2,250 research outputs found
Multidomain Network Based on Programmable Networks: Security Architecture
This paper proposes a generic security architecture designed for a multidomain and multiservice network based on programmable networks. The multiservice network allows users of an IP network to run programmable services using programmable nodes located in the architecture of the network. The programmable nodes execute codes to process active packets, which can carry user data and control information. The multiservice network model defined here considers the more pragmatic trends in programmable networks. In this scenario, new security risks that do not appear in traditional IP networks become visible. These new risks are a result of the execution of code in the programmable nodes and the processing of the active packets. The proposed security architecture is based on symmetric cryptography in the critical process, combined with an efficient manner of distributing the symmetric keys. Another important contribution has been to scale the security architecture to a multidomain scenario in a single and efficient way.
DoS protection for a Pragmatic Multiservice Network Based on Programmable Networks
Proceedings of First International IFIP TC6 Conference, AN 2006, Paris, France, September 27-29, 2006. We propose a scenario of a multiservice network, based on pragmatic ideas of programmable networks. Active routers are capable of processing both active and legacy packets. This scenario is vulnerable to a Denial of Service attack, which consists in inserting false legacy packets into active routers. We propose a mechanism for detecting the injection of fake legacy packets into active routers. This mechanism consists in exchanging accounting information on the traffic between neighboring active routers. The exchange of accounting information must be carried out in a secure way using secure active packets. The proposed mechanism is sensitive to the loss of packets. To deal with this problem some improvements in the mechanism have been proposed. An important issue is the procedure for discharging packets when an attack has been detected. We propose an easy and efficient mechanism that would be improved in future work.
Operational and Performance Issues of a CBQ router
The use of scheduling mechanisms like Class Based Queueing (CBQ) is expected to play a key role in next generation multiservice IP networks. In this paper we attempt an experimental evaluation of ALTQ/CBQ demonstrating its sensitivity to a wide range of parameters and link layer driver design issues. We pay attention to several CBQ internal parameters that affect performance drastically and particularly to “borrowing”, a key feature for flexible and efficient link sharing. We are also investigating cases where the link sharing rules are violated, explaining and correcting these effects whenever possible. Finally we evaluate CBQ performance and make suggestions for effective deployment in real networks.
Admission control in multiservice IP networks : architectural issues and trends
The trend toward the integration of current and emerging applications and services in the Internet has launched new challenges regarding service deployment and management. Within service management, admission control (AC) has been recognized as a convenient mechanism to keep services under controlled load and assure the required QoS levels, bringing consistency to the services offered. In this context, this article discusses the role of AC in multiservice IP networks and surveys current and representative AC approaches. We address and compare the architectural principles of these AC approaches and their main features, virtues and limitations that impact on the quality control of network services. We identify important design aspects that contribute to the successful deployment of flexible and scalable AC solutions in multiservice networks
MIRAI Architecture for Heterogeneous Network
One of the keywords that describe next-generation wireless communications is "seamless." As part of the e-Japan Plan promoted by the Japanese Government, the Multimedia Integrated Network by Radio Access Innovation project has as its goal the development of new technologies to enable seamless integration of various wireless access systems for practical use by 2005. This article describes a heterogeneous network architecture including a common tool, a common platform, and a common access. In particular, software-defined radio technologies are used to develop a multiservice user terminal to access different wireless networks. The common platform for various wireless networks is based on a wireless-supporting IPv6 network. A basic access network, separated from other wireless access networks, is used as a means for wireless system discovery, signaling, and paging. A proof-of-concept experimental demonstration system is available
Multicast traffic aggregation in MPLS-based VPN networks
This article gives an overview of the current practical approaches under study for a scalable implementation of multicast in layer 2 and 3 VPNs over an IP-MPLS multiservice network. These proposals are based on a well-known technique: the aggregation of traffic into shared trees to manage the forwarding state vs. bandwidth saving trade-off. This sort of traffic engineering mechanism requires methods to estimate the resources needed to set up a multicast shared tree for a set of VPNs. The methodology proposed in this article consists of studying the effect of aggregation obtained by random shared tree allocation on a reference model of a representative network scenario.
Handling concurrent admission control in multiservice IP networks
Paper presented at the "Consumer Communications & Networking Conference 2006", Las Vegas, Nevada, USA, 8-10 January 2006. This paper debates the problem of handling concurrent admission control decisions in multiservice networks, putting forward solutions to mitigate the negative impact that distributed admission of flows might have on the service level guarantees provided to network customers. Keeping in mind that simplicity is a key factor for deployable solutions, we suggest and discuss the use of (i) a service-dependent concurrency index; (ii) a token-based system and (iii) a rate-based credit system, as alternative or complementary proposals to minimize or solve QoS degradation resulting from AC false acceptance
Improving QoS guarantees through implicit AC
http://www2.dcc.ufmg.br/eventos/noms2008/ In multiservice networks, admission control (AC) is a convenient means of assuring high quality communications by safeguarding enough availability for customer traffic. This can be particularly useful to preserve the quality of services such as IP telephony and video conferencing, and to ensure acceptable throughput to elastic flows. This paper tackles the problematic of performing implicit AC in multiservice networks, pointing out a flexible yet simple to deploy solution for controlling flows which do not explicitly send signaling admission requests. This allows to complement the explicit AC case, widening the ability to integrate services and applications in a transparent way. The versatility and self-adaptability of the proposed distributed AC criteria in ensuring the quality of multiple services is also proved
Tuning active monitoring in multiservice IP networks
Paper presented at "Performance Modelling and Evaluation of Heterogeneous Networks (HET-Nets 04)", 2, Ilkley, U.K., July 2004. This paper explores the use of edge-to-edge active monitoring to control simultaneously multiple QoS parameters in multi-service IP networks, while reducing the effects of intrusion on real traffic. Considering a multi-class domain where traffic is controlled at network boundaries based on feedback from on-line measurements, the present work is centered on obtaining adequate per class in-band probing streams so that each class behaviour is correctly captured, even if more than a QoS metric is under control. In this way, we investigate distinct properties of probing patterns and cross-check probing and passive measurement results in order to assess and tune probing effectiveness. To enhance probing ability to sense multiple metrics, we explore Active Queue Management effects on probes and their different probability of reaching the network boundary. The results show that, while IPTD can be easily captured using a very low probing rate, matching ipdv and IPLR is not straightforward. However, we found that choosing a convenient drop precedence for probing packets, the simultaneous estimation of these QoS metrics can be significantly improved
