
[NDN Notes] Literature Review on Security of Named Data Networking

Copyright notice: this is an original article by the blogger; please cite the source when reposting. https://blog.csdn.net/gongxifacai_believe/article/details/51367020

Literature Review on Security of Named Data Networking

Wei Xiaolei

Computer Science College, Inner Mongolia University,

Hohhot, China

ABSTRACT

Today's network architecture is based on TCP/IP, which has many disadvantages and limitations. Because TCP/IP uses IP addresses to locate the source host and the destination host, its security cannot be guaranteed well. For this reason, Zhang Lixia's team at the University of California, Los Angeles is researching and developing a new type of network architecture called Named Data Networking (NDN). Thanks to its inherent caching and forwarding policy, NDN can assure security to a great degree, but these same properties also bring out some new security issues. Our research is about security in Named Data Networking.

KEY WORDS: Security; NDN; DoS; Cache Snooping

1. INTRODUCTION

When TCP/IP was designed, its designers mainly thought about how to connect existing networks, as Clark articulated in [1]. They intended an end-to-end communication mode that connects the source host and the destination host, which Clark elaborated in [2]. In today's network, however, connecting existing networks is no longer the main purpose. People now care more about how to retrieve and distribute information via the network, and less about where it comes from. TCP/IP is based on location, which depends on the IP address, so anyone who wants to retrieve information must first locate it and know where to get it. Achieving this costs a great deal in network bandwidth, network latency, appliance deployment, and so on, and even then the performance is not good. The appearance of NDN resolves these problems perfectly. Because NDN is built on three structures, the Pending Interest Table (PIT), the Content Store (CS) and the Forwarding Information Base (FIB) [3], rather than on IP addresses, communication in NDN follows a new mode: information can be retrieved from a nearby location if it has been stored there, instead of always fetching it from the source host as in the end-to-end architecture. This improves communication performance greatly. But this storing and forwarding method also brings out some new security issues, and attackers can exploit these weaknesses to carry out attacks.

2. DENIAL OF SERVICE

Because NDN forwards packets as Interest and Data, records pending Interests in the PIT, and stores Data in the CS, a consumer does not need to retrieve information from the provider if some intermediate node already holds the same information. However, if no intermediate node has this information, the consumer must get it from the provider.

Because of this property, attackers can easily carry out a type of attack called Denial of Service (DoS). An attacker pretends to be a consumer and sends large numbers of different Interests that share the same prefix to one provider. The provider is quickly overwhelmed by the flood of Interests: the bandwidth is used up, the PIT is completely occupied, and the provider is so busy dealing with these requests that it cannot serve normal ones. Thereby the DoS attack has formed.

3. COUNTERMEASURES AGAINST DENIAL OF SERVICE [4]

To relieve this type of attack, intermediate nodes can count the Interest packets they receive. If an intermediate node receives many Interests that share the same prefix but are different packets, it must consider whether it is being attacked.

If an intermediate node has detected this situation, it can protect itself by limiting the rate of the interfaces from which the probable attacker sends packets. If that is not enough, the intermediate node can even shut the interface down. Gradually the provider returns to its normal status, and the attack aimed at this provider is brought under control.
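As an added illustration that is not part of the original review, the following Python models the per-interface Interest counter described above: a router keeps arrival counts per incoming face and name prefix, throttles a face whose rate exceeds a limit, and shuts the face down when the flood continues. The thresholds, face numbers, names and timings are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed policy thresholds for this example (assumptions, not values from the review).
WINDOW = 1.0        # seconds of arrival history kept per (face, prefix)
RATE_LIMIT = 20     # Interests per second per (face, prefix) before throttling
SHUTDOWN = 50       # Interests per second per (face, prefix) before closing the face

def name_prefix(name, depth=2):
    """First `depth` components of an NDN name: /victim/app/17 -> /victim/app."""
    parts = [p for p in name.split("/") if p]
    return "/" + "/".join(parts[:depth])

class InterestMonitor:
    """Per-incoming-face, per-prefix Interest counter with rate limiting and face shutdown."""
    def __init__(self):
        self.history = defaultdict(deque)   # (face, prefix) -> arrival timestamps in the window
        self.closed = set()                 # faces that have been shut down

    def on_interest(self, face, name, now):
        """Decide 'forward', 'throttle' or 'drop' for an Interest arriving on `face` at `now`."""
        if face in self.closed:
            return "drop"
        arrivals = self.history[(face, name_prefix(name))]
        arrivals.append(now)
        while arrivals and now - arrivals[0] > WINDOW:   # expire arrivals outside the window
            arrivals.popleft()
        rate = len(arrivals) / WINDOW
        if rate > SHUTDOWN:          # sustained flood: close the face the attacker is using
            self.closed.add(face)
            return "drop"
        if rate > RATE_LIMIT:        # suspicious: slow this face+prefix down
            return "throttle"
        return "forward"

def simulate():
    """Constructed traffic: a normal consumer on face 1, an Interest flood on face 3."""
    mon = InterestMonitor()
    counts = {"consumer": {}, "attacker": {}}
    for i in range(5):                                   # 5 distinct names spread over one second
        d = mon.on_interest(1, f"/victim/app/page{i}", 0.2 * i)
        counts["consumer"][d] = counts["consumer"].get(d, 0) + 1
    for i in range(60):                                  # 60 distinct names, same prefix, in 0.5 s
        d = mon.on_interest(3, f"/victim/app/junk{i}", 0.5 * i / 60)
        counts["attacker"][d] = counts["attacker"].get(d, 0) + 1
    counts["closed_faces"] = sorted(mon.closed)
    return counts
```

Counting by prefix rather than by exact name is what catches the attack in the text, since every flooded Interest is a different packet under one prefix.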

4. CACHE SNOOPING

When the Interest sent by the consumer arrives at the provider, the provider sends Data back to the consumer. As the Data passes through the intermediate nodes, the nodes along the route store it in their Content Store. The CS is therefore filled with a great deal of important information, including private information, and this information has no protective measures at all: any consumer who requests it can retrieve it. An attacker can pretend to be a normal consumer and send an Interest requesting this private information. When the Interest reaches a node that has stored the information, it is transmitted back to the attacker. This type of attack, called cache snooping, causes privacy leaks.

5. COUNTERMEASURES AGAINST CACHE SNOOPING

To avoid cache snooping, we can use encryption. The provider encrypts the private information with an encryption key, and it is the encrypted information that is stored along the route. In this case only a consumer who holds the decryption key can decrypt it. In this way we can ensure that the important private information is not leaked.
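As an added illustration that is not part of the original review, this Python models a Content Store that hands cached Data to any requester and shows why encrypting the Data at the provider defeats cache snooping. The HMAC-SHA256 keystream cipher, key, name and content are assumptions chosen so the example runs on the standard library; they are not NDN's own encryption scheme.

```python
import hashlib
import hmac

def keystream(key, name, length):
    """Keystream from HMAC-SHA256(key, name || counter). A stand-in for a real
    cipher so the example runs offline (an assumption of this example)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, name.encode() + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, name, plaintext):
    """XOR the content with a keystream bound to the Data name; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(plaintext, keystream(key, name, len(plaintext))))

decrypt = encrypt

class ContentStore:
    """An in-network cache: it returns any stored Data to whoever sends an Interest for its name."""
    def __init__(self):
        self.store = {}
    def insert(self, name, data):
        self.store[name] = data
    def lookup(self, name):
        return self.store.get(name)

def scenario():
    """Constructed scenario: the provider caches encrypted Data; a snooper and the
    legitimate consumer both fetch it, but only the consumer holds the key."""
    key = hashlib.sha256(b"constructed demo key shared with the consumer").digest()
    name = "/hospital/records/patient42"
    plaintext = b"diagnosis: confidential"
    cs = ContentStore()
    cs.insert(name, encrypt(key, name, plaintext))   # Data stored along the route
    cached = cs.lookup(name)                          # served to any Interest for this name
    return {
        "snooper_sees": cached,                        # ciphertext only
        "consumer_reads": decrypt(key, name, cached),  # plaintext, because it has the key
    }
```

The cache still reveals the name and the size of the content, so encryption protects the payload, not the fact that a given name was requested.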

6. CONCLUSION

The existing network architecture, TCP/IP, was designed to meet the demands of the twentieth century. It has many inherent disadvantages and limitations that cannot adapt to current requirements. The appearance of NDN resolves these problems perfectly. NDN uses a new caching and forwarding policy to retrieve and distribute information. This avoids some security issues of the location-based TCP/IP, but it also brings out many new security issues; DoS and cache snooping are two examples. To protect the network from DoS, intermediate nodes can detect the situation and limit the rate of the interfaces connected to the probable attacker. To avoid cache snooping, the provider can encrypt the private information so that only the target consumer who holds the decryption key can decrypt it. In this way the security issues can be addressed properly, which makes the large-scale deployment of NDN possible.

7. REFERENCES

[1] David D. Clark, The design philosophy of the DARPA internet protocols, ACM SIGCOMM Computer Communication Review, 1988.

[2] J. H. Saltzer, D. P. Reed, D. D. Clark, End-to-end arguments in system design, ACM Transactions on Computer Systems, 1984.

[3] Van Jacobson, Diana K. Smetters, James D. Thornton, Michael F. Plass, Networking Named Content, in Proc. of CoNEXT, 2009.

[4] Tobias Lauinger, Security & Scalability of Content-Centric Networking, Master's thesis, TU Darmstadt, Schwetzingen, Germany, September 2010.

The following is the version of PPT.
