1 and IP B2; traffic is split 50% / 50%]
![Page 17: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/17.jpg)
Multi-Homing, Failover, Traffic Engineering
[Figure: the link to IP B1 gets cut; image from http://www.faqs.org/photo-dict/phrase/4243/toy-digger.html]
![Page 18: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/18.jpg)
Multi-Homing, Failover, Traffic Engineering
[Figure: Host B announces “Hey guys, please send packets to <ID> to IP B2 from now on!” Connections can stay alive.]
![Page 19: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/19.jpg)
Security
• IDs can be authenticated
– Able to provide true end-to-end security and identity
– Network-based authentication (LISP) vs. host-based authentication (HIP) vs. mixed (HiiMap)
– Approaches range from signing/encrypting each message to just validating the user ID on bootstrap
– Newer approaches use public keys as IDs or deposit them in the mapping system
![Page 20: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/20.jpg)
Specific approaches
• These were some of the advantages that can be gained, let’s have a look at specific approaches
![Page 21: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/21.jpg)
So, what are these various concepts?
• LISP – Cisco, IETF
• HIP – IETF
– LISP and HIP are rather evolutionary and aimed at practical use
![Page 22: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/22.jpg)
“LISP”
• Farinacci et al., first ideas in 2006
• Developed by Cisco, aiming to provide a fix to the routing table growth in a short time, with as little change as possible. [Hanka et al.]
• Network-only approach, aiming for quick deployment
![Page 23: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/23.jpg)
PI/PA Space
• Organizations want IP addresses to be static Identifiers of their services
– Want to keep their neat prefix (e.g. a /24 of provider-independent space) over multiple ISP changes
• ISPs want IP addresses to be a coherent block that gets traffic into their network
– Want to allocate all their customers out of one aggregate, e.g. a /8 prefix
– Solves the routing table growth problem
• Dual aims come from the dual use of IP as Locator and Identifier!
– Organizations want to be identified, ISPs want to make sure their IP ranges are routed to them
![Page 24: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/24.jpg)
Concept
• “LISP follows a network-based map-and-encapsulate scheme, this means no changes to hosts are needed, everything happens in the network. Also, in LISP, both identifiers and locators can be IP addresses or arbitrary elements like a set of GPS coordinates or a Mac address.” [lisp4.net]
![Page 25: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/25.jpg)
Why LISP was developed? (slide 25 of Cisco’s “LISP Overview”)
• LISP originally conceived to address Internet scaling
– What causes scaling issues?
• IP addresses denote both location and identity today
• Overloaded IP address semantic makes efficient routing impossible
• IPv6 does not fix this
– Why are scaling issues bad?
• Routers require gobs of expensive memory to hold the Internet routing table
• It’s expensive for network builders
• Replacing equipment for the wrong reason – to hold the routing table rather than to implement new features
• It’s not GREEN…
“… routing scalability is the most important problem facing the Internet today and must be solved …”
Internet Architecture Board (IAB), October 2006 Workshop (written up as RFC 4984)
![Page 27: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/27.jpg)
Reasons for growth
• Everyone wants PI space
• Multihoming
• Traffic Engineering
![Page 28: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/28.jpg)
![Page 29: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/29.jpg)
![Page 30: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/30.jpg)
![Page 31: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/31.jpg)
![Page 32: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/32.jpg)
![Page 33: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/33.jpg)
![Page 34: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/34.jpg)
So, what do we gain?
• Forwarding plane of core routers can be very small and efficient, as PI EID prefixes no longer have to be carried there
• Lookup namespace will be more complex, but it is not in the forwarding path
![Page 35: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/35.jpg)
LISP 1.x uses routable EIDs, LISP 2/3 do not. LISP 1.5 is better incrementally deployable!
![Page 36: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/36.jpg)
![Page 37: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/37.jpg)
![Page 38: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/38.jpg)
So, this ID-to-Locator lookup?
• Remember: LISP wants as few changes to the current architecture as possible
• Sounds like the weak point in these terms? (Scalability, Flexibility)
• “In particular, although the base LISP specification defines the format of messages to query the mapping system and to receive responses from that system, it makes no assumptions on the architecture of potential mapping systems. As a result, several mapping systems have been proposed [0,1,4,5,6,10].”
– Include DHTs [draft-hu-lisp-dht-00]
– “Several such databases have been proposed, among them: LISP-CONS [CONS], LISP-NERD [NERD] and LISP+ALT [ALT].” [draft-ietf-lisp-ms-06]
– LISP-ALT seems to be most popular right now
• Builds an overlay network with GRE tunnels and BGP announcements
• Basically provides a network architecture to route IDs to the correct ETR
– Could not find a proper discussion of why this is any better than the current infrastructure? FIXME
– (ID space not flat, still hierarchical, still prefixes announced via BGP?)
Aggregation!
![Page 39: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/39.jpg)
![Page 40: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/40.jpg)
![Page 41: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/41.jpg)
![Page 42: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/42.jpg)
Two similar problems out there
• DNS: Rate is very small, state possibly infinite
• BGP: Rate is significant, but state is smaller
– Think about which goals these databases follow
• DNS provides ID-to-IP mapping
– Not in the forwarding path, speed less critical → full pull
• BGP provides IP-to-Locator mapping
– Forwarding path, speed crucial → full push
• ID-to-Locator mapping is somewhere in between, but where?
![Page 43: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/43.jpg)
Available Schemes
• NERD, ALT, EMACS, CONS, DHTs…
• The amount of research in this field shows that this is one of the very big topics in Locator/Identifier-Split!
Problems with NERD?
• Remember LISP aims for O(10^10) hosts
[LISP Tutorial IETF Vancouver Dec 2007]
![Page 46: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/46.jpg)
LISP-ALT: “Alternative Topology”
• The most popular approach, used within the global test network
• Uses a network of routers running BGP over GRE tunnels to build this “alternative topology”
• ETRs announce their EID prefixes
• Massive use of aggregation to achieve small routing tables
![Page 47: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/47.jpg)
LISP-Alt: Details
• Still, ETRs are responsible for the EID-to-Locator mapping
• The ALT topology only provides the knowledge of which router owns which EID prefix
• ITRs send Map-Requests into ALT, ALT forwards them to the correct router
• That router sends the answer (Map-Reply) straight back to the ITR
– Data probes: the first data packet itself can be forwarded through ALT as an implicit Map-Request
![Page 48: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/48.jpg)
![Page 49: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/49.jpg)
![Page 50: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/50.jpg)
Why is ALT used?
• Remember, LISP aims for fast implementation while reducing the routing table size
– Uses BGP and GRE, technologies widely in use
– Decentralized
– Very good for incremental deployment
• Though, in my opinion, not an option for global-scale deployment
![Page 51: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/51.jpg)
LISP-DHT
• Follows main assumption: “A domain must be able to control the server that provides the authoritative mappings for the identifiers allocated to its hosts.” [LISP-DHT]
• Adapted Chord to meet this criteria
![Page 52: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/52.jpg)
LISP-DHT using Chord
• EID is directly used as Chord ID
– Redundancy?
• Usually handled by duplicating entries to neighbours, though not acceptable here
• Extended Chord to handle several entities behind one ID, identified by an <EID, RLOC> tuple
![Page 53: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/53.jpg)
LISP-DHT using Chord
• DHTs usually require a node to join, build adjacencies etc. before it can do a lookup. Obviously, not every node can join the DHT and carry load.
– Concept of “stealth nodes”, which only look up but do not announce themselves
– Neat integration of security, by letting only authenticated nodes actually join the DHT
– Security concept based on certificates proposed
![Page 54: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/54.jpg)
LISP-DHT Summary
• Full pull approach, yet very fast by using DHTs
• Fully automatic, not error-prone
• Highly scalable
• Authority and full control of entries within the administrative boundaries of the EID prefix owner
![Page 55: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/55.jpg)
![Page 56: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/56.jpg)
Evaluation
• [Evaluating the Benefits of the Locator/Identifier Separation, Bruno Quoitin, Luigi Iannone, Cédric de Launois, Olivier Bonaventure, ACM MobiArch 07]
• FIBs reduced to a few thousand entries
• Path redundancy at least doubled
• “BGP paths cannot be more than 2 since the simulated dual-homed stubs only receive one BGP route for each destination prefix from each provider.”
![Page 57: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/57.jpg)
LISP advantages
• Improved routing scalability
• BGP-free multihoming in active-active configuration
• Address family traversal: IPv4 over IPv4, IPv4 over IPv6, IPv6 over IPv6, IPv6 over IPv4
• Inbound traffic engineering
• Mobility
• Simple deployability
• No host changes are needed
[http://en.wikipedia.org/wiki/Locator/Identifier_Separation_Protocol]
![Page 58: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/58.jpg)
What else can LISP be used for?
• Scaling Internet core routing tables
• Low-OpEx active-active multi-homing for Enterprises
• Low-OpEx active-active multi-homing for ISPs
• Provider independence (avoids site renumbering)
• Data Center mobility of Virtual Machines (VMs)
• Data Center Server Load Balancing (SLB) enhancement
• A/V Truck Roll (Broadcasting industry)
• L2 or L3 VPNs with or without parallelism
• Slow hand-set mobility in localized regions
• Better residential multi-homing
• IPv6-only site connectivity over the existing (IPv4) Internet
• Movement/reallocation of Cloud Computing Resources
Slide from Cisco’s “LISP Overview”
![Page 59: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/59.jpg)
Global LISP Testbed
• Total of 106 boxes, 18 countries
• Operated by Google, Facebook, MSN, Cisco, Deutsche Bank, Level3, Microsoft, T-Labs
• [lisp4.net]
![Page 60: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/60.jpg)
Short Wrap-up of LISP
• Network-based, no changes to hosts whatsoever
• Quick, incremental deployment
• Fix for routing table growth, multi-homing, traffic engineering
• Available in Cisco IOS, open source solutions, global testbed available
• IETF, Cisco, UPC
![Page 61: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/61.jpg)
HIP
• Developed at the IETF since 1999; the base protocol was published as Experimental RFC 5201 in 2008
• Inserts a cryptographic namespace between the Transport and Network layer
• No changes needed in applications or routers (changes reside in the network stack of the host)
• Provides many more features than LISP
• Aims for security, mobility, multi-homing
![Page 62: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/62.jpg)
Achievements
• Mobility
• Multi-Homing
• Security
• NAT / IPv4 / IPv6 traversal
![Page 63: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/63.jpg)
Identifiers
• The Host Identifier (HI) is a public key; the host owns the public/private key pair
– The Host Identity Tag (HIT) actually carried in packets is a 128-bit hash of the HI
– Provide immediate, straightforward ways for authentication, integrity and confidentiality
– HITs look like IPv6 addresses: the ORCHID prefix 2001:0010::/28 (“Overlay Routable Cryptographic Hash Identifiers”, RFC 4843) completed with a 100-bit hash of the public key
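How a HIT is derived from a Host Identity, as an added example that is not part of the slides: the ORCHIDv1 construction of RFC 4843 with the HIP context ID from RFC 5201 (prefix 2001:10::/28, SHA-1, middle 100 bits of the digest). The `DEMO_HI` bytes are a constructed placeholder, not a real RSA/DSA key in DNS HIP-RR encoding, so the resulting HIT is only illustrative; HIPv2 (RFC 7401/RFC 7343, ORCHIDv2) uses a different prefix and construction and is not covered here.

```python
import hashlib
import ipaddress

ORCHID_PREFIX = 0x2001001        # the 28 prefix bits of 2001:0010::/28 (RFC 4843)
ORCHID_NET = ipaddress.IPv6Network("2001:10::/28")
# Context ID that HIP feeds into ORCHID generation (RFC 5201, section 3.1)
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")


def encode_100(digest: bytes) -> int:
    """Encode_100 of RFC 4843: the middle 100 bits of the 160-bit SHA-1 output."""
    if len(digest) != 20:
        raise ValueError("expected a SHA-1 digest")
    return (int.from_bytes(digest, "big") >> 30) & ((1 << 100) - 1)


def hit_from_hi(hi_rdata: bytes) -> ipaddress.IPv6Address:
    """HIT = ORCHID prefix || Encode_100(SHA-1(context ID || HI)).

    hi_rdata must be the Host Identity as it appears in the DNS HIP RR (RFC 5205);
    here it is whatever bytes the caller passes in."""
    digest = hashlib.sha1(HIP_CONTEXT_ID + hi_rdata).digest()
    return ipaddress.IPv6Address((ORCHID_PREFIX << 100) | encode_100(digest))


def is_hit(addr) -> bool:
    """Cheap syntactic check: does the address lie in the ORCHID range?"""
    return ipaddress.IPv6Address(addr) in ORCHID_NET


def hit_matches_hi(hit, hi_rdata: bytes) -> bool:
    """What a peer does with the HI carried in R1/I2: recompute and compare, so
    nobody can claim a HIT without presenting the matching public key."""
    return ipaddress.IPv6Address(hit) == hit_from_hi(hi_rdata)


# Constructed stand-in for an HI; a real one is an RSA/DSA public key in RDATA encoding.
DEMO_HI = b"\x00\x00\x01\x00" + bytes(range(64))
```

The important security property is the last function: because the HIT is a hash of the key, the responder's R1 (which carries HI_R and is signed with the corresponding private key) lets the initiator check that whoever answered really owns the HIT it asked for; an attacker who can spoof locators cannot spoof a HIT without the private key.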
![Page 64: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/64.jpg)
More on Identifiers
• IPv4 offers only a 32-bit namespace
– Here so-called “Local Scope Identifiers” (LSI) are used, as 32 bits do not provide a big enough namespace to avoid collisions on a global scale. Implemented for compatibility with IPv4-only applications.
![Page 65: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/65.jpg)
HIP Mapping
• Current system proposes the usage of DNS
• Not as a system to look up the Locators for a HIT, but to provide a <HIT, Locator> tuple as the answer to usual requests
• Full pull, easy to implement, generally slow to update
![Page 66: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/66.jpg)
HIP Basic Exchange
• 4-way handshake
• In regular mode, the HIT of the responder is known; in “opportunistic mode” only the IP of the responder is known → prone to MITM attacks
![Page 67: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/67.jpg)
Protocol overview
Initiator → Responder, I1: HIT_I, HIT_R or NULL
Responder → Initiator, R1: HIT_I, {HIT_R, puzzle, DH_R, HI_R}sig
Initiator → Responder, I2: {HIT_I, HIT_R, solution, DH_I, HI_I}sig
Responder → Initiator, R2: {HIT_I, HIT_R, authenticator}sig
Then: user data messages (the four messages above are the control part, the user data the data part)
Notes:
– puzzle: varied hardness, can be based on resource availability, level of trust, or other factors
– R1: nothing specific to the Initiator in here, so precalculation of these messages is possible
![Page 68: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/68.jpg)
More about HIP puzzles
• Nota bene: with the current infrastructure they protect ONLY against CPU/memory exhaustion (an attacker can still flood the link)
• Idea: Responder sends a chunk of data (the puzzle I) to the Initiator, plus a parameter k
• Initiator has to find a value J so that the k LSBs of Hash(puzzle || J) are zero, and sends J back
• Responder quickly checks whether J satisfies the demand (one hash operation)
![Page 69: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/69.jpg)
Even more HIP puzzles
• The RFC does not actually mandate a specific technique
• It turns out to be hard to avoid keeping any state and still be robust against attacks
• The RFC provides an idea: create a table of precalculated puzzles, and use the HIT_I and RLOC_I values to calculate the index into this table
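The puzzle mechanism of the two slides above, as an added example (not code from the slides or from any HIP implementation): the initiator's brute-force solver, the responder's one-hash verifier, and a stateless responder that hands out puzzles from a precomputed table indexed by a keyed hash of (HIT_I, RLOC_I). RFC 5201 hashes I | HIT_I | HIT_R | J rather than the slide's plain puzzle || J, which binds a solution to the two peers; that form is used here. Table size, the 8-byte J, and the `rotate` scheme are assumptions of this example, not RFC requirements.

```python
import hashlib
import os

# RFC 5201 puzzle: find J such that the K lowest-order bits of
# SHA-1(I | HIT_I | HIT_R | J) are all zero.


def _ltrunc_is_zero(digest: bytes, k: int) -> bool:
    """Ltrunc(digest, k) == 0: the k least significant bits are zero (k=0: always)."""
    return (int.from_bytes(digest, "big") & ((1 << k) - 1)) == 0


def puzzle_digest(i: bytes, hit_i: bytes, hit_r: bytes, j: bytes) -> bytes:
    return hashlib.sha1(i + hit_i + hit_r + j).digest()


def solve_puzzle(i: bytes, hit_i: bytes, hit_r: bytes, k: int) -> bytes:
    """Initiator: brute-force J, about 2**k hashes on average."""
    n = 0
    while True:
        j = n.to_bytes(8, "big")
        if _ltrunc_is_zero(puzzle_digest(i, hit_i, hit_r, j), k):
            return j
        n += 1


def verify_solution(i: bytes, hit_i: bytes, hit_r: bytes, k: int, j: bytes) -> bool:
    """Responder: one hash regardless of k, so checking stays cheap under load."""
    return _ltrunc_is_zero(puzzle_digest(i, hit_i, hit_r, j), k)


class Responder:
    """Stateless responder with a precomputed puzzle table (the slide's idea):
    the entry is picked by a keyed hash of (HIT_I, RLOC_I), so R1 can be
    answered, and I2 checked, without remembering anything per initiator."""

    def __init__(self, hit_r: bytes, k: int, table_size: int = 64):
        self.hit_r, self.k, self.table_size = hit_r, k, table_size
        self.rotate()

    def rotate(self):
        """Periodic refresh: new secret and new I values bound the replay window of old R1s."""
        self.secret = os.urandom(16)
        self.table = [os.urandom(8) for _ in range(self.table_size)]

    def _index(self, hit_i: bytes, rloc_i: bytes) -> int:
        keyed = hashlib.sha1(self.secret + hit_i + rloc_i).digest()
        return int.from_bytes(keyed, "big") % self.table_size

    def r1(self, hit_i: bytes, rloc_i: bytes):
        """Return (I, K) for this initiator; K can be raised when under attack."""
        return self.table[self._index(hit_i, rloc_i)], self.k

    def accept_i2(self, hit_i: bytes, rloc_i: bytes, i: bytes, j: bytes) -> bool:
        """I must be the entry this (HIT_I, RLOC_I) would have been given in R1."""
        if i != self.table[self._index(hit_i, rloc_i)]:
            return False          # stale, forged, or replayed from a different source
        return verify_solution(i, hit_i, self.hit_r, self.k, j)
```

The asymmetry the slide is after is visible in the two functions: `solve_puzzle` costs roughly 2^k hashes, `verify_solution` costs one; and since `Responder.r1` derives nothing from the request except a table index, a flood of I1 packets costs the responder no memory, which is the point of the precomputed table. The residual weakness noted on the slide stays: nothing here stops an attacker from saturating the link.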
![Page 70: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/70.jpg)
Details about HIP puzzles
• Several approaches for the puzzle proposed
Image from “Cost-based and Time-based Analysis of DoS-resistance in HIP”
Good reading for this topic: “Analysis of the HIP Base Exchange Protocol”, Tuomas Aura, Aarthi Nagarajan and Andrei Gurtov, ACISP 2005
![Page 71: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/71.jpg)
Effectiveness of HIP Puzzles
Image from “Cost-based and Time-based Analysis of DoS-resistance in HIP”
![Page 72: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/72.jpg)
HIP Mobility
• Mapping system can carry several Locators
• Active emission of “Readdress” packets
• What about
– Mobile nodes that move too fast for DNS?
– If both nodes move at the same time?
![Page 73: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/73.jpg)
HIP Rendezvous Mechanism
• RFC 5204-bis, a recently expired draft
• A HIP node can register with any “RVS” server and note this in the HIT’s DNS entry
• Basically just relays the connection setup packets to the node’s current locators
Source: rfc5204-bis-00
![Page 74: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/74.jpg)
HIP Mobility and Security
• Mobility updates are possibly a security weakness if a host sends too much data to a new Locator before receiving an adequate amount of data back
![Page 75: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/75.jpg)
Threat Scenario
[Figure: DDoS attackers request a big video or other resource from YouTube]
![Page 76: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/76.jpg)
Threat Scenario
[Figure: the attackers announce “Hey, we are all relocated!”, naming the DDoS victim’s address as their new locator]
![Page 77: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/77.jpg)
Threat Scenario
[Figure: the same against YouTube etc.: many servers are made to redirect their streams to the DDoS victim]
![Page 78: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/78.jpg)
HIP Mobility and Security
• Use a credit-based authorization algorithm for not fully trusted hosts asking for relocation: send to an unverified new Locator only as much data as has been received from that peer
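The credit idea applied to the threat scenario above, as an added example (not code from the slides or from any HIP stack): credit-based authorization in the spirit of RFC 5206, where bytes received from a peer earn credit, a locator the peer announced but that has not yet passed address verification (ECHO_REQUEST / ECHO_RESPONSE) may only be sent as much as the remaining credit, and a verified locator is unrestricted. The aging factor of 7/8, the per-peer (rather than per-locator) credit, and the byte counts in the two scenarios are assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass
class PeerState:
    credit: int = 0                      # bytes received from the peer, spendable towards unverified locators
    verified: set = field(default_factory=set)
    unverified: set = field(default_factory=set)


class CreditBasedAuthorizer:
    """Data sent to a not-yet-verified locator must not exceed data received from the peer."""

    def __init__(self, aging_factor: float = 7 / 8):
        self.peers = {}
        self.aging_factor = aging_factor  # credit decays over time, so stockpiling does not pay

    def _peer(self, hit: str) -> PeerState:
        return self.peers.setdefault(hit, PeerState())

    def on_data_received(self, hit: str, nbytes: int):
        self._peer(hit).credit += nbytes

    def on_locator_announced(self, hit: str, locator: str):
        """UPDATE with a new LOCATOR: usable only under credit until verified."""
        p = self._peer(hit)
        if locator not in p.verified:
            p.unverified.add(locator)

    def on_address_verified(self, hit: str, locator: str):
        """The peer answered our ECHO_REQUEST from this locator (return-routability check)."""
        p = self._peer(hit)
        p.unverified.discard(locator)
        p.verified.add(locator)

    def authorize_send(self, hit: str, locator: str, nbytes: int) -> int:
        """Return how many of the nbytes may be sent to `locator` now (0 = blocked)."""
        p = self._peer(hit)
        if locator in p.verified:
            return nbytes
        if locator not in p.unverified:
            return 0                     # never announced by the peer: refuse outright
        allowed = min(nbytes, p.credit)
        p.credit -= allowed
        return allowed

    def age_credit(self):
        """Called on a timer: unspent credit decays."""
        for p in self.peers.values():
            p.credit = int(p.credit * self.aging_factor)


def redirect_flood_scenario():
    """Attacker fetches a large object, then claims to have moved to the victim's address."""
    cba = CreditBasedAuthorizer()
    attacker, victim_ip, video = "2001:10::a", "192.0.2.99", 10_000_000   # constructed values
    cba.on_data_received(attacker, 400)              # the request itself earned 400 bytes of credit
    cba.on_locator_announced(attacker, victim_ip)    # "I am now at the victim's address"
    sent = cba.authorize_send(attacker, victim_ip, video)
    retry = cba.authorize_send(attacker, victim_ip, video)   # credit spent; nothing more until verified
    return sent, retry


def legitimate_move_scenario():
    """A real move: the new locator answers the echo, so it becomes unrestricted."""
    cba = CreditBasedAuthorizer()
    peer, new_ip = "2001:10::b", "198.51.100.7"
    cba.on_locator_announced(peer, new_ip)
    cba.on_address_verified(peer, new_ip)
    return cba.authorize_send(peer, new_ip, 10_000_000)
```

In the attack scenario each hijacked server can push at most as many bytes toward the victim as the attacker sent to it, so the amplification the figures illustrate disappears; the victim never answers the echo, so the locator never becomes verified.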
![Page 79: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/79.jpg)
HIP Transport Security
• HIP proposes to use IPsec ESP (RFC 5202) in BEET mode, which has the wire format of transport mode with the semantics of tunnel mode (inner addresses are the HITs)
• Provides encryption for all layers above IP
![Page 80: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/80.jpg)
HIP Privacy
• HITs do not have to be registered anywhere and/or kept constant over a long time
• Still, observation and correlation might reveal a lot
• “BLIND” approach uses hashes of <HIT, Random Number> to hide ID
• Other approaches use proxy servers to hide locators
![Page 81: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/81.jpg)
Hi3
• Motivation: puzzles only protect against CPU/memory exhaustion attacks. Is it possible to protect against DDoS flood attacks?
• HIP using the “Internet Indirection Infrastructure” (i3)
• i3 forms the control plane. Using i3, the four-way handshake is completed safely
• IPsec-aware middleboxes (“SPINATs”) are placed into the data plane
• Responder tells
– the Initiator a SPINAT’s IP to use
– the SPINATs to open connections for properly authenticated source IPs
• Also provides mobility through the rendezvous service in i3
![Page 82: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/82.jpg)
Control Plane
![Page 83: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/83.jpg)
Data Plane
![Page 84: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/84.jpg)
Acceptance of HIP
• Productively used at one Boeing factory
• Three open source implementations
– OpenHIP, HIP4BSD, HIPL
• Active, growing user community
![Page 85: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/85.jpg)
Sources
• There is a bunch of different people working on HIP, so sometimes it is hard to tell whether a paper talks about “the real HIP”
• What is the real HIP? Wikipedia says “HIP was specified in the IETF HIP working group. An Internet Research Task Force (IRTF) HIP research group looks at the broader impacts of HIP”
• So, the RFCs listed as “active” on the WG’s website are “binding”
![Page 86: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/86.jpg)
So …
• Is LISP or HIP a better approach? What does the audience think?
• Actually, they are rather complementary than competing, as each of them is aiming for a different thing
• Yet, once one of them is wide-scale implemented it might just succeed (interim solutions hold the longest!)
![Page 87: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/87.jpg)
Summary
• HIP: Public keys as IDs, broad support, host-only approach
• LISP: “Delegated” EIDs, broad support, network-only approach
![Page 88: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/88.jpg)
Backup Slides
![Page 90: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/90.jpg)
Two approaches of LISP
• Map-and-Encap
– Host sends packet to an IPv4 address (which is an ID)
– Egress router looks up the Locator for this ID (map)
– Egress router inserts a new IP layer into the packet containing the Locators, thereby encapsulating the other IP header (which carries the IDs)
• Address Rewriting
![Page 91: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/91.jpg)
Map-and-Encap
The Locator Identifier Separation Protocol (LISP)by David Meyer, Cisco Systems
![Page 92: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/92.jpg)
Two approaches of LISP
• Address Rewriting
– Use top bits of the IPv6 address as Locator, lower bits as Identifier
– Egress router maps (looks up the Locator for the ID) and rewrites the top bits
• However, probably due to the lack of IPv6 deployment, IPv4-compatible map-and-encap is used
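Map-and-encap end to end, as an added example that is not code from the slides or from any LISP implementation: a mapping system answering Map-Requests by longest prefix match, an ITR with a map-cache that picks an RLOC by priority and weight (the 50%/50% multi-homing split from the earlier slides), failover when a locator is reported unreachable, and an ETR that decapsulates only packets whose outer destination is its own RLOC and whose inner EID belongs to its site. Packets are plain Python objects rather than real IP headers, the `rloc_unreachable` hook stands in for ICMP unreachable / RLOC-probe failure, and all addresses are constructed documentation-range values; the priority/weight semantics (lower priority preferred, 255 = never use, weights shared among equal priority) follow RFC 6830.

```python
import ipaddress
import random
from dataclasses import dataclass, replace


@dataclass
class Rloc:
    addr: str
    priority: int        # lower is preferred; 255 means "never use"
    weight: int          # load share among RLOCs of equal priority
    reachable: bool = True


@dataclass
class Packet:            # the host's own packet; src/dst are EIDs
    src: str
    dst: str
    payload: bytes


@dataclass
class LispPacket:        # outer header carries RLOCs, inner packet carries EIDs
    outer_src: str
    outer_dst: str
    inner: Packet


class MappingSystem:
    """Stand-in for ALT/NERD/DHT: answers Map-Requests by longest-prefix match."""

    def __init__(self):
        self.db = {}

    def register(self, eid_prefix: str, rlocs):
        self.db[ipaddress.ip_network(eid_prefix)] = list(rlocs)

    def map_request(self, eid: str):
        addr = ipaddress.ip_address(eid)
        matches = [p for p in self.db if addr in p]
        if not matches:
            return None, None
        best = max(matches, key=lambda p: p.prefixlen)
        return best, self.db[best]


class ITR:
    """Ingress Tunnel Router: map (EID -> RLOC set), then encapsulate."""

    def __init__(self, rloc: str, mapping_system: MappingSystem, rng=None):
        self.rloc, self.ms, self.rng = rloc, mapping_system, rng or random.Random()
        self.cache = {}                      # map-cache: EID prefix -> private RLOC list

    def _lookup(self, eid: str):
        addr = ipaddress.ip_address(eid)
        for prefix, rlocs in self.cache.items():
            if addr in prefix:
                return rlocs
        prefix, rlocs = self.ms.map_request(eid)      # cache miss: Map-Request
        if prefix is not None:
            self.cache[prefix] = [replace(r) for r in rlocs]
        return self.cache.get(prefix)

    def _select(self, rlocs):
        usable = [r for r in rlocs if r.reachable and r.priority < 255]
        if not usable:
            return None
        best = min(r.priority for r in usable)
        tied = [r for r in usable if r.priority == best]
        return self.rng.choices(tied, weights=[r.weight for r in tied])[0]

    def encapsulate(self, pkt: Packet):
        rlocs = self._lookup(pkt.dst)
        rloc = self._select(rlocs) if rlocs else None
        if rloc is None:
            return None                  # no mapping, or every locator down: drop
        return LispPacket(self.rloc, rloc.addr, pkt)

    def rloc_unreachable(self, addr: str):
        """Failover hook: ICMP unreachable / failed RLOC-probe for this locator."""
        for rlocs in self.cache.values():
            for r in rlocs:
                if r.addr == addr:
                    r.reachable = False


class ETR:
    """Egress Tunnel Router: strip the outer header and deliver inside the site."""

    def __init__(self, rloc: str, site_prefix: str):
        self.rloc, self.site = rloc, ipaddress.ip_network(site_prefix)

    def decapsulate(self, lp: LispPacket):
        if lp.outer_dst != self.rloc:
            return None
        if ipaddress.ip_address(lp.inner.dst) not in self.site:
            return None                  # inner EID is not ours: do not relay it anywhere
        return lp.inner


def demo(n: int = 1000, seed: int = 1):
    """Dual-homed site 10.0.1.0/24 behind RLOCs from provider A and provider B."""
    ms = MappingSystem()
    ms.register("10.0.1.0/24", [Rloc("192.0.2.12", 1, 50), Rloc("198.51.100.12", 1, 50)])
    itr = ITR("203.0.113.10", ms, random.Random(seed))
    counts = {"192.0.2.12": 0, "198.51.100.12": 0}
    for _ in range(n):
        counts[itr.encapsulate(Packet("1.1.1.1", "10.0.1.1", b"hello")).outer_dst] += 1
    itr.rloc_unreachable("192.0.2.12")   # provider A path goes down: traffic shifts to B
    after = itr.encapsulate(Packet("1.1.1.1", "10.0.1.1", b"hello")).outer_dst
    etr_b = ETR("198.51.100.12", "10.0.1.0/24")
    delivered = etr_b.decapsulate(LispPacket("203.0.113.10", "198.51.100.12", Packet("1.1.1.1", "10.0.1.1", b"x")))
    return counts, after, delivered
```

Two things worth noticing for a security reader: the ETR check on the inner destination is what keeps a LISP site from being used as an open relay when someone forges outer headers toward its RLOC, and the map-cache in the ITR is exactly the state that a mapping-system attack (a forged Map-Reply) would poison, which is why later LISP work added Map-Reply authentication.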
![Page 93: CS 598 MCC – Advanced Internetworks](https://reader035.fdocuments.us/reader035/viewer/2022062410/5681653b550346895dd7bc97/html5/thumbnails/93.jpg)
Dino, Dave, Jason, Vince – LISP (RID-based), 10/2006
How LISP Works
[Figure: topology: S (ID 1.1.1.1, in 1.0.0.0/8) behind routers A (1.1.1.10) and B (1.1.1.11); R (ID 10.0.1.1, on host subnet 10.0.1.0/24) behind routers C and D; Provider A 10.0.0.0/8, Provider B 11.0.0.0/8]
On host subnet 10.0.1.0/24: C is 10.0.1.12 (PA from Provider A), D is 10.0.1.13 (PA from Provider A)
On loopback interfaces: C is 11.1.1.12 (PA from Provider B), D is 11.1.1.13 (PA from Provider B)
1) S wants to talk to R; S gets R’s ID from DNS
2) S sends a packet to R with SA=1.1.1.1, DA=10.0.1.1
3) S’s default router is router A; A does a route lookup for 10.0.1.1, matches on the default route, which is the indicator to tunnel-encapsulate
4) A builds an outer IP header with SA=1.1.1.10, DA=10.0.1.1, IP-prot=“LISP-control”
5) When packets flow to C, IP-prot “LISP-control” means to send an ICMP ID-mapping packet to the SA (1.1.1.10); the ICMP packet contains the Locators 10.0.1.12 & 11.1.1.12
6) A caches the ID-mapping 10.0.1.1 -> {10.0.1.12, 11.1.1.12}
7) For subsequent packets from S, A sets the outer DA to 10.0.1.12 (the Locator for R), IP-prot=“LISP-data”
8) Packets are addressed to C, which decapsulates the tunnel packet and delivers it to R
9) If connectivity to 10.0.1.12 changes, because the Provider A path is down or R moves, A gets back an ICMP host-unreachable (from any router on the path) for address 10.0.1.12. Subsequent packets from S get encapsulated by A to address 11.1.1.12
10) Periodically A can send IP-prot=“LISP-control” packets to the unreachable Locator address; when the SA in the returning ICMP ID-mapping message is that Locator address, A can conclude the Locator is reachable again
11) C could glean the ID->Locator mapping when decapsulating and avoid the signalling step back
12) A could encapsulate packets for S with alternating SA Locator addresses so that when C gleans, it gets all Locator addresses for S’s ID