experiencing a new internet architecture
play

Experiencing a new Internet Architecture Adrian Perrig, Network - PowerPoint PPT Presentation

Jun 24, 2023 •237 likes •730 views

Experiencing a new Internet Architecture Adrian Perrig, Network Security Group The Internet is on Fire! Lack of sovereignty Frequent outages https://downdetector.com Constant DDoS attacks https://www.digitalattackmap.com

  1. Experiencing a new Internet Architecture Adrian Perrig, Network Security Group

  2. The Internet is on Fire! • Lack of sovereignty • Frequent outages ▪ https://downdetector.com • Constant DDoS attacks ▪ https://www.digitalattackmap.com • Frequent routing attacks ▪ https://bgpstream.com • Lack of communication guarantees • Expensive maintenance 2

  3. Inspirations for a New Beginning ▪ Many exciting next-generation Internet projects over the past 25 years ▪ General Future Internet Architectures (FIA) • XIA: enhance flexibility to accommodate future needs • MobilityFirst: empower rapid mobility • Nebula (ICING, SERVAL): support cloud computing • NIMROD: improved scale and flexibility • NewArch (FARA, NIRA, XCP) • RINA: clean API abstractions simplify architecture ▪ Content-centric FIAs: NDN, CCNx, PSIRP , SAIL / NETINF ▪ Routing security: BGPSEC, S-BGP , soBGP , psBGP , SPV, PGBGP , H-NPBR ▪ Path control: MIRO, Deflection, Path splicing, Pathlet, I3 ▪ Inter-domain routing proposals: ChoiceNet, HLP , HAIR, RBF , AIP , POMO, ANA, ... ▪ Intra-domain / datacenter protocols: SDN, HALO, ... 3

  4. Why attempt redesigning Internet Architecture? ▪ We started our expedition asking the question: 
 How secure can a global Internet be? • Answer: global communication guarantees can be achieved as long as a path of benign domain exists ▪ During our journey we discovered that path-aware networking and multi-path communication are powerful concepts that can provide higher efficiency than a single-path Internet • Enables path optimization depending on application needs • Simultaneous use of several paths unlocks additional bandwidth ▪ Explore new networking concepts without the constraints imposed by current infrastructure! 4

  5. 
 Discoveries on our Journey ▪ During our journey, we have encountered many interesting discoveries ▪ Several discoveries suggest new approaches for inter-domain networking 
 The real voyage of discovery consists not in seeking new landscapes, but in having new eyes. Marcel Proust 5

  6. SCION Ambition: A Global Next-Generation Public Internet y c n - e i i t c l u i f m f e h d t n i w a y g n t i r i k u r c o e w s t e s h g n e e i H e t r n n a o a • w i r t a a a c u - h g i n t a u n P m o i m t a • c o c i n u h m t a m p o c l a b o l G • 6

  7. SCION Architecture Principles ▪ Stateless packet forwarding (no inconsistent forwarding state) ▪ “Instant convergence” routing ▪ Path-aware networking ▪ Multi-path communication ▪ High security through design and formal verification ▪ Sovereignty and transparency for trust roots 7

  8. Insight: Formal Security Verification Necessary ▪ To achieve strong assurance for a large-scale distributed system, formal security verification is necessary ▪ Performing formal verification from the beginning avoids “difficult-to-verify” components ▪ Many design aspects of SCION facilitate formal verification ▪ Collaboration with David Basin’s and Peter Müller’s teams in the VerifiedSCION project 8

  9. Approach for Scalability: Isolation Domain (ISD) ▪ Isolation Domain (ISD): grouping of Autonomous Systems (AS) ▪ ISD core: ASes that manage the ISD and provide global connectivity ▪ Core AS: AS that is part of ISD core TRC TRC TRC TRC TRC 9

  10. SCION Overview in One Slide Path-based Network Architecture I J Packet P1 Control Plane - Routing F → C → A Constructs and Disseminates A B A → I → J → M K M Path Segments M → P → S L C E Payload D N P O Data Plane - Packet forwarding F H Q S Combine Path Segments to Path G R Packets contain Path Packet P2 Routers forward packets based on F → D → B Path B → K → L Simple routers, stateless operation L → O → S Payload 10

  11. How to Deploy SCION: ISP ▪ CORE Routers are set up at the borders of an ISP • to peer with other SCION- enabled networks • to collect customer accesses ▪ No change to the internal network infrastructure of an ISP needed! 11

  12. How to Deploy SCION: End Domain ▪ SCION IP Gateway (SIG) enables seamless integration of SCION capabilities in end- domain networks Customer location SCION ROUTER ▪ No upgrades of end hosts or SIG applications needed SCION ROUTER No significant changes to Connection(s) to SCION-Router(s) VPN / Firewall / SDWAN designs SCION-native, Ethernet, MPLS, DIA, Broadband, 4G… 12

  13. Insight: Incremental Deployment Possible ▪ Incremental deployment of a new Internet architecture is possible, operating side-by-side with BGP ▪ For ISPs, new architecture can be deployed with minimal effort ▪ For end domains, SCION-IP Gateway (SIG) offers immediate benefits without updating any end hosts ▪ Important: no reliance on BGP for inter-domain operation (“BGP-free”) ▪ Overlay / insecure underlay should be avoided not to inherit vulnerabilities ▪ Re-use of intra-domain network architecture for local communication 13

  14. SCIONLab • Global SCION research testbed: https://www.scionlab.org • Collaboration with David Hausheer’s team at University of Magdeburg • Open to everyone: create and connect your own AS within minutes • ISPs: Swisscom, SWITCH, KDDI, GEANT, DFN • Deployed 35+ permanent ASes worldwide, 600+ user ASes • Contact us to become an infrastructure AS, we can provide HW • Kwon et al., “SCIONLab: A Next-Generation Internet Testbed”, ICNP 2020 14

  15. Exciting SCIONLab Research Opportunities ▪ Next-generation Internet architecture research ▪ Users obtain real ASes with all cryptographic credentials to participate in the control plane ▪ ASes can use their own computing resources and attach at several points in the SCIONLab network ▪ Path-aware networking testbed ▪ Hidden paths for secure IoT operation ▪ Control-plane PKI in place, each AS has certificate ▪ Network availability and performance measurement (bandwidth and latency) ▪ Supported features (PKI, DDoS defense mechanisms, path selection support, end host / application support) ▪ Inter-domain routing scalability research ▪ Multi-path research ▪ Multi-path QUIC socket ▪ End-to-end PKI system that application developers can rely on to build highly secure TLS applications ▪ Colibri inter-domain resource allocation system ▪ DDoS defense research using in-network defense mechanisms ▪ Next-generation routing architecture policy definitions 15

  16. SCION Production Network ▪ Led by Anapaya Systems BGP ▪ BGP-free global communication • Fault independent from BGP protocol ▪ Deployment with international ISPs • Goal: First global public secure communication network ▪ Construction of SCION network backbone at select locations to bootstrap adoption ▪ Current deployment • ISPs: Swisscom, Sunrise, SWITCH, + others joining soon • IXPs: SwissIX offers SCION peering, + others joining soon • Bank deployment: 4 major Swiss banks, some in production use 16

  17. Global Availability of Native SCION Connectivity ▪ Native SCION (BGP-free) connectivity: no reliance / dependency on BGP communication ▪ SCION deploying ISP’s networks are reaching global data centers and IXPs, offering native SCION connectivity ▪ Anapaya Connect: native SCION connectivity to 100+ data centers in 10+ countries • Further expansion next year:

  18. Online Resources ▪ https://www.scion-architecture.net ▪ Book, papers, videos, tutorials ▪ https://www.scionlab.org ▪ SCIONLab testbed infrastructure ▪ https://www.anapaya.net ▪ SCION commercialization ▪ https://github.com/scionproto/scion ▪ Source code 18

  19. SCION Summary ▪ SCION: Next-generation Internet you can use today! ▪ High-performance • Path-aware network enables application-specific optimizations to provide enhanced efficiency • Multi-path communication enables simultaneous use of multiple paths, increasing available bandwidth ▪ Secure, high assurance, high availability • Per-packet authentication verification possible on routers • Formal verification of protocols and code • Immune against routing attacks, e.g., BGP prefix hijacking 19

  20. Interesting Encounters on our Expedition ▪ Security • Global communication guarantees are possible • High-speed crypto enables line-rate processing ▪ Networking • Multi-path routing is a necessity, not a luxury • Improved scalability over BGP • Global QoS is viable 20

  21. Global Communication Guarantees in the Presence of Adversaries ▪ Goal: If (routing policy compliant) path of benign ASes exists (with operational infrastructure), a sender can find, use, and achieve minimum bandwidth guarantees on that path ▪ Challenges • Network routing instabilities, misconfigurations, etc. • DoS attacks at various levels (control plane, data plane, end host) 21

  22. Observation: Stable Forwarding + Multi-path Necessary ▪ Single-path forwarding cannot achieve strong availability guarantees • During routing protocol convergence, no path may be available • Equipment failure on path will result in unavailability until routing protocol updates and forwarding tables are adjusted • If forwarding path experiences high packet loss, then path is not usable for practical applications ▪ Approaches • Stable forwarding: packet-carried forwarding state protects forwarding from routing instabilities • Multi-path ensures presence of several paths, so as long as a single path works, end-to-end connectivity is assured 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How do you Improve on the Internet? The eXpressive Internet Architecture: The Internet has been

How do you Improve on the Internet? The eXpressive Internet Architecture: The Internet has been

5/15/2012 How do you Improve on the Internet? The eXpressive Internet Architecture: The Internet has been tremendously successful From Architecture to Network Has sustained tremendous growth g Supports very diverse set of applications

484 views • 10 slides
End-to-end principle All control in end stations by Dave Clark e.g. error and flow

End-to-end principle All control in end stations by Dave Clark e.g. error and flow

Introduction to routing in the Internet Internet architecture IPv4, ICMP, ARP Addressing, routing principles (Chapters 23 in Huitema) Internet-1 S-38.121 / Fall-04 / RKa, NB Internet Architecture Principles End-to-end principle All

893 views • 21 slides
Future Internet Future Internet Internet has evolved from 4-node network to ubiquituous, global

Future Internet Future Internet Internet has evolved from 4-node network to ubiquituous, global

An Architecture for An Architecture for Supporting Future Internet Supporting Future Internet Applications Applications Sebastian Mies Institute of Telematics, University of Karlsruhe (TH), Germany The SpoVNet Consortium: University of

268 views • 11 slides
Experiencing Technology Experiencing Technology before it exists: A Case Study before it Exists

Experiencing Technology Experiencing Technology before it exists: A Case Study before it Exists

Experiencing Technology Experiencing Technology before it exists: A Case Study before it Exists Perceptual and Sensory Augmented Computing Florian Michahelles (ETH Zurich) Bernt Schiele (TU Darmstadt) 1 Whats the Issue? Experiencing

539 views • 14 slides
Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture

Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture

Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture Addressing, routing principles Protocols: IPv4, ICMP, ARP (Chapters 23 in Huitema) Internet-1 S-38.2121 / Fall-07 / RKa, NB Ethernet Most

635 views • 26 slides
End-to-end principle by Dave Clark Hop-by-hop control vs. End-to-end control In X.25

End-to-end principle by Dave Clark Hop-by-hop control vs. End-to-end control In X.25

Introduction to routing in the Internet Internet architecture IPv4, ICMP, ARP Addressing, routing principles (Chapters 23 in Huitema) Internet-1 S-38.2121 / Fall-06 / RKa, NB Internet Architecture Principles End-to-end principle by Dave

669 views • 23 slides
HAIR: Hierarchical Architecture for Internet Routing Re-Architecting the Internet ReArch 09

HAIR: Hierarchical Architecture for Internet Routing Re-Architecting the Internet ReArch 09

HAIR: Hierarchical Architecture for Internet Routing Re-Architecting the Internet ReArch 09 Wolfgang Mhlbauer ETH Zrich / TU Berlin wolfgang.muehlbauer@tik.ee.ethz.ch Anja Feldmann Luca Cittadini Randy Bush Olaf Maennel Deutsche

403 views • 21 slides
A Fully-Flexible Internet Architecture for the Next-Generation Tactile Internet Mohamed Faten

A Fully-Flexible Internet Architecture for the Next-Generation Tactile Internet Mohamed Faten

2 nd Visions for Future Communications Summit Technologies and Services Towards 6G Introducing FlexNGIA: A Fully-Flexible Internet Architecture for the Next-Generation Tactile Internet Mohamed Faten Zhani cole de technologie suprieure

827 views • 57 slides
An Radical but Incrementally Deployable Vision for Future Internet Architecture James McCauley,

An Radical but Incrementally Deployable Vision for Future Internet Architecture James McCauley,

An Radical but Incrementally Deployable Vision for Future Internet Architecture James McCauley, Yotam Harchol, Aurojit Panda, Barath Raghavan, Scott Shenker (UC Berkeley, NYU, USC, ICSI) The Internet architecture of today Based on IP

477 views • 44 slides
Delivering Internet-of-Things (IoT) Services in MobilityFirst Future Internet Architecture Jun

Delivering Internet-of-Things (IoT) Services in MobilityFirst Future Internet Architecture Jun

Delivering Internet-of-Things (IoT) Services in MobilityFirst Future Internet Architecture Jun Li, Y. Shvartzshnaider, J. Francisco, R. Martin, K. Nagaraja and D. Raychaudhuri WINLAB, Rutgers University October 24-26 th , 2012 October 24-26,

451 views • 21 slides
Network Security Architecture 1 Additional Reading Firewalls and Internet Security:

Network Security Architecture 1 Additional Reading Firewalls and Internet Security:

Network Security Architecture 1 Additional Reading Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin, and Rubin. New second edition Firewall and Internet Security, the Second Hundred (Internet)

801 views • 78 slides
The network neutrality bot architecture: a preliminary approach for self-monitoring of Internet

The network neutrality bot architecture: a preliminary approach for self-monitoring of Internet

The network neutrality bot architecture: a preliminary approach for self-monitoring of Internet access QoS Simone Basso Antonio Servetti Juan Carlos De Martin NEXA Center for Internet & Society Politecnico di Torino, Italy

522 views • 14 slides
SEDA: An Architecture for Well-Conditioned Scalable Internet Services Matt Welsh, David Culler,

SEDA: An Architecture for Well-Conditioned Scalable Internet Services Matt Welsh, David Culler,

SEDA: An Architecture for Well-Conditioned Scalable Internet Services Matt Welsh, David Culler, and Eric Brewer presented by Ahn, Ki Yung Staged Event-Driven Architecture Designed for highly concurrent Internet services Applications are

493 views • 13 slides
Internet architecture Ov Over ervie iew Packet switching over circuit switching

Internet architecture Ov Over ervie iew Packet switching over circuit switching

Internet architecture Ov Over ervie iew Packet switching over circuit switching End-to-end principle and Hourglass design Layering of functionality Portland State University CS 430P/530 Internet, Web & Cloud Systems Pac

396 views • 22 slides
End-Middle-End Architecture for the Internet Olli-Pekka Lamminen TKK Networking Laboratory

End-Middle-End Architecture for the Internet Olli-Pekka Lamminen TKK Networking Laboratory

End-Middle-End Architecture for the Internet Olli-Pekka Lamminen TKK Networking Laboratory Outline End-Middle-End Architecture IRTF EME Research Group Requirements NUTSS Architecture Feasibility Considerations for

449 views • 14 slides
FUTURE INTERNET ARCHITECTURE Marc Mosko Palo Alto Research Center ACM ICN Panel 2016, Kyoto

FUTURE INTERNET ARCHITECTURE Marc Mosko Palo Alto Research Center ACM ICN Panel 2016, Kyoto

FUTURE INTERNET ARCHITECTURE Marc Mosko Palo Alto Research Center ACM ICN Panel 2016, Kyoto Japan 1 FUTURE INTERNET ARCHITECTURE Protocol Feature 2 FUTURE INTERNET ARCHITECTURE* Protocol Feature IPv6 Large address space,

76 views • 4 slides
The Global Fuel Economy Ini3a3ve Sheila Watson Execu3ve

The Global Fuel Economy Ini3a3ve Sheila Watson Execu3ve

The Global Fuel Economy Ini3a3ve Sheila Watson Execu3ve Director Global Fuel Economy Ini3a3ve HLPF NYC - July 18th 2016 WHAT CAN

292 views • 7 slides
MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n

MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n

MILS C Compl plete S ete Separa rati tion P n Platf tform orm P Protec ecti tion n Profi file le MILS CSP PP Viola Saftig, Dr. Igor Furgel Telekom Security - T-SYSTEMS INTERNATIONAL GmbH Content/Agenda 01 Motivation 02 MILS CSP

751 views • 23 slides
EU Research Funding (on Future Internet activities) - today and tomorrow An overview EUROVIEW

EU Research Funding (on Future Internet activities) - today and tomorrow An overview EUROVIEW

EU Research Funding (on Future Internet activities) - today and tomorrow An overview EUROVIEW 2011 02/08/11 Wrzburg Rdiger Martin European Commission Directorate General Information Society and Media Directorate D

723 views • 20 slides
Forest area, 1760-2000 Return * Since 1900, forest area in the 1,100 U.S. has remained

Forest area, 1760-2000 Return * Since 1900, forest area in the 1,100 U.S. has remained

TREND DATA TREND DATA Forest area, 1760-2000 Return * Since 1900, forest area in the 1,100 U.S. has remained statistically within 745 million acres +/-5% Primarily 1,000 agricultural with the lowest point in 1920 of clearing in 900 735

596 views • 17 slides
Random Matrix Advances in Machine Learning (Imaging and Machine Learning) Mathematics Workshop #3

Random Matrix Advances in Machine Learning (Imaging and Machine Learning) Mathematics Workshop #3

Random Matrix Advances in Machine Learning (Imaging and Machine Learning) Mathematics Workshop #3 Institut Henri Poincar e Romain COUILLET CentraleSup elec, L2S, University of ParisSaclay, France GSTATS IDEX DataScience Chair, GIPSA-lab,

1.65k views • 127 slides
Abstract Algebraic Logic 4th lesson Petr Cintula 1 and Carles Noguera 2 1 Institute of Computer

Abstract Algebraic Logic 4th lesson Petr Cintula 1 and Carles Noguera 2 1 Institute of Computer

Abstract Algebraic Logic 4th lesson Petr Cintula 1 and Carles Noguera 2 1 Institute of Computer Science, Academy of Sciences of the Czech Republic Prague, Czech Republic 2 Institute of Information Theory and Automation, Academy of Sciences of

415 views • 37 slides
How to Reconcile Symmetries and . . . Physical Theories with Case of a single particle Case of

How to Reconcile Symmetries and . . . Physical Theories with Case of a single particle Case of

The problem of free . . . Interval and fuzzy . . . What we plan to describe Symmetry How to Reconcile Symmetries and . . . Physical Theories with Case of a single particle Case of two particles the Idea of Free Will: Case of 3 particles: .

168 views • 15 slides
Comments on Green-Zhou Money as Mechanism in a Bewley Economy May 17, 2004 David K.

Comments on Green-Zhou Money as Mechanism in a Bewley Economy May 17, 2004 David K.

Comments on Green-Zhou Money as Mechanism in a Bewley Economy May 17, 2004 David K. Levine The Model dynamic pure exchange continuum economy with no aggregate risk individuals face private iid shocks perishable endowment

351 views • 8 slides

More recommend