Design of a Scalable Path Service for the Internet

Despite the world-changing success of the Internet, shortcomings in its routing and forwarding system have become increasingly apparent. One symptom is an escalating tension between users and providers over the control of routing and forwarding of packets: providers understandably want to control use of their infrastructure, and users understandably want paths with sufficient quality-of-service (QoS) to improve the performance of their applications. As a result, users resort to various “hacks” such as sending traffic through intermediate end-systems, and the providers fight back with mechanisms to inspect and block such traffic. To enable users and providers to jointly control routing and forwarding policies, recent research has considered various architectural approaches in which provider- level route determination occurs separately from forwarding. With this separation, provider-level path computation and selection can be provided as a centralized service: users (or their applications) send path queries to a path service to obtain provider- level paths that meet their application-specific QoS requirements. At the same time, providers can control the use of their infrastructure by dictating how packets are forwarded across their network. The separation of routing and forwarding offers many advantages, but also brings a number of challenges such as scalability. In particular, the path service must respond to path queries in a timely manner and periodically collect topology information containing load-dependent (i.e., performance) routing information. We present a new design for a path service that makes use of expensive pre- computations, parallel on-demand computations on performance information, and caching of recently computed paths to achieve scalability. We demonstrate that, us- ing commodity hardware with a modest amount of resources, the path service can respond to path queries with acceptable latency under a realistic workload. The ser- vice can scale to arbitrarily large topologies through parallelism. Finally, we describe how to utilize the path service in the current Internet with existing Internet applica- tions

A Clean-Slate Design for the Next-Generation Secure Internet

This is the report on a workshop held at CMU on July 12-14, 2005. The workshop is part of the planning process initiated by NSF to explore potential architectures for a next generation secure network designed to meet the needs of the 21st century. In considering future architectures, we ignore issues of backward compatibility with the current Internet but seek to benefit from the experience gained by analyzing both the strengths and weaknesses of the current design. Specifically, this workshop looks at the fundamental interplay between security and underlying network architecture and seeks to chart a preliminary course for future work in this crucial research area. This workshop focused on initiating a productive dialog between experts from the network security and network architecture communities. The agenda was arranged to stimulate initial consideration of the security goals for a new Internet, the design space of possible solutions, how research in security and network architecture could be integrated so that security is included as a first-tier objective in future architectures, and to explore methods for identifying and considering the social consequences of these architecture and security design choices

Service Composition for IP Smart Object using Realtime Web Protocols: Concept and Research Challenges

The Internet of Things (IoT) refers to a world-wide network of interconnected physical things using standardized communication protocols. Recent development of Internet Protocol (IP) stacks for resource-constrained devices unveils a possibility for the future IoT based on the stable and scalable IP technology much like today's Internet of computers. One important question remains: how can data and events (denoted as services) introduced by a variety of IP networked things be exchanged and aggregated e ciently in various application domains. Because the true value of IoT lies in the interaction of several services from physical things, answers to this question are essential to support a rapid creation of new IoT smart and ubiquitous applications. The problem is known as service composition. This article explains the practicability of the future full-IP IoT with realtime Web protocols to formally state the problem of service composition for IP smart objects, provides literature review, and discusses its research challenges

Light Weight Cryptographic Address Generation Using System State Entropy Gathering for IPv6 Based MANETs

In IPv6 based MANETs, the neighbor discovery enables nodes to self-configure and communicate with neighbor nodes through autoconfiguration. The Stateless address autoconfiguration (SLAAC) has proven to face several security issues. Even though the Secure Neighbor Discovery (SeND) uses Cryptographically Generated Addresses (CGA) to address these issues, it creates other concerns such as need for CA to authenticate hosts, exposure to CPU exhaustion attacks and high computational intensity. These issues are major concern for MANETs as it possesses limited bandwidth and processing power. The paper proposes empirically strong Light Weight Cryptographic Address Generation (LW-CGA) using entropy gathered from system states. Even the system users cannot monitor these system states; hence LW-CGA provides high security with minimal computational complexity and proves to be more suitable for MANETs. The LW-CGA and SeND are implemented and tested to study the performances. The evaluation shows that LW-CGA with good runtime throughput takes minimal address generation latency.Comment: 13 Page

A review of IPv6 multihoming solutions

Abstract -Multihoming is simply defined as having connection to the Internet through more than one Internet service provider. Multihoming is a desired functionality with a growing demand because it provides fault tolerance and guarantees a continuous service for users. In the current Internet, which employs IPv4 as the network layer protocol, this functionality is achieved by announcing multihomed node prefixes through its all providers. But this solution, which employs Border Gateway Protocol, is not able to scale properly and adapt to the rapid growth of the Internet. IPv6 offers a larger address space compared to IPv4. Considering rapid growth of the Internet and demand for multihoming, the scalability issues of the current solution will turn into a disaster in the future Internet with IPv6 as the network layer protocol. A wide range of solutions have been proposed for multihoming in IPv6. In this paper, we briefly review active solutions in this area and perform an analysis, from deployability viewpoint, on them

Address spreading in future Internet supporting both the unlinkability of communication relations and the filtering of non legitimate traffic

The rotation of identifiers is a common security mechanism to protect telecommunication; one example is the frequency hopping in wireless communication, used against interception, radio jamming and interferences. In this thesis, we extend this rotation concept to the Internet. We use the large IPv6 address space to build pseudo-random sequences of IPv6 addresses, known only by senders and receivers. The sequences are used to periodically generate new identifiers, each of them being ephemeral. It provides a new solution to identify a flow of data, packets not following the sequence of addresses will be rejected. We called this technique “address spreading”. Since the attackers cannot guess the next addresses, it is no longer possible to inject packets. The real IPv6 addresses are obfuscated, protecting against targeted attacks and against identification of the computer sending a flow of data. We have not modified the routing part of IPv6 addresses, so the spreading can be easily deployed on the Internet. The “address spreading” needs a synchronization between devices, and it has to take care of latency in the network. Otherwise, the identification will reject the packets (false positive detection). We evaluate this risk with a theoretical estimation of packet loss and by running tests on the Internet. We propose a solution to provide a synchronization between devices. Since the address spreading cannot be deployed without cooperation of end networks, we propose to use ephemeral addresses. Such addresses have a lifetime limited to the communication lifetime between two devices. The ephemeral addresses are based on a cooperation between end devices, they add a tag to each flow of packets, and an intermediate device on the path of the communication, which obfuscates the real address of data flows. The tagging is based on the Flow Label field of IPv6 packets. We propose an evaluation of the current implementations on common operating systems. We fixed on the Linux Kernel behaviours not following the current standards, and bugs on the TCP stack for flow labels. We also provide new features like reading the incoming flow labels and reflecting the flow labels on a socket