Network-Layer Trust in Named-Data Networking

By: 
C. Ghali, G. Tsudik, E. Uzun
Appears in: 
CCR October 2014

In contrast to today’s IP-based host-oriented Internet architecture, Information-Centric Networking (ICN) emphasizes content by making it directly addressable and routable. Named Data Networking (NDN) architecture is an instance of ICN that is being developed as a candidate next-generation Internet architecture. By opportunistically caching content within the network, NDN appears to be well-suited for large-scale content distribution and for meeting the needs of increasingly mobile and bandwidth-hungry applications that dominate today’s Internet. One key feature of NDN is the requirement for each content object to be digitally signed by its producer. Thus, NDN should be, in principle, immune to distributing fake (aka "poisoned") content. However, in practice, this poses two challenges for detecting fake content in NDN routers: (1) overhead due to signature verification and certificate chain traversal, and (2) lack of trust context, i.e., determining which public keys are trusted to verify which content. Because of these issues, NDN does not force routers to verify content signatures, which makes the architecture susceptible to content poisoning attacks. This paper explores root causes of, and some cures for, content poisoning attacks in NDN. In the process, it becomes apparent that meaningful mitigation of content poisoning is contingent upon a network-layer trust management architecture, elements of which we construct, while carefully justifying specific design choices. This work represents the initial effort towards comprehensive trust management for NDN.

Public Review By: 
Phillipa Gill

Public Review for Elements of Trust in Named-Data Networking Cesar Ghali, Gene Tsudik, & Ersin Uzun Named-Data Networking (NDN) is an instance of Content-Centric Networking (CCN). NDN proposes naming of content rather than communication endpoints, along with opportunistic caching by routers and having content signed by its corresponding content creator. However, while opportunistic in-network caching can lead to potential scalability gains, NDN routers are not required to validate content signatures leaving them vulnerable to cache poisoning. This paper provides an overview of NDN and surveys the potential for cache poisoning attacks. These attacks arise for multiple reasons beyond just computational overheads. First, NDN interests are not required to contain digest or PPKD fields which means they may be satisfied by multiple content objects including those with untrusted or unverifiable signatures. Second, there is no unified trust model in NDN, thus a router would need insights into an application’s trust model to determine validity of certificates and signatures. To resolve the cache poisoning problem, the authors propose the “Interest Key Binding’’ (IKB) rule which binds the public key of the producer with the interest expressed by the consumer. This reduces the router’s role to simply verifying the signature based on the public key registered in the interest. The authors present optimizations such as using self certifying names (SCNs) on the content and having only AS border routers perform verification. The reviewers agree that this paper presents a more in-depth and specific view of cache poisoning attacks (initially discussed by Ghodsi et al. in ICN 2011). It also raises interesting questions for future work on using SCNs to help alleviate the cache poisoning problem. Namely, there are open questions about how to deal with applications which may use multiple keys for their content, and further investigation of techniques to reduce the overhead of verification (e.g., probabilistic verification).