SlideShare une entreprise Scribd logo

RINA Introduction, part II

ICT PRISTINE
ICT PRISTINE

RINA Introduction, part II

Internet
1  sur  69
Télécharger pour lire hors ligne
The Pouzin Society © John Day, 2013 All Rights Reserved 1 Welcome to the RINAissance! An Introduction to the RINA Architecture Part 2 3rd Annual International RINA Workshop John Day Ghent 2015 In a network of devices why would we route between processes? - Toni Stoey, RRG 2009
The Pouzin Society © John Day, 2013 All Rights Reserved 2 2 What a Layer Looks Like •  Processing at 3 timescales, decoupled by either a State Vector or a Resource Information Base –  IPC Transfer actually moves the data ( ≈ IP + UDP) –  IPC Control (optional) for retransmission (ack) and flow control, etc. –  IPC Layer Management for routing, resource allocation, locating applications, access control, monitoring lower layer, etc. •  Remember that within a scope if there is a partitioning of functions, it will be orthogonal? Well, here it is. IPC Transfer IPC Control IPC Management Delimiting Transfer Relaying/ Muxing PDU Protection Common Application Protocol Applications, e.g., routing, resource allocation, access control, etc. Application-entities Application Process
The Pouzin Society © John Day, 2013 All Rights Reserved 3 What are the Protocols? •  Only two –  A data transfer protocol, EFCP, based on delta-t with mechanism and policy separated. This provides both unreliable and reliable flows. –  The common application protocol based on CDAP. IPC Management CDAP Resource Allocation RIB Daemon IRM RMT EFCP Flow Allocator
The Pouzin Society © John Day, 2013 All Rights Reserved 4 Error and Flow Control Protocol* (EFCP) •  There is one DTP (and possibly one DTCP) per flow •  One Relaying and Multiplexing Task per IPC Process •  At most, one SDU Protection per (N-1)-flow/DIF. •  Delimiting is a function with an inverse that converts SDUs to User-Data Fields for PDUs. •  DTP is a bit like IP/UDP (if you don’t look too close) •  See the EFCP Specification Delimiting, Fragmentation/ Reassembly Relaying and Multiplexing Task SDU Protection State Vector DTP- Sequencing/PDU Identification, Data Transfer DTCP - Retransmission and Flow Control
The Pouzin Society © John Day, 2013 All Rights Reserved 5 *A Bit More to Say About Error and Flow Control Protocols •  This has been a subject of intense research since the early 70s. You would think we had pretty much exhausted the subject. Not so. First there was: –  Separating mechanism and policy revealed that the protocol naturally cleaved into data and control and –  that there was no distinct relaying protocol and –  SDU Protection wasn’t really part of the protocol and –  Heavy weight solutions like IPsec were unnecessary •  Recently we have also found that: –  Fragmentation/Reassembly is part of Delimiting –  The A-Timer has a role in DTP. –  Finer grained flow control across connections is possible external to EFCP. –  Can one dynamically shift from using DTCP without affecting a connection? •  Very likely. Set DRF and just do it. •  Why are we finding these new results? –  Because we are acting scientifically: we are trying to understand the nature of the problem.
The Pouzin Society © John Day, 2013 All Rights Reserved 6 Common Distributed Application Protocol •  Common Application Connection Establishment (CACE) is the common procedure for establishing application connections. It ensures that there is a known first exchange. –  Based on the OSI ACSE which was defined to be used recursively and has hooks for. . . •  An authentication module, which is a policy of whatever strength required. •  CACE and an authentication module can be wrapped around any existing application protocol, e.g. HTTP. (See the CACE specification.) •  CDAP provides the minimal six operations and a basic object-oriented functionality scope and filter. (See the CDAP specification.) –  Would other programming paradigms lead to different functions? CACE Authentication CDAP
The Pouzin Society © John Day, 2013 All Rights Reserved 7 Only Three Kinds of Systems •  Middleboxes? We don’t need no stinking middleboxes! •  NATs: either no where or everywhere, •  NATs only break broken architectures •  The Architecture may have more layers, but no box need have more than the usual complement. –  Hosts may have more layers, depending on what they do. Hosts Interior Routers Border Routers
The Pouzin Society © John Day, 2013 All Rights Reserved 8 All Communication goes through Three Phases •  Enrollment –  Operations to create sufficient state within the network to allow an instance of communication to be created. •  Allocation (also known as Establishment) –  Operations required to allocate an instance of communication creating sufficient shared state among instances to support the functions of the data transfer phase. •  Data Transfer –  Operations to provide the actual transfer of data and functions which support it. •  Most of our attention has been on the last two. The first has often been ignored and is usually seen as necessarily ad-hoc. But enrollment turns out to be key.
The Pouzin Society © John Day, 2013 All Rights Reserved 9 How Does It Work? Enrollment or Joining a Layer •  Nothing more than Applications establishing communication (for management) –  Authenticating that A is a valid member of the (N)-DIF –  Initializing it with the current information on the DIF –  Assigning it a synonym to facilitate finding IPC Processes in the DIF, i.e. an address –  (see the Enrollment specification for an example.) (N-1)-DIF (N)-DIF A
The Pouzin Society © John Day, 2013 All Rights Reserved 10 Enrollment Details: The Naïve Approach •  First, create a flow with the lower layer. •  Then, create an application connection with a member of the DIF at this layer, then authenticate each other. If successful, proceed to enroll. Allocate (N-1)-flow Connect Connect Response Start Enrollment Write New Synonym Initialize New Member With static info and some dynamic info. Write Responses • • • Stop Enrollment Cause RIB Update to update dynamic info. Authentication Exchange
The Pouzin Society © John Day, 2013 All Rights Reserved 11 Enrollment Resource Allocation Layers •  If a member fails and reappears (router crash), can’t assume all is well. –  OTOH, the naïve approach would be onerous. •  Assume that most Enrollment requests are members dropping out and coming back. •  Assume that state information they have (including addresses assigned to them) has a lifetime. If gone a short amount of time, then assume it is still good; otherwise, upload. (But still has to authenticate) •  But to save time, let the new member decide what to upload. •  See Enrollment Specification for details
The Pouzin Society © John Day, 2013 All Rights Reserved 12 Enrollment A Pragmatic Approach for Resource Sharing Layers •  First part is the same. Allocate (N-1)-flow Connect Connect Response Start Enrollment Write New Synonym Initialize New Member Write Responses Authentication Exchange
The Pouzin Society © John Day, 2013 All Rights Reserved 13 Enrollment Procedure I •  When the New Member receives the M_Connect Response, the New Member copies Current_Address to Saved_Address, it sends –  ! M_Start Enrollment(address, Address_expiration_time, other data about New Member) •  /* The New Member is telling the Existing Member what it knows. Primarily this is derived from the address (NULL or not), and the expiration life-time of the address if non-NULL. Since addresses are generally assigned for hours or minutes, tight time synchronization is not required. (Even for DIFs with fast turnover, fairly long assignment times are still prudent.)*/ •  The Member sends –  ! M_Start_R Enrollment(address (potentially different), Application Process Name, Current_Address, Address_Expiration).
The Pouzin Society © John Day, 2013 All Rights Reserved 14 Enrollment Procedure II •  Using the information, provided by the New Member, the Existing Member sends –  ! M_Create (zero or more) to initialize the Static and Near Static information required. When finished and the New Member has sent all necessary –  M_Create_Rs •  The Existing Member sends a –  ! M_Stop Enrollment (Immediate:Boolean) •  The New Member may Read any additional information not provided by the Existing Member. –  M_Read (zero or more) –  M_Stop_R Enrollment •  If the Immediate Boolean is True, the New Member is free to transition to the Operational state. •  If the Boolean Immediate is False, then the New Member can not transition to the Operational state until an M_Start Operation is received.
The Pouzin Society © John Day, 2013 All Rights Reserved 15 Enrollment Procedure III •  The New Member is free to Read any information not provided by the Existing Member. Once these are completed, the Existing Member sends: –  ! M_Start Operation •  The New Member sends –  M_Start_R Operation •  Invoke RIB Update of dynamic information which will cause others to send data to the New Member.
The Pouzin Society © John Day, 2013 All Rights Reserved 16 How Does It Work? Establishing Communication •  Simple: do what IPC tells us to do. –  A asks IPC to allocate comm resources to B –  Determine that B is not local to A use search rules to find B –  Keep looking until we find an entry for it. –  Then go see if it is really there and whether we have access. –  Then tell A the result. –  (See Flow Allocator specification) •  This has multiple advantages. –  We know it is really there. –  We can enforce access control –  We can return B’s policy and port-id choices –  If B has moved, we find out and keep searching A BAhh, look there!
The Pouzin Society © John Day, 2013 All Rights Reserved 17 Flow Allocator •  The Flow Allocator contains a Name Space Management function which registers applications, allocates new addresses within the DIF, and allocates flows. •  Most IPC Processes will maintain a cache of recent name to address mappings from flow allocate requests. Larger DIFs may dedicate IPC Processes to repositories (partially replicated databases) to facilitate flow allocation. Repositories Flow  Allocator Flow  Allocation   Requestors Enrollment Request
© John Day, All Rights Reserved, 2009 9 February 2015 . 18 What about IPC Naming? •  An IPC Process has an Application Process Name, but give it a synonym of scope limited to the layer. •  Commonly called an address •  There are three local identifiers: –  A Flow Allocator Instance Identifier, •  Commonly called a port-id –  A Data Transfer Instance Identifier, and •  Commonly called a connection-endpoint-identifier Address CEP-ids Connections Port-ids bindings Application Process Name
© John Day, All Rights Reserved, 2009 9 February 2015 . 19 To Summarize •  All identifiers except address and connection-id are local to the IPC Process. –  Scope of the address is the Layer. –  Scope of the connection-id is the participants in the connection. •  None has more scope than it needs. Common Term Scope Application Term Application Process Name Global (unambiguous) Application Process Name Address Layer (unambiguous) Synonym for IPC Process’ Application Process Name Port-id IPC Process (unique) Flow-Allocator-Instance- Identifier Connection-endpoint-identifier IPC Process (unique) Data Transfer Instance-Identifier Connection-id Src/Dest Data Transfer (unique) Concatentation of data-transfer- instance-identifiers DIF Management Updates IPC Process (unambiguous) AE-identifier
© John Day, 2013 20 Rights Reserved The Pouzin Society Names Implications of the Model (Basics) •  We have made a big deal of node and point of attachment, but they are relative, not absolutes. –  An (N)-IPC-Process is a node in the (N)-DIF. •  An (N-1)-IPC-Process is a node in the (N-1)-DIF –  An (N-1)-IPC-Process is a point of attachment to an (N)-IPC-Process. –  An (N)-address is a synonym for an (N)-IPC-Process. •  So as long as we keep that straight, there is no point to making the distinction. •  Note that it is the port-id that creates layer independence. With a port-id, No Protocol-Id Field is Necessary, or if there is such a field something is wrong. Address Port -id (N)-IPC-Process (N-1)-IPC-Process
This Bounds Router Table Size •  There will be Natural Subnets within a layer around the Central Hole. •  Each can be a routing domain; Each Subnet is one hop across the Hole. –  The hole is crossed in the layer below. •  A Topological Space is imposed on the Address Space of Each Layer Backbone Regionals Metros (N)-Routing Domains (N-1)-Routing Domains
Example of Topological Address Assignment Regionals Metros W N S E •   •   E3920   S4729   Possible Address Space For Regional Networks N and S would be similar Possible Address Space For Metro Networks •   ESE8399   W N S E WW NW SW NE SE EE • WWW7428 Note that strictly speaking the address spaces are independent Similarityintheupperpartoftheaddress hierarchycanbeleveragedtosimplifyrouter calculations.
© John Day, 2013 23 Rights Reserved The Pouzin Society Names Implications of the Model (Multihoming) •  Yea, so? What is the big deal? –  It just works •  PDU arrives at the (N-1)-IPC Process. If the address designates this IPC Process, the CEP-id is bound to the port-id, so after stripping off (N-1)-PCI, it passes it up. •  The process repeats. If the address in the (N)-PCI is this IPC-Process, it looks at the CEP-id and pass it up as appropriate. •  Normal operation. Yes, the (N-1)-bindings may fail from time to time. •  Not a big deal. Address Port -id (N)-IPC-Process (N-1)-IPC-Process
© John Day, 2013 24 Rights Reserved The Pouzin Society Names Implications of the Model (Mobility) •  Yea, so? What is the big deal? –  It just works just like multihoming only the (N-1)-port-ids come and go a bit more frequently. •  O, worried about having to change address if it moves too far? Easy. •  Assign a new synonym to it. Put it in the source address field on all outgoing traffic. Stop advertising the old address as a route to this IPC-Process. •  Want to renumber the DIF for some reason? Same procedure. •  Again, no special cases. No special protocols. No concept of a home router. Okay, policies in the DIF may be a bit different to accommodate faster changing points of attachment, but that is it. Address Port -id (N)-IPC-Process (N-1)-IPC-Process New Address
© John Day, 2013 25 Rights Reserved The Pouzin Society The Skewed Necklace (DIF view) •  Clearly more layers could be used to ensure the scope allows sufficient time for updating relative to the time to cross the scope of the layer. –  Space does not permit drawing networks. •  It appears that one could make the mobile host appear stationary to the top layer, i.e. the top layer addresses don’t change because all the routing is handled in the lower layers. Base Station Metro Subnet Regional Subnet Mobile Infrastructure Network Traditional ISP Provider Network with normal necklace with an e-mall top layer.
© John Day, 2013 26 Rights Reserved The Pouzin Society What New Is Needed? •  Nothing –  Enrollment in a new DIF follows normal procedures –  Allocation of a flow follows normal procedures –  Changing the address of an IPC Process with in a DIF follows the normal procedure. –  New points of attachments, i.e. new lower layer DIFs, are acquired in the normal way. •  There are specific cases to work out here. In general, expect that a wireless device will be probing for new PoAs. But then a system with a down wireline interface should be doing the same thing. –  Current points of attachment are discarded when they can no longer provide an acceptable QoS (criteria and measurement is policy as it is in the wireline case).
© John Day, 2013 27 Rights Reserved The Pouzin Society Even the Shim DIF was Enlightening •  A Shim DIF creates the thinnest possible veneer to make a legacy layer service look like a DIF. •  Both IP and Ethernet (without LLC) have a ‘protocol-id’ field –  Historically (1982) a problem: (N+1)-protocol identified in an (N)-protocol •  Without port-ids, there is no isolation and this implies that for each protocol type, there can only be one “user” of the “flow.” –  There can be only one QoS-cube. •  Conclusion: Port-ids are necessary to a well-formed layer/DIF. These are ill- formed layers. –  Ethernet with LLC is well-formed. –  Port-ids provide isolation. Dest Src Protocol-id Stuff User-Data DIF Boundary
Why Can WiFi Have 4 MAC Addresses? BSS- id Laptop Access Point Router/ Cable Modem Sndr/Rcvr “Ethernet” btwn SRC/DEST IP Laptop Access Point Access Point Router/ Cable Modem Sndr/Rcvr Sndr/Rcvr “Ethernet” btwn SRC/DEST IP •  Because it is really two layers! •  In general, there is forwarding across access points. First two addresses would be SNDR/RCVR addresses and would change at every hop, while . . . •  Over the top is a logical Ethernet with Src/Dest addresses constant, continuous with the Wired Ethernet connecting the last Access Point to the Router. •  The most common configuration is a Star Network connected to a Router/Cable Modem. In this case, the SRC and SNDR addresses are the same, so only 3 addresses are necessary. •  VLANs are doing the same thing: Multiple Layers of the Same Rank over a Common Media
WiLAN Model •  The Wired Media DIF is point-to-point between a station or bridge and another bridge. –  Hence, this DIF does not need addresses, but does need CEP-ids and port-ids. •  OTOH, the wireless-media DIF is also point-to-point but needs both addresses and CEP-ids. –  Because multiple wireless networks may exist in the same physical space. •  Over the top is any ordinary DIF. Station Bridges Access Point Wired Media DIFs Wireless Media DIF Station
© John Day, 2013 30 Rights Reserved The Pouzin Society Implications of the Model Names (Choosing a Layer) •  In building the IPC Model, the first time there were multiple DIFs (data link layers in that case), to maintain the API a task was needed to determine which DIF to use. I A P D i r Mux Flow Mgr – User didn’t have to see all of the wires –  But the User shouldn’t have to see all of the “Nets” either. •  This not only generalizes but has major implications.
© John Day, 2013 31 Rights Reserved The Pouzin Society Implications of the Model Names (A DIF Allocator) •  A DIF-Allocator incorporating a Name Space Management function determines via what DIFs applications are available. –  If this system is a not member, it either joins the DIF as before –  or creates a new one. •  Which Implies that the largest address space has to be only large enough for the largest e-mall. •  Given the structure, 32 or 48 bits is probably more than enough. •  You mean? •  Right. IPv6 was a waste of time . . . •  Twice. DIF-Allocator
© John Day, 2013 32 Rights Reserved The Pouzin SocietySo a Global Address Space is Not Required but Neither is a Global Application Name Space Inter-DIF Directory To Peers In Oher DIFs Actually one could still have distinct names spaces within a DIFs (synonyms) with its own directory database. •  Not all names need be in one Global Directory. •  Coexisting application name spaces and directory of distributed databases are not only possible, but useful. •  Needless to say, a global name space can be useful, but not a requirement imposed by the architecture. •  The scope of the name space is defined by the chain of databases that point to each other.
© John Day, 2013 33 Rights Reserved The Pouzin SocietyScope is Determined by the Chain of Places to Look •  The chain of databases to look for names determines the scope of the name space. –  Here there are 2 non-intersecting chains of systems, that could be using the same wires, but would be entirely oblivious to the other.
© John Day, 2013 34 Rights Reserved The Pouzin SocietyName Space Management •  There is a common functional required to manage name spaces. It handles registration, query, and delegation of names and is incorporated found in both DIFs and DAFs. •  There are two major uses: the DIF-Allocator and the Flow Allocator, as well as in many distributed database applications, etc. Repositories Registration   Server Query   Servers Registration   Client Query  Client
© John Day, 2013 35 Rights Reserved The Pouzin Society DIF Allocator •  A DIF Allocator is very similar to the Flow Allocator, both contain a NSM function for application names and addresses, respectively and operate at different granularities creating either DIFs or connections. Registration Server Query Servers Registration Client Query IRM DA-DAP NSM Repositories DIF Creation and RelayNSM- DAP DA-DAF
How It Works •  There is a repeating structure of name mappings. •  The DIF Allocator has an NSM of Application-Names with scope greater than any one DIF. Associated with each name is the name of the processing system on which it resides, and a list of supporting DIFs. From this information, the DA is able to project the application-names into the Flow Allocator of supporting DIFs and the IPC Processes of that DIF. •  The Flow Allocator keeps the mapping of each application-name to the synonym of the IPC Process in the same processing system. •  The Resource Allocator contains an NSM for the synonyms for each IPC Process, i.e. addresses, in this DIF and the (N-1)- DIFs supporting the synonym. The Resource Allocator is consulted during Enrollment to get appropriate synonyms assigned. The Resource Allocator also injects information for the (N-1)-Flow Allocator, serving the analogous service as the DIF Allocator. •  Needless to say, that this mapping information may be acquired from bottom up as well as top down. •  Supporting DIF-name and access control information might only be stored “near” the object named for security reasons, to keep databases small, or accommodate frequent changes. •  There may be a topological relation between synonym spaces of (N)- and (N-1)-DIFs. •  It is highly unlikely that there will be a topological relation between the Application Name Space and the Synonyms of a DIF. –  A topological relation between Name Spaces of DAFs is a different matter. DIF Allocator Flow Alloc Res-Alloc DA-NSM: Application-names - DIF/DAF names, Processing Systems FA: (N+1)-names - (N)-names RA: (N)-names- (N-1)-names, (N-1)-DIFs
© John Day, 2013 37 Rights Reserved The Pouzin Society Multicast and Anycast are Simpler Too •  Generalized to Whatevercast: –  A set and a rule that returns as many members of the set that satisfy the rule. •  Unicast becomes a degenerate case of whatevercast. –  Forwarding table entry maps Destination Address to a list of next hops. For unicast, the list has one element. •  Primarily handled by hosts or border routers, where all whatevercast traffic is either: •  On this subnet (only do spanning tree within subnet if there is a lot) or •  Transit to another subnet, (both cases degenerate to point-to-point). •  So we see Whatevercast devolves into Unicast.
© John Day, 2013 38 Rights Reserved The Pouzin Society Multicast and Anycast are Simpler Too •  Information in topological addresses imply an approximate spanning tree, which can be used to identify the border routers. Thus, in most cases obviating the need for a separate spanning tree (multicast) routing algorithm. •  And also making it straightforward to multiplex whatevercasts with common sub-trees which will allow even greater efficiency. –  Note that the common sub-trees do not have to be strict sub-trees but simply have a reasonable degree of commonality to be worthwhile.
© John Day, 2013 39 Rights Reserved The Pouzin SocietyBut Another Surprise (Allocating a Group) •  Start with a set of Application Names (or something similar) •  Need to Allocate a Group •  Now we need to find the addresses and create a spanning tree. •  Shall we just do what the model says? •  Doesn’t sound promising, send out Create Flows for all of the addresses in the set? Okay lets try it. Flow Allocator Allocate (. . . .)
© John Day, 2013 40 Rights Reserved The Pouzin SocietyBut Another Surprise (Allocating a Group) •  We found the addresses, and then the Responses get forwarded back through the Border Routers. •  Wow! It generates the spanning tree! –  There is much to explore here. •  Just follow the Model. Allocate (. . . .) FA
The Pouzin Society © John Day, 2013 All Rights Reserved 41 “Internet” Congestion Control •  Congestion Control has been a known issue since 1972. –  Except in the Internet who only discovered it when it crashed around their ears in 86 •  The effectiveness of any congestion control is directly related to the time to effect a change. –  The longer it takes the less effective the congestion control •  End-to-end implicit notification is predatory. –  Longest response time. Will work against any attempt to do it at a lower level with shorter scope and better response time. •  The Internet has network congestion control, –  not internet congestion control
The Pouzin Society © John Day, 2013 All Rights Reserved 42 What is the Difference Between Flow Control and Congestion Control? Data Control Control Data Data Notify Flow Control is a feedback mechanism co-located with the resource being controlled. Congestion Control is a feedback mechanism not co-located with the resource being controlled.
The Pouzin Society © John Day, 2013 All Rights Reserved 43 How Does It Work? “Congestion Control” •  Congestion Control in TCP was always known to be a stop-gap. •  A DIF always has the potential for the full capability of functions. •  Do flow control (without retransmissions) between intermediate points. –  Better congestion control, really flow control –  Allocate different resources to different e-malls. –  Allows provider much more effective management of resources. –  Provides means to throttle flows being used for denial of service attacks –  All of these places? Probably not all in the same DIF. Major Area for Research
The Pouzin Society © John Day, 2013 All Rights Reserved 44 How Does It Work? The Internet and ISPs •  ISPs have as many layers as they need to best manage their resources. Backbone Regionals Metros
The Pouzin Society © John Day, 2013 All Rights Reserved 45 How Does It Work? The Internet and ISPs •  The Internet floats on top of ISPs, a “e-mall.” –  One in the seedy part of town, but an “e-mall” –  Not the only emall and not one you always have to be connected to. Public Internet ISP 1 ISP 2 ISP 3
The Pouzin Society © John Day, 2013 All Rights Reserved 46 How Does It Work? The Internet and ISPs •  But there does not need to be ONE e-mall. –  You mean! •  Yes, it is really an INTERnet! Public Internet ISP 1 ISP 2 ISP 3 Internet Rodeo Drive Utility SCADAMy NetFacebook Boutique Internet Mall of America
The Pouzin Society © John Day, 2013 All Rights Reserved 47 How Does It Work? The User’s Perspective In this case, one host on the local network chooses to join one of the available e-malls. e-common DIFs Provider Network Local Customer Network Peering DIF A Customer Network has a border router that makes several e-malls available. A choice can be made whether the entire local network joins, a single host or a single application. e-common DIFs Provider Network Local Customer Network Peering DIF
© John Day, 2013 48 Rights Reserved The Pouzin Society Before Tackling Security A Word on Method (hardly news by now) •  When trying to work out the IPC Model absolutely no thought was given to security. All of the focus was just understanding the structure. •  People kept asking, What about Security? Is there a security layer? •  Didn’t Know. Hadn’t thought about it. •  There was the obvious: –  The recursion of the layer provided Isolation. –  That only the Application Name and local port-id were exposed to the correspondents. •  Interesting, but hardly an answer •  But it wasn’t the time for those questions . . . •  At least not yet . . .
© John Day, 2013 49 Rights Reserved The Pouzin SocietyThe Recursion Provided Isolation •  Security by isolation, (not obscurity) •  Hosts can not address any element of the ISP. •  No user hacker can compromise ISP assets. •  Unless ISP is physically compromised. ISP Hosts and ISPs do not share DIFS. (ISP may have more layers
© John Day, 2013 50 Rights Reserved The Pouzin Society How Does It Work? Security •  A Hacker in the Public Internet cannot connect to an Application in another DIF without either joining the DIF, or creating a new DIF spanning both. Either requires authentication and access control. –  Non-IPC applications that can access two DIFs are a potential security problem. •  Certainly promising Public Internet ISP 1 ISP 2 ISP 3 Internet Rodeo Drive Utility SCADAMy NetFacebook Boutique Internet Mall of America
© John Day, 2013 51 Rights Reserved The Pouzin Society But When It Was Time •  The question was not, how to put in security? •  The question was, •  What does the IPC Model tell us about security? –  Remember, our first task is always understanding. •  Let the Problem Answer the Question! –  Let the Problem Tell Us What to Do.
© John Day, 2013 52 Rights Reserved The Pouzin Society The Problem Had a Lot to Say •  We Already Mentioned How Little is Exposed the Layer Above. •  The Original OS Model indicated where Access Control went. •  Creating the Application Connection for Enrollment indicated where Authentication belonged, and that –  Authentication of Applications must be done by the Applications themselves. –  All members of the layer are authenticated within policy. •  SDU Protection clearly provided Confidentiality and Integrity. •  That implied that only Minimal trust was necessary: –  Only that the lower layer will deliver something to someone. Port:=Allocate(Dest-Appl, params) Access Control Exercised
© John Day, 2013 53 Rights Reserved The Pouzin Society A Very Unexpected Result •  A DIF with no explicit security mechanisms is inherently more secure than the current Internet under the same conditions! •  It would appear that –  A DIF is a Securable Container.
© John Day, 2013 54 Rights Reserved The Pouzin SocietyOther Things Fall Into Place •  Data Transfer in RINA is based on Delta-t (Watson, 1980) •  Lot has happened in 30 years, many attacks on TCP have been found: –  Port scanning – Reset Attacks –  SYN attacks – Reassembly Attacks •  Long after delta-t was designed, what about delta-t? •  Short answer: –  None of them work (Boddapati, et al., 2012) •  Amazing, totally unexpected –  Why not? •  Multiple fundamental reasons, but all inherent in the structure: –  First, have to join the DIF (all members are authenticated) –  Second, No Well-Known Ports •  Would have to scan all possible application names! –  Third and more importantly, . . .
© John Day, 2013 55 Rights Reserved The Pouzin Society Decoupling Port Allocation and Synchronization •  No Way to Know What CEP-ids are Being Used, Since There is No Relation Between Port-id and CEP-id. –  SYN-Ack Attack: must guess which of 2^16 CEP-id. –  Data Transfer: must guess CEP-id and seq num within window! –  Reassembly attack: Reassembly only done once. –  No well-known ports to scan. Synchronization Connection Endpoint Port Allocation Port-id Connection
© John Day, 2013 56 Rights Reserved The Pouzin Society Decoupling Port Allocation and Synchronization: No IPSec •  IPsec is necessary with TCP/IP because no authentication and Sequence numbers turn over too quickly: don’t repeat sequence number with same CEP-id. •  With RINA and delta-t, IPC Processes all authenticated, SDU Protection does the encryption, and packet sequence numbers slows rollover, but if it does, then simply allocate a new connection •  And bind it to the same port-ids, old one disappears after 2MPL. Connection Endpoint Port Allocation Port-id Connection SDU Protection SDU Protection
© John Day, 2013 57 Rights Reserved The Pouzin Society RINA is Inherently More Secure and Less Work •  A DIF is a Securable Container. (Small, 2011) –  What info required to mount an attack, How to get the info –  Small does a threat analysis at the architecture level •  Implies that Firewalls are Unnecessary, –  The DIF is the Firewall! •  RINA Security is considerably Less Complex than the Current Internet Security (Small, 2012) –  Only do a rough estimate counting protocols and mechanisms. •  See paper for details.
© John Day, 2013 58 Rights Reserved The Pouzin Society Internet RINA Protocols 8 0 Non-Security Mechanisms 59 0 Security Mechanisms 28 7 To Add Security Copyright © 2012, Jeremiah Small. All Rights Reserved.
© John Day, 2013 59 Rights Reserved The Pouzin Society Summing Up Security •  This is a MAJOR Improvement in Internet Security. –  Not only more secure, but for less cost, with less overhead. •  So is Internet Security solved? –  Hardly. –  Still need: to develop the plug-in policy modules –  to consider DDoS (we have some ideas) –  As well as protecting against Rogue IPC Processes –  and much more to explore and who knows what general principles will fall out. •  Most attacks are in the Applications, this does nothing about that. –  But Much of this applies equally well to DAFs •  Model implies that OS security reduces to Bounds Checking on Memory and IPC Security. –  May also make it harder, might be able to deflect more DDoS attacks
The Pouzin Society © John Day, 2013 60 Rights Reserved Management DAFs
The Pouzin Society © John Day, 2013 61 Rights Reserved An Important Class of DAFs: DAF Management Systems •  There are four major kinds of distributed management systems (DMS): –  Operating System – Network Management –  Distributed Applications – Name Space Management •  The Most Important Property of Management –  Commonality, Commonality, Commonality. Reduce the Parts Count. •  Not Necessarily make everything look alike, but –  Effectively separating the like from the unlike •  Maximizing invariance and minimizing discontinuities •  This is what the principles we have uncovered do, and have been •  Embodied in RINA. –  RINA was not designed to do this. We worked out the principles and then did what they said. (There wasn’t that much leeway.) –  We aren’t done. We have pushed commonality into major parts of the model but there are more principles, invariances to find. •  It is subtle, greatest generality with least constraint, often requires shift in POV
The Pouzin Society © John Day, 2013 62 Rights Reserved DAF Management Systems •  There is a commonality to their structure and •  A range in their complexity from distributed to centralized •  Each DAF/DIF has a DAF Management Task. These constitute data collection and autonomic functions, what IEEE calls layer management. •  The DAF Manager can be considered the nervous system of a DAF. –  A DAF Manager might manage more than one DAF or –  In a degenerate case, the DAF Management Tasks might constitute the DAF Manager. DAF Manager
The Pouzin Society © John Day, 2013 63 Rights Reserved The General Model •  And down the side were the labels •  This became the core of our approach to Network Management Cerebellum Cerebrum Hypothalamus (Ganglia) Peripheral Increasing Aggregation Sensor Agent Manager Coordinator Raw Data Filtered Processed Data Planning Data Increasing “Cycle” Time
The Pouzin Society © John Day, 2013 64 Rights Reserved But More Importantly It was Clear that Network Management is •  The whole point is that events are happening too fast for humans to be in the loop. They can manage, but not control. •  Control must be autonomic. Monitor and Repair But not Control
The Pouzin Society © John Day, 2013 65 Rights Reserved The Management Architecture Central Nervous System •  While there might be managers for distinct subnets (domains) and the subnets might be a hierarchy, the managers were peers. –  Many talked about managers of managers but there is really nothing for second level managers to do. (that generalizes?) •  Then Realized what was missing: Where’s the Homunculus? Agent Event ConfigPerf Fault Agent Agent Agent Agent Reliable Req/Resp Best Effort Telemetry Agent MIB Network Management System (NMS) Devices to be Managed NMS Agent Agent Agent Agent autonomic
The Pouzin Society © John Day, 2013 66 Rights Reserved The Relation Among Management Applications •  Configuration Management – is the primary “action” a management system should take. –  Security Management is a subset of Configuration Management. •  Performance Management monitors the autonomic functions, e.g. routing and congestion, and provides input to the Coordination Level for improving policies. –  It should seldom result in direct action. Although some policies might provide tunable parameters. This is dangerous. •  Accounting Management is a Coordination Level function. It’s data is a subset of Performance data. •  Fault Management isn’t an app, but a management system with a small domain for diagnosing, testing, and repairing network elements.
The Pouzin Society © John Day, 2013 67 Rights Reserved Note of Practicality •  We have identified 4 kinds of management systems: Systems, Applications, Network, and Name Space. •  While they can all be stand-alone (and there will be cases where they should be), they will often occur as symbiotic, i.e. incorporated into another Management system. •  Many of the confusions today are because these 4 are not clearly recognized. –  For example, in a corporate environment, it would not be unusual for all four to be combined. But even here, different groups might have their own application management or even system management systems within that. –  In a data center, the data center would manage its systems and network resources and allocate them to users who would use their application management systems to manage the applications running on the datacenter. –  Etc.
The Pouzin Society © John Day, 2013 68 Rights Reserved On Autonomic vs Centralized •  In nature, a central nervous system appears in fairly primitive organisms, such as Platyhelminthes (flatworms). –  Clearly monitoring and reporting must be centralized. •  Some actions can be done without a central nervous system, see coelenterate locomotion and tentacles. –  Some rhythmic behaviors as well, where reacting to neighbors suffice. •  However, complex actions across the organism may require more coordination, as will finding true optima rather than local optima. –  In nature, we find that ganglia suffice for this much of the time with ganglia often being larger than the “brain.” •  Food for thought for management.
The Pouzin Society © John Day, 2013 All Rights Reserved 69 Questions?

Recommandé

RINA detailed components overview and implementation discussion
RINA detailed components overview and implementation discussionRINA detailed components overview and implementation discussion
RINA detailed components overview and implementation discussionEleni Trouva
 
CCNA project-report
CCNA project-reportCCNA project-report
CCNA project-reportSagar Shashank
 
Dhcp
DhcpDhcp
DhcpSandeep Kamath
 
IS-IS Protocol Adjacency
IS-IS Protocol Adjacency IS-IS Protocol Adjacency
IS-IS Protocol Adjacency NetProtocol Xpert
 
DHCP
DHCPDHCP
DHCPNitin Bhasin
 
CCNA Report
CCNA ReportCCNA Report
CCNA ReportAbhishek Parihari
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.pptEdgardo Scrimaglia
 
Sdn and open flow tutorial 4
Sdn and open flow tutorial 4Sdn and open flow tutorial 4
Sdn and open flow tutorial 4UmaMahesh Sistu
 

Recommandé

RINA detailed components overview and implementation discussion
RINA detailed components overview and implementation discussionRINA detailed components overview and implementation discussion
RINA detailed components overview and implementation discussionEleni Trouva
 
CCNA project-report
CCNA project-reportCCNA project-report
CCNA project-reportSagar Shashank
 
Dhcp
DhcpDhcp
DhcpSandeep Kamath
 
IS-IS Protocol Adjacency
IS-IS Protocol Adjacency IS-IS Protocol Adjacency
IS-IS Protocol Adjacency NetProtocol Xpert
 
DHCP
DHCPDHCP
DHCPNitin Bhasin
 
CCNA Report
CCNA ReportCCNA Report
CCNA ReportAbhishek Parihari
 
Ospf.ppt
Ospf.pptOspf.ppt
Ospf.pptEdgardo Scrimaglia
 
Sdn and open flow tutorial 4
Sdn and open flow tutorial 4Sdn and open flow tutorial 4
Sdn and open flow tutorial 4UmaMahesh Sistu
 
IPv6 Fundamentals
IPv6 FundamentalsIPv6 Fundamentals
IPv6 FundamentalsMatt Bynum
 
Bgp
BgpBgp
BgpRaghu Kiran
 
Cisco CCNA- DHCP Server
Cisco CCNA- DHCP ServerCisco CCNA- DHCP Server
Cisco CCNA- DHCP ServerHamed Moghaddam
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...BAKOTECH
 
IPv6
IPv6IPv6
IPv6Peter R. Egli
 
IS-IS Protocol Introduction
IS-IS Protocol IntroductionIS-IS Protocol Introduction
IS-IS Protocol IntroductionNetProtocol Xpert
 
SOMEIP-protocol.pptx
SOMEIP-protocol.pptxSOMEIP-protocol.pptx
SOMEIP-protocol.pptxPushkarBaheti1
 
Icmp
IcmpIcmp
IcmpPrincipal,Guru Nanak Institute of Technology, Nagpur
 
BGP (Border Gateway Protocol)
BGP (Border Gateway Protocol)BGP (Border Gateway Protocol)
BGP (Border Gateway Protocol)NetProtocol Xpert
 
Segment Routing Technology Deep Dive and Advanced Use Cases
Segment Routing Technology Deep Dive and Advanced Use CasesSegment Routing Technology Deep Dive and Advanced Use Cases
Segment Routing Technology Deep Dive and Advanced Use CasesCisco Canada
 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
SEGMENT RoutingBangladesh Network Operators Group
 
IPV6 Addressing
IPV6 Addressing IPV6 Addressing
IPV6 Addressing Heba_a
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overviewBelsoft
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhsTim Martin
 
Automating for Monitoring and Troubleshooting your Cisco IOS Network
Automating for Monitoring and Troubleshooting your Cisco IOS NetworkAutomating for Monitoring and Troubleshooting your Cisco IOS Network
Automating for Monitoring and Troubleshooting your Cisco IOS NetworkCisco Canada
 
Inter as vpn option c
Inter as vpn option c Inter as vpn option c
Inter as vpn option c Goerge Micheal Gerges
 
Simple Mail Transfer Protocol
Simple Mail Transfer ProtocolSimple Mail Transfer Protocol
Simple Mail Transfer ProtocolRajan Pandey
 
Conceptos y Protocolos de Enrutamiento (Capitulo 9)
Conceptos y Protocolos de Enrutamiento (Capitulo 9)Conceptos y Protocolos de Enrutamiento (Capitulo 9)
Conceptos y Protocolos de Enrutamiento (Capitulo 9)Cristiān Villegās
 
DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol)DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol)Faisal Jatt
 
How to Prevent DHCP Spoofing
How to Prevent DHCP SpoofingHow to Prevent DHCP Spoofing
How to Prevent DHCP SpoofingKHNOG
 
RINA Introduction, part I
RINA Introduction, part IRINA Introduction, part I
RINA Introduction, part IICT PRISTINE
 
1st RINASim webinar
1st RINASim webinar1st RINASim webinar
1st RINASim webinarVladimír Veselý
 

Contenu connexe

Tendances

IPv6 Fundamentals
IPv6 FundamentalsIPv6 Fundamentals
IPv6 FundamentalsMatt Bynum
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...BAKOTECH
 
BGP (Border Gateway Protocol)
BGP (Border Gateway Protocol)BGP (Border Gateway Protocol)
BGP (Border Gateway Protocol)NetProtocol Xpert
 
Segment Routing Technology Deep Dive and Advanced Use Cases
Segment Routing Technology Deep Dive and Advanced Use CasesSegment Routing Technology Deep Dive and Advanced Use Cases
Segment Routing Technology Deep Dive and Advanced Use CasesCisco Canada
 
IPV6 Addressing
IPV6 Addressing IPV6 Addressing
IPV6 Addressing Heba_a
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overviewBelsoft
 
Automating for Monitoring and Troubleshooting your Cisco IOS Network
Automating for Monitoring and Troubleshooting your Cisco IOS NetworkAutomating for Monitoring and Troubleshooting your Cisco IOS Network
Automating for Monitoring and Troubleshooting your Cisco IOS NetworkCisco Canada
 
Simple Mail Transfer Protocol
Simple Mail Transfer ProtocolSimple Mail Transfer Protocol
Simple Mail Transfer ProtocolRajan Pandey
 
Conceptos y Protocolos de Enrutamiento (Capitulo 9)
Conceptos y Protocolos de Enrutamiento (Capitulo 9)Conceptos y Protocolos de Enrutamiento (Capitulo 9)
Conceptos y Protocolos de Enrutamiento (Capitulo 9)Cristiān Villegās
 
DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol)DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol)Faisal Jatt
 
How to Prevent DHCP Spoofing
How to Prevent DHCP SpoofingHow to Prevent DHCP Spoofing
How to Prevent DHCP SpoofingKHNOG
 

Tendances (20)

IPv6 Fundamentals
IPv6 FundamentalsIPv6 Fundamentals
IPv6 Fundamentals
 
Bgp
BgpBgp
Bgp
 
Cisco CCNA- DHCP Server
Cisco CCNA- DHCP ServerCisco CCNA- DHCP Server
Cisco CCNA- DHCP Server
 
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
End to End Security With Palo Alto Networks (Onur Kasap, engineer Palo Alto N...
 
IPv6
IPv6IPv6
IPv6
 
IS-IS Protocol Introduction
IS-IS Protocol IntroductionIS-IS Protocol Introduction
IS-IS Protocol Introduction
 
SOMEIP-protocol.pptx
SOMEIP-protocol.pptxSOMEIP-protocol.pptx
SOMEIP-protocol.pptx
 
Icmp
IcmpIcmp
Icmp
 
BGP (Border Gateway Protocol)
BGP (Border Gateway Protocol)BGP (Border Gateway Protocol)
BGP (Border Gateway Protocol)
 
Segment Routing Technology Deep Dive and Advanced Use Cases
Segment Routing Technology Deep Dive and Advanced Use CasesSegment Routing Technology Deep Dive and Advanced Use Cases
Segment Routing Technology Deep Dive and Advanced Use Cases
 
SEGMENT Routing
SEGMENT RoutingSEGMENT Routing
SEGMENT Routing
 
IPV6 Addressing
IPV6 Addressing IPV6 Addressing
IPV6 Addressing
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overview
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhs
 
Automating for Monitoring and Troubleshooting your Cisco IOS Network
Automating for Monitoring and Troubleshooting your Cisco IOS NetworkAutomating for Monitoring and Troubleshooting your Cisco IOS Network
Automating for Monitoring and Troubleshooting your Cisco IOS Network
 
Inter as vpn option c
Inter as vpn option c Inter as vpn option c
Inter as vpn option c
 
Simple Mail Transfer Protocol
Simple Mail Transfer ProtocolSimple Mail Transfer Protocol
Simple Mail Transfer Protocol
 
Conceptos y Protocolos de Enrutamiento (Capitulo 9)
Conceptos y Protocolos de Enrutamiento (Capitulo 9)Conceptos y Protocolos de Enrutamiento (Capitulo 9)
Conceptos y Protocolos de Enrutamiento (Capitulo 9)
 
DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol)DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol)
 
How to Prevent DHCP Spoofing
How to Prevent DHCP SpoofingHow to Prevent DHCP Spoofing
How to Prevent DHCP Spoofing
 

En vedette

RINA Introduction, part I
RINA Introduction, part IRINA Introduction, part I
RINA Introduction, part IICT PRISTINE
 
Dublin mngmt140120
Dublin mngmt140120Dublin mngmt140120
Dublin mngmt140120ICT PRISTINE
 
Pristine rina-tnc-2016
Pristine rina-tnc-2016Pristine rina-tnc-2016
Pristine rina-tnc-2016ICT PRISTINE
 
Dublin addressingtheproblem131224
Dublin addressingtheproblem131224Dublin addressingtheproblem131224
Dublin addressingtheproblem131224ICT PRISTINE
 
4 addressing theory130115
4 addressing theory1301154 addressing theory130115
4 addressing theory130115Eleni Trouva
 
Reconstructing computer networking with RINA: how solid scientific foundation...
Reconstructing computer networking with RINA: how solid scientific foundation...Reconstructing computer networking with RINA: how solid scientific foundation...
Reconstructing computer networking with RINA: how solid scientific foundation...ICT PRISTINE
 

En vedette (8)

RINA Introduction, part I
RINA Introduction, part IRINA Introduction, part I
RINA Introduction, part I
 
1st RINASim webinar
1st RINASim webinar1st RINASim webinar
1st RINASim webinar
 
2nd RINASim Webinar
2nd RINASim Webinar2nd RINASim Webinar
2nd RINASim Webinar
 
Dublin mngmt140120
Dublin mngmt140120Dublin mngmt140120
Dublin mngmt140120
 
Pristine rina-tnc-2016
Pristine rina-tnc-2016Pristine rina-tnc-2016
Pristine rina-tnc-2016
 
Dublin addressingtheproblem131224
Dublin addressingtheproblem131224Dublin addressingtheproblem131224
Dublin addressingtheproblem131224
 
4 addressing theory130115
4 addressing theory1301154 addressing theory130115
4 addressing theory130115
 
Reconstructing computer networking with RINA: how solid scientific foundation...
Reconstructing computer networking with RINA: how solid scientific foundation...Reconstructing computer networking with RINA: how solid scientific foundation...
Reconstructing computer networking with RINA: how solid scientific foundation...
 

Similaire à RINA Introduction, part II

Jonas Barochia_Java Developer
Jonas Barochia_Java DeveloperJonas Barochia_Java Developer
Jonas Barochia_Java DeveloperJonas Barochia
 
Lecture notes -001
Lecture notes -001Lecture notes -001
Lecture notes -001Eric Rotich
 
2 introto rina-e130123
2 introto rina-e1301232 introto rina-e130123
2 introto rina-e130123ARCFIRE ICT
 
Network Analysis & Design
Network Analysis & DesignNetwork Analysis & Design
Network Analysis & DesignErmanHamid3
 
IEEE 2014 JAVA DATA MINING PROJECTS Privacy preserving and content-protecting...
IEEE 2014 JAVA DATA MINING PROJECTS Privacy preserving and content-protecting...IEEE 2014 JAVA DATA MINING PROJECTS Privacy preserving and content-protecting...
IEEE 2014 JAVA DATA MINING PROJECTS Privacy preserving and content-protecting...IEEEFINALYEARSTUDENTPROJECTS
 
2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...
2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...
2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...IEEEMEMTECHSTUDENTSPROJECTS
 
2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...
2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...
2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...IEEEFINALYEARSTUDENTPROJECT
 
Where are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day ConferenceWhere are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day ConferenceAPNIC
 
IT327-1404A-01 Implementing, Managing and Mainta.docx
IT327-1404A-01 Implementing, Managing and Mainta.docxIT327-1404A-01 Implementing, Managing and Mainta.docx
IT327-1404A-01 Implementing, Managing and Mainta.docxpriestmanmable
 
Data in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonData in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonCisco DevNet
 
Agile Gurugram 2023 | Observability for Modern Applications. How does it help...
Agile Gurugram 2023 | Observability for Modern Applications. How does it help...Agile Gurugram 2023 | Observability for Modern Applications. How does it help...
Agile Gurugram 2023 | Observability for Modern Applications. How does it help...AgileNetwork
 
Individual CommentsYour answers missed there below topics, sp.docx
Individual CommentsYour answers missed there below topics, sp.docxIndividual CommentsYour answers missed there below topics, sp.docx
Individual CommentsYour answers missed there below topics, sp.docxdirkrplav
 
Cloud-Scale BGP and NetFlow Analysis
Cloud-Scale BGP and NetFlow AnalysisCloud-Scale BGP and NetFlow Analysis
Cloud-Scale BGP and NetFlow AnalysisAlex Henthorn-Iwane
 
6 security130123
6 security1301236 security130123
6 security130123ARCFIRE ICT
 
Net essentials6e ch6
Net essentials6e ch6Net essentials6e ch6
Net essentials6e ch6APSU
 
Ex 1 chapter03-appliation-layer-tony_chen
Ex 1 chapter03-appliation-layer-tony_chenEx 1 chapter03-appliation-layer-tony_chen
Ex 1 chapter03-appliation-layer-tony_chenĐô GiẢn
 
Ex 1 chapter03-appliation-layer-tony_chen
Ex 1 chapter03-appliation-layer-tony_chenEx 1 chapter03-appliation-layer-tony_chen
Ex 1 chapter03-appliation-layer-tony_chenĐô GiẢn
 

Similaire à RINA Introduction, part II (20)

Jonas Barochia_Java Developer
Jonas Barochia_Java DeveloperJonas Barochia_Java Developer
Jonas Barochia_Java Developer
 
Lecture notes -001
Lecture notes -001Lecture notes -001
Lecture notes -001
 
2 introto rina-e130123
2 introto rina-e1301232 introto rina-e130123
2 introto rina-e130123
 
Network Analysis & Design
Network Analysis & DesignNetwork Analysis & Design
Network Analysis & Design
 
IEEE 2014 JAVA DATA MINING PROJECTS Privacy preserving and content-protecting...
IEEE 2014 JAVA DATA MINING PROJECTS Privacy preserving and content-protecting...IEEE 2014 JAVA DATA MINING PROJECTS Privacy preserving and content-protecting...
IEEE 2014 JAVA DATA MINING PROJECTS Privacy preserving and content-protecting...
 
2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...
2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...
2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...
 
2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...
2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...
2014 IEEE JAVA DATA MINING PROJECT Privacy preserving and content-protecting ...
 
Where are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day ConferenceWhere are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
Where are we now: IPv6 deployment update - Brunei National IPv6 Day Conference
 
IT327-1404A-01 Implementing, Managing and Mainta.docx
IT327-1404A-01 Implementing, Managing and Mainta.docxIT327-1404A-01 Implementing, Managing and Mainta.docx
IT327-1404A-01 Implementing, Managing and Mainta.docx
 
Data in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonData in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathon
 
Agile Gurugram 2023 | Observability for Modern Applications. How does it help...
Agile Gurugram 2023 | Observability for Modern Applications. How does it help...Agile Gurugram 2023 | Observability for Modern Applications. How does it help...
Agile Gurugram 2023 | Observability for Modern Applications. How does it help...
 
Individual CommentsYour answers missed there below topics, sp.docx
Individual CommentsYour answers missed there below topics, sp.docxIndividual CommentsYour answers missed there below topics, sp.docx
Individual CommentsYour answers missed there below topics, sp.docx
 
Cloud-Scale BGP and NetFlow Analysis
Cloud-Scale BGP and NetFlow AnalysisCloud-Scale BGP and NetFlow Analysis
Cloud-Scale BGP and NetFlow Analysis
 
6 security130123
6 security1301236 security130123
6 security130123
 
6 security130123
6 security1301236 security130123
6 security130123
 
EAI (Integration) and Mulesoft
EAI (Integration) and MulesoftEAI (Integration) and Mulesoft
EAI (Integration) and Mulesoft
 
Viloria osi layer4-7
Viloria osi layer4-7Viloria osi layer4-7
Viloria osi layer4-7
 
Net essentials6e ch6
Net essentials6e ch6Net essentials6e ch6
Net essentials6e ch6
 
Ex 1 chapter03-appliation-layer-tony_chen
Ex 1 chapter03-appliation-layer-tony_chenEx 1 chapter03-appliation-layer-tony_chen
Ex 1 chapter03-appliation-layer-tony_chen
 
Ex 1 chapter03-appliation-layer-tony_chen
Ex 1 chapter03-appliation-layer-tony_chenEx 1 chapter03-appliation-layer-tony_chen
Ex 1 chapter03-appliation-layer-tony_chen
 

Plus de ICT PRISTINE

Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQAssuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQICT PRISTINE
 
Benefits of programmable topological routing policies in RINA-enabled large s...
Benefits of programmable topological routing policies in RINA-enabled large s...Benefits of programmable topological routing policies in RINA-enabled large s...
Benefits of programmable topological routing policies in RINA-enabled large s...ICT PRISTINE
 
The hague rina-workshop-nfv-diego
The hague rina-workshop-nfv-diegoThe hague rina-workshop-nfv-diego
The hague rina-workshop-nfv-diegoICT PRISTINE
 
The hague rina-workshop-interop-deployment_vincenzo
The hague rina-workshop-interop-deployment_vincenzoThe hague rina-workshop-interop-deployment_vincenzo
The hague rina-workshop-interop-deployment_vincenzoICT PRISTINE
 
The hague rina-workshop-congestioncontrol-peyman
The hague rina-workshop-congestioncontrol-peymanThe hague rina-workshop-congestioncontrol-peyman
The hague rina-workshop-congestioncontrol-peymanICT PRISTINE
 
The hague rina-workshop-mobility-eduard
The hague rina-workshop-mobility-eduardThe hague rina-workshop-mobility-eduard
The hague rina-workshop-mobility-eduardICT PRISTINE
 
The hageu rina-workshop-security-peter
The hageu rina-workshop-security-peterThe hageu rina-workshop-security-peter
The hageu rina-workshop-security-peterICT PRISTINE
 
Th hauge rina-workshop-sdn-virtualisation_neil
Th hauge rina-workshop-sdn-virtualisation_neilTh hauge rina-workshop-sdn-virtualisation_neil
Th hauge rina-workshop-sdn-virtualisation_neilICT PRISTINE
 
The hague rina-workshop-intro-eduard
The hague rina-workshop-intro-eduardThe hague rina-workshop-intro-eduard
The hague rina-workshop-intro-eduardICT PRISTINE
 
The hague rina-workshop-welcome-miguel
The hague rina-workshop-welcome-miguelThe hague rina-workshop-welcome-miguel
The hague rina-workshop-welcome-miguelICT PRISTINE
 
Eucnc rina-tutorial
Eucnc rina-tutorialEucnc rina-tutorial
Eucnc rina-tutorialICT PRISTINE
 
2016 06-10-ieee-sdn (1)
2016 06-10-ieee-sdn (1)2016 06-10-ieee-sdn (1)
2016 06-10-ieee-sdn (1)ICT PRISTINE
 
Pristine rina-security-icc-2016
Pristine rina-security-icc-2016Pristine rina-security-icc-2016
Pristine rina-security-icc-2016ICT PRISTINE
 
Pristine rina-sdk-icc-2016
Pristine rina-sdk-icc-2016Pristine rina-sdk-icc-2016
Pristine rina-sdk-icc-2016ICT PRISTINE
 
Rina acc-icc16-stein
Rina acc-icc16-steinRina acc-icc16-stein
Rina acc-icc16-steinICT PRISTINE
 
Congestion Control in Recursive Network Architectures
Congestion Control in Recursive Network ArchitecturesCongestion Control in Recursive Network Architectures
Congestion Control in Recursive Network ArchitecturesICT PRISTINE
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSICT PRISTINE
 
Lost layer talk 2014
Lost layer talk 2014Lost layer talk 2014
Lost layer talk 2014ICT PRISTINE
 
RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015ICT PRISTINE
 

Plus de ICT PRISTINE (20)

Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQAssuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
 
Benefits of programmable topological routing policies in RINA-enabled large s...
Benefits of programmable topological routing policies in RINA-enabled large s...Benefits of programmable topological routing policies in RINA-enabled large s...
Benefits of programmable topological routing policies in RINA-enabled large s...
 
The hague rina-workshop-nfv-diego
The hague rina-workshop-nfv-diegoThe hague rina-workshop-nfv-diego
The hague rina-workshop-nfv-diego
 
The hague rina-workshop-interop-deployment_vincenzo
The hague rina-workshop-interop-deployment_vincenzoThe hague rina-workshop-interop-deployment_vincenzo
The hague rina-workshop-interop-deployment_vincenzo
 
The hague rina-workshop-congestioncontrol-peyman
The hague rina-workshop-congestioncontrol-peymanThe hague rina-workshop-congestioncontrol-peyman
The hague rina-workshop-congestioncontrol-peyman
 
The hague rina-workshop-mobility-eduard
The hague rina-workshop-mobility-eduardThe hague rina-workshop-mobility-eduard
The hague rina-workshop-mobility-eduard
 
The hageu rina-workshop-security-peter
The hageu rina-workshop-security-peterThe hageu rina-workshop-security-peter
The hageu rina-workshop-security-peter
 
Th hauge rina-workshop-sdn-virtualisation_neil
Th hauge rina-workshop-sdn-virtualisation_neilTh hauge rina-workshop-sdn-virtualisation_neil
Th hauge rina-workshop-sdn-virtualisation_neil
 
The hague rina-workshop-intro-eduard
The hague rina-workshop-intro-eduardThe hague rina-workshop-intro-eduard
The hague rina-workshop-intro-eduard
 
The hague rina-workshop-welcome-miguel
The hague rina-workshop-welcome-miguelThe hague rina-workshop-welcome-miguel
The hague rina-workshop-welcome-miguel
 
Eucnc rina-tutorial
Eucnc rina-tutorialEucnc rina-tutorial
Eucnc rina-tutorial
 
2016 06-10-ieee-sdn (1)
2016 06-10-ieee-sdn (1)2016 06-10-ieee-sdn (1)
2016 06-10-ieee-sdn (1)
 
Pristine rina-security-icc-2016
Pristine rina-security-icc-2016Pristine rina-security-icc-2016
Pristine rina-security-icc-2016
 
Pristine rina-sdk-icc-2016
Pristine rina-sdk-icc-2016Pristine rina-sdk-icc-2016
Pristine rina-sdk-icc-2016
 
Rina acc-icc16-stein
Rina acc-icc16-steinRina acc-icc16-stein
Rina acc-icc16-stein
 
Congestion Control in Recursive Network Architectures
Congestion Control in Recursive Network ArchitecturesCongestion Control in Recursive Network Architectures
Congestion Control in Recursive Network Architectures
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
 
Rina sim workshop
Rina sim workshopRina sim workshop
Rina sim workshop
 
Lost layer talk 2014
Lost layer talk 2014Lost layer talk 2014
Lost layer talk 2014
 
RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015
 

Dernier

Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...meghakumariji156
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理F
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...kumargunjan9515
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsPriya Reddy
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsMonica Sydney
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 

Dernier (20)

Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 

RINA Introduction, part II

  • 1. The Pouzin Society © John Day, 2013 All Rights Reserved 1 Welcome to the RINAissance! An Introduction to the RINA Architecture Part 2 3rd Annual International RINA Workshop John Day Ghent 2015 In a network of devices why would we route between processes? - Toni Stoey, RRG 2009
  • 2. The Pouzin Society © John Day, 2013 All Rights Reserved 2 2 What a Layer Looks Like •  Processing at 3 timescales, decoupled by either a State Vector or a Resource Information Base –  IPC Transfer actually moves the data ( ≈ IP + UDP) –  IPC Control (optional) for retransmission (ack) and flow control, etc. –  IPC Layer Management for routing, resource allocation, locating applications, access control, monitoring lower layer, etc. •  Remember that within a scope if there is a partitioning of functions, it will be orthogonal? Well, here it is. IPC Transfer IPC Control IPC Management Delimiting Transfer Relaying/ Muxing PDU Protection Common Application Protocol Applications, e.g., routing, resource allocation, access control, etc. Application-entities Application Process
  • 3. The Pouzin Society © John Day, 2013 All Rights Reserved 3 What are the Protocols? •  Only two –  A data transfer protocol, EFCP, based on delta-t with mechanism and policy separated. This provides both unreliable and reliable flows. –  The common application protocol based on CDAP. IPC Management CDAP Resource Allocation RIB Daemon IRM RMT EFCP Flow Allocator
  • 4. The Pouzin Society © John Day, 2013 All Rights Reserved 4 Error and Flow Control Protocol* (EFCP) •  There is one DTP (and possibly one DTCP) per flow •  One Relaying and Multiplexing Task per IPC Process •  At most, one SDU Protection per (N-1)-flow/DIF. •  Delimiting is a function with an inverse that converts SDUs to User-Data Fields for PDUs. •  DTP is a bit like IP/UDP (if you don’t look too close) •  See the EFCP Specification Delimiting, Fragmentation/ Reassembly Relaying and Multiplexing Task SDU Protection State Vector DTP- Sequencing/PDU Identification, Data Transfer DTCP - Retransmission and Flow Control
  • 5. The Pouzin Society © John Day, 2013 All Rights Reserved 5 *A Bit More to Say About Error and Flow Control Protocols •  This has been a subject of intense research since the early 70s. You would think we had pretty much exhausted the subject. Not so. First there was: –  Separating mechanism and policy revealed that the protocol naturally cleaved into data and control and –  that there was no distinct relaying protocol and –  SDU Protection wasn’t really part of the protocol and –  Heavy weight solutions like IPsec were unnecessary •  Recently we have also found that: –  Fragmentation/Reassembly is part of Delimiting –  The A-Timer has a role in DTP. –  Finer grained flow control across connections is possible external to EFCP. –  Can one dynamically shift from using DTCP without affecting a connection? •  Very likely. Set DRF and just do it. •  Why are we finding these new results? –  Because we are acting scientifically: we are trying to understand the nature of the problem.
  • 6. The Pouzin Society © John Day, 2013 All Rights Reserved 6 Common Distributed Application Protocol •  Common Application Connection Establishment (CACE) is the common procedure for establishing application connections. It ensures that there is a known first exchange. –  Based on the OSI ACSE which was defined to be used recursively and has hooks for. . . •  An authentication module, which is a policy of whatever strength required. •  CACE and an authentication module can be wrapped around any existing application protocol, e.g. HTTP. (See the CACE specification.) •  CDAP provides the minimal six operations and a basic object-oriented functionality scope and filter. (See the CDAP specification.) –  Would other programming paradigms lead to different functions? CACE Authentication CDAP
  • 7. The Pouzin Society © John Day, 2013 All Rights Reserved 7 Only Three Kinds of Systems •  Middleboxes? We don’t need no stinking middleboxes! •  NATs: either no where or everywhere, •  NATs only break broken architectures •  The Architecture may have more layers, but no box need have more than the usual complement. –  Hosts may have more layers, depending on what they do. Hosts Interior Routers Border Routers
  • 8. The Pouzin Society © John Day, 2013 All Rights Reserved 8 All Communication goes through Three Phases •  Enrollment –  Operations to create sufficient state within the network to allow an instance of communication to be created. •  Allocation (also known as Establishment) –  Operations required to allocate an instance of communication creating sufficient shared state among instances to support the functions of the data transfer phase. •  Data Transfer –  Operations to provide the actual transfer of data and functions which support it. •  Most of our attention has been on the last two. The first has often been ignored and is usually seen as necessarily ad-hoc. But enrollment turns out to be key.
  • 9. The Pouzin Society © John Day, 2013 All Rights Reserved 9 How Does It Work? Enrollment or Joining a Layer •  Nothing more than Applications establishing communication (for management) –  Authenticating that A is a valid member of the (N)-DIF –  Initializing it with the current information on the DIF –  Assigning it a synonym to facilitate finding IPC Processes in the DIF, i.e. an address –  (see the Enrollment specification for an example.) (N-1)-DIF (N)-DIF A
  • 10. The Pouzin Society © John Day, 2013 All Rights Reserved 10 Enrollment Details: The Naïve Approach •  First, create a flow with the lower layer. •  Then, create an application connection with a member of the DIF at this layer, then authenticate each other. If successful, proceed to enroll. Allocate (N-1)-flow Connect Connect Response Start Enrollment Write New Synonym Initialize New Member With static info and some dynamic info. Write Responses • • • Stop Enrollment Cause RIB Update to update dynamic info. Authentication Exchange
  • 11. The Pouzin Society © John Day, 2013 All Rights Reserved 11 Enrollment Resource Allocation Layers •  If a member fails and reappears (router crash), can’t assume all is well. –  OTOH, the naïve approach would be onerous. •  Assume that most Enrollment requests are members dropping out and coming back. •  Assume that state information they have (including addresses assigned to them) has a lifetime. If gone a short amount of time, then assume it is still good; otherwise, upload. (But still has to authenticate) •  But to save time, let the new member decide what to upload. •  See Enrollment Specification for details
  • 12. The Pouzin Society © John Day, 2013 All Rights Reserved 12 Enrollment A Pragmatic Approach for Resource Sharing Layers •  First part is the same. Allocate (N-1)-flow Connect Connect Response Start Enrollment Write New Synonym Initialize New Member Write Responses Authentication Exchange
  • 13. The Pouzin Society © John Day, 2013 All Rights Reserved 13 Enrollment Procedure I •  When the New Member receives the M_Connect Response, the New Member copies Current_Address to Saved_Address, it sends –  ! M_Start Enrollment(address, Address_expiration_time, other data about New Member) •  /* The New Member is telling the Existing Member what it knows. Primarily this is derived from the address (NULL or not), and the expiration life-time of the address if non-NULL. Since addresses are generally assigned for hours or minutes, tight time synchronization is not required. (Even for DIFs with fast turnover, fairly long assignment times are still prudent.)*/ •  The Member sends –  ! M_Start_R Enrollment(address (potentially different), Application Process Name, Current_Address, Address_Expiration).
  • 14. The Pouzin Society © John Day, 2013 All Rights Reserved 14 Enrollment Procedure II •  Using the information, provided by the New Member, the Existing Member sends –  ! M_Create (zero or more) to initialize the Static and Near Static information required. When finished and the New Member has sent all necessary –  M_Create_Rs •  The Existing Member sends a –  ! M_Stop Enrollment (Immediate:Boolean) •  The New Member may Read any additional information not provided by the Existing Member. –  M_Read (zero or more) –  M_Stop_R Enrollment •  If the Immediate Boolean is True, the New Member is free to transition to the Operational state. •  If the Boolean Immediate is False, then the New Member can not transition to the Operational state until an M_Start Operation is received.
  • 15. The Pouzin Society © John Day, 2013 All Rights Reserved 15 Enrollment Procedure III •  The New Member is free to Read any information not provided by the Existing Member. Once these are completed, the Existing Member sends: –  ! M_Start Operation •  The New Member sends –  M_Start_R Operation •  Invoke RIB Update of dynamic information which will cause others to send data to the New Member.
  • 16. The Pouzin Society © John Day, 2013 All Rights Reserved 16 How Does It Work? Establishing Communication •  Simple: do what IPC tells us to do. –  A asks IPC to allocate comm resources to B –  Determine that B is not local to A use search rules to find B –  Keep looking until we find an entry for it. –  Then go see if it is really there and whether we have access. –  Then tell A the result. –  (See Flow Allocator specification) •  This has multiple advantages. –  We know it is really there. –  We can enforce access control –  We can return B’s policy and port-id choices –  If B has moved, we find out and keep searching A BAhh, look there!
  • 17. The Pouzin Society © John Day, 2013 All Rights Reserved 17 Flow Allocator •  The Flow Allocator contains a Name Space Management function which registers applications, allocates new addresses within the DIF, and allocates flows. •  Most IPC Processes will maintain a cache of recent name to address mappings from flow allocate requests. Larger DIFs may dedicate IPC Processes to repositories (partially replicated databases) to facilitate flow allocation. Repositories Flow  Allocator Flow  Allocation   Requestors Enrollment Request
  • 18. © John Day, All Rights Reserved, 2009 9 February 2015 . 18 What about IPC Naming? •  An IPC Process has an Application Process Name, but give it a synonym of scope limited to the layer. •  Commonly called an address •  There are three local identifiers: –  A Flow Allocator Instance Identifier, •  Commonly called a port-id –  A Data Transfer Instance Identifier, and •  Commonly called a connection-endpoint-identifier Address CEP-ids Connections Port-ids bindings Application Process Name
  • 19. © John Day, All Rights Reserved, 2009 9 February 2015 . 19 To Summarize •  All identifiers except address and connection-id are local to the IPC Process. –  Scope of the address is the Layer. –  Scope of the connection-id is the participants in the connection. •  None has more scope than it needs. Common Term Scope Application Term Application Process Name Global (unambiguous) Application Process Name Address Layer (unambiguous) Synonym for IPC Process’ Application Process Name Port-id IPC Process (unique) Flow-Allocator-Instance- Identifier Connection-endpoint-identifier IPC Process (unique) Data Transfer Instance-Identifier Connection-id Src/Dest Data Transfer (unique) Concatentation of data-transfer- instance-identifiers DIF Management Updates IPC Process (unambiguous) AE-identifier
  • 20. © John Day, 2013 20 Rights Reserved The Pouzin Society Names Implications of the Model (Basics) •  We have made a big deal of node and point of attachment, but they are relative, not absolutes. –  An (N)-IPC-Process is a node in the (N)-DIF. •  An (N-1)-IPC-Process is a node in the (N-1)-DIF –  An (N-1)-IPC-Process is a point of attachment to an (N)-IPC-Process. –  An (N)-address is a synonym for an (N)-IPC-Process. •  So as long as we keep that straight, there is no point to making the distinction. •  Note that it is the port-id that creates layer independence. With a port-id, No Protocol-Id Field is Necessary, or if there is such a field something is wrong. Address Port -id (N)-IPC-Process (N-1)-IPC-Process
  • 21. This Bounds Router Table Size •  There will be Natural Subnets within a layer around the Central Hole. •  Each can be a routing domain; Each Subnet is one hop across the Hole. –  The hole is crossed in the layer below. •  A Topological Space is imposed on the Address Space of Each Layer Backbone Regionals Metros (N)-Routing Domains (N-1)-Routing Domains
  • 22. Example of Topological Address Assignment Regionals Metros W N S E •   •   E3920   S4729   Possible Address Space For Regional Networks N and S would be similar Possible Address Space For Metro Networks •   ESE8399   W N S E WW NW SW NE SE EE • WWW7428 Note that strictly speaking the address spaces are independent Similarityintheupperpartoftheaddress hierarchycanbeleveragedtosimplifyrouter calculations.
  • 23. © John Day, 2013 23 Rights Reserved The Pouzin Society Names Implications of the Model (Multihoming) •  Yea, so? What is the big deal? –  It just works •  PDU arrives at the (N-1)-IPC Process. If the address designates this IPC Process, the CEP-id is bound to the port-id, so after stripping off (N-1)-PCI, it passes it up. •  The process repeats. If the address in the (N)-PCI is this IPC-Process, it looks at the CEP-id and pass it up as appropriate. •  Normal operation. Yes, the (N-1)-bindings may fail from time to time. •  Not a big deal. Address Port -id (N)-IPC-Process (N-1)-IPC-Process
  • 24. © John Day, 2013 24 Rights Reserved The Pouzin Society Names Implications of the Model (Mobility) •  Yea, so? What is the big deal? –  It just works just like multihoming only the (N-1)-port-ids come and go a bit more frequently. •  O, worried about having to change address if it moves too far? Easy. •  Assign a new synonym to it. Put it in the source address field on all outgoing traffic. Stop advertising the old address as a route to this IPC-Process. •  Want to renumber the DIF for some reason? Same procedure. •  Again, no special cases. No special protocols. No concept of a home router. Okay, policies in the DIF may be a bit different to accommodate faster changing points of attachment, but that is it. Address Port -id (N)-IPC-Process (N-1)-IPC-Process New Address
  • 25. © John Day, 2013 25 Rights Reserved The Pouzin Society The Skewed Necklace (DIF view) •  Clearly more layers could be used to ensure the scope allows sufficient time for updating relative to the time to cross the scope of the layer. –  Space does not permit drawing networks. •  It appears that one could make the mobile host appear stationary to the top layer, i.e. the top layer addresses don’t change because all the routing is handled in the lower layers. Base Station Metro Subnet Regional Subnet Mobile Infrastructure Network Traditional ISP Provider Network with normal necklace with an e-mall top layer.
  • 26. © John Day, 2013 26 Rights Reserved The Pouzin Society What New Is Needed? •  Nothing –  Enrollment in a new DIF follows normal procedures –  Allocation of a flow follows normal procedures –  Changing the address of an IPC Process with in a DIF follows the normal procedure. –  New points of attachments, i.e. new lower layer DIFs, are acquired in the normal way. •  There are specific cases to work out here. In general, expect that a wireless device will be probing for new PoAs. But then a system with a down wireline interface should be doing the same thing. –  Current points of attachment are discarded when they can no longer provide an acceptable QoS (criteria and measurement is policy as it is in the wireline case).
  • 27. © John Day, 2013 27 Rights Reserved The Pouzin Society Even the Shim DIF was Enlightening •  A Shim DIF creates the thinnest possible veneer to make a legacy layer service look like a DIF. •  Both IP and Ethernet (without LLC) have a ‘protocol-id’ field –  Historically (1982) a problem: (N+1)-protocol identified in an (N)-protocol •  Without port-ids, there is no isolation and this implies that for each protocol type, there can only be one “user” of the “flow.” –  There can be only one QoS-cube. •  Conclusion: Port-ids are necessary to a well-formed layer/DIF. These are ill- formed layers. –  Ethernet with LLC is well-formed. –  Port-ids provide isolation. Dest Src Protocol-id Stuff User-Data DIF Boundary
  • 28. Why Can WiFi Have 4 MAC Addresses? BSS- id Laptop Access Point Router/ Cable Modem Sndr/Rcvr “Ethernet” btwn SRC/DEST IP Laptop Access Point Access Point Router/ Cable Modem Sndr/Rcvr Sndr/Rcvr “Ethernet” btwn SRC/DEST IP •  Because it is really two layers! •  In general, there is forwarding across access points. First two addresses would be SNDR/RCVR addresses and would change at every hop, while . . . •  Over the top is a logical Ethernet with Src/Dest addresses constant, continuous with the Wired Ethernet connecting the last Access Point to the Router. •  The most common configuration is a Star Network connected to a Router/Cable Modem. In this case, the SRC and SNDR addresses are the same, so only 3 addresses are necessary. •  VLANs are doing the same thing: Multiple Layers of the Same Rank over a Common Media
  • 29. WiLAN Model •  The Wired Media DIF is point-to-point between a station or bridge and another bridge. –  Hence, this DIF does not need addresses, but does need CEP-ids and port-ids. •  OTOH, the wireless-media DIF is also point-to-point but needs both addresses and CEP-ids. –  Because multiple wireless networks may exist in the same physical space. •  Over the top is any ordinary DIF. Station Bridges Access Point Wired Media DIFs Wireless Media DIF Station
  • 30. © John Day, 2013 30 Rights Reserved The Pouzin Society Implications of the Model Names (Choosing a Layer) •  In building the IPC Model, the first time there were multiple DIFs (data link layers in that case), to maintain the API a task was needed to determine which DIF to use. I A P D i r Mux Flow Mgr – User didn’t have to see all of the wires –  But the User shouldn’t have to see all of the “Nets” either. •  This not only generalizes but has major implications.
  • 31. © John Day, 2013 31 Rights Reserved The Pouzin Society Implications of the Model Names (A DIF Allocator) •  A DIF-Allocator incorporating a Name Space Management function determines via what DIFs applications are available. –  If this system is a not member, it either joins the DIF as before –  or creates a new one. •  Which Implies that the largest address space has to be only large enough for the largest e-mall. •  Given the structure, 32 or 48 bits is probably more than enough. •  You mean? •  Right. IPv6 was a waste of time . . . •  Twice. DIF-Allocator
  • 32. © John Day, 2013 32 Rights Reserved The Pouzin SocietySo a Global Address Space is Not Required but Neither is a Global Application Name Space Inter-DIF Directory To Peers In Oher DIFs Actually one could still have distinct names spaces within a DIFs (synonyms) with its own directory database. •  Not all names need be in one Global Directory. •  Coexisting application name spaces and directory of distributed databases are not only possible, but useful. •  Needless to say, a global name space can be useful, but not a requirement imposed by the architecture. •  The scope of the name space is defined by the chain of databases that point to each other.
  • 33. © John Day, 2013 33 Rights Reserved The Pouzin SocietyScope is Determined by the Chain of Places to Look •  The chain of databases to look for names determines the scope of the name space. –  Here there are 2 non-intersecting chains of systems, that could be using the same wires, but would be entirely oblivious to the other.
  • 34. © John Day, 2013 34 Rights Reserved The Pouzin SocietyName Space Management •  There is a common functional required to manage name spaces. It handles registration, query, and delegation of names and is incorporated found in both DIFs and DAFs. •  There are two major uses: the DIF-Allocator and the Flow Allocator, as well as in many distributed database applications, etc. Repositories Registration   Server Query   Servers Registration   Client Query  Client
  • 35. © John Day, 2013 35 Rights Reserved The Pouzin Society DIF Allocator •  A DIF Allocator is very similar to the Flow Allocator, both contain a NSM function for application names and addresses, respectively and operate at different granularities creating either DIFs or connections. Registration Server Query Servers Registration Client Query IRM DA-DAP NSM Repositories DIF Creation and RelayNSM- DAP DA-DAF
  • 36. How It Works •  There is a repeating structure of name mappings. •  The DIF Allocator has an NSM of Application-Names with scope greater than any one DIF. Associated with each name is the name of the processing system on which it resides, and a list of supporting DIFs. From this information, the DA is able to project the application-names into the Flow Allocator of supporting DIFs and the IPC Processes of that DIF. •  The Flow Allocator keeps the mapping of each application-name to the synonym of the IPC Process in the same processing system. •  The Resource Allocator contains an NSM for the synonyms for each IPC Process, i.e. addresses, in this DIF and the (N-1)- DIFs supporting the synonym. The Resource Allocator is consulted during Enrollment to get appropriate synonyms assigned. The Resource Allocator also injects information for the (N-1)-Flow Allocator, serving the analogous service as the DIF Allocator. •  Needless to say, that this mapping information may be acquired from bottom up as well as top down. •  Supporting DIF-name and access control information might only be stored “near” the object named for security reasons, to keep databases small, or accommodate frequent changes. •  There may be a topological relation between synonym spaces of (N)- and (N-1)-DIFs. •  It is highly unlikely that there will be a topological relation between the Application Name Space and the Synonyms of a DIF. –  A topological relation between Name Spaces of DAFs is a different matter. DIF Allocator Flow Alloc Res-Alloc DA-NSM: Application-names - DIF/DAF names, Processing Systems FA: (N+1)-names - (N)-names RA: (N)-names- (N-1)-names, (N-1)-DIFs
  • 37. © John Day, 2013 37 Rights Reserved The Pouzin Society Multicast and Anycast are Simpler Too •  Generalized to Whatevercast: –  A set and a rule that returns as many members of the set that satisfy the rule. •  Unicast becomes a degenerate case of whatevercast. –  Forwarding table entry maps Destination Address to a list of next hops. For unicast, the list has one element. •  Primarily handled by hosts or border routers, where all whatevercast traffic is either: •  On this subnet (only do spanning tree within subnet if there is a lot) or •  Transit to another subnet, (both cases degenerate to point-to-point). •  So we see Whatevercast devolves into Unicast.
  • 38. © John Day, 2013 38 Rights Reserved The Pouzin Society Multicast and Anycast are Simpler Too •  Information in topological addresses imply an approximate spanning tree, which can be used to identify the border routers. Thus, in most cases obviating the need for a separate spanning tree (multicast) routing algorithm. •  And also making it straightforward to multiplex whatevercasts with common sub-trees which will allow even greater efficiency. –  Note that the common sub-trees do not have to be strict sub-trees but simply have a reasonable degree of commonality to be worthwhile.
  • 39. © John Day, 2013 39 Rights Reserved The Pouzin SocietyBut Another Surprise (Allocating a Group) •  Start with a set of Application Names (or something similar) •  Need to Allocate a Group •  Now we need to find the addresses and create a spanning tree. •  Shall we just do what the model says? •  Doesn’t sound promising, send out Create Flows for all of the addresses in the set? Okay lets try it. Flow Allocator Allocate (. . . .)
  • 40. © John Day, 2013 40 Rights Reserved The Pouzin SocietyBut Another Surprise (Allocating a Group) •  We found the addresses, and then the Responses get forwarded back through the Border Routers. •  Wow! It generates the spanning tree! –  There is much to explore here. •  Just follow the Model. Allocate (. . . .) FA
  • 41. The Pouzin Society © John Day, 2013 All Rights Reserved 41 “Internet” Congestion Control •  Congestion Control has been a known issue since 1972. –  Except in the Internet who only discovered it when it crashed around their ears in 86 •  The effectiveness of any congestion control is directly related to the time to effect a change. –  The longer it takes the less effective the congestion control •  End-to-end implicit notification is predatory. –  Longest response time. Will work against any attempt to do it at a lower level with shorter scope and better response time. •  The Internet has network congestion control, –  not internet congestion control
  • 42. The Pouzin Society © John Day, 2013 All Rights Reserved 42 What is the Difference Between Flow Control and Congestion Control? Data Control Control Data Data Notify Flow Control is a feedback mechanism co-located with the resource being controlled. Congestion Control is a feedback mechanism not co-located with the resource being controlled.
  • 43. The Pouzin Society © John Day, 2013 All Rights Reserved 43 How Does It Work? “Congestion Control” •  Congestion Control in TCP was always known to be a stop-gap. •  A DIF always has the potential for the full capability of functions. •  Do flow control (without retransmissions) between intermediate points. –  Better congestion control, really flow control –  Allocate different resources to different e-malls. –  Allows provider much more effective management of resources. –  Provides means to throttle flows being used for denial of service attacks –  All of these places? Probably not all in the same DIF. Major Area for Research
  • 44. The Pouzin Society © John Day, 2013 All Rights Reserved 44 How Does It Work? The Internet and ISPs •  ISPs have as many layers as they need to best manage their resources. Backbone Regionals Metros
  • 45. The Pouzin Society © John Day, 2013 All Rights Reserved 45 How Does It Work? The Internet and ISPs •  The Internet floats on top of ISPs, a “e-mall.” –  One in the seedy part of town, but an “e-mall” –  Not the only emall and not one you always have to be connected to. Public Internet ISP 1 ISP 2 ISP 3
  • 46. The Pouzin Society © John Day, 2013 All Rights Reserved 46 How Does It Work? The Internet and ISPs •  But there does not need to be ONE e-mall. –  You mean! •  Yes, it is really an INTERnet! Public Internet ISP 1 ISP 2 ISP 3 Internet Rodeo Drive Utility SCADAMy NetFacebook Boutique Internet Mall of America
  • 47. The Pouzin Society © John Day, 2013 All Rights Reserved 47 How Does It Work? The User’s Perspective In this case, one host on the local network chooses to join one of the available e-malls. e-common DIFs Provider Network Local Customer Network Peering DIF A Customer Network has a border router that makes several e-malls available. A choice can be made whether the entire local network joins, a single host or a single application. e-common DIFs Provider Network Local Customer Network Peering DIF
  • 48. © John Day, 2013 48 Rights Reserved The Pouzin Society Before Tackling Security A Word on Method (hardly news by now) •  When trying to work out the IPC Model absolutely no thought was given to security. All of the focus was just understanding the structure. •  People kept asking, What about Security? Is there a security layer? •  Didn’t Know. Hadn’t thought about it. •  There was the obvious: –  The recursion of the layer provided Isolation. –  That only the Application Name and local port-id were exposed to the correspondents. •  Interesting, but hardly an answer •  But it wasn’t the time for those questions . . . •  At least not yet . . .
  • 49. © John Day, 2013 49 Rights Reserved The Pouzin SocietyThe Recursion Provided Isolation •  Security by isolation, (not obscurity) •  Hosts can not address any element of the ISP. •  No user hacker can compromise ISP assets. •  Unless ISP is physically compromised. ISP Hosts and ISPs do not share DIFS. (ISP may have more layers
  • 50. © John Day, 2013 50 Rights Reserved The Pouzin Society How Does It Work? Security •  A Hacker in the Public Internet cannot connect to an Application in another DIF without either joining the DIF, or creating a new DIF spanning both. Either requires authentication and access control. –  Non-IPC applications that can access two DIFs are a potential security problem. •  Certainly promising Public Internet ISP 1 ISP 2 ISP 3 Internet Rodeo Drive Utility SCADAMy NetFacebook Boutique Internet Mall of America
  • 51. © John Day, 2013 51 Rights Reserved The Pouzin Society But When It Was Time •  The question was not, how to put in security? •  The question was, •  What does the IPC Model tell us about security? –  Remember, our first task is always understanding. •  Let the Problem Answer the Question! –  Let the Problem Tell Us What to Do.
  • 52. © John Day, 2013 52 Rights Reserved The Pouzin Society The Problem Had a Lot to Say •  We Already Mentioned How Little is Exposed the Layer Above. •  The Original OS Model indicated where Access Control went. •  Creating the Application Connection for Enrollment indicated where Authentication belonged, and that –  Authentication of Applications must be done by the Applications themselves. –  All members of the layer are authenticated within policy. •  SDU Protection clearly provided Confidentiality and Integrity. •  That implied that only Minimal trust was necessary: –  Only that the lower layer will deliver something to someone. Port:=Allocate(Dest-Appl, params) Access Control Exercised
  • 53. © John Day, 2013 53 Rights Reserved The Pouzin Society A Very Unexpected Result •  A DIF with no explicit security mechanisms is inherently more secure than the current Internet under the same conditions! •  It would appear that –  A DIF is a Securable Container.
  • 54. © John Day, 2013 54 Rights Reserved The Pouzin SocietyOther Things Fall Into Place •  Data Transfer in RINA is based on Delta-t (Watson, 1980) •  Lot has happened in 30 years, many attacks on TCP have been found: –  Port scanning – Reset Attacks –  SYN attacks – Reassembly Attacks •  Long after delta-t was designed, what about delta-t? •  Short answer: –  None of them work (Boddapati, et al., 2012) •  Amazing, totally unexpected –  Why not? •  Multiple fundamental reasons, but all inherent in the structure: –  First, have to join the DIF (all members are authenticated) –  Second, No Well-Known Ports •  Would have to scan all possible application names! –  Third and more importantly, . . .
  • 55. © John Day, 2013 55 Rights Reserved The Pouzin Society Decoupling Port Allocation and Synchronization •  No Way to Know What CEP-ids are Being Used, Since There is No Relation Between Port-id and CEP-id. –  SYN-Ack Attack: must guess which of 2^16 CEP-id. –  Data Transfer: must guess CEP-id and seq num within window! –  Reassembly attack: Reassembly only done once. –  No well-known ports to scan. Synchronization Connection Endpoint Port Allocation Port-id Connection
  • 56. © John Day, 2013 56 Rights Reserved The Pouzin Society Decoupling Port Allocation and Synchronization: No IPSec •  IPsec is necessary with TCP/IP because no authentication and Sequence numbers turn over too quickly: don’t repeat sequence number with same CEP-id. •  With RINA and delta-t, IPC Processes all authenticated, SDU Protection does the encryption, and packet sequence numbers slows rollover, but if it does, then simply allocate a new connection •  And bind it to the same port-ids, old one disappears after 2MPL. Connection Endpoint Port Allocation Port-id Connection SDU Protection SDU Protection
  • 57. © John Day, 2013 57 Rights Reserved The Pouzin Society RINA is Inherently More Secure and Less Work •  A DIF is a Securable Container. (Small, 2011) –  What info required to mount an attack, How to get the info –  Small does a threat analysis at the architecture level •  Implies that Firewalls are Unnecessary, –  The DIF is the Firewall! •  RINA Security is considerably Less Complex than the Current Internet Security (Small, 2012) –  Only do a rough estimate counting protocols and mechanisms. •  See paper for details.
  • 58. © John Day, 2013 58 Rights Reserved The Pouzin Society Internet RINA Protocols 8 0 Non-Security Mechanisms 59 0 Security Mechanisms 28 7 To Add Security Copyright © 2012, Jeremiah Small. All Rights Reserved.
  • 59. © John Day, 2013 59 Rights Reserved The Pouzin Society Summing Up Security •  This is a MAJOR Improvement in Internet Security. –  Not only more secure, but for less cost, with less overhead. •  So is Internet Security solved? –  Hardly. –  Still need: to develop the plug-in policy modules –  to consider DDoS (we have some ideas) –  As well as protecting against Rogue IPC Processes –  and much more to explore and who knows what general principles will fall out. •  Most attacks are in the Applications, this does nothing about that. –  But Much of this applies equally well to DAFs •  Model implies that OS security reduces to Bounds Checking on Memory and IPC Security. –  May also make it harder, might be able to deflect more DDoS attacks
  • 60. The Pouzin Society © John Day, 2013 60 Rights Reserved Management DAFs
  • 61. The Pouzin Society © John Day, 2013 61 Rights Reserved An Important Class of DAFs: DAF Management Systems •  There are four major kinds of distributed management systems (DMS): –  Operating System – Network Management –  Distributed Applications – Name Space Management •  The Most Important Property of Management –  Commonality, Commonality, Commonality. Reduce the Parts Count. •  Not Necessarily make everything look alike, but –  Effectively separating the like from the unlike •  Maximizing invariance and minimizing discontinuities •  This is what the principles we have uncovered do, and have been •  Embodied in RINA. –  RINA was not designed to do this. We worked out the principles and then did what they said. (There wasn’t that much leeway.) –  We aren’t done. We have pushed commonality into major parts of the model but there are more principles, invariances to find. •  It is subtle, greatest generality with least constraint, often requires shift in POV
  • 62. The Pouzin Society © John Day, 2013 62 Rights Reserved DAF Management Systems •  There is a commonality to their structure and •  A range in their complexity from distributed to centralized •  Each DAF/DIF has a DAF Management Task. These constitute data collection and autonomic functions, what IEEE calls layer management. •  The DAF Manager can be considered the nervous system of a DAF. –  A DAF Manager might manage more than one DAF or –  In a degenerate case, the DAF Management Tasks might constitute the DAF Manager. DAF Manager
  • 63. The Pouzin Society © John Day, 2013 63 Rights Reserved The General Model •  And down the side were the labels •  This became the core of our approach to Network Management Cerebellum Cerebrum Hypothalamus (Ganglia) Peripheral Increasing Aggregation Sensor Agent Manager Coordinator Raw Data Filtered Processed Data Planning Data Increasing “Cycle” Time
  • 64. The Pouzin Society © John Day, 2013 64 Rights Reserved But More Importantly It was Clear that Network Management is •  The whole point is that events are happening too fast for humans to be in the loop. They can manage, but not control. •  Control must be autonomic. Monitor and Repair But not Control
  • 65. The Pouzin Society © John Day, 2013 65 Rights Reserved The Management Architecture Central Nervous System •  While there might be managers for distinct subnets (domains) and the subnets might be a hierarchy, the managers were peers. –  Many talked about managers of managers but there is really nothing for second level managers to do. (that generalizes?) •  Then Realized what was missing: Where’s the Homunculus? Agent Event ConfigPerf Fault Agent Agent Agent Agent Reliable Req/Resp Best Effort Telemetry Agent MIB Network Management System (NMS) Devices to be Managed NMS Agent Agent Agent Agent autonomic
  • 66. The Pouzin Society © John Day, 2013 66 Rights Reserved The Relation Among Management Applications •  Configuration Management – is the primary “action” a management system should take. –  Security Management is a subset of Configuration Management. •  Performance Management monitors the autonomic functions, e.g. routing and congestion, and provides input to the Coordination Level for improving policies. –  It should seldom result in direct action. Although some policies might provide tunable parameters. This is dangerous. •  Accounting Management is a Coordination Level function. It’s data is a subset of Performance data. •  Fault Management isn’t an app, but a management system with a small domain for diagnosing, testing, and repairing network elements.
  • 67. The Pouzin Society © John Day, 2013 67 Rights Reserved Note of Practicality •  We have identified 4 kinds of management systems: Systems, Applications, Network, and Name Space. •  While they can all be stand-alone (and there will be cases where they should be), they will often occur as symbiotic, i.e. incorporated into another Management system. •  Many of the confusions today are because these 4 are not clearly recognized. –  For example, in a corporate environment, it would not be unusual for all four to be combined. But even here, different groups might have their own application management or even system management systems within that. –  In a data center, the data center would manage its systems and network resources and allocate them to users who would use their application management systems to manage the applications running on the datacenter. –  Etc.
  • 68. The Pouzin Society © John Day, 2013 68 Rights Reserved On Autonomic vs Centralized •  In nature, a central nervous system appears in fairly primitive organisms, such as Platyhelminthes (flatworms). –  Clearly monitoring and reporting must be centralized. •  Some actions can be done without a central nervous system, see coelenterate locomotion and tentacles. –  Some rhythmic behaviors as well, where reacting to neighbors suffice. •  However, complex actions across the organism may require more coordination, as will finding true optima rather than local optima. –  In nature, we find that ganglia suffice for this much of the time with ganglia often being larger than the “brain.” •  Food for thought for management.
  • 69. The Pouzin Society © John Day, 2013 All Rights Reserved 69 Questions?