Publications catalogue - books


IP Operations and Management: 7th IEEE International Workshop, IPOM 2007 San José, USA, October 31 - November 2, 2007 Proceedings

Deep Medhi ; José Marcos Nogueira ; Tom Pfeifer ; S. Felix Wu (eds.)

In conference: 7th International Workshop on IP Operations and Management (IPOM). San José, CA, USA. October 31, 2007 - November 2, 2007

Abstract/Description – provided by the publisher

Not available.

Keywords – provided by the publisher

Not available.

Availability
Detected institution Publication year Browse Download Request
Not detected 2007 SpringerLink

Information

Resource type:

books

Print ISBN

978-3-540-75852-5

Electronic ISBN

978-3-540-75853-2

Publisher

Springer Nature

Country of publication

United Kingdom

Publication date

Publication rights information

© Springer-Verlag Berlin Heidelberg 2007

Table of contents

A Novel Peer-to-Peer Naming Infrastructure for Next Generation Networks

Ramy Farha; Alberto Leon-Garcia

One of the major challenges in next generation networks is naming, which allows the different entities on the network to identify, find, and address each other. In this paper, we propose a novel Peer-to-Peer naming infrastructure, which takes into account the expected changes in the next generation networks due to the trends shaping network evolution. The success of the Peer-to-Peer paradigm for applications such as file sharing and instant messaging has led to research on other areas where such a paradigm could be useful, to provide the scalability, robustness, and flexibility that characterize Peer-to-Peer applications.

- P2P and Future Internet | Pp. 1-12

Description of a Naming Architecture Managing Cryptographic Identifiers

Daniel Migault; Marcus Brunner

The necessity to split the endpoint identity and locator has been understood for some time from both routing and security perspectives. Today endpoints are identified by an IP address that is location-dependent and assigned by ISPs, whereas the identity depends neither on location nor on ISP. So splitting the routing and identification space is expected to make network operations such as mobility, multihoming and traffic engineering transparent for the end user. On the operator side, the use of a single space for routing and identification brings scaling issues. The operators will benefit from the split through decreased routing table size.

Within the IETF/IRTF, solutions are being developed to separate the IP layer into Endpoint Identifier (EID) space and routing locator (RLOC) space in the form of the Locator/ID Separation Protocol (LISP). In LISP the Identifier (ID) has the format of an IPv4 or IPv6 address. This architecture provides ID to locator resolution so that the packets can be routed through the Internet.

This paper proposes a solution that considers an Endpoint Identifier (EID) as the combination of a domain name and a cryptographic Identifier (cryptoID). Such EIDs are hosted in a mixed DNS/Distributed Hash Table (DHT) architecture. Resolution involves a DNS and a DHT resolution. We show how the use of DNSSEC enhances the routing algorithm of the DHT resolution, and present the advantages of such an architecture in terms of deployment and future use of the Internet.

- P2P and Future Internet | Pp. 13-24

An Efficient and Reliable Anonymous Solution for a Self-organized P2P Network

J. P. Muñoz-Gea; J. Malgosa-Sanahuja; P. Manzanares-Lopez; J. C. Sanchez-Aarnoutse; J. Garcia-Haro

In this paper, a new mechanism to achieve anonymity in peer-to-peer (P2P) file sharing systems is proposed. As usual, anonymity is obtained by means of connecting the source and destination peers through a set of intermediate nodes, creating a multiple-hop path. The main contribution of the paper is a distributed algorithm able to guarantee the anonymity even when a node in a path fails (voluntarily or not). The algorithm takes into account the inherent costs associated with multiple-hop communications and tries to reach a well-balanced solution between the anonymity degree and its associated costs. Some parameters are obtained analytically but the main network performances are evaluated by simulation. We quantify the costs associated with the control packets used by the distributed recovery algorithm. On the other hand, we also measure the anonymity provided by our system (benefit), using a simulation-based analysis to calculate the average entropy.

- P2P and Future Internet | Pp. 25-36

Analysis of Diagnostic Capability for Hijacked Route Problem

Osamu Akashi; Kensuke Fukuda; Toshio Hirotsu; Toshiharu Sugawara

Diagnosis of anomalous routing states is essential for stable inter-AS (autonomous system) routing management, but it is difficult to perform such actions because inter-AS routing information changes spatially and temporally in different administrative domains. In particular, the route hijack problem, which is one of the major routing-management issues, remains difficult to analyze because of its diverse distribution dynamism. Although a multi-agent-based diagnostic system that can diagnose a set of routing anomalies by integrating the observed routing statuses among distributed agents has been successfully applied to real Internet service providers, the diagnostic accuracy depends on where those agents are located on the BGP topology map. This paper focuses on the AS adjacency topology of an actual network structure and analyzes hijacked-route behavior from the viewpoint of the connectivity of each AS. Simulation results using an actual Internet topology show the effectiveness of an agent-deployment strategy based on connectivity information.

- Internet Security Management | Pp. 37-48

Analysis of BGP Origin AS Changes Among Brazil-Related Autonomous Systems

Shih Ming Tseng; Ke Zhang; S. Felix Wu; Kwan-Liu Ma; Soon Tee Teoh; Xiaoliang Zhao

On the inter-domain Internet today, the address prefix origin in our BGP operations has become a major security concern. This critical problem can be stated simply as “Is the originating Autonomous System (AS) authorized to advertise the destination address prefix?” In the long term maybe we will be able to prevent this problem by applying proposed solutions such as SBGP [1] or SoBGP [2]. However, in practical network operations, it is critical to monitor and analyze all the BGP events potentially related to this BGP origin problem. In this paper, we have analyzed OASC (Origin Autonomous System Change) events, generated from the Oregon Route Views [4] archive, related to the Brazil BGP network. Our main focus is on how the Brazil BGP operation has been interacting with the rest of the Internet in the past five years. Also, we provide some possible explanations for OASC anomalies in Brazil.

- Internet Security Management | Pp. 49-60

Securing a Path-Coupled NAT/Firewall Signaling Protocol

Sebastian Felis; Martin Stiemerling

Dynamic configuration of IP Network Address Translators (NATs) and firewalls through application aware instances has been used within the Internet for quite some time. While current approaches, such as integrated application level gateway, are suitable for specific deployments only, the path-coupled signaling for NAT and firewall configuration seems to be a promising approach in a wide range of scenarios. Path-coupled signaling ensures that signaling messages and data flow are traveling the same route through the network and traversing the same NATs and firewalls. The path-coupled NAT/firewall signaling protocol is based on IETF’s NSIS protocol suite. The NSIS-based NAT/firewall protocol specification is close to maturity and still needs a suitable and scalable security solution. This paper presents a framework to secure the NSIS-based path-coupled NAT/firewall signaling protocol across different administrative domains, based on zero-common knowledge security.

- Internet Security Management | Pp. 61-72

DiffServ PBAC Design with Optimization Method

Ricardo Nabhen; Edgard Jamhour; Manoel Penna; Mauro Fonseca; Guy Pujolle

Determining the maximum amount of traffic that can be admitted in a DiffServ network is a difficult task. Considering a realistic traffic scenario, the relationship between the traffic load and the queue length distribution of a DiffServ node is very difficult to model. This paper demonstrates how a non-linear programming (NLP) algorithm can be employed to determine the maximum load that can be accepted by a DiffServ node without deriving an analytical model. The NLP algorithm is used to “train” a parameter-based admission controller (PBAC) using a specifically designed traffic profile. After training the PBAC for a specific network and specific statistical QoS guarantees, it can be used to provide these guarantees to distinct offered traffic loads. This method was evaluated in a sample scenario where (aggregated on-off) VoIP traffic and (self-similar) data traffic compete for the network resources.

- Service Management and Provisioning | Pp. 73-84

Availability-Aware Multiple Working-Paths Capacity Provisioning in GMPLS Networks

Han Ma; Dalia Fayek; Pin-Han Ho

Network protection mechanisms are critical in the design of IP-based networks. In GMPLS networks, backup path protection and shared-backup protection have been widely studied. A more recent protection mechanism, Self-Protecting Multipath (SPM), can be implemented in GMPLS networks. In this paper, we evaluate the traffic provision in SPM GMPLS networks where events of up to two simultaneous link failures can occur. We present a mathematical formulation to perform optimal capacity allocation in an SPM network environment. A Network Service Provider (NSP) could use this mathematical model to design a network with a certain availability requirement according to the Service Level Agreement (SLA) of each connection requirement in dual link failure scenarios.

- Service Management and Provisioning | Pp. 85-94

Distributed Dynamic Protection of Services on Ad Hoc and Peer to Peer Networks

Jimmy McGibney; Dmitri Botvich

A collaborative system for dynamic refinement of security in peer-to-peer and mobile ad hoc networks is described in this paper. This is based on a closed loop system where live distributed trust measures are used to modify access control settings in a changing threat environment. A service oriented trust overlay architecture and model underlies this system. In this model, services have associated trust thresholds – the more sensitive the service, the higher the threshold. The results of simulations of the dynamics of this kind of system are presented and a variety of algorithmic approaches to managing trust are analysed and discussed. It is demonstrated that this dynamic system has the potential to enhance security and access control efficiency and that it displays properties of robustness when faced with malicious entities that attempt to corrupt the system.

- Service Management and Provisioning | Pp. 95-106

RAUU: Rate Adaptation for Unreliable Unicast Traffic in High Speed Networks

Lihua Song; Haitao Wang; Ming Chen

While long-term throughput not exceeding that of TCP with the Reno congestion control algorithm is widely accepted as the criterion for weighing TCP friendliness, this may lead to resource waste in high speed networks due to Reno’s known performance limits. Inspired by FAST TCP, a congestion control algorithm named Rate Adaptation for Unreliable Unicast traffic (RAUU) is proposed for unreliable unicast traffic in high speed networks to improve its efficiency while still holding friendliness to TCP. Being a rate-based approach to best fit unreliable unicast traffic, RAUU has made special design choices to alleviate the inherent contiguous loss problem of rate adaptation algorithms. Like FAST, it also tries to maintain an appropriate number of extra packets in networks, and for that purpose it combines loss and delay as congestion signals. Theoretical analysis shows that in ideal networks RAUU has, and will converge to, its one and only equilibrium state where the number of extra packets is equal to the preset value. Plentiful simulation experiments confirmed that it could achieve similar performance to FAST as well as comparable throughput smoothness to TFRC while keeping TCP-friendliness at the same time.

- QoS Management and Multimedia | Pp. 107-118