Secure producer mobility in information-centric network Alberto - - PowerPoint PPT Presentation

SLIDE 1

Secure producer mobility in information-centric network

Alberto Compagno, Xuan Zeng, Luca Muscariello, Giovanna Carofiglio, Jordan Auge

Cisco, SystemX, UPMC

September 25, 2017

SLIDE 2

Mobility in 5G

§ 5G requirements on mobility:

§ Seamless (low latency, low packet loss, etc.)
§ Continuity over dense and heterogeneous access (LTE, WiFi)

§ Calls for new and effective mobility solutions

SLIDE 3

Support mobility in ICN

§ Consumer mobility -> naturally supported
§ Producer mobility -> challenging

§ Tracing-based approaches (KITE, MAP-Me) are promising:
§ Meet 5G requirements: low latency, low loss, low network overhead
§ Security considerations are inadequate

SLIDE 4

How does trace-based solution work?

[Figure: producer and routers R1-R4; Interest flow, Interest update (IU), FIB direction]

§ Producer updates the forwarding state (PIT or FIB) of a subset of routers

SLIDE 5

How does trace-based solution work?

[Figure: producer and routers R1-R4; Interest flow, FIB direction]

§ Producer updates the forwarding state (PIT or FIB) of a subset of routers

SLIDE 6

trace-based solution: prefix hijacking attack

Q: what if the IU comes from an attacker?

[Figure: routers R1-R4, Interest flow, FIB direction; an Interest update is sent by the attacker rather than by the producer]

SLIDE 7

trace-based solution: prefix hijacking attack

[Figure: routers R1-R4, Interest flow, FIB direction; the producer is black-holed, privacy is lost, and the attacker can pollute caches]

SLIDE 8

Challenges to protect trace-based approach from prefix hijacking?

SLIDE 9

Challenges to prevent prefix hijacking (1/2)

  • 1. Distributed
  • 2. Lightweight

[Figure: producer sending an Interest update]

SLIDE 10

Challenges to prevent prefix hijacking (2/2)

  • 3. Deal with an attacker that can compromise edge routers

[Figure: routers R1-R4, FIB direction; a compromised edge router may allow the attacker to generate valid IUs]

SLIDE 11

Existing approaches

§ Signature-based approach:

§ Expensive for hardware at the network access
§ See the evaluation section later

§ Session-key-based approach:

§ Cellular IP and TeleMIP: a stolen shared network key compromises the whole network

SLIDE 12

Our prefix attestation protocol?

SLIDE 13

Prefix attestation protocol: high level view

§ Only entitled producer can generate valid interest updates

§ Distribute minimal crypto info to the network
§ We call this crypto info the security context
§ Validate IUs locally

[Figure: the producer registers with a registration server, which distributes a security context to each router]

SLIDE 14

Prefix attestation protocol: high level view

§ Only entitled producer can generate valid interest updates

§ Distribute minimal crypto info to the network
§ We call this crypto info the security context
§ Validate IUs locally

[Figure: routers hold the distributed security context; the producer's IU is validated locally at each router]

SLIDE 15

How to design security context?

SLIDE 16

Security context requirements

§ Allow fast validation -> cryptographic hash
§ Allow routers to validate, but not to generate, a genuine IU -> hash chain

[Figure: routers R1-R4, FIB direction; goal: prevent the attacker from generating valid IUs]

SLIDE 17

Security context using hash chain

§ Hash chain (originally by Lamport): A authenticates to B

[Figure, 1st authentication: B holds H^n(s); A sends H^(n-1)(s); B hashes it once and compares with H^n(s): hash matches, OK]

SLIDE 18

Security context using hash chain

§ Hash chain (originally by Lamport): A authenticates to B

[Figure, 2nd authentication: B now holds H^(n-1)(s); A sends H^(n-2)(s); B hashes it once and compares: hash matches again, OK]

SLIDE 19

prefix attestation protocol: leveraging hash chain

§ Producer: the i-th IU is sent with H^(n-i)(s)

[Figure: the producer sends H^(n-1)(s), H^(n-2)(s), ..., H^(n-i)(s) with successive IUs; each router holds a security context table]

Security context table entry: producer prefix /p, seq. no. 0, sec. context H^n(s_p)
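As an added example (not code from the presentation or from its authors), a toy Python model of the hash-chain security context on slides 16-19: the producer reveals H^(n-i)(s_p) with the i-th IU, and a router validates each IU locally with a hash-and-compare check against its stored context, so it can validate but never generate a genuine IU. SHA-256 as H, the prefix /p, the seed and the chain length n are assumptions.

```python
import hashlib
# Added example, not the paper's code: toy model of the prefix attestation protocol
# (slides 16-19). SHA-256 stands in for H; chain length n and seed s_p are constructed.
def H(x: bytes) -> bytes: return hashlib.sha256(x).digest()

def hash_chain(seed: bytes, k: int) -> bytes:
    """Return H^k(seed): the seed hashed k times."""
    v = seed
    for _ in range(k):
        v = H(v)
    return v

class Producer:
    """Holds the secret seed s_p; the i-th interest update (IU) reveals H^(n-i)(s_p)."""
    def __init__(self, prefix: str, seed: bytes, n: int):
        self.prefix, self.seed, self.n, self.i = prefix, seed, n, 0
    def security_context(self):
        # Registration: anchor H^n(s_p) with sequence number 0, distributed to routers.
        return (self.prefix, 0, hash_chain(self.seed, self.n))
    def interest_update(self):
        if self.i >= self.n:
            raise RuntimeError("hash chain exhausted: security context must be refreshed")
        self.i += 1
        return (self.prefix, self.i, hash_chain(self.seed, self.n - self.i))

class Router:
    """Validates IUs locally; knows only the current chain value, never the seed."""
    def __init__(self):
        self.ctx = {}  # prefix -> (last accepted seq, H^(n-seq)(s_p))
    def install_context(self, prefix: str, seq: int, anchor: bytes):
        self.ctx[prefix] = (seq, anchor)
    def validate_iu(self, prefix: str, seq: int, value: bytes) -> bool:
        if prefix not in self.ctx:
            return False
        last_seq, anchor = self.ctx[prefix]
        if seq <= last_seq:
            return False  # replayed or stale IU: that chain value is already public
        # Hash forward seq-last_seq times (one hash normally, more if IUs were missed).
        if hash_chain(value, seq - last_seq) != anchor:
            return False  # forged IU: without the seed the attacker cannot invert H
        self.ctx[prefix] = (seq, value)  # advance the context to the revealed value
        return True

def demo():
    p, r = Producer("/p", b"constructed-seed-s_p", n=8), Router()
    r.install_context(*p.security_context())
    iu1 = p.interest_update()
    ok1, replay = r.validate_iu(*iu1), r.validate_iu(*iu1)
    p.interest_update()                            # IU 2 is lost in transit
    skipped = r.validate_iu(*p.interest_update())  # IU 3 still validates (two hashes)
    forged = r.validate_iu("/p", 4, b"\x00" * 32)  # attacker without the seed
    return ok1, replay, skipped, forged            # (True, False, True, False)
```

The router's work per IU is one hash in the common case, which is the cost the evaluation slides compare against signature verification.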

SLIDE 20

Evaluation?

SLIDE 21

Evaluation: computation overhead

Analytical model: goodput as a function of the fraction of interest updates

η = fraction of interest updates (%)

SLIDE 22

Evaluation: computation overhead

§ Optimal case: no verification on interest updates
§ Goodput decreases anyway, as IUs take up resources

SLIDE 23

Evaluation: computation overhead

§ Signature verification
§ Goodput drops to 0 with a small percentage of IUs (3%)

SLIDE 24

Evaluation: computation overhead

§ Hash chain: one hash per IU verification
§ Maintains 90% of the optimal goodput (low overhead)

SLIDE 25

Evaluation: computation overhead

§ Hash chain: many hashes per IU verification
§ At ~200 hashes, results are similar to signature verification

SLIDE 26

Evaluation: storage overhead

§ Storage overhead vs. number of mobile producers
§ Hash chain: 50 MB per router needed for millions of mobiles; more scalable

SLIDE 27

Conclusion & future work

§ We propose an attestation protocol to secure trace-based producer mobility in ICN:

§ Initial results confirm it is lightweight
§ Runs unchanged over different hardware

§ Future work:

§ Evaluation on real hardware and workloads
§ Exploit routing to refresh the security context

Thanks! xuan.zeng@irt-system.fr
