Capability-Based Security Enforcement in Named Data Networking

Named data networking (NDN) enhances traditional IP networking by supporting in-network content caching for better bandwidth usage and location-independent data access for multi-path forwarding. However, NDN also brings new security challenges. For example, an adversary can arbitrarily inject packets into NDN to poison the content cache, or access content packets without any restriction. We propose CSEA, a capability-based security enforcement architecture that enables data authenticity in NDN in a distributed manner. CSEA leverages capabilities to specify the access rights of forwarded packets. It allows NDN routers to verify the authenticity of forwarded packets, and throttles flooding-based DoS attacks from unsolicited packets. We further develop a lightweight one-time signature scheme for CSEA to ensure the timeliness of packets and support efficient verification. We prototype CSEA on the open-source CCNx platform, and evaluate CSEA via testbed and PlanetLab experiments. Our experimental results show that CSEA only incurs around 4% of additional delay in retrieving data packets.
