
Publication


Featured research published by Cesar Ghali.


conference on information-centric networking | 2015

Interest-Based Access Control for Content Centric Networks

Cesar Ghali; Marc A. Schlosberg; Gene Tsudik; Christopher A. Wood

Content-Centric Networking (CCN) is an emerging network architecture designed to overcome limitations of the current IP-based Internet. One of the fundamental tenets of CCN is that content is named and addressable. Consumers request content by issuing interests with the desired content name. These interests are forwarded by routers to producers, and the requested content is returned and optionally cached at each router along the path. In-network caching makes it difficult to enforce access control policies on sensitive content since routers only use interest information for forwarding decisions. This motivates our work on Interest-Based Access Control (IBAC), a scheme for access control enforcement using only information contained in interest messages. IBAC makes sensitive content names unpredictable to unauthorized parties. It supports both hash- and encryption-based name obfuscation. Interest replay attacks are addressed by formulating a mutual trust framework between producers and consumers that enables routers to perform authorization checks before satisfying interests from local caches. We assess computational, storage, and bandwidth costs of each IBAC variant. The proposed design is flexible and allows producers to arbitrarily specify and enforce any type of content access control, without having to deal with content encryption and key distribution. This is the first comprehensive CCN access control design that only uses information contained in interest messages.


network computing and applications | 2015

Secure Fragmentation for Content-Centric Networks

Cesar Ghali; Ashok Narayanan; David R. Oran; Gene Tsudik; Christopher A. Wood

Content-Centric Networking (CCN) is a communication paradigm that emphasizes content distribution. Named-Data Networking (NDN) is an instantiation of CCN, a candidate Future Internet Architecture. NDN supports human-readable content naming and router-based content caching, which lends itself to efficient, secure, and scalable content distribution. Because of NDN's fundamental requirement that each content object must be signed by its producer, fragmentation has been considered incompatible with NDN since it precludes authentication of individual content fragments by routers. The alternative is to perform hop-by-hop reassembly, which incurs prohibitive delays. In this paper, we show that secure and efficient content fragmentation is both possible and even advantageous in NDN and similar content-centric network architectures that involve signed content. We design a concrete technique that facilitates efficient and secure content fragmentation in NDN, discuss its security guarantees and assess performance. We also describe a prototype implementation and compare performance of cut-through with hop-by-hop fragmentation and reassembly.


international conference on computer communications and networks | 2015

To NACK or Not to NACK? Negative Acknowledgments in Information-Centric Networking

Alberto Compagno; Mauro Conti; Cesar Ghali; Gene Tsudik

Information-Centric Networking (ICN) is an internetworking paradigm that offers an alternative to the current IP-based Internet architecture. ICN's most distinguishing feature is its emphasis on information (content) instead of communication endpoints. One important open issue in ICN is whether negative acknowledgments (NACKs) at the network layer are useful for notifying downstream nodes about forwarding failures, or requests for incorrect or non-existent information. In benign settings, NACKs are beneficial for ICN architectures, such as CCNx and NDN, since they flush state in routers and notify consumers. In terms of security, NACKs seem useful as they can help mitigate so-called Interest Flooding attacks. However, as we show in this paper, network-layer NACKs also have some unpleasant security implications. We consider several types of NACKs and discuss their security design requirements and implications. We also demonstrate that providing secure NACKs triggers the threat of producer-bound flooding attacks. Although we discuss some potential countermeasures to these attacks, the main conclusion of this paper is that network-layer NACKs are best avoided, at least for security reasons.


workshop on privacy in the electronic society | 2016

(The Futility of) Data Privacy in Content-Centric Networking

Cesar Ghali; Gene Tsudik; Christopher A. Wood

Content-centric networking is an architecture designed to transfer named and addressable data from producers to consumers. Data retrieval is driven by a simple request and response protocol. A consumer issues a request for named data that is routed by the network towards the nearest location where this data is stored. Once found, the corresponding data is returned to the consumer. This data-centric model is different from the datagram- and stream-based protocols used to transport data between endpoints in IP networks: Instead of being tied to the channel through which data flows, security and privacy properties apply to data itself. Consequently, privacy issues in CCN warrant careful evaluation. In this paper, we present a comprehensive assessment of CCN privacy issues in the presence of various adversaries. We specify conditions sufficient to achieve different levels of privacy. We also show that data privacy is more dependent on requests than responses for data. We conclude that strong privacy necessitates some form of session- or channel-based communication, which strongly contradicts the data-centric nature of CCN. We also discuss how to implement proposed CCN privacy mechanisms in practice.


network operations and management symposium | 2016

Practical accounting in content-centric networking

Cesar Ghali; Gene Tsudik; Christopher A. Wood; Edmund M. Yeh

Content-Centric Networking (CCN) is a recent network paradigm designed to address some key limitations of the current IP-based Internet. One of its main features is in-network content caching, which allows requests for content to be served by routers. Despite the benefits of improved bandwidth utilization and lower latency of retrieving popular content, in-network caching inhibits producers from collecting information about content that is requested and later served from network caches. Such information is often needed for accounting and popularity purposes. In this paper, we address accounting in CCN by varying the degree of consumer, router, and producer involvement. We also identify and analyze inherent performance and security tradeoffs. We show that fine-grained accounting is infeasible with router caches and without explicit application support. We then recommend accounting strategies that entail a few simple requirements for CCN architectures. Finally, we show, via experimental results, that network-layer CCN accounting is viable and incurs low overhead for all parties involved.


conference on information-centric networking | 2016

Network Names in Content-Centric Networking

Cesar Ghali; Gene Tsudik; Christopher A. Wood

Content-centric networking (CCN) is a networking paradigm that emphasizes request-response-based data transfer. A consumer issues a request explicitly referencing desired data by name. A producer assigns a name to each data it publishes. Names are used both to identify data to and route traffic between consumers and producers. The type, format, and representation of names are fundamental to CCN. Currently, names are represented as human-readable application-layer URIs. This has several important security and performance implications for the network. In this paper, we propose to transparently decouple application-layer names from their network-layer counterparts. We demonstrate a mapping between the two namespaces that can be deterministically computed by consumers and producers, using application names formatted according to the standard CCN URI scheme. Meanwhile, consumers and producers can continue to use application-layer names. We detail the computation and mapping function requirements and discuss their impact on consumers, producers, and routers. Finally, we comprehensively analyze several mapping functions to show their functional equivalence to standard application names and argue that they address several issues that stem from propagating application names into the network.


IEEE Transactions on Dependable and Secure Computing | 2017

Privacy-Aware Caching in Information-Centric Networking

Gergely Acs; Mauro Conti; Paolo Gasti; Cesar Ghali; Gene Tsudik; Christopher A. Wood

Information-Centric Networking (ICN) is an emerging networking paradigm where named and routable data (content) is the focal point. Users send explicit requests (interests) which specify content by name, and the network handles routing these interests to some entity capable of satisfying them with the appropriate data response (producer). One key feature of ICN is opportunistic in-network content caching. This property facilitates efficient content distribution by reducing bandwidth consumption, lessening network congestion, and improving the content retrieval latency by users (consumers). Unfortunately, the same feature is also detrimental to privacy of content consumers and producers. Simple to implement, and difficult to detect, timing attacks can exploit ICN routers as “oracles” and allow an adversary to learn whether a nearby consumer recently requested certain content. The attack leverages a timing side channel that relies on router caches and is implemented by requesting a few packets from each piece of content being probed. Similarly, probing attacks that target content producers can be used to discover whether certain content has been recently distributed. After analyzing the scope and feasibility of such attacks, we propose and evaluate some efficient countermeasures that offer quantifiable privacy guarantees while retaining the benefits of ICN.


local computer networks | 2017

Mitigating On-Path Adversaries in Content-Centric Networks

Cesar Ghali; Gene Tsudik; Christopher A. Wood

Content-Centric Networking (CCN) is a recently proposed Internet paradigm that focuses on scalable, secure and efficient content distribution. The main abstraction is named and addressable content. A consumer requests desired named content by generating a so-called interest, which is then routed by the network towards an in-network cached copy, or the authoritative producer, of that content. Since all CCN content must be signed by its producer, consumers and routers can cryptographically verify its correctness, authenticity, and integrity. Thus, in principle, attacks that introduce fake (poisoned) content can be detected. However, since verifying content signatures is optional for CCN routers, detection of fake content only implies presence of a malicious upstream entity. A major outstanding problem in CCN is how to react to such attacks, determine their source(s), and re-route interests accordingly.

In this work, we construct a technique based on efficient per-hop packet integrity checks. Routers share secrets with neighboring routers and use them to verify and generate efficient per-hop packet authenticators. An on-path attacker that tampers with content in transit is quickly detected by downstream routers. Moreover, an on-path attacker that hijacks a namespace is discoverable. Our experimental assessment indicates that the proposed technique incurs very low per-packet overhead. Furthermore, since our approach is not CCN-specific, it can be applied to IP-based networks as well.


international conference on computer communications and networks | 2017

Closing the Floodgate with Stateless Content-Centric Networking

Cesar Ghali; Gene Tsudik; Ersin Uzun; Christopher A. Wood

Information-Centric Networking (ICN) is a recent paradigm that claims to mitigate some limitations of the current IP-based Internet architecture. The centerpiece of ICN is named and addressable content, rather than hosts or interfaces. Content-Centric Networking (CCN) is a prominent ICN instance that shares the fundamental architectural design with its equally popular academic sibling Named-Data Networking (NDN). CCN eschews source addresses and creates one-time virtual circuits for every content request (called an interest). As an interest is forwarded it creates state in intervening routers, and the requested content is delivered back over the reverse path using that state. Although a stateful forwarding plane might be beneficial in terms of efficiency and resilience to certain types of attacks, this has not been decisively proven via realistic experiments. Since keeping per-interest state complicates router operations and makes the infrastructure susceptible to router state exhaustion attacks (e.g., there is currently no effective defense against Interest Flooding attacks), the value of the stateful forwarding plane in CCN should be re-examined. In this paper, we explore supposed benefits and various problems of the stateful forwarding plane. We then argue that its benefits are uncertain at best and it should not be a mandatory CCN feature. To this end, we propose a new stateless architecture for CCN that provides nearly all functionality of the stateful design without its headaches. We analyze performance and resource requirements of the proposed architecture via experiments.


arXiv: Networking and Internet Architecture | 2016

BEAD: Best effort autonomous deletion in content-centric networking

Cesar Ghali; Gene Tsudik; Christopher A. Wood

A core feature of Content-Centric Networking (CCN) is opportunistic content caching in routers. It enables routers to satisfy content requests with in-network cached copies, thereby reducing bandwidth utilization, decreasing congestion, and improving overall content retrieval latency. One major drawback of in-network caching is that content producers have no knowledge about where their content is stored. This is problematic if a producer wishes to delete its content. In this paper, we show how to address this problem with a protocol called BEAD (Best-Effort Autonomous Deletion). It performs content deletion via small and secure packets that resemble current CCN messages. We discuss several methods of routing BEAD packets from producers to caching routers with varying levels of network overhead and efficacy. We assess BEAD's performance via simulations and provide a detailed analysis of its properties.

Collaboration

Top co-authors of Cesar Ghali:

Gene Tsudik (University of California)

Alberto Compagno (Sapienza University of Rome)

Paolo Gasti (New York Institute of Technology)