[Ndn-interest] Securing Data packet.

Nicolaescu, Adrian-Cristian adrian-cristian.nicolaescu.17 at ucl.ac.uk
Wed Jul 3 09:59:36 PDT 2019


Hello Andriana, David, all,

I think the best article to look at, with regards to NDN security, would be "An Overview of Security Support in Named Data Networking". It explains the readily-available (native and some new, updated and adapted) mechanisms available for security provision in NDN and it might help you by providing a better picture of security, if not solve your problem. 

If I am not mistaken, the point here is that generally it would not be advisable to introduce that extra layer of security, unless you want to introduce a lot of latency into your system and overhead into the packet processing procedure of your routers. The difference between the two layers of encryption/security (Data - packet payload - and MetaData - or, as defined in the original NDN paper - MetaInfo - packet header) has to be taken into account, because the two encryption/decryption (or signing/verification) algorithms, for the Data and/or for the "MetaInfo" could be wildly different. Please correct me if I'm wrong with anything, David.

Thank you.

Kind regards,
Adrian-Cristian (Chris) Nicolaescu

-----Original Message-----
From: Ndn-interest <ndn-interest-bounces at lists.cs.ucla.edu> On Behalf Of David R. Oran
Sent: 03 July 2019 17:11
To: Andriana Ioannou <ioannoa at tcd.ie>
Cc: ndn-interest at lists.cs.ucla.edu
Subject: Re: [Ndn-interest] Securing Data packet.

On 3 Jul 2019, at 10:45, Andriana Ioannou wrote:

> Dear all,
>
> In my current research I have altered the Data packets to include some 
> information that will allow the routers on delivery paths to make 
> better caching decisions. This information may be updated during 
> delivery from the routers downstream.
>
It would be useful if you could elaborate a bit on what you’re trying to accomplish and what information might be added to the packet (outside the signature’s security envelope since you say you want this to be modified hop-by-hop).

> I have been looking on the security implications for this, and so far 
> I understand that the community is mostly focused on the content 
> contained in a Data packet, and the related fields, e.g. name and key 
> locator, rather than securing the whole Data packet.
Well, since forwarding is stateful in NDN, you likely need to not only keep mutable fields in the clear so the routers can see them, but also eschew end-to-end integrity so you can modify them. It would be helpful if you could articulate what threats you hope to address by “securing” the entire data packet. Misbehavior by on-path routers? (note that packets can be protected on links via hop-by-hop encryption, so any vulnerabilities are ones introduced by on-path routers).

> My guess is that this would be an
> important overhead/cost since each router involved in the process will 
> have to decrypt each incoming Data packet to ensure it's valid.
>
Well, you can ensure against modification with just integrity (e.g. with SHA) so there must be some confidentiality threat you want to foil by encryption.

> The only option I could think of would be to "enforce" the publisher 
> to sign those fields of the Data packet, too. Yet, this would mean 
> that the signature would not refer only to the content requested by 
> the consumer, which I guess is fundamentally wrong since you end up 
> delivering "garbage"
> to your consumers...
>
I’m not sure I follow this. There’s a fundamental disconnect between end-to-end integrity via signatures and the ability to modify packets as they traverse the network.

> I would appreciate it if you could argue on this, since my security 
> background is a bit limited. I would be happy to be pointed out on 
> some related literature too - if available.
>
It’s hard to know what to point you to without knowing in more detail what you’re trying to accomplish.

> Kind regards,
> Andriana.
> _______________________________________________
> Ndn-interest mailing list
> Ndn-interest at lists.cs.ucla.edu
> http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest

DaveO
_______________________________________________
Ndn-interest mailing list
Ndn-interest at lists.cs.ucla.edu
http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest
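The point made in the thread above, that end-to-end signature integrity and hop-by-hop mutation of the same fields cannot both hold, as an added example that is not part of this mailing-list exchange: a simplified Data packet whose signed envelope covers Name, MetaInfo and Content while a caching hint travels outside it. HMAC-SHA256 with a constructed key stands in for the publisher's signature, and the field names and dict layout are assumptions rather than NDN's actual TLV encoding.

```python
import hashlib
import hmac
import json

# Constructed demo key; HMAC-SHA256 stands in for the publisher's signature.
PUBLISHER_KEY = b"constructed-demo-key"
# Fields inside the signature's security envelope (Name, MetaInfo, Content, as in NDN).
SIGNED_FIELDS = ("name", "metainfo", "content")


def signed_portion(pkt: dict) -> bytes:
    """Canonical bytes of exactly the signed fields; the cache hint is excluded."""
    return json.dumps({k: pkt[k] for k in SIGNED_FIELDS}, sort_keys=True).encode()

def sign(pkt: dict) -> dict:
    """Publisher signs the envelope once, before the packet enters the network."""
    signed = dict(pkt)
    signed["signature"] = hmac.new(PUBLISHER_KEY, signed_portion(pkt), hashlib.sha256).hexdigest()
    return signed

def verify(pkt: dict) -> bool:
    """Integrity check by consumer or router: recompute and compare, no decryption needed."""
    expected = hmac.new(PUBLISHER_KEY, signed_portion(pkt), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkt.get("signature", ""))

def router_update_hint(pkt: dict, hops: int) -> dict:
    """On-path router mutates only the unsigned hop-by-hop field."""
    relayed = dict(pkt)
    relayed["cache_hint"] = {"hops": hops}
    return relayed

def tamper_content(pkt: dict) -> dict:
    """A router changing a signed field is exactly what end-to-end integrity catches."""
    bad = dict(pkt)
    bad["content"] = "altered"
    return bad

def demo() -> tuple:
    # Constructed sample packet with a hop counter that routers are allowed to update.
    data = sign({"name": "/demo/data/1", "metainfo": {"freshness_ms": 1000},
                 "content": "hello", "cache_hint": {"hops": 0}})
    relayed = router_update_hint(data, 3)   # hint changed, signature still verifies
    forged = tamper_content(relayed)        # signed field changed, verification fails
    return verify(data), verify(relayed), verify(forged)


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Had the hint been placed inside SIGNED_FIELDS instead, the router's update would fail verification just like the content tampering does, which is the trade-off the thread describes.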

