[Ndn-interest] Securing Data packet.

David R. Oran daveoran at orandom.net
Thu Jul 4 06:22:07 PDT 2019 

On 3 Jul 2019, at 12:33, Andriana Ioannou wrote:

> Hi David,
>
> Many thanks for your reply. I actually have two use-case scenarios 
> which
> modify Data packets, both somewhat related to caching.
>
> In the first scenario, I have a number of fields in the Data packet 
> that
> defines how many hops the corresponding Interest packet, that 
> triggered
> this Data packet, did traverse, as well as the number of hops that the 
> Data
> packet traversed.
There’s already been a proposal to add a “hops traversed” field to 
data packets (outside the security envelope). This turns out to be 
fairly trivial, as the hop limit field in Interests can be re-purposed 
for this in Data packets. (Aside: I think I proposed this as far back as 
2014). CCNx I think may already include it (I can check if you want); 
NDN does not currently because NDN only recently added hop limits to 
Interests to fix the long-standing bug that nonces alone don’t 
suppress loops if you allow Interest retransmissions by forwarders.

> This is used by the downstream routers to make caching
> decisions. So, at each hop one of the fields in that Data packet is
> expected to change, i.e. increased by one. This information basically 
> tells
> a router how far away a content source is and whether it would be
> beneficial to cache the content or not.
Distance from publisher may or may not be the best metric, but it is of 
course worth evaluating under what topologies and access patterns it 
helps, so your research here could be quite valuable. For amore 
comprehensive look at what metrics one might use - especially in terms 
of density and fan-out (which can possibly mirror a centrality metric), 
you might find the ideas in

http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&co1=AND&d=PTXT&s1=8,874,845.PN.&OS=PN/8,874,845&RS=PN/8,874,845

worth looking at.

Aside: don’t worry about the fact that this is patented, as the patent 
holder (Cisco) has made its ICN-related patents freely available to 
people working on CCN or NDN).

> The security implication is that
> someone that "seats" between any two routers may alter this packet 
> field,
> and "enforce" the rest of the routers downstream to make wrong caching
> decisions and ultimate degrade the performance of the network.
>
Well, if it’s a MITM, the hop-by-hop protection you would get from 
link-level (or tunnel) encryption can foil this. If the someone is an 
on-path NDN forwarder, then of course all bets are off. Any on-path NDN 
forwarder can do anything it likes - drop packets, inject packets, 
modify packets, etc. Messing with caching is just one of the 
vulnerabilities, and frankly not as bad as a cache poisoning attack 
which is trivial for an on-path router to mount.

> In the second scenario, I as a border router, i.e. an edge router that
> propagates traffic externally to the Internet infrastructure, keep 
> track of
> the traffic that is propagated. My goal is to reduce the external 
> traffic
> to avoid extra costs. So, if I record too much traffic for some 
> content I
> modify one of the return Data packets to notify a consumer to act as a
> temporary content source; meaning that when the consumer gets the
> corresponding Data packet it advertises that it has a copy within the 
> local
> network.
This sounds like routing… not caching. I would think instead of 
modifying data packets you’d announce the prefix for which you are 
caching lots of stuff via the routing protocol.

> This may be used by subsequent requests to be satisfied locally
> within the network. Again, the security implication is that someone 
> could
> modify this field of the Data packet, making different consumers to
> advertise their content and prevent the ones that should advertise 
> them to
> do so.
Again, if the someone is an on-path router, all bets are off and 
achieving caching optimizations by putting stuff in data packets (like 
the above-mentioned patent) doesn’t change the equation in any 
significant way.

However, like you I’m not a security expert, so someone with a 
stronger security background might choose to differ.

Best,
DaveO.

>
> I hope that clarifies a bit my issues!
> Kind regards,
> Andriana.
>
> On Wed, 3 Jul 2019 at 19:11, David R. Oran <daveoran at orandom.net> 
> wrote:
>
>> On 3 Jul 2019, at 10:45, Andriana Ioannou wrote:
>>
>>> Dear all,
>>>
>>> In my current research I have altered the Data packets to include 
>>> some
>>> information that will allow the routers on delivery paths to make
>>> better
>>> caching decisions. This information may be updated during delivery
>>> from the
>>> routers downstream.
>>>
>> It would be useful if you could elaborate a bit on what you’re 
>> trying
>> to accomplish and what information might be added to the packet 
>> (outside
>> the signatures’s security envelope since you say you want this to 
>> be
>> modified hop-by-hop).
>>
>>> I have been looking on the security implications for this, and so 
>>> far
>>> I
>>> understand that the community is mostly focused on the content
>>> contained in
>>> a Data packet, and the related fields, e.g. name and key locator,
>>> rather
>>> than securing the whole Data packet.
>> Well, since forwarding is stateful in NDN, you likely need to not 
>> only
>> keep mutable fields in the clear so the routers can see them, eschew
>> end-to-end integrity so you can modify them. It would be helpful if 
>> you
>> could articulate what threats you hope to address by “securing” 
>> the
>> entire data packet. Misbehavior by on-path routers? (note that 
>> packets
>> can be protected on links via hop-by-hop encryption, so any
>> vulnerabilities are ones introduced by on-path routers).
>>
>>> My guess is that this would be an
>>> important overhead/cost since each router involved in the process 
>>> will
>>> have
>>> to decrypt each incoming Data packet to ensure its valid.
>>>
>> Well, you can ensure against modification with just integrity (e.g. 
>> with
>> SHA) so there must be some confidentiality threat you want to foil by
>> encryption.
>>
>>> The only option I could think of would be to "enforce" the publisher
>>> to
>>> sign those fields of the Data packet, too. Yet, this would mean that
>>> the
>>> signature would not refer only to the content requested by the
>>> consumer,
>>> which I guess is fundamentally wrong since you end up delivering
>>> "garbage"
>>> to your consumers...
>>>
>> I’m not sure I follow this. There’s a fundamental disconnect 
>> between
>> end-to-end integrity via signatures and the ability to modify packets 
>> as
>> they traverse the network.
>>
>>> I would appreciate if you could argue on this, since my security
>>> background
>>> is a bit limited. I would be happy to be pointed out on some related
>>> literature too - if available.
>>>
>> It’s hard to know what to point you to without knowing in more 
>> detail
>> what you’re trying to accomplish.
>>
>>> Kind regards,
>>> Andriana.
>>> _______________________________________________
>>> Ndn-interest mailing list
>>> Ndn-interest at lists.cs.ucla.edu
>>> http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest
>>
>> DaveO
>>



DaveO

More information about the Ndn-interest mailing list