1,714 research outputs found

    HoPP: Robust and Resilient Publish-Subscribe for an Information-Centric Internet of Things

    This paper revisits NDN deployment in the IoT with a special focus on the interaction of sensors and actuators. Such scenarios require high responsiveness and limited control state at the constrained nodes. We argue that the NDN request-response pattern which prevents data push is vital for IoT networks. We contribute HoP-and-Pull (HoPP), a robust publish-subscribe scheme for typical IoT scenarios that targets IoT networks consisting of hundreds of resource constrained devices at intermittent connectivity. Our approach limits the FIB tables to a minimum and naturally supports mobility, temporary network partitioning, data aggregation and near real-time reactivity. We experimentally evaluate the protocol in a real-world deployment using the IoT-Lab testbed with varying numbers of constrained devices, each wirelessly interconnected via IEEE 802.15.4 LowPANs. Implementations are built on CCN-lite with RIOT and support experiments using various single- and multi-hop scenarios

    Prelude: Ensuring Inter-Domain Loop-Freedom in SDN-Enabled Networks

    Software-Defined-eXchanges (SDXes) promise to tackle the timely quest of bringing improving the inter-domain routing ecosystem through SDN deployment. Yet, the naive deployment of SDN on the Internet raises concerns about the correctness of the inter-domain data-plane. By allowing operators to deflect traffic from the default BGP route, SDN policies are susceptible of creating permanent forwarding loops invisible to the control-plane. In this paper, we propose a system, called Prelude, for detecting SDN-induced forwarding loops between SDXes with high accuracy without leaking the private routing information of network operators. To achieve this, we leverage Secure Multi-Party Computation (SMPC) techniques to build a novel and general privacy-preserving primitive that detects whether any subset of SDN rules might affect the same portion of traffic without learning anything about those rules. We then leverage that primitive as the main building block of a distributed system tailored to detect forwarding loops among any set of SDXes. We leverage the particular nature of SDXes to further improve the efficiency of our SMPC solution. The number of valid SDN rules, i.e., not creating loops, rejected by our solution is 100x lower than previous privacy-preserving solutions, and also provides better privacy guarantees. Furthermore, our solution naturally provides network operators with some hindsight on the cost of the deflected paths

    All-Path Bridging: Path Exploration Protocols for Data Center and Campus Networks

    Today, link-state routing protocols that compute multiple shortest paths predominate in data center and campus networks, where routing is performed either in layer three or in layer two using link-state routing protocols. But current proposals based on link-state routing do not adapt well to real time traffic variations and become very complex when attempting to balance the traffic load. We propose All-Path bridging, an evolution of the classical transparent bridging that forwards frames over shortest paths using the complete network topology, which overcomes the limitations of the spanning tree protocol. All-Path is a new frame routing paradigm based on the simultaneous exploration of all paths of the real network by a broadcast probe frame, instead of computing routes on the network graph. This paper presents All-Path switches and their differences with standard switches and describes ARP-Path protocol in detail, its path recovery mechanisms and compatibility with IEEE 802.1 standard bridges. ARP-Path is the first protocol variant of the All-Path protocol family. ARP-Path reuses the standard ARP Request and Reply packets to explore reactively the network and find the fastest path between two hosts. We compare its performance in terms of latency and load distribution with link-state shortest-path routing bridges, showing that ARP-Path distributes the load more evenly and provides lower latencies. Implementations on different platforms prove the robustness of the protocol. The conclusion is that All-Path bridging offers a simple, resilient and scalable alternative to path computation protocols

    CAIR: Using Formal Languages to Study Routing, Leaking, and Interception in BGP

    The Internet routing protocol BGP expresses topological reachability and policy-based decisions simultaneously in path vectors. A complete view on the Internet backbone routing is given by the collection of all valid routes, which is infeasible to obtain due to information hiding of BGP, the lack of omnipresent collection points, and data complexity. Commonly, graph-based data models are used to represent the Internet topology from a given set of BGP routing tables but fall short of explaining policy contexts. As a consequence, routing anomalies such as route leaks and interception attacks cannot be explained with graphs. In this paper, we use formal languages to represent the global routing system in a rigorous model. Our CAIR framework translates BGP announcements into a finite route language that allows for the incremental construction of minimal route automata. CAIR preserves route diversity, is highly efficient, and well-suited to monitor BGP path changes in real-time. We formally derive implementable search patterns for route leaks and interception attacks. In contrast to the state-of-the-art, we can detect these incidents. In practical experiments, we analyze public BGP data over the last seven years

    vrfinder: Finding outbound addresses in traceroute

    Current methods to analyze the Internet's router-level topology with paths collected using traceroute assume that the source address for each router in the path is either an inbound or off-path address on each router. In this work, we show that outbound addresses are common in our Internet-wide traceroute dataset collected by CAIDA's Ark vantage points in January 2020, accounting for 1.7% - 5.8% of the addresses seen at some point before the end of a traceroute. This phenomenon can lead to mistakes in Internet topology analysis, such as inferring router ownership and identifying interdomain links. We hypothesize that the primary contributor to outbound addresses is Layer 3 Virtual Private Networks (L3VPNs), and propose vrfinder, a technique for identifying L3VPN outbound addresses in traceroute collections. We validate vrfinder against ground truth from two large research and education networks, demonstrating high precision (100.0%) and recall (82.1% - 95.3%). We also show the benefit of accounting for L3VPNs in traceroute analysis through extensions to bdrmapIT, increasing the accuracy of its router ownership inferences for L3VPN outbound addresses from 61.5% - 79.4% to 88.9% - 95.5%

    Systems for characterizing Internet routing

    2018 Spring. Includes bibliographical references. Today the Internet plays a critical role in our lives; we rely on it for communication, business, and more recently, smart home operations. Users expect high performance and availability of the Internet. To meet such high demands, all Internet components including routing must operate at peak efficiency. However, events that hamper the routing system over the Internet are very common, causing millions of dollars of financial loss, traffic exposed to attacks, or even loss of national connectivity. Moreover, there is sparse real-time detection and reporting of such events for the public. A key challenge in addressing such issues is lack of methodology to study, evaluate and characterize Internet connectivity. While many networks operating autonomously have made the Internet robust, the complexity in understanding how users interconnect, interact and retrieve content has also increased. Characterizing how data is routed, measuring dependency on external networks, and fast outage detection has become very necessary using public measurement infrastructures and data sources. From a regulatory standpoint, there is an immediate need for systems to detect and report routing events where a content provider's routing policies may run afoul of state policies. In this dissertation, we design, build and evaluate systems that leverage existing infrastructure and report routing events in near-real time. In particular, we focus on geographic routing anomalies i.e., detours, routing failure i.e., outages, and measuring structural changes in routing policies
