40 research outputs found

    Decentralized trust in the inter-domain routing infrastructure

    Inter-domain routing security is of critical importance to the Internet since it prevents unwanted traffic redirections. The current system is based on a Public Key Infrastructure (PKI), a centralized repository of digital certificates. However, the inherent centralization of such design creates tensions between its participants and hinders its deployment. In addition, some technical drawbacks of PKIs delay widespread adoption. In this paper we present IPchain, a blockchain to store the allocations and delegations of IP addresses. IPchain leverages blockchains' properties to decentralize trust among its participants, with the final goal of providing flexible trust models that adapt better to the ever-changing geopolitical landscape. Moreover, we argue that Proof of Stake is a suitable consensus algorithm for IPchain due to the unique incentive structure of this use-case, and that blockchains offer relevant technical advantages when compared to existing systems, such as simplified management. In order to show its feasibility and suitability, we have implemented and evaluated IPchain's performance and scalability storing around 350k IP prefixes in a 2.5 GB chain. Peer Reviewed. Postprint (published version)

    Global state, local decisions: Decentralized NFV for ISPs via enhanced SDN

    The network functions virtualization paradigm is rapidly gaining interest among Internet service providers. However, the transition to this paradigm on ISP networks comes with a unique set of challenges: legacy equipment already in place, heterogeneous traffic from multiple clients, and very large scalability requirements. In this article we thoroughly analyze such challenges and discuss NFV design guidelines that address them efficiently. Particularly, we show that a decentralization of NFV control while maintaining global state improves scalability, offers better per-flow decisions and simplifies the implementation of virtual network functions. Building on top of such principles, we propose a partially decentralized NFV architecture enabled via an enhanced software-defined networking infrastructure. We also perform a qualitative analysis of the architecture to identify advantages and challenges. Finally, we determine the bottleneck component, based on the qualitative analysis, which we implement and benchmark in order to assess the feasibility of the architecture. Peer Reviewed. Postprint (author's final draft)

    A control plane for WireGuard

    WireGuard is a VPN protocol that has gained significant interest recently. Its main advantages are: (i) simple configuration (via pre-shared SSH-like public keys), (ii) mobility support, (iii) reduced codebase to ease auditing, and (iv) Linux kernel implementation that yields high performance. However, WireGuard (intentionally) lacks a control plane. This means that each peer in a WireGuard network has to be manually configured with the other peers’ public key and IP addresses, or by other means. In this paper we present an architecture based on a centralized server to automatically distribute this information. In a nutshell, first we manually establish a WireGuard tunnel to the centralized server, and ask all the peers to store their public keys and IP addresses in it. Then, WireGuard peers use this secure channel to retrieve on-demand the information for the peers they want to communicate to. Our design strives to: (i) offer a key distribution scheme simpler than PKI-based ones, (ii) limit the number of public keys sent to the peers, and (iii) reduce tunnel establishment latency by means of a UDP-based protocol. We argue that such automation can help the deployment in enterprise or ISP scenarios. We also describe in detail our implementation and analyze several performance metrics. Finally, we discuss possible improvements regarding several shortcomings we found during implementation. This work was partially supported by the Spanish MINECO under contract TEC2017-90034-C2-1-R (ALLIANCE) and the Catalan Institution for Research and Advanced Studies (ICREA). Peer Reviewed. Postprint (author's final draft)

    Wide area network autoscaling for cloud applications

    Modern cloud orchestrators like Kubernetes provide a versatile and robust way to host applications at scale. One of their key features is autoscaling, which automatically adjusts cloud resources (compute, memory, storage) in order to adapt to the demands of applications. However, the scope of cloud autoscaling is limited to the datacenter hosting the cloud and it doesn't apply uniformly to the allocation of network resources. In I/O-constrained or data-in-motion use cases this can lead to severe performance degradation for the application. For example, when the load on a cloud service increases and the Wide Area Network (WAN) connecting the datacenter to the Internet becomes saturated, the application flows experience an increase in delay and loss. In many cases this is dealt with overprovisioning network capacity, which introduces additional costs and inefficiencies. On the other hand, thanks to the concept of "Network as Code", the WAN exposes a set of APIs that can be used to dynamically allocate and de-allocate capacity on-demand. In this paper we propose extending the concept of cloud autoscaling into the network to address this limitation. This way, applications running in the cloud can communicate their networking requirements, like bandwidth or traffic profile, to a Software-Defined Networking (SDN) controller or Network as a Service (NaaS) platform. Moreover, we aim to define the concepts of vertical and horizontal autoscaling applied to networking. We present a prototype that automatically allocates bandwidth to the underlay network, according to the requirements of the applications hosted in Kubernetes. Finally, we discuss open research challenges. This work was supported by the Spanish MINECO under contract TEC2017-90034-C2-1-R (ALLIANCE), the Catalan Institution for Research and Advanced Studies (ICREA). Peer Reviewed. Postprint (author's final draft)

    Draft Genome Sequences of Corynebacterium kroppenstedtii CNM633/14 and CNM632/14, Multidrug-Resistant and Antibiotic-Sensitive Isolates from Nodules of Granulomatous Mastitis Patients

    Fernández-Natal MI, Soriano F, Ariza-Miguel J, et al. Draft Genome Sequences of Corynebacterium kroppenstedtii CNM633/14 and CNM632/14, Multidrug-Resistant and Antibiotic-Sensitive Isolates from Nodules of Granulomatous Mastitis Patients. Genome announcements. 2015;3(3): e00525-15. Corynebacterium kroppenstedtii has been associated with infections of the female breast. Genome sequencing of two strains revealed a specific genomic island in the multidrug-resistant isolate CNM633/14 with similarity to the R plasmid pJA144188 of Corynebacterium resistens DSM 45100, being indicative of the horizontal transfer of antibiotic resistance genes to C. kroppenstedtii

    Programmable overlays via OpenOverlayRouter

    Among the different options to instantiate overlays, the Locator/ID Separation Protocol (LISP) [7] has gained significant traction among industry and academia [5], [6], [8]–[11], [14], [15]. Interestingly, LISP offers a standard, inter-domain, and dynamic overlay that enables low capital expenditure (CAPEX) innovation at the network layer [8]. LISP follows a map-and-encap approach where overlay identifiers are mapped to underlay locators. Overlay traffic is encapsulated into locator-based packets and routed through the underlay. LISP leverages a public database to store overlay-to-underlay mappings and on a pull mechanism to retrieve those mappings on demand from the data plane. Therefore, LISP effectively decouples the control and data planes, since control plane policies are pushed to the database rather than to the data plane. Forwarding elements reflect control policies on the data plane by pulling them from the database. In that sense, LISP can be used as an SDN southbound protocol to enable programmable overlay networks [5]. Peer Reviewed. Postprint (published version)

    Knowledge-defined networking

    The research community has considered in the past the application of Artificial Intelligence (AI) techniques to control and operate networks. A notable example is the Knowledge Plane proposed by D. Clark et al. However, such techniques have not been extensively prototyped or deployed in the field yet. In this paper, we explore the reasons for the lack of adoption and posit that the rise of two recent paradigms: Software-Defined Networking (SDN) and Network Analytics (NA), will facilitate the adoption of AI techniques in the context of network operation and control. We describe a new paradigm that accommodates and exploits SDN, NA and AI, and provide use-cases that illustrate its applicability and benefits. We also present simple experimental results that support, for some relevant use-cases, its feasibility. We refer to this new paradigm as Knowledge-Defined Networking (KDN). Peer Reviewed. Postprint (author's final draft)

    DeScripto. Digital platform for learning the historiographic sciences and techniques

    The project "deScripto: Digital platform for learning the Historiographic Sciences and Techniques" was presented with the aim of building an educational tool for learning the Historiographic Sciences and Techniques (Palaeography, Diplomatics, Epigraphy and Numismatics). To that end, it proposes the creation of a web space with resources for teaching and learning the Historiographic Sciences and Techniques

    Risk Factors and Predictive Score for Bacteremic Biliary Tract Infections Due to Enterococcus faecalis and Enterococcus faecium: a Multicenter Cohort Study from the PROBAC Project

    Biliary-tract bloodstream infections (BT-BSI) caused by Enterococcus faecalis and E. faecium are associated with inappropriate empirical treatment and worse outcomes compared to other etiologies. The objective of this study was to investigate the risk factors for enterococcal BT-BSI. Patients with BT-BSI from the PROBAC cohort, including consecutive patients with BSI in 26 Spanish hospitals between October 2016 and March 2017, were selected; episodes caused by E. faecalis or E. faecium and other causes were compared. Independent predictors for enterococci were identified by logistic regression, and a predictive score was developed. Eight hundred fifty episodes of BT-BSI were included; 73 (8.5%) were due to target Enterococcus spp. (48 [66%] were E. faecium and 25 [34%] E. faecalis). By multivariate analysis, the variables independently associated with Enterococcus spp. were (OR; 95% confidence interval): cholangiocarcinoma (4.48; 1.32 to 15.25), hospital acquisition (3.58; 2.11 to 6.07), use of carbapenems in the previous month (3.35; 1.45 to 7.78), biliary prosthesis (2.19; 1.24 to 3.90), and moderate or severe chronic kidney disease (1.55; 1.07 to 2.26). The AUC of the model was 0.74 [95% CI 0.67 to 0.80]. A score was developed, with 7, 6, 5, 4, and 2 points for these variables, respectively, with a negative predictive value of 95% for a score ? 6. A model, including cholangiocarcinoma, biliary prosthesis, hospital acquisition, previous carbapenems, and chronic kidney disease showed moderate prediction ability for enterococcal BT-BSI. Although the score will need to be validated, this information may be useful for deciding empirical therapy in biliary tract infections when bacteremia is suspected. IMPORTANCE Biliary tract infections are frequent, and a significant cause of morbidity and mortality. Bacteremia is common in these infections, particularly in the elderly and patients with cancer. Inappropriate empirical treatment has been associated with increased risk of mortality in bacteremic cholangitis, and the probability of receiving inactive empirical treatment is higher in episodes caused by enterococci. This is because many of the antimicrobial agents recommended in guidelines for biliary tract infections lack activity against these organisms. To the best of our knowledge, this is the first study analyzing the predictive factors for enterococcal BT-BSI and deriving a predictive score