
    Making On-Demand Routing Efficient with Route-Request Aggregation

    In theory, on-demand routing is very attractive for mobile ad hoc networks (MANET), because it induces signaling only for those destinations for which there is data traffic. However, in practice, the signaling overhead of existing on-demand routing protocols becomes excessive as the rate of topology changes increases due to mobility or other causes. We introduce the first on-demand routing approach that eliminates the main limitation of on-demand routing by aggregating route requests (RREQ) for the same destinations. The approach can be applied to any existing on-demand routing protocol, and we introduce Ad-hoc Demand-Aggregated Routing with Adaptation (ADARA) as an example of how RREQ aggregation can be used. ADARA is compared to AODV and OLSR using discrete-event simulations, and the results show that aggregating RREQs can make on-demand routing more efficient than existing proactive or on-demand routing protocols.

    PROVIDE: hiding from automated network scans with proofs of identity

    Network scanners are a valuable tool for researchers and administrators; however, they are also used by malicious actors to identify vulnerable hosts on a network. Upon the disclosure of a security vulnerability, scans are launched within hours. These opportunistic attackers enumerate blocks of IP addresses in the hope of discovering an exploitable host. Fortunately, defensive measures such as port knocking protocols (PKPs) allow a service to remain stealthy to unauthorized IP addresses. The service is revealed only when a client includes a special authentication token (AT) in the IP/TCP header. However, this AT is generated from a secret shared between the clients and servers and distributed manually to each endpoint. As a result, these defense measures have failed to be widely adopted by other protocols such as HTTP/S due to the challenges of distributing the shared secrets. In this paper we propose a scalable solution to this problem for services accessed by domain name. We make the following observation: automated network scanners access servers by IP address, while legitimate clients access the server by name. Therefore a service should only reveal itself to clients who know its name. Based on this principle, we have created a proof of the verifier's identity (a.k.a. PROVIDE) protocol that allows a prover (legitimate user) to convince a verifier (service) that it is knowledgeable of the verifier's identity. We present a PROVIDE implementation using a PKP and DNS (PKP+DNS) that uses DNS TXT records to distribute identification tokens (IDT), while DNS PTR records for the service's domain name are prohibited to prevent reverse DNS lookups. Clients are modified to make an additional DNS TXT query to obtain the IDT, which is used by the PKP to generate an AT. The inclusion of an AT in the packet header, generated from the DNS TXT query, is proof that the client knows the service's identity. We analyze the effectiveness of this mechanism with respect to brute-force attempts for ATs of various strengths and discuss practical considerations. This work has been supported by the National Science Foundation (NSF) awards #1430145, #1414119, and #1012798.

    The Price of Updating the Control Plane in Information-Centric Networks

    We study some fundamental properties of the interface between the control and data planes in Information-Centric Networks. We evaluate the traffic between these two planes based on allowing a minimum level of acceptable distortion in the representation of the network state held by the control plane. We apply our framework to content distribution and show how to compute the overhead of maintaining the location of content in the control plane. This is important for evaluating content-oriented network architectures: we identify scenarios where the cost of updating the control plane for content routing overwhelms the benefit of fetching a nearby copy. We also show how to minimize the cost of this overhead when associating costs with peering traffic and with internal traffic for operator-driven CDNs. Comment: 10 pages, 12 figures.