Security and Transport Performance in 5G

Security & Transport Performance in 5G
Dr.-Ing. Dirk Kutscher
Chief Researcher Networking
NEC Laboratories Europe

2 © NEC Corporation 2015
Performance and Security Today
User
Equipment
Access
Network
Core/Service
Network
Application
Servers

User
Equipment
Access
Network
Core/Service
Network
Application
Servers
TCP Proxies

User
Equipment
Access
Network
Core/Service
Network
Application
Servers
TCP Proxies
Traffic Management Systems

User
Equipment
Access
Network
Core/Service
Network
Application
Servers
TCP Proxies
Application (Video) Optimizers

User
Equipment
Access
Network
Core/Service
Network
Application
Servers
TCP Proxies
Application (Video) Optimizers
Mobile
Throughput
Guidance

Motivation
▌TCP proxies
Lack of AQM and ECN deployment
Sub-optimal performance: e2e control loop over heterogenous networks
▌Traffic management systems
Lack of AQM and ECN deployment
Lack of incentives for adaptive applications
Perceived need for policing applications depending on access network conditions
▌Application optimizers
Operator resource conservation and performance concerns
Access to user data for analytics
▌Mobile Throughput Guidance
All of the above

CDN Today
Mainstream CDN

CDN Tomorrow
Mainstream CDN

CDN Tomorrow: Silo Danger
Mainstream CDN
VOD CDN
Social Network
CDN

Motivation
▌TCP proxies
 Lack of AQM and ECN deployment
 Sub-optimal performance: e2e control loop over heterogenous networks
▌Traffic management systems
 Lack of AQM and ECN deployment
 Lack of incentives for adaptive applications
 Perceived need for policing applications depending on access network conditions
▌Application optimizers
 Operator resource conservation and performance concerns
 Access to user data for analytics
▌Mobile Throughput Guidance
 All of the above
▌CDN
 Network offloading
 QoE improvement through latency reduction
 Moving data and computation closer to the edge
 Application-layer request/content routing policies

Observations
▌Significant infrastructure required to make things „only work“ today
Overcoming TCP e2e performance issues in heterogenous networks
▌Caching deemed important for scalable, low-latency data access
Deployment likely going to increase in next generation networks (edge caching)
General CDN and application-specific CDN deployments (new OTT services)
How many different CDN-like overlays will you have to run as an ISP?
▌What does that mean for 5G networks?

NGMN 5G Use Cases
Low latency,
local loop communication
Optimized Forwarding
for Heterogenous Access
Decentralized
Communication
Security,
User Privacy

NGMN 5G Use Cases
Security,
User Privacy

Security & User Privacy
▌HTTP/2 is here to stay
▌Connection-based encryption on transport layer (TLS)
Encrypt connection (and authenticate endpoints)
Encrypted channel for all communication
▌De-facto ubiquitous (client implementations...)
▌No (easy) way for traffic management (based on
flow/application information)
▌Major concerns with network operators
See recent GSMA/IAB workshop on Managing Radio Networks in an
Encrypted World (MaRNEW)
Many of the previously mentioned optimization become
difficult/expensive/impossible

TLS and Future Deep CDN
▌CDN and TLS
CDN nodes maintain certificates on keying material on behalf of publishers
Managing those certificates/keys is an important function of any CDN
Protecting those certificates/keys is an important security requirement
▌Scaling CDNs
More attack surfaces
More challenges to
certificate/key management
User-privacy only guaranteed
for connection to CDN proxy
▌Are there better ways?
Object-based security
Generic object caching
& forwarding infrastructure
Mainstream CDN

Optimized Forwarding for Heterogenous Access
▌Low latency, high-bandwidth
Fiber, new radios
▌Slow, ad-hoc, unpredictable
Low-power radios, sleep/duty cycles
Constrained devices
▌Massively scalable distribution
Server-push or pub/sub style
Possibly in-network adaptation
▌Variable performance
Dynamically changing network conditions
Disruptions and delays
On-board caching for all applications & protocols

Optimized Forwarding for Heterogenous Access
▌Will be difficult to implement with TCP as is
▌Remember: reduced deployment options for
application-layer gateways
▌Network of TCP proxies does not sound convincing
▌Need more powerful forwarding layer and
transport services
Potential for hop-by-hop forwarding strategies
Caching for local retransmissions
User
Equipment
Access
Network
Core/Service
Network
Application
Servers

Information-Centric Networking
▌Accessing Named Data Objects (NDOs) in the network
ADUs, chunks, fragments
▌Data-centric security approach
Disentangled means for name-content binding validation, publisher
authentication, confidentiality
▌Name-Content binding validation:
Public-Key and hash-based schemes
▌Publisher authentication
One approach: publishers to sign NDOs, signature part of NDO meta data; trust
model a la PKI
▌Confidentiality and access control
Payload encryption

ICN Overview
Requestor 1 Original
Content “XY1”
Owner
“Joe”
Content
Repository
Requestor 2
• Request Response, Receiver-driven
• Pending Interesting Tables
• Forward-by-name (prefix)
• Per-node forwarding strategies
• Object-based security
• Ubiquitous caching
/com/netflix/video/starwars

ICN Performance and Resource Management
▌Key ICN properties
Requesting individual Named Data Objects
Ubiquituous Caching
▌Implicit caching
Every router can store NDO – depending on configuration, policy etc.
Even with encrypted traffic, caching can help with local retransmissions, media re-
play etc.
▌Simplified mobility management
Request/Response model – eliminates need for tunnels
▌Flexible multipath communication
Powerful forwarding layer
Every router can make forwarding decisions depending on strategy, network
characteristics, name prefix, policy
▌Easy policing and filtering
Requestors, publishers and requestors see ICN requests and responses
Policing without DPI
Enabling other optimizations: in-network pre-fetching etc.

Proof-of-Concept
▌ICN for managing multi-path connectivity in Hybrid Access scenarios
HGW HAG
LTE
DSL
Core Network Internet Cloud Services
▌State of the art
Connection Bundling over IP tunnels (GRE): poor performance with transport
protocols
MPTCP: better from transport perspective, but problematic interaction with CDN
(DNS redirection per interface) and lack of policy control

Proof-of-Concept
▌ICN for managing multi-path connectivity in Hybrid Access scenarios
HGW HAG
LTE
DSL
Core Network Internet Cloud Services
▌ICN approach
 Routers have better visibility of interface performance (can continously measure
latency between requests and responses on a name-prefix basis)
 Easy to implement policy based on request prefixes
 Our implementation: prioritizing critical applications by constantly assessing
interface performance and by assigning best interfaces to prioritized applications
 Works with high degree of dynamicity (mobile networks)
▌First results
 Extremely fast response to congestion – on all nodes of a heterogenous path
 Constantly high capacity utilization
 Effective prioritization
/com/netflix/video/starwars
/com/os/updates

Other Recent Results
http://www.ietf.org/proceedings/interim/2014/09/27/icnrg/proceedings.html

Orange/ALU/SystemX Testbed Measurement Results
http://www.ietf.org/proceedings/interim/2014/09/27/icnrg/proceedings.html

5G Blueprint
Ctrl.
HA Load
Balancer
Ctrl.
…Internet
RNC IW3G
WiFi
4G
5G
xDSL
Cable
IW
vPoPs
Transport
Data Center
DB
auth. services
Minimal IPv6 connectivity
Baseline
IP e2e
applications
Mobility-managed, seamless IP connectivity
IM,
server
applications
M2M
applications
In-network
processing
Interactive
real-time
Low-latency, transport-
enhanced service
Caching,
multicast
Video
streaming,
VOD

5G Multitenancy
Ctrl.
HA Load
Balancer
Ctrl.
…
Internet
RNC IW3G
WiFi
4G
5G
xDSL
Cable
IW
vPoPs
Transport
Data Center
DB
auth.
services
Baseline
IP e2e
applications
Mobility-managed, seamless IP connectivity
IM,
server
applications
M2M
applications
In-network
processing
Interactive
real-time
Low-latency, transport-
enhanced service
Caching,
multicast
Video
streaming,
VOD
Telco
IaaS
ISP
A
Mobile
TV
service

Possible 5G ICN Deployment Option
Ctrl.
HA Load
Balancer
Ctrl.
…
Internet
RNC IW3G
WiFi
4G
5G
xDSL
Cable
IW
vPoPs
Transport
Data Center
DB
auth.
services
Telco
IaaS
ISP
A Information-Centric Networking
Infrastructure
Mobility-managed,
seamless IP
connectivity
In-network
caching
In-network
execution
Mobile
TV
service
Video
streaming,
VOD
IoT
Service
In-network
IoT
platforms
Interactive
Multi-
media
service
WebRTC
Platform

Conclusions: 5G has challenges beyond SDN/NFV
▌Security
User-privacy concerns one of the drivers for HTTP/2 (TLS) adoption
Will reduce leverage for operators for „value-added service“, application-layer
optimizations etc.
Security challenges for TLS and (Deep) CDN
▌Performance
5G has potential for better performance due to new link layers and backhaul
architectures
But: heterogenous access and diverse use cases also imply new challenges
▌Information-Centric Networking
Data-centric communication approach more
suitable for secure and efficient communication
Powerful forwarding layer: node-specific forwarding
strategies thanks to better visibility of forwarding performance
Common infrastructure for different types of
applications: enabling efficient multi-tenancy operation without silos

IRTF ICNRG
▌Cross-project research community
Not limited to a specific funding authority, project, protocol
Sharing of research results, new ideas
Documenting ICN scenarios, challenges, state-of-the-art solutions, gaps
Specifying protocols and semantics for ICN
Sharing implementation, experience from experiments
▌ICNRG and standards
Not setting standards...
But: helping to understand what needs to be standardized
And: working on specifications
▌ICNRG Administrivia
Web: http://irtf.org/icnrg
Chairs
• Börje Ohlman (Ericsson Research)
• Dave Oran (Cisco Systems)
• Dirk Kutscher (NEC Laboratories)

ICNRG Work Items
▌Scenarios, use cases
 Baseline scenarios (RFC 7476)
 Video distribution
 IoT
 Challenged networks and disaster scenarios
▌Challenges, evaluation
 Research challenges
 Evaluation Methodology
▌Protocol specifications
 CCNx Messages in TLV format
 CCNx Semantics
▌Newly proposed topics
 Manifests, chunking, fragmentation, versioning
 User privacy, access control
 Name resolution
 Named function networking
Documenting use
cases &
opportunities
Evolving research
agenda &
evaluation
approaches
Creating
interoperable
platforms for
experimentation
Evolving ICN
concepts and
technologies

Running Code
▌CCNx-1.0 (PARC)
PARC license
Developed by PARC
Implements ccnx-messages
and ccnx-semantics
▌CCN-lite (University of Basel)
Open Source, free to use without restrictions
Implements ccnx protocol
Used by RIOT project
▌NDN NFD (NDN project)
GPL-3.0
Maintained by NDN project
Implemented NDN protocol

Security and Transport Performance in 5G

Security and Transport Performance in 5G

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Security and Transport Performance in 5G (20)

Recently uploaded (20)

Security and Transport Performance in 5G

Editor's Notes