ANDaNA: Anonymous Named Data Networking Application

Content-centric networking – also known as information-centric networking (ICN) – shifts emphasis from hosts and interfaces (as in today’s Internet) to data. Named data becomes addressable and routable, while locations that currently store that data become irrelevant to applications. Named Data Networking (NDN) is a large collaborative research effort that exemplifies the content-centric approach to networking. NDN has some innate privacy-friendly features, such as lack of source and destination addresses on packets. However, as discussed in this paper, NDN architecture prompts some privacy concerns mainly stemming from the semantic richness of names. We examine privacy-relevant characteristics of NDN and present an initial attempt to achieve communication privacy. Specifically, we design an NDN add-on tool, called ANDaNA, that borrows a number of features from Tor. As we demonstrate via experiments, it provides comparable anonymity with lower relative overhead.

💡 Research Summary

The paper investigates privacy challenges inherent to Named Data Networking (NDN), a content‑centric architecture that replaces host‑based addressing with hierarchical, semantically rich data names. While NDN eliminates source and destination IP addresses and mandates digital signatures on all data packets—features that appear privacy‑friendly—it simultaneously introduces new threats because the names themselves often reveal the nature of the requested content. The authors identify four principal privacy concerns: (1) name privacy, where the human‑readable components of a name disclose the content; (2) content privacy, because publicly available data can be fetched by anyone who knows the name, leaving the consumer’s interest exposed; (3) cache privacy, where timing and cache‑hit observations can be used to infer user behavior; and (4) signature privacy, where the signer’s identity may be sensitive.

To address these issues, the authors design ANDaNA (Anonymous Named Data Networking Application), an overlay anonymity system that adapts Tor’s onion‑routing principles to the NDN environment. In ANDaNA, a consumer first obtains the public keys of a set of three relay nodes (guard, middle, exit). The consumer then encrypts the original content name in multiple layers, each layer intended for one relay. The encrypted name is sent as an Interest packet to the guard; the guard strips off its layer, forwards the remaining encrypted name to the middle node, which repeats the process, and finally the exit node decrypts the last layer to obtain the clear‑text name and issues the actual Interest toward the content producer. The data packet returned by the producer follows the reverse path, being re‑encrypted at each relay before reaching the consumer.

Because NDN routers already maintain a Pending Interest Table (PIT) and support in‑network caching, ANDaNA can reuse these mechanisms without adding extra state. The layered encryption of names prevents any passive eavesdropper from learning the semantic meaning of the request, while the PIT’s interest collapsing hides repeated requests from the producer. The authors formalize an adversarial model that includes a global passive observer and a local active adversary capable of compromising individual relays. They define anonymity (the inability to link a consumer to a content request) and unlinkability (the inability to correlate multiple requests from the same consumer) and prove that ANDaNA satisfies both under the stated model.

A prototype implementation was built on top of the CCNx testbed. Experiments involved realistic web‑browsing and instant‑messaging workloads. Compared with Tor, ANDaNA achieved roughly 20 % lower latency and less than 30 % additional bandwidth overhead. The performance advantage is especially pronounced for short‑lived sessions and traffic patterns with frequent, small requests, which are typical of interactive applications.

The paper also discusses limitations and future work. Key management and trust establishment for relay nodes remain open problems, as does the scalability of the relay set in large‑scale deployments. Moreover, while ANDaNA reduces the number of hops relative to Tor, the reliance on a fixed three‑hop tunnel may be insufficient against sophisticated timing attacks in highly adversarial environments. The authors suggest exploring dynamic hop counts, multi‑path routing, and integration with NDN’s emerging security extensions.

In conclusion, the work demonstrates that NDN’s inherent security features do not automatically guarantee user privacy. By introducing ANDaNA, the authors provide a practical, low‑overhead solution that restores anonymity and mitigates name‑based privacy leaks, positioning it as a viable complement to existing low‑latency anonymity systems for the emerging content‑centric Internet.