experiencing a new internet architecture
play

Experiencing a new Internet Architecture Adrian Perrig, Network - PowerPoint PPT Presentation

Jun 24, 2023 •237 likes •730 views

Experiencing a new Internet Architecture Adrian Perrig, Network Security Group The Internet is on Fire! Lack of sovereignty Frequent outages https://downdetector.com Constant DDoS attacks https://www.digitalattackmap.com

  1. Experiencing a new Internet Architecture Adrian Perrig, Network Security Group

  2. The Internet is on Fire! • Lack of sovereignty • Frequent outages ▪ https://downdetector.com • Constant DDoS attacks ▪ https://www.digitalattackmap.com • Frequent routing attacks ▪ https://bgpstream.com • Lack of communication guarantees • Expensive maintenance 2

  3. Inspirations for a New Beginning ▪ Many exciting next-generation Internet projects over the past 25 years ▪ General Future Internet Architectures (FIA) • XIA: enhance flexibility to accommodate future needs • MobilityFirst: empower rapid mobility • Nebula (ICING, SERVAL): support cloud computing • NIMROD: improved scale and flexibility • NewArch (FARA, NIRA, XCP) • RINA: clean API abstractions simplify architecture ▪ Content-centric FIAs: NDN, CCNx, PSIRP , SAIL / NETINF ▪ Routing security: BGPSEC, S-BGP , soBGP , psBGP , SPV, PGBGP , H-NPBR ▪ Path control: MIRO, Deflection, Path splicing, Pathlet, I3 ▪ Inter-domain routing proposals: ChoiceNet, HLP , HAIR, RBF , AIP , POMO, ANA, ... ▪ Intra-domain / datacenter protocols: SDN, HALO, ... 3

  4. Why attempt redesigning Internet Architecture? ▪ We started our expedition asking the question: 
 How secure can a global Internet be? • Answer: global communication guarantees can be achieved as long as a path of benign domain exists ▪ During our journey we discovered that path-aware networking and multi-path communication are powerful concepts that can provide higher efficiency than a single-path Internet • Enables path optimization depending on application needs • Simultaneous use of several paths unlocks additional bandwidth ▪ Explore new networking concepts without the constraints imposed by current infrastructure! 4

  5. 
 Discoveries on our Journey ▪ During our journey, we have encountered many interesting discoveries ▪ Several discoveries suggest new approaches for inter-domain networking 
 The real voyage of discovery consists not in seeking new landscapes, but in having new eyes. Marcel Proust 5

  6. SCION Ambition: A Global Next-Generation Public Internet y c n - e i i t c l u i f m f e h d t n i w a y g n t i r i k u r c o e w s t e s h g n e e i H e t r n n a o a • w i r t a a a c u - h g i n t a u n P m o i m t a • c o c i n u h m t a m p o c l a b o l G • 6

  7. SCION Architecture Principles ▪ Stateless packet forwarding (no inconsistent forwarding state) ▪ “Instant convergence” routing ▪ Path-aware networking ▪ Multi-path communication ▪ High security through design and formal verification ▪ Sovereignty and transparency for trust roots 7

  8. Insight: Formal Security Verification Necessary ▪ To achieve strong assurance for a large-scale distributed system, formal security verification is necessary ▪ Performing formal verification from the beginning avoids “difficult-to-verify” components ▪ Many design aspects of SCION facilitate formal verification ▪ Collaboration with David Basin’s and Peter Müller’s teams in the VerifiedSCION project 8

  9. Approach for Scalability: Isolation Domain (ISD) ▪ Isolation Domain (ISD): grouping of Autonomous Systems (AS) ▪ ISD core: ASes that manage the ISD and provide global connectivity ▪ Core AS: AS that is part of ISD core TRC TRC TRC TRC TRC 9

  10. SCION Overview in One Slide Path-based Network Architecture I J Packet P1 Control Plane - Routing F → C → A Constructs and Disseminates A B A → I → J → M K M Path Segments M → P → S L C E Payload D N P O Data Plane - Packet forwarding F H Q S Combine Path Segments to Path G R Packets contain Path Packet P2 Routers forward packets based on F → D → B Path B → K → L Simple routers, stateless operation L → O → S Payload 10

  11. How to Deploy SCION: ISP ▪ CORE Routers are set up at the borders of an ISP • to peer with other SCION- enabled networks • to collect customer accesses ▪ No change to the internal network infrastructure of an ISP needed! 11

  12. How to Deploy SCION: End Domain ▪ SCION IP Gateway (SIG) enables seamless integration of SCION capabilities in end- domain networks Customer location SCION ROUTER ▪ No upgrades of end hosts or SIG applications needed SCION ROUTER No significant changes to Connection(s) to SCION-Router(s) VPN / Firewall / SDWAN designs SCION-native, Ethernet, MPLS, DIA, Broadband, 4G… 12

  13. Insight: Incremental Deployment Possible ▪ Incremental deployment of a new Internet architecture is possible, operating side-by-side with BGP ▪ For ISPs, new architecture can be deployed with minimal effort ▪ For end domains, SCION-IP Gateway (SIG) offers immediate benefits without updating any end hosts ▪ Important: no reliance on BGP for inter-domain operation (“BGP-free”) ▪ Overlay / insecure underlay should be avoided not to inherit vulnerabilities ▪ Re-use of intra-domain network architecture for local communication 13

  14. SCIONLab • Global SCION research testbed: https://www.scionlab.org • Collaboration with David Hausheer’s team at University of Magdeburg • Open to everyone: create and connect your own AS within minutes • ISPs: Swisscom, SWITCH, KDDI, GEANT, DFN • Deployed 35+ permanent ASes worldwide, 600+ user ASes • Contact us to become an infrastructure AS, we can provide HW • Kwon et al., “SCIONLab: A Next-Generation Internet Testbed”, ICNP 2020 14

  15. Exciting SCIONLab Research Opportunities ▪ Next-generation Internet architecture research ▪ Users obtain real ASes with all cryptographic credentials to participate in the control plane ▪ ASes can use their own computing resources and attach at several points in the SCIONLab network ▪ Path-aware networking testbed ▪ Hidden paths for secure IoT operation ▪ Control-plane PKI in place, each AS has certificate ▪ Network availability and performance measurement (bandwidth and latency) ▪ Supported features (PKI, DDoS defense mechanisms, path selection support, end host / application support) ▪ Inter-domain routing scalability research ▪ Multi-path research ▪ Multi-path QUIC socket ▪ End-to-end PKI system that application developers can rely on to build highly secure TLS applications ▪ Colibri inter-domain resource allocation system ▪ DDoS defense research using in-network defense mechanisms ▪ Next-generation routing architecture policy definitions 15

  16. SCION Production Network ▪ Led by Anapaya Systems BGP ▪ BGP-free global communication • Fault independent from BGP protocol ▪ Deployment with international ISPs • Goal: First global public secure communication network ▪ Construction of SCION network backbone at select locations to bootstrap adoption ▪ Current deployment • ISPs: Swisscom, Sunrise, SWITCH, + others joining soon • IXPs: SwissIX offers SCION peering, + others joining soon • Bank deployment: 4 major Swiss banks, some in production use 16

  17. Global Availability of Native SCION Connectivity ▪ Native SCION (BGP-free) connectivity: no reliance / dependency on BGP communication ▪ SCION deploying ISP’s networks are reaching global data centers and IXPs, offering native SCION connectivity ▪ Anapaya Connect: native SCION connectivity to 100+ data centers in 10+ countries • Further expansion next year:

  18. Online Resources ▪ https://www.scion-architecture.net ▪ Book, papers, videos, tutorials ▪ https://www.scionlab.org ▪ SCIONLab testbed infrastructure ▪ https://www.anapaya.net ▪ SCION commercialization ▪ https://github.com/scionproto/scion ▪ Source code 18

  19. SCION Summary ▪ SCION: Next-generation Internet you can use today! ▪ High-performance • Path-aware network enables application-specific optimizations to provide enhanced efficiency • Multi-path communication enables simultaneous use of multiple paths, increasing available bandwidth ▪ Secure, high assurance, high availability • Per-packet authentication verification possible on routers • Formal verification of protocols and code • Immune against routing attacks, e.g., BGP prefix hijacking 19

  20. Interesting Encounters on our Expedition ▪ Security • Global communication guarantees are possible • High-speed crypto enables line-rate processing ▪ Networking • Multi-path routing is a necessity, not a luxury • Improved scalability over BGP • Global QoS is viable 20

  21. Global Communication Guarantees in the Presence of Adversaries ▪ Goal: If (routing policy compliant) path of benign ASes exists (with operational infrastructure), a sender can find, use, and achieve minimum bandwidth guarantees on that path ▪ Challenges • Network routing instabilities, misconfigurations, etc. • DoS attacks at various levels (control plane, data plane, end host) 21

  22. Observation: Stable Forwarding + Multi-path Necessary ▪ Single-path forwarding cannot achieve strong availability guarantees • During routing protocol convergence, no path may be available • Equipment failure on path will result in unavailability until routing protocol updates and forwarding tables are adjusted • If forwarding path experiences high packet loss, then path is not usable for practical applications ▪ Approaches • Stable forwarding: packet-carried forwarding state protects forwarding from routing instabilities • Multi-path ensures presence of several paths, so as long as a single path works, end-to-end connectivity is assured 22

Recommend

How do you Improve on the Internet? The eXpressive Internet Architecture: The Internet has been

How do you Improve on the Internet? The eXpressive Internet Architecture: The Internet has been

5/15/2012 How do you Improve on the Internet? The eXpressive Internet Architecture: The Internet has been tremendously successful From Architecture to Network Has sustained tremendous growth g Supports very diverse set of applications

484 views • 10 slides
End-to-end principle All control in end stations by Dave Clark e.g. error and flow

End-to-end principle All control in end stations by Dave Clark e.g. error and flow

Introduction to routing in the Internet Internet architecture IPv4, ICMP, ARP Addressing, routing principles (Chapters 23 in Huitema) Internet-1 S-38.121 / Fall-04 / RKa, NB Internet Architecture Principles End-to-end principle All

893 views • 21 slides
Future Internet Future Internet Internet has evolved from 4-node network to ubiquituous, global

Future Internet Future Internet Internet has evolved from 4-node network to ubiquituous, global

An Architecture for An Architecture for Supporting Future Internet Supporting Future Internet Applications Applications Sebastian Mies Institute of Telematics, University of Karlsruhe (TH), Germany The SpoVNet Consortium: University of

268 views • 11 slides
Experiencing Technology Experiencing Technology before it exists: A Case Study before it Exists

Experiencing Technology Experiencing Technology before it exists: A Case Study before it Exists

Experiencing Technology Experiencing Technology before it exists: A Case Study before it Exists Perceptual and Sensory Augmented Computing Florian Michahelles (ETH Zurich) Bernt Schiele (TU Darmstadt) 1 Whats the Issue? Experiencing

539 views • 14 slides
Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture

Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture

Introduction to routing in the Internet Ethernet, switching vs. routing Internet architecture Addressing, routing principles Protocols: IPv4, ICMP, ARP (Chapters 23 in Huitema) Internet-1 S-38.2121 / Fall-07 / RKa, NB Ethernet Most

635 views • 26 slides
End-to-end principle by Dave Clark Hop-by-hop control vs. End-to-end control In X.25

End-to-end principle by Dave Clark Hop-by-hop control vs. End-to-end control In X.25

Introduction to routing in the Internet Internet architecture IPv4, ICMP, ARP Addressing, routing principles (Chapters 23 in Huitema) Internet-1 S-38.2121 / Fall-06 / RKa, NB Internet Architecture Principles End-to-end principle by Dave

669 views • 23 slides
HAIR: Hierarchical Architecture for Internet Routing Re-Architecting the Internet ReArch 09

HAIR: Hierarchical Architecture for Internet Routing Re-Architecting the Internet ReArch 09

HAIR: Hierarchical Architecture for Internet Routing Re-Architecting the Internet ReArch 09 Wolfgang Mhlbauer ETH Zrich / TU Berlin wolfgang.muehlbauer@tik.ee.ethz.ch Anja Feldmann Luca Cittadini Randy Bush Olaf Maennel Deutsche

403 views • 21 slides
A Fully-Flexible Internet Architecture for the Next-Generation Tactile Internet Mohamed Faten

A Fully-Flexible Internet Architecture for the Next-Generation Tactile Internet Mohamed Faten

2 nd Visions for Future Communications Summit Technologies and Services Towards 6G Introducing FlexNGIA: A Fully-Flexible Internet Architecture for the Next-Generation Tactile Internet Mohamed Faten Zhani cole de technologie suprieure

827 views • 57 slides
An Radical but Incrementally Deployable Vision for Future Internet Architecture James McCauley,

An Radical but Incrementally Deployable Vision for Future Internet Architecture James McCauley,

An Radical but Incrementally Deployable Vision for Future Internet Architecture James McCauley, Yotam Harchol, Aurojit Panda, Barath Raghavan, Scott Shenker (UC Berkeley, NYU, USC, ICSI) The Internet architecture of today Based on IP

477 views • 44 slides
Delivering Internet-of-Things (IoT) Services in MobilityFirst Future Internet Architecture Jun

Delivering Internet-of-Things (IoT) Services in MobilityFirst Future Internet Architecture Jun

Delivering Internet-of-Things (IoT) Services in MobilityFirst Future Internet Architecture Jun Li, Y. Shvartzshnaider, J. Francisco, R. Martin, K. Nagaraja and D. Raychaudhuri WINLAB, Rutgers University October 24-26 th , 2012 October 24-26,

451 views • 21 slides
Network Security Architecture 1 Additional Reading Firewalls and Internet Security:

Network Security Architecture 1 Additional Reading Firewalls and Internet Security:

Network Security Architecture 1 Additional Reading Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin, and Rubin. New second edition Firewall and Internet Security, the Second Hundred (Internet)

801 views • 78 slides
The network neutrality bot architecture: a preliminary approach for self-monitoring of Internet

The network neutrality bot architecture: a preliminary approach for self-monitoring of Internet

The network neutrality bot architecture: a preliminary approach for self-monitoring of Internet access QoS Simone Basso Antonio Servetti Juan Carlos De Martin NEXA Center for Internet & Society Politecnico di Torino, Italy

522 views • 14 slides
SEDA: An Architecture for Well-Conditioned Scalable Internet Services Matt Welsh, David Culler,

SEDA: An Architecture for Well-Conditioned Scalable Internet Services Matt Welsh, David Culler,

SEDA: An Architecture for Well-Conditioned Scalable Internet Services Matt Welsh, David Culler, and Eric Brewer presented by Ahn, Ki Yung Staged Event-Driven Architecture Designed for highly concurrent Internet services Applications are

493 views • 13 slides
Internet architecture Ov Over ervie iew Packet switching over circuit switching

Internet architecture Ov Over ervie iew Packet switching over circuit switching

Internet architecture Ov Over ervie iew Packet switching over circuit switching End-to-end principle and Hourglass design Layering of functionality Portland State University CS 430P/530 Internet, Web & Cloud Systems Pac

396 views • 22 slides
End-Middle-End Architecture for the Internet Olli-Pekka Lamminen TKK Networking Laboratory

End-Middle-End Architecture for the Internet Olli-Pekka Lamminen TKK Networking Laboratory

End-Middle-End Architecture for the Internet Olli-Pekka Lamminen TKK Networking Laboratory Outline End-Middle-End Architecture IRTF EME Research Group Requirements NUTSS Architecture Feasibility Considerations for

449 views • 14 slides
FUTURE INTERNET ARCHITECTURE Marc Mosko Palo Alto Research Center ACM ICN Panel 2016, Kyoto

FUTURE INTERNET ARCHITECTURE Marc Mosko Palo Alto Research Center ACM ICN Panel 2016, Kyoto

FUTURE INTERNET ARCHITECTURE Marc Mosko Palo Alto Research Center ACM ICN Panel 2016, Kyoto Japan 1 FUTURE INTERNET ARCHITECTURE Protocol Feature 2 FUTURE INTERNET ARCHITECTURE* Protocol Feature IPv6 Large address space,

76 views • 4 slides
Internet Architecture WG : DoS-resistant Internet Subgroup Report Mark Handley University

Internet Architecture WG : DoS-resistant Internet Subgroup Report Mark Handley University

Internet Architecture WG : DoS-resistant Internet Subgroup Report Mark Handley University College London DoS-Resistant Internet Working Group Initial meeting held January 27th in London: The objective of the initial meeting is to share

316 views • 27 slides
Internet Governance Session 27 INST 346 Technologies, Infrastructure and Architecture

Internet Governance Session 27 INST 346 Technologies, Infrastructure and Architecture

Internet Governance Session 27 INST 346 Technologies, Infrastructure and Architecture Layers of Internet Governance Physical Infrastructure Logical Layer Content Layer Agenda Jurisdiction Internet Engineering Task

560 views • 9 slides
Enabling Conferencing Applications on the Internet using an Overlay Multicast Architecture

Enabling Conferencing Applications on the Internet using an Overlay Multicast Architecture

Enabling Conferencing Applications on the Internet using an Overlay Multicast Architecture Yang-hua Chu, Sanjay Rao, Srini Seshan and Hui Zhang Carnegie Mellon University Supporting Multicast on the Internet Application ? At which layer

666 views • 32 slides
Modern Internet architecture, technology & philosophy Advanced Internet Services Dept. of

Modern Internet architecture, technology & philosophy Advanced Internet Services Dept. of

1 2/23/15 AIS 2015 Modern Internet architecture, technology & philosophy Advanced Internet Services Dept. of Computer Science Columbia University Henning Schulzrinne Spring 2015 02/23/2015 2/23/15 AIS 2015 NETWORK EVOLUTION &

684 views • 56 slides
Architecture for Secure Internet Multicast R. Canetti, P-C. Cheng, F.Giraud, D. Pendarakis, J.R.

Architecture for Secure Internet Multicast R. Canetti, P-C. Cheng, F.Giraud, D. Pendarakis, J.R.

An IPSec-based Host Architecture for Secure Internet Multicast R. Canetti, P-C. Cheng, F.Giraud, D. Pendarakis, J.R. Rao, P. Rohatgi, IBM Research D. Saha Lucent Technologies Motivation In todays Internet the need for efficient and

337 views • 22 slides
Modern Internet architecture, technology & philosophy Advanced Internet Services Dept. of

Modern Internet architecture, technology & philosophy Advanced Internet Services Dept. of

1 3/2/15 AIS 2015 Modern Internet architecture, technology & philosophy Advanced Internet Services Dept. of Computer Science Columbia University Henning Schulzrinne Spring 2015 03/02/2015 2 3/2/15 AIS 2015 Objectives Why do

459 views • 41 slides
Outline The eXpressive Internet Architecture a proposal Example and concepts E l d

Outline The eXpressive Internet Architecture a proposal Example and concepts E l d

6/29/2011 XIA: An Architecture for a Trustworthy and Evolvable Internet Peter Steenkiste Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Hui Zhang Carnegie Mellon University Aditya Akella, University

678 views • 21 slides
SEDA: An Architecture for Well- Conditioned Scalable Internet Services Overview What does

SEDA: An Architecture for Well- Conditioned Scalable Internet Services Overview What does

CS533 Concepts of Operating Systems Jonathan Walpole SEDA: An Architecture for Well- Conditioned Scalable Internet Services Overview What does well-conditioned mean? Internet service architectures - thread per request - thread pools - event

534 views • 28 slides

More recommend