Lost in the Edge:
Finding Your Way with Signposts
Charalampos Rotsos, Heidi Howard, David Sheets,
Richard Mortier,† Anil Madhavapeddy, Amir Chaudhry,
Jon Crowcroft
http://anil.recoil.org/papers/2013-foci-slides.pdf
University of Cambridge, UK
† University of Nottingham, UK
anil@recoil.org
13th August, 2013
Introduction Signposts Conclusions
Challenge & Constraints
Contents
1 Introduction
Challenge & Constraints
Building on DNS
2 Signposts
Architecture
Components
3 Conclusions
Implications
Questions
The Challenge
Centralised cloud-hosted services are convenient but create risks:
Loss of data and services due to service shutdown
(whether for commercial or political reasons)
Global passive observers recording all traffic
Inefficient and inconvenient synchronisation in mobile and
offline environments
Our Approach
Use DNS to enable personal clouds, making it easy to deploy apps
that function securely and efficiently across our own device
network, across the Internet edge.
Constraints
Compatibility. Can’t require users to change all their apps.
Security. Need to control access to our personal devices:
requires authentication and confidentiality.
Connectivity. Need to be able to interconnect devices whatever
network is available.
Data vs Orchestration
What’s the minimal network infrastructure that we can deploy to
represent individual users on the core Internet?
Regaining Connectivity
Network Address Translation (NAT) killed end-to-end IP
addressing
(Figure: two hosts, each with the private address 192.168.1.2 behind a NAT
gateway at 192.168.1.1 whose public addresses are 89.16.177.154 and
86.30.244.239; neither can address the other end-to-end.)
Packet filtering makes tunnel setup dynamic
(Full-cone NAT? Is UDP blocked? IPSec?)
Redirection and proxies (e.g., Wifi hotspots) require traversal
Multipath is increasingly available (e.g., 3G + Wifi)
DNS
DNS is THE Internet naming standard:
Supported in almost every embedded device.
Naturally hierarchical and cacheable.
Flexible and "extensible".
Resolver infrastructure exists almost everywhere (including
censorship).
DNS Today
# host recoil.org
recoil.org has address 89.16.177.154
recoil.org mail is handled by 10 dark.recoil.org.
recoil.org mail is handled by 20 mx-caprica.easydns.com.
Why can’t we have stronger DNS bindings between edge devices?
# host ipad.home.anil.recoil.org
ipad.home.anil.recoil.org has address 192.168.1.19
DNS Manipulation
DNS is already manipulated: content networks differentiate results
by the query source so the nearest CDN node can serve data
Indeed,
“DNS servers can play games. As long as they appear to
deliver a syntactically correct response to every query,
they can fiddle the semantics.” — RFC3234
Names for The Average Joe
But there’s nowhere for individuals to easily host their own little
name services online. Change this, and everything improves.
DNS Security
Authentication. DNSSEC provides a standard, deployed security
model where identity chains are established by trusting the
registrars or other trust anchors
Confidentiality. DNSCurve adds confidentiality, integrity, authentication
and repudiability to name resolution by wrapping queries and responses in
a Curve25519-keyed encrypted channel; it trades compatibility against
overhead, with 255-bit Curve25519 keys offering security roughly
equivalent to 3072-bit RSA
Architecture
(Figure: a Signpost Device at the Edge, where Applications call
gethostbyname() into a local DNS Resolver; Signpost instances (home,
laptop, cloud) make up Alice's Device Cloud and reach Bob's Device Cloud
across the Internet over DNSCurve, with DNSSEC above it, carrying IP, TCP,
UDP, ... over Dynamic Tunnels.)
At the edge, devices interconnect using tunnels created in response
to authenticated, confidential DNSCurve queries. Connections
access-controlled via authenticated query source.
Active Edge Resolution
Incremental, parallel resolution via 0 TTL responses
containing multiple results.
Bootstrap trusted public keys between devices via resurrecting
duckling. No passwords during resolution.
Degrade gracefully from P2P to personal cloud service to
shared provider.
Resolution triggers tunnel establishment scripts; currently
support (L2) Tuntap/SSH, OpenVPN, (L3) IPSec, (L4+)
Privoxy/Tor via SOCKS
Seamless operation with extra host support (e.g., OpenFlow)
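The two mechanisms on this slide in working form: a response that carries several candidate addresses for one device name, every record with TTL 0 so nothing caches it, and a per-candidate tunnel choice that degrades from P2P to personal cloud to shared provider. This is an added illustration, not code from the Signposts repository; the candidate table, the tier names, the tunnel labels and the 198.51.100.7 address are constructed for the example, and the packet layout is plain RFC 1035 wire format.

```python
"""Active edge resolution, illustrated. Added example, not Signposts code.

A Signpost answers a lookup for one of its device names with several
candidate addresses at once (one per reachable path), every record with
TTL 0 so no resolver caches it and the next lookup can return a different
set as connectivity changes. The candidate table, the tier names and the
tunnel labels below are assumptions for this example; the packet layout
is plain RFC 1035 wire format.
"""
import ipaddress
import struct

QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name):
    """Dotted name -> uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Labels at off (compression pointers allowed) -> (name, offset after them)."""
    labels, end, jumped = [], None, False
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:               # pointer: 14-bit offset into msg
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (off if end is None else end)

def build_query(name, txid=0x1234):
    """Standard recursive A query with one question."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name)
            + struct.pack("!HH", QTYPE_A, QCLASS_IN))

def build_response(query, addresses):
    """Echo the question and answer with one A record per address, all TTL 0."""
    txid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    _, off = decode_name(query, 12)
    question = query[12:off + 4]                  # name + qtype + qclass
    flags = 0x8580                                # QR, AA, RD, RA
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        answers += b"\xC0\x0C"                    # pointer to the question name
        answers += struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 0, 4)   # TTL 0
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers

def parse_answers(resp):
    """-> [(name, ttl, ip)] for every A record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = decode_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_A:
            out.append((name, ttl, str(ipaddress.IPv4Address(resp[off:off + 4]))))
        off += rdlen
    return out

# Assumed candidate table for one device name: (address, tier, tunnel script).
# Tiers are tried P2P first, then the personal cloud, then a shared provider.
TIER_ORDER = {"p2p": 0, "personal-cloud": 1, "shared-provider": 2}
CANDIDATES = {
    "ipad.home.anil.recoil.org": [
        ("89.16.177.154", "personal-cloud", "openvpn"),
        ("192.168.1.19", "p2p", "tuntap-ssh"),
        ("198.51.100.7", "shared-provider", "socks"),   # constructed (TEST-NET-2)
    ],
}

def resolve(query, table=CANDIDATES):
    """Answer a query from the table, addresses in degradation order."""
    name, _ = decode_name(query, 12)
    plan = sorted(table.get(name, []), key=lambda c: TIER_ORDER[c[1]])
    return build_response(query, [addr for addr, _tier, _tunnel in plan]), plan

if __name__ == "__main__":
    wire, plan = resolve(build_query("ipad.home.anil.recoil.org"))
    for (name, ttl, ip), (_, tier, tunnel) in zip(parse_answers(wire), plan):
        print(f"{name} ttl={ttl} {ip:15} via {tunnel} ({tier})")
```

The ordering of the answer section is the tunnel plan: a client that tries candidates in order, or all at once, gets the P2P path first and the shared provider last, and because every record is TTL 0 the next query sees whatever the Signpost currently believes is reachable.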
Identity Management
Automatic, internal key management in a personal trust
hierarchy simplifies hygiene.
TSIG (shared-key) and SIG(0) (public-key) transaction signatures used
to demonstrate subnamespace authority.
Manage keys for SSH, PGP, *Curve in parallel.
Provides low-friction revocation, making rollover usable by
mortals (?)
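What "demonstrating subnamespace authority" with a transaction signature looks like on the wire, as an added example rather than Signposts code: a TSIG RR is appended to a DNS message and checked on receipt following the HMAC construction of RFC 8945, and the key name is treated as the namespace the signer may speak for. The key name home.anil.recoil.org, the shared secret, the sample query and the rule that a key may only assert names under its own name are assumptions made for this illustration.

```python
"""TSIG signing and verification of a DNS message. Added example, not
Signposts code. The HMAC construction follows RFC 8945: the MAC covers the
message as it stood before the TSIG RR was appended (ARCOUNT not yet
incremented, original message ID) followed by the TSIG variables. The key
name is used here as the subnamespace the signer may speak for; that
rule, the key itself and the names are assumptions for illustration.
"""
import hashlib
import hmac
import struct
import time

TSIG_TYPE, CLASS_ANY, ALGO = 250, 255, "hmac-sha256"

def wire_name(name):
    """Canonical form: lowercase, uncompressed labels."""
    labels = name.lower().rstrip(".").split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """-> (name, offset after the name); follows compression pointers."""
    labels, end = [], None
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (off if end is None else end)

def make_query(name, txid=0x4242):
    """Plain A query used as the unsigned sample message (constructed)."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + wire_name(name)
            + struct.pack("!HH", 1, 1))

def tsig_variables(keyname, algo, time_signed, fudge, error=0, other=b""):
    """The TSIG fields that are covered by the MAC, in RFC 8945 order."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(algo)
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(msg, keyname, key, time_signed=None, fudge=300):
    """Append a TSIG RR to msg; returns the signed wire message."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(key, msg + tsig_variables(keyname, ALGO, time_signed, fudge),
                   hashlib.sha256).digest()
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rdata = (wire_name(ALGO) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", txid, 0, 0))   # original ID, error, other len
    rr = wire_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar + 1) + msg[12:] + rr

def _tsig_offset(msg):
    """Offset of the last additional RR, where the TSIG RR must sit."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if ar == 0:
        raise ValueError("no TSIG RR")
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an + ns + ar - 1):
        _, off = read_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    return off

def verify(signed, keys, now=None):
    """keys: {keyname: secret}. Returns the key name, or raises ValueError."""
    now = int(time.time()) if now is None else now
    start = _tsig_offset(signed)
    keyname, off = read_name(signed, start)
    rtype, _, _, _ = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rtype != TSIG_TYPE:
        raise ValueError("last additional RR is not TSIG")
    algo, off = read_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, macsize = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + macsize]
    off += 10 + macsize
    orig_id, error, otherlen = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + otherlen]
    key = keys.get(keyname.lower())
    if key is None or algo.lower() != ALGO:
        raise ValueError("unknown key or algorithm")          # BADKEY
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    unsigned = struct.pack("!HHHHHH", orig_id, flags, qd, an, ns, ar - 1) + signed[12:start]
    expected = hmac.new(key, unsigned + tsig_variables(keyname, algo, time_signed,
                                                       fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")                      # BADSIG
    if abs(now - time_signed) > fudge:
        raise ValueError("outside time window")                # BADTIME
    return keyname

def authorises(keyname, name):
    """Assumed policy: a key named for a zone may only assert names inside it."""
    k, n = keyname.lower().rstrip("."), name.lower().rstrip(".")
    return n == k or n.endswith("." + k)
```

The verifier checks the signature before the time window so that a clock-skewed but otherwise valid message fails with BADTIME rather than BADSIG, which is what the sender needs to see to resync; the `authorises` check is the part the slide's "subnamespace authority" adds on top of plain TSIG, and is the place where a key for `home.anil.recoil.org` would be refused an update for `work.anil.recoil.org`.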
Programming Model
Currently: Sockets API decouples getaddrinfo(3) from
connect(2), so less powerful.
With Signposts:
Applications bind names to flows in one call, separating
connection establishment from data transfer,
Signpost nodes select environmentally optimal routes via
long-poll DNSCurve updates
Signpost resolver proxies DNS on localhost, late-binding
lookups only when traffic is sent (e.g., TCP SYN)
Work-in-Progress
Resolution. Looking to more efficient path establishment than
“try everything at once”
Identity. Automating key derivation & management
Programming. Exploring details, e.g., need to patch OpenSSL,
provide local OpenFlow switch; more in The Case for
Reconfigurable I/O Channels, RESoLVE 2012
(http://anil.recoil.org/papers/)
Implementation. May be easier to support applications that use
sockets via lightweight VMs
(e.g., http://openmirage.org with Message Switch,
http://github.com/djs55/message-switch)
Alternatives & Possibilities
Signpost uses DNS as a device-facing interface for compatibility –
but could support alternative mechanisms for upstream resolution:
Perspectives (http://perspectives-project.org/) offers a P2P
trust network
Namecoin (http://namecoin.info/) provides decentralized
naming but has economic issues.
When widely deployed, a set of Signposts could help with:
Tor. Constructing a mix zone, perhaps using Dustclouds
(http://anil.recoil.org/papers/2010-iswp-dustclouds.pdf)
Dissent (http://dedis.cs.yale.edu/2010/anon/), simplifying its
use by Average Joe.
Thank you!
Questions?
https://github.com/signposts
https://github.com/mirage

 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 

Signpost at FOCI 2013

  • 1. Lost in the Edge: Finding Your Way with Signposts. Charalampos Rotsos, Heidi Howard, David Sheets, Richard Mortier,† Anil Madhavapeddy, Amir Chaudhry, Jon Crowcroft. University of Cambridge, UK; † University of Nottingham, UK. anil@recoil.org. 13th August, 2013. Slides: http://anil.recoil.org/papers/2013-foci-slides.pdf
  • 2. Contents: 1 Introduction (Challenge & Constraints; Building on DNS); 2 Signposts (Architecture; Components); 3 Conclusions (Implications; Questions)
  • 3-6. Challenge & Constraints: The Challenge. Centralised cloud-hosted services are convenient but create risks:
    - Loss of data and services due to service shutdown (whether for commercial or political reasons)
    - Global passive observers recording all 1.6% traffic
    - Inefficient and inconvenient synchronisation in mobile and offline environments
    Our Approach: use DNS to enable personal clouds, making it easy to deploy apps that function securely and efficiently across our own device network, across the Internet edge.
  • 7-8. Challenge & Constraints: Constraints.
    - Compatibility. Can't require users to change all their apps.
    - Security. Need to control access to our personal devices: requires authentication and confidentiality.
    - Connectivity. Need to be able to interconnect devices whatever network is available.
    Data vs Orchestration: what's the minimal network infrastructure that we can deploy to represent individual users on the core Internet?
  • 9-11. Challenge & Constraints: Regaining Connectivity.
    - Network Address Translation (NAT) killed end-to-end IP addressing. (Diagram: two hosts, both numbered 192.168.1.2, each behind a 192.168.1.1 NAT gateway whose public addresses are 89.16.177.154 and 86.30.244.239.)
    - Packet filtering makes tunnel setup dynamic (Full-cone NAT? Is UDP blocked? IPSec?)
    - Redirection and proxies (e.g., Wifi hotspots) require traversal
    - Multipath is increasingly available (e.g., 3G + Wifi)
  • 12. Contents (section: Building on DNS; outline as on slide 2)
  • 13. Building on DNS: DNS. DNS is THE Internet naming standard:
    - Supported in almost every embedded device.
    - Naturally hierarchical and cacheable.
    - Flexible and "extensible".
    - Resolver infrastructure exists almost everywhere (including censorship).
  • 14-15. Building on DNS: DNS Today.
        # host recoil.org
        recoil.org has address 89.16.177.154
        recoil.org mail is handled by 10 dark.recoil.org.
        recoil.org mail is handled by 20 mx-caprica.easydns.com.
    Why can't we have stronger DNS bindings between edge devices?
        # host ipad.home.anil.recoil.org
        ipad.home.anil.recoil.org has address 192.168.1.19
  • 16-17. Building on DNS: DNS Manipulation. DNS is already manipulated: content networks differentiate results by the query source so the nearest CDN node can serve data. Indeed, "DNS servers can play games. As long as they appear to deliver a syntactically correct response to every query, they can fiddle the semantics." (RFC3234)
    Names for The Average Joe: but there's nowhere for individuals to easily host their own little name services online. Change this, and everything improves.
  • 18. Building on DNS: DNS Security.
    - Authentication. DNSSEC provides a standard, deployed security model where identity chains are established by trusting the registrars or other trust anchors.
    - Confidentiality. DNSCurve adds confidentiality, repudiability, integrity, and authentication to name resolution through an Elliptic Curve Cryptographic tunnel; can trade compatibility against overhead, with 255-bit Curve25519 keys offering complexity equivalent to 3072-bit RSA.
  • 19. Contents (section: Architecture; outline as on slide 2)
  • 20-22. Architecture. (Diagram: on a Signpost device, Applications call gethostbyname() against a local DNS Resolver; the user's Signposts (home, laptop, cloud) form Alice's Device Cloud at the Edge, linked by DNSCurve and dynamic tunnels carrying IP, TCP, UDP, ...; Bob's Device Cloud is reached across the Internet, with DNSSEC between clouds.) At the edge, devices interconnect using tunnels created in response to authenticated, confidential DNSCurve queries. Connections are access-controlled via the authenticated query source.
  • 23. Contents (section: Components; outline as on slide 2)
  • 24-28. Components: Active Edge Resolution.
    - Incremental, parallel resolution via 0 TTL responses containing multiple results.
    - Bootstrap trusted public keys between devices via resurrecting duckling. No passwords during resolution.
    - Degrade gracefully from P2P to personal cloud service to shared provider.
    - Resolution triggers tunnel establishment scripts; currently support (L2) Tuntap/SSH, OpenVPN, (L3) IPSec, (L4+) Privoxy/Tor via SOCKS
    - Seamless operation with extra host support (e.g., OpenFlow)
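The resolution scheme on slides 24-28 (0-TTL answers carrying several candidates, and graceful degradation from a direct P2P path to the personal cloud to a shared provider), modelled in Python as an added example. This is not code from the Signposts project: the candidate list, the tier labels and the simulated reachability set are constructed for illustration (192.168.1.19 and 89.16.177.154 are borrowed from slides 14-15; 203.0.113.7 is a documentation-range placeholder), and a real client would run the tunnel-establishment scripts the slides mention instead of a set lookup.

```python
"""Signpost-style active edge resolution (added example, not project code).

A signpost answers a device-name query with a DNS response whose A records
all carry TTL 0, so no resolver on the path caches them; the client walks
the candidates in the signpost's preference order and degrades from a
direct (P2P) path to the personal cloud to a shared provider."""
import struct

# Constructed candidate set for a hypothetical device name (assumption).
# Order is the signpost's preference: LAN path, own cloud signpost, shared provider.
CANDIDATES = [
    ("p2p", "192.168.1.19"),        # direct path on the home LAN
    ("personal", "89.16.177.154"),  # user's own cloud-hosted signpost
    ("shared", "203.0.113.7"),      # shared provider (TEST-NET-3 placeholder)
]


def encode_name(name):
    """Encode a dotted hostname as DNS labels: 'a.b' -> b'\\x01a\\x01b\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_zero_ttl_response(txid, name, addresses):
    """Wire-format DNS response: one IN A answer per address, every TTL 0.

    TTL 0 is what forces the next lookup back to the signpost, which may then
    return a different candidate set as connectivity changes."""
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for ip in addresses:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 0, 4) + rdata
    return header + question + answers


def skip_name(msg, pos):
    """Advance past the name at msg[pos]: a label sequence or a compression pointer."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def parse_a_answers(msg):
    """Return [(ttl, dotted_ip), ...] for the IN A records in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    results = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            results.append((ttl, ".".join(str(b) for b in rdata)))
    return results


def resolve_and_select(name, reachable, txid=0x1234):
    """Resolve `name` against the simulated signpost and pick the first reachable
    candidate.  Returns (tier, ip), or None when every tier has failed (the caller
    then reports no path rather than guessing one)."""
    response = build_zero_ttl_response(txid, name, [ip for _, ip in CANDIDATES])
    answers = parse_a_answers(response)
    # A cacheable signpost answer would defeat incremental resolution: refuse it.
    if any(ttl != 0 for ttl, _ in answers):
        raise ValueError("signpost answers must carry TTL 0")
    tier_of = {ip: tier for tier, ip in CANDIDATES}
    for _ttl, ip in answers:  # answer order is the signpost's preference order
        if ip in reachable:
            return tier_of[ip], ip
    return None


if __name__ == "__main__":
    # Constructed scenario: the LAN path is down, only the cloud paths answer.
    print(resolve_and_select("ipad.home.anil.recoil.org",
                             {"89.16.177.154", "203.0.113.7"}))
```

The check that every answer carries TTL 0 is the security-relevant part: a stale cached answer would pin a device to a path the signpost no longer vouches for, so the client refuses it rather than silently using it.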
  • 29. Components: Identity Management.
    - Automatic, internal key management in a personal trust hierarchy simplifies hygiene.
    - TSIG/SIG0 DNSSEC signatures used to demonstrate subnamespace authority.
    - Manage keys for SSH, PGP, *Curve in parallel.
    - Provides low-friction revocation, making rollover usable by mortals (?)
  • 30. Components: Programming Model.
    - Currently: the Sockets API decouples getaddrinfo(3) from connect(2), so it is less powerful.
    - With Signposts: applications bind names to flows in one call, separating connection establishment from data transfer; Signpost nodes select environmentally optimal routes via long-poll DNSCurve updates; the Signpost resolver proxies DNS on localhost, late-binding lookups only when traffic is sent (e.g., TCP SYN).
  • 31. Components: Work-in-Progress.
    - Resolution. Looking to more efficient path establishment than "try everything at once"
    - Identity. Automating key derivation & management
    - Programming. Exploring details, e.g., need to patch OpenSSL, provide local OpenFlow switch; more in The Case for Reconfigurable I/O Channels, RESoLVE 2012 (http://anil.recoil.org/papers/)
    - Implementation. May be easier to support applications that use sockets via lightweight VMs (e.g., http://openmirage.org with Message Switch, http://github.com/djs55/message-switch)
  • 32. Contents (section: Implications; outline as on slide 2)
  • 33. Implications: Alternatives & Possibilities. Signpost uses DNS as a device-facing interface for compatibility – but could support alternative mechanisms for upstream resolution:
    - Perspectives (http://perspectives-project.org/) offers a P2P trust network
    - Namecoin (http://namecoin.info/) provides decentralized naming but has economic issues.
    When widely deployed, a set of Signposts could help with:
    - Tor. Constructing a mix zone, perhaps using Dustclouds (http://anil.recoil.org/papers/2010-iswp-dustclouds.pdf)
    - Dissent (http://dedis.cs.yale.edu/2010/anon/), simplifying its use by Average Joe.
  • 34. Contents (section: Questions; outline as on slide 2)
  • 35. Questions: Thank you! Questions? https://github.com/signposts https://github.com/mirage