112 research outputs found

    Access-independent service discovery for heterogeneous networks (Descoberta de serviços independentes do acesso para redes heterogéneas)

    Master's in Computer and Telematics Engineering. The recent proliferation of mobile nodes with multiple wireless interfaces, in addition to the creation of heterogeneous environments, created complex scenarios where network operators need to provide connectivity for different kinds of access networks. Therefore, the IEEE 802.21 standard has been specified to facilitate and optimize handover procedures between different access technologies in a seamless way. To fulfil its purpose, it provides Media Independent Handover services which allow the control and gathering of information from different links. The static configuration of these services by the MN becomes inefficient due to the amount of possible scenarios. Thus, the MN must discover the network-supporting nodes and their capabilities in a dynamic way. In this work, a series of proposed Media Independent Handover discovery procedures are analyzed, implemented and evaluated in terms of duration and amount of exchanged information. In addition, a novel discovery procedure for local entities is proposed and evaluated, showing that its deployment increases the performance and requires less information exchanged.

    Saving Brian's Privacy: the Perils of Privacy Exposure through Reverse DNS

    Given the importance of privacy, many Internet protocols are nowadays designed with privacy in mind (e.g., using TLS for confidentiality). Foreseeing all privacy issues at the time of protocol design is, however, challenging and may become near impossible when interaction out of protocol bounds occurs. One demonstrably not well understood interaction occurs when DHCP exchanges are accompanied by automated changes to the global DNS (e.g., to dynamically add hostnames for allocated IP addresses). As we will substantiate, this is a privacy risk: one may be able to infer device presence and network dynamics from virtually anywhere on the Internet -- and even identify and track individuals -- even if other mechanisms to limit tracking by outsiders (e.g., blocking pings) are in place. We present a first-of-its-kind study into this risk. We identify networks that expose client identifiers in reverse DNS records and study the relation between the presence of clients and said records. Our results show a strong link: in 9 out of 10 cases, records linger for at most an hour, for a selection of academic, enterprise and ISP networks alike. We also demonstrate how client patterns and network dynamics can be learned, by tracking devices owned by persons named Brian over time, revealing shifts in work patterns caused by COVID-19 related work-from-home measures, and by determining a good time to stage a heist.

    Connecting an IPv6 home network to the Internet name service (IPv6-kotiverkon liittäminen Internetin nimipalveluun)

    Current home networks are very simple, containing only a few devices. As the number of devices connected to the home network increases, there is no reasonable way for a user to access devices using only IP addresses. Due to the exponential growth of devices connected to the Internet, the addresses of the current IP version are, however, soon to be depleted. A new IP version has already been implemented in the Internet, containing a very large amount of addresses compared to the current IP version. Addresses in the new IP address version are also much longer and more complicated. Therefore it is not reasonable to try to use IP addresses alone to access devices anymore. These facts make it necessary to implement a name service in the home network. The name service is quite similar to that used in the Internet, although the home network version should be much more automatic and user friendly. This means that users do not have to type IP addresses anymore to be able to access services, but they can use meaningful names like in the Internet. The first objective of the thesis is to examine methods to implement as automated a name service as possible in the home network. The second objective is to examine connecting the home network name service to the Internet name service. Accomplishing this allows users to access services at home from the Internet. This has to be done in a secure manner to protect the integrity and authenticity of the user information. A live experiment of the thesis concentrates on the second objective of the thesis by establishing the connection and transferring the name service information between the home network and the Internet name service. The study and the live experiments indicate that there is still work to be done before the two objectives can be fully accomplished. At the moment there is no convenient way to automatically name devices at home. Connecting to the Internet name service also involves quite a lot of effort, thus requiring more than basic computing skills from the user.

    Use of cryptographic identifiers for securing IPv6 (Utilisation d'identifiants cryptographiques pour la sécurisation IPv6)

    IPv6, the next Internet protocol after IPv4, is under deployment in the Internet. It is strongly based on the Neighbor Discovery Protocol (NDP) mechanism. First, it allows two IPv6 nodes to communicate, like the Address Resolution Protocol (ARP) mechanism in IPv4, but it brings new functions too, such as IPv6 address autoconfiguration. So, the security of this mechanism is critical for an Internet based on IPv6. The security mechanism standardized by the Internet Engineering Task Force (IETF) is Secure Neighbor Discovery (SEND). It is based on the use of cryptographical identifiers, IPv6 addresses named Cryptographically Generated Addresses (CGA) and generated from a public/private key pair, and X.509 certificates. The goal of this PhD thesis is the study of such cryptographical identifiers, CGA addresses, as well as SEND using them, and their potential re-use to secure IPv6. In a first part of this thesis, we recall the main features of the IPv6 protocol. In a second part of this thesis, we are interested in the reliability of the main known mechanism using the CGA addresses, SEND. In a third and last part of this thesis, we present different uses of cryptographical identifiers to secure IPv6.
    EVRY-INT (912282302) / Sudoc, France

    DHCPv6 Redundancy Deployment Considerations


    Dynamic auto configuration and self-management of next generation personal area networks

    Internship carried out at INESC-Porto and supervised by Eng. Rui Lopes Campos. Integrated master's thesis. Electrical and Computer Engineering. Faculdade de Engenharia. Universidade do Porto. 200

    DNS in Computer Forensics

    The Domain Name Service (DNS) is a critical core component of the global Internet and integral to the majority of corporate intranets. It provides resolution services between the human-readable name-based system addresses and the machine-operable Internet Protocol (IP) based addresses required for creating network-level connections. Whilst structured as a globally dispersed resilient tree data structure, from the Global and Country Code Top Level Domains (gTLD/ccTLD) down to the individual site and system leaf nodes, it is highly resilient although vulnerable to various attacks, exploits and systematic failures.

    Renumbering Still Needs Work


    Virtual Desktop Sizing

    This paper is intended to describe a process of choosing and building a demo of a virtualization solution for a group of people on the campus of EPFL located in the city of Sion, Valais Wallis. The aim of the paper is to compare different desktop virtualization solutions and choose the best one within the given customer’s requirements and infrastructure. The second goal of the paper is to provide a demo implementation of the selected virtualization solution with guidelines describing how it was created and notes on specific customizations required within the given internal computer structure of the campus.