
    NATCracker: NAT Combinations Matter

    In this paper, we report our experience in working with Network Address Translators (NATs). Traditionally, there were only 4 types of NATs. For each type, the (im)possibility of traversal is well-known. Recently, the NAT community has provided a deeper dissection of NAT behaviors, resulting in at least 27 types, and documented the (im)possibility of traversal for some types. There are, however, two fundamental issues that were not previously tackled by the community. First, given the more elaborate set of behaviors, it is incorrect to reason about traversing a single NAT; instead, combinations must be considered, and we have not found any study that comprehensively states, for every possible combination, whether direct connectivity with no relay is feasible. Such a statement is the first outcome of the paper. Second, there is a serious need for some kind of formalism to reason about NATs, which is the second outcome of this paper. The results were obtained using our own scheme, which is an augmentation of currently-known traversal methods. The scheme is validated by reasoning using our formalism, simulation, and implementation in a real P2P network.

    Extended UDP Multiple Hole Punching Method to Traverse Large Scale NATs

    A Network Address Translator (NAT) is a popular technological tool used in networks, especially in small-sized networks. Recently, network operators have been considering deploying Large Scale NATs (LSNs) to cope with IPv4 address pool exhaustion. This will make it necessary to deal with several problems related to LSNs, such as multiple levels of NATs (cascaded NATs) and the shortage of port numbers used by NATs. To address these issues, this paper extends the concept of UDP Multiple Hole Punching previously proposed by us. The use of our proposed method enables accurate Port Prediction and reduces the number of open ports. The new method can determine the low TTL values for IP packets. We also discuss the application of i-Path routers, which provide status information about NATs along a network path for end hosts. The use of these routers makes it easier to perform NAT traversal.

    Traversing NAT: A Problem

    This quasi-experimental before-and-after study measured and analyzed the impacts of adding security to a new bi-directional Network Address Translation (NAT). The literature revolves around various types of NAT, their advantages and disadvantages, their security models, and the adoption of networking technologies. The study of the newly created secure bi-directional model of NAT showed statistically significant changes in the variables compared with another model using port forwarding. Future research into how data will traverse networks is crucial in an ever-changing world of technology.

    Network Address Translation (NAT) Behavioral Requirements for Unicast UDP


    An Architecture for Global Distributed SIP Network Using IPv4 Anycast

    This master's thesis deals with methods for selecting the nearest RTP proxy to VoIP clients using IP anycast. RTP proxy servers are located in the Internet and forward RTP data for VoIP clients behind network address translators (NATs). Without geographically distributed RTP proxy servers and methods for finding the nearest RTP proxy server, there would be an unnecessary drop in the quality of media transmission and a large delay. This document proposes 4 methods and compares them, with more detailed analyses of the methods that use DNS resolution and the SIP protocol directly. This document also contains measurements of IP anycast behaviour, comparing routing metrics with timing metrics. At the end of the document, an implementation on the SIP Express Router platform is also presented.

    This thesis is about using IP anycast-based methods for locating RTP proxy servers close to VoIP clients. The RTP proxy servers are hosts on the public Internet that relay RTP media between VoIP clients in a way that accomplishes traversal over Network Address Translators (NATs). Without geographically-dispersed RTP proxy servers and methods to find one in a client's proximity, voice latency may be unbearably long and dramatically reduce perceived voice quality. This document proposes four methods and their comparison, with further design of DNS-based and SIP-based methods. It includes IP anycast measurements that provide an overview of IP anycast behaviour in terms of routing metrics and latency metrics. It also includes an implementation on the SIP Express Router platform.

    Evaluating the Effectiveness of IP Hopping via an Address Routing Gateway

    This thesis explores the viability of using Internet Protocol (IP) address hopping in front of a network as a defensive measure. This research presents a custom gateway-based IP hopping solution called Address Routing Gateway (ARG) that acts as a transparent IP address hopping gateway. This thesis tests the overall stability of ARG, the accuracy of its classifications, the maximum throughput it can support, and the maximum rate at which it can change IPs and still communicate reliably. This research is accomplished on a physical test network with nodes representing the types of hosts found on a typical, corporate-style network. Direct measurement is used to obtain all results for each factor level. Tests demonstrate ARG classifies traffic correctly, with no false negatives and less than a 0.15% false positive rate on average. The test environment conservatively shows this to be true as long as the IP address change interval exceeds two times the network's round-trip latency; real-world deployments may allow for more frequent hopping. Results show ARG capably handles traffic of at least four megabits per second with no impact on packet loss. Fuzz testing validates the stability of ARG itself, although additional packet loss of around 23% appears when under attack.

    Models, Algorithms, and Architectures for Scalable Packet Classification

    The growth and diversification of the Internet imposes increasing demands on the performance and functionality of network infrastructure. Routers, the devices responsible for the switching and directing of traffic in the Internet, are being called upon to not only handle increased volumes of traffic at higher speeds, but also impose tighter security policies and provide support for a richer set of network services. This dissertation addresses the searching tasks performed by Internet routers in order to forward packets and apply network services to packets belonging to defined traffic flows. As these searching tasks must be performed for each packet traversing the router, the speed and scalability of the solutions to the route lookup and packet classification problems largely determine the realizable performance of the router, and hence the Internet as a whole. Despite the energetic attention of the academic and corporate research communities, there remains a need for search engines that scale to support faster communication links, larger route tables and filter sets, and increasingly complex filters. The major contributions of this work include the design and analysis of a scalable hardware implementation of a Longest Prefix Matching (LPM) search engine for route lookup, a survey and taxonomy of packet classification techniques, a thorough analysis of packet classification filter sets, the design and analysis of a suite of performance evaluation tools for packet classification algorithms and devices, and a new packet classification algorithm that scales to support high-speed links and large filter sets classifying on additional packet fields.

    Contributions towards softwarization and energy saving in passive optical networks

    This thesis is the result of contributions to optimize and improve the network management system and power consumption in Passive Optical Networks (PON). Passive Optical Network elements such as the Optical Line Terminal (OLT) and Optical Network Units (ONUs) are currently managed by inflexible legacy network management systems. Software-Defined Networking (SDN) is a new networking paradigm that improves the operation and management of networks by decoupling the control plane from the data plane. Currently, network management in PON networks is not always automated nor normalized. One goal of researchers in optical networking is to improve the programmability, efficiency, and global optimization of network operations, in order to minimize both Capital Expenditure (CAPEX) and Operational Expenditure (OPEX) by reducing the complexity of devices and their operation. Therefore, it makes sense to use an SDN approach to manage the passive optical network functionalities and migrate most of the upper-layer functions to the SDN controller. Many approaches have already addressed the topic of applying the SDN architecture in PON networks. However, the focus was usually on facilitating the deployment of SDN-based services, and so Service Interoperability remains unexplored in detail. The main challenge toward this goal is how to make the synchronous nature of the EPON media access control protocols compatible with the asynchronous architecture of SDN, and in particular OpenFlow. In our proposed architecture, the OLT is partially virtualized and some of its functionalities are allocated to the core network management system, while the OLT itself is replaced by an OpenFlow switch. A new MultiPoint MAC Control (MPMC) sublayer extension based on the OpenFlow protocol is presented. The OpenFlow switch is extended with synchronous ports to retain the time-critical nature of the EPON network. Our simulation-based results demonstrate the effectiveness of the new architecture, while retaining similar (or improved) performance in terms of delay and throughput when compared to legacy PONs. Nowadays, many researchers are working simultaneously to develop power saving techniques and improve energy efficiency in PON networks, and since the contribution of access networks to global energy consumption is large, energy efficiency has become an increasingly important requirement in designing access networks. Therefore, energy-saving approaches are being investigated to provide high performance and consume less energy. Several techniques have been proposed to increase energy efficiency in PON networks. Such techniques are related to centralized DBA, but the advantage of power saving in a distributed DBA remains untouched. We present a distributed energy-efficient Dynamic Bandwidth Allocation (DBA) algorithm for both the upstream and downstream channels of EPON to improve energy efficiency in EPON networks. The proposed algorithm analyzes the queue status of the ONUs and OLT in order to power off the transmitter and/or receiver of an ONU whenever there is no upstream or downstream traffic. We have been able to combine the advantage of a distributed DBA such as DDSPON (a smaller packet delay, due to the shorter time needed by DDSPON to allocate the transmission slots) and the energy-saving features (that come at the price of longer packet delays, because switching off the transmitters makes the packet queues grow). Our proposed DBA algorithm minimizes the ONU energy consumption across a wide range of network loads, while maintaining at an acceptable level the penalty introduced in terms of channel utilization and packet delay.

    The contributions of this thesis focus on improving the network management system and energy consumption in passive optical access networks (PON). PON elements such as the optical line terminal (OLT) and optical network units (ONUs) are currently managed with inflexible systems. The new software-defined networking (SDN) paradigm improves network management by decoupling the control plane from the data plane. Currently, PON network management is neither automated nor normalized. One of the goals of researchers in optical networks is to improve the programmability, efficiency, and global optimization of network operations, in order to minimize both capital expenditure (CAPEX) and operational expenditure (OPEX) by reducing the complexity of devices and their operation. Therefore, it makes sense to use an SDN approach to manage the passive optical network functions and migrate some of the upper-layer PON functions to the SDN controller. Other researchers have studied this approach; however, the focus was generally on facilitating the deployment of SDN-based services, and therefore service interoperability remained unexplored in detail. The main challenge toward this goal is how to reconcile the synchronous nature of the EPON media access control protocols with the asynchronous architecture of SDN and, in particular, OpenFlow. In our proposed architecture, the OLT is partially virtualized and some of its functions are assigned to the centralized network management system, while the OLT is replaced by an OpenFlow switch. We propose a new MultiPoint MAC Control (MPMC) sublayer extension based on the OpenFlow protocol. The OpenFlow switch is extended with synchronous ports to preserve the real-time nature of the EPON network. Our simulation-based results demonstrate the effectiveness of the new architecture, while maintaining similar (or improved) performance in terms of delay and throughput compared with classic PONs. On the other hand, energy-saving techniques and energy-efficiency improvements are being developed for PON networks, and since the contribution of access networks to total energy consumption is significant, energy efficiency has become an increasingly important requirement. Several techniques have been proposed by other authors to increase energy efficiency in PON networks, related to centralized DBA (Dynamic Bandwidth Allocation) algorithms, but the energy-saving advantage of a distributed DBA has not yet been explored. Our second contribution is therefore a distributed, energy-efficient dynamic bandwidth allocation algorithm for both the upstream and downstream channels of EPON, to improve energy efficiency in EPON networks. The proposed algorithm analyzes the queue status of the ONUs and the OLT in order to switch off the transmitter and/or receiver of an ONU when there is no upstream or downstream traffic. We have been able to combine the advantage of a distributed DBA such as DDSPON (which ensures smaller delays, due to the shorter time DDSPON needs to allocate transmission slots) with the energy-saving features (at the price of larger packet delays, because switching off the transmitters makes the packet queues grow). Our proposed DBA algorithm minimizes ONU energy consumption over a wide range of network loads, while keeping the penalty introduced in terms of channel utilization and packet delay at an acceptable level.