
    Contribución al diseño de arquitecturas distribuidas de nodos de red programable (Contribution to the design of distributed architectures for programmable network nodes)

    Nowadays, the network nodes that build the Internet are complex hardware/software systems that support many signalling protocols, network services, and complex functionalities such as firewalling or NAT. However, adding a new capability is a long, complex and costly process, due to many causes, but especially because routers are still proprietary systems, vertically integrated by the vendors. In this sense, research in programmable networks tries to simplify the development and deployment of network services by specifying open interfaces among all the elements that make up a router. However, before the first fully programmable network nodes start being deployed, it is necessary to provide short- and medium-term solutions that allow current high-performance routers to add advanced capabilities and new network services. This PhD thesis presents a low-cost transition architecture for programmable network nodes named Simple Assistant-Router Architecture (SARA), which allows a commercial router to extend its capabilities easily by delegating advanced packet processing to a cluster of assistants, greatly simplifying the development and dynamic deployment of new network services. A key aspect of this distributed architecture is the need for coordination mechanisms between the router and the assistants, and among the assistants themselves. Therefore, the Router-Assistant Protocol (RAP) has been proposed: a control protocol based on ForCES that allows assistants to configure the router's data plane, to receive events, and to divert signalling packets and data flows to the assistants for processing. As network application requirements can be very heterogeneous, several mechanisms are needed to load-balance the assistant cluster. Thus, this thesis presents two novel Fast Robust Hashing algorithms that provide a persistent and fair mapping of flows to assistants and improve on existing Robust Hashing techniques, being efficient enough to be implemented in the data plane of a commercial router. Moreover, this research work also defines the eXtensible Service Discovery Framework (XSDF), a simple and scalable framework that integrates in a single process scalable service location and load-sharing among loosely-coupled servers.
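The persistence property that flow diversion to assistants depends on can be seen with the classic robust hash (Highest Random Weight, HRW) that the thesis builds on; the thesis's own Fast Robust Hashing algorithms are not described on this page. The Python below is an added example, not code from the thesis: it maps constructed TCP 5-tuples to hypothetical assistants `asst-1` to `asst-4` and measures how many flows change assistant when one leaves or joins. Only the flows of the departed assistant move; flows of surviving assistants stay put, which is what makes per-flow state on the assistants safe across cluster changes.

```python
import hashlib


def hrw_score(flow_key: bytes, assistant: str) -> int:
    """Robust (Highest-Random-Weight) hash: one pseudo-random weight per
    (flow, assistant) pair.  A flow goes to the assistant with the highest
    weight, so the mapping depends only on the flow and on which assistants
    exist, never on their order or on any table state."""
    digest = hashlib.sha256(flow_key + b"\x00" + assistant.encode()).digest()
    return int.from_bytes(digest[:8], "big")


def pick_assistant(flow_key: bytes, assistants) -> str:
    return max(assistants, key=lambda a: hrw_score(flow_key, a))


def flow_key(proto: str, src: str, sport: int, dst: str, dport: int) -> bytes:
    # canonical 5-tuple the router's data plane would hash
    return f"{proto} {src}:{sport} -> {dst}:{dport}".encode()


def load_share(flows, assistants) -> dict:
    """Fraction of flows landing on each assistant (fairness check)."""
    counts = {a: 0 for a in assistants}
    for f in flows:
        counts[pick_assistant(f, assistants)] += 1
    return {a: c / len(flows) for a, c in counts.items()}


def remap_report(flows, before, after):
    """(fraction of flows that changed assistant, number of flows that moved
    away from an assistant that is still present).  For a pure removal the
    second value must be 0: only the departed assistant's flows are remapped."""
    moved = moved_from_survivor = 0
    for f in flows:
        old, new = pick_assistant(f, before), pick_assistant(f, after)
        if old != new:
            moved += 1
            if old in after:
                moved_from_survivor += 1
    return moved / len(flows), moved_from_survivor


# constructed sample: 2000 TCP flows from one /24 towards a single HTTPS server
SAMPLE_FLOWS = [
    flow_key("tcp", f"10.0.0.{i % 254 + 1}", 1024 + i, "192.0.2.10", 443)
    for i in range(2000)
]
# hypothetical assistant cluster
CLUSTER = ["asst-1", "asst-2", "asst-3", "asst-4"]

if __name__ == "__main__":
    print("share:", load_share(SAMPLE_FLOWS, CLUSTER))
    print("asst-4 leaves:", remap_report(SAMPLE_FLOWS, CLUSTER, CLUSTER[:3]))
    print("asst-5 joins:", remap_report(SAMPLE_FLOWS, CLUSTER, CLUSTER + ["asst-5"]))
```

The cost that the thesis's "fast" variants attack is visible in `pick_assistant`: plain HRW computes one hash per assistant per packet, which is fine for a handful of assistants but grows linearly with cluster size.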

    Off-line incentive mechanism for long-term P2P backup storage

    This paper presents a micro-payment-based incentive mechanism for long-term peer-to-peer storage systems. The main novelty of the proposed incentive mechanism is that it allows users to be off-line for extended periods of time without updating or renewing their information themselves. This feature is enabled through a digital cheque, issued by the user, which the storing peers later redeem to obtain a reward for keeping the user's information while the user is off-line. The proposed P2P backup system also includes a secure and lightweight data verification mechanism. Moreover, the proposed incentive also contributes to improving the availability of the stored information and the scalability of the whole system. The paper details the verification and cheque-based incentive mechanisms in the context of a P2P backup service and analyzes their scalability and security properties. The system is furthermore validated by means of simulation, proving the effectiveness of the proposed incentive.
    This work has been funded by the Regional Government of Madrid under the MEDIANET project (S2009/TIC-1468) and has also received funding from the Ministry of Science and Innovation of Spain, under the QUARTET project (TIN2009-13992-C02-01).

    Analysis of privacy vulnerabilities in single sign-on mechanisms for multimedia websites

    This paper studies the privacy risks for the users of two popular single sign-on platforms for web-based content access: OpenID and Facebook Connect. In particular, we describe in detail a privacy vulnerability of the OpenID Authentication Protocol that leads to the exposure of the OpenID user identifier to third parties. We illustrate how OpenID agents leak the (potentially unique) OpenID identifiers of their users to third parties, such as advertisement and traffic analysis corporations. This vulnerability is a real and widespread privacy risk for OpenID users. This paper also analyzes the privacy of Facebook Connect, the proprietary single sign-on platform that has recently gained a lot of popularity, and concludes that it is not affected by the same vulnerability, although other important privacy issues remain. Finally, this paper studies the solution space of these problems and defines a number of possible countermeasures. In the case of the OpenID vulnerability, we propose three solutions: one for the long term, which removes the root cause of the vulnerability, and two short-term mitigations.
    The work presented in this paper has been funded by the INDECT project (Ref 218086) of the 7th EU Framework Programme.

    A practical approach to network-based processing

    The use of general-purpose processors externally attached to routers, effectively playing the role of active coprocessors, seems a safe and cost-effective approach to adding active network capabilities to existing routers. This paper reviews this router-assistant way of building active nodes, addresses the benefits and limitations of the technique, and describes a new platform based on it that uses an enhanced commercial router. The features new to this type of architecture are transparency, IPv4 and IPv6 support, and full control over layer 3 and above. A practical experience with two applications, one for path characterization and a transport gateway managing multiple QoS classes, is described.
    Most of this work has been funded by the IST project GCAP (Global Communication Architecture and Protocols for new QoS services over IPv6 networks) IST-1999-10504. Further development and application to practical scenarios is being supported by the IST project Opium (Open Platform for Integration of UMTS Middleware) IST-2001-36063 and the Spanish MCYT under projects TEL99-0988-C02-01 and AURAS TIC2001-1650-C02-01.

    An empirical study of Cloud Gaming

    Presented at the 11th Annual Workshop on Network and Systems Support for Games (NetGames), November 22-23, 2012, Venice (Italy).
    Online gaming connects players from all over the world for fun and entertainment, and has been regarded as one of the most profitable and popular Internet services. Besides, there is a growing trend towards moving local applications to remote data centers, often referred to as the cloud. With the purpose of studying the impact of cloud gaming on the access network load, in this paper we carry out an empirical network traffic analysis of two well-known cloud gaming platforms: OnLive and Gaikai. Traffic traces have been collected and analysed for five different games on each platform. Cloud gaming has been observed to be remarkably different from traditional online gaming in terms of network load and traffic characteristics. Moreover, the traces have revealed similarities between the two platforms regarding the packet size distribution, and differences concerning the packet inter-arrival times. Each platform shows a similar traffic pattern for most of the games it serves; nonetheless, the racing and shooter games considered in this work demand more bandwidth than the other game genres.
    This work is partly supported by the projects TRION (TEC2009-10724), FIERRO (TEC2010-12250-E) and Medianet (S-2009/TIC-1468), and by the Generalitat de Catalunya through the research support program project SGR-1202 and an AGAUR FI-DGR 2012 grant.

    STARR-DCS: Spatio-temporal adaptation of random replication for data-centric storage

    This article presents a novel framework for data-centric storage (DCS) in a wireless sensor and actor network (WSAN) that employs a randomly selected set of data replication nodes, which also changes over time. This enables reductions in the average network traffic and energy consumption by adapting the number of replicas to the applications' traffic, while balancing energy burdens by varying their locations. To that end, we propose and validate a simple model to determine the optimal number of replicas, in terms of minimizing average traffic/energy consumption, based on measurements of the applications' production and consumption traffic. Simple mechanisms are proposed to decide when the current set of replication nodes should be changed, to enable new applications and nodes to bootstrap efficiently into a working WSAN, to recover from failing nodes, and to adapt to changing conditions. Extensive simulations demonstrate that our approach can extend a WSAN's lifetime by at least 60%, and up to a factor of 10× depending on the lifetime criterion being considered. The feasibility of the proposed framework has been validated in a prototype with 20 resource-constrained motes, and the results obtained via simulation for large WSANs have also been corroborated in that prototype.
    The research leading to these results has been partially funded by the Spanish MEC under the CRAMNET project (TEC2012-38362-C03-01) and the FIERRO project (TEC2010-12250-E), and by the General Directorate of Universities and Research of the Regional Government of Madrid under the MEDIANET Project (S2009/TIC-1468). G. de Veciana was supported by the National Science Foundation under Award CNS-0915928.

    Applying low discrepancy sequences for node-ID assignment in P2PSIP

    The IETF P2PSIP Working Group is currently designing a standard overlay protocol, named RELOAD, that employs centralized node identifier (node-id) assignment for security reasons. Given this scenario, we propose the use of a Low Discrepancy Sequence (LDS) for the assignment of node-ids in the P2PSIP architecture. We perform an analytical and simulation study on a Chord DHT which demonstrates that LDS-based node-id assignment guarantees a fair distribution of the nodes' zones of responsibility, even in high-churn scenarios. Previous studies have shown that a fairer distribution of zone-of-responsibility sizes leads to a fairer distribution of the storage and routing load. We therefore conclude that the proposed LDS node-id assignment provides these properties without adding any extra overhead.
    This work has been partially supported by the EU through the FP7 TREND Project (257740), the Spanish Government through the T2C2 project (TIN2008-06739-C04-01), and the Regional Government of Madrid through the MEDIANET project (S-2009/TIC-1468).
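To make the zone-fairness claim concrete, the Python below is an added example, not code from the paper: it assigns node-ids from the base-2 van der Corput sequence (one common low-discrepancy sequence; the paper does not say on this page which LDS it uses, so that choice is an assumption, as is the 32-bit toy ring) and compares the largest-to-smallest zone ratio against uniformly random ids, before and after a fraction of the nodes leaves. For the LDS the ratio is provably at most 2 for any prefix of the sequence, while random ids produce zones that differ by orders of magnitude.

```python
import random

RING_BITS = 32                 # assumption: toy ring; RELOAD uses a much larger space
RING = 1 << RING_BITS


def van_der_corput_id(n: int, bits: int = RING_BITS) -> int:
    """n-th element of the base-2 van der Corput sequence, scaled to the ring:
    the radical inverse of n, i.e. the bits of n reversed into a `bits`-wide word.
    Any prefix of this sequence splits the ring into zones of only two sizes
    (2^-k and 2^-(k+1) of the ring), so max/min zone size never exceeds 2."""
    v = 0
    for i in range(bits):
        if (n >> i) & 1:
            v |= 1 << (bits - 1 - i)
    return v


def lds_ids(n_nodes: int) -> list:
    # the central enrolment server hands out sequence elements 0, 1, 2, ...
    return [van_der_corput_id(n) for n in range(n_nodes)]


def random_ids(n_nodes: int, rng: random.Random) -> list:
    return rng.sample(range(RING), n_nodes)


def zone_sizes(ids) -> list:
    """Chord zone of a node = keys in (predecessor, node]; i == 0 wraps around."""
    s = sorted(ids)
    return [(s[i] - s[i - 1]) % RING for i in range(len(s))]


def imbalance(ids) -> float:
    z = zone_sizes(ids)
    return max(z) / min(z)


def after_churn(ids, leave_fraction: float, rng: random.Random) -> list:
    """Random subset of survivors after `leave_fraction` of the nodes depart."""
    return rng.sample(ids, round(len(ids) * (1 - leave_fraction)))


def fairness_report(n_nodes: int = 1000, leave_fraction: float = 0.3, seed: int = 1) -> dict:
    rng = random.Random(seed)
    lds, rnd = lds_ids(n_nodes), random_ids(n_nodes, rng)
    return {
        "lds": imbalance(lds),
        "random": imbalance(rnd),
        "lds_after_churn": imbalance(after_churn(lds, leave_fraction, random.Random(seed + 1))),
        "random_after_churn": imbalance(after_churn(rnd, leave_fraction, random.Random(seed + 1))),
    }


if __name__ == "__main__":
    for name, ratio in fairness_report().items():
        print(f"{name:>20}: max/min zone size = {ratio:.1f}")
```

With 1000 nodes the LDS ratio is exactly 2 (512 zones of one size and 488 half-size zones), 512 nodes give a ratio of 1, and the random assignment typically lands in the thousands; churn merges neighbouring zones but the LDS remains far ahead.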

    Integrated security infrastructures for law enforcement agencies

    Published online: 22 June 2013. This paper is an improved version of "Security Infrastructures: Towards the INDECT System Security" by the same authors, presented at the 5th International Conference on Multimedia Communication Services & Security (MCSS 2012), Krakow (Poland), May 31 - June 1, 2012.
    This paper provides an overview of the security architecture for Law Enforcement Agencies (LEAs) designed by the INDECT project, and in particular of the security infrastructures that have been deployed so far. These security infrastructures can be organized into the following main areas: Public Key Infrastructure (PKI) and user management, communications security, and new cryptographic algorithms. This paper presents the new ideas, architectures and deployed testbeds for these areas. In particular, it explains the inner structure of the INDECT PKI employed for federated identity management, the different technologies employed in the VPN testbed, the INDECT Block Cipher (IBC), a novel cryptographic algorithm that has been integrated into the OpenSSL library, and how IBC-enabled TLS/SSL sessions and X.509 certificates are employed to protect INDECT applications. All proposed mechanisms have been designed to work in an integrated fashion as the security foundation of all systems being developed by the INDECT project for LEAs.
    This work has been funded by the EU Project INDECT (Intelligent information system supporting observation, searching and detection for security of citizens in urban environment), grant agreement number 218086.

    A Model to Quantify the Success of a Sybil Attack Targeting RELOAD/Chord Resources

    The Sybil attack is one of the most harmful security threats for distributed hash tables (DHTs). This attack is not only theoretical: it has been spotted "in the wild", and has even been performed by researchers themselves to demonstrate its feasibility. In this letter we analyse the Sybil attack whose objective is to make a targeted resource inaccessible to every user of a Chord DHT, by replacing all the replica nodes that store it with sybils. In particular, we propose a simple yet complete model that gives the number of random node-IDs an attacker would need to generate in order to succeed with a given probability. Our model therefore makes it possible to quantify the cost of a Sybil resource attack on RELOAD/Chord DHTs more accurately than previous work, and thus establishes a basis for measuring the effectiveness of the different solutions proposed in the literature to prevent or mitigate Sybil attacks.
    This work has been partially supported by the EU FP7 TREND project (257740), the Spanish T2C2 project (TIN2008-06739-C04-01) and the Madrid MEDIANET project (S-2009/TIC-1468).
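The letter's own model is not reproduced on this page, so the Python below is an added example rather than the authors' model: it states the simplest closed form for the attack cost under the assumptions that the r replicas of a resource sit on the r nodes immediately succeeding its key (the successor-list replication RELOAD/Chord use) and that honest and sybil node-ids are independent uniform draws from a 128-bit ring (assumed here to match RELOAD node-ids). Under those assumptions the clockwise order of nodes starting at the key is a uniform random permutation, so the probability that the first r are all sybils is C(s, r)/C(n+s, r). A Monte Carlo simulation of the ring checks the formula, and `sybils_needed` inverts it to give the number of random node-ids for a target success probability.

```python
import heapq
import random

RING_BITS = 128            # assumption: RELOAD node-ids are 128-bit values
RING = 1 << RING_BITS


def success_probability(n_honest: int, replicas: int, n_sybils: int) -> float:
    """P(all `replicas` successors of a fixed key are sybils) when the n honest and
    s sybil node-ids are i.i.d. uniform on the ring: C(s, r) / C(n + s, r),
    computed as a running product so large n and s do not overflow."""
    if n_sybils < replicas:
        return 0.0
    p = 1.0
    for i in range(replicas):
        p *= (n_sybils - i) / (n_honest + n_sybils - i)
    return p


def sybils_needed(n_honest: int, replicas: int, target: float) -> int:
    """Smallest number of random node-ids whose success probability is >= target
    (galloping search then bisection; the probability is monotone in s)."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    lo, hi = replicas, replicas
    while success_probability(n_honest, replicas, hi) < target:
        hi *= 2
    while lo < hi:
        mid = (lo + hi) // 2
        if success_probability(n_honest, replicas, mid) < target:
            lo = mid + 1
        else:
            hi = mid
    return lo


def simulate(n_honest: int, replicas: int, n_sybils: int, trials: int, seed: int = 42) -> float:
    """Monte Carlo estimate of the same event on an explicit Chord ring: draw a key,
    draw all node-ids, take the r nodes with the smallest clockwise distance from
    the key (its successor list) and check whether every one of them is a sybil."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(RING_BITS)
        nodes = [(rng.getrandbits(RING_BITS), False) for _ in range(n_honest)]
        nodes += [(rng.getrandbits(RING_BITS), True) for _ in range(n_sybils)]
        successors = heapq.nsmallest(replicas, nodes, key=lambda node: (node[0] - key) % RING)
        if all(is_sybil for _, is_sybil in successors):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    n, r = 1000, 3                      # constructed scenario: 1000 honest nodes, 3 replicas
    for p in (0.5, 0.9, 0.99):
        print(f"{r} replicas, {n} honest nodes, P(success) >= {p}: {sybils_needed(n, r, p)} sybils")
    print("model:", round(success_probability(200, r, 200), 4),
          "simulation:", simulate(200, r, 200, trials=4000))
```

The output makes the cost of the resource attack tangible: with 1000 honest nodes and three replicas an attacker needs on the order of four thousand random node-ids for a coin-flip chance, and the requirement grows steeply with the replica count, which is the knob any mitigation based on centralized id assignment is really turning.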

    Strengths and Weaknesses of the ETSI Adaptive DCC Algorithm: A Proposal for Improvement

    This letter studies the adaptive decentralized congestion control (DCC) algorithm defined in the ETSI TS 102 687 V1.2.1 specification. We provide insights on the parameters used in the algorithm and explore the impact of those parameters on its performance. We show how the algorithm achieves good average medium utilization while protecting against congestion, but we also show how the chosen parameters can result in slow convergence and long periods of unfairness in transitory situations. Finally, we propose a modification to the algorithm which results in significant improvements in the speed of convergence and fairness.
    This work was partially supported by the Spanish Ministerio de Economía y Competitividad through the Texeo project (TEC2016-80339-R).