Paper
"Persistent Personal Names for Globally Connected Mobile Devices", by B. Ford, C. Lesniewski-Laas, J. Strauss, S. Rhea, F. Kaashoek, R. Morris, Proceedings of the Seventh Symposium on Operating Systems Design and Implementation (OSDI 2006), November 2006.
Presented by
Aiman Erbad
Discussion by
Charles Krasic
Important Links
Abridged version of OSDI presentation
Paper and Video Demo
Code and Previous Publications
Discussion Recap
The discussion covered the four papers Chord, ROFL, SFS, and UIA. The major points related to UIA are:
ROFL and UIA can be thought of as complementary. UIA covers the naming while ROFL handles the routing (a DHT provides scalable lookup of arbitrary flat identifiers in large distributed address spaces, and UIA maps personal names to flat identifiers, the EIDs). The split is not black and white, but UIA proposed social networking as a solution for routing, while ROFL is independent of the layers working on top of it.
Currently, device introduction requires both users to be on the same local area network so that the rendezvous tool Bonjour can find them; then the keys are exchanged. However, if you think about the whole Internet, browsers could come with a top-twenty list of the popular services. UIA was built to solve the mobility problem using persistent personal names, but for wide-scale deployment we should consider how to initialize, distribute, exchange, or share the keys.
In the current design, in section 2.4 about transitive merging, the authors say “Alice’s devices similarly gossip her new link named Bob and learn about Bob’s three devices, after which she can, for example, refer to Bob’s laptop as laptop.Bob”. So Alice will know about and view all the devices in Bob’s group; however, this does not necessarily give her access to the devices. As future work, they intend to add read access control to enable the user to hide certain names or limit the visibility of devices.
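The naming behaviour in the last point, as an added sketch (not code from the paper or the UIA prototype): names such as laptop.Bob are resolved through Alice's link to Bob's group, and being able to see a name is separate from being allowed to connect. The `Group` model, the device names other than `laptop`, the placeholder EID strings and the `may_connect` allow-list are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    """One user's personal namespace (simplified model, not UIA's data structures)."""
    owner: str
    devices: dict = field(default_factory=dict)  # device name -> EID
    links: dict = field(default_factory=dict)    # user name -> that user's Group

def resolve(start, dotted):
    """Resolve e.g. 'laptop.Bob' relative to `start`, rightmost label first."""
    leaf, *path = dotted.split(".")
    group = start
    for label in reversed(path):
        if label not in group.links:
            raise LookupError(f"{group.owner} has no link named {label!r}")
        group = group.links[label]
    if leaf not in group.devices:
        raise LookupError(f"{group.owner} has no device named {leaf!r}")
    return group.devices[leaf]

def visible_names(start):
    """All device names `start` can see; each group is expanded once, so the
    mutual Alice <-> Bob links do not cause an endless walk."""
    seen, queue, names = {id(start)}, [(start, "")], []
    while queue:
        group, suffix = queue.pop(0)
        names += [name + suffix for name in group.devices]
        for label, target in group.links.items():
            if id(target) not in seen:
                seen.add(id(target))
                queue.append((target, f".{label}{suffix}"))
    return sorted(names)

def may_connect(acl, target_eid, requester_eid):
    """Hypothetical per-device allow-list: seeing a name grants nothing by itself."""
    return requester_eid in acl.get(target_eid, set())

# Constructed sample data: EIDs are placeholder strings, device names are made up.
bob = Group("Bob", {"laptop": "eid-bob-laptop", "phone": "eid-bob-phone", "ipod": "eid-bob-ipod"})
alice = Group("Alice", {"pc": "eid-alice-pc"}, {"Bob": bob})
bob.links["Alice"] = alice  # mutual introduction

# Bob's laptop accepts connections only from Bob's own phone (hypothetical policy).
ACL = {"eid-bob-laptop": {"eid-bob-phone"}}

if __name__ == "__main__":
    print(visible_names(alice))
    target = resolve(alice, "laptop.Bob")
    print(target, may_connect(ACL, target, alice.devices["pc"]))
```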
Discussion Questions
The device log being append-only means that it will never shrink. While this is fine for large devices such as laptops and PDAs, would this impose a limited lifetime on storage-limited devices?
In their examples, if Bob's cell phone and laptop dispute each other, each will form its own subgroup. What prevents both networks from claiming to be the true "Bob" and trying to connect to Alice? Can Alice tell them apart?
Connecting up devices should be this easy... is this just a matter of getting everyone to standardize on doing it the same way, or are there some technical difficulties that need to be dealt with? (To rephrase the question: is this more of a UI design problem than a technical problem?)
Wasn't Sun's Jini supposed to do some of the things in this paper?
Isn't UIA in some sense routing on flat labels (where the labels are the EIDs), and thus achieving the goal of the ROFL paper (on a smaller scale)?
What characteristic of social networks forces them to use gossip for implementing discovery?
If social groups are small and tend to be isolated in clusters, why not always make every device in a group contact the same given stable node, or small group of stable nodes (say Bob’s computer and Alice’s server) to get (and update) the IP of Bob’s cell phone?
If Bob's stolen cell phone and his laptop each create successor groups, how do his other devices know which group they should join? Is it dependent on Bob having physical control of the devices, or is it enough that they are on the same local network? If the thief has access to Bob's local network (e.g. he lives in the same building and can connect wirelessly), is it possible for the thief to gain control of Bob's other devices?
Is it possible for users to hack their devices so that they will perform less routing, thereby saving power without hurting the hacking user, but hurting everyone else? Would this be a serious problem?
In the future work section of the paper the authors have mentioned that the naming layer currently assumes that groups are small and change infrequently, so using the gossip protocol is reasonable. They have proposed to use a DNS-like structure for large or infrequently used groups. What are the tradeoffs between these two methods (gossiping and DNS)?
How does this system deal with devices that might frequently change their location while they are communicating with other devices?
Although they have implemented ownership revocation, the security threat in the case of a stolen/lost device is still high (it might take a long time before someone can revoke the ownership...). Do you think this system can gain popularity in business applications?
Revocation of ownership of a mobile device is a nice property against theft (data security attacks), but the idea seems to work only if the owner has another mobile device in the same group as the stolen device. What if the user doesn’t own another device? This still gives the thief the opportunity to gain information about other users for the groups he (the victim) owns. Can the revocation be transferred to a higher authority (a device to fall back on, presumably immobile so harder to steal)?
This question is not on data security but on property security, and might be a bit off track: do you think the EID would also provide security against mobile device thefts? If we use the IMEI numbers of mobile phones (and presumably generate them for other devices), the idea in the paper might help in tracking such devices?
The prototype UIA currently runs only on Linux and Mac OS X. I am curious whether the idea of this paper can work on cell phones. If so, how could routing be implemented? How do you build a TCP connection on cell phones? More briefly, what is the IP address of a cell phone?
I did some NAT traversal research before and I know source-routed forwarding is not as easy as this paper says. I think the routing layer of this paper is not illustrated briefly enough. This paper is focused on mobile devices, but routing is a tough task in mobile networks, especially wireless ad-hoc routing. I doubt the real performance on mobile phones. I think it will not run very well due to the bad performance of the routing layer. What do you think?
When the devices that are being used by the friends are removed from the laptop or the PC, what will happen?
I think this paper is very interesting and the idea is promising. I would like to know more details on its performance and security. I think the two factors are important for its practicability.
In security and ownership revocation, the part about a device in another group learning about revocation from another group seems a little insecure. What if a phone in group A having access to group B gets stolen and group B doesn't know about a revocation? Guess the local user authentication has to be pretty well enforced.
How stable do you think the overlay network using personal devices forming a social neighborhood will be? How big a part does the social neighborhood play in UIA routing? Can non-UIA Internet nodes take part in the routing?
UIA's personal naming model is inspired in part by SDSI/SPKI, but what are the major differences between UIA and SDSI?
DHT provides scalable lookup of arbitrary flat identifiers in large distributed address spaces. Is it possible that UIA can be built on DHT?
What would happen if the single 'stable' device in proximity to the connected device switches off or loses 'stability'? How will the device continue to remain connected?
Is there a possibility of 'clash of interests' if two users in a group connect to a common device and use its service?
Does the system require some known servers to set up an overlay network for routing? I'm unclear on how a roaming device can find the overlay network in the first place.
Do we think that users of this system would want or need more connected devices than they could reasonably add manually? E.g., would adding EVERYONE at OSDI be a compelling usage case?
Since devices in a group namespace aren't explicitly added, are there any potential threats from a group originating from a compromised device? (i.e. anything that can't be cleaned up easily once the keys are revoked.)
Related Work
Dynamic DNS, Mobile IP, IPSEC VPNs
Decentralized security: SDSI/SPKI
Host identities: SFS, HIP, JXTA, i3
Naming/routing: DDNS, TRIAD, i3, CoDoNS
Optimistic replication: Ficus, Coda, Ivy
Mobile data: Rumor, P-Grid, Roma, Footloose
Social networking: Turtle, Sprout, F2F, Tribler