2,566 research outputs found
Quantum Cryptography in Practice
BBN, Harvard, and Boston University are building the DARPA Quantum Network,
the world's first network that delivers end-to-end network security via
high-speed Quantum Key Distribution, and testing that Network against
sophisticated eavesdropping attacks. The first network link has been up and
steadily operational in our laboratory since December 2002. It provides a
Virtual Private Network between private enclaves, with user traffic protected
by a weak-coherent implementation of quantum cryptography. This prototype is
suitable for deployment in metro-size areas via standard telecom (dark) fiber.
In this paper, we introduce quantum cryptography, discuss its relation to
modern secure networks, and describe its unusual physical layer, its
specialized quantum cryptographic protocol suite (quite interesting in its own
right), and our extensions to IPsec to integrate it with quantum cryptography.Comment: Preprint of SIGCOMM 2003 pape
A model for the analysis of security policies in service function chains
Two emerging architectural paradigms, i.e., Software Defined Networking (SDN)
and Network Function Virtualization (NFV), enable the deployment and management
of Service Function Chains (SFCs). A SFC is an ordered sequence of abstract
Service Functions (SFs), e.g., firewalls, VPN-gateways,traffic monitors, that
packets have to traverse in the route from source to destination. While this
appealing solution offers significant advantages in terms of flexibility, it
also introduces new challenges such as the correct configuration and ordering
of SFs in the chain to satisfy overall security requirements. This paper
presents a formal model conceived to enable the verification of correct policy
enforcements in SFCs. Software tools based on the model can then be designed to
cope with unwanted network behaviors (e.g., security flaws) deriving from
incorrect interactions of SFs in the same SFC
Segment Routing: a Comprehensive Survey of Research Activities, Standardization Efforts and Implementation Results
Fixed and mobile telecom operators, enterprise network operators and cloud
providers strive to face the challenging demands coming from the evolution of
IP networks (e.g. huge bandwidth requirements, integration of billions of
devices and millions of services in the cloud). Proposed in the early 2010s,
Segment Routing (SR) architecture helps face these challenging demands, and it
is currently being adopted and deployed. SR architecture is based on the
concept of source routing and has interesting scalability properties, as it
dramatically reduces the amount of state information to be configured in the
core nodes to support complex services. SR architecture was first implemented
with the MPLS dataplane and then, quite recently, with the IPv6 dataplane
(SRv6). IPv6 SR architecture (SRv6) has been extended from the simple steering
of packets across nodes to a general network programming approach, making it
very suitable for use cases such as Service Function Chaining and Network
Function Virtualization. In this paper we present a tutorial and a
comprehensive survey on SR technology, analyzing standardization efforts,
patents, research activities and implementation results. We start with an
introduction on the motivations for Segment Routing and an overview of its
evolution and standardization. Then, we provide a tutorial on Segment Routing
technology, with a focus on the novel SRv6 solution. We discuss the
standardization efforts and the patents providing details on the most important
documents and mentioning other ongoing activities. We then thoroughly analyze
research activities according to a taxonomy. We have identified 8 main
categories during our analysis of the current state of play: Monitoring,
Traffic Engineering, Failure Recovery, Centrally Controlled Architectures, Path
Encoding, Network Programming, Performance Evaluation and Miscellaneous...Comment: SUBMITTED TO IEEE COMMUNICATIONS SURVEYS & TUTORIAL
Policy-Based Management of a Secure Dynamic and Multipoint Virtual Private Network
Although IP VPN technology has recently been imposed because of its cost effectiveness and that several research studies have been proposed for centralized policy management of intra / inter VPN domain, most solutions are only addressed to VPN site-to-site technology, according to our researches no centralized management model based on a server for dynamic multipoint VPN networks was proposed. In this paper we propose a model 201C;DMVPN Security Management System201D;for centralized policy management of dynamic multipoint multi-architectures VPN network, using a new web interface. We have implemented and tested the model on Single Hub Single Cloud architecture consisting of ten Spokes, the time required for an expert on VPN networks for manual set up of this architecture is an hour, we moved that to five minutes with our model, in addition to time effectiveness the margin error is null
IP-based virtual private networks and proportional quality of service differentiation
IP-based virtual private networks (VPNs) have the potential of delivering cost-effective, secure, and private network-like services. Having surveyed current enabling techniques, an overall picture of IP VPN implementations is presented.
In order to provision the equivalent quality of service (QoS) of legacy connection-oriented layer 2 VPNs (e.g., Frame Relay and ATM), IP VPNs have to overcome the intrinsically best effort characteristics of the Internet. Subsequently, a hierarchical QoS guarantee framework for IP VPNs is proposed, stitching together development progresses from recent research and engineering work.
To differentiate IP VPN QoS, the proportional QoS differentiation model, whose QoS specification granularity compromises that of IntServ and Diffserv, emerges as a potential solution. The investigation of its claimed capability of providing the predictable and controllable QoS differentiation is then conducted.
With respect to the loss rate differentiation, the packet shortage phenomenon shown in two classical proportional loss rate (PLR) dropping schemes is studied. On the pursuit of a feasible solution, the potential of compromising the system resource, that is, the buffer, is ruled out; instead, an enhanced debt-aware mechanism is suggested to relieve the negative effects of packet shortage. Simulation results show that debt-aware partially curbs the biased loss rate ratios, and improves the queueing delay performance as well.
With respect to the delay differentiation, the dynamic behavior of the average delay difference between successive classes is first analyzed, aiming to gain insights of system dynamics. Then, two classical delay differentiation mechanisms, that is,proportional average delay (PAD) and waiting time priority (WTP), are simulated and discussed. Based on observations on their differentiation performances over both short and long time periods, a combined delay differentiation (CDD) scheme is introduced. Simulations are utilized to validate this method.
Both loss and delay differentiations are based on a series of differentiation parameters. Though previous work on the selection of delay differentiation parameters has been presented, that of loss differentiation parameters mostly relied on network operators\u27 experience. A quantitative guideline, based on the principles of queueing and optimization, is then proposed to compute loss differentiation parameters. Aside from analysis, the new approach is substantiated by numerical results
VM-MAD: a cloud/cluster software for service-oriented academic environments
The availability of powerful computing hardware in IaaS clouds makes cloud
computing attractive also for computational workloads that were up to now
almost exclusively run on HPC clusters.
In this paper we present the VM-MAD Orchestrator software: an open source
framework for cloudbursting Linux-based HPC clusters into IaaS clouds but also
computational grids. The Orchestrator is completely modular, allowing flexible
configurations of cloudbursting policies. It can be used with any batch system
or cloud infrastructure, dynamically extending the cluster when needed. A
distinctive feature of our framework is that the policies can be tested and
tuned in a simulation mode based on historical or synthetic cluster accounting
data.
In the paper we also describe how the VM-MAD Orchestrator was used in a
production environment at the FGCZ to speed up the analysis of mass
spectrometry-based protein data by cloudbursting to the Amazon EC2. The
advantages of this hybrid system are shown with a large evaluation run using
about hundred large EC2 nodes.Comment: 16 pages, 5 figures. Accepted at the International Supercomputing
Conference ISC13, June 17--20 Leipzig, German
- …