ify that data they receive, including commands, originates from a trusted source. Because per-packet signatures are part of the architecture and therefore not dependent on an application or domain, NDN will increase recognition of, and reliance on, data provenance to improve data security and thus consumer trust in content. In the IP Internet, provenance must be established on a per-application basis, and is currently established intermittently and inconsistently. NDN’s signature mechanisms can help verify provenance even for orphaned data (data with no online application). Content signatures can also reduce risks such as spoofed data and phishing. Including such provenance explicitly in packets mitigates concerns about data tampering en route.
To take advantage of NDN’s security features (in particular, the per-packet cryptographic signatures), application developers will require new trust models that can be used by classes of applications, as well as frameworks for establishing, exchanging, and revoking keys within data-centric networks. These challenges, as discussed earlier, are the most significant for NDN architecture development. Fortunately, we believe there will be increasing incentives to develop such trust models and key distribution mechanisms over time, as they are necessary not only for NDN, but for better security in all networked communications.
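The two preceding paragraphs describe per-packet signatures that travel with the data (so provenance can be checked regardless of which node served the packet) and the trust models that bind signing keys to namespaces. The following added example, which is not code from the article or from any NDN implementation, models both in a few dozen lines: a Data packet carries its name, content, a key locator and a signature; a small trust schema says which key name may sign which name prefix; and the consumer verifies a packet the same way whether it came from the producer, a cache, or an attacker. Because Ed25519 is not in the Python standard library, the signature is an HMAC-SHA256 tag under a per-producer secret that the verifier is assumed to hold already; in real NDN the KeyLocator points at a public key certificate fetched by name. All names, secrets and the schema are constructed for the illustration.

```python
"""Toy model of NDN per-packet signatures and a namespace-based trust schema.

Added example, not from the article or any NDN library.  Assumption: the
signature is HMAC-SHA256 under a secret shared with the verifier, standing
in for the public-key signature a real NDN Data packet would carry.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Data:
    name: str          # hierarchical NDN name, e.g. /example/building1/temp/3
    content: bytes
    key_locator: str   # name of the signing key, e.g. /example/building1/KEY/1
    signature: bytes


def _to_be_signed(name: str, content: bytes, key_locator: str) -> bytes:
    # Everything the signature covers, length-prefixed so field boundaries
    # cannot be shifted between name, content and key locator.
    parts = [name.encode(), content, key_locator.encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign(name: str, content: bytes, key_locator: str, secret: bytes) -> Data:
    tag = hmac.new(secret, _to_be_signed(name, content, key_locator), hashlib.sha256).digest()
    return Data(name, content, key_locator, tag)


# Trust schema (constructed): which key name may sign which data prefix.
TRUST_SCHEMA = {
    "/example/building1/": "/example/building1/KEY/1",
}

# Keys the consumer has already obtained and trusts (constructed).  An
# attacker's key is present too, to show that a valid signature alone is not enough.
KEY_STORE = {
    "/example/building1/KEY/1": b"building1-secret",
    "/attacker/KEY/9": b"attacker-secret",
}


def verify(data: Data) -> bool:
    """True only if the packet is untampered AND signed by the key the schema
    authorises for its namespace.  Which node served the packet never matters."""
    allowed = next((k for p, k in TRUST_SCHEMA.items() if data.name.startswith(p)), None)
    if allowed is None or allowed != data.key_locator:
        return False                      # wrong key for this namespace, or no rule
    secret = KEY_STORE.get(data.key_locator)
    if secret is None:
        return False                      # key not available to the verifier
    expected = hmac.new(secret, _to_be_signed(data.name, data.content, data.key_locator),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, data.signature)


def scenario() -> dict:
    good = sign("/example/building1/temp/3", b"21.5C",
                "/example/building1/KEY/1", b"building1-secret")
    # Copy served from an untrusted cache: bytes unchanged, so it still verifies.
    from_cache = Data(good.name, good.content, good.key_locator, good.signature)
    # Tampered en route: content altered, signature left as it was.
    tampered = Data(good.name, b"99.9C", good.key_locator, good.signature)
    # Spoofed: correctly signed, but by a key the schema does not allow here.
    spoofed = sign("/example/building1/temp/3", b"99.9C",
                   "/attacker/KEY/9", b"attacker-secret")
    return {"cache": verify(from_cache), "tampered": verify(tampered), "spoofed": verify(spoofed)}


if __name__ == "__main__":
    print(scenario())  # {'cache': True, 'tampered': False, 'spoofed': False}
```

The schema check comes before the cryptographic check on purpose: a signature that verifies under some key says nothing about provenance unless that key is one the consumer's trust model allows for that name, which is exactly the gap the article says application-class trust models have to fill.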
Finally, NDN’s request/response data exchange provides benefits for network security by mitigating common problems in today’s IP Internet, such as distributed denial of service (DDoS) attacks. Since each Interest retrieves at most one data packet, a router can use the PIT (as described previously) to control the number of pending Interests to achieve flow balance, mitigating volumetric DDoS attacks. Techniques for NDN DDoS mitigation have been explored extensively in other work.
Improvements and challenges for privacy. NDN’s four fundamental architectural departures from IP have implications that can both challenge and benefit user privacy. The request/response data exchange increases anonymity of information seekers, while content signatures and names complicate anonymity for content producers. The architectural emphasis on in-network storage presents new challenges for limiting data retention.
Support for anonymous information-seeking. NDN’s request/response data exchange improves support for anonymous information-seeking: there is no source address in an Interest. Though Interest packets create a trail in the PIT as they travel toward a data packet, each router’s table indicates only the next hop and these PIT entries are erased as soon as a data packet satisfies the outstanding Interest(s). Although routers could log such trails of breadcrumbs, users are not likely to have their Interests traced back to them unless an actor (an authoritarian regime, for example) can access and correlate state across all routers in the (possibly many) paths that data packets have taken. The IoT scenario illustrates how difficult enacting this level of control would be: those paths would likely include privately-owned devices in homes and buildings, in addition to routers owned by Internet Service Providers (ISPs). So while ISPs might log Interests and forward them to governments, decreased reliance on ISPs as the sole source of connectivity would circumvent such logging. Providing anonymous data retrieval could substantially benefit privacy, allowing individuals to consume controversial content without fear of embarrassment or harm.
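The PIT is doing two jobs in the text above: in the DDoS paragraph it is the state a router uses to keep Interests and Data in flow balance, and in this paragraph it is the only trail an Interest leaves, one that records faces rather than addresses and is erased when Data arrives. The following added example, which is not code from the article or from the NDN Forwarding Daemon, is a toy forwarder that shows both behaviours at once: each face may hold a bounded number of pending Interests, Interests for the same name are aggregated onto one PIT entry, and a returning Data packet satisfies and removes the entry while populating the content store so any later node holding the data can answer. Face numbers, names, the per-face limit and the content are constructed.

```python
"""Toy NDN forwarder with a Pending Interest Table (PIT) and content store.

Added example, not code from the article or any NDN forwarder.  Assumptions:
faces are small integers, the per-face pending limit is a constructed value,
and upstream forwarding is recorded rather than performed.
"""
from collections import defaultdict


class Forwarder:
    def __init__(self, max_pending_per_face: int = 3):
        # PIT: data name -> set of incoming faces waiting for it.
        # Note what is NOT here: no consumer address of any kind.
        self.pit = defaultdict(set)
        self.pending_per_face = defaultdict(int)
        self.max_pending = max_pending_per_face
        self.cs = {}                     # content store: name -> content
        self.dropped = 0
        self.forwarded_upstream = []

    def on_interest(self, name: str, in_face: int):
        if name in self.cs:              # any node holding the data may answer
            return ("data", name, self.cs[name])
        if in_face in self.pit.get(name, set()):
            return ("duplicate", name, None)
        # Flow balance: a face may have only so many Interests outstanding, because
        # each one is a promise of at most one Data packet coming back to it.
        if self.pending_per_face[in_face] >= self.max_pending:
            self.dropped += 1
            return ("dropped", name, None)
        already_pending = name in self.pit
        self.pit[name].add(in_face)
        self.pending_per_face[in_face] += 1
        if already_pending:              # aggregate: one upstream fetch serves all
            return ("aggregated", name, None)
        self.forwarded_upstream.append(name)
        return ("forwarded", name, None)

    def on_data(self, name: str, content: bytes):
        """Satisfy the PIT entry: return the faces to send Data to, erase the trail."""
        faces = self.pit.pop(name, set())
        for f in faces:
            self.pending_per_face[f] -= 1
        self.cs[name] = content
        return sorted(faces)


def scenario():
    fw = Forwarder(max_pending_per_face=3)
    # Face 1 fires five distinct Interests; only three may be outstanding at once.
    results = [fw.on_interest(f"/sensor/room{i}/temp", in_face=1)[0] for i in range(5)]
    # Face 2 asks for a name already pending: aggregated, no second upstream fetch.
    fw.on_interest("/sensor/room0/temp", in_face=2)
    satisfied = fw.on_data("/sensor/room0/temp", b"20C")       # both faces served
    trail_left = "/sensor/room0/temp" in fw.pit                  # False: entry erased
    later = fw.on_interest("/sensor/room0/temp", in_face=3)[0]  # answered from the CS
    return results, satisfied, trail_left, later, fw.pending_per_face[1]


if __name__ == "__main__":
    print(scenario())
    # (['forwarded', 'forwarded', 'forwarded', 'dropped', 'dropped'], [1, 2], False, 'data', 2)
```

The per-face bound is the simplest form of the flow-balance idea the article attributes to the PIT; real mitigations are more elaborate, but they rest on the same property that every Interest is accounted for until exactly one Data packet returns or the entry expires.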
Challenges for anonymous content production. Compared to consumer anonymity, content producer anonymity in an NDN network is difficult to achieve. Data producers can be identified in more than one way—for example, by the key used to sign the data, the namespace in which the data or key are published, or by the content itself. While NDN data must be signed, it may be signed with ephemeral keys or keys unlinked to real-world identities. Encryption of both names and data can be used to provide confidentiality. But NDN’s pervasive use of signatures may make it easier for infrastructure providers and content consumers to require signatures that use verified, real-world identities. For example, online forum moderators struggling with trolls and sock puppet accounts—or trying to discriminate against certain

applications do not care from where requested data is retrieved, any NDN node can answer an Interest if it has