22 research outputs found
Firewall Traversal in Mobile IPv6 Networks
Middleboxes, wie zum Beispiel Firewalls, sind ein wichtiger Aspekt für eine Großzahl moderner IP-Netzwerke. Heute IP-Netzwerke basieren überwiegend auf IPv4 Technologien, daher sind viele Firewalls und Network Address Translators (NATs) ursprünglich für diese Netzwerke entwickelt worden. Die Entwicklung von IPv6 Netzwerken findet zur Zeit statt. Da Mobile IPv6 ein relativ neuer Standard ist, unterstützen die meisten Firewalls die für IPv6 Netzwerke verfügbar sind, noch kein Mobile IPv6. Sofern Firewalls sich nicht der Details des Mobile IPv6 Protokolls bewusst sind, werden sie entweder Mobile IPv6 Kommunikation blockieren oder diesen sorgfältig handhaben. Dieses stellt einen der Haupthinderunggründe zum erfolgreichen Einsatz von Mobile IPv6 da.Diese Arbeit beschreibt die Probleme und Auswirkungen des Vorhandenseins von Middleboxes in Mobile IPv6 Umgebungen. Dazu wird zuerst erklärt welche Arten von Middleboxes es gibt, was genau eine Middlebox ist und wie eine solche Middlebox arbeiten und zweitens die Probleme identifiziert und die Auswirkungen des Vorhandenseins von Firewalls in Mobile IPv6 Umgebungen erklärt. Anschließend werden einige State-of-the-Art Middlebox Traversal Ansätze untersucht, die als mögliche Lösungen um die Mobile IPv6 Firewall Traversal Probleme zu bewältigen betrachtet werden können. Es wird detailiert erklärt wie diese Lösungen arbeiten und ihre Anwendbarkeit für Mobile IPv6 Firewall Traversal evaluiert.Als Hauptbeitrag bringt diese Arbeit zwei detailierte Lösungsansätze ein, welche das Mobile IPv6 Firewall Traversal Problem bewältigen können. Der erste Lösungsansatz, der NSIS basierte Mobile IPv6 Firewall Traversal, basiert auf dem Next Steps in Signaling (NSIS) Rahmenwerk und dem NAT/Firewall NSIS Signaling Layer Protocol (NAT/FW NSLP). Anschließend wird der zweite Lösungsansatz vorgestellt, der Mobile IPv6 Application Layer Gateway. Diese Arbeit erklärt detailiert, wie diese Lösungsansätze die Probleme und Auswirkungen des Vorhandenseins von Middleboxes in Mobile IPv6 Umgebungen bewältigen. Desweitern stellt diese Arbeit vor, wie die NSIS basierte Mobile IPv6 Firewall Traversal und die Mobile IPv6 Application Layer Gateway Proof-of-Concept Implementierungen, die im Rahmen dieser Arbeit entwicklet wurden, implementiert wurden. Abschließend werden die Proof-of-Concept Implementierungen sowie die beiden Lösungsansätze allgemein evaluiert und analysiert
De-ossifying the Internet Transport Layer : A Survey and Future Perspectives
ACKNOWLEDGMENT The authors would like to thank the anonymous reviewers for their useful suggestions and comments.Peer reviewedPublisher PD
Traffic-Aware Deployment of Interdependent NFV Middleboxes in Software-Defined Networks
Middleboxes, such as firewalls, Network Address Translators (NATs), Wide Area Network (WAN) optimizers, or Deep Packet Inspector (DPIs), are widely deployed in modern networks to improve network security and performance. Traditional middleboxes are typically hardware based, which are expensive and closed systems with little extensibility. Furthermore, they are developed by different vendors and deployed as standalone devices with little scalability. As the development of networks in scale, the limitations of traditional middleboxes bring great challenges in middlebox deployments.
Network Function Virtualization (NFV) technology provides a promising alternative, which enables flexible deployment of middleboxes, as virtual machines (VMs) running on standard servers. However, the flexibility also creates a challenge for efficiently placing such middleboxes, due to the availability of multiple hosting servers, capabilities of middleboxes to change traffic volumes, and dependency between middleboxes. In our first two work, we addressed the optimal placement challenge of NFV middleboxes by considering middlebox traffic changing effects and dependency relations. Since each VM has only a limited processing capacity restricted by its available resources, multiple instances of the same function are necessary in an NFV network. Thus, routing in an NFV network is also a challenge to determine not only via a path from the source to destination but also the service (middlebox) locations. Furthermore, the challenge is complicated by the traffic changing effects of NFV services and dependency relations between them. In our third work, we studied how to efficiently route a flow to receive services in an NFV network.
We conducted large-scale simulations to evaluate our proposed solutions, and also implemented a Software-Defined Networking (SDN) based prototype to validate the solutions in realistic environments. Extensive simulation and experiment results have been fully demonstrated the effectiveness of our design
Securing softswitches from malicious attacks
Traditionally, real-time communication, such as voice calls, has run on separate, closed networks. Of all the limitations that these networks had, the ability of malicious attacks to cripple communication was not a crucial one. This situation has changed radically now that real-time communication and data have merged to share the same network. The objective of this project is to investigate the securing of softswitches with functionality similar to Private Branch Exchanges (PBX) from malicious attacks. The focus of the project will be a practical investigation of how to secure ILANGA, an ASTERISK-based system under development at Rhodes University. The practical investigation that focuses on ILANGA is based on performing six varied experiments on the different components of ILANGA. Before the six experiments are performed, basic preliminary security measures and the restrictions placed on the access to the database are discussed. The outcomes of these experiments are discussed and the precise reasons why these attacks were either successful or unsuccessful are given. Suggestions of a theoretical nature on how to defend against the successful attacks are also presented
Handling of IP-Addresses in the Context of Remote Access
Masteroppgave i informasjons- og kommunikasjonsteknologi 2008 – Universitetet i Agder, GrimstadFor various reasons (e.g., security, lack of IPv4-addresses) the services in the home
smart space only use private IP addresses. This is unfortunate in the remote service
access since these addresses frequently appear in responses sent from a service in
the remote smart space (e.g., your home) to the visited smart space (e.g., your
friend’s home).The Internet Engineering Task Force (IETF) provides some solutions
and workarounds for the problem caused by NAT.
In this project, the challenge to me is to summarize the available options, rank the
options according to which one is preferred for the RA-scenario. I will come up with
my practical NAT traversal techniques by testing and gathering data on the reliability
of NAT traversal techniques since none of the existing ones seems to work well. A
demonstration of the key features will be shown in the thesis. NAT traversal
techniques apply to TCP and UDP need to be researched in advance. Handling of
peers behind all kinds of NAT need to be tested and determined for the
communication. The result of the paper will well improve the evaluation of specific
issues on NAT and the creating of an UNSAF proposal
Informing protocol design through crowdsourcing measurements
Mención Internacional en el título de doctorMiddleboxes, such as proxies, firewalls and NATs play an important role in the modern Internet
ecosystem. On one hand, they perform advanced functions, e.g. traffic shaping, security or enhancing application
performance. On the other hand, they turn the Internet into a hostile ecosystem for innovation,
as they limit the deviation from deployed protocols. It is therefore essential, when designing a new protocol,
to first understand its interaction with the elements of the path. The emerging area of crowdsourcing
solutions can help to shed light on this issue. Such approach allows us to reach large and different sets of
users and also different types of devices and networks to perform Internet measurements. In this thesis,
we show how to make informed protocol design choices by expanding the traditional crowdsourcing focus
from the human element and using crowdsourcing large scale measurement platforms.
We consider specific use cases, namely the case of pervasive encryption in the modern Internet, TCP
Fast Open and ECN++. We consider such use cases to advance the global understanding on whether wide
adoption of encryption is possible in today’s Internet or the adoption of encryption is necessary to guarantee
the proper functioning of HTTP/2. We target ECN and particularly ECN++, given its succession of
deployment problems. We then measured ECN deployment over mobile as well as fixed networks. In the
process, we discovered some bad news for the base ECN protocol—more than half the mobile carriers we
tested wipe the ECN field at the first upstream hop. This thesis also reports the good news that, wherever
ECN gets through, we found no deployment problems for the ECN++ enhancement. The thesis includes
the results of other more in-depth tests to check whether servers that claim to support ECN, actually respond
correctly to explicit congestion feedback, including some surprising congestion behaviour unrelated
to ECN.
This thesis also explores the possible causes that ossify the modern Internet and make difficult the
advancement of the innovation. Network Address Translators (NATs) are a commonplace in the Internet
nowadays. It is fair to say that most of the residential and mobile users are connected to the Internet
through one or more NATs. As any other technology, NAT presents upsides and downsides. Probably the
most acknowledged downside of the NAT technology is that it introduces additional difficulties for some
applications such as peer-to-peer applications, gaming and others to function properly. This is partially
due to the nature of the NAT technology but also due to the diversity of behaviors of the different NAT implementations
deployed in the Internet. Understanding the properties of the currently deployed NAT base
provides useful input for application and protocol developers regarding what to expect when deploying
new application in the Internet. We develop NATwatcher, a tool to test NAT boxes using a crowdsourcingbased
measurement methodology.
We also perform large scale active measurement campaigns to detect CGNs in fixed broadband networks
using NAT Revelio, a tool we have developed and validated. Revelio enables us to actively determine from within residential networks the type of upstream network address translation, namely NAT
at the home gateway (customer-grade NAT) or NAT in the ISP (Carrier Grade NAT). We deploy Revelio
in the FCC Measuring Broadband America testbed operated by SamKnows and also in the RIPE Atlas
testbed.
A part of this thesis focuses on characterizing CGNs in Mobile Network Operators (MNOs). We develop
a measuring tool, called CGNWatcher that executes a number of active tests to fully characterize CGN
deployments in MNOs. The CGNWatcher tool systematically tests more than 30 behavioural requirements
of NATs defined by the Internet Engineering Task Force (IETF) and also multiple CGN behavioural metrics.
We deploy CGNWatcher in MONROE and performed large measurement campaigns to characterize the
real CGN deployments of the MNOs serving the MONROE nodes.
We perform a large measurement campaign using the tools described above, recruiting over 6,000 users,
from 65 different countries and over 280 ISPs. We validate our results with the ISPs at the IP level and,
reported to the ground truth we collected. To the best of our knowledge, this represents the largest active
measurement study of (confirmed) NAT or CGN deployments at the IP level in fixed and mobile networks
to date.
As part of the thesis, we characterize roaming across Europe. The goal of the experiment was to try to
understand if the MNO changes CGN while roaming, for this reason, we run a series of measurements that
enable us to identify the roaming setup, infer the network configuration for the 16 MNOs that we measure
and quantify the end-user performance for the roaming configurations which we detect. We build a unique
roaming measurement platform deployed in six countries across Europe. Using this platform, we measure
different aspects of international roaming in 3G and 4G networks, including mobile network configuration,
performance characteristics, and content discrimination. We find that operators adopt common approaches
to implementing roaming, resulting in additional latency penalties of 60 ms or more, depending on geographical
distance. Considering content accessibility, roaming poses additional constraints that leads to
only minimal deviations when accessing content in the original country. However, geographical restrictions
in the visited country make the picture more complicated and less intuitive.
Results included in this thesis would provide useful input for application, protocol designers, ISPs and
researchers that aim to make their applications and protocols to work across the modern Internet.Programa de Doctorado en Ingeniería Telemática por la Universidad Carlos III de MadridPresidente: Gonzalo Camarillo González.- Secretario: María Carmen Guerrero López.- Vocal: Andrés García Saavedr