<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Cesar,</p>
<p>If the PIT were to be added to IP then I would agree with what
you say below. But this is NDN. You cannot just pick on the PIT
ignoring the rest of the architecture.</p>
<p>Christos.</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 09/27/2016 09:31 PM, Cesar Ghali
wrote:<br>
</div>
<blockquote
cite="mid:CAAj99Km7nvumbRwMOhqgZFLjCMbCFtqJ=f5PhGhjFQq5CdY_KA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>This is an interesting topic and I'm sure Chris read Luca's
message before he responded. Exhausting link bandwidth or
computing resources is a problem in today's network and, as
far as I know, in all proposed future Internet architectures.
Since the PIT is a new player here (this doesn't mean it is
the bad guy or the only bad guy) and it introduces a new
problem that didn't exist before, it might be helpful to take
a step back and reassess design decisions, especially since
proposed countermeasures do not solve the problem and can be
bypassed by smart adversaries.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Sep 27, 2016 at 7:49 PM,
Christos Papadopoulos <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:christos@colostate.edu" target="_blank">christos@colostate.edu</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex"><span class="gmail-"><br>
<br>
On 09/27/2016 07:47 PM, <a moz-do-not-send="true"
href="mailto:christopherwood07@gmail.com"
target="_blank">christopherwood07@gmail.com</a> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
On September 27, 2016 at 5:14:14 PM, Christos
Papadopoulos<br>
(<a moz-do-not-send="true"
href="mailto:christos@colostate.edu" target="_blank">christos@colostate.edu</a>)
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<br>
On 09/27/2016 04:59 PM, <a moz-do-not-send="true"
href="mailto:woodc1@uci.edu" target="_blank">woodc1@uci.edu</a>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
To re-iterate Cesar’s point, as of now, there is
no truly effective<br>
interest flooding mitigation. However, one
concrete way to minimize<br>
the attack surface (for routers) is to get rid of
the attack's root<br>
cause: the PIT. (Producers could still be hosed
with bogus interests.)<br>
And since the PIT enables several important
functions, other<br>
architecture changes will probably have to follow
in its wake.<br>
</blockquote>
You start with what I believe to be the wrong
premise: protecting the<br>
router. In NDN we care about communication, not a
single router.<br>
Protecting a router is winning the battle but losing
the war.<br>
</blockquote>
I respectfully disagree. If the adversary takes out
the producer,<br>
there is no communication. If the adversary takes out
the routers<br>
adjacent or otherwise on the path to the producer,
there is no<br>
communication. Protecting the router(s) is equally
important,<br>
especially since it may impact more than just a single
producer.<br>
</blockquote>
<br>
</span>
You are still thinking in IP terms. In NDN data follows
demand; data diffuses in the network pulled by Interests
over all available faces. If an attacker manages to attack
all available paths to your content without attacking the
entire infrastructure, then I claim you deployed a bad
defense system.<span class="gmail-"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
I don't understand your statement that the root
cause of DDoS attacks is<br>
the PIT. The root cause of DDoS is resource
exhaustion.<br>
</blockquote>
In these attack scenarios, the PIT *is* the resource
being exhausted.<br>
</blockquote>
<br>
</span>
Then you are looking at a subset of DDoS attacks. There
are others that exhaust link bandwidth or compute
resources. Why is the PIT the only bad guy here? </blockquote>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex"><span class="gmail-"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
Personally, I don’t think we should settle for an
architectural<br>
element that has a known (and quite severe)
weakness simply because it<br>
enables some nice features in practice. The more
serious design<br>
problems must be dealt with first, not last.<br>
</blockquote>
You are underestimating the importance of the signal
the PIT provides.<br>
It is an important insight into the status of
communication. The PIT<br>
does not simply enable some "nice features". Think a
bit harder about<br>
the things you can do with this signal.<br>
</blockquote>
In most attack scenarios, yes, it tells you when bogus
interests are<br>
flooding a particular prefix and otherwise when
communication is<br>
failing. But consider this scenario. Suppose you have
a malicious<br>
producer cooperating with one or more malicious
consumers. The<br>
consumers are quickly sending interests to this
legitimate producer,<br>
who responds with legitimate data. The communication
is not failing.<br>
Their goal is to do nothing other than saturate the
PIT of some<br>
intermediate router. Per Spyros’ follow-up suggestion,
that router<br>
might kick out old, legitimate interests in favor of
these malicious<br>
ones. Of course, this is fundamentally how we would
expect one to deal<br>
with and manage a limited resource. So preventing this
attack seems<br>
difficult for any approach. But the point is that this
resource, the<br>
PIT, is easily abused in CCN/NDN.<br>
</blockquote>
<br>
</span>
I am not sure where you are going here. All public
resources can be abused. The question is how do you build
a good resource management system to detect and mitigate
resource abuse. Luca put it nicely; I suggest you read his
message.<span class="gmail-HOEnZb"><font color="#888888"><br>
<br>
Christos.</font></span>
<div class="gmail-HOEnZb">
<div class="gmail-h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<br>
Chris<br>
</blockquote>
<br>
______________________________<wbr>_________________<br>
Ndn-interest mailing list<br>
<a moz-do-not-send="true"
href="mailto:Ndn-interest@lists.cs.ucla.edu"
target="_blank">Ndn-interest@lists.cs.ucla.edu</a><br>
<a moz-do-not-send="true"
href="http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest"
rel="noreferrer" target="_blank">http://www.lists.cs.ucla.edu/m<wbr>ailman/listinfo/ndn-interest</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</body>
</html>