The Missing Piece: On Namespace Management in NDN and How DNSSEC Might Help

Pouyan Fotouhi Tehrani¹, Eric Osterweil², Jochen Schiller³, Thomas C. Schmidt⁴, Matthias Wählisch³

¹ Weizenbaum Institut / Fraunhofer FOKUS, ² George Mason University, ³ Freie Universität Berlin, ⁴ Hamburg University of Applied Sciences

September 25, 2019


Benjamin Franklin

usatoday.com.co, bloomberg.ma

Oh, what a tangled web we weave, when first we practice to deceive!

– William Shakespeare Walter Scott


HOLD UP!

Isn’t that what NDN DNS (NDNS) [Afanasyev, 2013] does?

... or even CCN Key Resolution Service (CCN-KRS) [Mahadevan, 2014]?

JAIN!

YES. Technical aspects:
- Self-certifying names
- Trusted third parties (TTP)
- ...

NO. Non-technical aspects:
- Trademarks
- Legal disputes
- ...

* Graphics licensed under CC-BY 4.0 – Twitter, Inc and other contributors


But, why did we wind up needing this (for DNS)?

Internet Phone Book

How entries are entered and read from phonebook.
IETF for DNS

How to decide what names should be entered in the phonebook.
ICANN for DNS

Often contentious...

But, why did we wind up needing this for (global) naming?

[Figure: timeline from 1985 to 2020 plotting domain names (#; data labels: RFC 1296, ISC) and dispute cases before WIPO (#) per year, annotated with the events below.]

1983: RFC 882

1987: RFC 1034

.com boom

1994: RFC 1591
“It is up to the requestor to be sure he is not violating anyone else’s Trademark.”

1996: First court ruling in Germany
Domain names are comparable to “telephone numbers, bank routing numbers or postal codes.”

1997: Initiating DNS Privatization

1997: Court ruling in Germany
Domain names indicate origin and can be related to natural and legal persons.

1998: ICANN Green/White Paper

1999: UDRP Launch

2003: RFC 3467
“Increasing commercialization of the Internet, and visibility of domain names that are assumed to match names of companies or products, has turned the DNS and DNS names into a trademark battleground.”

2006: RFC 4367
“[...] there has been a strong demand to acquire names that have significance to people, through equivalence to registered trademarks, company names, types of services, and so on. There is a danger in this trend [...]”

Lessons learnt:
1. Names are not just labels used to identify things, they require policy and context.
2. If ICN is to experience its own boom, holistic namespace management is required.

Agenda

Introduction

Namespace Management in ICN

NDNSSEC: NDN + DNSSEC

Conclusion and Research Roadmap


Namespace Management Concept: Generic ICN

[Diagram: ICN Namespace N is divided into zones (Zone Z_i ∈ Z). The Zone Owner manages the zone and authorizes Producers; Producers provision under the zone.]


NDNSSEC

DNS Zone Space
.
com.   org.
ietf.org.
tools.ietf.org.

Excerpt of DNS zone records
tools.ietf.org 1800 IN RRSIG DNSKEY 7 2 1800 ...
tools.ietf.org 1800 IN DNSKEY 256 3 6 ...
tools.ietf.org 1800 IN DNSKEY 257 3 7 ...

NDNSSEC: DNS Zone Appropriation for NDN

ndnified DNS Zone Space
/
/com   /org
/org/ietf
/org/ietf/tools

NDNSSEC: Producer Authorization

The Producer provides credentials to the Zone Owner. The Zone Owner enlists the credentials (last record in the excerpt of DNS zone records):
tools.ietf.org 1800 IN RRSIG DNSKEY 7 2 1800 ...
tools.ietf.org 1800 IN DNSKEY 256 3 6 ...
tools.ietf.org 1800 IN DNSKEY 257 3 7 ...
tools.ietf.org 1800 IN DNSKEY XXX X X ...

NDNSSEC: Data Publishing

The Producer starts with Data Packet /html/rfc882 (Meta Info, Content), then:
1. prefix w/ zone apex: /org/ietf/tools/html/rfc882
2. sign: the Data Packet now carries Meta Info, Content, Signature
3. register on NDN

NDNSSEC: Producer Authentication

The Consumer retrieves Data Packet /org/ietf/tools/html/rfc882 (Meta Info, Content, Signature), fetches credentials, and verifies signature.
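Added example (not from the slides or the authors' prototype): the name handling behind the NDNSSEC steps above, covering the DNS-to-NDN name mapping, prefixing with the zone apex, and the consumer-side check that the signing key is enlisted at the apex of the data name. The function names, the key identifiers and the longest-prefix rule for choosing the apex are assumptions; signature verification itself is left to the NDN library.

```python
# Added illustration, not code from the NDNSSEC prototype. Function names,
# key identifiers and the longest-prefix apex rule are assumptions.

def ndnify(dns_name):
    """Map a DNS name to its NDN-style name: tools.ietf.org. -> /org/ietf/tools"""
    labels = [l for l in dns_name.lower().rstrip(".").split(".") if l]
    return "/" + "/".join(reversed(labels))

def components(name):
    """Split an NDN-style name into its non-empty components."""
    return [c for c in name.split("/") if c]

def zone_apex(data_name, zones):
    """Return the longest zone whose components prefix the data name, or None."""
    parts = components(data_name)
    best = None
    for zone in zones:
        z = components(zone)
        # Compare whole components, never raw strings: a key enlisted for
        # /org/ietf/tools must not cover /org/ietf/toolsX.
        if parts[:len(z)] == z and (best is None or len(z) > len(components(best))):
            best = zone
    return best

def publish(local_name, apex):
    """Producer step 'prefix w/ zone apex'."""
    return "/" + "/".join(components(apex) + components(local_name))

def producer_authorized(data_name, signer_key, zone_keys):
    """Consumer step: is the signing key enlisted at the data name's zone apex?
    Checking the signature with that key is assumed to happen separately."""
    apex = zone_apex(data_name, zone_keys.keys())
    return apex is not None and signer_key in zone_keys[apex]

# Constructed sample data: enlisted key identifiers per ndnified zone apex.
ZONE_KEYS = {
    ndnify("org."): {"org-ksk"},
    ndnify("ietf.org."): {"ietf-ksk"},
    ndnify("tools.ietf.org."): {"tools-zsk", "tools-ksk", "producer-key"},
}

if __name__ == "__main__":
    name = publish("/html/rfc882", ndnify("tools.ietf.org."))
    print(name, producer_authorized(name, "producer-key", ZONE_KEYS))
    lookalike = "/org/ietf/toolsX/html/rfc882"
    print(lookalike, producer_authorized(lookalike, "producer-key", ZONE_KEYS))
```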

Conclusion and Research Roadmap

Multi-stakeholder scenarios require namespace management.

Where we are
✔ Ecosystem to globally manage and secure names (based on DNS)
✔ Prototype to synergize with NDN

Where we want to be
➜ DNS data w/o DNS transport
➜ Evaluate performance and feasibility (synchronization disparities, etc.)


Thanks! It’s time for Questions, Comments, and Criticisms.