- Simone Schilke (for administrative matters)
Dagstuhl Seminar Wiki
- Dagstuhl Seminar Wiki (Use personal credentials as created in DOOR to log in)
- Dagstuhl Materials Page (Use personal credentials as created in DOOR to log in)
In recent years, Information-centric Networking (ICN) has received a lot attention from both academic and industrial sectors. ICN offers a means of inter-networking that is radically different from today's IP-based Internet which is host- or address-centric. Security and privacy issues in ICN have become increasingly important, as ICN technology gradually matures and nears real-world deployment. As is well known, in today's Internet, security and privacy features were originally not present and had to be incrementally and individually retrofitted (with varying success) over the last 35 years. In contrast, since ICN-based architectures (e.g., NDN, CCNx, etc.) are still evolving, it is both timely and important to explore ICN security and privacy issues as well as devise and assess possible mitigation techniques. Therefore, the general purpose of this Dagstuhl seminar is to discuss and explore potential ICN security features, attacks, privacy leaks, and potential means of mitigating vulnerabilities. Candidate topics for this seminar include, but are not limited to:
- The most prominent ICN characteristic is the decoupling of information (aka data or content) from its source and allowing the former to be cached in the network. The main consequent benefits are reduced traffic load and better scalability, due to popular content being served from router caches, rather than from its source. However, indiscriminate serving of content immediately prompts the challenge of access control: how to (efficiently) make cached data accessible only to authorized users? A closely related issue is: how to securely account for content served by the network? Furthermore, how to effectively flush cached content from the network? Cached content also opens the door for powerful attacks, such as Interest Flooding and Content Poisoning. While the latter might be addressable at the expense of in-network security processing, the former remains elusive.
- From the privacy perspective, in-network caching is beneficial as it reduces observability of traffic near content sources. However, it is also detrimental to privacy since edge-router caching leaks information about nearby demand for certain content. Also, in contrast to "opaque" numeric IP addresses, ICN content requests and returned content carry meaningful names (e.g., human-readable strings in NDN) and this seeming convenience results in a loss of privacy since it becomes easy to censor communication. This triggers the need for mitigation strategies, e.g., VPN-like tunnels, network-layer anonymous communication, etc.
- Another key challenge is trust management in ICN. Since the network's currency is content, rather than IP packets, what is the role of the network layer in controlling (e.g., authenticating and/or authorizing) requests for, and returned, content? In the same vein, how do applications (that can vary greatly in terms of trust architectures and semantics) manage trust and propagate it to the network? Furthermore, given that today's DNS appears to be no longer needed in ICN, is there a role for a global DNS-like service for the purposes of trust management?
This seminar aims to gather researchers with ICN interests from both networking and security/privacy research communities. While the primary focus is on security/privacy in the ICN context, the outcomes will offer broader benefits, since in-depth exploration of ICN security and privacy concepts might benefit the current Internet, even before ICN technology is eventually deployed, e.g. how object encryption can provide an alternative to end-to-end encryption in today’s Internet.
Dagstuhl seminar 16251 "Information-centric Networking and Security" was a short workshop held June 19--21, 2016. The goal was to bring together researchers with different areas of expertise relevant to ICN to discuss security and privacy issues particular to ICN-based architectures. These problems have become increasingly important as ICN technology gradually matures and nears real-world deployment. Threat models are distinct from IP. Differentiating factors between the two include new application design patterns, trust models and management, as well as a strong emphasis on object-based, instead of channel-based, security. Therefore, it is both timely and important to explore ICN security and privacy issues as well as devise and assess possible mitigation techniques. This was the general purpose of the Dagstuhl seminar. To that end, the attendees focused on the following issues:
- What are the relevant threat models with which ICN must be concerned? How are they different from those in IP-based networks?
- To what extent is trust management a solved problem in ICN? Have we adequately identified the core elements of a trust model, e.g., with NDN trust schemas?
- How practical and realistic is object-based security when framed in the context of accepted privacy measures used in IP-based networks?
- Are there new types of cryptographic schemes or primitives ICN architectures should be using or following that will enable (a) more efficient or secure packet processing or (b) an improved security architecture?
The seminar answered (entirely or partially) some of these questions and fueled discussions for others. To begin, all participants briefly introduced themselves. This was followed by several talks on various topics, ranging from trust management and identity to privacy and anonymity. Subsequently, the attendees split into working groups to focus more intensely on specific topics. Working group topics included routing on encrypted names, ICN and IoT, non-privacy-centric aspects of ICN security, as well as trust and identity in ICN. Once the working group sessions were over, a representative from each presented outcomes to all attendees. (These are documented in the remainder of this report.) The major takeaways from the seminar were as follows.
First, the ICN community still does not have a clear answer for how to handle namespace and identity management. While trust management in ICN can be distributed and function without a global PKI, it seems difficult to break away from this model for namespace management and arbitration. This has strong implications on how names are propagated in the routing fabric. Can any producer application advertise any name, anywhere in the network? If not, how can name prefix advertisements be constrained or limited?
Second, given that ICN focuses on object security, the need for and use of transport protocols that provide forward secrecy should be deferred to higher layers. Attendees found that while most ICN-based architectures do not preclude forward secrecy, it should not be a requirement at the network layer.
Third, there is still deep uncertainty about whether ICN should embrace a content locator and identifier split. Names in architectures such as NDN and CCN serve as both a locator and identifier of data, though there are extensions that permit explicit locators (e.g., through the use of NDN LINK objects). This distinction is necessary under the common understanding that routing should concern itself with topological names. Finding data through non-topological names should not be in the data plane as part of the global routing space. However, if we revert to a distinction between topological locators and identifiers, then features unique to ICN become much more limited. One facet that is certainly unique to ICN is how software is written. Specifically, we have the opportunity to move beyond the mental model of a fixed address space and re-design existing network stacks and APIs.
Fourth, privacy seems difficult to achieve without major architectural changes to ICN-based systems. In particular, since data names reveal a great deal of information to the passive eavesdropper, privacy demands that names and payloads have no correlation. However, achieving this seems infeasible without the presence of an upper-layer service akin to one that would resolve non-topological identifiers to topological names.
Lastly, there are no compelling reasons to apply esoteric (and often untested) cryptographic techniques in ICN, at least at the network layer. Computationally bounded and "boring" cryptographic primitives, such as digital signatures, hash functions, etc., should be the extent of per-packet cryptographic processing done by routers. Anything more would become fodder for Denial-of-Service attacks that could render the entire infrastructure ineffective. However, architecture designs should not restrict themselves to specific algorithms. In other words, there must be flexibility in accommodating multiple (and evolving) cryptographic primitives. This could be useful if, for example, post-quantum digital signature schemes become necessary for the longevity of content authenticators.
We thank Schloss Dagstuhl for providing a stimulating setting for this seminar. Much progress was made over the course of the seminar and since its completion. This is mainly because of the ease of face-to-face collaboration and interaction at Dagstuhl.
- Bengt Ahlgren (Swedish Institute of Computer Science - Kista, SE) [dblp]
- Tohru Asami (University of Tokyo, JP) [dblp]
- Roland Bless (KIT - Karlsruher Institut für Technologie, DE) [dblp]
- Randy Bush (Internet Initiative Japan Inc. - Tokyo, JP) [dblp]
- Kenneth L. Calvert (University of Kentucky - Lexington, US) [dblp]
- Antonio Carzaniga (University of Lugano, CH) [dblp]
- Mauro Conti (University of Padova, IT) [dblp]
- Lars Eggert (NetApp Deutschland GmbH - Kirchheim, DE) [dblp]
- Darleen L. Fisher (NSF - Arlington, US) [dblp]
- Ashish Gehani (SRI - Menlo Park, US) [dblp]
- Jussi Kangasharju (University of Helsinki, FI) [dblp]
- Ghassan Karame (NEC Laboratories Europe - Heidelberg, DE) [dblp]
- Dirk Kutscher (NEC Laboratories Europe - Heidelberg, DE) [dblp]
- John Mattsson (Ericsson Research - Stockholm, SE) [dblp]
- Marc Mosko (Xerox PARC - Palo Alto, US) [dblp]
- Edith Ngai (Uppsala University, SE) [dblp]
- Börje Ohlman (Ericsson Research - Stockholm, SE) [dblp]
- Jörg Ott (TU München, DE) [dblp]
- Craig Partridge (BBN Technologies - Cambridge, US) [dblp]
- Fabio Pianese (Bell Labs - Nozay, FR) [dblp]
- Sanjiva Prasad (Indian Inst. of Technology - Dehli, IN) [dblp]
- Thomas C. Schmidt (HAW - Hamburg, DE) [dblp]
- Sebastian Schönberg (Intel - Santa Clara, US) [dblp]
- Christoph Schuba (Ericsson - San Jose, US) [dblp]
- Glenn Scott (Xerox PARC - Palo Alto, US) [dblp]
- Jan Seedorf (NEC Laboratories Europe - Heidelberg, DE & Hochschule für Technik - Stuttgart, DE) [dblp]
- Tim Strayer (BBN Technologies - Cambridge, US) [dblp]
- Christian Tschudin (Universität Basel, CH) [dblp]
- Gene Tsudik (University of California - Irvine, US) [dblp]
- Ersin Uzun (Xerox PARC - Palo Alto, US) [dblp]
- Matthias Wählisch (FU Berlin, DE) [dblp]
- Cedric Westphal (Huawei Technologies - Santa Clara, US) [dblp]
- Christopher A. Wood (University of California - Irvine, US) [dblp]
- Dagstuhl Seminar 10492: Information-Centric Networking (2010-12-05 - 2010-12-08) (Details)
- Dagstuhl Seminar 12361: Information-centric networking -- Ready for the real world? (2012-09-02 - 2012-09-05) (Details)
- Dagstuhl Seminar 14291: Information-Centric Networking 3 (2014-07-13 - 2014-07-16) (Details)
- security / cryptology
- world wide web / internet
- Information-centric Networking
- network architecture
- network security
- Internet legal and ethical issues