Yingdi Yu
University of California, Los Angeles
Publication
Featured research published by Yingdi Yu.
IEEE Access | 2018
Lan Wang; Vince Lehman; A. K. M. Mahmudul Hoque; Beichuan Zhang; Yingdi Yu; Lixia Zhang
The Named-data Link State Routing protocol (NLSR) is a protocol for intra-domain routing in Named Data Networking (NDN). It is an application level protocol similar to many IP routing protocols, but NLSR uses NDN’s interest/data packets to disseminate routing updates, directly benefiting from NDN’s built-in data authenticity. The NLSR design, which was first developed in 2013 and deployed on the NDN test bed in August 2014, has undergone significant changes. Following an application-driven design approach, NLSR’s development helped drive the development of the trust/security functionality of NDN libraries as well as a number of features in NDN’s forwarding daemon and ChronoSync. In this paper, we describe the current design and implementation of NLSR, with emphasis on those features that differentiate it from an IP-based link state routing protocol: 1) naming: a hierarchical naming scheme for routers, keys, and routing updates; 2) security: a hierarchical trust model for routing within a single administrative domain; 3) routing information dissemination: using ChronoSync to disseminate routing updates; and 4) multipath routing: a simple way to calculate and rank multiple forwarding options. Although NLSR is designed in the context of a single domain, its design patterns may offer a useful reference for future development of inter-domain routing protocols.
New Security Paradigms Workshop | 2016
Alexander Afanasyev; J. Alex Halderman; Scott Ruoti; Kent E. Seamons; Yingdi Yu; Daniel Zappala; Lixia Zhang
The World Wide Web has become the most common platform for building applications and delivering content. Yet despite years of research, the web continues to face severe security challenges related to data integrity and confidentiality. Rather than continuing the exploit-and-patch cycle, we propose addressing these challenges at an architectural level, by supplementing the web's existing connection-based and server-based security models with a new approach: content-based security. With this approach, content is directly signed and encrypted at rest, enabling it to be delivered via any path and then validated by the browser. We explore how this new architectural approach can be applied to the web and analyze its security benefits. We then discuss a broad research agenda to realize this vision and the challenges that must be overcome.
Mobile Adhoc and Sensor Systems | 2015
Alexander Afanasyev; Zhenkai Zhu; Yingdi Yu; Lijing Wang; Lixia Zhang
Information sharing among a group of friends or colleagues in real life is usually a distributed process: we tell each other interesting or important news without any mandatory assistance or approval from a third party. Surprisingly, this is not what happens when sharing files among a group of friends over the Internet. While the goal of file sharing is to disseminate files among multiple parties, due to the constraints imposed by IP's point-to-point communication model, most of today's file sharing applications, such as Dropbox, Google Drive, etc., resort to a centralized design paradigm: a user first uploads files to the server (cloud), and the server (cloud) re-distributes these files to other users, resulting in unnecessary tussles and inefficient data distribution paths. To bring the truly distributed file sharing back into the cyberspace, this paper presents ChronoShare, a distributed file sharing application built on top of the Named Data Networking (NDN) architecture. By walking through ChronoShare design details, we show how file sharing, as well as many other similar applications, can be effectively implemented over NDN in a truly distributed and secure manner.
International Conference on Computer Communications | 2013
Yingdi Yu; Duane Wessels; Matt Larson; Lixia Zhang
As more and more authority DNS servers turn on DNS security extensions (DNSSEC), it becomes increasingly important to understand whether, and how many, DNS resolvers perform DNSSEC validation. In this paper we present a query-based measurement method, called Check-Repeat, to gauge the presence of DNSSEC validating resolvers. Utilizing the fact that most validating resolver implementations retry DNS queries with a different authority server if they receive a bad DNS response, Check-Repeat can identify validating resolvers by removing the signatures from regular DNS responses and observing whether a resolver retries DNS queries. We tested Check-Repeat in different scenarios and our results showed that Check-Repeat can identify validating resolvers with a low error rate. We also cross-checked our measurement results with DNS query logs from .COM and .NET domains, and confirmed that the resolvers measured in our study can account for more than 60% of DNS queries in the Internet.
Conference on Information-Centric Networking | 2017
Yingdi Yu; Alexander Afanasyev; Jan Seedorf; Zhiyi Zhang; Lixia Zhang
Named Data Networking (NDN) enables data-centric security in network communication by mandating digital signatures on network-layer data packets. Since the lifetime of some data can extend to many years, they outlive the lifetime of their signatures. This paper introduces NDN DeLorean, an authentication framework to ensure the long-term authenticity of long-lived data. The design of DeLorean takes a publicly auditable bookkeeping service approach to keep permanent proofs of data signatures and the times when the signatures were generated. To assess DeLorean's feasibility, the paper presents a set of analytical evaluations on the operational cost as a function of data archive volumes. The paper also identifies several remaining issues that must be addressed in order to make DeLorean a general solution to authenticating long-lived data.
ACM Special Interest Group on Data Communication | 2016
Alexander Afanasyev; Yingdi Yu; Lixia Zhang; Jeffrey A Burke; kc claffy; Josh Polterock
This report is a brief summary of the second NDN Community Meeting held at UCLA in Los Angeles, California on September 28-29, 2015. The meeting provided a platform for the attendees from 49 institutions across 13 countries to exchange their recent NDN research and development results, to debate existing and proposed functionality in NDN forwarding, routing, and security, and to provide feedback to the NDN architecture design evolution.
International Conference on Computer Communications and Networks | 2017
Alexander Afanasyev; Xiaoke Jiang; Yingdi Yu; Jiewen Tan; Yumin Xia; Allison Mankin; Lixia Zhang
DNS provides a global-scale distributed lookup service to retrieve data of all types for a given name, be it IP addresses, service records, or cryptographic keys. This service has proven essential in today's operational Internet. Our experience with the design and development of Named Data Networking (NDN) suggests the need for a similar always-on lookup service. To fulfill this need we have designed the NDNS (NDN DNS) protocol, and learned several interesting lessons through the process. Although DNS's request-response operations seem closely resembling NDN's Interest-Data packet exchanges, they operate at different layers in the protocol stack. Comparing DNS's implementations over IP protocol stack with NDNS's implementation over NDN reveals several fundamental differences between applications designs for host-centric IP architecture and data-centric NDN architecture.
Conference on Information-Centric Networking | 2015
Hila Ben Abraham; Alexander Afanasyev; Yingdi Yu; Lixia Zhang; Steve DiBenedetto; Jeff Thompson; Jeff Burke
This full day tutorial on synchronization and security in Named Data Networking (NDN) will share important architectural concepts we are exploring in these areas, the software we have built to perform these tasks, and remaining open issues. In particular, it will emphasize how the existing open source toolset provides a platform for exploring the open research questions.
International Conference on Computer Communications and Networks | 2017
Spyridon Mastorakis; Alexander Afanasyev; Yingdi Yu; Lixia Zhang
BitTorrent is a popular application for peer-to-peer file sharing in today's Internet. To achieve robust and efficient data dissemination as an application overlay, BitTorrent implements a data-centric paradigm on top of TCP/IP's point-to-point packet delivery, which requires each peer to obtain network layer connectivity information (e.g., peer IP address, distance to each peer, routing policies) that is exclusively available at the network layer in order to select the best peers for data retrieval. This paper presents the design of nTorrent, which provides BitTorrent-like functions natively in Named Data Networking (NDN). We use simulations to examine how well NDN's data-centric communication model can natively support such an application. Our work exposes the differences between the IP-based BitTorrent and nTorrent, and the issues and impact of moving IP-based applications to NDN-enabled networks.
Conference on Information-Centric Networking | 2017
Zhiyi Zhang; Yingdi Yu; Alexander Afanasyev; Jeff Burke; Lixia Zhang
As a proposed Internet architecture, Named Data Networking must provide effective security support: data authenticity, confidentiality, and availability. This poster focuses on supporting data confidentiality via encryption. The main challenge is to provide an easy-to-use key management mechanism that ensures only authorized parties are given the access to protected data. We describe the design of name-based access control (NAC) which provides automated key management by developing systematic naming conventions for both data and cryptographic keys. We also discuss an enhanced version of NAC that leverages attribute-based encryption mechanisms (NAC-ABE) to improve the flexibility of data access control and reduce communication, storage, and processing overheads.