
    Managing Client-Initiated Connections

    The Session Initiation Protocol (SIP) allows proxy servers to initiate TCP connections or to send asynchronous UDP datagrams to User Agents in order to deliver requests. However, in a large number of real deployments, many practical considerations, such as the existence of firewalls and Network Address Translators (NATs) or the use of TLS with server-provided certificates, prevent servers from connecting to User Agents in this way. This specification defines behaviors for User Agents, registrars, and proxy servers that allow requests to be delivered on existing connections established by the User Agent. It also defines keep-alive behaviors needed to keep NAT bindings open and specifies the usage of multiple connections from the User Agent to its registrar.

    Status of This Memo

    This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

    Copyright Notice

    Copyright (c) 2009 IETF Trust and the persons identified as th

    Bandwidth is Political: Reachability in the Public Internet


    Routed End-to-End Ethernet: Proof of Concept

    The goal of this master's thesis is to study and analyse the Ethernet and IEEE 802.1 standards as well as the IPv4 and IPv6 protocols. By combining the best features of these, a new end-to-end routed Ethernet concept was developed, and a Proof of Concept network was built according to it. This idea aims to solve the Internet's biggest problem, the exhaustion of the address space, by using both MAC and NSAP addresses for identifying devices and for routing Ethernet packets. The lack of hierarchy in the addresses prevents efficient routing, which is why Ethernet networks do not scale to a global network. The IEEE 802.1 standards have improved the scalability of Ethernet networks, but the addressing has not been changed and the Spanning Tree protocol is still used for routing. Internet Protocol version 4 became the dominant network protocol of the Internet because its addressing is hierarchical, which enables efficient routing. However, its small address space, which is running out of addresses, has become a problem. IPv6 has a larger address space, but even so it has not displaced IPv4 addresses. The idea of RE2EE is to add hierarchical addresses to the Ethernet network, which together would enable a sufficiently large address space and efficient routing. In the Proof of Concept, an RE2EE network was created at a small scale, and it was used to show that the basic features of RE2EE can be implemented using only Ethernet packets.

    The main goal of this thesis is to investigate and analyse the Ethernet and IEEE 802.1 standards and the IPv4 and IPv6 protocols, to combine them into a new idea of Routed End-to-End Ethernet in theory, and to build a Proof of Concept network that demonstrates it at a small scale. This concept would solve the address exhaustion problem by using MAC and NSAP addresses for host identification and for routing Ethernet packets in the network. From the Ethernet and IEEE 802.1 standards we found that the main problem of Ethernet is that it does not have hierarchical addresses. Hierarchical addresses would allow efficient routing, enabling the network to scale globally. IEEE 802.1 has many standards with features for scaling Ethernet networks better, but they are still not enough. The only routing protocols used in Ethernet networks are still the Spanning Tree Protocols. Internet Protocol version 4, the dominant network protocol in the Internet, has a hierarchical address space enabling efficient routing. A big problem with IPv4 is that the address space is small and is running out of addresses. IPv6 has a larger address space, but for some reason its deployment is very slow. RE2EE would use Ethernet extended with hierarchical addresses for the Internet. This would make the address space large enough, and efficient routing would also be possible. In the Proof of Concept a small-scale network was built, which showed that it is possible to create the basic functionalities of RE2EE using only Ethernet packets.

    An analysis of IP Telephony Signaling using the Session Initiation Protocol (SIP)

    This paper examines both the emergence of IP telephony in the telecommunications industry and the Session Initiation Protocol (SIP) as a method for providing signaling services for IP telephony networks. The technical as well as cost advantages of IP telephony are addressed, and the various SIP components, addressing mechanisms, protocol messages, and protocol functionality are discussed. The technical benefits of SIP are examined and a brief comparison is made between SIP and H.323, an ITU umbrella specification and a leading alternative to SIP. SIP and the latest version of H.323 are found to be relatively comparable, although due to the inherent simplicity of developing SIP implementations and applications, SIP has the potential to challenge H.323's dominance in the IP telephony signaling market.

    The Impact of DNSSEC on the Internet Landscape

    In this dissertation we investigate the security deficiencies of the Domain Name System (DNS) and assess the impact of the DNSSEC security extensions. DNS spoofing attacks divert an application to the wrong server, but are also used routinely for blocking access to websites. We provide evidence for systematic DNS spoofing in China and Iran with measurement-based analyses, which allow us to examine the DNS spoofing filters from vantage points outside of the affected networks. Third parties in other countries can be affected inadvertently by spoofing-based domain filtering, which could be averted with DNSSEC. The security goals of DNSSEC are data integrity and authenticity. A point solution called NSEC3 adds a privacy assertion to DNSSEC, which is supposed to prevent disclosure of the domain namespace as a whole. We present GPU-based attacks on the NSEC3 privacy assertion, which allow efficient recovery of the namespace contents. We demonstrate with active measurements that DNSSEC has found wide adoption after initial hesitation. On the server side, there are more than five million domains signed with DNSSEC. A portion of them is insecure due to insufficient cryptographic key lengths or broken due to maintenance failures. On the client side, we have observed a worldwide increase of DNSSEC validation over the last three years, though not necessarily on the last mile. Deployment of DNSSEC validation on end hosts is impaired by intermediate caching components, which degrade the availability of DNSSEC. However, intermediate caches contribute to the performance and scalability of the Domain Name System, as we show with trace-driven simulations. We suggest that validating end hosts utilize intermediate caches by default but fall back to autonomous name resolution in case of DNSSEC failures.

    This dissertation examines the security deficiencies of the Domain Name System (DNS) and assesses the impact of the DNSSEC security extensions. The purpose of DNS spoofing is to redirect an application to the wrong server, but it is also regularly used to block access to websites. Using measurement-based analyses, this work documents the systematic execution of DNS spoofing attacks in China and Iran, with the measurement points located outside the networks affected by the blocking filters. It is shown that third parties in other countries can be unintentionally affected by the spoofing-based blocking filters, which can be prevented with DNSSEC. The security goals of DNSSEC are data integrity and authenticity. The NSEC3 extension additionally protects the privacy of the domain namespace so that the contents of a DNSSEC server cannot be read out in their entirety. This work presents GPU-based attack methods against the privacy assured by NSEC3 that enable efficient recovery of the domain namespace. Furthermore, active measurement methods are used to study the deployment of DNSSEC, which has increased significantly after initial hesitation. On the server side there are more than five million domain names signed with DNSSEC. Some of them are insecure due to insufficient cryptographic key lengths, and others are moreover unreachable with DNSSEC due to maintenance failures. On the client side, the share of DNSSEC validation has risen worldwide over the last three years. However, it remains open whether validation takes place close to the end devices, so as to fully secure untrusted communication paths. The use of DNSSEC validation on end devices is hindered by intermediate DNS cache components, since these degrade the availability of DNSSEC. However, intermediate caches contribute to the performance and scalability of the Domain Name System, as this work shows with measurement-based simulations. End devices should therefore use the existing DNS infrastructure by default, but in case of validation failures query the DNSSEC target servers themselves in order to bypass faulty DNS responses stored in the cache.

    Negotiating Internet Governance

    What is at stake for how the Internet continues to evolve is the preservation of its integrity as a single network. In practice, its governance is neither centralised nor unitary; it is piecemeal and fragmented, with authoritative decision-making coming from different sources simultaneously: governments, businesses, international organisations, technical and academic experts, and civil society. Historically, the conditions for their interaction were rarely defined beyond basic technical coordination, due at first to the academic freedom granted to the researchers developing the network and, later on, to the sheer impossibility of controlling mushrooming Internet initiatives. Today, the search for global norms and rules for the Internet continues, be it for cybersecurity or artificial intelligence, amid processes fostering the supremacy of national approaches or the vitality of a pluralist environment with various stakeholders represented. This book provides an incisive analysis of the emergence and evolution of global Internet governance, unpacking the complexity of more than 300 governance arrangements, influential debates and political negotiations over four decades. Highly accessible, this book breaks new ground through a wide empirical exploration and a new conceptual approach to governance enactment in global issue domains. A tripartite framework is employed for revealing power dynamics, relying on: a) an extensive database of mechanisms of governance for the Internet at the global and regional level; b) an in-depth analysis of the evolution of actors and priorities over time; and c) a key set of dominant practices observed in the Internet governance communities. It explains continuity and change in Internet-related negotiations, opening up new directions for thinking and acting in this field.

    Analyzing practical communication security of Android vendor applications

    The development of mobile devices and new personalized services has reached the point where users no longer have sole control over their data. As the devices are in constant communication with cloud services, the users' data moves increasingly into the service providers' clouds. Little is known about how, and how well, service providers protect the users' information. This work studies the practical communication security of the own applications of the two biggest Western Android-based ecosystems, Google's and Amazon's. The aim is to identify all mechanisms used to protect the information that is communicated with the Android device. One device each from Amazon and Google was used, and the application market of each provider was chosen for in-depth study. The applications were selected on the basis that they must provide the same service, in order to make the comparison possible. In practice, the applications and devices were studied by performing active and passive Man-in-the-Middle (MITM) attacks in a network laboratory. The communications were intercepted and analysed afterwards. Both vendors relied heavily on the SSL/TLS protocol. The usage, roles and acquisition of authorization tokens were also similar. Amazon's client applications were observed to use digital signatures. The biggest difference between the market applications was that Google required authentication when buying an application, while Amazon did not. During this authentication Google sent the user's password in plaintext inside the TLS connection. During the less frequent registration of the user's Google account to the device, the user's password is instead sent encrypted inside the TLS connection. An active MITM attack was performed on the Google device and account to demonstrate what an attacker can do in practice when the SSL/TLS connection is compromised. By manipulating traffic and intercepting authorization tokens, the attacker is able to spy on the victim and access nearly all of the victim's current Google data. In addition, the attacker can "force" the victim to register again on the Android device, and the attacker can use the victim's intercepted encrypted password to add the victim's Google account to her own device.

    Optimization of BGP Convergence and Prefix Security in IP/MPLS Networks

    Multi-Protocol Label Switching-based networks are the backbone of the Internet, which communicates through the Border Gateway Protocol connecting distinct networks, referred to as Autonomous Systems, together. As the technology matures, so do the challenges caused by the extreme growth rate of the Internet. The number of BGP prefixes required to facilitate such an increase in connectivity introduces multiple new critical issues, such as with the scalability and the security of the Border Gateway Protocol. An illustration of an implementation of an IP/MPLS core transmission network is given through the introduction of the four main pillars of an Autonomous System: Multi-Protocol Label Switching, Border Gateway Protocol, Open Shortest Path First and the Resource Reservation Protocol. The symbiosis of these technologies is used to introduce the practicalities of operating an IP/MPLS-based ISP network with traffic engineering and fault resilience at heart. The first research objective of this thesis is to determine whether the deployment of a new BGP feature, referred to as BGP Prefix Independent Convergence (PIC), within AS16086 would be a worthwhile endeavour. This BGP extension aims to reduce the convergence delay of BGP prefixes inside an IP/MPLS core transmission network, thus improving the network's resilience against faults. The second research objective was to study the available mechanisms for protecting BGP prefixes, such as the implementation of the Resource Public Key Infrastructure and the Artemis BGP Monitor for proactive and reactive security of BGP prefixes within AS16086. The prospective future deployment of BGPsec is discussed to form an outlook on the future of IP/MPLS network design. The trust-based nature of BGP has become a distinct vulnerability, necessitating the use of various technologies to secure the communications between the Autonomous Systems that form the network of networks, the Internet.

    Service composition based on SIP peer-to-peer networks

    Today the telecommunication market is faced with customers requesting new telecommunication services, especially value-added services. The concept of Next Generation Networks (NGN) seems to be a solution for this, so this concept is finding its way into the telecommunication area. These customer expectations have emerged in the context of NGN and the associated migration of telecommunication networks from traditional circuit-switched towards packet-switched networks. One fundamental aspect of the NGN concept is to move the intelligence of services out of the switching plane onto separate Service Delivery Platforms, using SIP (Session Initiation Protocol) to provide the required signalling functionality. As a result of this migration towards NGN, SIP has emerged as the major signalling protocol for IP (Internet Protocol) based NGN. In contrast to ISDN (Integrated Services Digital Network) and IN (Intelligent Network), this leads to significantly lower dependencies between the network and services and makes it possible to implement new services much more easily and quickly. In addition, further concepts from IT (Information Technology), namely SOA (Service-Oriented Architecture), have largely influenced the telecommunication sector, driven by the amalgamation of IT and telecommunications. The benefit of applying SOA in telecommunication services is the acceleration of service creation and delivery. The main features of SOA are that services are reusable, discoverable, combinable and independently accessible from any location. Integration of those features offers broader flexibility and efficiency for varying demands on services. This thesis proposes a novel framework for service provisioning and composition in SIP-based peer-to-peer networks applying the principles of SOA. One key contribution of the framework is the approach of performing the provisioning and composition of services by applying SIP. Based on this, the framework provides a flexible and fast way to request the creation of composite services. Furthermore, the framework makes it possible to request and combine multimodal value-added services, which means that they are no longer limited regarding media types such as audio, video and text. The proposed framework has been validated by a prototype implementation.