    Independent Submission S. Vinapamula Request for Comments: 7767 Juniper Networks Category: Informational

    Abstract: This document specifies a mechanism for a host to indicate via the Port Control Protocol (PCP) which connections should be protected against network failures. These connections will then be subject to high-availability mechanisms enabled on the network side. This approach assumes that applications and/or users have more visibility about sensitive connections than any heuristic that can be enabled on the network side to guess which connections should be check-pointed.

    Analysis of security impact of making mShield an IPv4 to IPv6 converter box

    NAT64/DNS64 in the Networks with DNSSEC

    The rising number of DNS-over-HTTPS capable resolvers and applications results in the higher use of third-party DNS resolvers by clients. Because of that, the currently most deployed method of the NAT64 prefix detection, the RFC7050[1], fails to detect the NAT64 prefix. As a result, clients using either NAT64/DNS64 or 464XLAT transition mechanisms fail to detect the NAT64 prefix properly, making the IPv4-only resources inaccessible. The aim of this thesis is to develop a new DNS-based detection method that would work with foreign DNS and utilize added security by the DNS security extension, the DNSSEC. The thesis describes current methods of the NAT64 prefix detection, their underlying protocols, and their limitations in their coexistence with other network protocols. The developed method uses the SRV record type to transmit the NAT64 prefix in the global DNS tree. Because the proposed method uses already existing protocols and record types, the method is easily deployable without any modification of the server or the transport infrastructure. Due to the global DNS tree usage, the developed method can utilize the security provided by the DNSSEC and therefore shows better security characteristics than previous methods. This thesis forms the basis for standardization effort in the IETF.

    Security Mechanisms for Workflows in Service-Oriented Architectures

    This thesis investigates how support for security and identity management can be integrated into a workflow management system. Based on a requirements analysis using an example from professional continuing education and a comparison with the state of the art, an architecture is developed for the secure execution of workflows and their integration with identity management systems, enabling new applications with improved security and privacy.

    Ad hoc networking in a medical environment

    Unifying Static And Runtime Analysis In Declarative Distributed Systems

    Today’s distributed systems are becoming increasingly complex, due to the ever-growing number of network devices and their variety. The complexity makes it hard for system administrators to correctly configure distributed systems. This motivates the need for effective analytic tools that can help ensure correctness of distributed systems. One challenge in ensuring correctness is that there does not exist one solution that works for all properties. One type of properties, such as security properties, are so critical that they demand pre-deployment verification (i.e., static analysis) which, though time-consuming, explores the whole execution space. However, due to the potential problem of state explosion, static verification of all properties is not practical, and not necessary. Violation of non-critical properties, such as correct routing with shortest paths, is tolerable during execution and can be diagnosed after errors occur (i.e., runtime analysis), a more light-weight approach compared to verification. This dissertation presents STRANDS, a declarative framework that enables users to perform both pre-deployment verification and post-deployment diagnostics on top of declarative specification of distributed systems. STRANDS uses Network Datalog (NDlog), a distributed variant of Datalog query language, to specify network protocols and services. STRANDS has two components: a system verifier and a system debugger. The verifier allows the user to rigorously prove safety properties of network protocols and services, using either the program logic or symbolic execution we develop for NDlog programs. The debugger, on the other hand, facilitates diagnosis of system errors by allowing for querying of the structured history of network execution (i.e., network provenance) that is maintained in a storage-efficient manner. We show the effectiveness of STRANDS by evaluating both the verifier and the debugger. 
Using the verifier, we prove path authenticity of secure routing protocols, and verify a number of safety properties in software-defined networking (SDN). Also, we demonstrate that our provenance maintenance algorithm achieves significant storage reduction, while incurring negligible network overhead.

    Proceedings Work-In-Progress Session of the 13th Real-Time and Embedded Technology and Applications Symposium

    The Work-In-Progress session of the 13th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS '07) presents papers describing contributions both to state of the art and state of the practice in the broad field of real-time and embedded systems. The 17 accepted papers were selected from 19 submissions. This proceedings is also available as Washington University in St. Louis Technical Report WUCSE-2007-17, at http://www.cse.seas.wustl.edu/Research/FileDownload.asp?733. Special thanks go to the General Chairs, Steve Goddard and Steve Liu, and the Program Chairs, Scott Brandt and Frank Mueller, for their support and guidance.

    Modeling and simulation of network equipment for Industry 4.0

    Currently, the industrial sector has increasingly opted for digital technologies in order to automate all its processes. This development comes from notions like Industry 4.0 that redefine the way these systems are designed. Structurally, all the components of these systems are connected in a complex network known as the Industrial Internet of Things. Certain requirements arise from this concept regarding industrial communication networks. Among them, the need to ensure real-time communications, as well as support for dynamic resource management, are extremely relevant. Several lines of research have sought to develop network technologies capable of meeting such requirements. One of these protocols is the Hard Real-Time Ethernet Switch (HaRTES), an Ethernet switch with support for real-time communications and dynamic resource management, requirements imposed by Industry 4.0. The process of designing and implementing industrial networks can, however, be quite time consuming and costly. These aspects impose limitations on testing large networks, whose level of complexity is higher and requires the usage of more hardware. The utilization of network simulators stems from the necessity to overcome such restrictions and provide tools to facilitate the development of new protocols and evaluation of communications networks. In the scope of this dissertation a HaRTES switch model was developed in the OMNeT++ simulation environment. In order to demonstrate a solution that can be employed in industrial real-time networks, this dissertation presents the fundamental aspects of the implemented model as well as a set of experiments that compare it with an existing laboratory prototype, with the objective of validating its implementation. Master's degree in Electronics and Telecommunications Engineering.

    UWOMJ Volume 81, Issue 1, Spring 2012

