CS 598 MCC – Advanced Internetworks

Future Internet ArchitectureLocator-/Identifier-Split

Quirin Scheitlescheitl2@illinois.edu

Significant?

• “The so-called identifier/locator split is recognized by the Internet Engineering Task Force (IETF) community as a next big change in the Internet architecture.” [Cisco Internet Protocol Journal, Volume 12, Nr 1]

Outline

• Motivation: Shortcomings of the present Internet

• How the idea of a Loc/Id-Split can solve most of these

• Detailed look at two specific approaches– LISP– HIP

Present system has lots of drawbacks

• IP address is used as Locator and as Identifier– Results in a lot of problems, concerning:• Mobility• Scalability• Security• Addressing• Multi-Homing

Locator-/Identifier-Split

• An approach followed by many researchers right now

• Common idea is to use IP addresses as Locators and introduce a new concept of Identifiers.

• User actually connects to Identifier• Identifier typically carried in packet between

IP and Transport layer.

Don’t get mixed up!

• The general research area on Locator-Identifier-Splits can be meant by the acronym LISP

• LISP is also a name of a specific LISP-approach• I try to call the idea itself “Loc/Id-Split”– Enough people angry at Cisco for interfering in

their google results for LISP programming language ;)

The concept of LocID-Split

Host A Host B

IP B1

IP B2ID 00:00:0B

Host A connects to User/Host/Service/Content 00:00:0B

Host A Host B

IP B1

IP B2ID 00:00:0B

LOOKUPuser@provider.com?www.illinois.edustream://Class-stream.illinois.educontent#f7839fd789

Host A connects to User/Host/Service/Content 00:00:0B

Host A Host B

IP B1

IP B2ID 00:00:0B

ANSWER00:00:0b

Host A connects to User/Host/Service/Content 00:00:0B

Host A Host B

IP B1

IP B2ID 00:00:0B

ANSWER00:00:0b

Looks like DNS?No, ID is actually used to

establish connection

Host A connects to User/Host/Service/Content 00:00:0B

Host A Host B

IP B1

IP B2ID 00:00:0B

Opens connection to ID

00:00:0b

So, how to send a packet to this “ID” 00:00:0B ?

Host A Host B

IP B1

IP B2ID 00:00:0B

Opens connection to ID

00:00:0b

Mapping/Lookup of Locator – Different

approaches

This is where approaches differHost-based / Network-based / Mixture

Host A Host B

IP B1

IP B2ID 00:00:0B

Packet typically looks like this:TCP/UDPIdentifier

IP

So, this looks complicated and like a lot of change?

• Change might be not that big (compare HIP implementations)

• Gains a lot of advantages!

Mobility

• Your ID does not actually change if you connect somewhere else– Right now it does most of the times, so your

connections tear down– LocID-Split enables you to keep your connections

alive while you’re moving and changing IPs (since they are bound to your ID!)

Multi-Homing, Failover, Traffic Engineering

Host A Host B

IP B1

IP B2ID 00:00:0B

50%

50%

Multi-Homing, Failover, Traffic Engineering

Host A Host B

IP B1

IP B2ID 00:00:0B

[http://www.faqs.org/photo-dict/phrase/4243/toy-digger.html]

Multi-Homing, Failover, Traffic Engineering

Host A Host B

IP B1

IP B2ID 00:00:0B

Hey guys, please send packets to <ID> from

now on to IP B2 ! Connections can stay

alive!

Security

• IDs can be authenticated– Able to provide true end-to-end security and identity– Network-Authentication approaches (HiiMAP) vs.

Host-Authentication approaches (LISP) vs. Mixed (HiiMap)

– Approaches reach from signing/encrypting each message to just validating userid on bootstrap

– New approaches like using public keys as IDs or depositing them in the Mapping system

Specific approaches

• These were some of the advantages that can be gained, let’s have a look at specific approaches

So, what are these various concepts?

• LISP – Cisco, IETF• HIP – IETF– LISP and HIP rather evolutionary and for practical

use

“LISP”

• Farinacci et al., first ideas in 2006• Developed by Cisco, aiming to provide a fix to

the routing table growth in a short time, with as little change as possible. [Hanka et al]

• Network-only approach, aiming for quick deployment

PI/PA Space• Organizations want IP addresses to be statical Identifiers

of their services– Want to keep their neat /30 prefix over multiple ISP changes

• ISPs want IP addresses to be a coherent block that gets traffic into their network– Want to allocate all their customers in a /8 prefix– Solves routing table growth problem

• Dual aims come from dual use of IP as Locator and Identifier!– Organizations want to be identified, ISPs want to make sure

their IP ranges are routed to them

Concept

• “LISP follows a network-based map-and-encapsulate scheme, this means no changes to hosts are needed, everything happens in the network. Also, in LISP, both identifiers and locators can be IP addresses or arbitrary elements like a set of GPS coordinates or a Mac address.” [lisp4.net]

LISP Overview Slide 25

Why LISP was developed?• LISP originally conceived to

address Internet Scaling– What causes scaling issues?

• IP addresses denote both location and identity today

• Overloaded IP address semantic makes efficient routing impossible

• IPv6 does not fix this– Why are scaling issues bad?

• Routers require gobs of expensive memory to hold the Internet Routing Table

• It’s expensive for network builders• Replacing equipments for the wrong

reason – to hold routing table rather than implementing new features

• It’s not GREEN…

“… routing scalability is the most important problem facing the Internet today and must be solved … ”

Internet Architecture Board (IAB)October 2006 Workshop (written as RFC 4984)

Reasons for growth

• Everyone wants PI space• Multihoming• Traffic Engineering

So, what do we gain?

• Forwarding plane of routers can be very small and efficient as there is no incentive for anyone to have PI space anymore

• Lookup namespace will be more complex, but is not in forwarding path

LISP 1.x uses routable EIDs, LISP 2/3 do not. LISP 1.5 better incrementally deployable!

So, this ID Locator Lookup?• Remember: LISP wants as few changes to the current architecture as possible• Sounds like the weak point in these terms? (Scalability, Flexibility) • “In particular, although the base LISP specification defines the format of

messages to query the mapping system and to receive responses from that system, it makes no assumptions on the architecture of potential mapping systems. As a result, several mapping systems have been proposed[0,1,4,5,6,10].”– Include DHTs [draft-hu-lisp-dht-00]– “Several such databases have been proposed, among them: LISP-CONS [CONS], LISP-

NERD, [NERD] and LISP+ ALT [ALT]. “ [draft-ietf-lisp-ms-06]– LISP-ALT seems to be most popular right now

• Builds overlay network with GRE tunnels and BGP announcements• Basically, provides a network architecture to route IDs to the correct ETR

– Could not find proper discussion why this is any better than recent infrastructure? FIXME– (ID space not flat, still hierarchical, still prefixes announced via BGP?)

Aggreation!

Two similar problems out there

• DNS: Rate is very small, state possibly infinite• BGP: Rate is significant, but state is smaller– Think about which goals these databases follow• DNS provides ID-to-IP Mapping

– Not in forward path, speed less critical Full Pull• BGP provides IP-to-Locator Mapping

– Forward path, speed crucial Full Push

• ID-to-Locator Mapping somewhere in between, but where?

Available Schemes

• NERD, ALT, EMACS, CONS, DHTs…• Amount of research in this field shows that

this is one of the very big topics in Locator/Identifier-Split!

Problems with NERD?

• Remember LISP aims for O(10^10) hosts

[LISP Tutorial IETF Vancouver Dec 2007]

LISP-ALT: “Alternative Topology”

• The most popular approach, used within the global test network

• Uses a network of routers running BGP over GRE tunnels to build this “alternate topology”

• ETRs announce their EID prefixes• Massive use of aggregation to achieve small

routing tables

LISP-Alt: Details

• Still, ETRs are responsible for the EID-to-Locator mapping

• ALT topology provides only knowledge which router owns which EID prefix

• ITRs send map requests into ALT, ALT forwards this to the correct router

• Router sends answer straight back to ITR– Data probes

Why is ALT used?

• Remember, LISP aims for fast implementation with reducing the routing table size– Uses BGP and GRE technology widely in use– Decentral– Very good for incremental deployment

• Though, in my opinion, not an option for global scale deployment

LISP-DHT

• Follows main assumption: “A domain must be able to control the server that provides the authoritative mappings for the identifiers allocated to its hosts.” [LISP-DHT]

• Adapted Chord to meet this criteria

LISP-DHT using Chord

• EID is directly used as Chord-ID– Redundancy?• Usually handled by duplicating entries to neighbours,

though not acceptable here• Extended Chord to handle several entities behind one

ID, identified by <EID, RLOC> tuple

LISP-DHT using Chord

• DHTs usually require a node to join, build adjacencies etc. before they can do a lookup. Obviously, not every node can join DHT and carry load.– Concept of “stealth nodes”, which only look up but

do not announce themselves– Neat integration of security, by letting only

authenticated nodes actually join the DHT– Security concept based on certificates proposed

LISP-DHT Summary

• Full Pull approach, yet very fast by using DHTs• Fully automatic, not error prone• Highly scalable• Authority and full control of entries within

administrative boundaries of EID prefix owner

Evaluation• [Evaluating the Benefits of the Locator/Identifier Separation, Bruno Quoitin, Luigi Iannone,

Cédric de Launois, Olivier Bonaventure, ACM MobiArch 07]

• FIBs reduced to a few thousand entries• Path redundancy at least doubled• “BGP paths cannot be more than 2 since the simulated dual-homed stubs

only receive one BGP route for each destination prefix from each provider.”

LISP advantages• Improved routing scalability• BGP-free multihoming in active-active configuration• Address family traversal: IPv4 over IPv4, IPv4 over IPv6,

IPv6 over IPv6, IPv6 over IPv4• Inbound traffic engineering• Mobility• Simple deployability• No host changes are needed[http://en.wikipedia.org/wiki/Locator/Identifier_Separation_Protocol]

What else can LISP be used for?

• Scaling Internet core routing tables• Low-OpEx active-active multi-homing for Enterprises• Low-OpEx active-active multi-homing for ISPs• Provider independence (avoids site renumbering)• Data Center mobility of Virtual Machines (VMs)• Data Center Server Load Balancing (SLBs) enhancement• A/V Truck Roll (Broadcasting industry)• L2 or L3 VPNs with or without parallelism• Slow hand-set mobility in localized regions• Better residential multi-homing• IPv6-only site connectivity over existing (IPv4) Internet• Movement/reallocation of Cloud Computing Resources

Slide from Cisco’s “LISP Overview’

Global LISP Testbed

• total of 106 boxes, 18 countries• Operated by google, facebook, msn, cisco,

deutsche bank, level3, microsoft, T-Labs• [lisp4.net]

Short Wrap-up of LISP

• Network-based, no changes to hosts whatsoever

• Quick, increased deployment• Fix for routing table growth, multi homing,

traffic engineering• Available in Cisco IOS, open source solutions,

global testbed available• IETF, Cisco, UPC

HIP

• Developed at IETF since 1999, first stable version in 2007

• Inserts cryptographic namespace between Transport and Network Layer

• No changes needed in applications or routers (changes reside in network stack of host)

• Provides much more features than LISP• Aims for security, mobility, multi-homing

Achievements

• Mobility• Multi-Homing• Security• NAT / IPv4 / IPv6 traversals

Identifiers

• Are called Host Identifiers (HI) and are hashes of public keys– Host owns public/private key pair– Provide immediate, straightforward ways for

authentication, integrity and confidentiality– Look like IPv6 addresses, beginning with

2001:0010::/28 (routing “Orchid”) and completed with a 100 bit public key hash

More on Identifiers

• IPv4 offers only a 32-bit namespace– Here so called “Local Scope Identifiers (LSI)” are

used, as 32 bits do not provide a big enough namespace to anticipate collisions on a global scale. Implemented for compatibility.

HIP Mapping

• Current system proposes the usage of DNS• Not as a system to look up the Locators for a

HIT, but to provide a <HIT, Locator> tuple as answer to usual requests

• Full pull, easy to implement, generally slow to update

HIP Basic Exchange

• 4-way-handshake• In regular mode, HIT of responder is known, in

“Opportunistic mode” only IP of responder is known prone to MITM attacks

67

Protocol overviewInitiator Responder

I1: HITI, HITR or NULL

R1: HITI, {HITR, puzzle, DHR, HIR}sig

I2: {HITI, HITR, solution, DHI, HII}sig

R2: {HITI, HITR, authenticator}sig

User data messages

Control

Data

Varied hardness, can be based on ressource availabilty, level of trust, or other factors

Nothing specific to Initiator in here, so

precalculation of these messages possible

More about HIP puzzles

• Nota bene: With recent infrastructure, they protect ONLY against CPU/Memory exhaustion (attacker can still flood)

• Idea: Responder sends chunk of data (puzzle) to Initiator, plus parameter k

• Initiator has to find value J, so that the k LSB of Hash(puzzle || J) are zero. Sends J back.

• Responder quickly checks if J satisfies demands

Even more HIP puzzles

• RFC is not actually specifying a technique• Turns out hard to actually avoid keeping any

state and still be stable against attacks• Provides idea: Create a table of pre-calculated

puzzles, use HITI and RLOCI values to calculate index of this table

Details about HIP puzzles

• Several approaches for the puzzle proposed

Image from “Cost-based and Time-based Analysis of DoS-resistance in HIP”

Good reading for this topic: “Analysis of the HIP Base Exchange Protocol”Tuomas Aura1, Aarthi Nagarajan2, and Andrei Gurtov3, ACISP 2005

Effectiveness of HIP Puzzles

Image from “Cost-based and Time-based Analysis of DoS-resistance in HIP”

HIP Mobility

• Mapping system can carry several Locators• Active emission of “Readdress” packets• What about– Mobile nodes that move too fast for DNS?– If both nodes move at the same time?

HIP Rendezvous Mechanism

• RFC 5204-bis, recently expired• HIP node can register withy any “RVS” server,

and note this in the HIT’s DNS entry• Basically just relays the connection setup

packets to the nodes’ recent locators

Source: rfc5204-bis-00

HIP Mobility and Security

• Mobility updates possibly a security weakness if sending too much data to a new Locator before receiving an adequate amount of data back

Threat Scenario

YouTube

DDoS Attackers

DDoS Victim

Request big video or other ressource

Threat Scenario

YouTube

DDoS Attackers

DDoS Victim

Hey, we are all relocated!

Threat Scenario

YouTube etc.

DDoS Attackers

DDoS Victim

Hey, we are all relocated!

HIP Mobility and Security

• Use a credit algorithm for not fully trusted hosts asking for relocation

HIP Transport Security

• HIP proposes to use IPSEC’s ESP in transport mode

• Provides encryption for all layers above IP

HIP Privacy

• HITs do not have to be registered anywhere and/or kept constant over a long time

• Still, observation and correlation might reveal a lot

• “BLIND” approach uses hashes of <HIT, Random Number> to hide ID

• Other approaches use proxy servers to hide locators

Hi3

• Motivation: Puzzles only protect against CPU/Memory exhaustion attacks. Possible to protect against DDoS flood attacks?

• HIP using the “Internet Indirection Infrastructure” (i3)• i3 forms the control plane. Using i3, the four-way-handshake is

completed safely• IPSEC-aware middle boxes (“SPINATs”) are placed into the data

plane• Responder tells

– Initiator a SPINATs IP to use– SPINATs to open connections for properly authenticated source IPs

• Also provides mobility through Rendezvous service in i3

Control Plane

Data Plane

Acceptance of HIP

• Productively used at one Boeing factory• Three open source implementations– OpenHIP, HIP4BSD, HIPL

• Active, growing user community

Sources

• There is a bunch of different people working on HIP, so sometimes it is hard to tell whether a paper talks about “the real HIP”

• What is the real HIP? Wikipedia says “HIP was specified in the IETF HIP working group. An Internet Research Task Force (IRTF) HIP research group looks at the broader impacts of HIP“

• So, the RFC listed as “active” on the WG’s website are “binding”

So …

• Is LISP or HIP a better approach? What does the audience think?

• Actually, they are rather complementary than competing, as each of them is aiming for a different thing

• Yet, once one of them is wide-scale implemented it might just succeed (interim solutions hold the longest!)

Summary

• HIP: Public keys as IDs, broad support, host-only approach

• LISP: “Delegated” EIDs, broad support, network-only approach

Backup Slides

Two approaches of LISP

• Map-and-Encap– Host sends packet to IPv4-Adress (which is an ID)– egress Router looks up Locator for this ID (map)– egress Router inserts a new IP layer into the

packet containing the locators. Thereby encapsulates other IP header (which is ID)

• Address Rewriting

Map-and-Encap

The Locator Identifier Separation Protocol (LISP)by David Meyer, Cisco Systems

Two approaches of LISP

• Address Rewriting– Use top bits of IPv6 address as Locator, lower bits

as identifier– egress router maps (looks up Locator for ID) and

rewrites the top bits• However, probably due to the lack of IPv6

deployment, IPv4 compatible map-and-encap is used

Dino, Dave, Jason, VinceLISP (RID-based) 10/2006 - 102

How LISP Works

Internet

Provider A10.0.0.0/8

Provider B11.0.0.0/8

S’s ID is 1.1.1.1

R’s ID is 10.0.1.1

C D

R

S

A B1.1.1.10 1.1.1.11

On host subnet 10.0.1.0/24: C is 10.0.1.12 (PA from Provider A) D is 10.0.1.13 (PA from Provider A)On Loopback interfaces: C is 11.1.1.12 (PA from Provider B) D is 11.1.1.13 (PA from Provider B)

1) S wants to talk to R, S gets R’s ID from DNS2) S sends packet to R with SA=1.1.1.1, DA=10.0.1.13) S’s default router is router A, A does route lookup for 10.0.1.1, matches on default route,indicator to tunnel encapsulate4) A builds outer IP header with SA=1.1.1.10, DA=10.0.1.1, IP-prot=“LISP-control”5) When packets flow to C, IP-prot is “LISP-control” means to send an ICMP ID-mapping packet to SA (1.1.1.10), the ICMP packet contains Locators 10.0.1.12 & 11.1.1.126) A caches ID-mapping of 10.0.1.1->{10.0.1.12, 11.1.1.12}7) Subseqent packets from S, A will set outer DA to 10.0.1.12 (the Locator for R), IP-prot=“LISP-data”8) Packets are addressed to C, which decapsulates tunnel packet and delivers to R.9) If connectivity to 10.0.1.12 changes, due to Provider A path is down or R moves, A gets back a ICMP-host-unreachble (from any router on the path) for address 10.0.1.12. Subsequent packets from S get enapsulated by A to address 11.1.1.12.10) Periodically A can send IP-prot=“LISP-control” packets to the unreachable locator address and when the SA is that Locator address in the returning ICMP ID-mapping message, A can conclude the Locator is reachable again11) C could glean ID->Locator mapping when decapsulating and avoid the signalling step back.12) A could encapsulate packets for S with alternating SA Locator address so when C gleans, it can get all Locator addresses for S’s ID.

10.0.1.0/24

11.1.1.12 11.1.1.13

10.0.1.1210.0.1.1

1.1.1.11.0.0.0/8

10.0.1.13