61 research outputs found

    Routing-Verification-as-a-Service (RVaaS): Trustworthy Routing Despite Insecure Providers

    Computer networks today typically do not provide any mechanisms to the users to learn, in a reliable manner, which paths have (and have not) been taken by their packets. Rather, it seems inevitable that as soon as a packet leaves the network card, the user is forced to trust the network provider to forward the packets as expected or agreed upon. This can be undesirable, especially in the light of today's trend toward more programmable networks: after a successful cyber attack on the network management system or Software-Defined Network (SDN) control plane, an adversary in principle has complete control over the network. This paper presents a low-cost and efficient solution to detect misbehaviors and ensure trustworthy routing over untrusted or insecure providers, in particular providers whose management system or control plane has been compromised (e.g., using a cyber attack). We propose Routing-Verification-as-a-Service (RVaaS): RVaaS offers clients a flexible interface to query information relevant to their traffic, while respecting the autonomy of the network provider. RVaaS leverages key features of OpenFlow-based SDNs to combine (passive and active) configuration monitoring, logical data plane verification and actual in-band tests, in a novel manner

    Optimal Algorithms for Near-Hitless Network Restoration via Diversity Coding

    Diversity coding is a network restoration technique which offers near-hitless restoration, while other state-of-the-art techniques are significantly slower. Furthermore, the extra spare capacity requirement of diversity coding is competitive with the others. Previously, we developed heuristic algorithms to employ diversity coding structures in networks with arbitrary topology. This paper presents two algorithms to solve the network design problems using diversity coding in an optimal manner. The first technique pre-provisions static traffic whereas the second technique carries out the dynamic provisioning of the traffic on-demand. In both cases, diversity coding results in smaller restoration time, simpler synchronization, and much reduced signaling complexity than the existing techniques in the literature. A Mixed Integer Programming (MIP) formulation and an algorithm based on Integer Linear Programming (ILP) are developed for pre-provisioning and dynamic provisioning, respectively. Simulation results indicate that diversity coding has significantly higher restoration speed than Shared Path Protection (SPP) and p-cycle techniques. It requires more extra capacity than the p-cycle technique and SPP. However, the increase in the total capacity is negligible compared to the increase in the restoration speed. Comment: An old version of this paper is submitted to IEEE Globecom 2012 conference

    Collaborative internet worm containment

    Large-scale worm outbreaks that lead to distributed denial-of-service attacks pose a major threat to internet infrastructure security. To protect computers from such attacks, deployment of fast, scalable security overlay networks based on distributed hash tables to facilitate high-speed intrusion detection and alert-information exchange is proposed. An effective system for worm detection and cyberspace defence must have robustness, cooperation among multiple sites, responsiveness to unexpected worms, and efficiency and scalability. Deployment of collaborative WormShield monitors on just 1 percent of the vulnerable edge networks can detect worm signatures roughly 10 times faster than with independent monitors.

    Traffic matrix estimation on a large IP backbone: a comparison on real data

    This paper considers the problem of estimating the point-to-point traffic matrix in an operational IP backbone. Contrary to previous studies that have used a partial traffic matrix or demands estimated from aggregated Netflow traces, we use a unique data set of complete traffic matrices from a global IP network measured over five-minute intervals. This allows us to do an accurate data analysis on the time-scale of typical link-load measurements and enables us to make a balanced evaluation of different traffic matrix estimation techniques. We describe the data collection infrastructure, present spatial and temporal demand distributions, investigate the stability of fan-out factors, and analyze the mean-variance relationships between demands. We perform a critical evaluation of existing and novel methods for traffic matrix estimation, including recursive fanout estimation, worst-case bounds, regularized estimation techniques, and methods that rely on mean-variance relationships. We discuss the weaknesses and strengths of the various methods, and highlight differences in the results for the European and American subnetworks.

    A Novel Optimal routing using Hop-by-Hop Adaptive linking

    I am presenting the first of its kind project, the first link-state routing solution carrying traffic through packet-switched networks. At each node, for every other node, the algorithm independently and iteratively updates the fraction of traffic destined to that leaves on each of its outgoing links. At each iteration, the updates are calculated based on the shortest path to each destination as determined by the marginal costs of the network’s links. The marginal link costs used to find the shortest paths are in turn obtained from link-state updates that are flooded through the network after each iteration. For stationary input traffic, we prove that our project converges to the routing assignment that minimizes the cost of the network. Furthermore, I observe that our technique is adaptive, automatically converging to the new optimal routing assignment for quasi-static network changes. I also report numerical and experimental evaluations to confirm our theoretical predictions, explore additional aspects of the solution, and outline a proof-of-concept implementation of proposal