Results 1 - 10 of 68
An End-Middle-End Approach to Connection Establishment
In: Proceedings of SIGCOMM’07, Kyoto, 2007
Cited by 44 (1 self)
We argue that the current model for flow establishment in the Internet: DNS Names, IP addresses, and transport ports, is inadequate due to problems that go beyond the small IPv4 address space and resulting NAT boxes. Even where global addresses exist, firewalls cannot glean enough information about a flow from packet headers, and so often err, typically by being over-conservative: disallowing flows that might otherwise be allowed. This paper presents a novel architecture, protocol design, and implementation, for flow establishment in the Internet. The architecture, called NUTSS, takes into account the combined policies of endpoints and network providers. While NUTSS borrows liberally from other proposals (URI-like naming, signaling to manage ephemeral IPv4 or IPv6 data flows), NUTSS is unique in that it couples overlay signaling with data-path signaling. NUTSS requires no changes to existing network protocols, and combined with recent NAT traversal techniques, works with IPv4 and existing NAT/firewalls. This paper describes NUTSS and shows how it satisfies a wide range of “end-middle-end” network requirements, including access control, middlebox steering, multi-homing, mobility, and protocol negotiation.
HTTP as the NarrowWaist of the Future Internet
2010
Cited by 40 (3 self)
Over the past decade a variety of network architectures have been proposed to address IP’s limitations in terms of flexible forwarding, security, and data distribution. Meanwhile, fueled by the explosive growth of video traffic and HTTP infrastructure (e.g., CDNs, web caches), HTTP has become the de-facto protocol for deploying new services and applications. Given these developments, we argue that these architectures should be evaluated not only with respect to IP, but also with respect to HTTP, and that HTTP could be a fertile ground (more so than IP) for deploying the newly proposed functionalities. In this paper, we take a step in this direction, and find that HTTP already provides many of the desired properties for new Internet architectures. HTTP is a content centric protocol, provides middlebox support in the form of reverse and forward proxies, and leverages DNS to decouple names from addresses. We then investigate HTTP’s limitations, and propose an extension, called S-GET that provides support for low-latency applications, such as VoIP and chat.
Phalanx: Withstanding Multimillion-Node Botnets
Cited by 37 (3 self)
Large-scale distributed denial of service (DoS) attacks are an unfortunate everyday reality on the Internet. They are simple to execute and with the growing prevalence and size of botnets more effective than ever. Although much progress has been made in developing techniques to address DoS attacks, no existing solution is unilaterally deployable, works with the Internet model of open access and dynamic routes, and copes with the large numbers of attackers typical of today’s botnets. In this paper, we present a novel DoS prevention scheme to address these issues. Our goal is to define a system that could be deployed in the next few years to address the danger from present-day massive botnets. The system, called Phalanx, leverages the power of swarms to combat DoS. Phalanx makes only the modest assumption that the aggregate capacity of the swarm exceeds that of the botnet. A client communicating with a destination bounces its packets through a random sequence of end-host mailboxes; because an attacker doesn’t know the sequence, they can disrupt at most only a fraction of the traffic, even for end-hosts with low bandwidth access links. We use PlanetLab to show that this approach can be both efficient and capable of withstanding attack. We further explore scalability with a simulator running experiments on top of measured Internet topologies.
TVA: a DoS-limiting Network Architecture
Cited by 36 (5 self)
We motivate the capability approach to network denial-of-service (DoS) attacks, and evaluate the TVA architecture which builds on capabilities. With our approach, rather than send packets to any destination at any time, senders must first obtain “permission to send” from the receiver, which provides the permission in the form of capabilities to those senders whose traffic it agrees to accept. The senders then include these capabilities in packets. This enables verification points distributed around the network to check that traffic has been authorized by the receiver and the path in between, and hence to cleanly discard unauthorized traffic. To evaluate this approach, and to understand the detailed operation of capabilities, we developed a network architecture called TVA. TVA addresses a wide range of possible attacks against communication between pairs of hosts, including spoofed packet floods, network and host bottlenecks, and router state exhaustion. We use simulations to show the effectiveness of TVA at limiting DoS floods, and an implementation on Click router to evaluate the computational costs of TVA. We also discuss how to incrementally deploy TVA into practice.
Theory and Practice of Bloom Filters for Distributed Systems
Cited by 30 (0 self)
Many network solutions and overlay networks utilize probabilistic techniques to reduce information processing and networking costs. This survey article presents a number of frequently used and useful probabilistic techniques. Bloom filters and their variants are of prime importance, and they are heavily used in various distributed systems. This has been reflected in recent research and many new algorithms have been proposed for distributed systems that are either directly or indirectly based on Bloom filters. In this survey, we give an overview of the basic and advanced techniques, reviewing over 20 variants and discussing their application in distributed systems, in particular for caching, peer-to-peer systems, routing and forwarding, and measurement data summarization.
NetFence: Preventing Internet Denial of Service from Inside Out
2010
Cited by 28 (2 self)
Denial of Service (DoS) attacks frequently happen on the Internet, paralyzing Internet services and causing millions of dollars of financial loss. This work presents NetFence, a scalable DoS-resistant network architecture. NetFence uses a novel mechanism, secure congestion policing feedback, to enable robust congestion policing inside the network. Bottleneck routers update the feedback in packet headers to signal congestion, and access routers use it to police senders’ traffic. Targeted DoS victims can use the secure congestion policing feedback as capability tokens to suppress unwanted traffic. When compromised senders and receivers organize into pairs to congest a network link, NetFence provably guarantees a legitimate sender its fair share of network resources without keeping per-host state at the congested link. We use a Linux implementation, ns-2 simulations, and theoretical analysis to show that NetFence is an effective and scalable DoS solution: it reduces the amount of state maintained by a congested router from per-host to at most per-(Autonomous System).
Verifying and enforcing network paths with ICING
In: Proceedings of ACM CoNEXT, 2011
Cited by 26 (2 self)
We describe a new networking primitive, called a Path Verification Mechanism (PVM). There has been much recent work about how senders and receivers express policies about the paths that their packets take. For instance, a company might want fine-grained control over which providers carry which traffic between its branch offices, or a receiver may want traffic sent to it to travel through an intrusion detection service. While the ability to express policies has been well-studied, the ability to enforce policies has not. The core challenge is: if we assume an adversarial, decentralized, and high-speed environment, then when a packet arrives at a node, how can the node be sure that the packet followed an approved path? Our solution, ICING, incorporates an optimized cryptographic construction that is compact, and requires negligible configuration state and no PKI. We demonstrate ICING’s plausibility with a NetFPGA hardware implementation. At 93% more costly than an IP router on the same platform, its cost is significant but affordable. Indeed, our evaluation suggests that ICING can scale to backbone speeds.
The Internet’s not a big truck: Toward quantifying network neutrality
In: Proc. of PAM Workshop, 2007
Cited by 23 (0 self)
We present a novel measurement-based effort to quantify the prevalence of Internet “port blocking.” Port blocking is a form of policy control that relies on the coupling between applications and their assigned transport port. Networks block traffic on specific ports, and the coincident applications, for technical, economic or regulatory reasons. Quantifying port blocking is technically interesting and highly relevant to current network neutrality debates. Our scheme induces a large number of widely distributed hosts into sending packets to an IP address and port of our choice. By intelligently selecting these “referrals,” our infrastructure enables us to construct a per-BGP prefix map of the extent of discriminatory blocking, with emphasis on contentious ports, i.e. VPNs, email, file sharing, etc. Our results represent some of the first measurements of network neutrality and aversion.
A policy framework for the future Internet
Cited by 15 (4 self)
This paper is about the Internet’s future, but we begin with its past. The history of network routing began as a topological problem: how does one find the shortest paths in a graph ([11])? However, with the advent of
Postmodern Internetwork Architecture
2006
Cited by 14 (4 self)
Network-layer innovation has proven surprisingly difficult, in part because internetworking protocols ignore competing economic interests and because a few protocols dominate, enabling layer violations that entrench technologies. Many shortcomings of today’s internetwork layer result from its inflexibility with respect to the policies of the stakeholders: users and service providers. The consequences of these failings are well-known: various hacks, layering violations, and overloadings are introduced to enforce policies and attempt to get the upper hand in various “tussles”. The result is a network that is increasingly brittle, hostile to innovation, vulnerable to attack, and insensitive to concerns about accountability and privacy. Our project aims to design, implement, and evaluate through daily use a minimalist internetwork layer and auxiliary functionality that anticipates tussles and allows them to be played out in policy space, as opposed to in the packet-forwarding path. We call our approach postmodern internetwork architecture, because it is a reaction against many established network layer design concepts. The overall goal of the project is to make a larger portion of the network design space accessible without sacrificing the economy of scale offered by the unified Internet. We will use the postmodern architecture to explore basic architectural questions. These include: • What mechanisms should be supported by the network such that any foreseeable policy requirement can be