311 research outputs found

    End-to-end security in active networks

    Active network solutions have been proposed to many of the problems caused by the increasing heterogeneity of the Internet. These systems allow nodes within the network to process data passing through in several ways. Allowing code from various sources to run on routers introduces numerous security concerns that have been addressed by research into safe languages, restricted execution environments, and other related areas. But little attention has been paid to an even more critical question: the effect on end-to-end security of active flow manipulation. This thesis first examines the threat model implicit in active networks. It develops a framework of security protocols in use at various layers of the networking stack, and their utility to multimedia transport and flow processing, and asks if it is reasonable to give active routers access to the plaintext of these flows. After considering the various security problems introduced, such as vulnerability to attacks on intermediaries or coercion, it concludes not. We then ask if active network systems can be built that maintain end-to-end security without seriously degrading the functionality they provide. We describe the design and analysis of three such protocols: a distributed packet filtering system that can be used to adjust multimedia bandwidth requirements and defend against denial-of-service attacks; an efficient composition of link and transport-layer reliability mechanisms that increases the performance of TCP over lossy wireless links; and a distributed watermarking service that can efficiently deliver media flows marked with the identity of their recipients. In all three cases, similar functionality is provided to designs that do not maintain end-to-end security. Finally, we reconsider traditional end-to-end arguments in both networking and security, and show that they have continuing importance for Internet design. 
Our watermarking work adds the concept of splitting trust throughout a network to that model; we suggest further applications of this idea

    Video delivery technologies for large-scale deployment of multimedia applications


    Smart network caches : localized content and application negotiated recovery mechanisms for multicast media distribution

    Thesis (Ph. D.)--Massachusetts Institute of Technology, Program in Media Arts & Sciences, 1998. Includes bibliographical references (p. 133-138). By Roger George Kermode. Ph.D.

    An Improved Active Network Concept and Architecture for Distributed and Dynamic Streaming Multimedia Environments with Heterogeneous Bandwidths

    A problem in today's Internet infrastructure may occur when a streaming multimedia application is to take place. The information content of video and audio signals that contain moving or changing scenes may simply be too great for Internet clients with low bandwidth capacity if no adaptation is performed. In order to satisfactorily reach clients with various bandwidth capacities some works such as receiver-driven multicast and resilient overlay networks (RON) have been developed. However these efforts mainly call for modification on router level management or place an additional layer to the Internet structure, which is not recommended in the nearest future due to the high acceptance level and wide utilization of the current Internet structure, and the lengthy and tiring standardization process for a new structure or modification to be accepted. We have developed an improved active network approach for distributed and dynamic streaming multimedia environment with heterogeneous bandwidth, such as the case of the Internet. Friendly active network system (FANS) is a sample of our approach. Adopting application level active network (ALAN) mechanism, FANS participants and available media are referred through its universal resource locator (url). The system intercepts traffic flowing from source to destination and performs media post-processing at an intermediate peer. The process is performed at the application level instead of at the router level, which was the original approach of active networks. FANS requires no changes in router level management and puts no additional requirement to the current Internet architecture and, hence, is instantly applicable. In comparison with ALAN, FANS possesses two significant differences. From the system overview, ALAN requires three minimum elements: clients, servers, and dynamic proxy servers. FANS, on the other hand, unifies the functionalities of those three elements. 
Each of the peers in FANS is a client, an intermediate peer, and a media server as well. Secondly, the FANS members tracking system dynamically detects the existence of a newly joined computer or mobile device, given its url is available and announced. In ALAN, the servers and the middle nodes are a priori known and, hence, static. The application level approach and better performance characteristics also distinguish our work from another similar work in this field, which uses a router level approach. The approach offers, in general, the following improvements: FANS promotes QoS fairness, in which clients with lower bandwidth are accommodated and receive better quality of service. FANS introduces a new algorithm to determine whether or not the involvement of intermediate peer(s) to perform media post-processing enhancement services is necessary. This mechanism is important and advantageous due to the fact that intermediate post-processing increases the delay and, therefore, should only be employed selectively. FANS considers the size of media data and the capacity of clients' bandwidth as network parameters that determine the level of quality of service offered. By employing the above techniques, our experiments with the Internet emulator show that our approach improves the reliability of streaming media applications in such environment

    Interactivity And User-heterogeneity In On Demand Broadcast Video

    Video-On-Demand (VOD) has appeared as an important technology for many multimedia applications such as news on demand, digital libraries, home entertainment, and distance learning. In its simplest form, delivery of a video stream requires a dedicated channel for each video session. This scheme is very expensive and non-scalable. To preserve server bandwidth, many users can share a channel using multicast. Two types of multicast have been considered. In a non-periodic multicast setting, users make video requests to the server; and it serves them according to some scheduling policy. In a periodic broadcast environment, the server does not wait for service requests. It broadcasts a video cyclically, e.g., a new stream of the same video is started every t seconds. Although, this type of approach does not guarantee true VOD, the worst service latency experienced by any client is less than t seconds. A distinct advantage of this approach is that it can serve a very large community of users using minimal server bandwidth. In VOD System it is desirable to provide the user with the video-cassette-recorder-like (VCR) capabilities such as fast-forwarding a video or jumping to a specific frame. This issue in the broadcast framework is addressed, where each video and its interactive version are broadcast repeatedly on the network. Existing techniques rely on data prefetching as the mechanism to provide this functionality. This approach provides limited usability since the prefetching rate cannot keep up with typical fast-forward speeds. In the same environment, end users might have access to different bandwidth capabilities at different times. Current periodic broadcast schemes, do not take advantage of high-bandwidth capabilities, nor do they adapt to the low-bandwidth limitation of the receivers. A heterogeneous technique is presented that can adapt to a range of receiving bandwidth capability. 
Given a server bandwidth and a range of different client bandwidths, users employing the proposed technique will choose either to use their full reception bandwidth capability and therefore accessing the video at a very short time, or using part or enough reception bandwidth at the expense of a longer access latency

    Provider-Controlled Bandwidth Management for HTTP-based Video Delivery

    Over the past few years, a revolution in video delivery technology has taken place as mobile viewers and over-the-top (OTT) distribution paradigms have significantly changed the landscape of video delivery services. For decades, high quality video was only available in the home via linear television or physical media. Though Web-based services brought video to desktop and laptop computers, the dominance of proprietary delivery protocols and codecs inhibited research efforts. The recent emergence of HTTP adaptive streaming protocols has prompted a re-evaluation of legacy video delivery paradigms and introduced new questions as to the scalability and manageability of OTT video delivery. This dissertation addresses the question of how to enable for content and network service providers the ability to monitor and manage large numbers of HTTP adaptive streaming clients in an OTT environment. Our early work focused on demonstrating the viability of server-side pacing schemes to produce an HTTP-based streaming server. We also investigated the ability of client-side pacing schemes to work with both commodity HTTP servers and our HTTP streaming server. Continuing our client-side pacing research, we developed our own client-side data proxy architecture which was implemented on a variety of mobile devices and operating systems. We used the portable client architecture as a platform for investigating different rate adaptation schemes and algorithms. We then concentrated on evaluating the network impact of multiple adaptive bitrate clients competing for limited network resources, and developing schemes for enforcing fair access to network resources. The main contribution of this dissertation is the definition of segment-level client and network techniques for enforcing class of service (CoS) differentiation between OTT HTTP adaptive streaming clients. 
We developed a segment-level network proxy architecture which works transparently with adaptive bitrate clients through the use of segment replacement. We also defined a segment-level rate adaptation algorithm which uses download aborts to enforce CoS differentiation across distributed independent clients. The segment-level abstraction more accurately models application-network interactions and highlights the difference between segment-level and packet-level time scales. Our segment-level CoS enforcement techniques provide a foundation for creating scalable managed OTT video delivery services

    Service introduction in an active network

    Thesis (Ph.D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, February 1999. Includes bibliographical references (p. 151-157). By David J. Wetherall. Ph.D.

    Decentralization of multimedia content in a heterogeneous environment

    The aim of this study has been the decentralization of multimedia content in a heterogeneous environment. The environment consisted of the research networks connecting the European Organization for Nuclear Research and the Finnish University and Research Network. The European Organization for Nuclear Research produces multimedia content which can be used as studying material all over the world. The Web University pilot in the European Organization for Nuclear Research has been developing a multimedia content delivery service for years. Delivering the multimedia content requires plenty of capacity from the network infrastructure. Different content of the material can have different demands for the network. In a heterogeneous environment, like the Internet, fulfilling all the demands can be a problem. Several methods exist to improve the situation. Decentralization of the content is one of the most popular solutions. Mirroring and caching are the main methods for decentralization. Recently developed content delivery networks are using both of these techniques to satisfy the demands of the content. The practical application consisted of measurements of the network connection between the multimedia server in the European Organization for Nuclear Research and the Finnish University and Research Network, planning and building a decentralization system for the multimedia content. After the measurements, it became clear that there is no need for decentralization of the multimedia content for users that are able to utilise the Finnish University and Research Network. There could be double today's usage, and still there would be no problems with the capacity. However, the European Organization for Nuclear Research routes all traffic that comes from outside research networks through a gateway in the USA. This affects every connection that is made from Finland: users are not able to use the international connection offered by the Finnish University and Research Network. 
For these users I designed and built a simple, modular and portable decentralization system

    Peer-to-peer overlay in mobile ad-hoc networks

    Wireless multi-hop networks such as mobile ad-hoc (MANET) or wireless mesh networks (WMN) have attracted big research efforts during the last years as they have huge potential in several areas such as military communications, fast infrastructure replacement during emergency operations, extension of hotspots or as an alternative communication system. Due to various reasons, such as characteristics of wireless links, multi-hop forwarding operation, and mobility of nodes, performance of traditional peer-to-peer applications is rather low in such networks. In this book chapter, we provide a comprehensive and in-depth survey on recent research on various approaches to provide peer-to-peer services in wireless multi-hop networks. The causes and problems for low performance of traditional approaches are discussed. Various representative alternative approaches to couple interactions between the peer-to-peer overlay and the network layer are examined and compared. Some open questions are discussed to stimulate further research in this area. © 2010 Springer Science+Business Media, LLC