[email protected] · nebula is supported by the nsf under its future internet architecture...
TRANSCRIPT
Verifiable Network Pathsfor the Nebula Data Plane
Antonio R. [email protected]
Based on joint work with J.Naous (MIT), M. Walfish, M. Miller, A.Seehra
(UT-Austin), and D.Mazières (Stanford)
CCW’11 (Hyannis, Cape Cod, MA) 10 Oct 2011
Outline
• Project Nebula
• Nebula Control/Data Plane (NVENT/NDP)
• Path Verification in NDP: Mechanism Details
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
Project Nebula
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
Nebula—Motivation:Trustworthy Cloud Computing
• Realizing olden-golden ‘computing utility’
• Why didn’t it happen in the 60’s?- Computing technology (HW / OS / SW ); HCI;
Networking
• Today: Lots of progress, but still inadequate n/w3 Pervasive, mobile, broadband connectivity
7 Five 9’s availability / reliability
7 In general, assurances other than raw reachability
• And tomorrow?+ Future-proofing via extensibility / evolvability
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
The Nebula Vision
Make cloud computing trustworthy
Elaborating a bit:
Provide secure, highly available, and robustcommunication services to critical applications inthe emerging cloud and mobile environment
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
Overview of the Nebula Architecture
Three components:
• NCore: Nebula Core network
• NVENT: Nebula Virtual & Extensible Networking Techniques
• NDP: Nebula Data Plane
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
Enabling the Nebula Vision
Secure, highly available, and robust communication
• Ncore, NVENT, and NDP tackle above challengefrom complimentary and redundant angles
• E.g., availability and robustness
- NCore tolerates failures of core routers
- NVENT+NDP enable path diversity
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
NVENT+NDP
Q: How do NVENT and NDP enable path diversity?
• NVENT allows parties to express routingpreferences and retrieve suitable paths
- E.g., “Need ≥ 3 node-disjoint paths from A to B”
• NDP constrains the network paths that datapackets actually take
NVENT+NDP ‘thesis’Policy Routing + Path Verification together providemeaningful assurances about network traffic
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
NVENT/NDP Interface
Main principles:
• Separate decision-making from enforcement
- Policy decisions in (evolvable) control plane
- Enforcement in high-speed data plane
• Establish n/w paths prior to communication
+ Crucially, only negligible state overhead at forwarders
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
NVENT/NDP Interface (cont’d)NVENT
NDP
policyengine
consent engine
pathreq
pathspec
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
NDP Forwarding: OverviewNVENT
NDP
policyengine
consent engine
pathreq
pathspec SLA
1
SLA2 gst
employeeslan
data
data
data
data
data d
ata
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
Outline of NVENT RoutingNVENT
NDP
policyengine
policyengine
policyengine
policyengine
consent engine
consent engine
consent engine
consent engine
pathreq SLA
1
SLA2 gst
employeeslan
policyengine
policyengine
policyengine
policyengine
1
2
2
3
consent engine
consent engine
consent engine
consent engine
4
consent engine
5
pathspec
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
NDP Forwarding: Main Challenge
Path VerificationAssume an adversarial, decentralized, andhigh-speed environment. How can a forwarderverify, upon arrival of a packet, that the packetfollowed an approved network path?
Our approach
¶ Path Consent: Before communication, all nodeson path approve its usage (based on policy)
· Path Compliance: On pkt ingress, can ascertainthat path is approved, and pkt is following path
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
Path Verification in NDP
• Map path consent and path compliance tocryptographic tokens (MAC’s):
- PoC: Proof of Consent
- PoP: Proof of Path
• PoCs minted in control plane (consent engines)and checked in data plane
- Based on symmetric keys shared within a realm (AS)
• PoPs minted by upstream forwarders andchecked by downstream forwarders
- Based on symmetric keys derived via NIDH and SCNs
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
Naming in NDP• NDP realms use self-certifying names (SCNs)
- Realm name is a (short) PK, generated by node itself
+ No need for a central naming authority
• NDP nodes use non-interactive Diffie-Hellman(NIDH) to establish pairwise PoP keys k,j’s
- Node in realm N uses its realm’s secret key to deriveshared key k,j simply from realm Nj’s name
• Realm names are ‘multiplexed’ using tags
- Opaque identifiers whose meaning is local to realm
- E.g, specific actions to perform on packet upon arrival
- ‘Generalized’ MPLS label of sort
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
Path Verification in NDP (cont’d)
Receiver
Server 1
Consent
Server 3
Consent
Server 2
node 2node 1Sender
Consent
1 1
2 3 4
1
42
⊕
N2 N3
PoP2,3
⊕
Payload Payload
P
V1V2V3
A2 PoP0,2PoP1,2
⊕⊕A1 PoP0,1
A2⊕ PoP0,2⊕A3 PoP0,3 ⊕
PoP0,1A1
⊕
⊕
A3 PoP0,3PoP1,3
N0 N1 N2 N3 N0 N1
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
NDP Header
• Two main parts: path P and verifiers Vj’s
• Sender (N0) initializes Vj’s with PoCs and PoPs
• Each N checks its verifier (V) and updatesdownstream verifiers (Vj for j > )
- Checking V ensures both path consent (via PoC) andinterim path compliance (via the PoPs)
- Updating PoPs in Vj (j > ) “tells” Nj that packet hasgone through N (enabling Nj to check compliance)
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
Path Verification in NDP: Costs
• Space overhead: ≈ 20%- Average header: ≈ 250 bytes
- Average packet size: ≈ 1,300 bytes
• Hardware cost: ≈ 2× IP router
- Gate count on NetFPGA: IP 8.7M, NDP-like 13.4M
- NDP-forwarding good-put: ≈ 80% of IP
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
Summary
• Nebula’s vision: Trustworthy cloud computing
• Evolvability and assurance in NVENT+NDP
• Securing n/w forwarding w/ verifiable paths
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
Caveats / Open Problems
• Path compliance doesn’t protect pkt’s future
- Feasible to encrypt/decrypt at each hop (i.e., ON)?
• P. compliance can’t prove where pkt didn’t go
- Preventing surreptitious tunneling by nodes on path?
• Cheaper verification via probabilistic checking?
- Or are NDP assurances all-or-nothing?
• Withholding consent and net-neutrality
- Is transparency enough to foster consumer choice?
• Privacy implications of full paths in headers
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
Acknowledgments
• Nebula is supported by the NSF under itsFuture Internet Architecture program
- All opinions reported are those of the author and do notnecessarily reflect the views of the NSF
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
Thank You!
Questions?
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
The Nebula Team
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
The Nebula Team
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
NDP Header
other fields payload ...
hop 1info
hop ninfo
hop#counter
Proof ofConsent
Proof ofPathDomain ID MPLS-style
token
42n bytes6 bytes 1 byte 6 bytes
42 bytes
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011
NVENT+NDPNVENT
NDP
policyengine
policyengine
policyengine
policyengine
consent engine
consent engine
consent engine
consent engine
pathreq SLA
1
SLA2 gst
employeeslan
policyengine
policyengine
policyengine
policyengine
1
2
2
3
consent engine
consent engine
consent engine
consent engine
4
consent engine
5
pathspec
datad
ata
10
data
data d
ata
8 96 7
CCW’11 (Hyannis, Cape Cod, MA) Antonio R. Nicolosi 10 Oct 2011