SlideShare a Scribd company logo

Pristine rina-security-icc-2016

PRISTINE RINA security presentation for IEEE ICC 2016

1 of 20
Download to read offline
From protecting protocols to layers: security policies in RINA
From protecting protocols to
layers: designing, implementing
and experimenting with security
policies in RINA
Eduard Grasa (presenter), Ondrej Lichtner, Ondrej Rysavy,
Hamid Asgari, John Day, Lou Chitkushev
FP7 PRISTINE
ICC 2016, Kuala Lumpur, May 24th 2016
WHAT IS RINA?1
2
RINA highlights
• Network architecture resulting from a fundamental theory of computer
networking
• Networking is InterProcess Communication (IPC) and only IPC. Unifies
networking and distributed computing: the network is a distributed
application that provides IPC
• There is a single type of layer with programmable functions, that repeats
as many times as needed by the network designers
• All layers provide the same service: instances or communication (flows) to
two or more application instances, with certain characteristics (delay, loss,
in-order-delivery, etc)
• There are only 3 types of systems: hosts, interior and border routers. No
middleboxes (firewalls, NATs, etc) are needed
• Deploy it over, under and next to current networking technologies
1
2
3
4
5
6
3
From the “TCP/IP” protocol suite …
• Functional layers organized for modularity, each layer provides
a different service to each other
– As the RM is applied to the real world, it proofs to be incomplete.
As a consequence, new layers are patched into the reference
model as needed (layers 2.5, VLANs, VPNs, virtual network
overlays, tunnels, MAC-in-MAC, etc.)
(Theory) (Practice)
4
… to the RINA architecture
Single type of layer, consistent API, programmable policies
Host
Border router Interior Router
DIF
DIF DIF
Border router
DIF
DIF
DIF (Distributed IPC Facility)
Host
App
A
App
B
Consistent
API through
layers
IPC API
Data Transfer Data Transfer Control Layer Management
SDU Delimiting
Data Transfer
Relaying and
Multiplexing
SDU Protection
Retransmission
Control
Flow Control
RIB
Daemon
RIB
CDAP
Parser/Generator
CACEP
Enrollment
Flow Allocation
Resource Allocation
Routing
Authentication
StateVector
StateVector
StateVector
Data TransferData Transfer
Retransmission
Control
Retransmission
Control
Flow Control
Flow Control
Increasing timescale (functions performed less often) and complexity
Namespace
Management
Security
Management
5
Deployment
Clean-slate concepts but incremental deployment
Large-scale RINA Experimentation on FIRE+ 6
• IPv6 brings very small improvements to IPv4, but requires a
clean slate deployment (not compatible to IPv4)
• RINA can be deployed incrementally where it has the right
incentives, and interoperate with current technologies (IP,
Ethernet, MPLS, etc.)
– Over IP (just like any overlay such as VXLAN, NVGRE, GTP-U, etc.)
– Below IP (just like any underlay such as MPLS or MAC-in-MAC)
– Next to IP (gateways/protocol translation such as IPv6)
IP Network
RINA Provider
RINA Network
Sockets ApplicationsRINA supported Applications
IP or Ethernet or MPLS, etc

Recommended

RINA as a Clean-Slate Approach to Software Networks
RINA as a Clean-Slate Approach to Software Networks RINA as a Clean-Slate Approach to Software Networks
RINA as a Clean-Slate Approach to Software Networks ICT PRISTINE
 
2016 06-10-ieee-sdn (1)
2016 06-10-ieee-sdn (1)2016 06-10-ieee-sdn (1)
2016 06-10-ieee-sdn (1)ICT PRISTINE
 
PRISTINE presentation at the Net-Tech Future Coordination meeting
PRISTINE presentation at the Net-Tech Future Coordination meetingPRISTINE presentation at the Net-Tech Future Coordination meeting
PRISTINE presentation at the Net-Tech Future Coordination meetingICT PRISTINE
 
Pristine Intro SDN Concertation Workshop
Pristine Intro SDN Concertation WorkshopPristine Intro SDN Concertation Workshop
Pristine Intro SDN Concertation WorkshopICT PRISTINE
 
EU-Taiwan Workshop on 5G Research, PRISTINE introduction
EU-Taiwan Workshop on 5G Research, PRISTINE introductionEU-Taiwan Workshop on 5G Research, PRISTINE introduction
EU-Taiwan Workshop on 5G Research, PRISTINE introductionICT PRISTINE
 
PRISTINE @ FIA Athens 2014
PRISTINE @ FIA Athens 2014PRISTINE @ FIA Athens 2014
PRISTINE @ FIA Athens 2014ICT PRISTINE
 
Pristine glif 2015
Pristine glif 2015Pristine glif 2015
Pristine glif 2015ICT PRISTINE
 
Pristine rina-sdk-icc-2016
Pristine rina-sdk-icc-2016Pristine rina-sdk-icc-2016
Pristine rina-sdk-icc-2016ICT PRISTINE
 

More Related Content

What's hot

The hague rina-workshop-nfv-diego
The hague rina-workshop-nfv-diegoThe hague rina-workshop-nfv-diego
The hague rina-workshop-nfv-diegoICT PRISTINE
 
The hague rina-workshop-intro-eduard
The hague rina-workshop-intro-eduardThe hague rina-workshop-intro-eduard
The hague rina-workshop-intro-eduardICT PRISTINE
 
Reconstructing computer networking with RINA: how solid scientific foundation...
Reconstructing computer networking with RINA: how solid scientific foundation...Reconstructing computer networking with RINA: how solid scientific foundation...
Reconstructing computer networking with RINA: how solid scientific foundation...ICT PRISTINE
 
The hageu rina-workshop-security-peter
The hageu rina-workshop-security-peterThe hageu rina-workshop-security-peter
The hageu rina-workshop-security-peterICT PRISTINE
 
Rina acc-icc16-stein
Rina acc-icc16-steinRina acc-icc16-stein
Rina acc-icc16-steinICT PRISTINE
 
Pristine rina-tnc-2016
Pristine rina-tnc-2016Pristine rina-tnc-2016
Pristine rina-tnc-2016ICT PRISTINE
 
Rlite software-architecture (1)
Rlite software-architecture (1)Rlite software-architecture (1)
Rlite software-architecture (1)ARCFIRE ICT
 
The hague rina-workshop-congestioncontrol-peyman
The hague rina-workshop-congestioncontrol-peymanThe hague rina-workshop-congestioncontrol-peyman
The hague rina-workshop-congestioncontrol-peymanICT PRISTINE
 
Th hauge rina-workshop-sdn-virtualisation_neil
Th hauge rina-workshop-sdn-virtualisation_neilTh hauge rina-workshop-sdn-virtualisation_neil
Th hauge rina-workshop-sdn-virtualisation_neilICT PRISTINE
 
Eucnc rina-tutorial
Eucnc rina-tutorialEucnc rina-tutorial
Eucnc rina-tutorialICT PRISTINE
 
The hague rina-workshop-mobility-eduard
The hague rina-workshop-mobility-eduardThe hague rina-workshop-mobility-eduard
The hague rina-workshop-mobility-eduardICT PRISTINE
 
The hague rina-workshop-interop-deployment_vincenzo
The hague rina-workshop-interop-deployment_vincenzoThe hague rina-workshop-interop-deployment_vincenzo
The hague rina-workshop-interop-deployment_vincenzoICT PRISTINE
 
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay NetworkingMulti-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay NetworkingARCFIRE ICT
 
Benefits of programmable topological routing policies in RINA-enabled large s...
Benefits of programmable topological routing policies in RINA-enabled large s...Benefits of programmable topological routing policies in RINA-enabled large s...
Benefits of programmable topological routing policies in RINA-enabled large s...ICT PRISTINE
 
Unifying WiFi and VLANs with the RINA model
Unifying WiFi and VLANs with the RINA modelUnifying WiFi and VLANs with the RINA model
Unifying WiFi and VLANs with the RINA modelARCFIRE ICT
 
Congestion Control in Recursive Network Architectures
Congestion Control in Recursive Network ArchitecturesCongestion Control in Recursive Network Architectures
Congestion Control in Recursive Network ArchitecturesICT PRISTINE
 
An overview of SDN & Openflow
An overview of SDN & OpenflowAn overview of SDN & Openflow
An overview of SDN & OpenflowPeyman Faizian
 
RINA research results - NGP forum - SDN World Congress 2017
RINA research results - NGP forum - SDN World Congress 2017RINA research results - NGP forum - SDN World Congress 2017
RINA research results - NGP forum - SDN World Congress 2017ARCFIRE ICT
 
Rina sdn-2016 mobility
Rina sdn-2016 mobilityRina sdn-2016 mobility
Rina sdn-2016 mobilityARCFIRE ICT
 
Experimental evaluation of a RINA prototype - GC 2014
Experimental evaluation of a RINA prototype - GC 2014Experimental evaluation of a RINA prototype - GC 2014
Experimental evaluation of a RINA prototype - GC 2014Eleni Trouva
 

What's hot (20)

The hague rina-workshop-nfv-diego
The hague rina-workshop-nfv-diegoThe hague rina-workshop-nfv-diego
The hague rina-workshop-nfv-diego
 
The hague rina-workshop-intro-eduard
The hague rina-workshop-intro-eduardThe hague rina-workshop-intro-eduard
The hague rina-workshop-intro-eduard
 
Reconstructing computer networking with RINA: how solid scientific foundation...
Reconstructing computer networking with RINA: how solid scientific foundation...Reconstructing computer networking with RINA: how solid scientific foundation...
Reconstructing computer networking with RINA: how solid scientific foundation...
 
The hageu rina-workshop-security-peter
The hageu rina-workshop-security-peterThe hageu rina-workshop-security-peter
The hageu rina-workshop-security-peter
 
Rina acc-icc16-stein
Rina acc-icc16-steinRina acc-icc16-stein
Rina acc-icc16-stein
 
Pristine rina-tnc-2016
Pristine rina-tnc-2016Pristine rina-tnc-2016
Pristine rina-tnc-2016
 
Rlite software-architecture (1)
Rlite software-architecture (1)Rlite software-architecture (1)
Rlite software-architecture (1)
 
The hague rina-workshop-congestioncontrol-peyman
The hague rina-workshop-congestioncontrol-peymanThe hague rina-workshop-congestioncontrol-peyman
The hague rina-workshop-congestioncontrol-peyman
 
Th hauge rina-workshop-sdn-virtualisation_neil
Th hauge rina-workshop-sdn-virtualisation_neilTh hauge rina-workshop-sdn-virtualisation_neil
Th hauge rina-workshop-sdn-virtualisation_neil
 
Eucnc rina-tutorial
Eucnc rina-tutorialEucnc rina-tutorial
Eucnc rina-tutorial
 
The hague rina-workshop-mobility-eduard
The hague rina-workshop-mobility-eduardThe hague rina-workshop-mobility-eduard
The hague rina-workshop-mobility-eduard
 
The hague rina-workshop-interop-deployment_vincenzo
The hague rina-workshop-interop-deployment_vincenzoThe hague rina-workshop-interop-deployment_vincenzo
The hague rina-workshop-interop-deployment_vincenzo
 
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay NetworkingMulti-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
 
Benefits of programmable topological routing policies in RINA-enabled large s...
Benefits of programmable topological routing policies in RINA-enabled large s...Benefits of programmable topological routing policies in RINA-enabled large s...
Benefits of programmable topological routing policies in RINA-enabled large s...
 
Unifying WiFi and VLANs with the RINA model
Unifying WiFi and VLANs with the RINA modelUnifying WiFi and VLANs with the RINA model
Unifying WiFi and VLANs with the RINA model
 
Congestion Control in Recursive Network Architectures
Congestion Control in Recursive Network ArchitecturesCongestion Control in Recursive Network Architectures
Congestion Control in Recursive Network Architectures
 
An overview of SDN & Openflow
An overview of SDN & OpenflowAn overview of SDN & Openflow
An overview of SDN & Openflow
 
RINA research results - NGP forum - SDN World Congress 2017
RINA research results - NGP forum - SDN World Congress 2017RINA research results - NGP forum - SDN World Congress 2017
RINA research results - NGP forum - SDN World Congress 2017
 
Rina sdn-2016 mobility
Rina sdn-2016 mobilityRina sdn-2016 mobility
Rina sdn-2016 mobility
 
Experimental evaluation of a RINA prototype - GC 2014
Experimental evaluation of a RINA prototype - GC 2014Experimental evaluation of a RINA prototype - GC 2014
Experimental evaluation of a RINA prototype - GC 2014
 

Similar to Pristine rina-security-icc-2016

Rina converged network operator - etsi workshop
Rina converged network operator -  etsi workshopRina converged network operator -  etsi workshop
Rina converged network operator - etsi workshopARCFIRE ICT
 
RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015ICT PRISTINE
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSICT PRISTINE
 
2. RINA overview - TF workshop
2. RINA overview - TF workshop2. RINA overview - TF workshop
2. RINA overview - TF workshopARCFIRE ICT
 
Rina IRATI @ GLIF Singapoure -2013
Rina IRATI @ GLIF Singapoure -2013Rina IRATI @ GLIF Singapoure -2013
Rina IRATI @ GLIF Singapoure -2013i2CAT Foundation
 
Irati goals and achievements - 3rd RINA Workshop
Irati goals and achievements - 3rd RINA WorkshopIrati goals and achievements - 3rd RINA Workshop
Irati goals and achievements - 3rd RINA WorkshopEleni Trouva
 
Pristine rina-tnc-2016
Pristine rina-tnc-2016Pristine rina-tnc-2016
Pristine rina-tnc-2016ARCFIRE ICT
 
Implementation of intelligent wide area network(wan)- report
Implementation of intelligent wide area network(wan)- reportImplementation of intelligent wide area network(wan)- report
Implementation of intelligent wide area network(wan)- reportJatin Singh
 
IRATI Experimentation, US-EU FIRE Workshop
IRATI Experimentation, US-EU FIRE WorkshopIRATI Experimentation, US-EU FIRE Workshop
IRATI Experimentation, US-EU FIRE WorkshopEleni Trouva
 
Network Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. ShivashankarNetwork Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. ShivashankarDr. Shivashankar
 
Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureFiras Alsayied
 
Update on IRATI technical work after month 6
Update on IRATI technical work after month 6Update on IRATI technical work after month 6
Update on IRATI technical work after month 6Eleni Trouva
 
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...Amazon Web Services
 
Aci presentation
Aci presentationAci presentation
Aci presentationJoe Ryan
 
IPS NAT and VPN.pptx
IPS NAT and VPN.pptxIPS NAT and VPN.pptx
IPS NAT and VPN.pptxkarthikvcyber
 
Mobility mangement rina iwcnc
Mobility mangement rina   iwcncMobility mangement rina   iwcnc
Mobility mangement rina iwcncARCFIRE ICT
 

Similar to Pristine rina-security-icc-2016 (20)

Rina converged network operator - etsi workshop
Rina converged network operator -  etsi workshopRina converged network operator -  etsi workshop
Rina converged network operator - etsi workshop
 
RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
 
2. RINA overview - TF workshop
2. RINA overview - TF workshop2. RINA overview - TF workshop
2. RINA overview - TF workshop
 
Rina IRATI @ GLIF Singapoure -2013
Rina IRATI @ GLIF Singapoure -2013Rina IRATI @ GLIF Singapoure -2013
Rina IRATI @ GLIF Singapoure -2013
 
Irati goals and achievements - 3rd RINA Workshop
Irati goals and achievements - 3rd RINA WorkshopIrati goals and achievements - 3rd RINA Workshop
Irati goals and achievements - 3rd RINA Workshop
 
Pristine rina-tnc-2016
Pristine rina-tnc-2016Pristine rina-tnc-2016
Pristine rina-tnc-2016
 
Implementation of intelligent wide area network(wan)- report
Implementation of intelligent wide area network(wan)- reportImplementation of intelligent wide area network(wan)- report
Implementation of intelligent wide area network(wan)- report
 
IRATI Experimentation, US-EU FIRE Workshop
IRATI Experimentation, US-EU FIRE WorkshopIRATI Experimentation, US-EU FIRE Workshop
IRATI Experimentation, US-EU FIRE Workshop
 
Network Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. ShivashankarNetwork Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. Shivashankar
 
Vp ns
Vp nsVp ns
Vp ns
 
VPN
VPNVPN
VPN
 
Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a Secure
 
RINA: Recursive Inter Network Architecture
RINA: Recursive Inter Network ArchitectureRINA: Recursive Inter Network Architecture
RINA: Recursive Inter Network Architecture
 
Update on IRATI technical work after month 6
Update on IRATI technical work after month 6Update on IRATI technical work after month 6
Update on IRATI technical work after month 6
 
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
 
Aci presentation
Aci presentationAci presentation
Aci presentation
 
IPS NAT and VPN.pptx
IPS NAT and VPN.pptxIPS NAT and VPN.pptx
IPS NAT and VPN.pptx
 
V P N
V P NV P N
V P N
 
Mobility mangement rina iwcnc
Mobility mangement rina   iwcncMobility mangement rina   iwcnc
Mobility mangement rina iwcnc
 

More from ICT PRISTINE

Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQAssuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQICT PRISTINE
 
The hague rina-workshop-welcome-miguel
The hague rina-workshop-welcome-miguelThe hague rina-workshop-welcome-miguel
The hague rina-workshop-welcome-miguelICT PRISTINE
 
Lost layer talk 2014
Lost layer talk 2014Lost layer talk 2014
Lost layer talk 2014ICT PRISTINE
 
RINA Introduction, part II
RINA Introduction, part IIRINA Introduction, part II
RINA Introduction, part IIICT PRISTINE
 
RINA Introduction, part I
RINA Introduction, part IRINA Introduction, part I
RINA Introduction, part IICT PRISTINE
 
Dublin addressingtheproblem131224
Dublin addressingtheproblem131224Dublin addressingtheproblem131224
Dublin addressingtheproblem131224ICT PRISTINE
 
Dublin mngmt140120
Dublin mngmt140120Dublin mngmt140120
Dublin mngmt140120ICT PRISTINE
 
SFR: Scalable Forwarding with RINA for Distributed Clouds
SFR: Scalable Forwarding with RINA for Distributed CloudsSFR: Scalable Forwarding with RINA for Distributed Clouds
SFR: Scalable Forwarding with RINA for Distributed CloudsICT PRISTINE
 
EC Net Tech FI Cluster meeting October 23 2014 PRISTINE
EC Net Tech FI Cluster meeting October 23 2014 PRISTINEEC Net Tech FI Cluster meeting October 23 2014 PRISTINE
EC Net Tech FI Cluster meeting October 23 2014 PRISTINEICT PRISTINE
 

More from ICT PRISTINE (11)

Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQAssuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
 
The hague rina-workshop-welcome-miguel
The hague rina-workshop-welcome-miguelThe hague rina-workshop-welcome-miguel
The hague rina-workshop-welcome-miguel
 
Rina sim workshop
Rina sim workshopRina sim workshop
Rina sim workshop
 
Lost layer talk 2014
Lost layer talk 2014Lost layer talk 2014
Lost layer talk 2014
 
RINA Introduction, part II
RINA Introduction, part IIRINA Introduction, part II
RINA Introduction, part II
 
RINA Introduction, part I
RINA Introduction, part IRINA Introduction, part I
RINA Introduction, part I
 
6 security130123
6 security1301236 security130123
6 security130123
 
Dublin addressingtheproblem131224
Dublin addressingtheproblem131224Dublin addressingtheproblem131224
Dublin addressingtheproblem131224
 
Dublin mngmt140120
Dublin mngmt140120Dublin mngmt140120
Dublin mngmt140120
 
SFR: Scalable Forwarding with RINA for Distributed Clouds
SFR: Scalable Forwarding with RINA for Distributed CloudsSFR: Scalable Forwarding with RINA for Distributed Clouds
SFR: Scalable Forwarding with RINA for Distributed Clouds
 
EC Net Tech FI Cluster meeting October 23 2014 PRISTINE
EC Net Tech FI Cluster meeting October 23 2014 PRISTINEEC Net Tech FI Cluster meeting October 23 2014 PRISTINE
EC Net Tech FI Cluster meeting October 23 2014 PRISTINE
 

Recently uploaded

Biometrics Technology Intresting PPT
Biometrics Technology Intresting PPTBiometrics Technology Intresting PPT
Biometrics Technology Intresting PPTPraveenKumarThota7
 
Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...
Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...
Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...Prometix Pty Ltd
 
ConFoo 2024 - Need for Speed: Removing speed bumps in API Projects
ConFoo 2024  - Need for Speed: Removing speed bumps in API ProjectsConFoo 2024  - Need for Speed: Removing speed bumps in API Projects
ConFoo 2024 - Need for Speed: Removing speed bumps in API ProjectsŁukasz Chruściel
 
Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023Damar Juniarto
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
ConFoo 2024 - Sylius 2.0, top-notch eCommerce for customizable solution
ConFoo 2024 - Sylius 2.0, top-notch eCommerce for customizable solutionConFoo 2024 - Sylius 2.0, top-notch eCommerce for customizable solution
ConFoo 2024 - Sylius 2.0, top-notch eCommerce for customizable solutionŁukasz Chruściel
 

Recently uploaded (7)

Biometrics Technology Intresting PPT
Biometrics Technology Intresting PPTBiometrics Technology Intresting PPT
Biometrics Technology Intresting PPT
 
Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...
Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...
Elevate Your Business: Unleashing Collaboration and Efficiency through Expert...
 
ConFoo 2024 - Need for Speed: Removing speed bumps in API Projects
ConFoo 2024  - Need for Speed: Removing speed bumps in API ProjectsConFoo 2024  - Need for Speed: Removing speed bumps in API Projects
ConFoo 2024 - Need for Speed: Removing speed bumps in API Projects
 
Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023Regulation is Coming - Trusted Media Summit 2023
Regulation is Coming - Trusted Media Summit 2023
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
ConFoo 2024 - Sylius 2.0, top-notch eCommerce for customizable solution
ConFoo 2024 - Sylius 2.0, top-notch eCommerce for customizable solutionConFoo 2024 - Sylius 2.0, top-notch eCommerce for customizable solution
ConFoo 2024 - Sylius 2.0, top-notch eCommerce for customizable solution
 

Pristine rina-security-icc-2016

  • 1. From protecting protocols to layers: security policies in RINA From protecting protocols to layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner, Ondrej Rysavy, Hamid Asgari, John Day, Lou Chitkushev FP7 PRISTINE ICC 2016, Kuala Lumpur, May 24th 2016
  • 3. RINA highlights • Network architecture resulting from a fundamental theory of computer networking • Networking is InterProcess Communication (IPC) and only IPC. Unifies networking and distributed computing: the network is a distributed application that provides IPC • There is a single type of layer with programmable functions, that repeats as many times as needed by the network designers • All layers provide the same service: instances or communication (flows) to two or more application instances, with certain characteristics (delay, loss, in-order-delivery, etc) • There are only 3 types of systems: hosts, interior and border routers. No middleboxes (firewalls, NATs, etc) are needed • Deploy it over, under and next to current networking technologies 1 2 3 4 5 6 3
  • 4. From the “TCP/IP” protocol suite … • Functional layers organized for modularity, each layer provides a different service to each other – As the RM is applied to the real world, it proofs to be incomplete. As a consequence, new layers are patched into the reference model as needed (layers 2.5, VLANs, VPNs, virtual network overlays, tunnels, MAC-in-MAC, etc.) (Theory) (Practice) 4
  • 5. … to the RINA architecture Single type of layer, consistent API, programmable policies Host Border router Interior Router DIF DIF DIF Border router DIF DIF DIF (Distributed IPC Facility) Host App A App B Consistent API through layers IPC API Data Transfer Data Transfer Control Layer Management SDU Delimiting Data Transfer Relaying and Multiplexing SDU Protection Retransmission Control Flow Control RIB Daemon RIB CDAP Parser/Generator CACEP Enrollment Flow Allocation Resource Allocation Routing Authentication StateVector StateVector StateVector Data TransferData Transfer Retransmission Control Retransmission Control Flow Control Flow Control Increasing timescale (functions performed less often) and complexity Namespace Management Security Management 5
  • 6. Deployment Clean-slate concepts but incremental deployment Large-scale RINA Experimentation on FIRE+ 6 • IPv6 brings very small improvements to IPv4, but requires a clean slate deployment (not compatible to IPv4) • RINA can be deployed incrementally where it has the right incentives, and interoperate with current technologies (IP, Ethernet, MPLS, etc.) – Over IP (just like any overlay such as VXLAN, NVGRE, GTP-U, etc.) – Below IP (just like any underlay such as MPLS or MAC-in-MAC) – Next to IP (gateways/protocol translation such as IPv6) IP Network RINA Provider RINA Network Sockets ApplicationsRINA supported Applications IP or Ethernet or MPLS, etc
  • 7. PROPERTIES OF RINA DESIGN CONTRIBUTING TO SECURITY 2 7
  • 8. Protecting layers instead of protocols All layers have the same consistent, security model 8 • Benefits of having an architecture instead of a protocol suite: the architecture tells you where security related functions are placed. – Instead of thinking protocol security (BGPsec, DNSsec, IPsec, TLS, etc.), think security of the architecture: no more ‘each protocol has its own security’, ‘add another protocol for security’ or ‘add another box that does security’ Operating on the IPCP’s RIB Access control Sending/receiving PDUs through N-1 DIF Confidentiality, integrity N DIF N-1 DIF IPC Process IPC Process IPC Process IPC Process Joining a DIF authentication, access control Sending/receiving PDUs through N-1 DIF Confidentiality, integrity Operating on the IPCP’s RIB Access control IPC Process Appl. Process Access control (DIF members) Confidentiality, integrity Authentication Access control Operations on RIB DIF Operation Logging DIF Operation Logging
  • 9. Separation of mechanism from policy 9 IPC API Data Transfer Data Transfer Control Layer Management SDU Delimiting Data Transfer Relaying and Multiplexing SDU Protection Retransmission Control Flow Control RIB Daemon RIB CDAP Parser/Generator CACEP Enrollment Flow Allocation Resource Allocation Routing Authentication StateVector StateVector StateVector Data TransferData Transfer Retransmission Control Retransmission Control Flow Control Flow Control Namespace Management Security Management • All layers have the same mechanisms and 2 protocols (EFCP for data transfer, CDAP for layer management), programmable via policies. • Don’t specify/implement security protocols, only security policies – Re-use common layer structure, re-use security policies across layers • This approach greatly simplifies the network structure, minimizing the cost of security and improving the security level – Complexity is the worst enemy of security (B. Schneier) Authentication Access control (layer mgmt operations) Access control (joining the DIF) Coordination of security functions Confidentiality, Integrity
  • 10. Separation of mechanism from policy 10 IPC API Data Transfer Data Transfer Control Layer Management SDU Delimiting Data Transfer Relaying and Multiplexing SDU Protection Retransmission Control Flow Control RIB Daemon RIB CDAP Parser/Generator CACEP Enrollment Flow Allocation Resource Allocation Routing Authentication StateVector StateVector StateVector Data TransferData Transfer Retransmission Control Retransmission Control Flow Control Flow Control Namespace Management Security Management • All layers have the same mechanisms and 2 protocols (EFCP for data transfer, CDAP for layer management), programmable via policies. • Don’t specify/implement security protocols, only security policies – Re-use common layer structure, re-use security policies across layers • This approach greatly simplifies the network structure, minimizing the cost of security and improving the security level – Complexity is the worst enemy of security (B. Schneier) Authentication Access control (layer mgmt operations) Access control (joining the DIF) Coordination of security functions Confidentiality, Integrity Source: J. Small master thesis
  • 11. Scope as a native construct Recursion provides isolation • Size each DIF to the scope supported applications need – Only allow those that really need to connect to the apps • No need for extra tools to do that: scope is built-in – DIFs are securable containers, no need for firewalls 11 Internet (TCP/IP) RINA Default model Global connectivity Controlled connectivity Control scope via Firewalls, ACLs, VLANs, Virtual Private Networks, etc.. Scope native concept in architecture (DIF) Example: Provider’s network internal layers hidden from customers and other providers
  • 12. Separating port allocation from sync. Complete application naming • With app-names no need for well- known ports. Port-ids of local scope (not in protocol headers) • CEP-ids (in protocol headers) dynamically generated for each flow 12 IPCPP A App A Port-id read/ write 1 EFCP instance, cep-id 8736 IPCPP A App B Port-id read/ write 4 EFCP instance, cep-id 9123 Synchronization • Well-known ports used to identify app endpoints; statically assigned. @s exposed to apps. • Ports used also to identify TCP instances (in protocol headers). Attacker only needs to guess source port-id RINA TCP/IP IP@: 12 Port read/ write 12 TCP instance, port 12 IP @: 78 Port read/ write 78 TCP instance, port 78 TCP PM A TCP PM A
  • 13. DESIGN AND EXPERIMENTATION WITH SECURITY POLICIES3 13
  • 14. Customer network Interior Router Customer Border Router Interior Router Border Router P2P DIF Interior Router P2P DIF Border Router P2P DIF P2P DIF Interior Router Border Router Provider 1 Backbone DIF P2P DIF Border Router Provider 1 Regional DIF Multi-provider DIF P2P DIF Access DIF P2P DIFP2P DIF Provider 1 network Provider 2 network IPCP A IPCP B IPCP C P2P DIF P2P DIF IPCP D • DIFs are securable containers, strength of authentication and SDU Protection policies depends on its operational environment • DIFs shared between provider/customer (blue DIF) may require strong authentication and encryption, specially if operating over wireless (red DIF) • DIFs internal to a provider may do with no auth.: accessing the DIF requires physically compromising the provider’s assets (green and orange DIFs). Border Router Authentication and SDU protection policies
  • 15. Authentication policy: SSH2-based (I) • Once applications (including IPCPs) have a flow allocated, go through application connection establishment phase – Negotiate app protocol (CDAP) version, RIB version, authenticate • Specified authentication policy based on SSH2 authentication (uses per IPCP public/private RSA key pairs), adapted to the RINA environment 15
  • 17. Crypto SDU protection policy • Crypto policy that encrypts/decrypts PCI and payload of EFCP PDUs – In general SDU protection is used by a DIF to protect its own data (PCIs of data transfer PDUs and full layer management PDUs) • Not assuming N-1 DIF will provide reliable and in-order-delivery -> using counter mode (as in IPsec) – AES128 and AES256 as supported encryption algorithms • HMAC code to protect integrity of PDU – SHA256 chosen as hash algorithm 17 12 IPCPP A IPCPP A N-1 flow SDU Protection SDU Protectioncounter Encrypted data HMAC
  • 18. Experimentation with IRATI 18 Provider Border Router 1 Provider Border Router 2 Customer Border Router Shim DIF over Eth Shim DIF over Eth IPCP A IPCP B access.DIF IPCP C IPCP D regional.DIF IPCP E IPCP F IPCP G multi-provider.DIF Customer network Provider network Experimental scenario • IRATI is an open source, programmable implementation of RINA for Linux, written in C/C++ • Implemented plugins with authSSH2 auth. and SDU protection policies
  • 20. Research, open source, standards • Current research projects – FP7 PRISTINE (2014-2016) http://ict-pristine-eu – H2020 ARCFIRE (2016-2017) http://ict-arcfire.eu – Norwegian project OCARINA(2016-2021) – BU RINA team http://csr.bu.edu/rina • Open source implementations – IRATI (Linux OS, C/C++, kernel components, policy framework, RINA over X) http://github.com/irati/stack – RINASim (RINA simulator, OMNeT++) – ProtoRINA (Java, RINA over UDP, quick prototyping) • Key RINA standardization activities – Pouzin Society (experimental specs) http://pouzinsociety.org – ISO SC6 WG7 (2 new projects: Future Network – Architectures, Future Network- Protocols) – ETSI Next Generation Protocols ISG 1 2 3 4 1 2 3 1 2 3 20

Editor's Notes

  1. - Complexity, complexity, complexity (unbounded, nobody knows what new combinations of layers may be needed in the future
  2. Layers are resource allocators, provide IPC services over a certain scope, they all have the same functions
  3. Core/backbone: IP/MPLS Metro aggregation: Carrier Ethernet Access: xDSL, FTTH (PON tech), WiFI, LTE Services: L2/L3 VPNs, Internet access, IMS Micro DC: C-RAN, Mobile Edge computing Metro/regional/national DCs: provider service platforms (DNS, SMTP, etc…) LTE EPC (S-GW and/or P-GW, MME), IMS, cloud hosting, NOC, etc
  4. SYN-Ack Attack: must guess which of 2^16 CEP-id. Data Transfer: must guess CEP-id and seq num within window! Reassembly attack: Reassembly only done once. No well-known ports to scan.
  5. Core/backbone: IP/MPLS Metro aggregation: Carrier Ethernet Access: xDSL, FTTH (PON tech), WiFI, LTE Services: L2/L3 VPNs, Internet access, IMS Micro DC: C-RAN, Mobile Edge computing Metro/regional/national DCs: provider service platforms (DNS, SMTP, etc…) LTE EPC (S-GW and/or P-GW, MME), IMS, cloud hosting, NOC, etc