265 research outputs found
The application of the in-tree knapsack problem to routing prefix caches
Modern routers use specialized hardware, such as Ternary Content Addressable Memory (TCAM), to solve the Longest Prefix Matching Problem (LPMP) quickly. Due to the fact that TCAM is a non-standard type of memory and inherently parallel, there are concerns about its cost and power consumption. This problem is exacerbated by the growth in routing tables, which demands ever larger TCAMs.
To reduce the size of the TCAMs in a distributed forwarding environment, a batch caching model is proposed and analyzed. The problem of determining which routing prefixes to store in the TCAMs reduces to the In-tree Knapsack Problem (ITKP) for unit weight vertices in this model.
Several algorithms are analysed for solving the ITKP, both in the general case and when the problem is restricted to unit weight vertices. Additionally, a variant problem is proposed and analyzed, which exploits the caching model to provide better solutions. This thesis concludes with discussion of open problems and future experimental work
Beyond Node Degree: Evaluating AS Topology Models
This is the accepted version of 'Beyond Node Degree: Evaluating AS Topology Models', archived originally at arXiv:0807.2023v1 [cs.NI] 13 July 2008.Many models have been proposed to generate Internet Autonomous System (AS) topologies, most of which make structural assumptions about the AS graph. In this paper we compare AS topology generation models with several observed AS topologies. In contrast to most previous works, we avoid making assumptions about which topological properties are important to characterize the AS topology. Our analysis shows that, although matching degree-based properties, the existing AS topology generation models fail to capture the complexity of the local interconnection structure between ASs. Furthermore, we use BGP data from multiple vantage points to show that additional measurement locations significantly affect local structure properties, such as clustering and node centrality. Degree-based properties, however, are not notably affected by additional measurements locations. These observations are particularly valid in the core. The shortcomings of AS topology generation models stems from an underestimation of the complexity of the connectivity in the core caused by inappropriate use of BGP data
IP Flow Mobility support for Proxy Mobile IPv6 based networks
The ability of offloading selected IP data traffic from 3G to WLAN access networks is considered a key feature in the upcoming 3GPP specifications, being the main goal to alleviate data congestion in celular networks while delivering a positive user experience. Lately, the 3GPP has adopted solutions that enable mobility of IP-based wireless devices relocating mobility functions from the terminal to the network. To this end, the IETF has standardized Proxy Mobile IPv6 (PMIPv6), a protocol capable to hide often complex mobility procedures from the mobile devices.
This thesis, in line with the mentioned offload requirement, further extends Proxy Mobile IPv6 to support dynamic IP flow mobility management across access wireless networks according to operator policies. In this work, we assess the feasibility of the proposed solution and provide an experimental analysis based on a prototype network setup, implementing the PMIPv6 protocol and the related enhancements for flow mobility support.
***
La capacità di spostare flussi IP da una rete di accesso 3G ad una di tipo WLAN è considerata una caratteristica chiave nelle specifiche future di 3GPP, essendo il principale metodo per alleviare la congestione nelle reti cellulari mantenendo al contempo una ragionevole qualità percepita dall'utente. Recentemente, 3GPP ha adottato soluzioni di mobilità per dispositivi con accesso radio basato su IP, traslando le funzioni di supporto dal terminale alla rete, e, a questo scopo, IETF ha standardizzato Proxy Mobile IPv6 (PMIPv6), un protocollo studiato per nascondere le procedure di mobilità ai sistemi mobili.
Questa tesi, in linea con la citata esigenza di spostare flussi IP, estende ulteriormente PMIPv6 per consentire il supporto alla mobilità di flussi tra diverse reti di accesso wireless, assecondando le regole e/o politiche definite da un operatore.
In questo lavoro, ci proponiamo di asserire la fattibilità della soluzione proposta, fornendo un'analisi sperimentale di essa sulla base di un prototipo di rete che implementa il protocollo PMIPv6 e le relative migliorie per il supporto alla mobilità di flussiope
Side-channel timing attack on content privacy of named data networking
Tese de Doutoramento em Engenharia Electrónica e de ComputadoresA diversity of current applications, such as Netflix, YouTube, and social media, have used the Internet mainly
as a content distribution network. Named Data Networking (NDN) is a network paradigm that attempts to
answer today’s applications need by naming the content. NDN promises an optimized content distribution
through a named content-centric design. One of the NDN key features is the use of in-network caching
to improve network efficiency in terms of content distribution. However, the cached contents may put the
consumer privacy at risk. Since the time response of cached contents is different from un-cached contents,
the adversary may distinguish the cached contents (targets) from un-cached ones, through the side-channel
timing responses. The scope of attack can be towards the content, the name, or the signature. For instance,
the adversary may obtain the call history, the callee or caller location on a trusted Voice over NDN (VoNDN)
and the popularity of contents in streaming applications (e.g. NDNtube, NDNlive) through side-channel
timing responses of the cache.
The side-channel timing attack can be mitigated by manipulating the time of the router responses. The
countermeasures proposed by other researches, such as additional delay, random/probabilistic caching,
group signatures, and no-caching can effectively be used to mitigate the attack. However, the content
distribution may be affected by pre-configured countermeasures which may go against the goal of the
original NDN paradigm. In this work, the detection and defense (DaD) approach is proposed to mitigate the
attack efficiently and effectively. With the DaD usage, an attack can be detected by a multi-level detection
mechanism, in order to apply the countermeasures against the adversarial faces. Also, the detections can
be used to determine the severity of the attack. In order to detect the behavior of an adversary, a brute-force
timing attack was implemented and simulated with the following applications and testbeds: i. a trusted
application that mimics the VoNDN and identifies the cached certificate on a worldwide NDN testbed, and
ii. a streaming-like NDNtube application to identify the popularity of videos on the NDN testbed and AT&T
company. In simulation primary results showed that the multi-level detection based on DaD mitigated the
attack about 39.1% in best-route, and 36.6% in multicast communications. Additionally, the results showed
that DaD preserves privacy without compromising the efficiency benefits of in-network caching in NDNtube
and VoNDN applications.Várias aplicações atuais, como o Netflix e o YouTube, têm vindo a usar a Internet como uma rede de
distribuição de conteúdos. O Named Data Networking (NDN) é um paradigma recente nas redes de comunicações
que tenta responder às necessidades das aplicações modernas, através da nomeação dos
conteúdos. O NDN promete uma otimização da distribuição dos conteúdos usando uma rede centrada
nos conteúdos. Uma das caracterÃsticas principais do NDN é o uso da cache disponivel nos nós da rede
para melhorar a eficiência desta em termos de distribuição de conteúdos. No entanto, a colocação dos
conteúdos em cache pode colocar em risco a privacidade dos consumidores. Uma vez que a resposta
temporal de um conteúdo em cache é diferente do de um conteúdo que não está em cache, o adversário
pode distinguir os conteúdos que estão em cache dos que não estão em cache, através das respostas de
side-channel. O objectivo do ataque pode ser direcionado para o conteúdo, o nome ou a assinatura da
mensagem. Por exemplo, o adversário pode obter o histórico de chamadas, a localização do callee ou do
caller num serviço seguro de voz sobre NDN (VoNDN) e a popularidade do conteúdos em aplicações de
streaming (e.g. NDNtube, NDNlive) através das respostas temporais de side-channel.
O side-channel timing attack pode ser mitigado manipulando o tempo das respostas dos routers. As
contramedidas propostas por outros pesquisadores, tais como o atraso adicional, o cache aleatório /probabilÃstico,
as assinaturas de grupo e não fazer cache, podem ser efetivamente usadas para mitigar um
ataque. No entanto, a distribuição de conteúdos pode ser afetada por contramedidas pré-configuradas
que podem ir contra o propósito original do paradigma NDN. Neste trabalho, a abordagem de detecção e
defesa (DaD) é proposta para mitigar o ataque de forma eficiente e eficaz. Com o uso do DaD, um ataque
pode ser detectado por um mecanismo de detecção multi-nÃvel, a fim de aplicar as contramedidas contra
as interfaces dos adversários. Além disso, as detecções podem ser usadas para determinar a gravidade
do ataque. A fim de detectar o comportamento de um adversário, um timing attack de força-bruta foi
implementado e simulado com as seguintes aplicações e plataformas (testbeds): i. uma aplicação segura
que implementa o VoNDN e identifica o certificado em cache numa plataforma NDN mundial; e ii. uma
aplicação de streaming do tipo NDNtube para identificar a popularidade de vÃdeos na plataforma NDN da
empresa AT&T. Os resultados da simulação mostraram que a detecção multi-nÃvel oferecida pelo DaD atenuou
o ataque cerca de 39,1% em best-route e 36,5% em comunicações multicast. Para avaliar o efeito nos
pedidos legÃtimos, comparou-se o DaD com uma contramedida estática, tendo-se verificado que o DaD foi
capaz de preservar todos os pedidos legÃtimos
Optimal route reflection topology design
An Autonomous System (AS) is a group of Internet Protocol-based networks with a single and clearly defined external routing policy, usually under single ownership, trust or administrative control. The AS represents a connected group of one or more blocks of IP addresses, called IP prefixes, that have been assigned to that organization and provides a single routing policy to systems outside the AS.
The Internet is composed of the interconnection of several thousands of ASes, which use the Border Gateway Protocol (BGP) to exchange network prefixes (aggregations of IP addresses) reachability advertisements. BGP advertisements (or updates) are sent over BGP sessions administratively set between pairs of routers.
BGP is a path vector routing protocol and is used to span different ASes. A path vector protocol defines a route as a pairing between a destination and the attributes of the path to that destination. Interior Border Gateway Protocol (iBGP) refers to the BGP neighbor relationship within the same AS. When BGP neighbor relationship are formed between two peers belonging to different AS are called Exterior Border Gateway Protocol (eBGP). In the last case, BGP routers are called Autonomous System Border Routers (ASBRs), while those running only iBGP sessions are referred to as Internal Routers (IRs).
Traditional iBGP implementations require a full-mesh of sessions among routers of each AS
Greedy routing and virtual coordinates for future networks
At the core of the Internet, routers are continuously struggling with
ever-growing routing and forwarding tables. Although hardware advances
do accommodate such a growth, we anticipate new requirements e.g. in
data-oriented networking where each content piece has to be referenced
instead of hosts, such that current approaches relying on global
information will not be viable anymore, no matter the hardware
progress. In this thesis, we investigate greedy routing methods that
can achieve similar routing performance as today but use much less
resources and which rely on local information only. To this end, we
add specially crafted name spaces to the network in which virtual
coordinates represent the addressable entities. Our scheme enables participating
routers to make forwarding decisions using only neighbourhood information,
as the overarching pseudo-geometric name space structure already
organizes and incorporates "vicinity" at a global level.
A first challenge to the application of greedy routing on virtual
coordinates to future networks is that of "routing dead-ends"
that are local minima due to the difficulty of consistent coordinates
attribution. In this context, we propose a routing recovery scheme
based on a multi-resolution embedding of the network in low-dimensional Euclidean spaces.
The recovery is performed by routing greedily on a blurrier view of the network. The
different network detail-levels are obtained though the embedding of
clustering-levels of the graph. When compared with
higher-dimensional embeddings of a given network, our method shows a
significant diminution of routing failures for similar header and
control-state sizes.
A second challenge to the application of virtual coordinates and
greedy routing to future networks is the support of
"customer-provider" as well as "peering" relationships between
participants, resulting in a differentiated services
environment. Although an application of greedy routing within such a
setting would combine two very common fields of today's networking
literature, such a scenario has, surprisingly, not been studied so
far. In this context we propose two approaches to address this scenario.
In a first approach we implement a path-vector protocol similar to
that of BGP on top of a greedy embedding of the network. This allows
each node to build a spatial map associated with each of its
neighbours indicating the accessible regions. Routing is then
performed through the use of a decision-tree classifier taking the
destination coordinates as input. When applied on a real-world dataset
(the CAIDA 2004 AS graph) we demonstrate an up to 40% compression ratio of
the routing control information at the network's core as well as a computationally efficient
decision process comparable to methods such as binary trees and tries.
In a second approach, we take inspiration from consensus-finding in social
sciences and transform the three-dimensional distance data structure
(where the third dimension encodes the service differentiation) into a
two-dimensional matrix on which classical embedding tools can be used.
This transformation is achieved by agreeing on a set of
constraints on the inter-node distances guaranteeing an
administratively-correct greedy routing. The computed distances are
also enhanced to encode multipath support. We demonstrate a good
greedy routing performance as well as an above 90% satisfaction of multipath constraints
when relying on the non-embedded obtained distances on synthetic datasets.
As various embeddings of the consensus distances do not fully exploit their multipath potential, the use of compression techniques such as transform coding to
approximate the obtained distance allows for better routing performances
Washington University Record, January 29, 1998
https://digitalcommons.wustl.edu/record/1781/thumbnail.jp
FPGA-based architectures for next generation communications networks
This engineering doctorate concerns the application of Field Programmable Gate Array (FPGA) technology to some of the challenges faced in the design of next generation communications networks. The growth and convergence of such networks has fuelled demand for higher bandwidth systems, and a requirement to support a diverse range of payloads across the network span.
The research which follows focuses on the development of FPGA-based architectures for two important paradigms in contemporary networking - Forward Error Correction and Packet Classification. The work seeks to combine analysis of the underlying algorithms and mathematical techniques which drive these applications, with an informed approach to the design of efficient FPGA-based circuits
Noise-tolerance feasibility for restricted-domain Information Retrieval systems
Information Retrieval systems normally have to work with rather heterogeneous sources, such as Web sites or documents from Optical Character Recognition tools. The correct conversion of these sources into flat text files is not a trivial task since noise may easily be introduced as a result of spelling or typeset errors. Interestingly, this is not a great drawback when the size of the corpus is sufficiently large, since redundancy helps to overcome noise problems. However, noise becomes a serious problem in restricted-domain Information Retrieval specially when the corpus is small and has little or no redundancy. This paper devises an approach which adds noise-tolerance to Information Retrieval systems. A set of experiments carried out in the agricultural domain proves the effectiveness of the approach presented
- …