【NDN心得】Literature Review on Security of Named Data Networking

Literature Review on Security of Named Data Networking

Wei Xiaolei

Computer Science College, Inner Mongolia University,

Hohhot, China

 

ABSTRACT

      Nowadays, our network architecture is based on TCP/IP. However, TCP/IP has many disadvantages and limitations. Since our existing network architecture, TCP/IP, uses IP address to locate the source host and the destination host, its security cannot be guaranteed well. Thus, Zhang Lixia team, who comes from University of California at Los Angeles, is researching and developing a new type of network architecture, called Named Data Networking(NDN). In NDN, due to the inherent nature of cache and forwarding policy, NDN can assure security to a great degree. But these properties also bring out some new security issues. Our research is about security in Named Data Networking.

 

KEY WORDS: Security; NDN; DoS; Cache Snooping

 

1. INTRODUCTION

      At the beginning of the design of TCP/IP,designers mainly thought about how to connect existed network, as Clark articulated in [1]. Designers intended to design end-to-end communication mode to connect the source host and the destination host, which Clark elaborated in [2]. But in today’s network, the goal of connecting existed network is not the main purpose. Nowadays, people care more about how to retrieve and distribute information via network, but care less about where to get it. TCP/IP is based on location, which is depended on IP address. Thus, if people want to retrieve information,they must firstly locate the information, knowing about where to get it. To achieve this goal, we must spend much cost on network bandwidth, network latency, appliance deployment, and so on. In spite of this, we still cannot achieve a good performance. The appearance of NDN resolves these problems perfectly. Since NDN is based on three structures, which are Pending Information Table(PIT), Content Store(CS), Forwarding Information Base(FIB)[3],rather via IP address, communication on NDN has a new mode. We can retrieve information from the nearby location, if the information has been stored there,rather get it from the source host, which is the communication mode of end-to-end architecture. Through this method, communication performance has been improved greatly. But this type of storing and forwarding method also brings out some new security issues. Some attackers can utilize these disadvantages to carry out attacks.

 

2. DENY OF SERVICE

      Since NDN forwards packages through Interest and Data, records Interest in PIT, and stores Data in CS, consumers don’t need to retrieve information from the provider, if some intermediate node has the same information. However, if any intermediate nodes don’t have this information,the consumer must get this one from the provider.

      Due to this property, attackers can carry out a type of attack easily, which is called Deny of Service(DoS). An attacker can pretend to be the consumer and send large numbers of different Interest,which have the same prefix, to one provider. Quickly, the provider will be overwhelmed by the flood of Interest. The bandwidth will be use up. The PIT will be occupied completely. The provider is busy at dealing with these request information and cannot provide services to the normal requests. Thereby, theDoS attack has formed.

 

3. COUNTERMEASURES OF DENY OF SERVICE[4]

      To relieve this type of attack, we can record the number of Interest packages in intermediate nodes. If an intermediate node receives a lot of Interest which have the same prefix but are different packets, this node must note that if it has been attacked.

      To protect itself from being attacked, if this intermediate node has detected this type of thing, it can limit its rate of interfaces which the probable attacker send packages from. If this is not enough, the intermediate node can even shut down the interface. Slowly, the provider will go back to the normal status, and the attack aiming at this provider will be under control.

 

4. CACHE SNOOPING

      When the Interest which the consumer sends arrives at the provider, the provider will send Data back to the consumer. When the Data arrives at the intermediate nodes, the nodes along the route will store the Data in Content Store. Thus, CS will be filled with many important information, especially some privacy information. However, These information doesn’t have any protective measures. Any consumer who requests for these information can retrieve it. An attacker can pretend to be a normal consumer to send Interest in order to request for these privacy information. When the Interest arrives at some node which has stored this information, the privacy information will be transmitted back to the attacker. This type of attack, which is called cache snooping, causes privacy leaks.

 

5. COUNTERMEASURES OF CACHE SNOOPING

      To avoid suffering from cache snooping, we can use encryption method. By using encryption key, the provider encrypts the privacy information. The encrypted information will be stored along the route. In this case, only the consumer who has the decryption key can decrypt the information. By this way, we can assure that the important privacy will not be let out.

 

6. CONCLUSION

      The existing network architecture, TCP/IP, is designed to meet the demand of twentieth century. It has many inherent disadvantages and limitations, which cannot adapt to the current requirements.The appearance of NDN resolves these problems perfectly. NDN uses new cache and forwarding policy to retrieve and distribute information. This can avoid some security issues existed in TCP/IP, which is based on location, but also brings out a lot of new security issues-DoS and cache snooping are two examples. To protect the network from being attacked by DoS, the intermediate nodes can detect this situation and limit the rate of their interfaces connecting to the probable attacker. To avoid cache snooping, the provider can encrypt the privacy information,so that only the target consumer who has the decryption key can decrypt the information. By this way, security issues can be assured properly, which makes the large-scale deployment of NDN become possible.

 

7. REFERENCES

[1] DavidD. Clark, The design philosophy of the DARPA internet protocols, ACM SIGCOMM Computer Communication Review, 1988.

[2] Saltzer,J. H., Reed, D. P.,Clark, D. D., End-to-end arguments in system design, ACM Transactions on Computer Systems, 1984.

[3]Van Jacobson, Diana K. Smetters, James D. Thornton, Michael F. Plass,Networking Named Content, in Proc. of CoNEXT, 2009.

[4]Tobias Lauinger, Security & Scalability of Content-Centric Networking, [Master dissertation], TU Darmstadt, Schwetzingen, Germany, September 2010.

The following is the version of PPT.