19 research outputs found
Distributed Adaptive Routing in Communication Networks
In this report, we present a new adaptive multi-flow routing algorithm to select end- to-end paths in packet-switched networks. This algorithm provides provable optimality guarantees in the following game theoretic sense: The network configuration converges to a configuration arbitrarily close to a pure Nash equilibrium. In this context, a Nash equilibrium is a configuration in which no flow can improve its end-to-end delay by changing its network path. This algorithm has several robustness properties making it suitable for real-life usage: it is robust to measurement errors, outdated information and clocks desynchronization. Furthermore, it is only based on local information and only takes local decisions, making it suitable for a distributed implementation. Our SDN-based proof-of-concept is built as an Openflow controller. We set up an emulation platform based on Mininet to test the behavior of our proof-of-concept implementation in several scenarios. Although real-world conditions do not conform exactly to the theoretical model, all experiments exhibit satisfying behavior, in accordance with the theoretical predictions
Distributed Adaptive Routing in Communication Networks
In this report, we present a new adaptive multi-flow routing algorithm to select end- to-end paths in packet-switched networks. This algorithm provides provable optimality guarantees in the following game theoretic sense: The network configuration converges to a configuration arbitrarily close to a pure Nash equilibrium. In this context, a Nash equilibrium is a configuration in which no flow can improve its end-to-end delay by changing its network path. This algorithm has several robustness properties making it suitable for real-life usage: it is robust to measurement errors, outdated information and clocks desynchronization. Furthermore, it is only based on local information and only takes local decisions, making it suitable for a distributed implementation. Our SDN-based proof-of-concept is built as an Openflow controller. We set up an emulation platform based on Mininet to test the behavior of our proof-of-concept implementation in several scenarios. Although real-world conditions do not conform exactly to the theoretical model, all experiments exhibit satisfying behavior, in accordance with the theoretical predictions
Distributed and Adaptive Routing Based on Game Theory
International audienceIn this paper, we present a new adaptive multi-flow routing algorithm to select end-to-end paths in packet-switched networks. This algorithm provides provable optimality guarantees in the following game theoretic sense: The network configuration converges to a configuration arbitrarily close to a pure Nash equilibrium. In this context, a Nash equilibrium is a configuration in which no flow can improve its end-to-end delay by changing its network path. This algorithm has several robustness properties making it suitable for real-life usage: it is robust to measurement errors, outdated information, and clocks desynchronization. Furthermore, it is only based on local information and only takes local decisions, making it suitable for a distributed implementation. Our SDN-based proof-of-concept is built as an Openflow controller. We set up an emulation platform based on Mininet to test the behavior of our proof-of-concept implementation in several scenarios. Although real-world conditions do not conform exactly to the theoretical model, all experiments exhibit satisfying behavior, in accordance with the theoretical predictions
Routage distribué et adaptatif fondé sur la théorie des jeux
International audienceDans cet article, nous présentons un algorithme de routage distribué multi-flots permettant de choisir des chemins debout en bout dans un réseau. Celui-ci converge vers une configuration dans laquelle aucun flot ne peut améliorer sondélai de bout en bout en changeant de chemin (équilibre de Nash).Notre algorithme est robuste aux erreurs de mesures, tolère les mesures obsolètes, et ne nécessite pas de synchronisationd’horloge. Notre preuve de concept est implémentée sous forme d’un contrôleur OpenFlow, et nous l’évaluons sur uneplate-forme d’émulation utilisant Mininet
Persistent DNS connections for improved performance
International audienc
SRPT-ECF: challenging Round-Robin for stream-aware multipath scheduling
International audienceMultipath TCP has long been the standard multipath transport protocol. However, the recent introduction of Multipath QUIC has changed the landscape by allowing multiple streams to coexist, bringing opportunities for further optimisation but also a new set of challenges. New stream-aware scheduling algorithms are necessary to account for this new variable.We show that, perhaps counter-intuitively, serving streams using a Round-Robin strategy yields poor performance when looking at stream completion time. We then describe SRPT-ECF, our novel stream-aware multipath scheduling algorithm. We show that our algorithm is optimal in a simple network model and that it exhibits good properties on HTTP/2 traces. We then sketch how it could be implemented within Multipath QUIC to schedule web resources with HTTP/2, paving the way for low-latency multipath HTTP/3 implementations
Improving end-to-end delay at the application layer
International audienc
Persistent DNS connections for improved performance
International audienceIn the DNS resolution process, packet losses and ensuing retransmission timeouts induce marked latencies: the current UDP-based resolution process takes up to 5 seconds to detect a loss event. We find that persistent DNS connections based on TCP or TLS can provide an elegant solution to this problem. With controlled experiments on a testbed, we show that persistent DNS connections significantly reduces worst-case latency. We then leverage a large-scale platform to study the performance impact of TCP/TLS on recursive resolvers. We find that off-the-shelf software and reasonably powerful hardware can effectively provide recursive DNS service over TCP and TLS, with a manageable performance hit compared to UDP
Don't Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic
This paper concerns the problem of the absence of ingress filtering at the
network edge, one of the main causes of important network security issues.
Numerous network operators do not deploy the best current practice - Source
Address Validation (SAV) that aims at mitigating these issues. We perform the
first Internet-wide active measurement study to enumerate networks not
filtering incoming packets by their source address. The measurement method
consists of identifying closed and open DNS resolvers handling requests coming
from the outside of the network with the source address from the range assigned
inside the network under the test. The proposed method provides the most
complete picture of the inbound SAV deployment state at network providers. We
reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway
Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally,
using the data from the Spoofer project and performing an open resolver scan,
we compare the filtering policies in both directions
The Closed Resolver Project: Measuring the Deployment of Source Address Validation of Inbound Traffic
Source Address Validation (SAV) is a standard aimed at discarding packets
with spoofed source IP addresses. The absence of SAV for outgoing traffic has
been known as a root cause of Distributed Denial-of-Service (DDoS) attacks and
received widespread attention. While less obvious, the absence of inbound
filtering enables an attacker to appear as an internal host of a network and
may reveal valuable information about the network infrastructure. Inbound IP
spoofing may amplify other attack vectors such as DNS cache poisoning or the
recently discovered NXNSAttack. In this paper, we present the preliminary
results of the Closed Resolver Project that aims at mitigating the problem of
inbound IP spoofing. We perform the first Internet-wide active measurement
study to enumerate networks that filter or do not filter incoming packets by
their source address, for both the IPv4 and IPv6 address spaces. To achieve
this, we identify closed and open DNS resolvers that accept spoofed requests
coming from the outside of their network. The proposed method provides the most
complete picture of inbound SAV deployment by network providers. Our
measurements cover over 55 % IPv4 and 27 % IPv6 Autonomous Systems (AS) and
reveal that the great majority of them are fully or partially vulnerable to
inbound spoofing. By identifying dual-stacked DNS resolvers, we additionally
show that inbound filtering is less often deployed for IPv6 than it is for
IPv4. Overall, we discover 13.9 K IPv6 open resolvers that can be exploited for
amplification DDoS attacks - 13 times more than previous work. Furthermore, we
enumerate uncover 4.25 M IPv4 and 103 K IPv6 vulnerable closed resolvers that
could only be detected thanks to our spoofing technique, and that pose a
significant threat when combined with the NXNSAttack.Comment: arXiv admin note: substantial text overlap with arXiv:2002.0044