
    An Architecture for Global Distributed SIP Network Using IPv4 Anycast

    This thesis is about using IP anycast-based methods for locating RTP proxy servers close to VoIP clients. The RTP proxy servers are hosts on the public Internet that relay RTP media between VoIP clients in a way that accomplishes traversal of Network Address Translators (NATs). Without geographically dispersed RTP proxy servers and methods to find one in the client's proximity, media quality drops needlessly and voice latency may be unbearably long, dramatically reducing perceived voice quality. This document proposes four methods and compares them, with a more detailed design of the DNS-resolution-based and SIP-protocol-based methods. It includes IP anycast measurements that give an overview of IP anycast behaviour in terms of routing metrics versus latency metrics. It also includes an implementation on the SIP Express Router platform.

    A collaborative P2P Scheme for NAT Traversal Server discovery based on topological information

    In the current Internet picture more than 70% of the hosts are located behind Network Address Translators (NATs). This is not a problem for the client/server paradigm. However, the Internet has evolved, and nowadays the largest portion of the traffic is due to peer-to-peer (P2P) applications. This scenario presents an important challenge: two hosts behind NATs (NATed hosts) cannot establish direct communications. The easiest way to solve this problem is to use a third entity, called a Relay, that forwards the traffic between the NATed hosts. Although many efforts have been devoted to avoiding the use of Relays, they are still needed in many situations. Hence, the selection of a suitable Relay becomes critical to many P2P applications. In this paper, we propose the Gradual Proximity Algorithm (GPA): a simple algorithm that guarantees the selection of a topologically close-by Relay. We present a measurement-based analysis showing that the GPA minimizes both the delay of the relayed communication and the transit traffic generated by the Relay, making it a QoS-aware and ISP-friendly solution. Furthermore, the paper presents the Peer-to-Peer NAT Traversal Architecture (P2P-NTA), a global, distributed and collaborative solution based on the GPA, which addresses the Relay discovery/selection problem. We have performed large-scale simulations based on real measurements, which validate our proposal. The results show that the P2P-NTA performs similarly to direct communication with reasonably large deployments of P2P applications: only 5% of the communications experience an extra delay that may degrade the QoS due to the use of Relays, and the amount of extra transit traffic generated is only 6%.
    We also show that the P2P-NTA largely outperforms other proposals, in which the QoS degradation affects more than 50% of the communications and the extra traffic generated goes beyond 80%. This work has been partially funded by the grants MEDIANET (S2009/TIC-1466) from the Regional Government of Madrid and CON-PARTE (TEC2007-67966-C03-03) from the Ministry of Science and Innovation of Spain.

    Patterns and Interactions in Network Security

    Networks play a central role in cyber-security: networks deliver security attacks, suffer from them, defend against them, and sometimes even cause them. This article is a concise tutorial on the large subject of networks and security, written for all those interested in networking, whether their specialty is security or not. To achieve this goal, we derive our focus and organization from two perspectives. The first perspective is that, although mechanisms for network security are extremely diverse, they are all instances of a few patterns. Consequently, after a pragmatic classification of security attacks, the main sections of the tutorial cover the four patterns for providing network security, of which the familiar three are cryptographic protocols, packet filtering, and dynamic resource allocation. Although cryptographic protocols hide the data contents of packets, they cannot hide packet headers. When users need to hide packet headers from adversaries, which may include the network from which they are receiving service, they must resort to the pattern of compound sessions and overlays. The second perspective comes from the observation that security mechanisms interact in important ways, with each other and with other aspects of networking, so each pattern includes a discussion of its interactions. (63 pages, 28 figures, 56 references)
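    The point that encryption hides contents but not headers, and that packet filtering therefore operates on exactly the fields an observer can still read, as an added example that is not part of the article: a constructed IPv4/UDP datagram carrying an encrypted payload is parsed from the viewpoint of a passive on-path observer and of the key holder, then run through a header-only filter. The cipher is a toy SHA-256 counter-mode keystream standing in for a real AEAD; the addresses, ports, key and SIP-looking payload are made up for the demonstration.

```python
"""Added example: what an on-path observer learns from an encrypted UDP datagram.

Illustrative code, not from the article. The cipher is a toy SHA-256
counter-mode keystream standing in for a real AEAD (use AES-GCM or
ChaCha20-Poly1305 in practice); addresses, ports and the SIP-looking payload
are constructed for the demonstration.
"""
import hashlib
import os
import socket
import struct

IPPROTO_UDP = 17
NONCE_LEN = 8


def _keystream(key, nonce, length):
    """Toy counter-mode keystream: concatenated SHA-256(key || nonce || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext, nonce=None):
    """Return nonce || ciphertext; the nonce travels in the clear, like a real IV."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def open_payload(key, sealed):
    nonce, ct = sealed[:NONCE_LEN], sealed[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _checksum(data):
    """RFC 1071 one's-complement sum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_datagram(src, dst, sport, dport, payload):
    """IPv4 header (20 bytes, no options) + UDP header (8 bytes) + payload."""
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)  # UDP checksum is optional over IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp_hdr + payload


def observer_view(datagram):
    """Everything a passive on-path adversary can read without the key."""
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    ihl = (vihl & 0x0F) * 4
    sport, dport, udp_len, _ = struct.unpack("!HHHH", datagram[ihl:ihl + 8])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "protocol": proto,
            "ttl": ttl, "sport": sport, "dport": dport, "total_len": total_len,
            "payload": datagram[ihl + 8:ihl + udp_len]}  # ciphertext: opaque, but its size is not


def recipient_view(datagram, key):
    """Only the key holder recovers the contents; the envelope is public to both."""
    return open_payload(key, observer_view(datagram)["payload"])


def filter_verdict(view, rules):
    """Header-only packet filter: first matching rule wins, default deny.

    A rule maps header field names to required values plus an "action"; it can
    only test what observer_view exposes, never the encrypted contents.
    """
    for rule in rules:
        if all(view.get(field) == value for field, value in rule.items() if field != "action"):
            return rule["action"]
    return "deny"


def demo():
    key = hashlib.sha256(b"constructed demo key").digest()
    plaintext = b"INVITE sip:bob@example.org SIP/2.0"      # constructed SIP-looking payload
    dg = build_datagram("192.0.2.10", "198.51.100.7", 5060, 5060,
                        seal(key, plaintext, nonce=b"\x00" * NONCE_LEN))
    view = observer_view(dg)
    rules = [{"dst": "198.51.100.7", "dport": 5060, "protocol": IPPROTO_UDP, "action": "allow"}]
    return {"observer": view, "plaintext_leaked": plaintext in dg,
            "recipient": recipient_view(dg, key), "verdict": filter_verdict(view, rules)}


if __name__ == "__main__":
    result = demo()
    for field, value in result["observer"].items():
        print("observer sees %-9s %r" % (field + ":", value))
    print("plaintext leaked:", result["plaintext_leaked"])
    print("recipient reads: ", result["recipient"])
    print("filter verdict:  ", result["verdict"])
```

    Running it shows the observer reading both endpoints, both ports, the protocol, the TTL and the payload length while the SIP request itself never appears in the datagram; the filter's allow decision rests only on those visible fields. Hiding the envelope as well is what the article's fourth pattern, compound sessions and overlays, is for: the same datagram would have to be wrapped in a second session whose outer headers point at an overlay node rather than at the real destination.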

    Survey of Transportation of Adaptive Multimedia Streaming service in Internet

    The World Wide Web is the greatest boon of the technological advancement of the modern era. Using the Internet globally, anywhere and anytime, users can access live and on-demand video services. Streaming media systems such as YouTube, Netflix, and Apple Music dominate the multimedia world and enjoy wide popularity among users. A key concern for video streaming applications over the Internet is the Quality of Experience (QoE) that users perceive. Because changing network conditions, bit rate and initial delay can make the multimedia file freeze or deliver poor video quality to end users, researchers across industry and academia have explored HTTP Adaptive Streaming (HAS), which splits the video content into multiple segments and offers them to clients at varying qualities. The video player at the client side plays a vital role in buffer management and in choosing the appropriate bit rate for each segment of video to be transmitted. Video transmitted at a higher bit rate pauses in between, whereas a lower bit rate video lacks quality, requiring a trade-off between them. The need of the hour is to adaptively vary the bit rate and video quality to match the conditions of the transmission medium. The main aim of this paper is to give an overview of state-of-the-art HAS techniques across the multimedia and networking domains. A detailed survey was conducted to analyse challenges and solutions in adaptive streaming algorithms, QoE, network protocols, buffering, etc. It also focuses on the various QoE influence factors under fluctuating network conditions, which are often ignored in present HAS methodologies.
    Furthermore, this survey will give network and multimedia researchers a fair understanding of the latest developments in adaptive streaming and of the improvements that can be incorporated in future work. Abdullah, M. T. A.; Lloret, J.; Canovas Solbes, A.; García-García, L. (2017). Survey of Transportation of Adaptive Multimedia Streaming service in Internet. Network Protocols and Algorithms, 9(1-2):85-125. doi:10.5296/npa.v9i1-2.12412

    Security in peer-to-peer communication systems

    P2PSIP (Peer-to-Peer Session Initiation Protocol) is a protocol developed by the IETF (Internet Engineering Task Force) for the establishment, completion and modification of communication sessions that emerges as a complement to SIP (Session Initiation Protocol) in environments where the original SIP protocol may fail for technical, financial, security, or social reasons. In order to do so, P2PSIP systems replace the whole server architecture of the original SIP systems, used for the registration and location of users, with a structured P2P network that distributes these functions among all the user agents that are part of the system. This new architecture, as with any emerging system, presents a completely new set of security problems whose analysis, the subject of this thesis, is of crucial importance for its secure development and future standardization. Starting with a study of the state of the art in network security and continuing with more specific systems such as SIP and P2P, we identify the most important security services within the architecture of a P2PSIP communication system: access control, bootstrap, routing, storage and communication. Once the security services have been identified, we conduct an analysis of the attacks that can affect each of them, as well as a study of the existing countermeasures that can be used to prevent or mitigate these attacks. Based on the presented attacks and the weaknesses found in the existing measures to prevent them, we design specific solutions to improve the security of P2PSIP communication systems. To this end, we focus on the service that stands as the cornerstone of P2PSIP communication systems' security: access control.
    Among the newly designed solutions stand out: a certification model based on the segregation of the identity of users and nodes, a model for secure access control for on-the-fly P2PSIP systems, and an authorization framework for P2PSIP systems built on the recently published Internet Attribute Certificate Profile for Authorization. Finally, based on the existing measures and the new solutions designed, we define a set of security recommendations that should be considered for the design, implementation and maintenance of P2PSIP communication systems.

    Local Coordination for Interpersonal Communication Systems

    The decomposition of complex applications into modular units is an acknowledged design principle for creating robust systems and for enabling the flexible re-use of modules in new application contexts. Typically, component frameworks provide mechanisms and rules for developing software modules in the scope of a certain programming paradigm or programming language and a certain computing platform. For example, the JavaBeans framework is a component framework for the development of component-based systems in the Java environment. In this thesis, we present a light-weight, platform-independent approach that views a component-based application as a set of rather loosely coupled parallel processes that can be distributed on multiple hosts and are coordinated through a protocol. The core of our framework is the Message Bus (Mbus): an asynchronous, message-oriented coordination protocol that is based on Internet technologies and provides group communication between application components. Based on this framework, we have developed a local coordination architecture for decomposed multimedia conferencing applications that is designed for endpoint and gateway applications. One element of this architecture is an Mbus-based protocol for the coordination of call control components in conferencing applications.

    Descubrimiento dinámico de servidores basado en información de localización usando una tabla de Hash distribuida balanceada (Dynamic, location-aware server discovery based on a balanced distributed hash table)

    The current Internet includes a large number of distributed services. In order to guarantee the QoS of the communications in these services, a client has to select a close-by server with enough available resources. To achieve this objective, in this thesis we propose a simple and practical solution for Dynamic and Location-Aware Server Discovery based on a Distributed Hash Table (DHT). Specifically, we use a Chord DHT (although any other DHT scheme could be used). In more detail, the solution works as follows. The servers offering a given service S form a Chord-like DHT, in which they register their location (topological and/or geographical) information. Each client using the service S is connected to at least one server from the DHT. When a given client C realizes that it is connected to a server providing bad QoS, it queries the DHT in order to find an appropriate server (i.e. a close-by server with enough available resources). We define 11 design criteria and compare our solution to the related work based on them, showing that our solution is the most complete one. Furthermore, we validate the performance of our solution in two different scenarios: (i) NAT Traversal Server Discovery and (ii) Home Agent Discovery in Mobile IP scenarios. The former validates our solution in a highly dynamic environment, whereas the latter demonstrates its appropriateness in more classical environments where the servers are typically always-on hosts. The extra overhead suffered by the servers involved in our system comes from their participation in the Chord DHT. This overhead is inherent to the system and cannot be eliminated, so it is critical to balance the load fairly among all the servers. In our system, as in other P2P systems (e.g. P2PSIP), the stored objects are small, so routing dominates the cost of publishing and retrieving objects.
    Therefore, in the second part of this thesis, we address the issue of fairly balancing the routing load in Chord DHTs. We present an analytical model to evaluate the routing fairness of Chord based on the well-accepted Jain's Fairness Index (FI). Our model shows that Chord performs poorly. Following this observation, we propose a simple enhancement to the Chord finger selection algorithm with the goal of mitigating this effect. The key advantage of our proposal compared to previous approaches is that it adds negligible overhead to the basic Chord algorithm. We validate the proposed solution analytically and by large-scale simulations.
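    The routing-load measurement the abstract describes, as an added example that is not the thesis' analytical model and does not include its finger-selection enhancement: a plain Chord ring on a constructed 8-bit identifier space, greedy finger routing, and Jain's Fairness Index computed over the per-node forwarding counts when every node looks up every key. The node placement is made up for the demonstration; the textbook finger rule (finger i = successor(n + 2^i)) is kept so that what is measured is baseline Chord.

```python
"""Added example: routing load on a Chord ring and Jain's Fairness Index.

Not the thesis' model or its finger-selection enhancement: this simulates plain
Chord greedy routing on a constructed 8-bit ring and measures how unevenly the
forwarding work is spread across the nodes.
"""
from collections import Counter

M = 8               # identifier bits
RING = 1 << M       # identifier space is [0, 2**M)


def successor_of(ids, x):
    """First live node id at or after x, wrapping around the ring (ids sorted)."""
    for n in ids:
        if n >= x:
            return n
    return ids[0]


def finger_table(ids, n):
    """Chord finger i of node n is successor(n + 2**i); finger 0 is its successor."""
    return [successor_of(ids, (n + (1 << i)) % RING) for i in range(M)]


def in_open(x, a, b):
    """x lies in the ring interval (a, b)."""
    return a < x < b if a < b else (x > a or x < b)


def in_half_open(x, a, b):
    """x lies in the ring interval (a, b]."""
    return a < x <= b if a < b else (x > a or x <= b)


def closest_preceding_finger(fingers, n, key):
    """Largest finger strictly between n and key, or n itself if there is none."""
    for f in reversed(fingers):
        if in_open(f, n, key):
            return f
    return n


def route(tables, start, key):
    """Greedy Chord lookup from start; returns (owner, nodes that handled the query)."""
    n, path = start, [start]
    while True:
        if key == n:
            return n, path
        succ = tables[n][0]
        if in_half_open(key, n, succ):      # no node between n and succ: succ owns key
            return succ, path
        nxt = closest_preceding_finger(tables[n], n, key)
        n = nxt if nxt != n else succ
        path.append(n)


def jains_fairness(loads):
    """Jain's FI = (sum x)^2 / (n * sum x^2); 1.0 means every node carries equal load."""
    xs = list(loads)
    s, s2 = sum(xs), sum(x * x for x in xs)
    return (s * s) / (len(xs) * s2) if s2 else 1.0


def simulate(ids, keys=None):
    """Every node looks up every key; count forwards per node and score fairness."""
    ids = sorted(ids)
    keys = range(RING) if keys is None else keys
    tables = {n: finger_table(ids, n) for n in ids}
    load = Counter({n: 0 for n in ids})
    max_hops, correct = 0, True
    for start in ids:
        for key in keys:
            owner, path = route(tables, start, key)
            correct &= owner == successor_of(ids, key % RING)
            max_hops = max(max_hops, len(path) - 1)
            for hop in path[1:]:            # the originator's own work is not routing load
                load[hop] += 1
    return {"loads": dict(load), "fairness": jains_fairness(load.values()),
            "max_hops": max_hops, "all_correct": correct}


# Constructed, deliberately uneven node placement on the 256-slot ring.
NODE_IDS = [3, 17, 29, 44, 60, 71, 95, 110, 126, 140, 155, 171, 188, 203, 219, 240]

if __name__ == "__main__":
    r = simulate(NODE_IDS)
    print("all lookups correct:", r["all_correct"], " max hops:", r["max_hops"])
    print("per-node routing load:", r["loads"])
    print("Jain's fairness index: %.3f" % r["fairness"])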

    The Decentralized File System Igor-FS as an Application for Overlay-Networks

    IPv6 Deployment in a Service Provider's Data Center Network

    This Master's thesis was done for Capgemini Finland Oy (later referred to as Capgemini). Its objective is to deploy the IPv6 protocol in Capgemini's data center network so that the network is reachable from the Internet via IPv6 in addition to IPv4. The first chapter discusses the background and objectives of the thesis and the problem, and sub-problems, it solves.
    The second chapter explains the inadequacy of the IPv4 protocol and the reasons why IPv6 will eventually replace it. The third chapter presents the IPv6 base protocol and its supporting protocols, based on RFC (Request for Comments) documents published by the IETF (Internet Engineering Task Force) and on the literature. The fourth chapter briefly introduces IPv6 security as it relates to an IPv6 deployment, and the IPv6 transition mechanisms that exist. The fifth chapter first shows a typical data center network topology and then describes the structure of the Capgemini data center network. In the sixth chapter the Capgemini data center network is connected to the Internet via IPv6 and an IPv6 test network is set up in the Capgemini laboratory. A proof of concept for provisioning an IPv6 web service in the Capgemini data center network as easily as possible and with minimal capital and operational expenditure is also developed. Finally, the seventh chapter reviews the results, consequences and challenges of the IPv6 deployment and lays out a plan for the next steps toward a more comprehensive IPv6 deployment in the Capgemini data center network.

    A DHT-based Peer-to-peer Architecture for Distributed Internet Applications

    Peer-to-peer technology has become popular primarily due to file sharing applications such as Napster, Gnutella, Kazaa, and eMule, which were the dominant component of Internet bandwidth usage for several years. However, peer-to-peer technology is not all about file sharing. Many well-known applications used by millions of users every day, such as Skype, are based on the peer-to-peer paradigm. The peer-to-peer (P2P) paradigm is a communication model in which multiple independent and heterogeneous devices interact as equals (peers). In a pure P2P network each node implements the functions of both client and server, and either peer can initiate a communication session at any moment. Nodes are arranged in an overlay network built on top of an existing network such as the Internet. Many peer-to-peer applications are based on a particular class of peer-to-peer networks: Distributed Hash Tables (DHTs). DHTs are structured peer-to-peer networks that provide an information storage and retrieval service similar to a regular hash table, where keys are mapped to values, in a scalable, flexible, and self-organizing fashion. This thesis reports the results of research on applying peer-to-peer technology beyond file sharing.
    The work focused first on the study and analysis of existing peer-to-peer network implementations, especially Distributed Hash Tables, and of the peer-to-peer protocol proposals presented by the IETF P2PSIP Working Group. The main research activity has been the definition of a peer-to-peer architecture, called Distributed Location Service (DLS), which allows the establishment of direct connections among the endpoints of a communication without the need for central servers. The Distributed Location Service is a DHT-based peer-to-peer service that can be used to store and retrieve information about where and how resources can be accessed, thus (partially) eliminating the need to rely on the DNS system and on central location servers such as the SIP Location Service. Access information is stored in the DLS as key-to-value mappings, which are maintained by the nodes that participate in the DHT overlay the DLS is built upon. The DLS has been implemented as a framework, by defining a standard set of interfaces between the components of the DLS, in order to allow maximum flexibility in components such as the DHT algorithm and the communication protocol in use, as the definition of the DLS architecture makes no assumption about them. The Kademlia DHT algorithm and the dSIP communication protocol have been implemented and integrated in the DLS framework in order to create real-world DLS-based applications that show the feasibility of the DLS approach. These demonstrative DLS-based applications were also built to show that peer-to-peer is not just about file sharing: real-time communication applications such as VoIP, distributed file systems, and online social networks can also be built on top of a peer-to-peer architecture.
    Even though the research was conducted independently of the IETF P2PSIP Working Group, the Distributed Location Service turned out to be quite similar to the official proposal, named RELOAD, with which it shares several concepts and ideas. Another aspect studied is the issue of bootstrapping in peer-to-peer networks. When a node wants to join an existing P2P network, it needs to find one node that already belongs to the P2P overlay, which will then admit the new node. Typically, the discovery of a node that is already participating in the overlay is made through mechanisms such as caching, pre-configured lists of nodes, or the use of central servers. Even though these approaches have worked so far, they are not in the true spirit of peer-to-peer networks, where decentralization, scalability, and self-organization are critical features. A multicast-based approach has therefore been defined and validated, with the goal of achieving true scalability and self-organization.
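    The key-to-value location storage the abstract describes, as an added example that is not the thesis' DLS framework and does not include its dSIP transport: an in-memory Kademlia-style service that maps a resource name to a contact address, replicates the mapping on the K nodes whose identifiers are XOR-closest to the key, and keeps answering lookups while holders leave. The node names, the SIP URI and the contact address are constructed for the demonstration.

```python
"""Added example: a Kademlia-style Distributed Location Service in memory.

Not the thesis' DLS framework or its dSIP transport; it shows the two mechanics
the text relies on: XOR distance between identifiers and replicating each
key-to-value mapping on the K nodes closest to the key, so a location lookup
survives the departure of some holders. Node names, the SIP URI and the contact
address are constructed for the demonstration.
"""
import hashlib

K = 3  # replication factor: a mapping lives on the K nodes XOR-closest to its key


def kad_id(text):
    """160-bit Kademlia identifier derived from a node name or a resource name."""
    return int.from_bytes(hashlib.sha1(text.encode()).digest(), "big")


def xor_distance(a, b):
    """Kademlia's metric: symmetric, unidirectional, and d(a, a) == 0."""
    return a ^ b


def k_closest(node_ids, key, k=K):
    """The k live nodes whose ids are XOR-closest to key, nearest first."""
    return sorted(node_ids, key=lambda n: xor_distance(n, key))[:k]


class LocationService:
    """In-memory stand-in for the overlay: node id -> that node's local store."""

    def __init__(self, node_names):
        self.stores = {kad_id(name): {} for name in node_names}

    def join(self, name):
        self.stores.setdefault(kad_id(name), {})

    def leave(self, node_id):
        self.stores.pop(node_id, None)

    def publish(self, resource, contact):
        """Store resource -> contact on the K nodes closest to hash(resource)."""
        key = kad_id(resource)
        holders = k_closest(self.stores, key)
        for n in holders:
            self.stores[n][key] = contact
        return holders

    def locate(self, resource):
        """Ask the K closest live nodes in turn; the first holder answers."""
        key = kad_id(resource)
        for n in k_closest(self.stores, key):
            if key in self.stores[n]:
                return self.stores[n][key]
        return None


def demo():
    """Publish one mapping, then remove its holders one by one and re-query."""
    svc = LocationService(["node-%d" % i for i in range(8)])
    uri, contact = "sip:alice@example.org", "192.0.2.10:5060"   # constructed
    holders = svc.publish(uri, contact)
    before = svc.locate(uri)
    svc.leave(holders[0])             # the closest holder goes offline
    after_one = svc.locate(uri)
    for n in holders[1:]:
        svc.leave(n)                  # every original holder is gone, no republish
    after_all = svc.locate(uri)
    return before, after_one, after_all


if __name__ == "__main__":
    print(demo())  # ('192.0.2.10:5060', '192.0.2.10:5060', None)
```

    With K = 3 the lookup still resolves after the nearest holder disappears, because the remaining holders are now the nearest live nodes and are asked first; once all three are gone the mapping is lost until the owner republishes it, which is why Kademlia republishes periodically. Nothing here authenticates who publishes a mapping, so any peer could overwrite alice's contact and hijack her calls; that is the access-control problem the P2PSIP security thesis above singles out, and a real DLS needs the holders to check that the publisher is entitled to the resource name (for instance a signature verified against the user's certificate) before accepting a store.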