975 research outputs found
PABO: Mitigating Congestion via Packet Bounce in Data Center Networks
In today's data center, a diverse mix of throughput-sensitive long flows and
delay-sensitive short flows are commonly presented in shallow-buffered
switches. Long flows could potentially block the transmission of
delay-sensitive short flows, leading to degraded performance. Congestion can
also be caused by the synchronization of multiple TCP connections for short
flows, as typically seen in the partition/aggregate traffic pattern. While
multiple end-to-end transport-layer solutions have been proposed, none of them
have tackled the real challenge: reliable transmission in the network. In this
paper, we fill this gap by presenting PABO -- a novel link-layer design that
can mitigate congestion by temporarily bouncing packets to upstream switches.
PABO's design fulfills the following goals: i) providing per-flow based flow
control on the link layer, ii) handling transient congestion without the
intervention of end devices, and iii) gradually back propagating the congestion
signal to the source when the network is not capable to handle the
congestion.Experiment results show that PABO can provide prominent advantage of
mitigating transient congestions and can achieve significant gain on end-to-end
delay
Vicinity-based Replica Finding in Named Data Networking
In Named Data Networking (NDN) architectures, a content object is located according to the content's identifier and can be retrieved from all nodes that hold a replica of the content. The default forwarding strategy of NDN is to forward an Interest packet along the default path from the requester to the server to find a content object according to its name prefix. However, the best path may not be the default path, since content might also be located nearby. Hence, the default strategy could result in a sub-optimal delivery efficiency. To address this issue we introduce a vicinity-based replica finding scheme. This is based on the observation that content objects might be requested several times. Therefore, replicas can be often cached within a particular neighbourhood and thus it might be efficient to specifically look for them in order to improve the content delivery performance. Within this paper, we evaluate the optimal size of the vicinity within which content should be located (i.e. the distance between the requester and its neighbours that are considered within the content search). We also compare the proposed scheme with the default NDN forwarding strategy with respect to replica finding efficiency and network overhead. Using the proposed scheme, we demonstrate that the replica finding mechanism reduces the delivery time effectively with acceptable overhead costs
On the realization of VANET using named data networking: On improvement of VANET using NDN-based routing, caching, and security
Named data networking (NDN) presents a huge opportunity to tackle some of the unsolved issues of IP-based vehicular ad hoc networks (VANET). The core characteristics of NDN such as the name-based routing, in-network caching, and built-in data security provide better management of VANET proprieties (e.g., the high mobility, link intermittency, and dynamic topology). This study aims at providing a clear view of the state-of-the-art on the developments in place, in order to leverage the characteristics of NDN in VANET. We resort to a systematic literature review (SLR) to perform a reproducible study, gathering the proposed solutions and summarizing the main open challenges on implementing NDN-based VANET. There exist several related studies, but they are more focused on other topics such as forwarding. This work specifically restricts the focus on VANET improvements by NDN-based routing (not forwarding), caching, and security. The surveyed solution herein presented is performed between 2010 and 2021. The results show that proposals on the selected topics for NDN-based VANET are recent (mainly from 2016 to 2021). Among them, caching is the most investigated topic. Finally, the main findings and the possible roadmaps for further development are highlighted
Tracking Normalized Network Traffic Entropy to Detect DDoS Attacks in P4
Distributed Denial-of-Service (DDoS) attacks represent a persistent threat to
modern telecommunications networks: detecting and counteracting them is still a
crucial unresolved challenge for network operators. DDoS attack detection is
usually carried out in one or more central nodes that collect significant
amounts of monitoring data from networking devices, potentially creating issues
related to network overload or delay in detection. The dawn of programmable
data planes in Software-Defined Networks can help mitigate this issue, opening
the door to the detection of DDoS attacks directly in the data plane of the
switches. However, the most widely-adopted data plane programming language,
namely P4, lacks supporting many arithmetic operations, therefore, some of the
advanced network monitoring functionalities needed for DDoS detection cannot be
straightforwardly implemented in P4. This work overcomes such a limitation and
presents two novel strategies for flow cardinality and for normalized network
traffic entropy estimation that only use P4-supported operations and guarantee
a low relative error. Additionally, based on these contributions, we propose a
DDoS detection strategy relying on variations of the normalized network traffic
entropy. Results show that it has comparable or higher detection accuracy than
state-of-the-art solutions, yet being simpler and entirely executed in the data
plane.Comment: Accepted by TDSC on 24/09/202
Security and Privacy Issues in Wireless Mesh Networks: A Survey
This book chapter identifies various security threats in wireless mesh
network (WMN). Keeping in mind the critical requirement of security and user
privacy in WMNs, this chapter provides a comprehensive overview of various
possible attacks on different layers of the communication protocol stack for
WMNs and their corresponding defense mechanisms. First, it identifies the
security vulnerabilities in the physical, link, network, transport, application
layers. Furthermore, various possible attacks on the key management protocols,
user authentication and access control protocols, and user privacy preservation
protocols are presented. After enumerating various possible attacks, the
chapter provides a detailed discussion on various existing security mechanisms
and protocols to defend against and wherever possible prevent the possible
attacks. Comparative analyses are also presented on the security schemes with
regards to the cryptographic schemes used, key management strategies deployed,
use of any trusted third party, computation and communication overhead involved
etc. The chapter then presents a brief discussion on various trust management
approaches for WMNs since trust and reputation-based schemes are increasingly
becoming popular for enforcing security in wireless networks. A number of open
problems in security and privacy issues for WMNs are subsequently discussed
before the chapter is finally concluded.Comment: 62 pages, 12 figures, 6 tables. This chapter is an extension of the
author's previous submission in arXiv submission: arXiv:1102.1226. There are
some text overlaps with the previous submissio
In-Network Volumetric DDoS Victim Identification Using Programmable Commodity Switches
Volumetric distributed Denial-of-Service (DDoS) attacks have become one of
the most significant threats to modern telecommunication networks. However,
most existing defense systems require that detection software operates from a
centralized monitoring collector, leading to increased traffic load and delayed
response. The recent advent of Data Plane Programmability (DPP) enables an
alternative solution: threshold-based volumetric DDoS detection can be
performed directly in programmable switches to skim only potentially hazardous
traffic, to be analyzed in depth at the controller. In this paper, we first
introduce the BACON data structure based on sketches, to estimate
per-destination flow cardinality, and theoretically analyze it. Then we employ
it in a simple in-network DDoS victim identification strategy, INDDoS, to
detect the destination IPs for which the number of incoming connections exceeds
a pre-defined threshold. We describe its hardware implementation on a
Tofino-based programmable switch using the domain-specific P4 language, proving
that some limitations imposed by real hardware to safeguard processing speed
can be overcome to implement relatively complex packet manipulations. Finally,
we present some experimental performance measurements, showing that our
programmable switch is able to keep processing packets at line-rate while
performing volumetric DDoS detection, and also achieves a high F1 score on DDoS
victim identification.Comment: Accepted by IEEE Transactions on Network and Service Management
Special issue on Latest Developments for Security Management of Networks and
Service
Self-Modeling based Diagnosis of Services over Programmable Networks
International audienceIn this paper, we propose a multi-layer self-diagnosis framework for networking services within SDN and NFV environments. The framework encompasses three main contributions: 1) the definition of multi-layered templates to identify what to supervise while taking into account the physical, logical, virtual and service layers. These templates are also finer-granular, extendable and machine-readable; 2) a self-modeling module that takes as input these templates, instantiates them and generates on-the-fly the diagnosis model that includes the physical, logical, and the virtual dependencies of networking services; 3) a service-aware root-cause analysis module that takes into account the networking services' views and their underlying network resources observations within the aforementioned layers. We also present extensive simulations to prove the fully automated, finer granularity and reduced uncertainty of the root cause of networking services failures and their underlying network resources
Flexpop: A popularity-based caching strategy for multimedia applications in information-centric networking
Information-Centric Networking (ICN) is the dominant architecture for the future Internet.
In ICN, the content items are stored temporarily in network nodes such as routers. When the memory of routers becomes full and there is no room for a new
arriving content, the stored contents are evicted to cope with the limited cache size of the routers. Therefore, it is crucial to develop an effective caching strategy for keeping popular contents for a longer period of time. This study proposes a new caching strategy, named Flexible Popularity-based Caching (FlexPop) for storing popular contents.
The FlexPop comprises two mechanisms, i.e., Content Placement Mechanism (CPM), which is responsible for content caching, and Content Eviction Mechanism
(CEM) that deals with content eviction when the router cache is full and there is no space for the new incoming content. Both mechanisms are validated using Fuzzy Set Theory, following the Design Research Methodology (DRM) to manifest that the research is rigorous and repeatable under comparable conditions. The performance of FlexPop is evaluated through simulations and the results are compared with those of the Leave Copy Everywhere (LCE), ProbCache, and Most Popular Content (MPC) strategies. The results show that the FlexPop strategy outperforms LCE, ProbCache,
and MPC with respect to cache hit rate, redundancy, content retrieval delay, memory utilization, and stretch ratio, which are regarded as extremely important metrics (in various studies) for the evaluation of ICN caching. The outcomes exhibited in this study are noteworthy in terms of making FlexPop acceptable to users as they can verify
the performance of ICN before selecting the right caching strategy. Thus FlexPop has potential in the use of ICN for the future Internet such as in deployment of the IoT technology
- …