Path Steering in CCNx and NDN

Introduction Path Steering is a mechanism to discover paths to the producers of ICN content objects and steer subsequent Interest messages along a previously discovered path. It has various uses, including the operation of state-of-the-art multipath congestion control algorithms and for network measurement and management. This specification derives directly from the design published in and therefore does not recapitulate the design motivations, implementation details, or evaluation of the scheme. That publication should be considered a normative reference as it is not likely a reader will be able to understand all elements of this design without first having read the reference. Some technical details are different however, and where there are differences, the design documented here is to be considered definitive. Path discovery and subsequent path steering in ICN networks is facilitated by the symmetry of forward and reverse paths in the CCNx and NDN architectures. Path discovery is achieved by a consumer endpoint transmitting an ordinary Interest message and receiving a Content (Data) message containing an end-to-end path label constructed on the reverse path by the forwarding plane. Path steering is achieved by a consumer endpoint including a path label in the Interest message, which is forwarded to each nexthop through the corresponding egress interfaces in conjunction with longest name prefix match (LNPM) FIB lookup.

Path Steering as an experimental extension to ICN protocol architectures There are a number of important use cases to justify extending ICN architectures such as CCNx or NDN to provide these capabilities. These are summarized as follows:

Support the discovery, monitoring and troubleshooting of multi-path network connectivity based on names and name prefixes. Analogous functions have been shown to be a crucial operational capability in multicast and multi-path topologies for IP. The canonical tools are the well-known traceroute and ping. For point-to-multipoint MPLS the more recent tree trace protocol is used. Equivalent diagnostic functions have been defined for CCNx through the ICN Ping and ICN Traceroute specifications, both of which are capable of exploiting path steering if available.
Perform accurate online measurement of network performance, which generally requires multiple consecutive packets follow the same path under control of an application.
Improve the performance and flexibility of multi-path congestion control algorithms. Congestion control schemes such as and depend on the ability of a consumer to explicitly steer packets onto individual paths in a multi-path and/or multi-destination topology.
A consumer endpoint can mitigate content poisoning attacks by directing its Interests onto the network paths that bypass poisoned caches.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Terminology This document uses the general ICN terms that are defined in . In addition we define the following terms specific to path steering:

Path Discovery:: The process of sending an Interest requesting discover of a path and if successful, receiving a Data containing a Path Label for the path the corresponding Interest traversed
Path Steering:: The process of sending an Interest message containing the Path Label of a previously discovered path in roder that the forwarders use that path when forwarding that particular Interest message.
Path Label:: An optional field in the packet indicating a particular path from a consumer to either a producer, or a forwarder cache that can respond with the requested item. In an Interest message, the Path Label gets built up hop by hop as the interest traverses a path. In a Data message, the Path Label carries the full path information back to the consumer for use in one or more subsequent Interest messages.
Nexthop Label:: One entry in a Path Label representing the next hop for the corresponding forwarder to use when a path-steered Interest message arrives at that forwarder. A sequence of Nexthop Labels constitutes a full Path Label.

Essential elements of ICN path discovery and path steering We elucidate the design using CCNx semantics and extend its Packet Encoding as defined in . While the terminology is slightly different, this design can be applied also to NDN, by extending its bespoke packet encodings (See ).

Path Discovery End-to-end Path Discovery for CCNx is achieved by creating a path label and placing it as a hop-by-hop TLV in a CCNx Content (Data) message. The path label is constructed hop-by-hop as the message traverses the reverse path of transit CCNx forwarders as shown in the first example in . The path label is updated by adding to the existing path label the nexthop label of the interface at which the Content (Data) message has arrived. Eventually, when the Content(Data) message arrives at the consumer, the path label identifies the complete path the Content (Data) message took to reach the consumer. As shown in the second example in the figure, when multiple paths are available, subsequent interests can discover additional paths by omitting a path steering TLV and obtaining a new path label on the returning interest.

Basic example of path discovery and steering Issue: how to indicate in an Interest message that the consumer wants to do path discovery? Flag in the fixed header? Empty Path Label TLV (with index set to zero?). If we do the former, would need some way to indicate how big the producer should make it since it doesn't know how many hops there are on the reverse path. That's not a problem if we do the latter, but that makes the Interest message bigger even though it doesn't have a path yet. Making the path Label TLV the maximum size (i.e. based on what hop limit is set to) wastes a lot of space since most paths are likely to be way shorter than what the hop limit is set to by the consumer. Doing so does make transforming the Interest message into a Content Object message a bit easier though, since the hop-by-hop headers are likely already sized right. Another option is to define a new TLV to carry the unmodified hop limit by the consumer. Then the producer then just does a subtraction to get the traversed path length. Ilya:I added some flags TLV, so it is possible to have a separate "Discovery mode" flag, that would tell forwarders to increment hop label index (instead of decrementing and reading the path label) Ilya:Is 64 bytes really much these days? I don't quite like the idea of telling the producer how far away i am. I think it will be a privacy concern for some people. Ilya:Can it be solved from prefix registration side? Producer gets label size supported by the network from its ISP? Idk what about intermediate caches. -->

Path Steering Due to the symmetry of forward and reverse paths in CCNx, a consumer application can reuse a discovered path label to fetch the same or similar (e.g. next chunk, or next Application Data Unit, or next pointer in a Manifest) Content (Data) message over the discovered network path. This Path Steering is achieved by processing the Interest message's path label at each transit ICN forwarder and forwarding the Interest through the specified nexthop among those identified as feasible by LNPM FIB lookup ().

Path Steering CCN / NDN data plane | Content |->| PIT | ------------>| Label |----------------> | Store | +-----+ | Lookup | +---------+ | \ (no path label) +--------+ | | \ |\ (path label mismatch) Data | | \ | \ <---------+ v \ | \ aggregate \ | \ \ | \ \ | +-----+ Interest +--------------|---->| FIB | ---------> | +-----+ Interest-Return (NACK) v | (no route) <----------------------------------------------+<-------+ ------------------------------------------------------------------------ REVERSE PATH ------------------------------------------------------------------------ Interest-return(NACK) +-----+ (update path label) Interest-Return(NACK) <---------------------| |<----------------------------------------- | | Data +---------+ | PIT | (update path label) Data <------| Content |<---| |<----------------------------------------- | Store | | | +---------+ +-----+ | | (no match) v ]]>

Handling Path Steering errors Over time, the state of interfaces and the FIB on forwarders may change such that, at any particular forwarder, a given nexthop is no longer valid for a given prefix. In this case, the path label will point to a now-invalid nexthop. This is detected by failure to find a match between the decoded nexthop ID and the nexthops of the FIB entry after LNPM FIB lookup. On detecting an invalid path label, the forwarder SHOULD respond to the Interest with an Interest-Return. We therefore define a new Invalid path label response code for the Interest Return message and include the current path label as a hop-by-hop header. Each transit forwarder processing the Interest-Return message updates the path label in the same manner as Content (Data) messages, so that the consumer receiving the Interest-Return (NACK) can easily identify which path label is no longer valid. Issue: should we provide an option to the consumer to forward the interest rather than returning the error? This is briefly discussed in the paper, but specific machinery isn't suggested. I think this would potentially be useful for diagnosis. If so, we need to re-jigger the description a bit and include the following paragraph --> A consumer may alternatively request that a forwarder detecting the inconsistency forward the Interest by means of normal LNPM FIB lookup rather than returning an error. The consumer endpoint, if it cares, can keep enough information about outstanding Interests to determine if the path label sent with the Interest fails to match the path label in the corresponding returned Content (Data), and use that information to replace stale path labels. It does so by setting the FALLBACK MODE flag of the path label TLV in its Interest message.

How to represent the Path Label presents various options for how to represent a path label, with different tradeoffs in flexibility, performance and space efficiency. For this specification, we choose the Polynomial encoding which achieves reasonable space efficiency at the cost of establishing a hard limit on the length of paths that can be represented. The polynomial encoding utilizes a fixed-size bit array. Each transit ICN forwarder is allocated a fixed sized portion of the bit array. This design allocates 12 bits (i.e. 4095 as a generator polynomial) to each intermediate ICN forwarder. This should match the scalability of today's commercial routers that support up to 4096 physical and logical interfaces and usually do not have more than a few hundred active ones.

Fixed size path label |<---- 12bit ---->|<---- 12bit ---->|<----------------->| ]]> A forwarder that receives a Content (Data) message encodes the nexthop label in the next available slot and increments label index. Conversely, a forwarder that receives an Interest message reads the current nexthop label and decrements label index. Therefore, the extra computation required at each hop to forward either an interest or Content Object message with a path label is minimized and constitutes a fairly trivial additional overhead compared to FIB lookup and other required operations. This approach results in individual path label TLV instances being of fixed pre-computed size. While this places a hard upper bound on the maximum number of network hops that can be represented, this is not a significant a practical problem in NDN and CCNx, since the size can be pre-set during Content(Data) message encoding based on the exact number of network hops traversed by the Interest message. Even long paths of 24 hops will fit in a path label bitmap of 36 bytes if nexthop label is encoded in 12 bits.

Mapping to CCNx and NDN packet encodings

Path label TLV A Path label TLV is the tuple: {[Flags], [Path Label Hop Count], [Nexthop Label], [Path label bitmap]}. Path label flags

Flag	Value (hex)
DISCOVERY MODE	0x00
FALLBACK MODE	0x01
STRICT MODE	0x02

The Path Label Hop Count (PLHC) MUST be incremented by NDN and CCNx forwarders if the Interest packet carries a path label and DISCOVERY mode flag is set. A producer node or a forwarder with cached data packet MUST use PLHC in calculation of a path label bitmap size suitable for encoding the entire path to the consumer. The Path Label Hop Count (PLHC) MUST be set to zero in newly created Data or Interest-Return (NACK) packets. A consumer node MUST reuse Path Label Hop Count (PLHC) together with the Path label bitmap (PLB) in order to correctly forward the Interest(s) along the corresponding network path. If an NDN or CCNx forwarder supports path labeling, the Nexthop label MUST be used to determine the correct egress interface for an Interest packet carrying either the FALLBACK MODE or STRICT MODE flag. If any particular NDN or CCNx forwarder is configured to decrypt path labels of Interest packets (Section "Security considerations"), then the forwarder MUST

decrypt the path label with its own symmetric key,
update the nexthop label with outermost label in the path label,
decrement Path Label Hop Count (PLHC), and
remove the outermost label from the path label.

If any particular NDN or CCNx forwarder is NOT configured to decrypt path labels of Interest packets, then path label decryption SHOULD NOT be performed. The Nexthop label MUST be ignored by NDN and CCNx forwarders if present in Data or Interest-Return (NACK) packets. If any particular NDN or CCNx forwarder is configured to encrypt path labels of Data and Interest-Return (NACK) packets (Section Security Considerations), then the forwarder MUST encrypt existing path label with its own symmetric key, append the nexthop label of the ingress interface to the path label, and increment Path Label Hop Count (PLHC). If any particular NDN or CCNx forwarder is NOT configured to encrypt path labels of Interest packets, then path label encryption SHOULD NOT be performed. NDN and CCNx forwarders MUST fallback to longest name prefix match (LNPM) FIB lookup if an Interest packet carries an invalid nexthop label and the FALLBACK MODE flag is set. CCNx forwarders MUST respond with an Interest Return packet specifying the T_RETURN_INVALID_PATH_LABEL code if Interest packet carries an invalid path label and the STRICT MODE flag is set. CCNx forwarders MUST respond with an Interest Return packet specifying the T_RETURN_MALFORMED_INTEREST code if the Interest packet carries a path label TLV with both FALLBACK MODE and STRICT MODE flags set.

Path label encoding for CCNx Path Label is an optional Hop-by-Hop header TLV that can be present in CCNx Interest, InterestReturn and Content Object packets.

Path label Hop-by-Hop header TLV for CCNx

Path label encoding for NDN Path Label is an optional TLV in NDN Interest, Data and NACK packets. The Path Label TLV SHOULD NOT take part in Interest, Data or NACK signature calculation as it is potentially modified at every network hop.

Path label TLV for NDN TLV-TYPE number assignments

Flag	Value (hex)
PATH-LABEL-TYPE	0x09
PATH-LABEL-FLAGS-TYPE	0x0B
PATH-LABEL-BITMAP-TYPE	0x0D
PATH-LABEL-NEXTHOP-LABEL-TYPE	0x0E
PATH-LABEL-HOP-COUNT-TYPE	0x0F

IANA Considerations IANA is requested to make the following assignments:

Please assign the value 0x0004 for T_PATH_LABEL in the CCNx Hop-by-Hop Types registry.
Please assign the TLV types in in the CCNx Hop-by-Hop type registry.
Please assign the value 0xA for the T_RETURN_INVALID_PATH_LABEL in the CCNx Interest Return Code Types" registry.
Please create the CCNx Path Label Flags registry and assign the values listed in .

Security Considerations A path is invalidated by renumbering nexthop label(s). A malicious consumer can attempt to mount an attack by transmitting Interests with path labels which differ only in a single now-invalid nexthop label in order to brute force a valid nexthop label. If such an attack succeeds, a malicious consumer would be capable of steering Interests over a network path that may not match the paths computed by the routing algorithm or learned adaptively by the forwarders. When a label lookup fails, by default an Invalid path label Interest-Return (NACK) message is returned to the consumer. This contains a path label identical to the one included in the corresponding Interest message. A malicious consumer can therefore analyze the message's Hop Count field to infer which specific nexthop label had failed and direct an attack to influence path steering at that hop. This threat can be mitigated by the following countermeasures:

A nexthop label of larger size is harder to crack. If nexthop labels are not allocated in a predictable fashion by the routers, brute forcing a 32-bit nexthop label requires on average O(2^31) Interests. However, this specification uses nexthop labels with much less entropy (12 bits), so depending on computational hardness is not workable.
An ICN forwarder can periodically update nexthop labels to limit the maximum lifetime of paths. It is RECOMMENDED that forwarders update path labels at least every few minutes.
A void Hop Count field in an Invalid path label Interest-Return (NACK) message would not give out the information on which specific nexthop label had failed. An attacker might need to brute force all nexthop labels in all combinations. However, some useful diagnostic capability is lost by obscuring the hop count. For example the locus of routing churn is harder to pin down through analysis of path-steered pings or traceroutes. A forwarder MAY choose to invalidate the hop count in addition to changing nexthop labels periodically as above.

ICN protocols can be susceptible to a variety of cache poisoning attacks, where a colluding consumer and producer arrange for bogus content (with either invalid or inappropriate signatures) to populate forwarder caches. These are generally confined to on-path attacks. It is also theoretically possible to launch a similar attack without a cooperating producer such that the caches of on-path routers become poisoned with the content from off-path routers (i.e. physical connectivity, but no route in a FIB for a given prefix). We estimate that without any prior knowledge of the network topology, the complexity of this type of attack is in the ballpark of Breadth-First-Search and Depth-First-Search algorithms with the additional burden of transmitting 2^31 Interests in order to crack a nexthop label on each hop. Relatively short periodic update of nexthop labels and anti- label scan heuristics implemented in the ICN forwarder may successfully mitigate this type of attack.

Cryptographic protection of a path label If the countermeasures listed above do not provide sufficient protection against malicious mis-steering of Interests, the path label can be made opaque to the consumer endpoint via hop-by-hop symmetric cryptography applied to the path labels (). This method is viable due to the symmetry of forward and reverse paths in CCNx and NDN architectures combined with ICN path steering requiring only reads/writes of the topmost nexthop label (i.e. active nexthop label) in the path label. This way a path steering capable ICN forwarder receiving a Data (Content) message encrypts the current path label with its own non-shared symmetric key prior to adding a new nexthop label to the path label. The Data (Content) message is forwarded downstream with unencrypted topmost (i.e active) nexthop label and encrypted remaining content of the path label. As a result, a consumer endpoint receives a Data (Content) message with a unique path label exposing only the topmost nexthop label as cleartext. A path steering forwarder receiving an Interest message performs label lookup using the topmost nexthop label, decrypts the path label with its own non-shared symmetric key, and forwards the message upstream. Cryptographic protection of a path label does not require any key negotiation among ICN forwarders, and is no more expensive than MACsec or IPsec. It is also quite possible that strict hop-by-hop path label encryption is not necessary and path label encryption only on the border routers of the trusted administrative or routing domains may suffice.

Path label protection with hop-by-hop symmetric cryptography