4,315 research outputs found

    Traffic Modelling and Simulation Techniques for Evaluating ACL Implementation

    This paper presents a modelling and simulation framework for analysing Access Control List (ACL) implementation on Internet devices. It uses the established modelling/simulation techniques of abstraction and simplification to isolate the essential components of the system from peripheral issues. As a case study, the viability of a simple real-time optimisation technique is demonstrated.

    An argument for simple embedded ACL optimisation

    The difficulty of efficiently reordering the rules in an Access Control List is considered and the essential optimisation problem formulated. The complexity of exact and sophisticated heuristics is noted along with their unsuitability for real-time implementation embedded in the hardware of the network device. A simple alternative is proposed, in which a very limited rule reordering is considered following the processing of each packet. Simulation results are given from a range of traffic types. The method is shown to achieve savings that make its use worthwhile for lists longer than a given number of rules. This number is dependent on traffic characteristics but is generally around 25 for typical network conditions.

    A Simplified Method for Optimising Sequentially Processed Access Control Lists

    Among the various options for implementing Internet packet filters in the form of Access Control Lists (ACLs) is the intuitive – but potentially crude – method of processing the ACL rules in sequential order. Although such an approach leads to variable processing times for each packet matched against the ACL, it also offers the opportunity to reduce this time by reordering its rules in response to changing traffic characteristics. A number of heuristics exist for optimising rule order in sequentially processed ACLs and the most efficient of these can be shown to have a beneficial effect in a majority of cases and for ACLs with relatively small numbers of rules. This paper presents an enhancement to this algorithm by reducing part of its complexity. Although the simplification involved leads to an instantaneous lack of accuracy, the long-term trade-off between processing speed and performance can be seen, through experimentation, to be positive. This improvement, though small, is consistent and worthwhile and can be observed in the majority of cases.

    Extended end-to-end cost metrics for improved dynamic route calculation

    This paper considers the use of compound cost functions in routing calculations. Using an abstracted version of Cisco’s EIGRP as its basic model, it develops the theoretical principles of optimal end-to-end interior routing, then details the limitations of conventional and current implementation. The requirements of an improved system are discussed and proposals for an enhanced Ant Colony Optimisation - DUAL protocol given. A comparative example is used to illustrate the points made, and further work needed and other open questions are considered in conclusion. The paper has two purposes. In the main, it provides an analysis of current routing protocols and a model for future ones. In part, however, it is also intended to promote debate into many aspects of Internet routing and its ‘optimality’ in advance of long-term development of the new protocol.

    Cooling of cryogenic electron bilayers via the Coulomb interaction

    Heat dissipation in current-carrying cryogenic nanostructures is problematic because the phonon density of states decreases strongly as energy decreases. We show that the Coulomb interaction can prove a valuable resource for carrier cooling via coupling to a nearby, cold electron reservoir. Specifically, we consider the geometry of an electron bilayer in a silicon-based heterostructure, and analyze the power transfer. We show that across a range of temperatures, separations, and sheet densities, the electron-electron interaction dominates the phonon heat-dissipation modes as the main cooling mechanism. Coulomb cooling is most effective at low densities, when phonon cooling is least effective in silicon, making it especially relevant for experiments attempting to perform coherent manipulations of single spins. Comment: 9 pages, 5 figures

    Optimization of delays experienced by packets due to ACLs within a domain

    The infrastructure of large networks is broken down into areas that have a common security policy, called domains. Security within a domain is commonly implemented at all nodes; however, this has a negative effect on performance since it introduces a delay associated with packet filtering. Recommended techniques for network design imply that every packet should be checked at the first possible ingress points of the network. When access control lists (ACLs) are used within a router for this purpose, there can be a significant overhead associated with this process. The purpose of this paper is to consider the effect of delays when using router operating systems offering different levels of functionality. It considers factors which contribute to the delay, particularly due to ACLs. Using theoretical principles modified by practical calculation, a model is created for packet delay for all nodes across a given path in a domain.

    Prediction of Wireless Network Signal Strength within a Building

    With the increase in the provision of access to Wireless Local Area Networks and the abundance of user devices capable of utilising Wi-Fi, the design of the network infrastructure has introduced some significant problems. Prior to the installation of Access Points it is difficult to predict whether access can be guaranteed at specific locations. Additionally, to increase the level of security, it is often preferable, despite the use of security protocols, to ensure that the signal strength is not large enough to enable connection in areas other than those designated. By combining the theory of antennae and the measurement of the performance of devices, it is possible to predict whether access is likely and hence how secure the network design is. Additionally, the use of a simple application is proposed that enables the network designer to enter a configuration and produce an answer showing if Wi-Fi will operate and a value to indicate the margin.

    Improving the Performance of IP Filtering using a Hybrid Approach to ACLs

    With the use of policy-based security being implemented in Access Control Lists (ACLs) at the distribution layer and the increased speed of interfaces, the delays introduced into networks by routers are becoming significant. This paper investigates the size of the problem that is encountered in a typical network installation. Additionally, since specialized hardware is not always available, a hybrid approach to optimizing the order of rules in an ACL is put forward. This approach is based on the off-line pre-processing of lists to enable them to be reordered dynamically based on the type of traffic being processed by the router.

    Web Application for Visual Modeling of Discrete Event Systems

    This research work has resulted in the development of a web application that enables discrete event systems simulation to be created using a Petri-object approach. It provides the development of a model in two stages. In the first stage, the dynamics of the classes of objects are created using a Petri net. In the second stage, the model is composed of objects with given dynamics. The simulation algorithm is based on a stochastic Petri net with multichannel transitions and is implemented using Ruby. The web application enables the design of the model's dynamics by manipulation of graphics objects and saving it not only as a graphics object but also as a program method. This greatly improves the overall performance of the simulation model development.

    An Investigation into the Effect of Security on Performance in a VoIP Network

    Voice over Internet Protocol (VoIP) is a communications technology that transmits voice over packet switched networks such as the Internet. VoIP has been widely adopted by home and business customers. When adding security to a VoIP system, the quality of service and performance of the system are at risk. This study has two main objectives: firstly, it illustrates suitable methods to secure the signalling and voice traffic within a VoIP system; secondly, it evaluates the performance of a VoIP system after implementing different security methods. This study is carried out on a pilot system using an Asterisk-based SIP (Session Initiation Protocol) server (Asterisk, 2009). Since VoIP is intended for use over the Internet, VPNs (Virtual Private Networks) have been used in a tunnel configuration to provide the service. Additionally, the performance of network-level IPSec (Internet Protocol Security) and application-level ZRTP (Zimmermann Real-time Transport Protocol) security have been compared with no security. Registration, call setup and voice transmission packets have been captured and analysed. The results have then been extrapolated to the Internet.