7 research outputs found

    End-to-end security in active networks

    Active network solutions have been proposed to many of the problems caused by the increasing heterogeneity of the Internet. These systems allow nodes within the network to process data passing through in several ways. Allowing code from various sources to run on routers introduces numerous security concerns that have been addressed by research into safe languages, restricted execution environments, and other related areas. But little attention has been paid to an even more critical question: the effect on end-to-end security of active flow manipulation. This thesis first examines the threat model implicit in active networks. It develops a framework of security protocols in use at various layers of the networking stack, and their utility to multimedia transport and flow processing, and asks if it is reasonable to give active routers access to the plaintext of these flows. After considering the various security problems introduced, such as vulnerability to attacks on intermediaries or coercion, it concludes not. We then ask if active network systems can be built that maintain end-to-end security without seriously degrading the functionality they provide. We describe the design and analysis of three such protocols: a distributed packet filtering system that can be used to adjust multimedia bandwidth requirements and defend against denial-of-service attacks; an efficient composition of link and transport-layer reliability mechanisms that increases the performance of TCP over lossy wireless links; and a distributed watermarking service that can efficiently deliver media flows marked with the identity of their recipients. In all three cases, similar functionality is provided to designs that do not maintain end-to-end security. Finally, we reconsider traditional end-to-end arguments in both networking and security, and show that they have continuing importance for Internet design.
Our watermarking work adds the concept of splitting trust throughout a network to that model; we suggest further applications of this idea.

    Analysis domain model for shared virtual environments

    The field of shared virtual environments, which also encompasses online games and social 3D environments, has a system landscape consisting of multiple solutions that share great functional overlap. However, there is little system interoperability between the different solutions. A shared virtual environment has an associated problem domain that is highly complex, raising difficult challenges to the development process, starting with the architectural design of the underlying system. This paper has two main contributions. The first contribution is a broad domain analysis of shared virtual environments, which enables developers to have a better understanding of the whole rather than the part(s). The second contribution is a reference domain model for discussing and describing solutions: the Analysis Domain Model.

    Service introduction in an active network

    Thesis (Ph.D.), Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, February 1999. Includes bibliographical references (p. 151-157). By David J. Wetherall. Ph.D.

    Network architecture for large-scale distributed virtual environments

    Distributed Virtual Environments (DVEs) provide 3D graphical computer-generated environments with stereo sound, supporting real-time collaboration between potentially large numbers of users distributed around the world. Early DVEs were used over local area networks (LANs). Recently, with the Internet's development into the most common embedding for DVEs, these distributed applications have moved towards exploiting IP networks. This has brought scalability challenges into the evolution of DVEs. Network bandwidth is the most limited resource of a DVE system, and to improve a DVE's scalability it is necessary to manage this resource carefully. To achieve savings in network bandwidth, the different types of network traffic produced by DVEs have to be considered. DVE applications demand the exchange of data that forms different types of traffic, such as computer data, video and audio, and 3D data, to keep the application's state consistent. Meeting the QoS requirements of both control and continuous media traffic has already been covered by existing research, but QoS for the transfer of 3D information has not really been considered. 3D DVE geometry traffic is very bursty in nature and places high demands on the network for short intervals of time, due to the quite large size of 3D models and the DVE application's requirement to transmit 3D data as quickly as possible. The main motivation for the work presented in this thesis is to find a solution that improves the scalability of DVE applications by considering the QoS requirements of the 3D DVE geometrical data type. In this work we investigate the possibility of decreasing the network bandwidth utilization of 3D DVE traffic using the level of detail (LOD) concept and the active networking approach.
The background work of the thesis surveys DVE applications and the scalability requirements of DVE systems. It also discusses active networks and the multiresolution representation and progressive transmission of 3D data. A new active networking approach to the transmission of 3D geometry data within DVE systems is proposed in this thesis. This approach enhances the currently applied peer-to-peer DVE architecture by adding, to the peer-to-peer multicast network-layer filtering of 3D flows, an application-level filtering on the active intermediate nodes. The active router keeps application-level information about the placement of users. This information is used by active routers to prune the more detailed 3D data flows (higher LODs) on the branches of the multicast tree that lead to distant DVE participants. The exploration of the possible benefits of the proposed active approach, through comparison with the non-active approach, is carried out using simulation-based performance modelling. The complex interactions between participants in a DVE application and the large number of analyzed variables indicate that flexible simulation is more appropriate than mathematical modelling, and building a test bed would not be feasible. Results from the evaluation demonstrate that the proposed active approach shows potential benefits for improving a DVE's scalability, but the degree of improvement depends on the users' movement pattern. Therefore, other active networking methods to support 3D DVE geometry transmission may also be required.

    Network Management and High Performance Communication. Part XXII. Seminar, Summer Semester 2000

    Summary: This internal report contains the contributions to the seminar "Network Management and High Performance Communication", which took place for the 22nd time in the summer semester of 2000. The choice of topics can be roughly divided into the following three blocks. One block is devoted to high-speed technology. The first contribution presents the concept of Multiprotocol Label Switching (MPLS), which brings a speed advantage of about an order of magnitude over conventional routing. The second contribution describes efficient methods and algorithms for the classification of IP packets, which become increasingly important as router speeds continue to rise. The third contribution covers variants of the Transmission Control Protocol (TCP), whose mechanisms must be extended for higher performance or for mobile deployment scenarios. A second block deals with various topics from the areas of wireless communication, network management and security. On the one hand, the protocol architecture of the Wireless Application Protocol (WAP) is presented, which takes into account the special requirements of mobile users with very small wirelessly connected end devices, such as mobile phones, with regard to Internet and data communication. On the other hand, the contribution on automatic network configuration addresses a network management topic that is becoming increasingly important in an age of constantly growing networks. Finally, the third topic presents zero-knowledge protocols, elegant methods for authentication that can be used, for example, in electronic payment systems. The third block covers the topic area of group communication.
Here, newer approaches to multicast routing are described on the one hand, and on the other hand a selection of the numerous multicast transport protocols that sit functionally above them. Abstract: This Technical Report includes student papers produced within a seminar on "Network Management and High Performance Communications". For the 22nd time this seminar has attracted a large number of diligent students, proving the broad interest in topics of network management and high performance communications. The topics of this report may be divided into three blocks. One block is devoted to high speed and high performance technology. At first, the concept of Multiprotocol Label Switching (MPLS) is described. Subsequently, Efficient Methods and Algorithms for Classification of IP Packets and Variants of TCP are presented. A second block deals with various topics such as wireless communications, network management and security. The first article shows advantages of the Wireless Application Protocol (WAP) to access Internet information in mobile environments. The second article describes Automatic Network Configuration Mechanisms, which are of increasing importance. Third, Zero Knowledge Protocols for secure authentication are examined and presented. The third block deals with group communication and shows New Approaches for Multicast Routing as well as an overview of some Multicast Transport Protocols.

    A Reliable Subcasting Protocol for Wireless Environments

    This paper presents an end-to-end reliable multicast protocol for use in environments with wireless access. It divides a multicast tree into sub-trees, and subcasting within these smaller regions is applied using a tree of retransmission servers (RSs). RM2 is receiver oriented [1] in that the transmitter does not need to know its receivers, hence offering better scalability.