Recommended from our members
PBS: Signaling Architecture for Network Traffic Authorization
We present a signaling architecture for network traffic authorization, Permission-Based Sending (PBS). This architecture aims to prevent Denial-of-Service (DoS) attacks and other forms of unauthorized traffic. Towards this goal, PBS takes a hybrid approach: a proactive approach of explicit permissions and a reactive approach of monitoring and countering attacks. On-path signaling is used to configure the permission state stored in routers for a data flow. The signaling approach enables easy installation and management of the permission state, and its use of soft-state improves robustness of the system. For secure permission state setup, PBS provides security for signaling in two ways: signaling messages are encrypted end-to-end using public key encryption and TLS provides hop-by-hop encryption of signaling paths. In addition, PBS uses IPsec for data packet authentication. Our analysis and performance evaluation show that PBS is an effective and scalable solution for preventing various kinds of attack scenarios, including Byzantine attacks.
NetServ Framework Design and Implementation 1.0
Eyeball ISPs today are under-utilizing an important asset: edge routers. We present NetServ, a programmable node architecture aimed at turning edge routers into distributed service hosting platforms. This allows ISPs to allocate router resources to content publishers and application service providers motivated to deploy content and services at the network edge. This model provides important benefits over currently available solutions like CDNs. Content and services can be brought closer to end users by dynamically installing and removing custom modules as needed throughout the network. Unlike previous programmable router proposals which focused on customizing features of a router, NetServ focuses on deploying content and services. All our design decisions reflect this change in focus. We set three main design goals: a wide-area deployment, a multi-user execution environment, and a clear economic benefit. We built a prototype using Linux, NSIS signaling, and the Java OSGi framework. We also implemented four prototype applications: ActiveCDN provides publisher-specific content distribution and processing; KeepAlive Responder and Media Relay reduce the infrastructure needs of telephony providers; and Overload Control makes it possible to deploy more flexible algorithms to handle excessive traffic.
Advanced Signaling Support for IP-based Networks
This work develops a set of advanced signaling concepts for IP-based networks. It proposes a design for secure and authentic signaling and provides QoS signaling support for mobile users. Furthermore, this work develops methods which allow for scalable QoS signaling by realizing QoS-based group communication mechanisms and through aggregation of resource reservations.
Simplified Network Signaling Architecture
The wheel has been reinvented several times in signaling protocols. Most signaling protocols re-invent, e.g., their own signaling transport methods, end-point discovery, measures for reliable exchange of messages and security features. The Next Steps in Signaling (NSIS) framework was created in the IETF to design a single unified framework for various network signaling needs. The signaling transport layer of NSIS, the General Internet Signaling Transport (GIST), was specified in the IETF to provide a common transport service for signaling applications. The NSIS suite also includes two signaling protocols, NSIS Signaling Layer Protocols (NSLP), one for Quality of Service provisioning and one to configure middleboxes, in particular Network Address Translators and firewalls.
The different signaling applications use GIST message delivery services through an API that consists of several operations. On top of common operations for sending and receiving data, the API also covers network events, errors and session state management. The API covers all GIST aspects, and allows application developers to have adequate knowledge of network state. However, as a result the API is very cumbersome to use, and an application developer needs to take care of a non-trivial amount of detail. A further challenge is that to create a new signaling application, one needs to acquire and register a unique NSLP identifier with the Internet Assigned Numbers Authority (IANA).
This thesis presents the Messaging NSLP, which provides an abstraction layer to hide complex GIST features from the signaling application. Developers of Messaging Applications can use a simple Messaging API to open and close sessions and to transfer application data from one Messaging Application node to another.
Prototype implementations of the NSLP API and the Messaging NSLP were created and tested to verify the protocol operation in various network scenarios. An overhead analysis of GIST and the Messaging NSLP was performed, and the results are compatible with earlier, third-party analysis. The Messaging NSLP can introduce up to 938 bytes of overhead to initiate a signaling session, but later signaling only introduces 78 bytes of header overhead.
RMD-QOSM - The Resource Management in Diffserv QoS model
This document describes an NSIS QoS Model for networks that use the Resource Management in Diffserv (RMD) concept. RMD is a technique for adding admission control and preemption functions to Differentiated Services (Diffserv) networks. The RMD QoS Model allows devices external to the RMD network to signal reservation requests to edge nodes in the RMD network. The RMD Ingress edge nodes classify the incoming flows into traffic classes and signal resource requests for the corresponding traffic class along the data path to the Egress edge nodes for each flow. Egress nodes reconstitute the original requests and continue forwarding them along the data path towards the final destination. In addition, RMD defines notification functions to indicate overload situations within the domain to the edge nodes.
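The ingress/interior/egress division of labour described in the RMD-QOSM abstract, as an added example in Python that is not part of the RFC or of any RMD implementation: an ingress edge maps a per-flow request to a Diffserv class via an assumed DSCP-to-class table and signals a per-class request hop by hop; each interior node admits against a per-class capacity and, when it cannot, the already-admitted hops are released and the refusal is reported back as the overload notification; the egress edge reconstitutes the per-flow request and forwards it. Node names, capacities, the DSCP table and the request values are all constructed for the illustration; the message formats and the preemption function of the real model are not modelled.

```python
"""Toy model of RMD-QOSM reservation handling across one Diffserv domain.
Constructed illustration, not the RMD-QOSM protocol or its message formats."""
from dataclasses import dataclass, field

# Assumed DSCP -> traffic class mapping used by the ingress classifier.
CLASS_OF_DSCP = {46: "EF", 34: "AF41", 26: "AF31", 0: "BE"}


@dataclass
class FlowRequest:
    flow_id: str
    dscp: int
    rate_kbps: int


@dataclass
class InteriorNode:
    """Interior node: per-class admission control, no per-flow state."""
    name: str
    capacity_kbps: dict
    used_kbps: dict = field(default_factory=dict)

    def admit(self, traffic_class: str, rate_kbps: int) -> bool:
        used = self.used_kbps.get(traffic_class, 0)
        if used + rate_kbps > self.capacity_kbps.get(traffic_class, 0):
            return False  # class is full: overload for this request
        self.used_kbps[traffic_class] = used + rate_kbps
        return True

    def release(self, traffic_class: str, rate_kbps: int) -> None:
        self.used_kbps[traffic_class] = self.used_kbps.get(traffic_class, 0) - rate_kbps


@dataclass
class RmdDomain:
    interior: list                      # interior nodes on the data path, in order
    egress_log: list = field(default_factory=list)

    def ingress(self, req: FlowRequest) -> dict:
        """Ingress edge: classify the flow, signal a per-class request along the path."""
        tc = CLASS_OF_DSCP.get(req.dscp, "BE")
        admitted = []
        for node in self.interior:
            if not node.admit(tc, req.rate_kbps):
                # Overload notification back to the edge: undo partial admission.
                for n in admitted:
                    n.release(tc, req.rate_kbps)
                return {"flow": req.flow_id, "class": tc, "admitted": False,
                        "overloaded_at": node.name}
            admitted.append(node)
        return self.egress(req, tc)

    def egress(self, req: FlowRequest, tc: str) -> dict:
        """Egress edge: reconstitute the original per-flow request and forward it on."""
        self.egress_log.append((req.flow_id, req.rate_kbps))
        return {"flow": req.flow_id, "class": tc, "admitted": True, "forwarded": req}


def demo():
    """Constructed scenario: two EF voice flows and one AF41 video flow over
    a two-hop path whose second hop has only 600 kbit/s of EF capacity."""
    path = [InteriorNode("i1", {"EF": 1000, "AF41": 2000}),
            InteriorNode("i2", {"EF": 600, "AF41": 2000})]
    domain = RmdDomain(path)
    results = [domain.ingress(FlowRequest("voice-1", 46, 400)),
               domain.ingress(FlowRequest("voice-2", 46, 300)),  # i2 has 200 left
               domain.ingress(FlowRequest("video-1", 34, 1500))]
    return results, domain


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

Note that the interior nodes never see the flow identifiers: only the edge nodes hold per-flow state, which is what keeps the interior scalable, and the rollback on refusal is what stops a rejected request from leaving phantom reservations behind on the hops it already passed.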
Mitigating Network Service Disruptions in High-bandwidth, Intermittently Connected, and Peer-to-Peer Networks
Users demand high-bandwidth, ubiquitous and low-cost network services. This demand has pushed ISPs and application providers to offer more bandwidth, allow users to access the Internet almost everywhere, and provide cheap or free network services using peer-to-peer networks. These three trends underlie the growing success of today's Internet. However, (1) high bandwidth can enable more effective denial-of-service attacks; (2) Internet access is widespread, but still not ubiquitous; and (3) peer-to-peer network services need to solve the service discovery problem. This thesis addresses these three challenges. First, we tackle denial-of-service attacks. The high bandwidth available in many parts of the Internet allows denial-of-service attacks to be effective, and the large scale of the Internet makes detecting and preventing these attacks difficult. The anonymity and openness of the Internet worsen this problem because anyone can send anything to anybody. To prevent these denial-of-service attacks, we propose Permission-Based Sending (PBS), a signaling architecture for network traffic authorization. PBS uses explicit permissions to give legitimate users the authority to send packets. Signaling is used to configure this permission in the data path. This signaling approach enables easy installation for granting authorization to flows, and allows PBS to be deployed in existing networks. In addition, a monitoring mechanism provides a second line of defense against attacks. Next, we strive to make Internet access more ubiquitous. When public transportation stations have access points to provide Internet access to passengers, public transportation becomes a more attractive travel and commute option. However, Internet connectivity is intermittent because passengers can access the Internet only when a bus or train is within the networking coverage of an AP at a stop.
To efficiently handle this intermittent network for the public transit system, we develop Internet Cache on Wheels (ICOW), a system that provides a low-cost way for bus and train operators to offer access to Internet content. Each bus and train car is equipped with a smart cache that serves popular content to passengers. The cache updates its content based on passenger requests when it is within range of Internet access points placed at bus stops, train stations or depots. This aggregated Internet access is significantly more efficient than having passengers contact Internet access points individually and ensures continuous availability of content throughout the journey. Finally, we consider peer-to-peer services. Typical service discovery mechanisms in peer-to-peer networks cause significant overhead, consuming energy and bandwidth: (1) in highly mobile networks, service discovery consumes the energy of mobile devices to discover services that newly joined members provide; and (2) peer-to-peer network systems consume bandwidth during service discovery. To resolve and analyze these service discovery problems, (1) we design an efficient service discovery mechanism that reduces energy consumption of mobile devices; and (2) we evaluate the bandwidth consumption caused by service discovery in real-world peer-to-peer networks.
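The hybrid PBS scheme sketched in the PBS abstract and again in the first part of the thesis abstract above, as an added example in Python that is not code from either work: one on-path router holds receiver-granted permission state as soft state (it lapses unless the signaling is refreshed), authenticates every data packet of a permitted flow, and runs a per-flow rate monitor that revokes the permission of a flow exceeding its grant, the reactive second line of defense. Everything concrete here is an assumption for illustration and not PBS's wire format: the 5-tuple flow key, the 30 s soft-state timer, the per-flow HMAC-SHA256 key standing in for the IPsec packet authentication the papers rely on, the one-second window counter as the monitoring mechanism, and the constructed addresses.

```python
"""Toy model of Permission-Based Sending (PBS) on a single on-path router.
Constructed illustration, not the PBS implementation or its message formats."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed flow key shape: (src_ip, dst_ip, proto, dst_port).
FlowId = tuple


@dataclass
class Permission:
    key: bytes            # per-flow key agreed during permission setup (assumption)
    max_pps: int          # granted rate, packets per second
    expires_at: float     # soft-state timeout, extended only by re-signaling
    window_start: float = 0.0
    window_count: int = 0


@dataclass
class PBSRouter:
    perms: dict = field(default_factory=dict)   # FlowId -> Permission
    revoked: set = field(default_factory=set)   # flows caught by the monitor
    stats: dict = field(default_factory=lambda: {
        "forwarded": 0, "no_permission": 0, "bad_auth": 0, "revoked": 0})

    # ---- signaling path (proactive): install, refresh and expire soft state ----
    def grant(self, flow: FlowId, key: bytes, max_pps: int, now: float,
              ttl: float = 30.0) -> bool:
        """Install permission state for `flow`; refused if the monitor revoked it."""
        if flow in self.revoked:
            return False
        self.perms[flow] = Permission(key=key, max_pps=max_pps, expires_at=now + ttl)
        return True

    def refresh(self, flow: FlowId, now: float, ttl: float = 30.0) -> bool:
        """Refresh signaling: extend the timer of a still-valid permission."""
        p = self.perms.get(flow)
        if p is None or now > p.expires_at:
            return False
        p.expires_at = now + ttl
        return True

    def expire(self, now: float) -> int:
        """Soft-state garbage collection: drop permissions nobody refreshed."""
        dead = [f for f, p in self.perms.items() if now > p.expires_at]
        for f in dead:
            del self.perms[f]
        return len(dead)

    # ---- data path: authorize, authenticate, then police the granted rate ----
    def forward(self, flow: FlowId, payload: bytes, tag: bytes, now: float) -> str:
        p = self.perms.get(flow)
        if p is None or now > p.expires_at:
            self.stats["no_permission"] += 1
            return "drop:no_permission"
        expected = hmac.new(p.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):      # stand-in for the IPsec check
            self.stats["bad_auth"] += 1
            return "drop:bad_auth"
        # Reactive defense: count authenticated packets per one-second window.
        if now - p.window_start >= 1.0:
            p.window_start, p.window_count = now, 0
        p.window_count += 1
        if p.window_count > p.max_pps:
            del self.perms[flow]
            self.revoked.add(flow)
            self.stats["revoked"] += 1
            return "drop:revoked"
        self.stats["forwarded"] += 1
        return "forward"


def sign(key: bytes, payload: bytes) -> bytes:
    """Sender side: authentication tag over the packet (stand-in for IPsec)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def demo() -> dict:
    """Constructed scenario: a permitted flow, an unpermitted flow, a forged tag,
    a flood above the granted rate, and soft-state expiry. Returns the outcomes."""
    r = PBSRouter()
    good = ("10.0.0.5", "192.0.2.10", 17, 5004)      # constructed addresses
    rogue = ("10.0.0.66", "192.0.2.10", 17, 5004)
    key = b"per-flow-key-from-setup"
    out = {}
    r.grant(good, key, max_pps=3, now=0.0)
    out["permitted"] = r.forward(good, b"rtp-1", sign(key, b"rtp-1"), now=0.1)
    out["unpermitted"] = r.forward(rogue, b"x", sign(b"guess", b"x"), now=0.1)
    out["forged"] = r.forward(good, b"rtp-2", sign(b"guess", b"rtp-2"), now=0.2)
    # Flood: the 4th authenticated packet inside the same second exceeds max_pps=3.
    flood = [r.forward(good, b"f", sign(key, b"f"), now=0.3 + i * 0.01) for i in range(3)]
    out["flood"] = flood[-1]
    out["regrant_after_revoke"] = r.grant(good, key, max_pps=3, now=1.0)
    other = ("10.0.0.7", "192.0.2.10", 6, 443)       # granted at t=5, never refreshed
    r.grant(other, key, max_pps=10, now=5.0)
    out["expired"] = r.expire(now=40.0)
    out["stats"] = dict(r.stats)
    return out


if __name__ == "__main__":
    print(demo())
```

The three drop reasons map onto the three lines of defense in the abstracts: no state means the flow was never authorized by signaling, a bad tag means the packet does not belong to the authorized sender, and revocation is the monitor acting on a flow that was authorized but misbehaves. Soft state is what keeps a router from accumulating permissions for senders that have gone away or whose signaling was cut off.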
Firewall Traversal in Mobile IPv6 Networks
Middleboxes, such as firewalls, are an important aspect of a large number of modern IP networks. Today's IP networks are predominantly based on IPv4 technologies, so many firewalls and Network Address Translators (NATs) were originally developed for those networks. The development of IPv6 networks is currently under way. Since Mobile IPv6 is a relatively new standard, most firewalls available for IPv6 networks do not yet support Mobile IPv6. Unless firewalls are aware of the details of the Mobile IPv6 protocol, they will either block Mobile IPv6 communication or handle it incorrectly. This is one of the main obstacles to the successful deployment of Mobile IPv6. This thesis describes the problems and effects of the presence of middleboxes in Mobile IPv6 environments. To that end, it first explains which kinds of middleboxes exist, what exactly a middlebox is and how such a middlebox operates, and second identifies the problems and explains the effects of the presence of firewalls in Mobile IPv6 environments. Subsequently, several state-of-the-art middlebox traversal approaches are examined that can be considered possible solutions for overcoming the Mobile IPv6 firewall traversal problems. How these solutions work is explained in detail and their applicability to Mobile IPv6 firewall traversal is evaluated. As its main contribution, this thesis introduces two detailed solution approaches that can overcome the Mobile IPv6 firewall traversal problem. The first approach, NSIS-based Mobile IPv6 Firewall Traversal, builds on the Next Steps in Signaling (NSIS) framework and the NAT/Firewall NSIS Signaling Layer Protocol (NAT/FW NSLP). The second approach, the Mobile IPv6 Application Layer Gateway, is then presented.
This thesis explains in detail how these approaches overcome the problems and effects of the presence of middleboxes in Mobile IPv6 environments. Furthermore, it presents how the NSIS-based Mobile IPv6 Firewall Traversal and the Mobile IPv6 Application Layer Gateway proof-of-concept implementations, which were developed as part of this work, were implemented. Finally, the proof-of-concept implementations and the two approaches in general are evaluated and analysed.
QoS management and control for an all-IP WiMAX network architecture: Design, implementation and evaluation
The IEEE 802.16 standard provides a specification for a fixed and mobile broadband wireless access system, offering high data rate transmission of multimedia services with different Quality-of-Service (QoS) requirements through the air interface. The WiMAX Forum, going beyond the air interface, defined an end-to-end WiMAX network architecture, based on an all-IP platform in order to complete the standards required for a commercial rollout of WiMAX as a broadband wireless access solution. As the WiMAX network architecture is only a functional specification, this paper focuses on an innovative solution for an end-to-end WiMAX network architecture offering in compliance with the WiMAX Forum specification. To the best of our knowledge, this is the first WiMAX architecture built by a research consortium globally, and it was performed within the framework of the European IST project WEIRD (WiMAX Extension to Isolated Research Data networks). One of the principal features of our architecture is support for end-to-end QoS, achieved by the integration of resource control in the WiMAX wireless link and resource management in the wired domains in the network core. In this paper we present the architectural design of these QoS features in the overall WiMAX all-IP framework and their functional as well as performance evaluation. The presented results can safely be considered as unique and timely for any WiMAX system integrator.
Autonomous QoS Management and Policing in Unmanaged Local Area Networks
The sharp increase in bandwidth-intensive applications like high definition video streaming in home and small office environments leads to QoS challenges in hybrid wired/wireless local area networks. These networks are often not QoS aware and may contain bottlenecks in their topology. In addition, they often have a hybrid nature due to the access technologies used, consisting of, for example, Ethernet, wireless, and PowerLAN links. In this paper, we present the research work on a novel autonomous system for hybrid QoS in local area networks, called QoSiLAN, which does not rely on network infrastructure support but on host cooperation and works independently of the access technology. We present a new QoS Signalling Protocol, policing and admission control algorithms, and a new lightweight statistical bandwidth prediction algorithm for autonomous resource management in LANs. This new QoS framework enables link-based, access-medium-independent bandwidth management without network support. We provide evaluation results for the novel bandwidth prediction algorithm as well as for the QoSiLAN framework and its protocol, which highlight the features, robustness, and effectiveness of the proposed system.