Spencer Sevilla

CCN-KRS: a key resolution service for CCN

A key feature of the Content Centric Networking (CCN) architecture is the requirement for each piece of content to be individually signed by its publisher. Thus, CCN should, in principle, be immune to distributing fake content. However, in practice, the network cannot easily detect and drop fake content as the trust context (i.e., the public keys that need to be trusted for verifying the content signature) is an application-dependent concept. CCN provides mechanisms for consumers to request a piece of content restricted by its signers public key or the cryptographic digest of the content object to avoid receiving fake content. However, it does not provide any mechanisms to learn this critical information prior to requesting the content. In this paper, we introduce a scalable Key Resolution Service (KRS) that can securely store and serve security information (e.g., public key certificates of publishers) for a namespace in CCN. We implement KRS as a service for CCN in ndnSIM, a ns-3 module, and discuss and evaluate such a distributed service. We demonstrate the feasibility and scalability of our design via simulations driven by real-traffic traces.

iDNS: Enabling information centric networking through The DNS

Information centric networking (ICN) architectures represent a conceptual shift from naming end-hosts in the Internet to naming content directly, and require either significant changes to the existing IP infrastructure or replacing it entirely. We present iDNS (information-centric DNS), an evolutionary path towards deploying ICN at Internet scale based on modifications to the DNS that leave the current routing infrastructure unmodified. We build and evaluate an iDNS prototype, and use it to show that iDNS achieves the benefits associated with ICN (i.e. location-independent naming, nearest-replica-routing) in a manner that both leverages current infrastructure, including content delivery protocols and caches, and supports future evolution towards other network-layer ICN architectures.

HIDRA: Hiding mobility, multiplexing, and multi-homing from internet applications

Todays socket API requires an application to bind a socket to a transport-layer identifier (e.g., TCP80) and network-layer identifier (e.g., an IP address). These early bindings create significant bottlenecks, reliability issues, and force applications to manage complex lower-layer issues. Many approaches have been proposed to address these problems; however, all of them introduce additional identifiers, modify applications, or require additional protocols in the protocol stack. We introduce HIDRA (Hidden Identifiers for Demultiplexing and Resolution Architecture), an approach based on hidden identifiers used internally at end systems and intermediate systems. HIDRA enables sockets to evolve with the Internet by hiding all mobility, multihoming, and multiplexing issues from applications; does not induce significant overhead in the protocol stack; preserves backwards compatibility with todays Internet and applications; and does not require or preclude any additional identifiers or protocols to be used in the protocol stack.

Allowing applications to evolve with the Internet: The case for Internet Resource Descriptors

Todays socket API requires an application to bind a socket to a network address before it can use the socket to communicate. Early bindings of names to addresses create significant bottlenecks, reliability problems, and force applications to manage complex lower-layer issues. Many approaches have been introduced to address this problem; however, all prior proposals introduce additional identifiers, modify applications, or require additional protocols in the protocol stack. In contrast, we propose a generalized socket API based on Internet Resource Descriptors (IRDs), which are opaque identifiers used by applications to refer to network resources and are known only within the hosts in which the applications run. IRDs enable sockets to evolve with the Internet by hiding mobility, multihoming, and multiplexing issues from applications, do not induce significant overhead in the protocol stack, preserve backwards compatibility with todays networks and applications, and do not require additional identifiers or protocols to be used in the protocol stack.

Freeing the IP Internet Architecture from Fixed IP Addresses

The IP Internet architecture is such that applications must bind fixed IP addresses and ports before any other operations can be executed. These early bindings cause bottlenecks, reliability issues, and force applications and protocols to manage complex lower-layer issues. This poses a big challenge to the future of the IP Internet, given the large and growing numbers of nomadic Internet users, the shift in Internet usage from centralized servers to peer-to-peer content sharing, and the popularity of service replication and virtualization. To address these issues, we introduce and evaluate HIDRA (Hidden Identifiers for Demultiplexing and Resolution Architecture), a novel architecture that creates indirection between layers of any network stack. HIDRA enables sockets and protocols to evolve with the IP Internet by hiding all mobility, multihoming, and multiplexing issues from applications, does not induce significant overhead in the protocol stack, preserves backwards compatibility with todays Internet and applications, and does not require or preclude any additional identifiers or protocols to be used in the protocol stack.

GroupSec: A new security model for the web

The de facto approach to Web security today is HTTPS. While HTTPS ensures complete security for clients and servers, it also interferes with transparent content-caching at middleboxes. To address this problem and support both security and caching, we propose a new approach to Web security and privacy called GroupSec. The key innovation of GroupSec is that it replaces the traditional session-based security model with a new model based on content group membership. We introduce the GroupSec security model and show how HTTP can be easily adapted to support GroupSec without requiring changes to browsers, servers, or middleboxes. Finally, we present results of a threat analysis and performance experiments which show that GroupSec achieves notable performance benefits at the client and server while remaining as secure as HTTPS.

A Simple Solution to Scale-Free Internet Host Mobility

We introduce a simple solution for the support of host mobility in the Internet called DIME (Dynamic Internet Mobility for End- Systems). DIME is based on dynamic address translation between the transport and network layers of end hosts, combined with a new out-of-band protocol that updates host-address bindings between communicating hosts opportunistically. It does not require modifications to the end-host operating systems, end-user applications, existing communication protocols or hardware, or the domain name system and any host-identifier namespace. A number of experiments based on a Linux daemon implementation of DIME are used to show that DIME is deployable on a wide range of hardware, and that it outperforms existing mobility proposals such as MIPv6 and HIP across a wide range of performance metrics.

Design and Benefits of a Hidden-Identifier Network Architecture

All currently-implemented and proposed future architectures assume a layered design wherein the identifiers used by a particular layer are propagated up the stack and exposed to higher layers. We argue that these higher-layer exposures and bindings are the root of a large number of problems today, and present significant roadblocks to the evolution and deployment of future network architectures tomorrow. We address these problems by proposing a novel network architecture based around identifier indirection and translation between layers of the stack, and show how such an architecture (1) provides an attractive solution to problems today such as mobility and multi-homing by injecting additional flexibility into the existing network stack, (2) can be used to support the goals of future internet architecture (i.e. service-or information-centricity) within the existing network stack, and (3) relieves the ossification of the network stack and enables the incremental deployment of new protocols and layers.