A multifold approach to address the security issues of stateful forwarding mechanisms in Information-Centric Networks

Salvatore Signorello 1
1 MADYNES - Management of dynamic networks and services
LORIA - NSS - Department of Networks, Systems and Services, Inria Nancy - Grand Est
Abstract: This work illustrates how today's dominant Internet usage trends motivate research on more content-oriented future network architectures. Among the emerging future Internet proposals, the promising Information-Centric Networking (ICN) research paradigm is presented. ICN aims to redesign the Internet's core protocols to promote a shift in focus from hosts to contents. Among the ICN architectures, Named-Data Networking (NDN) envisions users' named content requests being forwarded by their names in routers along the path from one consumer to one or many sources. NDN requests leave trails in traversed routers, which are then followed backwards by the requested contents. The Pending Interest Table (PIT) is the NDN data-plane component that temporarily records forwarded content requests in routers. On the one hand, this work explains that the PIT stateful mechanism enables properties like request aggregation, multicast response delivery and native hop-by-hop flow control. On the other hand, this work illustrates how the PIT stateful forwarding behavior can easily be abused by malicious users to mount disruptive distributed denial of service (DDoS) attacks, named Interest Flooding Attacks (IFAs). In IFAs, loosely coordinated botnets can flood the network with a large number of hard-to-satisfy requests with the aim of overloading both the network infrastructure and the content producers. This work proves that although countermeasures against IFAs have been proposed, a fair understanding of their real efficacy is missing, since they have been tested under simplistic assumptions about the evaluation scenarios. Overall, the work presented in this manuscript shapes a better understanding of both the implications of IFAs and the possibilities of improving the state-of-the-art defense mechanisms against these attacks. The main contributions of this work revolve around a security analysis of NDN's forwarding plane.
In particular, this work defines a more robust attacker model for IFAs by identifying flaws in the state-of-the-art IFA countermeasures. This work introduces a new set of IFAs built upon the proposed attacker model. The novel IFAs are used to re-assess the most effective existing IFA countermeasures. The results of this evaluation disprove the universal efficacy of the state-of-the-art IFA defense mechanisms and so call for different countermeasures to protect NDN against this threat. To overcome the revealed issue, this work also defines proactive IFA countermeasures, which are novel defense mechanisms against IFAs inspired by the issues with the state-of-the-art ones. This work introduces Charon, a novel proactive IFA countermeasure, and tests it against the novel IFAs. This work shows that Charon counteracts the latest stealthy IFAs better than the state-of-the-art reactive countermeasures. Finally, this work illustrates the NDN.p4 design, that is, the first implementation of an ICN protocol written in P4, the high-level language for packet processors. The NDN.p4 work is the first attempt in the related literature to leverage novel programmable-network technologies to test and evaluate different NDN forwarding plane designs. This last contribution also classifies existing alternative forwarding mechanisms with respect to a set of PIT cardinal properties. The work outlines that it is worth exploring alternative forwarding mechanisms with the aim of designing an NDN forwarding plane less vulnerable to the IFA threat.

https://tel.archives-ouvertes.fr/tel-01883287
Contributor : Abes Star
Submitted on : Thursday, September 27, 2018 - 11:16:15 PM
Last modification on : Tuesday, February 5, 2019 - 2:46:01 PM
Long-term archiving on : Friday, December 28, 2018 - 4:39:58 PM

File

DDOC_T_2018_0109_SIGNORELLO.pd...
Version validated by the jury (STAR)

Identifiers

  • HAL Id : tel-01883287, version 1

Citation

Salvatore Signorello. A multifold approach to address the security issues of stateful forwarding mechanisms in Information-Centric Networks. Networking and Internet Architecture [cs.NI]. Université de Lorraine, 2018. English. ⟨NNT : 2018LORR0109⟩. ⟨tel-01883287⟩
