Thursday, November 6, 2008

Internet Indirection Architecture

Similar in goals to the previous paper, this work presents i3, which uses an API to build composable rendezvous-based communication, so that middleboxes no longer need to be physically interposed between the two communicating ends. A receiver inserts "triggers" that live in the network and can be matched against packets being sent into the network; a matching trigger causes the intended action to occur (which can be a send to an endpoint or a set of endpoints). Like the previous paper, they use a DHT to store the triggers and ensure that all triggers with the same prefix (which is used for multicast and anycast) get stored on the same server for better performance.

The example applications here are mobility, multicast, and anycast, but from my reading, in principle one could create a firewall. I'm not sure about NAT-like machinery, however.

The thing I liked best about this paper is that the basic algorithm is very simple, and allows both senders and receivers to define intermediaries that are composable. With some additional complexity, a few optimizations can be introduced.

However, like the previous paper, the security concerns are many. The paper considers protection against some of the possible attacks, but any time we introduce a level of indirection into the network, the potential attack vectors must increase. I think some of the issues they bring up can be resolved pretty easily, but things like having to check for loops in the routing make trigger insertion take much longer, since every insertion has to be checked for whether it creates a loop.
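To make the trigger mechanism and the loop-check cost concrete, here is a small simulation I added (it is not i3's code, and the paper's real parameters are different): 16-bit identifiers instead of 256, an 8-bit exact-match prefix instead of 128, one in-memory table instead of a DHT, and a trigger target that is either a host endpoint or another identifier. The `TriggerStore`, `make_id`, `Endpoint` and `demo` names are my own. It shows multicast (several triggers on one id), anycast (longest-suffix match among ids that share the exact prefix), mobility (replacing a trigger) and chained triggers, and it does the loop check at insertion time that the post complains about: each insert of an id-to-id trigger walks the forwarding chain and is refused if it could route back to itself.

```python
"""Toy i3-style trigger store: constructed example, not the i3 implementation.
Assumptions: 16-bit ids (i3 uses 256), an 8-bit exact-match prefix (i3 uses
128), a single in-memory table instead of a DHT, and a trigger target that is
either an endpoint or another id (i3's identifier stacks are simplified away)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

ID_BITS = 16        # assumed toy identifier width
EXACT_PREFIX = 8    # assumed number of leading bits that must match exactly


@dataclass(frozen=True)
class Endpoint:
    host: str


Target = Union[Endpoint, int]   # deliver to a host, or forward to another id


def make_id(prefix: int, suffix: int) -> int:
    """Build an id from an 8-bit exact-match prefix and an 8-bit suffix."""
    return (prefix << (ID_BITS - EXACT_PREFIX)) | suffix


def common_prefix_len(a: int, b: int) -> int:
    """Number of leading bits a and b share within ID_BITS."""
    return ID_BITS - (a ^ b).bit_length()


@dataclass
class TriggerStore:
    triggers: Dict[int, List[Target]] = field(default_factory=dict)

    def match(self, ident: int) -> Optional[int]:
        """Trigger id that a packet addressed to `ident` is routed to: the exact
        prefix must agree, then the longest matching suffix wins (anycast);
        ties go to the numerically smallest id so results are deterministic."""
        best = None
        for tid in self.triggers:
            if tid >> (ID_BITS - EXACT_PREFIX) != ident >> (ID_BITS - EXACT_PREFIX):
                continue
            if best is None or (common_prefix_len(tid, ident), -tid) > (common_prefix_len(best, ident), -best):
                best = tid
        return best

    def insert(self, tid: int, target: Target) -> bool:
        """Add a trigger; refuse it if forwarding through it could loop back."""
        self.triggers.setdefault(tid, []).append(target)
        if isinstance(target, int) and self._loops_back(tid):
            self.remove(tid, target)
            return False
        return True

    def remove(self, tid: int, target: Target) -> None:
        self.triggers[tid].remove(target)
        if not self.triggers[tid]:
            del self.triggers[tid]

    def _loops_back(self, start: int) -> bool:
        """Depth-first walk over id targets: true if a packet that matched
        `start` can be forwarded so that it matches `start` again. This is the
        per-insertion cost the post refers to."""
        seen = set()
        stack = [t for t in self.triggers[start] if isinstance(t, int)]
        while stack:
            tid = self.match(stack.pop())
            if tid is None:
                continue
            if tid == start:
                return True
            if tid in seen:
                continue
            seen.add(tid)
            stack.extend(t for t in self.triggers[tid] if isinstance(t, int))
        return False

    def send(self, ident: int, max_hops: int = 8) -> List[str]:
        """Deliver a packet sent to `ident`; returns the hosts it reached."""
        delivered: List[str] = []
        frontier = [ident]
        for _ in range(max_hops):           # hop cap bounds damage from any missed loop
            next_frontier: List[int] = []
            for i in frontier:
                tid = self.match(i)
                if tid is None:
                    continue
                for t in self.triggers[tid]:
                    if isinstance(t, Endpoint):
                        delivered.append(t.host)
                    else:
                        next_frontier.append(t)
            frontier = next_frontier
            if not frontier:
                break
        return sorted(delivered)


def demo() -> dict:
    """Constructed scenario covering multicast, anycast, mobility and chaining."""
    s = TriggerStore()
    g = make_id(0x10, 0x00)                       # multicast: same id, two receivers
    s.insert(g, Endpoint("a")); s.insert(g, Endpoint("b"))
    s.insert(make_id(0x20, 0x00), Endpoint("east"))   # anycast: shared prefix,
    s.insert(make_id(0x20, 0xF0), Endpoint("west"))   # different suffixes
    m = make_id(0x30, 0x00)                       # mobility: swap the trigger
    s.insert(m, Endpoint("old")); before = s.send(m)
    s.remove(m, Endpoint("old")); s.insert(m, Endpoint("new"))
    a, b = make_id(0x40, 0x00), make_id(0x41, 0x00)   # chain: a -> b -> host c
    s.insert(a, b); s.insert(b, Endpoint("c"))
    return {
        "multicast": s.send(g),
        "anycast_near_west": s.send(make_id(0x20, 0xE0)),
        "anycast_near_east": s.send(make_id(0x20, 0x01)),
        "mobility": (before, s.send(m)),
        "chain": s.send(a),
        "loop_rejected": not s.insert(b, a),        # would close a -> b -> a
        "self_loop_rejected": not s.insert(a, a),
        "state_intact": s.send(a),
    }
```

The loop check is what makes insertion more than a DHT put: each id-to-id trigger costs a walk over every trigger it can reach, and in a real deployment that walk crosses DHT nodes. The hop cap in `send` is the cheap backstop for any loop the check misses.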

Overall, this paper has a simpler algorithm, but the security issues remain.


1 comment:

Randy H. Katz said...

I agree about the simplicity and generality of the i3 mechanism. DOA does a better job of addressing the authentication and security issues. The bottom line is that the operational issues for any of these schemes are really quite large. It won't be easy making these things work at Internet