EAGER: NDN+SCION: Toward a Global Name-Based Network Service

Grants and Contracts Details

Description

This project aims to combine two existing protocols, NDN and SCION, to create a scalable, secure, name-based network service.

The Named-data Networking (NDN) protocol delivers data objects requested by name. It emphasizes security - in particular, origin authenticity of delivered data - unlike the legacy web, which authenticates the endpoint (server) rather than the data itself. NDN has been successful within restricted domains, but scaling it to a global service remains an open challenge, both because the namespace for data objects is many orders of magnitude larger than the legacy Internet address space, and because application names are not necessarily tied to locations, so that the same named data object might be retrieved from any number of locations in the network.

SCION (Scalability, Control, and Isolation on Next-generation networks), on the other hand, is an inter-domain routing and forwarding (IDR) system designed to carry packets between autonomous systems (ASes) and overcome the shortcomings of the current legacy IDR system. Its main goal is to be a highly available and efficient inter-domain data delivery system even in the presence of denial-of-service or other attacks. In particular, SCION is designed to avoid some security flaws in current inter-AS routing, and to account for different trust regimes among network service providers. SCION does not deal with intra-AS routing and forwarding, nor does it provide end-to-end payload encryption.

This project is motivated by the clear synergy between these two protocol systems. Each provides a function the other lacks: SCION provides inter-domain, and NDN intra-domain, routing and forwarding. Both emphasize security (in different parts of the system); both support multipath forwarding; and both allow for variety in their underlying trust structures (unlike the current Internet, which requires that all participants rely on the same DNS root and the IANA RPKI for security).

Among the main research questions to be answered are the following:

  • How to limit the amount of information that is relayed between ASes. In the current Internet, between 1 and 2 million IP prefixes are propagated in the BGP system; the design of NDN+SCION must limit the number of distinct data items propagated in the global IDR system to this range.
  • Where and how do the NDN and SCION trust structures intersect? It is not feasible for the IDR system to know about every application's trust structure, yet the IDR system must have some way to verify that a node that claims to be a source of data under a specific prefix can actually produce data that will be considered valid by recipients.
  • Since NDN and SCION use different wire protocols, where and how should the transition between protocols occur? At the end host? At the border router? Somewhere in between?

The project is appropriate for EAGER funding because initial exploration is needed to determine the ultimate feasibility of a larger project. Deliverables will include an initial NDN+SCION design and a test deployment on the FABRIC testbed. As a "by-product" of this project, access to testbeds in Europe (GEANT, etc.) via SCION will be available to researchers using FABRIC.

Status: Active
Effective start/end date: 5/1/25 to 4/30/27

Funding

  • National Science Foundation: $288,979.00
