Trusted Next Generation Internet and Its Development

2008-06-20 02:28 Wu Jianping, Bi Jun
ZTE Communications, 2008, Issue 1

Wu Jianping,Bi Jun

(Network Research Center of Tsinghua University, Beijing 100084, China)

Abstract: The ongoing research on secure and trustworthy issues in next generation Internet technology is still insufficient. China has achieved some progress in the field of the trusted next generation Internet. Under the support of the National High Technology Research and Development Program of China (863 Program), Tsinghua University and other units have completed the program named "Research on Critical Technologies and Demonstration Applications of the Trusted Next Generation Internet", which targets the secure and trustworthy problems existing in the current Internet. With a focus on tackling the technical problem of authentic address access in the Internet, a prototype system for trusted Internet infrastructure, security service and typical applications has been designed and implemented. It is expected that the trusted next generation Internet will support trusted computer network, trusted telecom network and trusted broadcast & TV network applications.

The Internet has a profound influence on human life, and even on social progress. Due to inherent deficiencies in the Internet architecture, the Internet is facing unprecedented challenges in security and trustworthiness, which has become one of the major "bottleneck" issues in the development of Internet applications.

In the coming 5-10 years, Internet technologies will enter a period of upgrade and replacement, and the IPv6-based next generation Internet has become a research hotspot at home and abroad. The trusted next generation Internet, focusing on addressing the security and trust issues in the Internet, should have the following characteristics:

(1) Ensure the network address and its location are authentic and trusted

·Authenticity: access based on an authentic IPv6 address.

·Traceability: trace back the authentic location of the network address based on the authentic IPv6 source address.

·Controllability: monitor and control the behavior of a network user entity according to its authentic location.

(2) Enhance the authenticity and trustworthiness of network application entities

·Identity trustworthiness: the authentic IPv6 source address can enhance the trustworthiness of network user entity identities.

·Application security: support secure and trusted network applications.

In the trusted next generation Internet architecture, the authentic IPv6 source addressing architecture belongs to the trusted network infrastructure layer, which is also the basis of the other trusted network layers. From a trustworthiness perspective, authentic IP address access is actually an address dependency issue: a message sent from a user entity carries only its own address, and the message can only be sent by the entity possessing that source address. The original Internet design assumes that all network equipment (including hosts and routers) is trusted. However, in the current complicated network environment, hosts can no longer be trusted. Therefore, the network infrastructure must guarantee the enforcement of source address dependency.

In the trusted next generation Internet architecture, the uniform user identifier and security service belong to the security service layer above authentic address access. As the common security service layer provided by the infrastructure, the security service layer utilizes and encapsulates the trusted functions offered by the underlying infrastructure to deliver a uniform identifier and authentication service for typical applications in the trusted next generation network. Entity identity, identity authentication, trusted domain name service, and key management service based on authentic addresses are the basic security services used to realize trusted security service.

The trusted next generation Internet can address the security issues in traditional applications to implement trusted applications, including trusted email, trusted BBS and a trusted SIP communication system. These trusted applications can tackle the address authenticity problem in the traditional email system; improve the junk mail traceback mechanism to stop junk email and email viruses; balance user accountability and user privacy protection in traditional BBS; and solve the security problems of the SIP communication system in the trusted network environment.

1 International Research

As early as 1988, the international standardization organization ISO/IEC JTC1 gave additional descriptions of the security architecture in the open system reference model in the field of network security service architecture. Five security services (authentication, confidentiality, integrity, access control, non-repudiation), the security mechanisms that implement them, and the functional distribution of these services and mechanisms across the protocol layers of the Open System Interconnection (OSI) model were introduced. Work is also in progress in the Internet Research Task Force (IRTF) and Internet Engineering Task Force (IETF) on such topics. RFC 1287 pointed out the importance of an Internet security reference model; however, an integrated security architecture model has not been produced. RFC 2401 [1] is only the security framework for the IP layer, while other related RFCs bring forward solutions targeting specific problems and are unable to address system security requirements from the overall architecture.

Some technical research is underway, as exemplified by the Host Identity Protocol (HIP), a representative of research on user and host authentication in the network, and Secure Inter-Domain Routing (SIDR), a representative of research on network routing protocol security.

The US government announced the initiation of the Next Generation Internet (NGI) research plan in October 1996. Complementary to the NGI plan, the Internet2 research plan [2], jointly initiated by over 100 US universities, aims to leverage existing network technologies to explore new generation applications in a high-speed information network environment, while attempting to discover the deficiencies in current network architecture theory and thus offering a requirements basis for new information network theory research. In the Internet2 next generation architecture, middleware is a set of common services provided for various applications between the network and the application. The Internet2 Middleware Initiative (I2-MI) is researching and deploying middleware on Internet2, delivering identification, authentication, authorization, directory and security services, mainly security services for the upper layer. Funded by the Defense Advanced Research Projects Agency (DARPA) of the US Department of Defense, the University of Southern California's Information Sciences Institute (USC/ISI), MIT's Computer Science and Artificial Intelligence Laboratory (MIT LCS) and the International Computer Science Institute (ICSI) of UC Berkeley collaborated on the NewArch project [3] to carry out research on the new generation Internet architecture. The latest results of the project team reconsidered the current Internet and advanced several design principles for the next generation Internet, such as change-oriented design and controllable transparency.

Main international research on protection against source address forgery includes:

(1) The IP Security (IPSec) communication protocol, consisting of the Authentication Header (AH), Encapsulating Security Payload (ESP) and a key management framework (Internet Security Association and Key Management Protocol/Internet Key Exchange (ISAKMP/IKE)), implements data origin authentication, confidentiality and data integrity. The IETF specifies that IPSec support is mandatory in IPv6 implementations. IPSec also has serious performance problems: even though forged packets are discarded, the resulting overhead for the system is huge, making Distributed Denial-of-Service (DDoS) attacks possible. Furthermore, employing this technology as the validation method is a heavy burden on routers due to the tremendous traffic between routers in the core network.

(2) Forged IP address filtering technology: typical approaches are ingress filtering [4], unicast Reverse Path Forwarding (uRPF) [5], Distributed Packet Filtering (DPF) [6], Source Address Validation Enforcement (SAVE [7], iSAVE [8]), etc. Ingress filtering requires support from various vendors, cooperation among all Internet Service Providers (ISPs) and overall deployment; uRPF is unable to solve the problem of asymmetric routing; DPF requires extending the Border Gateway Protocol (BGP), and may cause normal packets to be discarded when routes in the network change dynamically; SAVE requires overall deployment; and the implementation of iSAVE is relatively complex.

(3) Source address traceback technology: typical approaches are the Source Path Isolation Engine (SPIE) [9], ICMP traceback (iTrace) [10] and probabilistic packet marking [11]. Because of the complexity of traceback algorithms, traceback is unable to discover the forged source IP address in real time. The probabilistic packet marking algorithm cannot handle single-packet address spoofing.

(4) Network access control such as 802.1x [12]: these technologies cannot fully implement source address spoofing control at the network layer.

Figure 1. Trusted next generation Internet architecture.

2 Trusted Next Generation Internet

Under the support of the National High Technology Research and Development Program of China (863 Program), Tsinghua University and other units undertook the program named "Research on Critical Technologies and Demonstration Applications of the Trusted Next Generation Internet", targeting major problems such as weak security, low credibility, poor mobility and poor streaming media bearer capability in the current Internet. With a focus on solving the technical problem of authentic address access in the Internet, the trusted Internet infrastructure, security service and typical applications are designed and implemented. IETF RFC drafts on some critical technologies have been submitted.

2.1 Trusted Next Generation Internet Architecture

As a hierarchical model, the trusted next generation Internet architecture consists of three layers: trusted network infrastructure, a trusted security service layer and trusted Internet applications. It utilizes the network infrastructure based on authentic IP addresses to build trusted security services based on an overall user identifier and to implement trusted Internet applications, as shown in Figure 1.

2.2 Internet Infrastructure Based on Authentic IPv6 Addresses

The current Internet confronts problems resulting from a lack of trustworthiness. Destination address-based routing and forwarding does not check source addresses, making forged source address attacks easier and more frequent. In the Internet, an address is the host identifier, and the lack of source address verification makes it impossible to establish trusted relationships at the network layer. An authentic addressing structure provides the following benefits:

(1) Defeats some DDoS attacks that rely on forged source addresses, such as reflection attacks.

(2) Authentic address access facilitates Internet traffic tracing, security mechanism design and network management.

(3) Enables billing, management and measurement based on source address.

(4) Supports the design of security services and security applications.

Based on the network's own architecture, the authentic address access architecture can be divided into inter-domain, intra-domain and intra-subnet authentic address access, as shown in Figure 2.

The inter-domain authentic address approach implements the authentic address validation function at Autonomous System (AS) granularity. According to the method of generating validation rules, two approaches are designed: one based on path information and one based on end-to-end lightweight signatures. The former is applicable to adjacent deployment, and the latter to non-adjacent deployment.

The intra-domain authentic address approach implements prefix-level authentic address validation. A reverse address lookup mechanism based on path and distance and a source address validation module are designed to be deployed on edge routers or intra-domain routers.

The intra-subnet authentic address approach ensures that a network packet originates from a host in the given subnet that owns the packet's source address. Targeting different deployment capabilities, there are two approaches: an IPv6 authentic address assignment and access switch admission control mechanism; and an end-to-end authentication mechanism between host and security gateway.

Figure 2. Authentic IPv6 addressing structure.

In comparison with the source address spoofing protection mechanisms abroad, the mechanisms and protocols mentioned above are simple, efficient, loosely coupled, multi-defense, incrementally deployable and provide deployment incentives; thus, they form an integrated system solution.
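The three validation granularities described above, as an added illustration that is not the project's code: an address-to-port binding check at the access switch (intra-subnet), a reverse prefix-to-interface lookup at the router (intra-domain), and a prefix-to-neighbouring-AS check at the domain border (inter-domain). All tables, addresses, port and interface names and AS numbers are constructed.

```python
"""Source-address validation at the three granularities of Section 2.2.
Added illustration only; tables, addresses, port/interface names and AS
numbers are constructed and do not come from the paper or the testbed."""
import ipaddress

# Intra-subnet: the access switch records the port on which each assigned
# IPv6 address was admitted; a packet is accepted only from that port.
BINDINGS = {
    "2001:db8:1::10": "ge-0/0/1",
    "2001:db8:1::11": "ge-0/0/2",
}

# Intra-domain: reverse lookup table, prefix -> interfaces on which packets
# carrying a source in that prefix may legitimately arrive (constructed).
PREFIX_IFACES = {
    ipaddress.IPv6Network("2001:db8:1::/48"): {"eth0"},
    ipaddress.IPv6Network("2001:db8:2::/48"): {"eth1"},
}

# Inter-domain: prefix -> neighbouring ASes allowed to hand us packets with
# a source in that prefix (AS granularity; constructed AS numbers).
AS_TABLE = {
    ipaddress.IPv6Network("2001:db8::/32"): {64500},
    ipaddress.IPv6Network("2001:db8:ffff::/48"): {64501},
}


def check_subnet(bindings, src, port):
    """Intra-subnet: the source address must be bound to the arrival port."""
    return bindings.get(src) == port


def _longest_match(table, src):
    """Return the most specific prefix in table containing src, or None."""
    addr = ipaddress.IPv6Address(src)
    matches = [net for net in table if addr in net]
    return max(matches, key=lambda net: net.prefixlen) if matches else None


def check_domain(prefix_ifaces, src, iface):
    """Intra-domain: the source prefix must be expected on the ingress interface."""
    net = _longest_match(prefix_ifaces, src)
    return net is not None and iface in prefix_ifaces[net]


def check_interdomain(as_table, src, peer_as):
    """Inter-domain: the source prefix must be expected from the neighbouring AS."""
    net = _longest_match(as_table, src)
    return net is not None and peer_as in as_table[net]


if __name__ == "__main__":
    # A host on ge-0/0/2 using its neighbour's address is rejected at the switch.
    print(check_subnet(BINDINGS, "2001:db8:1::10", "ge-0/0/2"))   # False
    # A 2001:db8:1::/48 source arriving on eth1 fails the reverse lookup.
    print(check_domain(PREFIX_IFACES, "2001:db8:1::10", "eth1"))  # False
    # The more specific /48 is accepted only from AS 64501.
    print(check_interdomain(AS_TABLE, "2001:db8:ffff::1", 64500))  # False
```

Each check is deliberately a plain table lookup so that the differing cost of the three layers is visible: the switch binding is exact, the router check is a longest-prefix match, and the border check is the same match keyed on the neighbouring AS.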

2.3 Trusted Next Generation Internet Security Service

From the perspective of the architecture's functional hierarchy, the security service layer is the common security service layer provided by the infrastructure for the application layer; it utilizes and encapsulates the trusted functions offered by the underlying infrastructure to deliver a uniform identifier and authentication service for typical applications in the trusted next generation network.

The domain name system is selected as the uniform user identifier. The Remote Authentication Dial In User Service (RADIUS) and Diameter protocols are selected as the authentication standard within a management domain. The DNS Security Extensions (DNSSEC) in combination with traditional Public Key Infrastructure (PKI) are selected as the key management infrastructure. Entity identity, identity authentication, trusted domain name service and key management service based on authentic addresses are the basic security services used to implement trusted security service.

In an Internet environment with authentic addresses and identifiers, the architecture, authentication and key management methods of application systems can be simplified, as manifested in the following aspects:

(1) The domain name system is used to implement a uniform entity identifier and cross-management-domain distributed applications. As the domain name system is a scalable and mature identifier system, the uniform entity identifier system implemented on top of it features good scalability and accessibility and is easy to remember.

(2) The security service is used to provide a uniform identifier and cross-domain identity authentication, eliminating the need for each application system to implement its own authentication system.

(3) The key management mechanism offered by the domain name service can fulfill flexible and scalable key management and negotiation.

2.4 Typical Applications of Trusted Next Generation Internet

The research and development work designs and implements trusted email, trusted BBS and a trusted SIP communication system based on authentic addresses as typical applications in the trusted next generation Internet. On the basis of an infrastructure with authentic addresses and security services, critical problems existing in traditional application systems, such as the following, can be solved:

·Solve the address authenticity problem in the traditional email system;

·Improve the junk mail traceback mechanism to stop junk email and email viruses;

·Balance user accountability and user privacy protection in traditional BBS;

·Solve the security problems of the SIP communication system in the trusted network environment, as exemplified by spoofed services and torn-down sessions;

·Authentic DNS-based services solve the problems of the SIP communication system in architecture and signaling process optimization.

2.5 Trusted Next Generation Internet Testbed

Currently, the trusted next generation Internet testbed, including 12 authentic address experimental autonomous systems, has been deployed on CNGI-CERNET2, with an authentic address network equipment prototype, traffic monitoring system, trusted security service system, and applications such as trusted email, BBS and VoIP deployed, as shown in Figure 3.

Figure 3. Trusted next generation Internet testbed based on CNGI-CERNET2.

3 Development Trend of Trusted Next Generation Internet

New research plans have been launched around the world in recent years, as exemplified by the well-known Global Environment for Networking Innovations (GENI) [13] and Future Internet Design (FIND) [14] research programs initiated by the US National Science Foundation (NSF). In an attempt to discover and evaluate new innovative concepts, demonstrations and technologies that can be the basis of a 21st century Internet, GENI would build a large-scale experimental environment that fosters the exploration and evaluation of new networking architectures. The researchers hope that the future Internet will be worthy of society's trust, stimulate science and engineering innovation, support the integration of new technologies, enable the vision of pervasive computing, bridge the gap between the physical and virtual worlds, and support innovation in services and applications. FIND is another research program of the US NSF. US scientists have considered what the requirements should be for a global Internet 15 years from now. Based on an end-to-end-oriented architecture, FIND solicits research across Networking of Sensor Systems (NOSS), programmable wireless communications, and wide area networking. The US attempts to maintain its leading position in the field of information technology and the Internet through these proactive research programs. Although no substantial results have been achieved, the trusted Internet is a major topic among these research programs. For example, some researchers have suggested the Passport architecture [15].

It can be envisioned that research on the future trusted Internet involves the following aspects:

·Trusted next generation architecture and standards system, supporting "triple play";

·Trusted next generation authentic address critical technologies, and routers, switches and specialized network facilities supporting authentic addresses;

·Security service based on an overall identifier for the trusted next generation Internet;

·Trusted next generation Internet applications, including P2P, IPTV and interactive TV, wireless and mobile applications;

·Transition technology from the current Internet to the trusted next generation Internet;

·Large-scale trusted next generation Internet testbed.

4 Conclusions

The IPv6-based next generation Internet has become a focal point of research at home and abroad. Ongoing research on secure and trusted issues in next generation Internet technology is still insufficient. China has made some preliminary achievements in the field of the trusted next generation Internet over the past few years, and is carrying out further research. Developing the trusted next generation Internet meets the requirement to ensure the security and trustworthiness of the national information infrastructure and network applications, follows the nation's development strategy on innovation, and gives an impetus to science and technology and to industrial development.

With the development of the Internet, especially the next generation Internet, IPv6 will be the basis of "triple play". The trusted next generation Internet will offer support for building trusted computer network, trusted telecom network and trusted broadcast & TV network applications.