IRTF ICNRG@IETF-119
The Information-Centric Networking Research Group (ICNRG) of the Internet Research Task Force (IRTF) met at IETF-119 in Brisbane. Here is my quick summary of the meeting:
Agenda:
| 1 | ICNRG Chairs’ Presentation: Status, Updates | Chairs |
| 2 | Secure Web Objects and Transactions | Dirk Kutscher |
| 3 | Transaction Manifests | Marc Mosko |
| 4 | Vanadium: Secure, Distributed Applications | Marc Mosko |
| 5 | Global vs. Scoped Namespaces | Marc Mosko |
Meeting material:
ICNRG Status
ICNRG recently published four news RFCs – great achievement by all involved authors and the whole group!
- RFC 9510: Alternative Delta Time Encoding for Content-Centric Networking (CCNx) Using Compact Floating-Point Arithmetic
- RFC 9531: Path Steering in Content-Centric Networking (CCNx) and Named Data Networking (NDN)
- RFC 9508: Information-Centric Networking (ICN) Ping Protocol Specification
- RFC 9507: Information-Centric Networking (ICN) Traceroute Protocol Specification
See my blog posting for a more detailed description.
Secure Web Objects and Transactions
One focus of this meeting was transactions in ICN, i.e., interactions with the intention to achieve some durable state change at a remote peer – which imposes some challenges in a system that is designed around accessing named data.
In my presentation I talked about different ways to realize transactions in ICN:
- ICN as a network layer
- Client-server communication between two nodes
- Implement transaction semantics on top of an ICN messaging service
- Recording state changes in shared data structures
- Shared namespace, potentially functioning as a transaction ledger
- Still need to think about atomicity etc
For 1) transactions as messaging over ICN networks, the following considerations apply:
- Client-server communication between two nodes
- Implement transaction semantics on top of an ICN messaging service
- Different approaches
- A: Traditional layering: Using NDN-like systems as a messaging layer
- Assign prefixes to client & servers
- Send messages back and forth, and implement reliability and transactions semantics on top
- B: ICN-native communication: Use Interest-Data as request-response abstraction for transactions
- Mapping transaction communication and state evolution more directly to ICN, e.g., Interest-Data in NDN
- Collapsing traditional network, transport, application layer functions
I mainly talked about variant 1B, ICN-native communication: Use InterestData as request-response abstraction for transactions and introduced the idea of "Secure Web Objects" (SWOs) for a data-oriened web as a motivation.
In such a system, not everything would be about accessing named data object – there is also a need for "client/server" state evolution, e.g., for online banking and similar use cases.
I introduced some ideas on RESTful ICN that we published in an earlier paper. The Restful ICN proposal leverages Reflexive Forwarding, for robust client-server communication and integrates elements of CCNx key exchange for security context setup and session resumption.
Summarizing, I wanted to initiate a discussion about how to realize transactions in information-centric systems? This discussion is not about mapping ICN to existing protocols, such as HTTP, but about actual distributed computing semantics, i.e., robust session setup and state evolution. Transactions with ICN-native communication are hard to provide with with basic Interest/Data. Reflexive Forwarding + CCNx Key Exchange + transaction semantics are an attempt to provide such a service in a mostly ICN-idiomatic way, with the downside that reflexive forwarding needs extensions to forwarders. This raises question on the minimal feature set of core ICN protocols, and to deal with extensions.
In the discussion, it was pointed out that lots of experience on distributed systems has shown that transactions or secure multi-interactions will generally require more than a single two-way exchange.
Others suggested that ICN and NDN has authentication carried out when the signed interest arrives which directly proves authentication, so that the authentication would in fact be done beforehand.
However, authentication may not be enough. For example, client authorization in client-server communication is a critical function which needs to be carefully designed in real-world networks. For example, forcing a server to do signature verification on initial request arrival has been shown in prior systems (e.g. TCP+TLS) to represent a serious computational DOS attack risk. Reflexive Forwarding in RICE tries to avoid exactly that problem, by enabling the server to iteratively authenticate and authorize clients before committing computing resources.
It was also said that whenever a protocol does authentication. you need to analyze in the context of specific examples to discuss, and that cannot only look at the problem at an abstract level.
Transaction Manifests
Marc Mosko presented another approach to transactions in ICN, called [Transaction Manifests](https://datatracker.ietf.org/meeting/119/materials/slides-119-icnrg-transaction-manifests-00 "Transaction Manifests "Transaction Manifests"). He explained that ICN can be transactional.
Typically, ICN is considered as a publish/subscribe or pre-publishing of named-data approach. Outside ICN, distributed transactions do exist, especially in DLTs. For example, considering a permissioned DLT with size N and K << N bookkeepers. In a DLT, they base their decision on the block hash history. In this talk, Marc discussed what would be an equivalent function in ICN, and introduced the notion of transaction manifests.
In ICN, there is a technology called FLIC (File-like collections), i.e., manifests for static objects. FLIC describes a single object that is re-constructed by traversing the manifest in order. In Marc's proposal, a transaction manifest describes a set of names that must be considered together. The transaction manifest names likely point to FLIC root manifests.
In the example above, transaction manifest entries entries point directly to objects. For a complete systems, you would also need a set of bookkeepers, e.g., systems like Hyperledger offering global ordering vis bespoke orderer nodes. Such bookkeeper would have to ensure that a transaction has current pre-conditions, current post-conditions, and no conflicts in post-conditions. Transaction manifests are a form of write-ahead logs (WAL), as used in databases, such as PostgreSQL.
Marc went on discussing a few challenges, such as interactions with repositories and caches, as well as distributed transaction manifests.
There was some discussion on the required ordering properties for this approach, i.e., whether, in a multi-bookkeeper system, livelocks and deadlocks could occur – and whether these could resolved without requiring a total order.
Marc is continueing to work on this. One of the next steps would be to design client-to-bookkepper and bookkeeper-to-bookkeeper protocols.
Vanadium: Secure, Distributed Applications
Marc Mosko introduced the Vanadium system, a secure, distributed RPC system based on distributed naming and discovery. Vanadium uses symmetrical authentication and encryption and may use private name discovery with Identity-Based-Encryption (IBE).
Vanadium has two parts:
- Principals and Blessings and Caveats (Security)
- Use a hierarchical name, e.g. alice:home:tv.
- Certificate based
- Blessings are scoped delegations from one principal to another for a namespace (e.g. alice grants Bob “watch” permissions to the TV)
- Caveats are restrictions on delegations (e.g. Bob can only watch 6pm – 9pm).
- 3rd party caveats must be discharged before authorization
- E.g. revocations or auditing
- The RPC mount tables (Object Naming)
- These describe how to locate RPC namespaces
- They provide relative naming
Vanadium is interesting because parts of its design resemble some ICN concepts, especially the security part:
- It uses prefix matching and encryption
- Namespaces work like groups
- The colon : separates the blesser from the blessed
- Authorizations match extensions.
- If Alice authorized “read” to alice:hometv to alice:houseguests, and if Bob has a blessing for alice:houseguests:bob, then Bob has “read” to alice:hometv.
- A special terminator :$ only matches the exact prefix.
- A blessing to alice:houseguest:$ only matches that exact prefix.
Marc then explain the object naming structure and the entity resolution in Vanadium.
More details can be found in Marc's presentation and on Vanadium's web page.
In summary, Vanadium is a permissioned RPC service. A Vanadium name encodes the endpoint plus name suffix. The endpoint does not need to resolve to a single mount table server, it could be any server that possesses an appropriate blessing. Authentication is done via pair-wise key exchange and blessing validations. It can be private if using IBE, otherwise server name leaks. Authorizations and Blessings and Caveats use hierarchical, prefixmatching names.
From an ICN perspective, the security approach seems interesting. Blessings and Caveats and discharges and namespaces as groups. One question is how this differs from SDSI co-signings. The Vanadium identity service provides an interesting mapping of OAuth2 app:email tokens to PKI and blessings. The RPC approach exhibits some differences to ICN, e.g., embedding the endpoint identifier in the name. ICN technologies in this context are public-key scoped names in CCNx and schematized trust anchors in NDN.
In the discusion, it was noted that it would be interesting to do an apples-to-apples comparison to the NDN trust schema approach; Vanadium's approach with the ability to create blessings and caveats on demand seems to be much more granular and dynamic.
Global vs. Scoped Namespaces
Marc Mosko discussed global vs. scoped namespaces. For example, how do you know that the key you are looking at is the key that you should be looking at? IPFS punts that to out-of-band mechanisms. CCNX on the other hand uses public key scoped names; you can put a public key, publisher ID in an interest and say you only wanyt this name if signed with the associated key.
It was suggested to re-visit some of the concepts in the RPC system of OSF distributed computing, where all namespaces were scoped, and name discovery starts out as local. You could then "attach" a local namespace to more global namespace via an explicit "graft" operation. The key here was that the authoritative pointers representing the namespace graph were from child to parent, as opposed to parent to child as it is with systems like DNS. Your local trust root identifier could become a name in a higher layer space, yielding a trust root higher in the hierarchy tha could be used instead of or in addition to your local trust root. Doing this can create progressively more global name spaces out of local ones.
Please check out the meeting video for the complete discussion at the meeting.