6 research outputs found

    Bootstrapping Real-world Deployment of Future Internet Architectures

    The past decade has seen many proposals for future Internet architectures. Most of these proposals require substantial changes to the current networking infrastructure and end-user devices, resulting in a failure to move from theory to real-world deployment. This paper describes one possible strategy for bootstrapping the initial deployment of future Internet architectures by focusing on providing high availability as an incentive for early adopters. Through large-scale simulation and real-world implementation, we show that with only a small number of adopting ISPs, customers can obtain high availability guarantees. We discuss design, implementation, and evaluation of an availability device that allows customers to bridge into the future Internet architecture without modifications to their existing infrastructure.

    IBTrack: An ICMP Black holes Tracker

    ICMP is a fundamental part of the Internet as it handles the control and error messages. ICMP's treatment by the network, and in particular by the different routers it may cross, is therefore a key aspect driving troubleshooting and diagnosis processes. In this paper we present IBTrack, a tool that aims at characterizing how the network actually treats different ICMP messages from a user's point of view. Specifically, we detail a classification algorithm to categorize router behaviors and we introduce its associated refining method, which exploits multiple probing protocols. We illustrate the average Internet router behavior and path composition through results gathered from Planet-Lab nodes using a large CAIDA snapshot of routed /24. We further show that our refining method improves the router behavior characterization up to 10% for more than 1% of the total number of observed routers.

    A middlebox-cooperative TCP for a non end-to-end Internet. In

    Understanding, measuring, and debugging IP networks, particularly across administrative domains, is challenging. One particularly daunting aspect of the challenge is the presence of transparent middleboxes, which are now common in today's Internet. In-path middleboxes that modify packet headers are typically transparent to a TCP, yet can impact end-to-end performance or cause blackholes. We develop TCP HICCUPS to reveal packet header manipulation to both endpoints of a TCP connection. HICCUPS permits endpoints to cooperate with currently opaque middleboxes without prior knowledge of their behavior. For example, with visibility into end-to-end behavior, a TCP can selectively enable or disable performance enhancing options. This cooperation enables protocol innovation by allowing new IP or TCP functionality (e.g., ECN, SACK, Multipath TCP, Tcpcrypt) to be deployed without fear of such functionality being misconstrued, modified, or blocked along a path. HICCUPS is incrementally deployable and introduces no new options. We implement and deploy TCP HICCUPS across thousands of disparate Internet paths, highlighting the breadth and scope of subtle and hard-to-detect middlebox behaviors encountered. We then show how path diagnostic capabilities provided by HICCUPS can benefit applications and the network.

    Blocking DDoS attacks at the network level

    Denial of service (DDoS) is a persistent and continuously growing problem. These attacks are based on methods that flood the victim with messages that it did not request, effectively exhausting its computational or bandwidth resources. The variety of attack approaches is overwhelming and the current defense mechanisms are not completely effective. In today’s internet, a multitude of DDoS attacks occur every day, some even degrading the availability of critical or governmental services. In this dissertation, we propose a new network level DDoS mitigation protocol that iterates on previous attempts and uses proven mechanisms such as cryptographic challenges and packet-tagging. Our analysis of the previous attempts to solve this problem led to a ground-up design of the protocol with adaptability in mind, trying to minimize deployment and adoption barriers. With this work we concluded that with software changes only on the communication endpoints, it is possible to mitigate the most used DDoS attacks with results up to 25 times more favourable than standard resource rate limiting (RRL) methods.

    Measuring Path MTU discovery behaviour

    Path MTU Discovery (PMTUD) is widely believed to be unreliable because of firewalls that discard ICMP “Packet Too Big” messages. This paper measures PMTUD behaviour for 50,000 popular websites and finds the failure rate in IPv4 is much less than previous studies. We measure the overall failure rate between 5% and 18%, depending on the MTU of the constraining link. We explore methods webserver operators are using to reduce their dependence on PMTUD, and find 11% limit themselves to sending packets no larger than 1380 bytes. We identify a number of common behaviours that seem to be software bugs rather than filtering by firewalls. If these are corrected, PMTUD failures could be reduced by 63%. We further find the IPv6 failure rate is less than the IPv4 rate even with more scope for failure in IPv6.