
Chapter 4 Proactive defense against Interest Flooding Attacks

scenario illustrated by the plots in Fig. 4.7), then the mitigation is applied to a prefix name that no longer carries malicious traffic. Among the attacks proposed in [111], the cIFA is the one that degrades the performance of the tested reactive countermeasures the most. Conversely, Charon is also immune to this IFA variant, since its forwarding decisions are not driven by any detection threshold. Therefore, Charon keeps average ISR and PUR values close to the baseline even during the attack.

In summary, the attack variants proposed in [111] revealed the inefficacy of existing defense mechanisms in neutralizing a certain type of stealthy IFA. Charon, instead, neutralizes those attacks as soon as they enter the network, so it preserves the quality of service perceived by legitimate clients and offloads the rest of the network infrastructure from dealing with loads of unsatisfiable requests.

4.4 Charon: size of the summary, optimizations and future work

This section introduces some design aspects of Charon which deserve immediate attention, both to assess the feasibility of the proposed approach and to identify specific improvements as subjects of future work.

First, it is important to estimate the size of a BF-based content summary, since it could be queried by routers at link speed for every Interest packet. For that purpose, a BF-based content summary must be stored on a memory technology fast enough to sustain the necessary network throughput (the reader should remember that Charon is supposed to be deployed at the edge of the network, whose throughput requirements can be read in [84]). The size m of a BF-based content summary may be tuned according to the desired false positive probability p and the number of hash functions k, where the number of elements n in the set is known. Considering a content list of one million elements (this is not uncommon: for example, the Wikipedia page titles content list used for the evaluations presented in Sec. 3.2.3 of Chapter 3 and in Sec. 4.3.3 of this chapter holds almost 13 million different content identifiers), a false positive probability of 0.01 and between 2 and 5 hash functions would require a Bloom filter of a few MB [136]. A filter of that size could easily be stored on today's SRAM technology (whose current maximum capacity is 210 MB [137]). Hence, multiple filters could be stored simultaneously in fast on-chip memory.
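The sizing argument above can be checked numerically, and the per-Interest lookup it is sized for can be exercised on a constructed content list. The following is an added example, not code from the thesis or from Charon: the Bloom filter layout (one bit array, k indices derived by double hashing from SHA-256) and the content names are assumptions chosen for illustration; the size formula is the standard one for a Bloom filter with k hash functions.

```python
import hashlib
import math


def bloom_size_bits(n, p, k):
    """Bits m such that a Bloom filter with k hash functions holding n
    elements has false positive probability p, from p = (1 - e^{-kn/m})^k."""
    return math.ceil(-k * n / math.log(1.0 - p ** (1.0 / k)))


def optimal_k(m, n):
    """Number of hash functions that minimizes p for a given m and n."""
    return max(1, round(m / n * math.log(2)))


class ContentSummary:
    """Minimal BF-based content summary (assumed layout, not Charon's own)."""

    def __init__(self, m, k):
        self.m, self.k = m, k
        self.bits = bytearray((m + 7) // 8)

    def _positions(self, name):
        # Double hashing: k bit positions from two 64-bit halves of one digest.
        d = hashlib.sha256(name.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, name):
        for pos in self._positions(name):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, name):
        # The per-Interest check: every bit set means "possibly published";
        # a published name is never rejected (no false negatives).
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(name))


def build_summary(names, p=0.01, k=4):
    summary = ContentSummary(bloom_size_bits(len(names), p, k), k)
    for name in names:
        summary.add(name)
    return summary


def false_positive_rate(summary, probe_names):
    """Fraction of names absent from the content list that the summary accepts."""
    return sum(1 for name in probe_names if name in summary) / len(probe_names)


if __name__ == "__main__":
    for k in range(2, 6):  # sizes for n = 1e6, p = 0.01 as in the text
        print(k, round(bloom_size_bits(10**6, 0.01, k) / 8 / 1e6, 2), "MB")
    published = [f"/wiki/Article_{i}" for i in range(10_000)]  # constructed names
    s = build_summary(published)
    print("false positives:", false_positive_rate(s, [f"/wiki/Unpublished_{i}" for i in range(10_000)]))
```

For n = 10^6 and p = 0.01 the sizes range from about 2.4 MB (k = 2) down to about 1.2 MB (k = 5), matching the "few MB" estimate.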

Second, even though large BF-based content summaries can be stored in fast main memory and meet the packet processing speed requirements, the architectural framework of Charon in Fig. 4.3 envisions the content summaries being fetched by routers and potentially cached in the network as Data packets. Concerning the implementation of these system features, it is also important to understand whether Bloom filter compression techniques [138] could be used to shrink the size of a summary and ease its transmission over, and caching in, the network.

Third, even if a pure Charon design turned out to be prohibitive because of the impossibility of storing all the filters in a router's main memory, content summaries could still be loaded and queried only when under attack. This would translate into a hybrid proactive/reactive design where the detection of an attack still relies on the monitoring of traffic statistics, while the mitigation loads the content summaries into main memory and queries them. Compared to the canonical reactive rate limiting applied to name prefixes and/or interfaces, the mitigation based on content summaries has the advantage of never dropping any legitimate traffic. By design, this hybrid technique is expected to respond efficaciously to a pIFA but not to the bIFA and cIFA attacks, which circumvent the classical detection metrics. However, in those latter cases the detection could simply be triggered by an unusual load on the router, since loading and querying the filter would not introduce the same overhead as the canonical monitoring techniques.

4.5 Summary

This chapter has introduced a novel approach to the defense against Interest Flooding Attacks (IFAs) in NDN. This new approach stems from the observation of certain pitfalls in the state-of-the-art countermeasures, which can be exploited by potential attackers to mount very effective IFAs, as shown in Chapter 3. The reactive nature of the existing defense mechanisms is the root cause of their inefficacy against stealthy IFAs. Thus, the defense approach proposed here departs from the usual reactive approach and proposes a proactive strategy to identify and counteract an IFA instead. Proactiveness is based only on the analysis of an Interest packet's fields to determine its malicious or benign nature. Therefore, an ideal proactive defense requires no monitoring of previous traffic to make forwarding decisions. The absence of monitoring, typically used across reactive defense mechanisms, eliminates the vulnerabilities exploited by the stealthy attacks introduced in Chapter 3.

This chapter has also designed a specific proactive defense scheme, called Charon, and shown its efficacy against the latest stealthy IFAs. Nevertheless, Charon specifically, and proactive defense in general, are only applicable under certain attack scenarios. Thus, the IFA threat persists in NDN. Therefore, the next chapter advocates the investigation of different forwarding mechanisms for NDN with the aim of preserving the main PIT properties without exposing the IFA-related security issue.

Chapter 5

Alternative "defense" mechanisms

The Interest Flooding Attack (IFA) represents a severe security threat to Named-Data Networks (NDNs). In fact, the state-of-the-art IFA countermeasures prove to be effective only against naive attackers. Yet, as thoroughly analyzed in Chapter 3, effective IFAs built upon realistic attacker models can easily be mounted to disrupt even the most robust defense mechanism. Chapter 4 has introduced the concept of proactiveness in the design space of IFA countermeasures. That theoretical framework is then leveraged to instantiate a defense mechanism of that sort to efficaciously counteract the latest proposed IFAs [111]. Proactive countermeasures eliminate serious drawbacks experienced by their reactive counterparts: they require no monitoring overhead and introduce no delayed reaction. Nevertheless, proactive defense is not the panacea for IFAs, since this class of defense mechanisms applies well only under certain conditions, namely static content names and publicly available content lists. Provisioning of dynamic contents, a very common scenario nowadays, breaks the assumptions proactive countermeasures are designed upon. Overall, the uncertainty about the efficacy of existing defense mechanisms, as well as the poor understanding of the real implications of IFAs for an operational network, raise the legitimate question of whether or not different forwarding mechanisms should be considered at this early stage of the design of the NDN architecture.

The root cause of the IFA is the per-Interest state kept by the Pending Interest Table. As a consequence, both works proposing more lightweight PIT designs [139, 140] and works questioning the PIT's existence by proposing alternative forwarding mechanisms [141, 142] have recently been emerging. Nevertheless, replacing the PIT forwarding mechanism in NDNs has several implications. In fact, the PIT guarantees several properties which may inevitably be lost with a different data-plane design. Beyond the basic Interest-Data design, the PIT enables, among others, Interest aggregation, Data multicast delivery, sender anonymity and adaptive forwarding behaviors. Further, the PIT has been leveraged to detect network problems [47] and has influenced the design of routing protocols for the NDN architecture [60]. The PIT has also been used for the design of hop-by-hop Interest shapers to achieve congestion control [143] and for tracking producers in mobility schemes [70].

Moreover, the lack of a common, easy-to-access platform for testing and comparing alternative forwarding plane designs makes it hard to get a solid understanding of the pros and cons of the different available approaches. For the above reasons, this chapter's contribution is two-fold. First, a taxonomy of the main alternative forwarding mechanisms for CCN/NDNs is presented in Section 5.1. The presented taxonomy classifies the existing approaches with respect to a set of cardinal PIT properties identified here. Second, acknowledging that the current state of affairs does not make it easy to compare and evaluate alternative forwarding mechanisms, emerging technologies for programming the data plane have also been explored in the context of this work. Thus, Sec. 5.2 introduces the P4 language, a novel high-level programming language for packet processors, which has been used to implement a high-level description of an NDN data plane, NDN.p4, presented in Sec. 5.3.