27 research outputs found

    Traffic-Flow Analysis for Fast Performance Estimation of Communication Systems

    The traffic-flow analysis (TFA) is a promising method for the performance estimation of communication systems. TFA produces approximate results with much less computation (that is, much faster) than discrete-event simulation of the system. In the first step, TFA distributes the traffic in units of properly chosen size using the actual routing algorithm of the network. In the second step, TFA adjusts the time distribution of the traffic according to the finite capacities of the network. It was found that the results of TFA approximate the results of the analytical method well

    Improving the performance and security of the TOTD DNS64 implementation

    DNS64 and NAT64 IPv6 transition mechanisms are expected to play an important role in the near future to solve the problem that some of the new clients will not be able to get public IPv4 addresses and thus having only IPv6 addresses they still should be able to reach servers that have only IPv4 addresses. In our earlier experiments, the TOTD DNS64 implementation showed significantly better average performance than BIND, however TOTD was not stable, therefore now it was carefully tested to find the reason for its experienced strange behavior. Besides the detailed description of the testing method, the bug and the correction, a security vulnerability is disclosed and a patch is provided. The performance and the stability of the modified versions of TOTD are analyzed and compared to that of the original TOTD and BIND.

    Optimizing the Performance of the Iptables Stateful NAT44 Solution

    The stateful NAT44 performance of iptables is an important issue when it is used as a stateful NAT44 gateway of a CGN (Carrier-Grade NAT) system. The performance measurements of iptables published in research papers do not comply with the requirements of RFC 2544 and RFC 4814 and the usability of their results has serious limitations. Our Internet Draft has proposed a benchmarking methodology for stateful NATxy (x, y are in {4, 6}) gateways and made it possible to perform the classic RFC 2544 measurement procedures like throughput, latency, frame loss rate, etc. with stateful NATxy gateways using RFC 4814 pseudorandom port numbers. It has also defined new performance metrics specific to stateful testing to quantify the connection setup and connection tear down performance of stateful NATxy gateways. In our current paper, we examine how the performance of iptables depends on various settings, and also if certain tradeoffs exist. We measure the maximum connection establishment rate, throughput and tear down rate of iptables as well as its memory consumption as a function of hash table size always using 40 million connections. We disclose all measurement details and results. We recommend new settings that enable network operators to achieve significantly higher performance than using the traditional ones

    Methodology for DNS Cache Poisoning Vulnerability Analysis of DNS64 Implementations

    The trustworthy operation of the DNS service is a very important precondition for a secure Internet. As we point out, DNS cache poisoning could be even more dangerous if it is performed against DNS64 servers. Based on RFC 5452, we give an introduction to the three main components of DNS cache poisoning vulnerability, namely Transaction ID prediction, source port number prediction, and birthday paradox based attack, which is possible if a DNS or DNS64 server sends out multiple equivalent queries (with identical QNAME, QTYPE, and QCLASS fields) concurrently. We design and implement a methodology and a testbed, which can be used for the systematic testing of DNS or DNS64 implementations, whether they are susceptible to these three vulnerabilities. We perform the tests with the following DNS64 implementations: BIND, PowerDNS, Unbound, TOTD (two versions) and mtd64-ng. As for the testbed, we use three virtual Linux machines executed by a Windows 7 host. As for tools, we use VMware Workstation 12 Player for virtualization, Wireshark and tshark for monitoring, dns64perf for Transaction ID and source port predictability tests, and our currently developed "birthday-test" program for concurrently sent multiple equivalent queries testing. Our methodology can be used for DNS cache poisoning vulnerability analysis of further DNS or DNS64 implementations. A testbed with the same structure may be used for security vulnerability analysis of DNS or DNS64 servers and also NAT64 gateways concerning further threats

    Towards Implementing a Software Tester for Benchmarking MAP-T Devices

    Several IPv6 transition technologies have been designed and developed over the past few years to accelerate the full adoption of the IPv6 address pool. To make things more organized, the Benchmarking Working Group of IETF has standardized a comprehensive benchmarking methodology for these technologies in its RFC 8219. The Mapping of Address and Port using Translation (MAP-T) is one of the most important transition technologies that belong to the double translation category in RFC 8219. This paper aims at presenting our progress towards implementing the world’s first RFC 8219 compliant Tester for the MAP-T devices, more specifically, the MAP-T Customer Edge (CE) and the MAP-T Border Relay (BR). As part of the work of this paper, we presented a typical design for the Tester, followed by a discussion about the operational requirements, the scope of measurements, and some design considerations. Then, we installed a testbed for one of the MAP-T implementations, called Jool, and showed the results of the testbed. And finally, we ended up with a brief description of the MAP-T test program and its configuration parameters in case of testing the BR device

    Effect of Path QoS on Throughput Aggregation Capability of the MPT Network Layer Multipath Communication Library

    An increase in the use of smart and portable devices like smartphones, laptops, and tablets has led to a rise in the number of network interfaces and thus the number of possible channels for communication. However, the current approach over the Internet only employs a single path for a communication session. As an innovative and promising method for real-time transmission based on GRE-in-UDP encapsulation, which provides an IPv4 or IPv6 tunneling mechanism, this paper presents multipath throughput testing for the MPT network layer multipath communication library. We investigated the effectiveness of MPT's channel capacity aggregation while dealing with wired channels and examined scenarios in symmetric and asymmetric paths. Our network throughput measurements showed that MPT can efficiently aggregate the capacities of both symmetric and asymmetric paths. In this paper, we established a network topology that included a server, which we used for generating various quality of service (QoS) metrics. We measured how latency, transmission speed, packet loss rate, jitter, and the setting of the path weights influence throughput aggregation capability of the MPT communication library

    Performance Analysis of MTD64, our Tiny Multi-Threaded DNS64 Server Implementation: Proof of Concept

    In the current stage of IPv6 deployment, the combination of DNS64 and NAT64 is an important IPv6 transition technology, which can be used to enable IPv6 only clients to communicate with IPv4 only servers. In addition to the existing free software DNS64 implementations, we proposed a tiny multithreaded one, MTD64. In this paper, the performance of MTD64 is measured and compared to that of the industry standard BIND in order to check the correctness of the design concepts of MTD64, especially of the one that we use a new thread for each request. For the performance measurements, our earlier proposed dns64perf program is enhanced as dns64perf2, which is also documented in this paper. We found that MTD64 seriously outperformed BIND and hence our design principles may be useful for the design of a high performance production class DNS64 server. As an additional test, we have also examined the effect of dynamic CPU frequency scaling on the performance of the implementations