611 research outputs found

    The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem

    Full text link
    In this paper, we analyze the evolution of Certificate Transparency (CT) over time and explore the implications of exposing certificate DNS names from the perspective of security and privacy. We find that certificates in CT logs have seen exponential growth. Website support for CT has also constantly increased, with now 33% of established connections supporting CT. With the increasing deployment of CT, there are also concerns of information leakage due to all certificates being visible in CT logs. To understand this threat, we introduce a CT honeypot and show that data from CT logs is being used to identify targets for scanning campaigns only minutes after certificate issuance. We present and evaluate a methodology to learn and validate new subdomains from the vast number of domains extracted from CT logged certificates.Comment: To be published at ACM IMC 201

    A Future Internet Architecture Based on De-Conflated Identities

    Full text link
    We present a new Internet architecture based on de-conflated identities (ADI) that explicitly establishes the separation of ownership of hosts from the underlying infrastructure connectivity. A direct impact of this de-conflated Internet architecture is the ability to express organizational policies separately and thus more naturally, from the underlying infrastructure routing policies. Host or organizational accountability is separated from the infrastructure accountability, laying the foundations of a cleaner security and policy enforcement framework. Also, it addresses the present Internet routing problems of mobility, multihoming, and traffic engineering more naturally by making a clear distinction of host and infrastructure responsibilities and thus defining these functions as a set of primitives governed by individual policies. In this paper, we instantiate the primitive mechanisms related to the issues of end-to-end policy enforcements, mobility, multihoming, traffic engineering, etc., within the context of our architecture to emphasize the relevance of a de-conflated Internet architecture on these functions

    Design of a Scalable Path Service for the Internet

    Get PDF
    Despite the world-changing success of the Internet, shortcomings in its routing and forwarding system have become increasingly apparent. One symptom is an escalating tension between users and providers over the control of routing and forwarding of packets: providers understandably want to control use of their infrastructure, and users understandably want paths with sufficient quality-of-service (QoS) to improve the performance of their applications. As a result, users resort to various “hacks” such as sending traffic through intermediate end-systems, and the providers fight back with mechanisms to inspect and block such traffic. To enable users and providers to jointly control routing and forwarding policies, recent research has considered various architectural approaches in which provider- level route determination occurs separately from forwarding. With this separation, provider-level path computation and selection can be provided as a centralized service: users (or their applications) send path queries to a path service to obtain provider- level paths that meet their application-specific QoS requirements. At the same time, providers can control the use of their infrastructure by dictating how packets are forwarded across their network. The separation of routing and forwarding offers many advantages, but also brings a number of challenges such as scalability. In particular, the path service must respond to path queries in a timely manner and periodically collect topology information containing load-dependent (i.e., performance) routing information. We present a new design for a path service that makes use of expensive pre- computations, parallel on-demand computations on performance information, and caching of recently computed paths to achieve scalability. We demonstrate that, us- ing commodity hardware with a modest amount of resources, the path service can respond to path queries with acceptable latency under a realistic workload. The ser- vice can scale to arbitrarily large topologies through parallelism. Finally, we describe how to utilize the path service in the current Internet with existing Internet applica- tions

    Securing The Root: A Proposal For Distributing Signing Authority

    Get PDF
    Management of the Domain Name System (DNS) root zone file is a uniquely global policy problem. For the Internet to connect everyone, the root must be coordinated and compatible. While authority over the legacy root zone file has been contentious and divisive at times, everyone agrees that the Internet should be made more secure. A newly standardized protocol, DNS Security Extensions (DNSSEC), would make the Internet's infrastructure more secure. In order to fully implement DNSSEC, the procedures for managing the DNS root must be revised. Therein lies an opportunity. In revising the root zone management procedures, we can develop a new solution that diminishes the impact of the legacy monopoly held by the U.S. government and avoids another contentious debate over unilateral U.S. control. In this paper we describe the outlines of a new system for the management of a DNSSEC-enabled root. Our proposal distributes authority over securing the root, unlike another recently suggested method, while avoiding the risks and pitfalls of an intergovernmental power sharing scheme

    Policy Based QoS support using BGP Routing

    Get PDF
    Abstract -Routing protocols are important to exchange routing information between neighboring routers. Such information is Key words: BGP, QoS, Autonomous System (AS) Introduction Current Internet architecture is based on the Best Effort (BE) model, where packets can be dropped indiscriminately in the event of congestion. Such architecture attempts to deliver all traffic as soon as possible within the limits of its abilities, but without any guarantee about throughput, delay, packet loss, etc. Though such a model works well for certain traditional applications such as FTP, E-mail and less QoS constrained applications, it can be intolerable for newly emerged real-time, multimedia applications such as Internet Telephony (VoIP), Video-Conferencing and Video on-Demand, as well as future services. Hence, with massive deployment of Internet based applications in recent years and the need to manage them efficiently, current Internet structure needs a major shift from the BE model to a service oriented model with support for desired QoS. Current research in this direction is focused towards providing better than BE service over the Internet through a new architecture. Also the new architecture should be both scalable and guarantee end-to-end QoS for different services/applications while supporting different levels of performance. Current Internet architecture lacks standardization while deployed across various domains, hence affecting end-to-end QoS significantly. In this paper our effort is to find a scalable and uniform solution mainly addressing routing and its effect on end to end QoS. In this regard, we consider current inter-domain routing based on BGP as the central component and develop an algorithm allowing QoS domains to be easily identified and enable policy based routing to support QoS for various applications. One of the main objectives in setting up an end-to-end path for any service over the Internet is providing support for its service requirements to achieve necessary QoS, and such tasks are difficult to achieve through current Internet architecture. In this regard, our algorithm is designed to address such heterogeneous service parameter requirements for different services between ASs, and tries to find a viable solution by integrating network policies with routing and traffic engineering objectives. We mainly focus on Inter-domain traffic engineering issues in resolving the policy requirements of different services. In doing so, we have identified and addressed two core problems in the Internet today in relation to QoS

    Vers une utilisation de la diversité de chemins dans l'internet

    Get PDF
    In this thesis we consider a new service where carriers offer additional routes to their customers (w.r.t. to the BGP default route) as a free or value-added service. These alternate routes can be used by customers to optimize their communications, by bypassing some congested points in the Internet (e.g. a “tussled” peeringpoints), to help them to meet their traffic engineering objectives (better delays etc.) or just for robustness purposes (e.g, shift to a disjoint alternate route if needed). First we propose a simple architecture that allows a network service provider to benefit from the diversity it currently receives. Then we extend this architecture in order to make the propagation of the Internet path diversity possible, not only to direct neighbors but also to their neighbors and so on. We take advantage of this advance to relax the route selection processes of autonomous systems in order to make them be able to set up new routing paradigms. Nevertheless announcing additional paths can lead to scalability issues, so each carrier could receive more paths than what it could manage. We quantify this issue and we underline easy adaptations and small path filterings which make the number of paths drop to a manageable amount. Last but not least we set up an auction-type route allocation framework, which gives to network service providers the opportunities first to propagate to their neighbors only the paths the said neighbors are interested in and second to leverage a new routing selection paradigm based on commercial agreements and negotiationsNous considĂ©rons, dans cette thĂšse, un nouveau service par lequel les opĂ©rateurs de tĂ©lĂ©communications offrent des routes supplĂ©mentaires Ă  leurs clients (en plus de la route par dĂ©faut) comme un service gratuit ou Ă  valeur ajoutĂ©e. Ces routes supplĂ©mentaires peuvent ĂȘtre utilisĂ©es par des clients afin d’optimiser leurs communications, en outrepassant des points de congestion d’Internet, ou les aider Ă  atteindre leurs objectifs d’ingĂ©nierie de trafic (meilleurs dĂ©lais etc.) ou dans un but de robustesse. Nous proposons d’abord une architecture simple permettant Ă  un opĂ©rateur de tĂ©lĂ©communication de bĂ©nĂ©ficier de la diversitĂ© de chemin qu’il reçoit dĂ©jĂ . Nous Ă©tendons ensuite cette architecture afin de rendre possible la propagation de cette diversitĂ© de chemin, non seulement aux voisins directs mais aussi, de proche en proche, aux autres domaines. Nous profitons de cette occasion pour relaxer la sĂ©lection des routes des diffĂ©rents domaines afin de leur permettre de mettre en place de nouveaux paradigmes de routage. NĂ©anmoins, annoncer des chemins additionnels peut entrainer des problĂšmes de passage Ă  l’échelle car chaque opĂ©rateur peut potentiellement recevoir plus de chemins que ce qu’il peut gĂ©rer. Nous quantifions ce problĂšme et mettons en avant des modifications et filtrages simples permettant de rĂ©duire ce nombre Ă  un niveau acceptable. En dernier, nous proposons un processus, inspirĂ© des ventes aux enchĂšres, permettant aux opĂ©rateurs de propager aux domaines voisins seulement les chemins qui intĂ©ressent les dits voisins. De plus, ce processus permet de mettre en avant un nouveau paradigme de propagation de routes, basĂ© sur des nĂ©gociations et accords commerciau

    Provide quality of service for differentiated services networks by policy-based networking

    Get PDF
    Master'sMASTER OF ENGINEERIN

    Supporting policy-based contextual reconfiguration and adaptation in ubiquitous computing

    Get PDF
    In order for pervasive computing systems to be able to perform tasks which support us in everyday life without requiring attention from the users of the environment, they need to adapt themselves in response to context. This makes context-awareness in general, and context-aware adaptation in particular, an essential requirement for pervasive computing systems. Two of the features of context-awareness are: contextual reconfiguration and contextual adaptation in which applications adapt their behaviour in response to context. We combine both these features of context-awareness to provide a broad scope of adaptation and put forward a system, called Policy-Based Contextual Reconfiguration and Adaptation (PCRA) that provides runtime support for both. The combination of both context-aware reconfiguration and context-aware adaptation provides a broad scope of adaptation and hence allows the development of diverse adaptive context-aware applications. However, another important issue is the choice of an effective means for developing, modifying and extending such applications. The main argument forming the basis of this thesis is that we advocate the use of a policy-based programming model and argue that it provides more effective means for developing, modifying and extending such applications. This thesis addresses other important surrounding issues which are associated with adaptive context-aware applications. These include the management of invalid bindings and the provision of seamless caching support for remote services involved in bindings for improved performance. The bindings may become invalid due to failure conditions that can arise due to network problems or migration of software components, causing bindings between the application component and remote service to become invalid. We have integrated reconfiguration support to manage bindings, and seamless caching support for remote services in PCRA. This thesis also describes the design and implementation of PCRA, which enables development of adaptive context-aware applications using policy specifications. Within PCRA, adaptive context-aware applications are modelled by specifying binding policies and adaptation policies. The use of policies within PCRA simplifies the development task because policies are expressed at a high-level of abstraction, and are expressed independently of each other. PCRA also allows the dynamic modification of applications since policies are independent units of execution and can be dynamically loaded and removed from the system. This is a powerful and useful capability as applications may evolve over time, i.e. the user needs and preferences may change, but re-starting is undesirable. We evaluate PCRA by comparing its features to other systems in the literature, and by performance measures
    • 

    corecore