Deadline-aware and energy-efficient dynamic flow scheduling in data center network
Zan Yao, Y. Wang, J. Ba, Junran Zong, Sixiang Feng, Zhanwei Wu
Pub Date: 2017-11-01, DOI: 10.23919/CNSM.2017.8256053
Venue: 2017 13th International Conference on Network and Service Management (CNSM)
The construction of energy-efficient networks and the achievement of green communication have garnered great attention as a promising way to reduce network operating costs and C emissions. Moreover, deadline-aware and energy-efficient routing and scheduling algorithms in data center networks have recently been attracting broad attention. However, dynamic scheduling of flows has not been explicitly studied by existing research. In this paper, we investigate dynamic flow scheduling in data center networks and propose a deadline-aware and energy-efficient dynamic flow scheduling (DEDFS) algorithm, assuming that the path of each flow can be calculated in advance and pre-stored. In addition, mouse flows account for the main proportion of flows in a data center network, but their consumption is very small. In order to balance energy saving and efficiency, mouse flows are transferred directly, while elephant flows are scheduled by a dynamic scheduling algorithm based on the Most-Critical-First static strategy. It selects the interval of largest energy consumption density as the critical interval, and all of the flows in this critical interval are scheduled preferentially. Finally, the feasibility and validity of the algorithm are verified by simulation.
SDN implementation of multipath discovery to improve network performance in distributed storage systems
Luis Guillen, S. Izumi, Toru Abe, T. Suganuma, H. Muraoka
Pub Date: 2017-11-01, DOI: 10.23919/CNSM.2017.8256054
The use of Distributed Storage Systems (DSS) has increased considerably in the past years, alongside the need for effective data transfer from storage to storage. Although current network infrastructure can reliably handle large amounts of traffic, networking techniques have not changed for several years, leading to an under-use of resources, i.e., most routing solutions still use single-path routing. In this paper, we present a pragmatic approach for multipath routing in DSS, based on Software Defined Networking (SDN), that uses parallel links at the edge side. Path discovery is performed by finding the k maximum disjoint paths in a multigraph. Preliminary results show that, by using our multipath solution, not only does the overall throughput increase but also the efficiency of resource usage.
Resource provisioning for IoT application services in smart cities
José Santos, T. Wauters, B. Volckaert, F. Turck
Pub Date: 2017-11-01, DOI: 10.23919/CNSM.2017.8255974
In recent years, traffic over wireless networks has been increasing exponentially due to the impact of the Internet of Things (IoT) and Smart Cities. Current networks must adapt to and cope with the specific requirements of IoT applications, since resources can be requested on demand simultaneously by multiple devices at different locations. One of these requirements is low latency, since even a small delay for an IoT application such as health monitoring or an emergency service can drastically impact its performance. To deal with this limitation, the Fog computing paradigm has been introduced, placing cloud resources at the edges of the network to decrease latency. However, deciding which edge cloud location and which physical hardware will be used to allocate a specific resource for an IoT application is not an easy task. Therefore, in this paper, an Integer Linear Programming (ILP) formulation for the IoT application service placement problem is proposed, which considers multiple optimization objectives such as low latency and energy efficiency. Solutions for the resource provisioning of IoT applications within the scope of Antwerp's City of Things testbed have been obtained. The result of this work can serve as a benchmark in future research on placement issues of IoT application services in Fog Computing environments, since the model approach is generic and applies to a wide range of IoT use cases.
AutoFocus: Automatically scoping the impact of anomalous service events
Ren Quinn, Zihui Ge, He Yan, J. Merwe
Pub Date: 2017-11-01, DOI: 10.23919/CNSM.2017.8255986
Networks, and the services they enable, are increasingly diverse and highly utilized. From DSL and fiber-to-the-home access networks, to cellular mobile networks, to content-delivery networks, all require extensive monitoring in order to meet users' increasing expectations of the availability and quality of the services provided to them. The complexity of these networks and services requires better management on the part of providers, as the data resulting from service monitoring grows in dimensionality, making it difficult to fully interpret anomalies in the data. For example, anomaly detection generally says "I found an anomaly with mobile phone A in market Z". But it is more useful to know what other phones and what other markets are also experiencing the same anomaly.
Android malicious application detection using support vector machine and active learning
Bahman Rashidi, Carol J. Fung, E. Bertino
Pub Date: 2017-11-01, DOI: 10.23919/CNSM.2017.8256035
The increasing popularity of Android phones and their open app market system have caused the proliferation of malicious Android apps. The increasing sophistication and diversity of malicious Android apps render conventional malware detection techniques ineffective, which results in a large number of malicious applications remaining undetected. This calls for more effective techniques for the detection and classification of Android malware. Hence, in this paper, we present an Android malicious application detection framework based on Support Vector Machine (SVM) and Active Learning technologies. In our approach, we extract applications' activities while in execution and map them into a feature set, and then attach timestamps to some features in the set. We show that our novel use of time-dependent behavior tracking can significantly improve malware detection accuracy. In particular, we build an active learning model using the Expected Error Reduction query strategy to integrate new informative instances of Android malware and retrain the model, enabling adaptive online learning. We evaluate our model through a set of experiments on the DREBIN benchmark malware dataset. Our evaluation results show that the proposed approach can accurately detect malicious applications and improve updatability against new malware.
Applicability and limitations of a simple WiFi hotspot model for cities
Michael Seufert, Christian Moldovan, Valentin Burger, T. Hossfeld
Pub Date: 2017-11-01, DOI: 10.23919/CNSM.2017.8255985
Offloading mobile Internet data via WiFi has emerged as an omnipresent trend. WiFi networks are already widely deployed by many private and public institutions (e.g., libraries, cafes, restaurants), but also by commercial services, to provide alternative Internet access for their customers and to mitigate the load on mobile networks. Moreover, smart cities are starting to install WiFi infrastructure for current and future civic services, e.g., based on sensor networks or the Internet of Things. A simple model for the distribution of WiFi hotspots in an urban environment is presented. The hotspot locations are modeled with a uniform distribution of the angle and an exponential distribution of the distance, which is truncated to the city limits. We compare the characteristics of this model in detail to the real distributions. Moreover, we show the applicability and the limitations of this model, and the results suggest that the model can be used in scenarios that do not require an accurate spatial collocation of the hotspots, such as offloading potential, coverage, or signal strength.
IPv6-specific misconfigurations in the DNS
Luuk Hendriks, P. Boer, A. Pras
Pub Date: 2017-11-01, DOI: 10.23919/CNSM.2017.8256036
With the Internet transitioning from IPv4 to IPv6, the number of IPv6-specific DNS records (AAAA) increases. Misconfigurations in these records often go unnoticed, as most systems are provided with connectivity over both IPv4 and IPv6, and automatically fall back to IPv4 in case of connection problems. With IPv6-only networks on the rise, such misconfigurations result in servers or services rendered unreachable. Using long-term active DNS measurements over multiple zones, we qualify and quantify these IPv6-specific misconfigurations. Applying pattern matching on AAAA records revealed which configuration mistakes occur most, the distribution of faulty records per DNS operator, and how these numbers evolved over time. We show that more than 97% of invalid records can be categorized into one of our ten defined main configuration mistakes. Furthermore, we show that while the number and ratio of invalid records decreased over the last two years, the number of DNS operators with at least one faulty AAAA record increased. This emphasizes the need for easily applicable checks in DNS management systems, for which we provide recommendations in the conclusions of this work.
Resource-aware placement of softwarised security services in cloud data centers
Abeer Ali, C. Anagnostopoulos, D. Pezaros
Pub Date: 2017-11-01, DOI: 10.23919/CNSM.2017.8255975
Virtualizing middleboxes as software for Cloud tenants can eliminate the monolithic processing and static deployment of legacy middleboxes and provide efficient provisioning of security services. However, inefficient management of the virtualized security services can reduce the gains of Cloud deployment. We propose a resource-efficient placement of the security functions in the infrastructure of a three-tier Cloud DC by modifying the Best-Fit Decreasing algorithm to solve the problem while satisfying the placement resource and traffic constraints.
An adaptive mechanism for LTE P-GW virtualization using SDN and NFV
L. J. Chaves, Islene C. Garcia, E. Madeira
Pub Date: 2017-11-01, DOI: 10.23919/CNSM.2017.8256000
The Software Defined Networking (SDN) and Network Function Virtualization (NFV) paradigms have been widely used to redesign traditional mobile networks. Despite several proposals in the literature, researchers have paid limited attention to the virtualization of user-plane functions that demand high-volume traffic processing, as is the case for Long Term Evolution (LTE) mobile gateways. This paper introduces an adaptive mechanism for the user-plane virtualization of the LTE Packet Data Network (PDN) GateWay (P-GW), running entirely on top of OpenFlow switches. Using both SDN and NFV concepts, the proposed mechanism employs elastic computing notions to dynamically activate or deactivate the infrastructure switches so that the virtualized gateway can adjust to workload changes. This work addresses both software and hardware OpenFlow infrastructure platforms, and simulation results highlight the benefits that can be achieved by the presented mechanism.
A path layer for the Internet: Enabling network operations on encrypted protocols
M. Kühlewind, Tobias Bühler, B. Trammell, S. Neuhaus, Roman Muntener, G. Fairhurst
Pub Date: 2017-11-01, DOI: 10.23919/CNSM.2017.8255973
The deployment of encrypted transport protocols imposes new challenges for network operations. Key in-network functions such as those implemented by firewalls and passive measurement devices currently rely on information exposed by the transport layer. Encryption, in addition to improving privacy, helps to address the ossification of network protocols caused by middleboxes that assume certain information to be present in the clear. However, "encrypting it all" risks diminishing the utility of these middleboxes for the traffic management tasks for which they were designed. A middlebox cannot use what it cannot see. We propose an architectural solution to this issue by introducing a new "path layer" for transport-independent, in-band signaling between Internet endpoints and the network elements on the paths between them, and by using this layer to reinforce the boundary between the hop-by-hop network layer and the end-to-end transport layer. We define a path layer header on top of UDP to provide a common wire image for new, encrypted transports. This path layer header provides information to a transport-independent on-path state machine that replaces stateful handling currently based on exposed header flags and fields in TCP; it enables explicit measurability of transport layer performance; and it offers extensibility through sender-to-path and path-to-receiver communication for diagnostics and management. This provides not only a replacement for signals that are not available with encrypted traffic, but also allows integrity-protected, enhanced signaling under endpoint control. We present an implementation of this wire image integrated with the QUIC protocol, as well as a basic stateful middlebox built on the Vector Packet Processing (VPP) framework provided by FD.io.