Feature #3161
open
CS: partition by forwarding hint
0%
Description
Logically partition the ContentStore by the forwarding hint used to retrieve Data packets.
Necessity
Forwarding that follows forwarding hints raises concerns about cache poisoning.
For example, Mallory may express an Interest ndn:/alice/index.html with forwarding hint [{10,ndn:/mallory}], and set up a producer in the ndn:/mallory network to return fake Data for ndn:/alice/index.html.
NFD does not validate signatures on this Data because it lacks the trust model to do so, and will admit this Data into the ContentStore. After that, Interests for ndn:/alice/index.html will match the cached Data, even if they carry no forwarding hint or their forwarding hint points to a different routable prefix.
Solution
The ContentStore should be logically partitioned according to the forwarding hint.
A cached Data is stored along with the forwarding hint used to retrieve it; this applies in the consumer region and the Internet, but not within the producer region, where the forwarding hint has been stripped. An incoming Interest with a forwarding hint can be satisfied by a cached Data if the cached Data has no associated forwarding hint or has the same forwarding hint.
This solution reduces cache poisoning to be no worse than in a network without forwarding hints: each forwarding hint has its own logical ContentStore, so Mallory's fake Data cannot affect Interests that do not carry Mallory's forwarding hint. The cost of this solution is that the same Data may be stored multiple times with different forwarding hints, but this can happen only during an attack with Mallory's forwarding hint, or when the producer has published multiple Link objects used to derive forwarding hints.
This issue includes:
- CS index: logically partition the index by forwarding hint
- CS insert: accept "forwarding hint used for Data retrieval" as a parameter
- CS lookup: if the Interest has a forwarding hint, match a Data only if the Data has no associated forwarding hint or has the same forwarding hint.
  Special case: if the Interest name ends with an implicit digest, it can match any Data that satisfies the implicit digest.
NFD Developer Guide should be updated as part of this issue.
Changes in forwarding are necessary to pass a forwarding hint to CS insert procedure, but they are not part of this issue.
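
The insert and lookup rules listed above, sketched as an added C++ example (not NFD code and not part of the original issue). Assumptions: names and hints are plain strings with exact-name matching, an empty string means "none", an Interest without a hint matches only Data stored without one, and `PartitionedCs`, `Interest` and `Entry` are hypothetical names.

```cpp
// Added illustration, not NFD code: a toy ContentStore partitioned by forwarding hint.
// Assumptions: names and hints are plain strings, matching is exact-name only,
// an empty string means "none", and all type names here are hypothetical.
#include <map>
#include <string>
#include <utility>

struct Interest {
  std::string name;
  std::string hint;    // forwarding hint carried by the Interest
  std::string digest;  // non-empty when the name ends with an implicit digest
};

struct Entry {
  std::string content;
  std::string digest;  // constructed stand-in for the Data's implicit digest
};

class PartitionedCs {
public:
  // CS insert: the hint used to retrieve the Data becomes part of the index key.
  void insert(const std::string& name, const std::string& hintUsed, const Entry& e) {
    m_index[std::make_pair(name, hintUsed)] = e;
  }

  // CS lookup: returns the matching entry, or nullptr on a miss.
  const Entry* find(const Interest& i) const {
    if (!i.digest.empty()) {
      // Special case: the digest pins the exact Data, so any partition may answer.
      for (auto it = m_index.lower_bound(std::make_pair(i.name, std::string()));
           it != m_index.end() && it->first.first == i.name; ++it)
        if (it->second.digest == i.digest) return &it->second;
      return nullptr;
    }
    // Data stored with no associated hint is eligible for every Interest.
    auto it = m_index.find(std::make_pair(i.name, std::string()));
    // Otherwise only the partition of the Interest's own hint is eligible.
    if (it == m_index.end() && !i.hint.empty())
      it = m_index.find(std::make_pair(i.name, i.hint));
    return it == m_index.end() ? nullptr : &it->second;
  }

private:
  std::map<std::pair<std::string, std::string>, Entry> m_index;
};
```

With Data cached under Mallory's hint only, lookups that carry no hint or a different hint miss and are forwarded normally, which is the isolation property the issue asks for.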