51 research outputs found

    Towards Secure and Leak-Free Workflows Using Microservice Isolation

    Full text link
    Data leaks and breaches are on the rise. They result in huge losses of money for businesses like the movie industry, as well as a loss of user privacy for businesses dealing with user data like the pharmaceutical industry. Preventing data exposures is challenging, because the causes for such events are various, ranging from hacking to misconfigured databases. Alongside the surge in data exposures, the recent rise of microservices as a paradigm brings the need to not only secure traffic at the border of the network, but also internally, pressing the adoption of new security models such as zero-trust to secure business processes. Business processes can be modeled as workflows, where the owner of the data at risk interacts with contractors to realize a sequence of tasks on this data. In this paper, we show how those workflows can be enforced while preventing data exposure. Following the principles of zero-trust, we develop an infrastructure using the isolation provided by a microservice architecture, to enforce owner policy. We show that our infrastructure is resilient to the set of attacks considered in our security model. We implement a simple, yet realistic, workflow with our infrastructure in a publicly available proof of concept. We then verify that the specified policy is correctly enforced by testing the deployment for policy violations, and estimate the overhead cost of authorization

    ISP Probing Reduction with Anaximander

    Full text link
    Peer reviewed. Since the early 2000s, Internet topology discovery has been an active research topic, providing data for various studies such as Internet modeling, network management, or to assist and support network protocol design. Within this research area, ISP mapping at the router level has attracted little interest despite its utility to perform intra-domain routing evaluation. Since Rocketfuel (and, to a smaller extent, mrinfo), no new tool or method has emerged for systematically mapping intra-domain topologies. In this paper, we introduce Anaximander, a new efficient approach for probing and discovering a targeted ISP in particular. Considering a given set of vantage points, we implement and combine several predictive strategies to mitigate the number of probes to be sent without sacrificing the ISP coverage. To assess the ability of our method to efficiently retrieve an ISP map, we rely on a large dataset of ISPs having distinct nature and demonstrate how Anaximander can be tuned with a simple parameter to control the trade-off between coverage and probing budget

    Computing Delay-Constrained Least-Cost Paths for Segment Routing is Easier Than You Think

    Full text link
    With the growth of demands for quasi-instantaneous communication services such as real-time video streaming, cloud gaming, and industry 4.0 applications, multi-constraint Traffic Engineering (TE) becomes increasingly important. While legacy TE management planes have proven laborious to deploy, Segment Routing (SR) drastically eases the deployment of TE paths and thus became the most appropriate technology for many operators. The flexibility of SR sparked demands in ways to compute more elaborate paths. In particular, there exists a clear need in computing and deploying Delay-Constrained Least-Cost paths (DCLC) for real-time applications requiring both low delay and high bandwidth routes. However, most current DCLC solutions are heuristics not specifically tailored for SR. In this work, we leverage both inherent limitations in the accuracy of delay measurements and an operational constraint added by SR. We include these characteristics in the design of BEST2COP, an exact but efficient ECMP-aware algorithm that natively solves DCLC in SR domains. Through an extensive performance evaluation, we first show that BEST2COP scales well even in large random networks. In real networks having up to thousands of destinations, our algorithm returns all DCLC solutions encoded as SR paths in way less than a second

    Routage multichemins par interface d'entrée

    No full text
    The reliability of an IP network in the face of failures and congestion depends on the reaction time of the underlying routing protocol. Currently, link-state routing protocols such as OSPF or IS-IS use only the equal-cost best routes to forward IP packets at the scale of a domain. The sub-optimality property of best routes guarantees the consistency of hop-by-hop routing, even though the paths computed with Dijkstra's algorithm are composed step by step. Depending on the metric used, the diversity of existing paths may be largely under-exploited with a condition such as sub-optimality. Yet the diversity of routing alternatives is one of the key elements for ensuring a limited reaction time. The difficulty inherent to hop-by-hop multipath routing protocols is verifying the absence of routing loops. Each node must guarantee that the traffic it forwards is not switched onto a circuit of which it is part. In this thesis report, after presenting the state of the art in the literature, we present two contributions whose combination ensures this property. The first proposal, based on Dijkstra's algorithm, is a multipath search algorithm named Dijkstra-Transverse (DT), which computes a set of transverse paths between a root node and every other node of the graph modeling the network. The second contribution is a distributed validation procedure, DT(p), whose aim is to prune the circuits potentially generated by hop-by-hop routing. To increase the diversity of validated paths, the forwarding procedure is specific to each incoming interface. Furthermore, we evaluated the impact of path diversity on providing effective coverage in case of link failure. The notion of coverage comes in two versions, local or global, depending on the type of protection considered, in other words, whether or not it is possible to notify upstream routers of the occurrence of a failure. We also looked at traffic engineering aspects related to load balancing in case of congestion. To estimate the importance of path diversity for implementing efficient proportional routing, our work focused on defining a reactive load-sharing module. This module is simply based on a local analysis of residual bandwidth and highlights the performance of our routing proposals in comparison with existing ones. In general, for the sake of credibility, our simulation-based evaluations rely on realistic topologies and traffic generation. The results highlight the effectiveness of our algorithms for deploying multipath routing that generates greater diversity than existing approaches. This diversity is indeed necessary to obtain sufficient forwarding capacity to route around failures and congestion, as indicated by our results for the two types of applications evaluated

    Build and measure routing systems

    No full text
    Computer science (abstract in French)

    Path Diversity in Energy-Efficient Wireless Sensor Networks

    No full text
    Abstract—Energy efficiency is one of the most important issues to be tackled in wireless sensor networks. Activity scheduling protocols aim at prolonging the network lifetime by reducing the proportion of nodes that participate in the application. Among the vast range of criteria existing to schedule nodes' activities, area coverage by connected sets is one of the most studied. Active nodes must ensure area coverage while remaining connected in order to guarantee proper data collection to the sink stations. As wireless communications stand for the main source of energy consumption, we investigated the communication redundancy of the active nodes set. We define a path diversity based metric that allows us to characterize the communication redundancy of a given set of nodes. We show that one of the most used connectivity criteria is far from building minimal connected sets in terms of communicating nodes involved. Our results open new directions to design localized connected sets solutions

    Network Fingerprinting: TTL-Based Router Signatures

    Full text link
    Peer reviewed. Fingerprinting networking equipment has many potential applications and benefits in network management and security. More generally, it is useful for the understanding of network structures and their behaviors. In this paper, we describe a simple fingerprinting mechanism based on the initial TTL values used by routers to reply to various probing messages. We show that main classes obtained using this simple mechanism are meaningful to distinguish router platforms. Besides, it comes at a very low additional cost compared to standard active topology discovery measurements. As a proof of concept, we apply our method to gain more insight on the behavior of MPLS routers and to, thus, more accurately quantify their visible/invisible deployment

    Extracting Intra-Domain Topology from mrinfo Probing

    Full text link
    Peer reviewed. Active and passive measurements for topology discovery have known an impressive growth during the last decade. If a lot of work has been done regarding inter-domain topology discovery and modeling, only a few papers raise the question of how to extract intra-domain topologies from measurement results. In this paper, based on a large dataset collected with mrinfo, a multicast tool that silently discovers all interfaces of a router, we provide a mechanism for retrieving intra-domain topologies. The main challenge is to assign an AS number to a border router whose IP addresses are not mapped to the same AS. Our algorithm is based on probabilistic and empirical IP allocation rules. The goal of our pool of rules is to converge to a consistent router to AS mapping. We show that our router-to-AS algorithm results in a mapping in more than 99% of the cases. Furthermore, with mrinfo, point-to-point links between routers can be distinguished from multiple links attached to a switch, providing an accurate view of the collected topologies. Finally, we provide a set of large intra-domain topologies in various formats