Overlay Network Physical LayerR : router Overlay Layer N R R R R R N.

Overlay NetworkPhysical Layer R : router

Overlay Layer

N

R

R

R

R

R

N

Overlay Network

Problem of IP Multicast (Physical Layer)

Multicast for key distribution requires router must have specific function.

It costs to change every router has Multicast function.

Overlay NetworkAn overlay network is a computer network which

is built on top of another network. Nodes in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network. - wikipedia -

Advance : Multicast group self-organize into efficient structures for delivering data without requiring any support from the existing network infrastructure.

Confidential data deliveryPrevious work

Security mechanisms can be efficiently provided by using symmetric key based cryptographic algorithm, which in turn require all participants to share a secret key (Group key) using IP Multicast.

Problem of previous work1. To use IP Multicast with previous existing

router, it might be replaced to new router which can support IP Multicast function. May incur cost to replace router

2. While a few recent works have considered issues with key dissemination using overlays, these works rely on analysis or simulations with synthetic workloads and don’t consider issues such as resilient key delivery.

3. There doesn’t exist real implementation and Internet experiments in an overlay context

Solution & ContributionConduct a systematic performance evaluation of

strategies for key dissemination in the context of overlay broadcasting system on the Planetlab testbed using real traces of join/leave dynamics.

Considering resilient key dissemination on an overlay network.

Design space for dissemination of data and keys using decoupled architecture.

Why we consider?

Using key dissemination for a network security

Network bandwidth is limited

Frequent rekeying causes network slowly

Key management algorithm Centralized key management schemes

Relying on single key server

Batch rekeying several group changes are accumulated in group key.

In rekey period, Low rekey period frequent rekeying, high

overhead High rekey period make scheme more vulnerable

to violation of security properties

Key management algorithm2 key management algorithms

1. Key-star encrypt new key when performing a rekey

operation. Required O(N) encrypt message where N is

the group size.2. Marking

variant of LKH protocol, using subgroup key to reduce encryption cost. Not considering members left

Resilient key disseminationLosing rekey packets can be severe.Focusing on minimizing loss of rekey packets

Naïve Unicast : using TCP connection individually

Tree-TCP, Tree-UDP : For overlay multicast

Tree-Unicast

Key and Data dissemination coupling strategies

Fig. 1. a) An LKH keys tree.

b) An overlay structure optimized for data delivery. Intermediate nodes are positioned by their network characteristics. New keys are sent to all nodes.

c) An overlay structure optimized for keys delivery. Intermediate nodes are positioned by their ID. New keys are sent only to nodes that need them.

Key and Data dissemination coupling strategies

Coupled-Data Optimized : sub-optimal,High overhead

Coupled-Key Optimized : May reduce rekeying overheadCan violate saturation degree of nodes when bandwidth

demanding broadcasting application are considered.

Decoupled : two specialized dissemination structureAdvance : providing good performance data delivery and

reduction in overhead to disseminate key message.Drawback: source must maintain two structures, hence

needs additional complexity and overhead to maintain extra structure

Evaluation goalsReliable key dissemination :

Considering data & keys loss or delay.Which algorithm is the best?

Key & data coupling : Reduction of overhead.Benefits significant under real work-load.

TestBased on real world Internet load, classified 5

typesConference 1Conference 2PortalCompetitionRally

Each type has different type of data transmission, which means numbers of join/leaves are variable.

ResultChoice of rekey period :

Marking algorithm

ResultChoice of Resilient key dissemination:

Tree-TCP , Tree-Unicast

ResultCoupling strategies: DecoupledOverhead of key messages is reduced by 50%~67%

of that incurred with Coupled-DataOptimized.

Even though there needs additional overhead of maintaining the separate key-delivery structure, the reduction in total overhead is still significant.

Especially, it shows remarkably reduced where overhead of key messages is the major component like type “Rally”.

Limitation on the proposed solutionOnly considering single-source broadcasting

application.

There might be many multi-source broadcasting system in the real world.

It may incur lots of rekeying overhead to the sub-group Bottleneck