5 research outputs found

    Calibration and Analysis of Enterprise and Edge Network Measurements

    With the growth of the Internet over the past several decades, the field of Internet and network measurements has attracted the attention of many researchers. Doing the measurements has allowed a better understanding of the inner workings of both the global Internet and its specific parts. But undertaking a measurement study in a sound fashion is no easy task. Given the complexity of modern networks, one has to take great care in anticipating, detecting and eliminating all the measurement errors and biases. In this thesis we pave the way for a more systematic calibration of network traces. Such calibration ensures the soundness and robustness of the analysis results by revealing and fixing flaws in the data. We collect our measurement data in two environments: in a medium-sized enterprise and at the Internet edge. For the former we perform two rounds of data collection from the enterprise switches. We use the differences in the way we recorded the network traces during the first and second rounds to develop and assess the methodology for five calibration aspects: measurement gain, measurement loss, measurement reordering, timing, and topology. For the dataset gathered at the Internet edge, we perform calibration in the form of extensive checks of data consistency and sanity. After calibrating the data, we engage in the analysis of its various aspects. For the enterprise dataset we look at TCP dynamics in the enterprise environment. Here we first make a high-level overview of TCP connection characteristics such as termination status, size, duration, rate, etc. Then we assess the parameters important for TCP performance, such as retransmissions, out-of-order deliveries and channel utilization. Finally, using the Internet edge dataset, we gauge the performance characteristics of the edge connectivity.

    Efficient traffic trajectory error detection

    Our recent survey on publicly reported router bugs shows that many router bugs, once triggered, can cause various traffic trajectory errors, including traffic deviating from its intended forwarding paths, traffic being mistakenly dropped and unauthorized traffic bypassing packet filters. These traffic trajectory errors are serious problems because they may cause network applications to fail and create security loopholes for network intruders to exploit. Therefore, traffic trajectory errors must be quickly and efficiently detected so that corrective action can be performed in a timely fashion. Detecting traffic trajectory errors requires the real-time tracking of the control states (e.g., forwarding tables, packet filters) of routers and the scalable monitoring of the actual traffic trajectories in the network. Traffic trajectory errors can then be detected by efficiently comparing the observed traffic trajectories against the intended control states. Making such trajectory error detection efficient and practical for large-scale high-speed networks requires us to address many challenges. First, existing traffic trajectory monitoring algorithms require the simultaneous monitoring of all network interfaces in a network for the packets of interest, which causes a daunting monitoring overhead. To improve the efficiency of traffic trajectory monitoring, we propose the router group monitoring technique, which only monitors the periphery interfaces of a set of selected router groups. We analyze a large number of real network topologies and show that effective router groups with high trajectory error detection rates exist in all cases. We then develop an analytical model for quickly and accurately estimating the detection rates of different router groups. Based on this model, we propose an algorithm to select a set of router groups that can achieve complete error detection and low monitoring overhead. Second, maintaining the control states of all the routers in the network requires a significant amount of memory. However, there exist no studies on how to efficiently store multiple complex packet filters. We propose to store multiple packet filters using a shared HyperCuts decision tree. To help decide which subset of packet filters should share a HyperCuts decision tree, we first identify a number of important factors that collectively impact the efficiency of the resulting shared HyperCuts decision tree. Based on the identified factors, we then propose to use machine learning techniques to predict whether any pair of packet filters should share a tree. Given the pair-wise prediction matrix, a greedy heuristic algorithm is used to classify packet filters into a number of shared HyperCuts decision trees. Our experiments using both real packet filters and synthetic packet filters show that our shared HyperCuts decision trees require considerably less memory while having the same or a slightly higher average height than separate trees. In addition, the shared HyperCuts decision trees enable concurrent lookup of multiple packet filters sharing the same tree. Finally, based on the two proposed techniques, we have implemented a complete prototype system that is compatible with Juniper's JUNOS. We have shown in the thesis that, to detect traffic trajectory errors, it is sufficient to selectively implement only a small set of key functions of a full-fledged router on our prototype, which makes our prototype simpler and less error-prone. We conduct both Emulab experiments and micro-benchmark experiments to show that the system can efficiently track router control states, monitor traffic trajectories and detect traffic trajectory errors.

    Testing a Network Monitoring Service in an IPv6 Environment (Verkonvalvontapalvelun testaus IPv6-ympäristössä)

    This thesis was made for Cygate Oy. The exhausted IPv4 (Internet Protocol version 4) address space and numerous other shortcomings mean that companies must start preparing for the adoption of IPv6 (Internet Protocol version 6) in the near future. When this change happens, Cygate must be ready to perform network monitoring and management tasks in IPv6 environments as well. The goal of the thesis was to build an IPv6-capable laboratory environment corresponding to a traditional customer network, to carry out the planned tests, and to describe the problems and limitations encountered during testing. The thesis begins by describing the most common procedures and protocols used for network monitoring and management (SNMP, ICMP, Syslog, MIB), while looking for possible limitations from the IPv6 point of view. After that, the composition and functionality of Cygate's current management and monitoring platform is presented. Following the theory section, a network corresponding to a traditional customer environment was designed for implementation in a GNS3 virtual environment; its devices served as the monitored targets in the thesis. The design phase also included planning the IPv6 addressing and subnets. OSPFv3 was chosen as the routing protocol. Finally, the plans were implemented in a closed laboratory environment; the most common network management protocols presented at the beginning of the thesis, which are also used by Cygate's current monitoring and management platform, were configured on the devices, and their operation was examined and investigated in more detail. The last part of the thesis presents an assessment of the feasibility and schedule for moving the service into production. Testing showed that the service is not yet ready to be moved into production. Recommended follow-up actions are also presented.

    This thesis was made for Cygate corporation. The driving force for this work was the exhausted IPv4 (Internet Protocol version 4) address space and the fact that companies will have to implement IPv6 (Internet Protocol version 6) networks in the near future. At that time Cygate needs to have a ready, secure and reliable solution to offer, with an equal amount of features compared to the present system. The main targets were to build a traditional and fully native IPv6 network in a virtualized environment and to run the planned tests using the same methods as the present network management system uses with IPv4. All the problems faced were documented carefully if they could not be solved during the project and if they were clearly out of the networking scope. The results were delivered to the network management system development team at Cygate, who will initiate a sequel project and try to investigate and solve the problems that emerged. At the beginning, the thesis introduces traditional network management procedures and protocols from the IPv6 point of view. Cygate's existing network management platform is introduced, followed by the plans to test it in an IPv6 environment. The plans also include addressing and subnetting the network, with an investigation into which dynamic routing protocol will be used. OSPFv3 was chosen as the routing protocol. After careful planning, the plan was executed in a closed network made for testing purposes only. After basic network-level connectivity with dynamic routing was achieved, network monitoring specific configurations were executed and investigated in detail. All the tools, devices and addressing reflected real customer networks, indicating that the tests made would also be reliable in other environments. The last part of the thesis discusses the possibility and schedule to move the IPv6 network management service into a production environment. Testing showed that the service is not completely ready for the production environment. Suggestions on how to proceed from here are given at the end.

    Fingerprinting Encrypted Tunnel Endpoints

    Operating System fingerprinting is a reconnaissance method used by Whitehats and Blackhats alike. Current techniques for fingerprinting do not take into account tunneling protocols, such as IPSec, SSL/TLS, and SSH, which effectively `wrap` network traffic in a ciphertext mantle, thus potentially rendering passive monitoring ineffectual. Whether encryption makes VPN tunnel endpoints immune to fingerprinting, or renders the encrypted contents of the VPN tunnel entirely indistinguishable, is a topic that has received modest coverage in academic literature. This study addresses these questions by targeting two tunnelling protocols: IPSec and SSL/TLS. A new fingerprinting methodology is presented, several fingerprinting discriminants are identified, and test results are set forth, showing that endpoint identities can be uncovered, and that some of the contents of encrypted VPN tunnels can in fact be discerned.

    Dissertation (MSc (Computer Science))--University of Pretoria, 2005.

    Resilient and Scalable Forwarding for Software-Defined Networks with P4-Programmable Switches

    Traditional networking devices support only fixed features and limited configurability. Network softwarization leverages programmable software and hardware platforms to remove those limitations. In this context, the concept of programmable data planes allows the packet processing pipeline of networking devices to be programmed directly and custom control plane algorithms to be created. This flexibility enables the design of novel networking mechanisms where the status quo struggles to meet the high demands of next-generation networks like 5G, the Internet of Things, cloud computing, and Industry 4.0. P4 is the most popular technology for implementing programmable data planes. However, programmable data planes, and in particular the P4 technology, emerged only recently. Thus, P4 support for some well-established networking concepts is still lacking, and several issues remain unsolved due to the different characteristics of programmable data planes in comparison to traditional networking. The research of this thesis focuses on two open issues of programmable data planes. First, it develops resilient and efficient forwarding mechanisms for the P4 data plane, as there are no satisfying state-of-the-art best practices yet. Second, it enables BIER in high-performance P4 data planes. BIER is a novel, scalable, and efficient transport mechanism for IP multicast traffic which so far has only very limited support on high-performance forwarding platforms. The main results of this thesis are published as eight peer-reviewed publications and one post-publication peer-reviewed publication. The results cover the development of suitable resilience mechanisms for P4 data planes, the development and implementation of resilient BIER forwarding in P4, and the extensive evaluations of all developed and implemented mechanisms. Furthermore, the results contain a comprehensive P4 literature study. Two more peer-reviewed papers contain additional content that is not directly related to the main results. They implement congestion avoidance mechanisms in P4 and develop a scheduling concept to find cost-optimized load schedules based on day-ahead forecasts.