Network protection with multiple availability guarantees

We develop a novel network protection scheme that provides guarantees on both the fraction of time a flow has full connectivity, as well as a quantifiable minimum grade of service during downtimes. In particular, a flow can be below the full demand for at most a maximum fraction of time; then, it must still support at least a fraction q of the full demand. This is in contrast to current protection schemes that offer either availability-guarantees with no bandwidth guarantees during the downtime, or full protection schemes that offer 100% availability after a single link failure. We develop algorithms that provide multiple availability guarantees and show that significant capacity savings can be achieved as compared to full protection. If a connection is allowed to drop to 50% of its bandwidth for 1 out of every 20 failures, then a 24% reduction in spare capacity can be achieved over traditional full protection schemes. In addition, for the case of q = 0, corresponding to the standard availability constraint, an optimal pseudo-polynomial time algorithm is presented.National Science Foundation (U.S.) (NSF grants CNS-1116209)National Science Foundation (U.S.) (NSF grants CNS-0830961)United States. Defense Threat Reduction Agency (grant HDTRA-09-1-005)United States. Defense Threat Reduction Agency (grant HDTRA1-07-1-0004)United States. Air Force (Air Force contract # FA8721-05-C-0002

Availability-driven NFV orchestration

Virtual Network Functions as a Service (VNFaaS) is a promising business whose technical directions consist of providing network functions as a Service instead of delivering standalone network appliances, leveraging a virtualized environment named NFV Infrastructure (NFVI) to provide higher scalability and reduce maintenance costs. Operating the NFVI under stringent availability guarantees is fundamental to ensure the proper functioning of the VNFaaS against software attacks and failures, as well as common physical device failures. Indeed the availability of a VNFaaS relies on the failure rate of its single components, namely the physical servers, the hypervisor, the VNF software, and the communication network. In this paper, we propose a versatile orchestration model able to integrate an elastic VNF protection strategy with the goal to maximize the availability of an NFVI system serving multiple VNF demands. The elasticity derives from (i) the ability to use VNF protection only if needed, or (ii) to pass from dedicated protection scheme to shared VNF protection scheme when needed for a subset of the VNFs, (iii) to integrate traffic split and load-balancing as well as mastership role election in the orchestration decision, (iv) to adjust the placement of VNF masters and slaves based on the availability of the different system and network components involved. We propose a VNF orchestration algorithm based on Variable Neighboring Search, able to integrate both protection schemes in a scalable way and capable to scale, while outperforming standard online policies

Network protection with service guarantees

Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Aeronautics and Astronautics, 2013.This electronic version was submitted and approved by the author's academic department as part of an electronic thesis pilot project. The certified thesis is available in the Institute Archives and Special Collections.Cataloged from department-submitted PDF version of thesis.Includes bibliographical references (p. 167-174).With the increasing importance of communication networks comes an increasing need to protect against network failures. Traditional network protection has been an "all-or-nothing" approach: after any failure, all network traffic is restored. Due to the cost of providing this full protection, many network operators opt to not provide protection whatsoever. This is especially true in wireless networks, where reserving scarce resources for protection is often too costly. Furthermore, network protection often does not come with guarantees on recovery time, which becomes increasingly important with the widespread use of real-time applications that cannot tolerate long disruptions. This thesis investigates providing protection for mesh networks under a variety of service guarantees, offering significant resource savings over traditional protection schemes. First, we develop a network protection scheme that guarantees a quantifiable minimum grade of service upon a failure within the network. Our scheme guarantees that a fraction q of each demand remains after any single-link failure, at a fraction of the resources required for full protection. We develop both a linear program and algorithms to find the minimum-cost capacity allocation to meet both demand and protection requirements. Subsequently, we develop a novel network protection scheme that provides guarantees on both the fraction of time a flow has full connectivity, as well as a quantifiable minimum grade of service during downtimes. In particular, a flow can be below the full demand for at most a maximum fraction of time; then, it must still support at least a fraction q of the full demand. This is in contrast to current protection schemes that offer either availability-guarantees with no bandwidth guarantees during the down-time, or full protection schemes that offer 100% availability after a single link failure. We show that the multiple availability guaranteed problem is NP-Hard, and develop solutions using both a mixed integer linear program and heuristic algorithms. Next, we consider the problem of providing resource-efficient network protection that guarantees the maximum amount of time that flow can be interrupted after a failure. This is in contrast to schemes that offer no recovery time guarantees, such as IP rerouting, or the prevalent local recovery scheme of Fast ReRoute, which often over-provisions resources to meet recovery time constraints. To meet these recovery time guarantees, we provide a novel and flexible solution by partitioning the network into failure-independent "recovery domains", where within each domain, the maximum amount of time to recover from a failure is guaranteed. Finally, we study the problem of providing protection against failures in wireless networks subject to interference constraints. Typically, protection in wired networks is provided through the provisioning of backup paths. This approach has not been previously considered in the wireless setting due to the prohibitive cost of backup capacity. However, we show that in the presence of interference, protection can often be provided with no loss in throughput. This is due to the fact that after a failure, links that previously interfered with the failed link can be activated, thus leading to a "recapturing" of some of the lost capacity. We provide both an ILP formulation for the optimal solution, as well as algorithms that perform close to optimal.by Gregory Kuperman.Ph.D

State of The Art and Hot Aspects in Cloud Data Storage Security

Along with the evolution of cloud computing and cloud storage towards matu- rity, researchers have analyzed an increasing range of cloud computing security aspects, data security being an important topic in this area. In this paper, we examine the state of the art in cloud storage security through an overview of selected peer reviewed publications. We address the question of defining cloud storage security and its different aspects, as well as enumerate the main vec- tors of attack on cloud storage. The reviewed papers present techniques for key management and controlled disclosure of encrypted data in cloud storage, while novel ideas regarding secure operations on encrypted data and methods for pro- tection of data in fully virtualized environments provide a glimpse of the toolbox available for securing cloud storage. Finally, new challenges such as emergent government regulation call for solutions to problems that did not receive enough attention in earlier stages of cloud computing, such as for example geographical location of data. The methods presented in the papers selected for this review represent only a small fraction of the wide research effort within cloud storage security. Nevertheless, they serve as an indication of the diversity of problems that are being addressed

Ethernet - a survey on its fields of application

During the last decades, Ethernet progressively became the most widely used local area networking (LAN) technology. Apart from LAN installations, Ethernet became also attractive for many other fields of application, ranging from industry to avionics, telecommunication, and multimedia. The expanded application of this technology is mainly due to its significant assets like reduced cost, backward-compatibility, flexibility, and expandability. However, this new trend raises some problems concerning the services of the protocol and the requirements for each application. Therefore, specific adaptations prove essential to integrate this communication technology in each field of application. Our primary objective is to show how Ethernet has been enhanced to comply with the specific requirements of several application fields, particularly in transport, embedded and multimedia contexts. The paper first describes the common Ethernet LAN technology and highlights its main features. It reviews the most important specific Ethernet versions with respect to each application field’s requirements. Finally, we compare these different fields of application and we particularly focus on the fundamental concepts and the quality of service capabilities of each proposal

Resilient availability and bandwidth-aware multipath provisioning for media transfer over the internet (Best Paper Award)

Traditional routing in the Internet is best-effort. Path differentiation including multipath routing is a promising technique to be used for meeting QoS requirements of media intensive applications. Since different paths have different characteristics in terms of latency, availability and bandwidth, they offer flexibility in QoS and congestion control. Additionally protection techniques can be used to enhance the reliability of the network. This paper studies the problem of how to optimally find paths ensuring maximal bandwidth and resiliency of media transfer over the network. In particular, we propose two algorithms to reserve network paths with minimal new resources while increasing the availability of the paths and enabling congestion control. The first algorithm is based on Integer Linear Programming which minimizes the cost of the paths and the used resources. The second one is a heuristic-based algorithm which solves the scalability limitations of the ILP approach. The algorithms ensure resiliency against any single link failure in the network. The experimental results indicate that using the proposed schemes the connections availability improve significantly and a more balanced load is achieved in the network compared to the shortest path-based approaches

Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials

Personal cryptographic keys are the foundation of many secure services, but storing these keys securely is a challenge, especially if they are used from multiple devices. Storing keys in a centralized location, like an Internet-accessible server, raises serious security concerns (e.g. server compromise). Hardware-based Trusted Execution Environments (TEEs) are a well-known solution for protecting sensitive data in untrusted environments, and are now becoming available on commodity server platforms. Although the idea of protecting keys using a server-side TEE is straight-forward, in this paper we validate this approach and show that it enables new desirable functionality. We describe the design, implementation, and evaluation of a TEE-based Cloud Key Store (CKS), an online service for securely generating, storing, and using personal cryptographic keys. Using remote attestation, users receive strong assurance about the behaviour of the CKS, and can authenticate themselves using passwords while avoiding typical risks of password-based authentication like password theft or phishing. In addition, this design allows users to i) define policy-based access controls for keys; ii) delegate keys to other CKS users for a specified time and/or a limited number of uses; and iii) audit all key usages via a secure audit log. We have implemented a proof of concept CKS using Intel SGX and integrated this into GnuPG on Linux and OpenKeychain on Android. Our CKS implementation performs approximately 6,000 signature operations per second on a single desktop PC. The latency is in the same order of magnitude as using locally-stored keys, and 20x faster than smart cards.Comment: Extended version of a paper to appear in the 3rd Workshop on Security, Privacy, and Identity Management in the Cloud (SECPID) 201