SlideShare ist ein Scribd-Unternehmen logo

Signpost at FOCI 2013

Amir Chaudhry
Amir Chaudhry

Anil presented the Signpost project at the Usenix Security workshop in Free and Open Communication on the Internet

Technologie
1 von 35
Downloaden Sie, um offline zu lesen
Lost in the Edge: Finding Your Way with Signposts Charalampos Rotsos, Heidi Howard, David Sheets, Richard Mortier,† Anil Madhavapeddy, Amir Chaudhry, Jon Crowcroft http://anil.recoil.org/papers/2013-foci-slides.pdf University of Cambridge, UK † University of Nottingham, UK anil@recoil.org 13th August, 2013
Introduction Signposts Conclusions Challenge & Constraints Contents 1 Introduction Challenge & Constraints Building on DNS 2 Signposts Architecture Components 3 Conclusions Implications Questions
Introduction Signposts Conclusions Challenge & Constraints The Challenge Centralised cloud-hosted services are convenient but create risks: Loss of data and services due to service shutdown (whether for commercial or political reasons)
Introduction Signposts Conclusions Challenge & Constraints The Challenge Centralised cloud-hosted services are convenient but create risks: Loss of data and services due to service shutdown (whether for commercial or political reasons) Global passive observers recording all 1.6% traffic
Introduction Signposts Conclusions Challenge & Constraints The Challenge Centralised cloud-hosted services are convenient but create risks: Loss of data and services due to service shutdown (whether for commercial or political reasons) Global passive observers recording all 1.6% traffic Inefficient and inconvenient synchronisation in mobile and offline environments
Introduction Signposts Conclusions Challenge & Constraints The Challenge Centralised cloud-hosted services are convenient but create risks: Loss of data and services due to service shutdown (whether for commercial or political reasons) Global passive observers recording all 1.6% traffic Inefficient and inconvenient synchronisation in mobile and offline environments Our Approach Use DNS to enable personal clouds, making it easy to deploy apps that function securely and efficiently across our own device network, across the Internet edge.
Introduction Signposts Conclusions Challenge & Constraints Constraints Compatibility. Can’t require users to change all their apps. Security. Need to control access to our personal devices: requires authentication and confidentiality. Connectivity. Need to be able to interconnect devices whatever network is available.
Introduction Signposts Conclusions Challenge & Constraints Constraints Compatibility. Can’t require users to change all their apps. Security. Need to control access to our personal devices: requires authentication and confidentiality. Connectivity. Need to be able to interconnect devices whatever network is available. Data vs Orchestration What’s the minimal network infrastructure that we can deploy to represent individual users on the core Internet?
Introduction Signposts Conclusions Challenge & Constraints Regaining Connectivity Network Address Translation (NAT) killed end-to-end IP addressing 192.168.1.2 192.168.1.1 / 89.16.177.154 192.168.1.2 86.30.244.239 / 192.168.1.1 Packet filtering makes tunnel setup dynamic (Full-cone NAT? Is UDP blocked? IPSec?)
Introduction Signposts Conclusions Challenge & Constraints Regaining Connectivity Network Address Translation (NAT) killed end-to-end IP addressing 192.168.1.2 192.168.1.1 / 89.16.177.154 192.168.1.2 86.30.244.239 / 192.168.1.1 Packet filtering makes tunnel setup dynamic (Full-cone NAT? Is UDP blocked? IPSec?) Redirection and proxies (e.g., Wifi hotspots) require traversal
Introduction Signposts Conclusions Challenge & Constraints Regaining Connectivity Network Address Translation (NAT) killed end-to-end IP addressing 192.168.1.2 192.168.1.1 / 89.16.177.154 192.168.1.2 86.30.244.239 / 192.168.1.1 Packet filtering makes tunnel setup dynamic (Full-cone NAT? Is UDP blocked? IPSec?) Redirection and proxies (e.g., Wifi hotspots) require traversal Multipath is increasingly available (e.g., 3G + Wifi)
Introduction Signposts Conclusions Building on DNS Contents 1 Introduction Challenge & Constraints Building on DNS 2 Signposts Architecture Components 3 Conclusions Implications Questions
Introduction Signposts Conclusions Building on DNS DNS DNS is THE Internet naming standard: Supported in almost every embedded device. Naturally hierarchical and cacheable. Flexible and ”extensible”. Resolver infrastructure exists almost everywhere (including censorship).
Introduction Signposts Conclusions Building on DNS DNS Today # host recoil.org recoil.org has address 89.16.177.154 recoil.org mail is handled by 10 dark.recoil.org. recoil.org mail is handled by 20 mx-caprica.easydns.com.
Introduction Signposts Conclusions Building on DNS DNS Today # host recoil.org recoil.org has address 89.16.177.154 recoil.org mail is handled by 10 dark.recoil.org. recoil.org mail is handled by 20 mx-caprica.easydns.com. Why can’t we have stronger DNS bindings between edge devices? # host ipad.home.anil.recoil.org ipad.home.anil.recoil.org has address 192.168.1.19
Introduction Signposts Conclusions Building on DNS DNS Manipulation DNS is already manipulated: content networks differentiate results by the query source so the nearest CDN node can serve data Indeed, “DNS servers can play games. As long as they appear to deliver a syntactically correct response to every query, they can fiddle the semantics.” — RFC3234
Introduction Signposts Conclusions Building on DNS DNS Manipulation DNS is already manipulated: content networks differentiate results by the query source so the nearest CDN node can serve data Indeed, “DNS servers can play games. As long as they appear to deliver a syntactically correct response to every query, they can fiddle the semantics.” — RFC3234 Names for The Average Joe But there’s nowhere for individuals to easily host their own little name services online. Change this, and everything improves.
Introduction Signposts Conclusions Building on DNS DNS Security Authentication. DNSSEC provides a standard, deployed security model where identity chains are established by trusting the registrars or other trust anchors Confidentiality. DNSCurve adds confidentiality, repudiability, integrity, and authentication to name resolution through an Elliptic Curve Cryptographic tunnel; can trade compatibility against overhead, with 255-bit Curve25519 keys offering complexity equivalent to 3072-bit RSA
Introduction Signposts Conclusions Architecture Contents 1 Introduction Challenge & Constraints Building on DNS 2 Signposts Architecture Components 3 Conclusions Implications Questions
Introduction Signposts Conclusions Architecture Architecture DNSCurve IP,TCP, UDP, ... Signpost Device DNS Resolver Applications Signpost (home) gethostbyname() DynamicTunnels At the edge, devices interconnect using tunnels created in response to authenticated, confidential DNSCurve queries. Connections access-controlled via authenticated query source.
Introduction Signposts Conclusions Architecture Architecture DNSCurve IP,TCP, UDP, ... Signpost Device Edge DNS Resolver Applications Signpost (home) Signpost (laptop) Signpost (cloud) gethostbyname() DynamicTunnels At the edge, devices interconnect using tunnels created in response to authenticated, confidential DNSCurve queries. Connections access-controlled via authenticated query source.
Introduction Signposts Conclusions Architecture Architecture DNSSEC DNSCurve IP,TCP, UDP, ... Signpost Device Edge Internet Bob's Device Cloud DNS Resolver Applications Signpost (home) Signpost (laptop) Alice's Device Cloud Signpost (cloud) gethostbyname() DynamicTunnels At the edge, devices interconnect using tunnels created in response to authenticated, confidential DNSCurve queries. Connections access-controlled via authenticated query source.
Introduction Signposts Conclusions Components Contents 1 Introduction Challenge & Constraints Building on DNS 2 Signposts Architecture Components 3 Conclusions Implications Questions
Introduction Signposts Conclusions Components Active Edge Resolution Incremental, parallel resolution via 0 TTL responses containing multiple results.
Introduction Signposts Conclusions Components Active Edge Resolution Incremental, parallel resolution via 0 TTL responses containing multiple results. Bootstrap trusted public keys between devices via resurrecting duckling. No passwords during resolution.
Introduction Signposts Conclusions Components Active Edge Resolution Incremental, parallel resolution via 0 TTL responses containing multiple results. Bootstrap trusted public keys between devices via resurrecting duckling. No passwords during resolution. Degrade gracefully from P2P to personal cloud service to shared provider.
Introduction Signposts Conclusions Components Active Edge Resolution Incremental, parallel resolution via 0 TTL responses containing multiple results. Bootstrap trusted public keys between devices via resurrecting duckling. No passwords during resolution. Degrade gracefully from P2P to personal cloud service to shared provider. Resolution triggers tunnel establishment scripts; currently support (L2) Tuntap/SSH, OpenVPN, (L3) IPSec, (L4+) Privoxy/Tor via SOCKS
Introduction Signposts Conclusions Components Active Edge Resolution Incremental, parallel resolution via 0 TTL responses containing multiple results. Bootstrap trusted public keys between devices via resurrecting duckling. No passwords during resolution. Degrade gracefully from P2P to personal cloud service to shared provider. Resolution triggers tunnel establishment scripts; currently support (L2) Tuntap/SSH, OpenVPN, (L3) IPSec, (L4+) Privoxy/Tor via SOCKS Seamless operation with extra host support (e.g., OpenFlow)
Introduction Signposts Conclusions Components Identity Management Automatic, internal key management in a personal trust hierarchy simplifies hygiene. TSIG/SIG0 DNSSEC signatures used to demonstrate subnamespace authority. Manage keys for SSH, PGP, *Curve in parallel. Provides low-friction revocation, making rollover usable by mortals (?)
Introduction Signposts Conclusions Components Programming Model Currently: Sockets API decouples getaddrinfo(3) from connect(2), so less powerful. With Signposts: Applications bind names to flows in one call, separating connection establishment from data transfer, Signpost nodes select environmentally optimal routes via long-poll DNSCurve updates Signpost resolver proxies DNS on localhost, late-binding lookups only when traffic is sent (e.g., TCP SYN)
Introduction Signposts Conclusions Components Work-in-Progress Resolution. Looking to more efficient path establishment than “try everything at once” Identity. Automating key derivation & management Programming. Exploring details, e.g., need to patch OpenSSL, provide local OpenFlow switch; more in The Case for Reconfigurable I/O Channels, RESoLVE 2012 (http://anil.recoil.org/papers/) Implementation. May be easier to support applications that use sockets via lightweight VMs (e.g., http://openmirage.org with Message Switch, http://github.com/djs55/message-switch)
Introduction Signposts Conclusions Implications Contents 1 Introduction Challenge & Constraints Building on DNS 2 Signposts Architecture Components 3 Conclusions Implications Questions
Introduction Signposts Conclusions Implications Alternatives & Possibilities Signpost uses DNS as a device-facing interface for compatibility – but could support alternative mechanisms for upstream resolution: Perspectives (http://perspectives-project.org/) offers a P2P trust network Namecoin (http://namecoin.info/) provides decentralized naming but has economic issues. When widely deployed, a set of Signposts could help with: Tor. Constructing a mix zone, perhaps using Dustclounds (http://anil.recoil.org/papers/2010-iswp-dustclouds.pdf) Dissent (http://dedis.cs.yale.edu/2010/anon/), simplifying its use by Average Joe.
Introduction Signposts Conclusions Questions Contents 1 Introduction Challenge & Constraints Building on DNS 2 Signposts Architecture Components 3 Conclusions Implications Questions
Introduction Signposts Conclusions Questions Thank you! Questions? https://github.com/signposts https://github.com/mirage

Empfohlen

Transition to ipv6 cgv6-edited
Transition to ipv6 cgv6-editedTransition to ipv6 cgv6-edited
Transition to ipv6 cgv6-editedFred Bovy
 
Introduction P2p
Introduction P2pIntroduction P2p
Introduction P2pDavide Carboni
 
50120140507006
5012014050700650120140507006
50120140507006IAEME Publication
 
Approaches for Mitigating Discovery Problems in Larger Systems
Approaches for Mitigating Discovery Problems in Larger SystemsApproaches for Mitigating Discovery Problems in Larger Systems
Approaches for Mitigating Discovery Problems in Larger SystemsReal-Time Innovations (RTI)
 
RSA and RC4 Cryptosystem Performance Evaluation Using Image and Text
RSA and RC4 Cryptosystem Performance Evaluation Using Image and TextRSA and RC4 Cryptosystem Performance Evaluation Using Image and Text
RSA and RC4 Cryptosystem Performance Evaluation Using Image and TextYekini Nureni
 
Context-Aware Configuration and Management of WiFi Direct Groups for Real Opp...
Context-Aware Configuration and Management of WiFi Direct Groups for Real Opp...Context-Aware Configuration and Management of WiFi Direct Groups for Real Opp...
Context-Aware Configuration and Management of WiFi Direct Groups for Real Opp...Mattia Campana
 
DDS Security
DDS SecurityDDS Security
DDS SecurityReal-Time Innovations (RTI)
 
DNSSEC Validation Tutorial
DNSSEC Validation TutorialDNSSEC Validation Tutorial
DNSSEC Validation TutorialAPNIC
 

Empfohlen

Transition to ipv6 cgv6-edited
Transition to ipv6 cgv6-editedTransition to ipv6 cgv6-edited
Transition to ipv6 cgv6-editedFred Bovy
 
Introduction P2p
Introduction P2pIntroduction P2p
Introduction P2pDavide Carboni
 
50120140507006
5012014050700650120140507006
50120140507006IAEME Publication
 
Approaches for Mitigating Discovery Problems in Larger Systems
Approaches for Mitigating Discovery Problems in Larger SystemsApproaches for Mitigating Discovery Problems in Larger Systems
Approaches for Mitigating Discovery Problems in Larger SystemsReal-Time Innovations (RTI)
 
RSA and RC4 Cryptosystem Performance Evaluation Using Image and Text
RSA and RC4 Cryptosystem Performance Evaluation Using Image and TextRSA and RC4 Cryptosystem Performance Evaluation Using Image and Text
RSA and RC4 Cryptosystem Performance Evaluation Using Image and TextYekini Nureni
 
Context-Aware Configuration and Management of WiFi Direct Groups for Real Opp...
Context-Aware Configuration and Management of WiFi Direct Groups for Real Opp...Context-Aware Configuration and Management of WiFi Direct Groups for Real Opp...
Context-Aware Configuration and Management of WiFi Direct Groups for Real Opp...Mattia Campana
 
DDS Security
DDS SecurityDDS Security
DDS SecurityReal-Time Innovations (RTI)
 
DNSSEC Validation Tutorial
DNSSEC Validation TutorialDNSSEC Validation Tutorial
DNSSEC Validation TutorialAPNIC
 
zenoh: zero overhead pub/sub store/query compute
zenoh: zero overhead pub/sub store/query computezenoh: zero overhead pub/sub store/query compute
zenoh: zero overhead pub/sub store/query computeAngelo Corsaro
 
APAC-05 XMPP AccessGrid presentation
APAC-05 XMPP AccessGrid presentationAPAC-05 XMPP AccessGrid presentation
APAC-05 XMPP AccessGrid presentationSteve Smith
 
Security analysis of fbdk block cipher for digital images
Security analysis of fbdk block cipher for digital imagesSecurity analysis of fbdk block cipher for digital images
Security analysis of fbdk block cipher for digital imageseSAT Journals
 
A1803020108
A1803020108A1803020108
A1803020108IOSR Journals
 
82 86
82 8682 86
82 86Editor IJARCET
 
G43053847
G43053847G43053847
G43053847IJERA Editor
 
Profile_Prateek
Profile_PrateekProfile_Prateek
Profile_PrateekPrateek Mathur
 
Review on Protocols of Virtual Private Network
Review on Protocols of Virtual Private NetworkReview on Protocols of Virtual Private Network
Review on Protocols of Virtual Private NetworkIRJET Journal
 
Pki by Steve Lamb
Pki by Steve LambPki by Steve Lamb
Pki by Steve LambInformation Security Awareness Group
 
Hacking 05 2011
Hacking 05 2011Hacking 05 2011
Hacking 05 2011Felipe Prado
 
Image Cryptography using RSA Algorithm
Image Cryptography using RSA AlgorithmImage Cryptography using RSA Algorithm
Image Cryptography using RSA Algorithmijtsrd
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slidesDan Kaminsky
 
IRJET- Data Transmission using RSA Algorithm
IRJET- Data Transmission using RSA AlgorithmIRJET- Data Transmission using RSA Algorithm
IRJET- Data Transmission using RSA AlgorithmIRJET Journal
 
eProsima RPC over DDS - Connext Conf London October 2015
eProsima RPC over DDS - Connext Conf London October 2015 eProsima RPC over DDS - Connext Conf London October 2015
eProsima RPC over DDS - Connext Conf London October 2015 Jaime Martin Losa
 
IMPROVING IPV6 ADDRESSING TYPES AND SIZE
IMPROVING IPV6 ADDRESSING TYPES AND SIZEIMPROVING IPV6 ADDRESSING TYPES AND SIZE
IMPROVING IPV6 ADDRESSING TYPES AND SIZEIJCNCJournal
 
Cisco discovery d homesb module 10 final exam - v.4 in english.
Cisco discovery d homesb module 10 final exam - v.4 in english.Cisco discovery d homesb module 10 final exam - v.4 in english.
Cisco discovery d homesb module 10 final exam - v.4 in english.igede tirtanata
 
How do Things talk? IoT Application Protocols 101
How do Things talk? IoT Application Protocols 101How do Things talk? IoT Application Protocols 101
How do Things talk? IoT Application Protocols 101Christian Götz
 
Access control in decentralized online social networks applying a policy hidi...
Access control in decentralized online social networks applying a policy hidi...Access control in decentralized online social networks applying a policy hidi...
Access control in decentralized online social networks applying a policy hidi...IGEEKS TECHNOLOGIES
 
Web Services Discovery for Devices
Web Services Discovery for DevicesWeb Services Discovery for Devices
Web Services Discovery for DevicesJorgen Thelin
 
A Deep Dive in the World of IT Networking (Part 2)
A Deep Dive in the World of IT Networking (Part 2)A Deep Dive in the World of IT Networking (Part 2)
A Deep Dive in the World of IT Networking (Part 2)Tuan Yang
 
Protocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDNProtocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDNGerardo Pardo-Castellote
 
Acit Mumbai - understanding vpns
Acit Mumbai - understanding vpnsAcit Mumbai - understanding vpns
Acit Mumbai - understanding vpnsSleek International
 

Weitere ähnliche Inhalte

Was ist angesagt?

zenoh: zero overhead pub/sub store/query compute
zenoh: zero overhead pub/sub store/query computezenoh: zero overhead pub/sub store/query compute
zenoh: zero overhead pub/sub store/query computeAngelo Corsaro
 
APAC-05 XMPP AccessGrid presentation
APAC-05 XMPP AccessGrid presentationAPAC-05 XMPP AccessGrid presentation
APAC-05 XMPP AccessGrid presentationSteve Smith
 
Security analysis of fbdk block cipher for digital images
Security analysis of fbdk block cipher for digital imagesSecurity analysis of fbdk block cipher for digital images
Security analysis of fbdk block cipher for digital imageseSAT Journals
 
Review on Protocols of Virtual Private Network
Review on Protocols of Virtual Private NetworkReview on Protocols of Virtual Private Network
Review on Protocols of Virtual Private NetworkIRJET Journal
 
Image Cryptography using RSA Algorithm
Image Cryptography using RSA AlgorithmImage Cryptography using RSA Algorithm
Image Cryptography using RSA Algorithmijtsrd
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slidesDan Kaminsky
 
IRJET- Data Transmission using RSA Algorithm
IRJET- Data Transmission using RSA AlgorithmIRJET- Data Transmission using RSA Algorithm
IRJET- Data Transmission using RSA AlgorithmIRJET Journal
 
eProsima RPC over DDS - Connext Conf London October 2015
eProsima RPC over DDS - Connext Conf London October 2015 eProsima RPC over DDS - Connext Conf London October 2015
eProsima RPC over DDS - Connext Conf London October 2015 Jaime Martin Losa
 
IMPROVING IPV6 ADDRESSING TYPES AND SIZE
IMPROVING IPV6 ADDRESSING TYPES AND SIZEIMPROVING IPV6 ADDRESSING TYPES AND SIZE
IMPROVING IPV6 ADDRESSING TYPES AND SIZEIJCNCJournal
 
Cisco discovery d homesb module 10 final exam - v.4 in english.
Cisco discovery d homesb module 10 final exam - v.4 in english.Cisco discovery d homesb module 10 final exam - v.4 in english.
Cisco discovery d homesb module 10 final exam - v.4 in english.igede tirtanata
 
How do Things talk? IoT Application Protocols 101
How do Things talk? IoT Application Protocols 101How do Things talk? IoT Application Protocols 101
How do Things talk? IoT Application Protocols 101Christian Götz
 
Access control in decentralized online social networks applying a policy hidi...
Access control in decentralized online social networks applying a policy hidi...Access control in decentralized online social networks applying a policy hidi...
Access control in decentralized online social networks applying a policy hidi...IGEEKS TECHNOLOGIES
 
Web Services Discovery for Devices
Web Services Discovery for DevicesWeb Services Discovery for Devices
Web Services Discovery for DevicesJorgen Thelin
 

Was ist angesagt? (19)

zenoh: zero overhead pub/sub store/query compute
zenoh: zero overhead pub/sub store/query computezenoh: zero overhead pub/sub store/query compute
zenoh: zero overhead pub/sub store/query compute
 
APAC-05 XMPP AccessGrid presentation
APAC-05 XMPP AccessGrid presentationAPAC-05 XMPP AccessGrid presentation
APAC-05 XMPP AccessGrid presentation
 
Security analysis of fbdk block cipher for digital images
Security analysis of fbdk block cipher for digital imagesSecurity analysis of fbdk block cipher for digital images
Security analysis of fbdk block cipher for digital images
 
A1803020108
A1803020108A1803020108
A1803020108
 
82 86
82 8682 86
82 86
 
G43053847
G43053847G43053847
G43053847
 
Profile_Prateek
Profile_PrateekProfile_Prateek
Profile_Prateek
 
Review on Protocols of Virtual Private Network
Review on Protocols of Virtual Private NetworkReview on Protocols of Virtual Private Network
Review on Protocols of Virtual Private Network
 
Pki by Steve Lamb
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
 
Hacking 05 2011
Hacking 05 2011Hacking 05 2011
Hacking 05 2011
 
Image Cryptography using RSA Algorithm
Image Cryptography using RSA AlgorithmImage Cryptography using RSA Algorithm
Image Cryptography using RSA Algorithm
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slides
 
IRJET- Data Transmission using RSA Algorithm
IRJET- Data Transmission using RSA AlgorithmIRJET- Data Transmission using RSA Algorithm
IRJET- Data Transmission using RSA Algorithm
 
eProsima RPC over DDS - Connext Conf London October 2015
eProsima RPC over DDS - Connext Conf London October 2015 eProsima RPC over DDS - Connext Conf London October 2015
eProsima RPC over DDS - Connext Conf London October 2015
 
IMPROVING IPV6 ADDRESSING TYPES AND SIZE
IMPROVING IPV6 ADDRESSING TYPES AND SIZEIMPROVING IPV6 ADDRESSING TYPES AND SIZE
IMPROVING IPV6 ADDRESSING TYPES AND SIZE
 
Cisco discovery d homesb module 10 final exam - v.4 in english.
Cisco discovery d homesb module 10 final exam - v.4 in english.Cisco discovery d homesb module 10 final exam - v.4 in english.
Cisco discovery d homesb module 10 final exam - v.4 in english.
 
How do Things talk? IoT Application Protocols 101
How do Things talk? IoT Application Protocols 101How do Things talk? IoT Application Protocols 101
How do Things talk? IoT Application Protocols 101
 
Access control in decentralized online social networks applying a policy hidi...
Access control in decentralized online social networks applying a policy hidi...Access control in decentralized online social networks applying a policy hidi...
Access control in decentralized online social networks applying a policy hidi...
 
Web Services Discovery for Devices
Web Services Discovery for DevicesWeb Services Discovery for Devices
Web Services Discovery for Devices
 

Ähnlich wie Signpost at FOCI 2013

A Deep Dive in the World of IT Networking (Part 2)
A Deep Dive in the World of IT Networking (Part 2)A Deep Dive in the World of IT Networking (Part 2)
A Deep Dive in the World of IT Networking (Part 2)Tuan Yang
 
Protocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDNProtocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDNGerardo Pardo-Castellote
 
Acit Mumbai - understanding vpns
Acit Mumbai - understanding vpnsAcit Mumbai - understanding vpns
Acit Mumbai - understanding vpnsSleek International
 
DDS Interoperability Demo using the DDS-RTPS standard protocol 2010
DDS Interoperability Demo using the DDS-RTPS standard protocol 2010DDS Interoperability Demo using the DDS-RTPS standard protocol 2010
DDS Interoperability Demo using the DDS-RTPS standard protocol 2010Gerardo Pardo-Castellote
 
12 Understanding V P Ns
12 Understanding V P Ns12 Understanding V P Ns
12 Understanding V P NsAamirAziz
 
DDS 2010 Interoperability Demo
DDS 2010 Interoperability DemoDDS 2010 Interoperability Demo
DDS 2010 Interoperability DemoAngelo Corsaro
 
Real-World Case Study: For Connecting CompactRIO's to Microsoft Azure IoT
Real-World Case Study: For Connecting CompactRIO's to Microsoft Azure IoTReal-World Case Study: For Connecting CompactRIO's to Microsoft Azure IoT
Real-World Case Study: For Connecting CompactRIO's to Microsoft Azure IoTDMC, Inc.
 
Basic Network Support Certification
Basic Network Support CertificationBasic Network Support Certification
Basic Network Support CertificationVskills
 
Innovation in SDN Tools and Platforms
Innovation in SDN Tools and PlatformsInnovation in SDN Tools and Platforms
Innovation in SDN Tools and PlatformsUmesh Krishnaswamy
 
Videoconferencing Technology
Videoconferencing TechnologyVideoconferencing Technology
Videoconferencing TechnologyVideoguy
 
Data Center Design Guide 4 1
Data Center Design Guide 4 1Data Center Design Guide 4 1
Data Center Design Guide 4 1Fiyaz Syed
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...ContainerDay Security 2023
 
"How overlay networks can make public clouds your global WAN" by Ryan Koop o...
"How overlay networks can make public clouds your global WAN" by Ryan Koop o... "How overlay networks can make public clouds your global WAN" by Ryan Koop o...
"How overlay networks can make public clouds your global WAN" by Ryan Koop o...Cohesive Networks
 
Ip tunnelling and_vpn
Ip tunnelling and_vpnIp tunnelling and_vpn
Ip tunnelling and_vpnRajesh Porwal
 
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyCourtland Smith
 
Shedding Light on LINE Token Economy You Won't Find in Our White Paper
Shedding Light on LINE Token Economy You Won't Find in Our White PaperShedding Light on LINE Token Economy You Won't Find in Our White Paper
Shedding Light on LINE Token Economy You Won't Find in Our White PaperLINE Corporation
 
"How overlay networks can make public clouds your global WAN" from LASCON 2013
"How overlay networks can make public clouds your global WAN" from LASCON 2013"How overlay networks can make public clouds your global WAN" from LASCON 2013
"How overlay networks can make public clouds your global WAN" from LASCON 2013Ryan Koop
 

Ähnlich wie Signpost at FOCI 2013 (20)

A Deep Dive in the World of IT Networking (Part 2)
A Deep Dive in the World of IT Networking (Part 2)A Deep Dive in the World of IT Networking (Part 2)
A Deep Dive in the World of IT Networking (Part 2)
 
Protocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDNProtocol and Integration Challenges for SDN
Protocol and Integration Challenges for SDN
 
Acit Mumbai - understanding vpns
Acit Mumbai - understanding vpnsAcit Mumbai - understanding vpns
Acit Mumbai - understanding vpns
 
DDS Interoperability Demo using the DDS-RTPS standard protocol 2010
DDS Interoperability Demo using the DDS-RTPS standard protocol 2010DDS Interoperability Demo using the DDS-RTPS standard protocol 2010
DDS Interoperability Demo using the DDS-RTPS standard protocol 2010
 
12 Understanding V P Ns
12 Understanding V P Ns12 Understanding V P Ns
12 Understanding V P Ns
 
DDS 2010 Interoperability Demo
DDS 2010 Interoperability DemoDDS 2010 Interoperability Demo
DDS 2010 Interoperability Demo
 
Real-World Case Study: For Connecting CompactRIO's to Microsoft Azure IoT
Real-World Case Study: For Connecting CompactRIO's to Microsoft Azure IoTReal-World Case Study: For Connecting CompactRIO's to Microsoft Azure IoT
Real-World Case Study: For Connecting CompactRIO's to Microsoft Azure IoT
 
Basic Network Support Certification
Basic Network Support CertificationBasic Network Support Certification
Basic Network Support Certification
 
Innovation in SDN Tools and Platforms
Innovation in SDN Tools and PlatformsInnovation in SDN Tools and Platforms
Innovation in SDN Tools and Platforms
 
Videoconferencing Technology
Videoconferencing TechnologyVideoconferencing Technology
Videoconferencing Technology
 
Ip tunneling and vpns
Ip tunneling and vpnsIp tunneling and vpns
Ip tunneling and vpns
 
Data Center Design Guide 4 1
Data Center Design Guide 4 1Data Center Design Guide 4 1
Data Center Design Guide 4 1
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
 
"How overlay networks can make public clouds your global WAN" by Ryan Koop o...
"How overlay networks can make public clouds your global WAN" by Ryan Koop o... "How overlay networks can make public clouds your global WAN" by Ryan Koop o...
"How overlay networks can make public clouds your global WAN" by Ryan Koop o...
 
Ip tunnelling and_vpn
Ip tunnelling and_vpnIp tunnelling and_vpn
Ip tunnelling and_vpn
 
OpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform TechnologyOpenDNS Whitepaper: Platform Technology
OpenDNS Whitepaper: Platform Technology
 
Shedding Light on LINE Token Economy You Won't Find in Our White Paper
Shedding Light on LINE Token Economy You Won't Find in Our White PaperShedding Light on LINE Token Economy You Won't Find in Our White Paper
Shedding Light on LINE Token Economy You Won't Find in Our White Paper
 
VPN
VPNVPN
VPN
 
Vp ns
Vp nsVp ns
Vp ns
 
"How overlay networks can make public clouds your global WAN" from LASCON 2013
"How overlay networks can make public clouds your global WAN" from LASCON 2013"How overlay networks can make public clouds your global WAN" from LASCON 2013
"How overlay networks can make public clouds your global WAN" from LASCON 2013
 

Kürzlich hochgeladen

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Kürzlich hochgeladen (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

Signpost at FOCI 2013

  • 1. Lost in the Edge: Finding Your Way with Signposts Charalampos Rotsos, Heidi Howard, David Sheets, Richard Mortier,† Anil Madhavapeddy, Amir Chaudhry, Jon Crowcroft http://anil.recoil.org/papers/2013-foci-slides.pdf University of Cambridge, UK † University of Nottingham, UK anil@recoil.org 13th August, 2013
  • 2. Introduction Signposts Conclusions Challenge & Constraints Contents 1 Introduction Challenge & Constraints Building on DNS 2 Signposts Architecture Components 3 Conclusions Implications Questions
  • 3. Introduction Signposts Conclusions Challenge & Constraints The Challenge Centralised cloud-hosted services are convenient but create risks: Loss of data and services due to service shutdown (whether for commercial or political reasons)
  • 4. Introduction Signposts Conclusions Challenge & Constraints The Challenge Centralised cloud-hosted services are convenient but create risks: Loss of data and services due to service shutdown (whether for commercial or political reasons) Global passive observers recording all 1.6% traffic
  • 5. Introduction Signposts Conclusions Challenge & Constraints The Challenge Centralised cloud-hosted services are convenient but create risks: Loss of data and services due to service shutdown (whether for commercial or political reasons) Global passive observers recording all 1.6% traffic Inefficient and inconvenient synchronisation in mobile and offline environments
  • 6. Introduction Signposts Conclusions Challenge & Constraints The Challenge Centralised cloud-hosted services are convenient but create risks: Loss of data and services due to service shutdown (whether for commercial or political reasons) Global passive observers recording all 1.6% traffic Inefficient and inconvenient synchronisation in mobile and offline environments Our Approach Use DNS to enable personal clouds, making it easy to deploy apps that function securely and efficiently across our own device network, across the Internet edge.
  • 7. Introduction Signposts Conclusions Challenge & Constraints Constraints Compatibility. Can’t require users to change all their apps. Security. Need to control access to our personal devices: requires authentication and confidentiality. Connectivity. Need to be able to interconnect devices whatever network is available.
  • 8. Introduction Signposts Conclusions Challenge & Constraints Constraints Compatibility. Can’t require users to change all their apps. Security. Need to control access to our personal devices: requires authentication and confidentiality. Connectivity. Need to be able to interconnect devices whatever network is available. Data vs Orchestration What’s the minimal network infrastructure that we can deploy to represent individual users on the core Internet?
  • 9. Introduction Signposts Conclusions Challenge & Constraints Regaining Connectivity Network Address Translation (NAT) killed end-to-end IP addressing 192.168.1.2 192.168.1.1 / 89.16.177.154 192.168.1.2 86.30.244.239 / 192.168.1.1 Packet filtering makes tunnel setup dynamic (Full-cone NAT? Is UDP blocked? IPSec?)
  • 10. Introduction Signposts Conclusions Challenge & Constraints Regaining Connectivity Network Address Translation (NAT) killed end-to-end IP addressing 192.168.1.2 192.168.1.1 / 89.16.177.154 192.168.1.2 86.30.244.239 / 192.168.1.1 Packet filtering makes tunnel setup dynamic (Full-cone NAT? Is UDP blocked? IPSec?) Redirection and proxies (e.g., Wifi hotspots) require traversal
  • 11. Introduction Signposts Conclusions Challenge & Constraints Regaining Connectivity Network Address Translation (NAT) killed end-to-end IP addressing 192.168.1.2 192.168.1.1 / 89.16.177.154 192.168.1.2 86.30.244.239 / 192.168.1.1 Packet filtering makes tunnel setup dynamic (Full-cone NAT? Is UDP blocked? IPSec?) Redirection and proxies (e.g., Wifi hotspots) require traversal Multipath is increasingly available (e.g., 3G + Wifi)
  • 12. Introduction Signposts Conclusions Building on DNS Contents 1 Introduction Challenge & Constraints Building on DNS 2 Signposts Architecture Components 3 Conclusions Implications Questions
  • 13. Introduction Signposts Conclusions Building on DNS DNS DNS is THE Internet naming standard: Supported in almost every embedded device. Naturally hierarchical and cacheable. Flexible and ”extensible”. Resolver infrastructure exists almost everywhere (including censorship).
  • 14. Introduction Signposts Conclusions Building on DNS DNS Today # host recoil.org recoil.org has address 89.16.177.154 recoil.org mail is handled by 10 dark.recoil.org. recoil.org mail is handled by 20 mx-caprica.easydns.com.
  • 15. Introduction Signposts Conclusions Building on DNS DNS Today # host recoil.org recoil.org has address 89.16.177.154 recoil.org mail is handled by 10 dark.recoil.org. recoil.org mail is handled by 20 mx-caprica.easydns.com. Why can’t we have stronger DNS bindings between edge devices? # host ipad.home.anil.recoil.org ipad.home.anil.recoil.org has address 192.168.1.19
  • 16. Introduction Signposts Conclusions Building on DNS DNS Manipulation DNS is already manipulated: content networks differentiate results by the query source so the nearest CDN node can serve data Indeed, “DNS servers can play games. As long as they appear to deliver a syntactically correct response to every query, they can fiddle the semantics.” — RFC3234
  • 17. Introduction Signposts Conclusions Building on DNS DNS Manipulation DNS is already manipulated: content networks differentiate results by the query source so the nearest CDN node can serve data Indeed, “DNS servers can play games. As long as they appear to deliver a syntactically correct response to every query, they can fiddle the semantics.” — RFC3234 Names for The Average Joe But there’s nowhere for individuals to easily host their own little name services online. Change this, and everything improves.
  • 18. Introduction Signposts Conclusions Building on DNS DNS Security Authentication. DNSSEC provides a standard, deployed security model where identity chains are established by trusting the registrars or other trust anchors Confidentiality. DNSCurve adds confidentiality, repudiability, integrity, and authentication to name resolution through an Elliptic Curve Cryptographic tunnel; can trade compatibility against overhead, with 255-bit Curve25519 keys offering complexity equivalent to 3072-bit RSA
  • 19. Introduction Signposts Conclusions Architecture Contents 1 Introduction Challenge & Constraints Building on DNS 2 Signposts Architecture Components 3 Conclusions Implications Questions
  • 20. Introduction Signposts Conclusions Architecture Architecture DNSCurve IP,TCP, UDP, ... Signpost Device DNS Resolver Applications Signpost (home) gethostbyname() DynamicTunnels At the edge, devices interconnect using tunnels created in response to authenticated, confidential DNSCurve queries. Connections access-controlled via authenticated query source.
  • 21. Introduction Signposts Conclusions Architecture Architecture DNSCurve IP,TCP, UDP, ... Signpost Device Edge DNS Resolver Applications Signpost (home) Signpost (laptop) Signpost (cloud) gethostbyname() DynamicTunnels At the edge, devices interconnect using tunnels created in response to authenticated, confidential DNSCurve queries. Connections access-controlled via authenticated query source.
  • 22. Introduction Signposts Conclusions Architecture Architecture DNSSEC DNSCurve IP,TCP, UDP, ... Signpost Device Edge Internet Bob's Device Cloud DNS Resolver Applications Signpost (home) Signpost (laptop) Alice's Device Cloud Signpost (cloud) gethostbyname() DynamicTunnels At the edge, devices interconnect using tunnels created in response to authenticated, confidential DNSCurve queries. Connections access-controlled via authenticated query source.
  • 23. Introduction Signposts Conclusions Components Contents 1 Introduction Challenge & Constraints Building on DNS 2 Signposts Architecture Components 3 Conclusions Implications Questions
  • 24. Introduction Signposts Conclusions Components Active Edge Resolution Incremental, parallel resolution via 0 TTL responses containing multiple results.
  • 25. Introduction Signposts Conclusions Components Active Edge Resolution Incremental, parallel resolution via 0 TTL responses containing multiple results. Bootstrap trusted public keys between devices via resurrecting duckling. No passwords during resolution.
  • 26. Introduction Signposts Conclusions Components Active Edge Resolution Incremental, parallel resolution via 0 TTL responses containing multiple results. Bootstrap trusted public keys between devices via resurrecting duckling. No passwords during resolution. Degrade gracefully from P2P to personal cloud service to shared provider.
  • 27. Introduction Signposts Conclusions Components Active Edge Resolution Incremental, parallel resolution via 0 TTL responses containing multiple results. Bootstrap trusted public keys between devices via resurrecting duckling. No passwords during resolution. Degrade gracefully from P2P to personal cloud service to shared provider. Resolution triggers tunnel establishment scripts; currently support (L2) Tuntap/SSH, OpenVPN, (L3) IPSec, (L4+) Privoxy/Tor via SOCKS
  • 28. Introduction Signposts Conclusions Components Active Edge Resolution Incremental, parallel resolution via 0 TTL responses containing multiple results. Bootstrap trusted public keys between devices via resurrecting duckling. No passwords during resolution. Degrade gracefully from P2P to personal cloud service to shared provider. Resolution triggers tunnel establishment scripts; currently support (L2) Tuntap/SSH, OpenVPN, (L3) IPSec, (L4+) Privoxy/Tor via SOCKS Seamless operation with extra host support (e.g., OpenFlow)
  • 29. Introduction Signposts Conclusions Components Identity Management Automatic, internal key management in a personal trust hierarchy simplifies hygiene. TSIG/SIG0 DNSSEC signatures used to demonstrate subnamespace authority. Manage keys for SSH, PGP, *Curve in parallel. Provides low-friction revocation, making rollover usable by mortals (?)
  • 30. Introduction Signposts Conclusions Components Programming Model Currently: Sockets API decouples getaddrinfo(3) from connect(2), so less powerful. With Signposts: Applications bind names to flows in one call, separating connection establishment from data transfer, Signpost nodes select environmentally optimal routes via long-poll DNSCurve updates Signpost resolver proxies DNS on localhost, late-binding lookups only when traffic is sent (e.g., TCP SYN)
  • 31. Introduction Signposts Conclusions Components Work-in-Progress Resolution. Looking to more efficient path establishment than “try everything at once” Identity. Automating key derivation & management Programming. Exploring details, e.g., need to patch OpenSSL, provide local OpenFlow switch; more in The Case for Reconfigurable I/O Channels, RESoLVE 2012 (http://anil.recoil.org/papers/) Implementation. May be easier to support applications that use sockets via lightweight VMs (e.g., http://openmirage.org with Message Switch, http://github.com/djs55/message-switch)
  • 32. Introduction Signposts Conclusions Implications Contents 1 Introduction Challenge & Constraints Building on DNS 2 Signposts Architecture Components 3 Conclusions Implications Questions
  • 33. Introduction Signposts Conclusions Implications Alternatives & Possibilities Signpost uses DNS as a device-facing interface for compatibility – but could support alternative mechanisms for upstream resolution: Perspectives (http://perspectives-project.org/) offers a P2P trust network Namecoin (http://namecoin.info/) provides decentralized naming but has economic issues. When widely deployed, a set of Signposts could help with: Tor. Constructing a mix zone, perhaps using Dustclounds (http://anil.recoil.org/papers/2010-iswp-dustclouds.pdf) Dissent (http://dedis.cs.yale.edu/2010/anon/), simplifying its use by Average Joe.
  • 34. Introduction Signposts Conclusions Questions Contents 1 Introduction Challenge & Constraints Building on DNS 2 Signposts Architecture Components 3 Conclusions Implications Questions
  • 35. Introduction Signposts Conclusions Questions Thank you! Questions? https://github.com/signposts https://github.com/mirage