w3c / web-networks

Web & Networks Interest Group
https://www.w3.org/web-networks/

Network - Named Data Networking Content Poisoning Attack #9

Open pickybutanidevops opened 5 years ago

pickybutanidevops commented 5 years ago

Application Domain: Network - Named Data Networking

Description

Named Data Networking (NDN) is immune to most of the attacks which exist in today's internet world, but this newborn network architecture may still be subject to Distributed Denial of Service (DDoS) attacks if the quality of evaluation is low. NDN changes the internet paradigm from address-based to data-based, and a Router chooses to cache incoming contents for further requests to make content distribution more efficient. There are two kinds of packets in NDN. An Interest is a request sent by a node, named the Consumer, to retrieve resources from the network. Any node in the network that has or caches the resources replies to the Interest with one or more Contents, and this node consequently becomes the Producer of this/these Content(s). Compared with remedy-like security solutions, e.g. IPsec and DDNS, in the TCP/IP-based network architecture, security is considered at the very beginning of NDN's design. However, there are some DDoS attacks, e.g. the Interest Flooding Attack (IFA) and the Content Poisoning Attack (CPA), which may still damage NDN. Therefore, it is beneficial to have some form of registration of nodes (Producer and Consumer) in the NDN network.

Example

In NDN, we say that a Content satisfies an Interest when the name prefix in this Content matches the name prefix in the Interest and it has a legitimate signature and useful payload. In a CPA, an attacker replies to some or all incoming Interests with fake Contents, which can be Contents with invalid signatures or useless payload. In Figure 1, Consumer nodes, denoted as C1 and C2, want to retrieve resources from Producer P1 or P2 under the namespace /CS or /BIO, so they send out Interests. Nodes R1, R2 and R3 are normal nodes and act as routers for other nodes. If there is no malicious node in this network (the left half of Figure 1), most of the Interests can travel to the right destination and bring Contents back to the Consumers. However, if there is a malicious node, denoted as M, in this network, it can intercept all Interests and just as easily reply to them with fake Contents.

[image: Figure 1]

The attacker behaves like a black hole in the network, swallowing all incoming Interests. No incoming Interest can be satisfied, and it is hard for legitimate nodes to target the malicious nodes in the network. For example, node C1 verifies and drops all fake Contents after receiving them. C1 may send warnings to neighbors or other nodes in the network. But the nodes which have received warnings face the problem of whether to trust them or not, because there is no suitable authentication system in the network.

One possible solution is to use a public key infrastructure (PKI), but since NDN is an address-free network architecture, different applications may use different trust authorities. It is impractical for a Router to retrieve certificates from many trust authorities to verify all passing Contents, which arrive at line speed.

Requirements

1) It is the Consumers' and Producers' responsibility to make their Interests and Contents verifiable through a solution designed at the very beginning of the network design, which is to Register First Before Publishing (RFBP).

[image: RFBP structure]

2) The whole structure of RFBP is hierarchical and consists of a TrustRoot and Registration nodes (RegNodes).

3) Each Producer (a node which has content under one or some namespaces) is required to register with a RegNode to get a binding of its public key and namespace (key & namespace hash).

4) Before requesting Contents, a Consumer needs to retrieve this binding from a proper RegNode or from the TrustRoot.

5) After receiving the key & name hash, the Consumer sends out Interests with the key & name hash for contents. Intermediate Routers on the forwarding path record the key & name hash in their Pending Interest Tables (PITs).

6) Producers or intermediate routers which have the requested resources in the network return contents with the key & name hash.

7) Any Router (on the content return path) can check the validity of the content of its own accord.
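A runnable sketch of the RFBP checks in steps 3 to 7, added here as an illustration; it is not code from the issue author or from the w3c/web-networks repository. It assumes Ed25519 Producer keys, SHA-256 over namespace and public key as the key & namespace hash, the first name component as the registered namespace, and a PIT keyed by exact Content name; RegNode, Router, Produce and the other names are this example's own. It also goes one step beyond the text by showing that a tampered payload and an unsolicited Content fail the same router check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// Content models an NDN Data packet carrying the RFBP key & name hash (a constructed model, not the NDN wire format).
type Content struct {
	Name, KeyHash      string // KeyHash = hash(namespace, producer public key) issued at registration
	Payload, Signature []byte
	PubKey             ed25519.PublicKey
}

// bindingHash is the "key & namespace hash" a RegNode hands out at registration (step 3); SHA-256 is an assumption.
func bindingHash(ns string, pub ed25519.PublicKey) string {
	h := sha256.Sum256(append([]byte(ns+"\x00"), pub...))
	return hex.EncodeToString(h[:])
}

// namespaceOf treats the first name component as the registered namespace (assumption): /CS/paper -> /CS.
func namespaceOf(name string) string { return "/" + strings.SplitN(strings.TrimPrefix(name, "/"), "/", 2)[0] }
// RegNode maps namespace -> registered public key; a Consumer fetches the hash before sending Interests (step 4).
type RegNode map[string]ed25519.PublicKey
func (r RegNode) Register(ns string, pub ed25519.PublicKey) string { r[ns] = pub; return bindingHash(ns, pub) }
func (r RegNode) Lookup(ns string) (string, bool)                  { pub, ok := r[ns]; return bindingHash(ns, pub), ok }

// Produce signs name||payload with the Producer's key and attaches the Producer's own binding hash (step 6).
func Produce(name string, payload []byte, priv ed25519.PrivateKey) Content {
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, append([]byte(name+"\x00"), payload...))
	return Content{Name: name, KeyHash: bindingHash(namespaceOf(name), pub), Payload: payload, Signature: sig, PubKey: pub}
}

// Router is the PIT (name -> key & name hash from the forwarded Interest, step 5); returning Content is accepted
// only if it carries that hash, its public key really hashes to it, and its signature verifies (step 7).
type Router map[string]string
func (rt Router) ForwardInterest(name, keyHash string) { rt[name] = keyHash }
func (rt Router) AcceptContent(c Content) bool {
	want, pending := rt[c.Name]
	if !pending || c.KeyHash != want || bindingHash(namespaceOf(c.Name), c.PubKey) != want {
		return false // unsolicited Content, or a key other than the one registered for this namespace
	}
	return ed25519.Verify(c.PubKey, append([]byte(c.Name+"\x00"), c.Payload...), c.Signature)
}

// GenKey returns a fresh Ed25519 key pair for a Producer (or for the malicious node M).
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return pub, priv }
```

A Router that drops Content this way never has to contact a trust authority: the only state it needs is the hash already sitting in its PIT.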