16 research outputs found

    Defending Against Sequence Number Attacks

    IP spoofing attacks based on sequence number spoofing have become a serious threat on the Internet (CERT Advisory CA-95:01). While ubiquitous cryptographic authentication is the right answer, we propose a simple modification to TCP implementations that should be a very substantial block to the current wave of attacks.

    Herramienta para el desarrollo y evaluación de métodos de control de congestión en TCP (A tool for the development and evaluation of congestion-control methods in TCP)

    Since it was defined, TCP has been adapted to a considerable number of changes in its operating environment: defined at a time when the underlying network consisted of homogeneous links and few connected hosts, it has seen the Internet grow exponentially, and communication technologies increase their capacity and diversify their characteristics no less significantly. Despite these changes, TCP has been successfully adapted to meet its objectives of making efficient use of the network and offering an adequate service to users. This adaptation has been the result of considerable research activity, consisting mainly in the development of congestion-control mechanisms. This work, motivated by the fact that TCP will still have to adapt to considerable changes in its environment, consists of the development of the basic functionality of TCP in a portable language, Java, independently of any operating system. This development will be used as a tool for developing and evaluating new congestion-control heuristics for TCP. New code can be included with little effort in the developed TCP, and tests (exchange of information between two hosts across the Internet) will be made easier by the portability of the chosen platform.
    I Workshop de Arquitecturas, Redes y Sistemas Operativos (WARSO), Red de Universidades con Carreras en Informática (RedUNCI)

    A Look Back at "Security Problems in the TCP/IP Protocol Suite"

    About fifteen years ago, I wrote a paper on security problems in the TCP/IP protocol suite. In particular, I focused on protocol-level issues, rather than implementation flaws. It is instructive to look back at that paper, to see where my focus and my predictions were accurate, where I was wrong, and where dangers have yet to happen. This is a reprint of the original paper, with added commentary.

    JTCP: una implementación de TCP orientada a la evaluación de técnicas de control de congestión (JTCP: a TCP implementation oriented to the evaluation of congestion-control techniques)

    TCP is a widely used protocol on the Internet; a large part of Internet traffic comes from applications that use it. This indicates the importance of the rate at which TCP injects its data into the network. The sending rate must adapt to the needs of the application without saturating the network; sending data at rates that do not adapt to network conditions could cause it to collapse. Since it was defined, TCP has been successfully adapted to meet its objectives of making efficient use of the network and offering a suitable service to users. This adaptation has been the result of considerable research activity, consisting mainly in the development of congestion-control mechanisms. This work presents the development of JTCP, a protocol with the basic functionality of TCP that is portable and easily modifiable. JTCP is implemented entirely in Java and is independent of the operating system that supports it. The design of JTCP makes it easy to interchange the congestion-control techniques used by the protocol, and its portability facilitates testing those techniques between any pair of hosts connected to the Internet. The objective of this work is to make possible the evaluation of alternative TCP congestion-control schemes in different operating environments, such as high-bandwidth links (optical fibre) or links with a high error rate (wireless links).
    Workshop de Arquitecturas, Redes y Sistemas Operativos (WARSO), Red de Universidades con Carreras en Informática (RedUNCI)

    State-Based Techniques For Designing, Verifying And Debugging Message Passing Systems

    Message passing systems support applications built from concurrent events, where independent or semi-independent events occur simultaneously in a nondeterministic fashion. The independence, random interactions and concurrency of such events make the code development of these applications complicated and error-prone. Conventional code development environments (IDEs), such as Microsoft Visual Studio, provide little programming support in this regard. Furthermore, ensuring the correctness of a message passing system is a challenge. Typically, it is important to guarantee that a system meets its desired specifications throughout its construction process. Model checking is one of the techniques used in software verification and has proven effective in discovering hidden design and implementation errors. The advanced knowledge of formal methods and temporal languages it requires is one of the impediments to the adoption of model checking by software developers. To integrate model checking environments and conventional IDEs, this dissertation proposes a multi-phase development framework that facilitates designing, verifying, implementing and debugging state-based message passing systems. The techniques and design principles of the proposed framework focus on improving and easing the software development experience. In the first phase, a two-level design methodology is proposed, using abstract high-level communication blocks and hierarchical state-behavioral descriptions developed in this research. In the second phase, a new method based on choosing from a predetermined set of patterns of concurrent communication properties is proposed to facilitate collecting the essential specifications of the system, where the atomic propositions are linked with the system design. A complex property can be obtained by hierarchically nesting some of these patterns. A procedure to automatically generate formal models in a model checker (MC) language is proposed.
    Once the model that contains both the design and the properties of the system is generated, a model checker is used to verify the correctness of the proposed system and ensure its compliance with the specifications. To help locate the source of a violated specification, if any, a procedure to map a counterexample generated by the MC back to the original design is presented. In the third phase, skeleton code for the design specification is generated in a general programming language such as Microsoft C#, Java, etc. Moreover, the ability to debug the generated code using a conventional IDE while tracing the debugging process back to the original design was established. Finally, a graphical software tool that supports the proposed framework is developed, with SPIN MC used as the verifier. The tool was used to develop and verify several case studies. The proposed framework and the developed software tool can be considered a key solution for message passing systems design and verification.

    Computer based simulation of optical wireless communications for the development of optimized error protection and correction schemes

    Commercial application of optical wireless communications is currently limited to the area of short-range, near-ground connections, such as networks between buildings over a few kilometers. For other areas of application, such as data downlinks from flying platforms, demonstrations have been done, but commercial systems for long-range communications over many kilometers are not yet available for general usage. The biggest challenge for reliable optical communications is to mitigate the fading of the received optical signal. A possible solution is to implement error protection and correction mechanisms to secure the transmitted data. In this dissertation a simplified channel model is developed which can be used for computer-based simulation. This simplified channel model is then used for the evaluation of error protection and correction mechanisms applied to the optical wireless channel. Finally, commonly proposed communication scenarios are evaluated, on the basis of the developed channel model, to determine whether optical wireless communication is possible in them. The results show that the combination of forward error correction and selective-repeat automatic repeat request protocols can be used to realize reliable optical communication links in all proposed scenarios, even the most challenging ones. The back-channel traffic of automatic repeat request protocols leads to a significant reduction of the transmittable user data rate in worst-case scenarios and has to be taken into account in the system design. The developed simulation approach can be used to optimize protocols for the optical wireless channel in order to reduce the load on the back channel and the overall required memory.

    Enhancing Networks via Virtualized Network Functions

    University of Minnesota Ph.D. dissertation. May 2019. Major: Computer Science. Advisor: Zhi-Li Zhang. 1 computer file (PDF); xii, 116 pages.
    In an era of ubiquitous connectivity, various new applications, network protocols, and online services (e.g., cloud services, distributed machine learning, cryptocurrency) have been constantly created, underpinning many of our daily activities. Emerging demands on networks have led to growing traffic volume and complexity in modern networks, which rely heavily on a wide spectrum of specialized network functions (e.g., firewalls, load balancers) for performance, security, etc. Although (virtual) network functions (VNFs) are widely deployed in networks, they are instantiated in an uncoordinated manner, failing to meet the growing demands of evolving networks. In this dissertation, we argue that networks equipped with VNFs can be designed in a fashion similar to how computer software is programmed today. By following the blueprint of joint design over VNFs, networks can be made more effective and efficient. We begin by presenting Durga, a system fusing wide area network (WAN) virtualization on the gateway with local area network (LAN) virtualization technology. It seamlessly aggregates multiple WAN links into a (virtual) big pipe for better utilization of WAN links and also provides fast fail-over, thus minimizing application performance degradation under WAN link failures. Without the support of LAN virtualization technology, existing solutions fail to provide the high reliability and performance required by today’s enterprise applications. We then study a newly standardized protocol, Multipath TCP (MPTCP), adopted in Durga, showing the challenge of associating MPTCP subflows in the network for the purpose of boosting throughput and enhancing security. Instead of designing a customized solution in every VNF to conquer this common challenge (making VNFs aware of MPTCP), we implement an online service named SAMPO that can be readily integrated into VNFs.
    Following the same principle, we make an attempt to offer consensus as a service in software-defined networks. We illustrate new network failure scenarios that are not explicitly handled by existing consensus algorithms such as Raft, thereby severely affecting their correct or efficient operation. Finally, we reconsider VNFs deployed in a network from the perspective of network administrators. A global view of deployed VNFs brings new opportunities for performance optimization over the network, and thus we explore parallelism in service function chains composed of a sequence of VNFs that are typically traversed in order by data flows.

    Bandwidth management and monitoring for IP network traffic : an investigation

    Bandwidth management is a topic which is often discussed, but on which relatively little work has been done with regard to compiling a comprehensive set of techniques and methods for managing traffic on a network. What work has been done has concentrated on higher-end networks, rather than the low-bandwidth links which are commonly available in South Africa and other areas outside the United States. With more organisations increasingly making use of the Internet on a daily basis, the demand for bandwidth is outstripping the ability of providers to upgrade their infrastructure. This resource is therefore in need of management. In addition, for Internet access to become economically viable for widespread use by schools, NGOs and other academic institutions, the associated costs need to be controlled. Bandwidth management not only impacts on direct cost control, but encompasses the process of engineering a network and network resources in order to ensure the provision of as optimal a service as possible. Included in this is the provision of user education. Software has been developed for the implementation of traffic quotas, dynamic firewalling and visualisation. The research investigates various methods for monitoring and management of IP traffic with particular applicability to low-bandwidth links. Several forms of visualisation for the analysis of historical and near-real-time traffic data are also discussed, including the use of three-dimensional landscapes. A number of bandwidth management practices are proposed, and the advantages of their combination and complementary use are highlighted. By implementing these suggested policies, a holistic approach can be taken to the issue of bandwidth management on Internet links.