cs 598 mcc – advanced internetworks

Post on 24-Feb-2016


CS 598 MCC – Advanced Internetworks

Future Internet Architecture: Locator-/Identifier-Split

Quirin Scheitle, scheitl2@illinois.edu

Significant?

• “The so-called identifier/locator split is recognized by the Internet Engineering Task Force (IETF) community as a next big change in the Internet architecture.” [Cisco Internet Protocol Journal, Volume 12, Nr 1]

Outline

• Motivation: Shortcomings of the present Internet

• How the idea of a Loc/Id-Split can solve most of these

• Detailed look at two specific approaches
  – LISP
  – HIP

Present system has lots of drawbacks

• IP address is used as Locator and as Identifier
  – Results in a lot of problems, concerning:
    • Mobility
    • Scalability
    • Security
    • Addressing
    • Multi-Homing

Locator-/Identifier-Split

• An approach followed by many researchers right now

• Common idea is to use IP addresses as Locators and introduce a new concept of Identifiers.

• User actually connects to Identifier
• Identifier typically carried in packet between IP and Transport layer.

Don’t get mixed up!

• The general research area on Locator-Identifier-Splits can be meant by the acronym LISP
• LISP is also the name of one specific Loc/Id-Split approach
  – I try to call the idea itself “Loc/Id-Split”
  – Enough people angry at Cisco for interfering in their Google results for the LISP programming language ;)

The concept of LocID-Split

[Figure: Host A and Host B; Host B is reachable at locators IP B1 and IP B2 and has the identifier ID 00:00:0B]

Host A connects to User/Host/Service/Content 00:00:0B

[Figure: Host A issues a LOOKUP for user@provider.com? / www.illinois.edu / stream://Class-stream.illinois.edu / content#f7839fd789]

[Figure: ANSWER 00:00:0b]

Looks like DNS? No, the ID is actually used to establish the connection.

[Figure: Host A opens a connection to ID 00:00:0b]

So, how to send a packet to this “ID” 00:00:0B?

Mapping/Lookup of Locator – Different approaches

This is where approaches differ: Host-based / Network-based / Mixture

Packet typically looks like this (top to bottom):

  TCP/UDP
  Identifier
  IP

So, this looks complicated and like a lot of change?

• Change might be not that big (compare HIP implementations)

• Gains a lot of advantages!

Mobility

• Your ID does not actually change if you connect somewhere else
  – Right now it does most of the time, so your connections tear down
  – LocID-Split enables you to keep your connections alive while you’re moving and changing IPs (since they are bound to your ID!)

Multi-Homing, Failover, Traffic Engineering

[Figure: Host A sends to Host B’s ID 00:00:0B; traffic is split 50% via IP B1 and 50% via IP B2]

[Figure: the path via IP B1 fails; digger image from http://www.faqs.org/photo-dict/phrase/4243/toy-digger.html]

[Figure: Host B announces: “Hey guys, please send packets to <ID> from now on to IP B2! Connections can stay alive!”]

Security

• IDs can be authenticated
  – Able to provide true end-to-end security and identity
  – Network-Authentication approaches (HiiMAP) vs. Host-Authentication approaches (LISP) vs. Mixed (HiiMap)
  – Approaches reach from signing/encrypting each message to just validating the user ID on bootstrap
  – New approaches like using public keys as IDs or depositing them in the Mapping system

Specific approaches

• These were some of the advantages that can be gained; let’s have a look at specific approaches

So, what are these various concepts?

• LISP – Cisco, IETF
• HIP – IETF
  – LISP and HIP are rather evolutionary and intended for practical use

“LISP”

• Farinacci et al., first ideas in 2006
• Developed by Cisco, aiming to provide a fix to the routing table growth in a short time, with as little change as possible. [Hanka et al.]
• Network-only approach, aiming for quick deployment

PI/PA Space

• Organizations want IP addresses to be static Identifiers of their services
  – Want to keep their neat /30 prefix over multiple ISP changes
• ISPs want IP addresses to be a coherent block that gets traffic into their network
  – Want to allocate all their customers in a /8 prefix
  – Solves routing table growth problem
• Dual aims come from dual use of IP as Locator and Identifier!
  – Organizations want to be identified, ISPs want to make sure their IP ranges are routed to them

Concept

• “LISP follows a network-based map-and-encapsulate scheme, this means no changes to hosts are needed, everything happens in the network. Also, in LISP, both identifiers and locators can be IP addresses or arbitrary elements like a set of GPS coordinates or a Mac address.” [lisp4.net]

Why was LISP developed? [Cisco “LISP Overview”, slide 25]

• LISP originally conceived to address Internet Scaling
  – What causes scaling issues?
    • IP addresses denote both location and identity today
    • Overloaded IP address semantic makes efficient routing impossible
    • IPv6 does not fix this
  – Why are scaling issues bad?
    • Routers require gobs of expensive memory to hold the Internet Routing Table
    • It’s expensive for network builders
    • Replacing equipment for the wrong reason – to hold the routing table rather than to implement new features
    • It’s not GREEN…

“… routing scalability is the most important problem facing the Internet today and must be solved … ”

Internet Architecture Board (IAB), October 2006 Workshop (written up as RFC 4984)

Reasons for growth

• Everyone wants PI space
• Multihoming
• Traffic Engineering

So, what do we gain?

• Forwarding plane of routers can be very small and efficient as there is no incentive for anyone to have PI space anymore

• Lookup namespace will be more complex, but is not in forwarding path

LISP 1.x uses routable EIDs, LISP 2/3 do not. LISP 1.5 better incrementally deployable!

So, this ID-to-Locator Lookup?

• Remember: LISP wants as few changes to the current architecture as possible
• Sounds like the weak point in these terms? (Scalability, Flexibility)
• “In particular, although the base LISP specification defines the format of messages to query the mapping system and to receive responses from that system, it makes no assumptions on the architecture of potential mapping systems. As a result, several mapping systems have been proposed [0,1,4,5,6,10].”
  – Include DHTs [draft-hu-lisp-dht-00]
  – “Several such databases have been proposed, among them: LISP-CONS [CONS], LISP-NERD [NERD] and LISP+ALT [ALT].” [draft-ietf-lisp-ms-06]
  – LISP-ALT seems to be most popular right now
• Builds overlay network with GRE tunnels and BGP announcements
• Basically, provides a network architecture to route IDs to the correct ETR
  – Could not find proper discussion why this is any better than recent infrastructure? FIXME
  – (ID space not flat, still hierarchical, still prefixes announced via BGP?)

Aggregation!

Two similar problems out there

• DNS: Rate is very small, state possibly infinite
• BGP: Rate is significant, but state is smaller
  – Think about which goals these databases follow
• DNS provides ID-to-IP Mapping
  – Not in forwarding path, speed less critical → Full Pull
• BGP provides IP-to-Locator Mapping
  – Forwarding path, speed crucial → Full Push
• ID-to-Locator Mapping somewhere in between, but where?

Available Schemes

• NERD, ALT, EMACS, CONS, DHTs…
• Amount of research in this field shows that this is one of the very big topics in Locator/Identifier-Split!

Problems with NERD?

• Remember LISP aims for O(10^10) hosts

[Image from LISP Tutorial, IETF Vancouver, Dec 2007]

LISP-ALT: “Alternative Topology”

• The most popular approach, used within the global test network

• Uses a network of routers running BGP over GRE tunnels to build this “alternate topology”

• ETRs announce their EID prefixes
• Massive use of aggregation to achieve small routing tables

LISP-ALT: Details

• Still, ETRs are responsible for the EID-to-Locator mapping

• ALT topology provides only knowledge which router owns which EID prefix

• ITRs send map requests into ALT, ALT forwards this to the correct router

• Router sends answer straight back to ITR
  – Data probes

Why is ALT used?

• Remember, LISP aims for fast implementation while reducing the routing table size
  – Uses BGP and GRE technology widely in use
  – Decentral
  – Very good for incremental deployment

• Though, in my opinion, not an option for global scale deployment

LISP-DHT

• Follows main assumption: “A domain must be able to control the server that provides the authoritative mappings for the identifiers allocated to its hosts.” [LISP-DHT]

• Adapted Chord to meet this criterion

LISP-DHT using Chord

• EID is directly used as Chord-ID
  – Redundancy?
    • Usually handled by duplicating entries to neighbours, though not acceptable here
    • Extended Chord to handle several entities behind one ID, identified by <EID, RLOC> tuple

LISP-DHT using Chord

• DHTs usually require a node to join, build adjacencies etc. before they can do a lookup. Obviously, not every node can join the DHT and carry load.
  – Concept of “stealth nodes”, which only look up but do not announce themselves
  – Neat integration of security, by letting only authenticated nodes actually join the DHT
  – Security concept based on certificates proposed

LISP-DHT Summary

• Full Pull approach, yet very fast by using DHTs
• Fully automatic, not error prone
• Highly scalable
• Authority and full control of entries within administrative boundaries of EID prefix owner

Evaluation

• [Evaluating the Benefits of the Locator/Identifier Separation, Bruno Quoitin, Luigi Iannone, Cédric de Launois, Olivier Bonaventure, ACM MobiArch 07]
• FIBs reduced to a few thousand entries
• Path redundancy at least doubled
• “BGP paths cannot be more than 2 since the simulated dual-homed stubs only receive one BGP route for each destination prefix from each provider.”

LISP advantages

• Improved routing scalability
• BGP-free multihoming in active-active configuration
• Address family traversal: IPv4 over IPv4, IPv4 over IPv6, IPv6 over IPv6, IPv6 over IPv4
• Inbound traffic engineering
• Mobility
• Simple deployability
• No host changes are needed

[http://en.wikipedia.org/wiki/Locator/Identifier_Separation_Protocol]

What else can LISP be used for?

• Scaling Internet core routing tables
• Low-OpEx active-active multi-homing for Enterprises
• Low-OpEx active-active multi-homing for ISPs
• Provider independence (avoids site renumbering)
• Data Center mobility of Virtual Machines (VMs)
• Data Center Server Load Balancing (SLBs) enhancement
• A/V Truck Roll (Broadcasting industry)
• L2 or L3 VPNs with or without parallelism
• Slow hand-set mobility in localized regions
• Better residential multi-homing
• IPv6-only site connectivity over existing (IPv4) Internet
• Movement/reallocation of Cloud Computing Resources

Slide from Cisco’s “LISP Overview”

Global LISP Testbed

• Total of 106 boxes, 18 countries
• Operated by Google, Facebook, MSN, Cisco, Deutsche Bank, Level3, Microsoft, T-Labs
• [lisp4.net]

Short Wrap-up of LISP

• Network-based, no changes to hosts whatsoever

• Quick, incremental deployment
• Fix for routing table growth, multi-homing, traffic engineering
• Available in Cisco IOS, open source solutions, global testbed available
• IETF, Cisco, UPC

HIP

• Developed at IETF since 1999, first stable version in 2007

• Inserts cryptographic namespace between Transport and Network Layer

• No changes needed in applications or routers (changes reside in network stack of host)

• Provides many more features than LISP
• Aims for security, mobility, multi-homing

Achievements

• Mobility
• Multi-Homing
• Security
• NAT / IPv4 / IPv6 traversal

Identifiers

• Are called Host Identifiers (HI) and are hashes of public keys
  – Host owns public/private key pair
  – Provide immediate, straightforward ways for authentication, integrity and confidentiality
  – Look like IPv6 addresses, beginning with 2001:0010::/28 (the “Orchid” prefix) and completed with a 100-bit public key hash
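As an added example that is not part of the slides, this is how the HIT layout just described (28-bit ORCHID prefix plus 100 hash bits) can be built and checked in Python; the choice of SHA-256 over the raw key bytes, and the constructed sample key, are assumptions for illustration and not the RFC’s exact definition:

```python
import hashlib
import ipaddress

# ORCHID range named on the slide: the 28 prefix bits of 2001:0010::/28 are
# followed by 100 hash bits, giving a 128-bit value that looks like an IPv6 address.
ORCHID_PREFIX = ipaddress.IPv6Network("2001:10::/28")
HASH_BITS = 128 - ORCHID_PREFIX.prefixlen  # 100

# Constructed stand-in for a host's public key (a real HI is a DSA/RSA key blob).
SAMPLE_HI = b"constructed-public-key-of-host-B"


def host_identity_tag(host_identifier: bytes) -> ipaddress.IPv6Address:
    """Derive a HIT: ORCHID prefix + 100-bit hash of the Host Identifier.

    Assumption for illustration: SHA-256 over the raw key bytes, truncated to
    its top 100 bits. The RFCs fix the exact hash input and function; this
    example only reproduces the layout described on the slide.
    """
    digest = int.from_bytes(hashlib.sha256(host_identifier).digest(), "big")
    hash_part = digest >> (256 - HASH_BITS)          # keep the top 100 bits
    prefix_int = int(ORCHID_PREFIX.network_address)  # its low 100 bits are zero
    return ipaddress.IPv6Address(prefix_int | hash_part)


def is_hit(addr: str) -> bool:
    """A HIT is distinguishable from a routable IPv6 address by its prefix."""
    return ipaddress.IPv6Address(addr) in ORCHID_PREFIX


def hi_matches_hit(host_identifier: bytes, claimed_hit: str) -> bool:
    """Receiver-side binding check once R1/I2 carries the peer's HI: the key
    presented must hash to the HIT the connection was opened to, otherwise a
    substituted key would be accepted under someone else's identifier."""
    return host_identity_tag(host_identifier) == ipaddress.IPv6Address(claimed_hit)


if __name__ == "__main__":
    hit = host_identity_tag(SAMPLE_HI)
    print("HIT:", hit, "| in ORCHID range:", is_hit(str(hit)))
    print("binding holds:", hi_matches_hit(SAMPLE_HI, str(hit)))
    print("wrong key rejected:", not hi_matches_hit(b"attacker-key", str(hit)))
```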

More on Identifiers

• IPv4 offers only a 32-bit namespace
  – Here so-called “Local Scope Identifiers (LSI)” are used, as 32 bits do not provide a big enough namespace to avoid collisions on a global scale. Implemented for compatibility.

HIP Mapping

• Current system proposes the usage of DNS
• Not as a system to look up the Locators for a HIT, but to provide a <HIT, Locator> tuple as answer to usual requests

• Full pull, easy to implement, generally slow to update

HIP Basic Exchange

• 4-way handshake
• In regular mode, the HIT of the responder is known; in “Opportunistic mode” only the IP of the responder is known → prone to MITM attacks

Protocol overview

Initiator                                            Responder
  I1: HIT_I, HIT_R or NULL                     --->
  <---  R1: HIT_I, {HIT_R, puzzle, DH_R, HI_R}sig
  I2: {HIT_I, HIT_R, solution, DH_I, HI_I}sig  --->
  <---  R2: {HIT_I, HIT_R, authenticator}sig
  <-->  User data messages

(I1 to R2 form the control plane, the user data messages the data plane.)

Callout on the puzzle: varied hardness, can be based on resource availability, level of trust, or other factors.

Callout on R1: nothing specific to the Initiator in here, so precalculation of these messages is possible.

More about HIP puzzles

• Nota bene: With recent infrastructure, they protect ONLY against CPU/Memory exhaustion (attacker can still flood)

• Idea: Responder sends chunk of data (puzzle) to Initiator, plus parameter k

• Initiator has to find value J, so that the k LSB of Hash(puzzle || J) are zero. Sends J back.

• Responder quickly checks if J satisfies demands

Even more HIP puzzles

• RFC is not actually specifying a technique
• Turns out hard to actually avoid keeping any state and still be stable against attacks
• Provides idea: Create a table of pre-calculated puzzles, use HIT_I and RLOC_I values to calculate the index into this table
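The puzzle from the two slides above, together with the pre-calculated table idea, as an added Python example that is not part of the talk. It follows the slide’s Hash(puzzle || J) formulation (the RFC’s actual hash input also covers the HITs); the table size, the keyed index function and the 8-byte encoding of J are assumptions:

```python
import hashlib
import secrets

HASH = hashlib.sha256


def puzzle_solved(puzzle: bytes, j: int, k: int) -> bool:
    """Responder's cheap check from the slide: the K least significant bits of
    Hash(puzzle || J) must all be zero. One hash evaluation, no stored state."""
    digest = int.from_bytes(HASH(puzzle + j.to_bytes(8, "big")).digest(), "big")
    return digest & ((1 << k) - 1) == 0


def solve_puzzle(puzzle: bytes, k: int) -> int:
    """Initiator's work: brute-force J, about 2**k hash evaluations on average.
    K is the knob the Responder turns when it is under load."""
    j = 0
    while not puzzle_solved(puzzle, j, k):
        j += 1
    return j


class StatelessResponder:
    """Responder that remembers nothing between R1 and I2.

    Instead of storing which puzzle it sent to whom, it keeps a table of
    pre-generated puzzles and derives the table index from (HIT_I, RLOC_I),
    so the same index is recomputed when I2 arrives. Table size, the keyed
    index function and the J encoding are assumptions of this example.
    """

    def __init__(self, table_size: int = 16, k: int = 8):
        self.k = k
        self.table = [secrets.token_bytes(16) for _ in range(table_size)]
        self.secret = secrets.token_bytes(16)  # stops peers predicting their index

    def _index(self, hit_i: bytes, rloc_i: bytes) -> int:
        h = HASH(self.secret + hit_i + rloc_i).digest()
        return int.from_bytes(h[:4], "big") % len(self.table)

    def r1_puzzle(self, hit_i: bytes, rloc_i: bytes) -> tuple[bytes, int]:
        """Puzzle parameters placed in R1; nothing about this Initiator is stored."""
        return self.table[self._index(hit_i, rloc_i)], self.k

    def verify_i2(self, hit_i: bytes, rloc_i: bytes, j: int) -> bool:
        """On I2, re-derive the puzzle that must have been sent and check J.
        Rotating the table periodically bounds how long a solution stays valid."""
        puzzle, k = self.r1_puzzle(hit_i, rloc_i)
        return puzzle_solved(puzzle, j, k)


if __name__ == "__main__":
    responder = StatelessResponder(k=10)
    hit_i, rloc_i = bytes.fromhex("20010010" + "ab" * 12), bytes([192, 0, 2, 7])  # constructed
    puzzle, k = responder.r1_puzzle(hit_i, rloc_i)
    j = solve_puzzle(puzzle, k)  # Initiator side
    print("J =", j, "accepted:", responder.verify_i2(hit_i, rloc_i, j))
```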

Details about HIP puzzles

• Several approaches for the puzzle proposed

Image from “Cost-based and Time-based Analysis of DoS-resistance in HIP”

Good reading for this topic: “Analysis of the HIP Base Exchange Protocol”, Tuomas Aura, Aarthi Nagarajan and Andrei Gurtov, ACISP 2005

Effectiveness of HIP Puzzles

Image from “Cost-based and Time-based Analysis of DoS-resistance in HIP”

HIP Mobility

• Mapping system can carry several Locators
• Active emission of “Readdress” packets
• What about
  – Mobile nodes that move too fast for DNS?
  – If both nodes move at the same time?

HIP Rendezvous Mechanism

• RFC 5204-bis, recently expired
• HIP node can register with any “RVS” server, and note this in the HIT’s DNS entry
• Basically just relays the connection setup packets to the nodes’ recent locators

Source: rfc5204-bis-00

HIP Mobility and Security

• Mobility updates possibly a security weakness if sending too much data to a new Locator before receiving an adequate amount of data back

Threat Scenario

[Figure: DDoS Attackers, YouTube, DDoS Victim; the attackers send YouTube “Request big video or other resource”]

[Figure: the attackers then tell YouTube “Hey, we are all relocated!”, pointing at the DDoS Victim as their new locator]

[Figure: the same with “YouTube etc.”, i.e. many large content sources now sending to the DDoS Victim]

HIP Mobility and Security

• Use a credit algorithm for not fully trusted hosts asking for relocation
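One way to realise the credit algorithm, as an added example that is not from the slides and goes a little beyond the one-line bullet: credit for an unverified locator is earned only by data received from that peer, so the redirected flood in the threat scenario above is capped at what the attacker itself sent. The 1:1 credit rule, the aging factor and the byte counts are assumptions.

```python
from dataclasses import dataclass


@dataclass
class PeerCredit:
    """Credit-based authorization for one HIP peer (added example, not from the talk).

    Data received from the peer earns credit; while the peer's newly announced
    locator is unverified, data sent to it is limited to that credit. A forged
    "we are relocated" update can then redirect at most as many bytes to the
    victim as the attacker itself sent: no amplification.
    """
    locator: str
    credit: int = 0
    verified: bool = True          # the locator from the base exchange is trusted
    aging_factor: float = 0.5      # assumption: credit decays between aging rounds

    def on_receive(self, nbytes: int) -> None:
        """Inbound data proves the peer invests bandwidth; credit it 1:1."""
        self.credit += nbytes

    def on_readdress(self, new_locator: str) -> None:
        """Mobility update claims a new locator: switch to it, but treat it as
        unverified until a return-routability check to new_locator succeeds."""
        self.locator = new_locator
        self.verified = False

    def on_locator_verified(self) -> None:
        self.verified = True

    def may_send(self, nbytes: int) -> bool:
        """Decide whether nbytes may go to the current locator right now."""
        if self.verified:
            return True
        if nbytes <= self.credit:
            self.credit -= nbytes  # spend credit on the unverified path
            return True
        return False               # hold the data until the check completes

    def age_credit(self) -> None:
        """Periodically shrink credit so old traffic cannot be banked for later."""
        self.credit = int(self.credit * self.aging_factor)


def replay_threat_scenario() -> tuple[bool, bool, bool]:
    """The slide's scenario with constructed numbers: a 600-byte request, a
    relocation claim pointing at a victim, then a 5 MB video. Returns
    (small reply allowed, large reply to unverified victim blocked, large reply allowed once verified)."""
    peer = PeerCredit(locator="198.51.100.23")      # constructed attacker locator
    peer.on_receive(600)
    peer.on_readdress("203.0.113.10")               # constructed victim locator
    small_ok = peer.may_send(600)
    large_blocked = not peer.may_send(5_000_000)
    peer.on_locator_verified()                      # only happens if the new locator answers the check
    large_ok = peer.may_send(5_000_000)
    return small_ok, large_blocked, large_ok
```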

HIP Transport Security

• HIP proposes to use IPSEC’s ESP in transport mode

• Provides encryption for all layers above IP

HIP Privacy

• HITs do not have to be registered anywhere and/or kept constant over a long time

• Still, observation and correlation might reveal a lot

• “BLIND” approach uses hashes of <HIT, Random Number> to hide ID

• Other approaches use proxy servers to hide locators

Hi3

• Motivation: Puzzles only protect against CPU/Memory exhaustion attacks. Possible to protect against DDoS flood attacks?
• HIP using the “Internet Indirection Infrastructure” (i3)
• i3 forms the control plane. Using i3, the four-way handshake is completed safely
• IPsec-aware middle boxes (“SPINATs”) are placed into the data plane
• Responder tells
  – Initiator a SPINAT’s IP to use
  – SPINATs to open connections for properly authenticated source IPs
• Also provides mobility through Rendezvous service in i3

[Figure: Hi3 control plane (i3) and data plane (SPINATs)]

Acceptance of HIP

• Productively used at one Boeing factory
• Three open source implementations
  – OpenHIP, HIP4BSD, HIPL
• Active, growing user community

Sources

• There is a bunch of different people working on HIP, so sometimes it is hard to tell whether a paper talks about “the real HIP”

• What is the real HIP? Wikipedia says “HIP was specified in the IETF HIP working group. An Internet Research Task Force (IRTF) HIP research group looks at the broader impacts of HIP“

• So, the RFCs listed as “active” on the WG’s website are “binding”

So …

• Is LISP or HIP a better approach? What does the audience think?

• Actually, they are rather complementary than competing, as each of them is aiming for a different thing

• Yet, once one of them is implemented on a wide scale it might just succeed (interim solutions hold the longest!)

Summary

• HIP: Public keys as IDs, broad support, host-only approach

• LISP: “Delegated” EIDs, broad support, network-only approach

Backup Slides

Two approaches of LISP

• Map-and-Encap
  – Host sends packet to IPv4 address (which is an ID)
  – Egress router looks up Locator for this ID (map)
  – Egress router inserts a new IP layer into the packet containing the locators, thereby encapsulating the other IP header (which is the ID)
• Address Rewriting

[Figure: Map-and-Encap, from “The Locator Identifier Separation Protocol (LISP)” by David Meyer, Cisco Systems]

Two approaches of LISP

• Address Rewriting
  – Use top bits of IPv6 address as Locator, lower bits as identifier
  – Egress router maps (looks up Locator for ID) and rewrites the top bits
• However, probably due to the lack of IPv6 deployment, IPv4-compatible map-and-encap is used

[Slide credit: Dino, Dave, Jason, Vince, “LISP (RID-based)”, 10/2006, slide 102]

How LISP Works

[Figure: site 1.0.0.0/8 with host S (ID 1.1.1.1) and border routers A (1.1.1.10) and B (1.1.1.11); across the Internet, Provider A (10.0.0.0/8) and Provider B (11.0.0.0/8) reach routers C and D in front of host subnet 10.0.1.0/24 with host R (ID 10.0.1.1)]

S’s ID is 1.1.1.1. R’s ID is 10.0.1.1.

On host subnet 10.0.1.0/24: C is 10.0.1.12 (PA from Provider A), D is 10.0.1.13 (PA from Provider A)
On Loopback interfaces: C is 11.1.1.12 (PA from Provider B), D is 11.1.1.13 (PA from Provider B)

1) S wants to talk to R, S gets R’s ID from DNS
2) S sends packet to R with SA=1.1.1.1, DA=10.0.1.1
3) S’s default router is router A; A does route lookup for 10.0.1.1, matches on default route, indicator to tunnel encapsulate
4) A builds outer IP header with SA=1.1.1.10, DA=10.0.1.1, IP-prot=“LISP-control”
5) When packets flow to C, IP-prot “LISP-control” means to send an ICMP ID-mapping packet to SA (1.1.1.10); the ICMP packet contains Locators 10.0.1.12 & 11.1.1.12
6) A caches ID-mapping of 10.0.1.1 -> {10.0.1.12, 11.1.1.12}
7) For subsequent packets from S, A will set outer DA to 10.0.1.12 (the Locator for R), IP-prot=“LISP-data”
8) Packets are addressed to C, which decapsulates the tunnel packet and delivers to R.
9) If connectivity to 10.0.1.12 changes, because the Provider A path is down or R moves, A gets back an ICMP host-unreachable (from any router on the path) for address 10.0.1.12. Subsequent packets from S get encapsulated by A to address 11.1.1.12.
10) Periodically A can send IP-prot=“LISP-control” packets to the unreachable locator address and, when the SA is that Locator address in the returning ICMP ID-mapping message, A can conclude the Locator is reachable again
11) C could glean ID->Locator mapping when decapsulating and avoid the signalling step back.
12) A could encapsulate packets for S with alternating SA Locator address so when C gleans, it can get all Locator addresses for S’s ID.
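The twelve steps above replayed as an added Python example (not Cisco’s code or the slide’s): an ITR with a map-cache and locator failover, and an ETR that decapsulates and gleans. The addresses are the slide’s; the mapping lookup is a constructed stand-in for the ICMP ID-mapping reply of step 5.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str            # inner header carries IDs (EIDs), e.g. 1.1.1.1 -> 10.0.1.1
    dst: str
    payload: bytes = b""


@dataclass
class Encapsulated:
    outer_src: str      # outer header carries locators (RLOCs), added by the ITR
    outer_dst: str
    inner: Packet


# Constructed stand-in for the ICMP ID-mapping reply of step 5 (in later LISP,
# the ALT/DHT mapping system): EID -> locators in preference order.
MAPPINGS = {"10.0.1.1": ["10.0.1.12", "11.1.1.12"]}


class ITR:
    """Router A from the slide: map (steps 5-6), encap (step 7), failover (steps 9-10)."""

    def __init__(self, own_rloc: str, mapping_system=lambda eid: list(MAPPINGS[eid])):
        self.own_rloc = own_rloc                 # 1.1.1.10 on the slide
        self.mapping_system = mapping_system
        self.cache: dict[str, list[str]] = {}    # step 6: cached ID-mapping
        self.unreachable: set[str] = set()       # locators that returned host-unreachable

    def forward(self, pkt: Packet) -> Encapsulated:
        if pkt.dst not in self.cache:
            self.cache[pkt.dst] = self.mapping_system(pkt.dst)   # map
        for rloc in self.cache[pkt.dst]:
            if rloc not in self.unreachable:
                return Encapsulated(self.own_rloc, rloc, pkt)    # encap
        raise LookupError(f"no reachable locator for EID {pkt.dst}")

    def on_host_unreachable(self, rloc: str) -> None:
        """Step 9: ICMP host-unreachable for a locator; the next packet takes the alternate."""
        self.unreachable.add(rloc)

    def on_probe_answered(self, rloc: str) -> None:
        """Step 10: a LISP-control probe came back from that locator, so use it again."""
        self.unreachable.discard(rloc)


class ETR:
    """Router C from the slide: decapsulate (step 8) and glean (step 11)."""

    def __init__(self) -> None:
        self.gleaned: dict[str, set[str]] = {}

    def decapsulate(self, enc: Encapsulated) -> Packet:
        # Gleaning trusts the unauthenticated outer SA, so a spoofed outer header
        # would poison this cache; that is why step 11 is only a "could".
        self.gleaned.setdefault(enc.inner.src, set()).add(enc.outer_src)
        return enc.inner
```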
