Article

Path MTU discovery for IP version 6

... This results in the creation of black holes, i.e., the MTU sizes of some links are not known in advance and the packets are dropped by the intermediate routers. The path MTU should be lower than the actual link MTU; otherwise the router drops the packet and sends an ICMPv6 "Packet Too Big" (PTB) message to the source [42]. ...
... The PMTUD mechanism is vulnerable to Denial of Service (DoS) attacks, where servers are stopped from communicating with their clients by a non-legitimate entity who keeps sending false PTB messages [42], [43], [44]. In such a case, the TCP handshakes are performed but the data transfer cannot take place due to the creation of link black holes [42]. Moreover, a single iteration of the PMTUD procedure is not enough to determine the path MTU, and the same packet will be sent repeatedly, which results in high consumption of network resources and sub-optimal network performance. ...
Preprint
Full-text available
X.509v3 is a widely accepted digital certificate format proposed by the International Telecommunication Union (ITU) for Internet applications. The size of the X.509v3 certificate with its extensions has now grown significantly, into the range of 1518 bytes to 200 kilobytes, which is much beyond the Maximum Transmission Unit (MTU) sizes of Internet Protocol (IP) based link-layer technologies. The large certificate size leads to poor network performance because the limited link-layer MTU sizes cause IP fragmentation and longer Round Trip Time (RTT). We present a comprehensive capability review of the X.509v3 digital certificate in light of the link-layer MTU sizes. We also investigate whether this certificate format is capable of integrating and processing multi-kilobyte post-quantum keys and signatures, and whether the certificate size can be reduced to merely a few hundred bytes for use by resource-constrained Internet of Things (IoT) devices to realize a Public Key Infrastructure (PKI) while keeping the network performance intact. In particular, we review X.509v3 certificate transmission over Ethernet and IPv6 over Low-power Wireless Personal Area Networks (6LoWPAN) networks with a focus on their link MTUs. We also present our recommendations to efficiently handle transmission of both large and small extreme sizes of X.509v3 certificates over the link-layer MTUs of these technologies.
... It does this by using an add-on security protocol, called IPSec [3]. For the proper functioning of IPSec, IPv6 does not allow intermediate routers to fragment ongoing IPv6 packets [4,2]. Thus, whenever a router receives a packet with a size greater than the maximum transmission unit (MTU), the router drops the packet. ...
... The other solution is the Path MTU Discovery (PMTUD) protocol [4]. To avoid IP fragmentation, PMTUD determines the relevant MTU between the two IP hosts and accordingly fragments the packet at the source itself. ...
... To reduce the packet drops due to restricted IP fragmentation in IPv6, J. McCann et al. [4] proposed the Path MTU Discovery (PMTUD) protocol. The main idea is that the source node initially assumes that the effective MTU of a path, called the Path MTU (PMTU), is the (known) MTU of the first hop in the path. ...
Preprint
Full-text available
With an increase in the number of internet users and the need to secure internet traffic, the unreliable IPv4 protocol has been replaced by a more secure protocol, called IPv6, for the Internet. The IPv6 protocol does not allow intermediate routers to fragment an ongoing IPv6 packet. Moreover, due to IP tunneling, some extra headers are added to the IPv6 packet, pushing the packet size above the maximum transmission unit (MTU) and resulting in an increase in packet drops. One probable solution is to find the MTU of every link in advance using Internet Control Message Protocol (ICMP) packets and accordingly fragment the packets at the source itself. However, most of the intermediate routers and network firewalls do not allow ICMP packets to traverse their network, resulting in network black holes, where we cannot know the MTU of some links in advance. This method tries to handle the packet drops in an IPv6 network by proposing a DMTU scheme where we dynamically adjust the MTU of each link depending upon the original size of the IPv6 packet, thereby reducing the number of packet drops by a significant amount. Using mathematical and graphical analysis, our scheme proves to be much more efficient than the state-of-the-art PMTUD scheme. In this paper, the method and its mathematical and graphical representations focus solely on IPv6 Internet communication. https://arxiv.org/abs/1911.11468v4
... First, it is related to path and/or link MTU (Maximum Transmission Unit), as described in [10,150,151,152,153]. The value of 1500 bytes seems to be commonly used for link MTU [154] and appears to be a legacy value, as more recent path/link MTU discovery RFCs (Request for Comments) ...
... suggest [154] (see also [155,156]). Second, but probably more important, this limit is related to the Ethernet frame size. ...
... The size of the packets is set based on the constraints of the network, such as link MTU and path MTU [154], as specified in the IPv6 protocol definition [10]. If possible, the maximum size of a packet may reach the size of a Jumbogram, up to 4 GB. ...
Thesis
Full-text available
This thesis is devoted to Optical Burst Switched (OBS) networks, focusing on presenting new solutions to OBS network performance as a whole, from the ingress to the core nodes, including the burst assembly, switching and routing tasks. We present several new solutions to problems of OBS networks, namely a new burst assembly machine concept named Internet Protocol Packet Aggregator and Converter (IP-PAC), with a new burst assembly algorithm that is dynamic and adaptive to network traffic fluctuations. Furthermore, we propose the use of this machine not only in OBS networks but also as an aggregation device for other networks. We identify several benefits from the use of the IP-PAC concept, in particular its contribution to eliminating bottleneck problems. We also present two new routing algorithms, Extended Dijkstra and Next Available Neighbour. The first is a balance- and symmetry-concerned algorithm that keeps the features of the Dijkstra Algorithm, i.e. it remains a simple shortest-path algorithm. It is suitable for use in simulation, as its behaviour tends to be closer to the behaviour of real networks since it does not unnecessarily overload some links more than others. It may also be used in machines where the computation of paths is Dijkstra-based and situations of equal-cost routes may exist. Its performance is evaluated for OBS networks. The second algorithm is a dynamic non-deterministic routing algorithm that is applicable to OBS and to other networks. Its main feature is that in a situation of imminent burst loss, the burst is routed to another node, this neighbour node being the first available according to a series of metrics. As these metrics are used at a particular undetermined moment of time, the result is non-deterministic routing. The study of the characteristics of burst traffic is of capital importance to understand the behaviour of OBS networks.
As a pre-requisite to this aspect of the research, we study the tributary IP traffic of OBS networks, using a series of recorded real IPv4 packet traces. In this thesis, we conclude that the main OBS network performance metric, burst loss ratio, is equivalent to other metrics like packet loss ratio and byte loss ratio when burst assembly is performed with efficiency-concerned algorithms and using real traffic. We assess the efficiency of the main burst assembly algorithms and propose a new dynamic burst assembly algorithm, with thresholds that adapt to traffic conditions to allow an optimized burst assembly process. While assessing the assembly of bursts, we found that in real traffic conditions most bursts will be around 9 KB in size. We also study the effect of the implementation of larger IP packet sizes for IPv6 and conclude that there are routing and switching benefits to reap from the usage of larger IP packets. Furthermore, we conclude that for burst assembly tasks, IPv4 and IPv6 behave similarly and thus the conclusions drawn on IPv4 datagrams can be extended to IPv6 packets, including Jumbograms. The main contribution of this thesis is the proposal of a new OBS architecture, named Common Control Channel OBS, or C3-OBS for short. In this architecture we propose the passive broadcast of the control packets in a special tree-like control channel, as a way to disseminate the information throughout the network. We then propose the use of a Local Network Model (LNM) database structure at each node to allow concise network management and behaviour prediction. In the C3-OBS nodes we propose and test a new routing and scheduling algorithm we named the Travel Agency Algorithm.
We analyse some problems that arise in this new approach and propose solutions: a new approach using network domains for OBS as a way to minimize the flooding of the network with control packets, and some special features of the Travel Agency Algorithm as a way to identify and solve concurrent reservation situations. We assess and compare the performance of the C3-OBS architecture with the regular OBS architecture for several topologies. Finally, we present the research conclusions and propose directions for future work.
... Whenever an intermediate node drops a packet due to its large size, it sends the ICMP error message 'Packet Too Big' (PTB) to the source node. The source node then receives the message, and an iterative fragmentation continues until the packet size is less than or equal to the minimum path MTU of all the links in the path used to transmit the packet, in order to avoid further packet drops (Luckie and Stasiewicz, 2010; McCann et al., 1996a). The path MTU of an arbitrary path is the largest packet size that can be successfully transmitted over that path without any issue, which is also referred to as the minimum MTU of all the links in that path (McCann et al., 2017). ...
... al., called the Packetization Layer Path MTU Discovery (PLPMTUD) protocol (Mathis and Heffner, 2007). This protocol is an extension to RFC 1191 and RFC 1981 (McCann et al., 1996a), which are ICMP-based Path MTU Discovery schemes. This scheme works above the packetization layer in the transport layer (TCP, SCTP, RTP, etc.). ...
Article
Full-text available
With an increase in the number of internet users and the need to secure internet traffic, the IPv4 protocol has been replaced by a more secure protocol, namely IPv6. The IPv6 protocol does not allow intermediate routers to fragment ongoing packets. Moreover, due to IP tunneling, some extra headers are added to the IPv6 packet, increasing the packet size and resulting in increased packet drops due to a lower path MTU. One probable solution is to use Path MTU Discovery (PMTUD) to learn the path MTU using ICMP packets. Due to its dependency on ICMP error messages, this method faces security and failure issues. In this paper, we propose a Dynamic MTU (DMTU) scheme, which tries to handle the packet drops in an IPv6 network by dynamically adjusting the MTU of each link depending upon the incoming packet size, thereby reducing the number of packet drops by a significant amount. Unlike PMTUD, the algorithm works at the intermediate node level, which is further optimised by assigning specific phases for validation and then for processing. The method has the ability to work standalone and in parallel with PMTUD. Using mathematical and graphical analysis, our scheme proves to be much more efficient than the state-of-the-art PMTUD scheme.
... To solve the MTU mismatch problem for the current Internet, there have been several proposals. For example, IPv6 Path MTU discovery [17] has been proposed to find the minimum MTU on the transmission path. Kushalnagar et al. [18] have also proposed an adaptation layer between a link layer and a network layer to mitigate the problem. ...
... For FIGOA, the minimum path MTU (m MTU) must be discovered to define the maximum size of interest and data packets to prevent intermediate fragmentation. This idea is similar to the path MTU discovery for IP version 6 [17]. By using the minimum path MTU, FIGOA would not be vulnerable to the MTU mismatch. ...
Article
Full-text available
Named Data Networking (NDN) has been considered a promising Internet architecture for future data-centric communication. In particular, NDN over link-layer networks would cut the overheads of Transmission Control Protocol/Internet Protocol (TCP/IP) and enhance the efficiency of data distribution. However, there are two main unsolved issues for the NDN link layer, namely broadcast overhead and Maximum Transmission Unit (MTU) mismatch. In this paper, we have therefore designed and implemented an NDN Neighborhood Discovery Protocol, named NDN-NDP, to enable unicast data transmission over the link layer. Furthermore, our NDN-NDP includes a negotiation mechanism to fix the MTU mismatch issue. In comparison to previously proposed NDN link-layer technologies, we can fix both the MTU mismatch and broadcast overhead problems. Through emulation and experiments on a test-bed, we have also compared our NDN-NDP with the Link-layer Protocol for NDN (NDNLP), which is the most widely deployed NDNLP. From our experiments, NDN-NDP can efficiently fix the MTU mismatch and broadcast overhead issues.
... as per [35]. Path MTU discovery is recommended by RFC 8201 [94] to detect MTUs greater than 1280 octets. Fragmentation, while possible, is discouraged, and RFC 8200 [35] advises relying on applications to automatically adjust to the measured path MTU. ...
... Path MTU [100] is defined as the highest MTU possible along a certain path. Path MTU discovery is recommended by RFC 8201 [94] to detect MTUs greater than 1280 octets for IPv6. ...
Conference Paper
Cloud has profoundly changed the provisioning and consumption of computing services across the Internet. It enables dynamic, scalable and on-demand deployment of services to allow users access to storage, compute and network resource capacities from anywhere. Cloud has adopted legacy technologies for traffic identification, such as VLAN and VxLAN, which were not originally designed for the cloud. These technologies come with known limitations, some of which are amplified by cloud characteristics. In this thesis, I analyse and compare entity and traffic flow identification technologies for general networks and the cloud. I investigate the deficiencies of legacy technologies used for traffic flow identification in the cloud and their incapability to cope with the emerging demands posed by cloud computing. My research reveals that the root cause of these problems is the lack of tenant-specific entity identification in the cloud. I argue that not a modification of an existing technology, but rather a new, overall solution is needed to address these challenges. I propose Universal Cloud Classification (UCC) as the next-generation tenant-specific entity identification scheme for cloud, which enables scalable, global, universal, consistent and unique cloud identification, including services, tenants as well as traffic flows within a cloud, between clouds and across the Internet. My research leads to a practical solution capable of assigning and managing the UCC identifiers both globally and locally. I test and evaluate the feasibility and performance of UCC in an environment using industrial standard hardware and software and realistic traffic scenarios. My results illustrate the practicality of UCC and highlight the superiority of UCC over existing technologies in terms of identification capabilities. I demonstrate that although VxLAN can practically identify only a few thousand tenants, UCC is able to identify millions of tenants, services and clouds, respectively. 
Even when we evaluate UCC and VxLAN for identifying the same number of tenants, UCC still either outperforms or shows similar performance to VxLAN in terms of line rate, packets per second, jitter and end-to-end delay. UCC is designed to support diverse implementations complementary to the basic IPv4 and IPv6 options. Thanks to its technological advances, such as broad applicability, interoperability and implementation independence, UCC brings a wide range of new applications and benefits to the cloud. It not only supports existing cloud structures, but is also flexible enough to accommodate new cloud deployment types, such as micro-service based applications. I also propose UCC as a Service (UCCaaS), which can help to drive timely and wide adoption of UCC across data centres. UCC has received significant attention from academia and industry. A series of patents have been filed and granted through industry support with the aim of productising UCC for next-generation clouds.
... We focus on the packet transmission efficiency of other factors that were not mentioned in this study. The IPv6 address field was 128 bits (16 bytes), as ruled in [11]. It occupied 4/5 of the IPv6 header, while the remaining 8 bytes were only divided into seven control fields [12]. ...
Article
Full-text available
Compared to IPv4, IPv6 provides more internet protocol (IP) addresses and higher security, and has easier routing capability; these advantages lead to a tendency for the IP protocol used by a network to be upgraded from IPv4 to IPv6. With the global transmission requirements of Big Data increasing rapidly, the wide area network (WAN) will play a crucial role in data transfer, but the majority of previous research studies are limited to the local area network (LAN). Therefore, in this study, a WAN experiment is implemented to estimate the transmission control protocol (TCP) throughput of IPv4 and IPv6, which is used as an index to evaluate the efficiency of data transmission. Four of the latest operating systems were tested to assess performance, and a pair of operating systems was chosen to estimate the transmission efficiency of the WAN by time delay. In this experiment, performance degradation in latency was quantified. The results will be a useful reference for follow-up research in the future.
... Path MTU Discovery for IPv6 uses the ICMPv6 (Type 2, Code 0) 'Packet Too Big' error message [9]. This ICMPv6 packet [9] contains the MTU of the node where the problem occurred; the source node regenerates the same packet with a size equal to the MTU value reported in the ICMPv6 message and retransmits it, and this process keeps repeating until the packet is successfully transmitted to the destination [10]. ...
Preprint
Full-text available
In this paper we have presented the effects of path MTU discovery in IPv4 and IPv6 in mathematical, logical and graphical representation. We try to give a mathematical model of the working of path MTU discovery and calculate its behaviour using the transmission of a packet. We analysed the time consumed to transmit a single packet from source to destination in an IPv6 network in the presence of PMTUD, and similarly in an IPv4 network with the DF bit set to 1. Based on our analysis, we concluded that the communication time increases with the varying MTU of the intermediate nodes. Moreover, we formulated a mathematical model to determine the communication delay in a network. Our model shows that the asymptotic lower bound for the time taken is Ω(n) and the asymptotic upper bound is Θ(n²), using PMTUD. We found that the packet drop frequency follows Bernoulli trials, which helps to define the success probability of the packet drop frequency and shows that the probability of packet drop is higher for the first 2% of the total nodes in the path. We further found that there are nCa possible a-combinations without repetition that can be formed for a particular packet drop frequency. The relation between the summation (which acts as a coefficient in the time wastage equation) of each combination and their frequency resulted in a symmetric graph, and also in mathematical and statistical structures to measure time wastage and its behaviour. This also helps in measuring the possible relative maximum, minimum and average time wastage. We also measured the probability of the relative maximum, minimum and average summation for a given value of packet drop frequency and number of nodes in a path.
... Nevertheless, recent research shows that malicious adversaries can misuse such messages [24]. In [25], RFC 1981 "Path MTU Discovery for IP version 6" describes PMTUD, which can be used to deal with fragmentation issues, such as eliminating the need for IPv6 end systems to fragment packets. If the MTU of the packets sent on a path is too large to be forwarded by some node along the path, that node will discard them and return an ICMPv6 "Packet Too Big" message (ICMPv6 message type value 2). ...
Article
Full-text available
Although the launch of Internet Protocol version six (IPv6) addressed the issue of IPv4's address depletion, it also mandated the use of Internet Control Message Protocol version six (ICMPv6) messages in newly introduced features such as the Neighbor Discovery Protocol (NDP). This has exacerbated existing network attacks, including ICMPv6-based Denial of Service (DoS) attacks and their variant form, the Distributed Denial of Service (DDoS) attack. Intrusion Detection Systems (IDS) aimed at tackling the security issues raised by ICMPv6-based DoS and DDoS attacks have been reviewed by researchers, and a general classification of existing IDSs was proposed as anomaly-based and signature-based. However, it is incredibly hard to see the overall picture of IDSs based on Machine Learning (ML) techniques with such a classification, as there is a lack of a more detailed view of the ML approach, classifiers, feature selection techniques, datasets, and different evaluation metrics. Nevertheless, recent developments in this relatively new field have not been covered, such as ML-based IDSs using flow-based traffic representation. Therefore, this article specifically reviews and classifies IDSs based on ML techniques to detect ICMPv6-based DoS and DDoS attacks as single and hybrid classifiers. In addition, blockchain applicability in a Collaborative IDS (CIDS) architecture based on the ensemble framework is proposed as a solution to one of the open challenges for the ICMPv6-based DoS and DDoS attack detection problem. Moreover, this review also provides a classification of ICMPv6 vulnerabilities to DoS and DDoS attacks, which would provide a reference resource for future researchers in this domain.
To the best of the authors' knowledge, this is the first review paper specifically focusing on IDSs based on ML techniques in this domain; blockchain applicability as a possible research direction is also proposed to attract researchers' focus on building ensemble learning-based IDS models. Index Terms: Intrusion detection system, CIDS, ICMPv6, DoS, DDoS, machine learning, blockchain.
... But an IPv6 router never fragments the packet itself. Instead, it generates an ICMPv6 Packet Too Big error message to the source, so that the source host itself is liable to fragment the packets below the MTU size [15]. The packet header size in IPv4 is variable, ranging from 20 to 60 bytes, of which the 8 bytes (source and destination address) are not required to be processed by the router. ...
Article
Full-text available
Recent advancement in the field of Information and Communication Technology (ICT) has encouraged all stakeholders to move towards the new networking paradigm. Internet Protocol version 6 (IPv6) addressing, Software Defined Network (SDN) and Network Function Virtualization (NFV) are regarded as technologies for enhancing network efficiency and effectiveness. However, technology migration becomes one of the central challenges for stakeholders such as service providers, end users, and regulatory bodies. This is more challenging in the case of developing countries due to the lack of sufficient funding and skilled human resources. In this paper, we provide an overview and survey of SDN and IPv6 networking technologies, their benefits and future challenges. Then we introduce the Software Defined IPv6 (SoDIP6) network as a next-generation networking technology and a unified approach to its deployment over the Tier-3 ISPs of developing nations that could help with speedy and smooth migration at optimized cost. The demonstrated superior features of the SDN-enabled IPv6 network from different perspectives, with its contributions to green ICT, are recognized as the networks of the future generation in the networking world.
... There are two classes of attacks one can conceive of using false PTBs: (a) wrong feedback MTU values within false PTBs; and (b) a flood of false PTBs attempting to clog network links; within the former, the attacker could lie by advertising an MTU value that is either larger or smaller than the actual MTU. However, some careful analysis of the attack scenarios is required before drawing any conclusions on the potential relevance and severity of these potential attacks. ...
Article
Full-text available
Path maximum transmission unit discovery (PMTUD) is the protocol by which a host can find the largest packet it can send through an internet protocol (IP) network to a given destination. It relies on intermediary nodes sending “packet too big” (PTB) messages in IPv6 or “datagram too big” messages in IPv4 (both henceforth referred to as PTB for the purposes of this paper). These are often completely blocked by firewalls, presumably due to a fear of PTB floods wasting the bandwidth of network links. This breaks PMTUD, forcing the use of fragmentation in IPv4 and/or suboptimal packet sizes. In IPv6, fragmentation by intermediary nodes is no longer an option. Utilizing a dynamic programming‐based solution to the generalization of a mathematical puzzle, the two‐egg problem, this work presents a family of strategies for a host to discover path MTU while obeying hard limits on the maximum number of incoming PTB messages that may be generated. This allows a firewall to mitigate PTB floods via rate limits. Moreover, these strategies are compliant with the relevant standards on PMTUD and thus can be deployed by merely changing the PMTUD algorithm implementation in TCP/IP stacks on end hosts without changing intermediary nodes' protocol behavior.
... But an IPv6 router never fragments the packet. Instead, it generates an ICMPv6 [9] Packet Too Big message to the source, so that the source itself is liable to fragment the packets below the MTU size [10]. The packet size in IPv4 is variable, ranging from 20 to 60 bytes, of which the 8 bytes (source and destination address) are not required to be processed by the router. ...
Article
Full-text available
With the increase of Internet of Things (IoT) smart devices and the trend of the world moving to a converged network environment in the mode of packet-based communication networks, the internet protocol address has become the major logical infrastructure for all kinds of voice and data communications, leading to the exhaustion of the 32-bit IPv4 address space. Several issues like security, quality of service, addressing, and routing management, along with the depletion of addresses, have been sought with the IPv4 addressing infrastructure. This forced the world to migrate to IPv6 as a new addressing paradigm. Currently, the term 'migration' refers to different research dimensions in the world of science and engineering. The Information and Communication Technology (ICT) service providers are in a rush not only to migrate to IPv6 but also towards migration into cloud computing and software defined networking, where "migration in togetherness" is coined to enter the new era of IT-based businesses and services. IPv4 and IPv6 are not interoperable. Hence, moving to an IPv6-operable network is a gradual process. The concerned organizations throughout the world are at different stages of network migration to IPv6. Service Providers and organizations of the developing countries are lagging behind in the migration due to the lack of awareness, training, and the cost of transition. This paper proposes the network transition steps after highlighting the migration strategies for Service Providers (SP) with different transition technologies. http://www.cisjournal.org/journalofcomputing/archive/vol6no10/vol6no10_8.pdf
... Before sending an IP datagram, the sender must first discover the smallest MTU on the path to the destination and fragment the datagram accordingly. To help with this, the Path MTU Discovery protocol [31] was designed and implemented. IPv6 also takes into consideration security and privacy by implementing some features similar to IPsec, such as AH and ESP, as extension headers [32]. ...
Article
Full-text available
The Internet Protocol (IP) is the lifeblood of the modern Internet. Its simplicity and universality have fueled the unprecedented and lasting global success of the current Internet. Nonetheless, some limitations of IP have been emerging in recent years. Its original design envisaged supporting perhaps tens of thousands of static hosts operating in a friendly academic-like setting, mainly in order to facilitate email communication and remote access to scarce computing resources. At present IP interconnects billions of static and mobile devices (ranging from supercomputers to IoT gadgets) with a large and dynamic set of popular applications. Starting in the mid-1990s, the advent of mobility, wirelessness and the web substantially shifted Internet usage and communication paradigms. This accentuated long-term concerns about the current Internet architecture and prompted interest in alternative designs. The U.S. National Science Foundation (NSF) has been one of the key supporters of efforts to design a set of candidate next-generation Internet architectures. As a prominent design requirement, NSF emphasized "security and privacy by design" in order to avoid the long and unhappy history of incremental patching and retrofitting that characterizes the current Internet architecture. To this end, as a result of a competitive process, four prominent research projects were funded by the NSF in 2010: Nebula, Named-Data Networking (NDN), MobilityFirst (MF), and Expressive Internet Architecture (XIA). This paper provides a comprehensive and neutral analysis of salient security and privacy features (and issues) in these NSF-funded Future Internet Architectures. It also compares the four candidate designs with the current IP-based architecture and discusses similarities, differences, and possible improvements.
Chapter
A network address is used to identify a network or network device on the Internet for data communication. It is an IP address in TCP/IP networks, such as the Internet. IP addressing largely determines the format of the packet transferred over a network or the Internet. It also determines how to route and deliver traffic from end to end. Therefore, network addressing architecture is an important component in the planning and design of the overall network architecture. It characterizes how IP addressing resources can be better used, how traffic routing can be improved, and how the hierarchy, isolation, and grouping of users and devices can be supported through various addressing mechanisms and strategies.
Article
Full-text available
With the promotion and application of IPv6 in the world, there is a growing demand for IPv6 alias resolution. How to resolve IPv6 aliases efficiently and accurately has become an urgent problem to be solved. After analyzing the features of IPv6 addresses, this paper proposes a large-scale adaptive IPv6 alias resolution method based on fingerprint information by combining Too-Big Trick, UAv6, APD, and other alias resolution algorithms. It sends ICMPv6 probe packets to different types of IPv6 addresses to get the fingerprint information of target hosts. After filtering the classified addresses, our proposed alias resolution method is adaptively selected to resolve alias addresses. In the experiment, we use a multi-thread method to resolve the aliases of large-scale IPv6 addresses, which greatly improves the efficiency of detection. Meanwhile, we use IPv6 datasets collected from the organizations RIPE and CAIDA. By comparing with Speedtrap and Too-Big Trick, we confirm the accuracy of this method and obtain more alias pairs.
Book
Full-text available
This is a journey through fifty years of Internet history. The book begins by presenting how to model a data network, showing the origins of the network and the function of internetworking. Then it explains how the Internet Protocol (IPv4) was developed: What is it? Why did we need it? What kind of services does it provide? How do its auxiliaries work? The book then follows the problem of exhaustion of the IPv4 address space, discussing the solutions that have been put forward to confront this problem, namely Classless Inter-Domain Routing (CIDR) and Network Address Translation (NAT), and then IPv6, the protocol which represents the definitive solution. The book ends by discussing the auxiliaries of IPv6, namely the Internet Control Message Protocol for IPv6 (ICMPv6) and the Neighbor Discovery Protocol (NDP).
Article
Fast IPv4 scanning significantly improves network measurement and security research. Nevertheless, it is infeasible to perform brute-force scanning of the IPv6 address space. Alternatively, one can find active IPv6 addresses through scanning the candidate addresses generated by state-of-the-art algorithms. However, the probing efficiency of such algorithms is often very low. In this paper, our objective is to improve the probing efficiency of IPv6 addresses. We first perform a longitudinal active measurement study and build a high-quality dataset, hitlist, including more than 1.95B IPv6 addresses distributed in 58.2K BGP prefixes and collected over a 17-month period. Differently from previous works, we probe the announced BGP prefixes using a pattern-based algorithm. This results in a dataset without uneven address distribution and low active rates. Further, we propose an efficient address generation algorithm, DET, which builds a density space tree to learn high-density address regions of the seed addresses with linear time complexity and improves the active addresses' probing efficiency. We then compare our algorithm DET against state-of-the-art algorithms on the public hitlist and our hitlist by scanning 50M addresses. Our analysis shows that DET increases the de-aliased active address ratio and active address (including aliased addresses) ratio by 10% and 14%, respectively. Furthermore, we develop a fingerprint-based method to detect aliased prefixes. The proposed method for the first time directly verifies whether the prefix is aliased or not. Our method finds that 10.64% of the public aliased prefixes are false positives.
Article
In this paper, we uncover a new off-path TCP hijacking attack that can be used to terminate victim TCP connections or inject forged data into victim TCP connections by manipulating the new mixed IPID assignment method, which is widely used in Linux kernel version 4.18 and beyond. Our attack has three steps. First, an off-path attacker can downgrade the IPID assignment for TCP packets from the more secure per-socket-based policy to the less secure hash-based policy, thus building a shared IPID counter that forms a side channel in the victim. Second, the attacker detects the presence of TCP connections by observing the side channel of the shared IPID counter. Third, the attacker infers sequence and acknowledgment numbers of the detected connection by observing the side channel. Consequently, the attacker can completely hijack the connection, e.g., resetting the connection or poisoning the data stream. We evaluate the impacts of our attack in the real world, and we uncover that more than 20% of Alexa top 100k websites are vulnerable to our attack. Our case studies of SSH DoS, manipulating web traffic, and poisoning BGP routing tables show its threat on a wide range of applications. Moreover, we demonstrate that our attack can be further extended to exploit IPv4/IPv6 dual-stack networks on increasing the hash collisions and enlarging vulnerable populations. Finally, we analyze the root cause and develop a new IPID assignment method to defeat this attack. We prototype our defense in Linux 4.18 and confirm its effectiveness in the real world.
Book
Full-text available
This book discusses link-state routing protocols (OSPF and IS-IS), and the path-vector routing protocol (BGP). It covers their most identifying characteristics, operations, and the databases they maintain. Material is presented from a practicing engineer’s perspective, linking theory and fundamental concepts to common practices and real-world examples. Every aspect of the book is written to reflect current best practices using real-world examples. The book begins with a detailed description of the OSPF area types and hierarchical routing, and the different types of routers used in an OSPF autonomous system. The author goes on to describe in detail the different OSPF packet types, and inbound and outbound processing of OSPF link-state advertisements (LSAs). Next, the book gives an overview of the main features of IS-IS. The author then discusses the two-level routing hierarchy for controlling the distribution of intra-domain (Level 1) and inter-domain (Level 2) routing information within an IS-IS routing domain. He then describes in detail IS-IS network address formats, IS-IS routing metrics, IS-IS packet types, IS-IS network types and adjacency formation, IS-IS LSDB and synchronization, and IS-IS authentication. The book then reviews the main concepts of path-vector routing protocols, and describes BGP packet types, BGP session states and Finite State Machine, BGP path attributes types, and BGP Autonomous System Numbers (ASNs). - Focuses solely on link-state routing protocols (OSPF and IS-IS), and the only path-vector routing protocol in use today (BGP). - Reviews the basic concepts underlying the design of IS-IS and provides a detailed description of IS-IS area types and hierarchical routing, and the different types of routers used by IS-IS. - Discusses the two-level routing hierarchy for controlling the distribution of intra-domain (Level 1) and inter-domain (Level 2) routing information within an IS-IS routing domain. 
- Describes in detail BGP packet types, BGP session states and Finite State Machine, BGP path attributes types, and BGP ASNs, includes a high-level view of the typical BGP router and its components, and inbound and outbound message processing.
Article
Full-text available
Attribute study and analysis of fault-tolerant data networks. This work is aimed at introducing SLA constraints into fault tolerance and thus increasing overall network availability. The proposed model will evaluate given constraints and select the best path that fits the requirements. Fault tolerance is increased by adding multiple constraints and thus reducing the available paths to the best-fitting ones.
Chapter
The new Segment Routing paradigm provides network operators the possibility of greatly increasing network performance by exploiting advanced Traffic Engineering features and novel network programmability functions. However, as with any new solution, SRv6 has a side effect: the introduction of unknown service disruption events. In this work we focus on packet loss events due to the incorrect computation of the Maximum Transmission Unit (MTU) value of an end-to-end path in an SRv6 network. This event, referred to as MTU dependent SR Black Hole, cannot be detected by known monitoring solutions based on active probing: the reason is that in SRv6 probe packets and user data can experience different network behaviors. In this work we propose a passive monitoring solution able to exploit the SRv6 Traffic Counters to detect links where packets are lost due to MTU issues. The performance evaluation shows that the proposed algorithm is able to identify the link affected by the black hole with a precision equal to \(100\%\); moreover, the flow causing the black hole cannot be detected with the same precision, but it is possible to identify a restricted set of flows, referred to as suspected flows, containing the target one.
Article
A computer network connection without wires or cables is referred to as a wireless network. These wireless local area networks are popular for their worldwide applications. They cover wide-scale wireless local area networking. Large-scale systems in all applicable areas create large numbers of wireless terminations and cover a very large area. To reduce the complexity associated with server management, Information Technology organizations began the process of centralizing servers. The architecture principles of centralized management require the network to scale; the network architecture needs to be able to support enhanced services in addition to just raw connectivity; distributed processing is required both for scalability and for services; the network must support continuously increasing levels of throughput, etc. Wireless LAN product architectures have evolved from single autonomous access points to systems consisting of a centralized Access Controller and Wireless Termination Points. The basic goal of centralized control architectures is to move access control, including user authentication and authorization, mobility and radio management, from the access point to a centralized controller. The Wireless network Control Protocol allows for access and control of large-scale wireless local area networks. It allows management of these networks (Control and Provisioning of Wireless Access Points). In computer networking, a wireless access point is a device that allows wireless devices to connect to a wired network using Wi-Fi, Bluetooth or related standards. The WAP usually connects to a router via a wired network, and can relay data between wireless devices such as computers or printers and wired devices on the network.
Book
Full-text available
This publication is intended for students, postgraduates and technical specialists who would like to acquire basic knowledge of the principles of building computer networks, understand the characteristics of traditional and advanced local and wide area network technologies, and study the ways of creating large composite networks and managing such networks.
Article
Full-text available
The present study "Transparency and Adaptability of Heterogeneous Computer Networks" deals specifically with two protocols, TCP/IP and IPv6. The two protocols differ in their structures and features. The proposed study entitled "Transparency and Adaptability of Heterogeneous Computer Networks" is basically an analysis of protocols of different environments such as TCP/IP and IPv6. The proposed study deals with mapping from TCP/IP to IPv6 and vice versa. The mapping is done for frame formats and error detection. In this study the mapping of the frame format is done using the C++ language. The error detection and correction is done using the Hamming Code technique and the C++ language. So, this paper outlines the various features of the TCP/IP and IPv6 protocol environments and the mapping from TCP/IP to IPv6 and vice versa, considering the two components frame format and error detection.
Conference Paper
Full-text available
To provide Internet service to underwater IoT nodes, it is necessary to divide the IPv6 packets appropriately according to the appropriate MTU size. The 6LoWPAN adaptation layer defined by the IETF is able to support address auto-configuration, header compression and so on. In particular, 6LoWPAN defines two configuration methods. In the route-over and mesh-under configuration methods, fragmentation/reassembly processes are operated in a hop-by-hop or end-to-end manner, respectively. However, the route-over configuration method consumes computing overhead. On the other hand, the mesh-under configuration method could decrease throughput. Therefore, in this paper, we propose an adaptive selection of configuration methods scheme in 6LoWPAN IoUT. In our scheme, each intermediate node measures the overhead incurred by the mesh-under configuration method and selects its configuration method according to the measured overhead.
Article
The Internet Protocol (IP) is the lifeblood of the modern Internet. Its simplicity and universality have fueled the unprecedented and lasting global success of the current Internet. Nonetheless, some limitations of IP have been emerging in recent years. Furthermore, starting in the mid-1990s, the advent of mobility, wirelessness and the web substantially shifted Internet usage and communication paradigms. This accentuated long-term concerns about the current Internet architecture and prompted interest in alternative designs. The U.S. National Science Foundation (NSF) has been one of the key supporters of efforts to design a set of candidate next-generation Internet architectures. As a prominent design requirement, NSF emphasized "security and privacy by design" in order to avoid the long and unhappy history of incremental patching and retrofitting that characterizes the current Internet architecture. To this end, as a result of a competitive process, four prominent research projects were funded by the NSF in 2010: Nebula, Named-Data Networking (NDN), MobilityFirst (MF), and Expressive Internet Architecture (XIA). This paper provides a comprehensive and neutral analysis of salient security and privacy features (and issues) in these NSF-funded Future Internet Architectures. Prior surveys on future Internet architectures provide a limited, or even no, comparison of security and privacy features. In addition, this paper also compares the four candidate designs with the current IP-based architecture and discusses similarities, differences, and possible improvements.
Chapter
This chapter introduces how Internet Protocol version 6 (IPv6) is implemented in 3rd Generation Partnership Project (3GPP) core networks and 3GPP compliant User Equipments (UEs). It looks into network aspects that are specific to 3GPP. The network architectures of interest are the General Packet Radio Service (GPRS) and the Evolved Packet System (EPS), which both provide packet switched services. The chapter provides a lot of information element figures and their decompositions to ease possible debugging of GPRS Tunneling Protocol (GTP) traces. It discusses the initial packet data network (PDN) Connection activation and handover cases and how different PDN Types behave in various UE and network configurations. The chapter takes a brief look at IPv6 as a transport protocol on various signaling interfaces with the 3GPP packet core. It demonstrates some of the known anomalies and issues on early IPv6 deployments in GPRS and EPS networks.
Chapter
This chapter looks at how the Internet Protocol version 6 (IPv6) addressing architecture is set up, what kind of addresses there are, how they are statelessly and statefully allocated to hosts, and how prefix delegation works for the routing scenarios. The IPv6 header structure was analyzed from the main header to the extension headers and with a peek at transport protocol headers and how the transport layer checksum includes the IPv6 pseudo header. The ICMPv6 and the key protocols it provides, such as the neighbor discovery protocol (NDP), were studied. The chapter also looks at IPsec, mobile IP, routing, and protocol verification, and gives attention to a key set of IPv6's companion protocols: the DHCPv6 and DNS. It deals with detailed real-life IPv6 packet captures and explanations of each message shown. The packet captures and their analysis should help to get up to speed with IPv6 traffic debugging and analysis.
Article
Full-text available
Server virtualization has placed increased demands on the physical network infrastructure. A physical server now has multiple virtual Machines (VMs) each with its own Media access control (MAC) address. This requires larger MAC address tables in the switched Ethernet network due to potential attachment of and communication among hundreds of thousands of VMs. Data centers are often required to host multiple tenants, each with their own isolated network domain. Since it is not economical to realize this with dedicated infrastructure, network administrators opt to implement isolation over a shared network. In such scenarios, a common problem is that each tenant may independently assign MAC addresses and VLAN IDs leading to potential duplication of these on the physical network.
Article
Full-text available
Internetworks can be built from many different kinds of networks, with varying limits on maximum packet size. Throughput is usually maximized when the largest possible packet is sent; unfortunately, some routes can carry only very small packets. The IP protocol allows a gateway to fragment a packet if it is too large to be transmitted. Fragmentation is at best a necessary evil; it can lead to poor performance or complete communication failure. There are a variety of ways to reduce the likelihood of fragmentation; some can be incorporated into existing IP implementations without changes in protocol specifications. Others require new protocols, or modifications to existing protocols.
Conference Paper
This paper is a brief description of (i)–(v) and the rationale behind them. (vi) is an algorithm recently developed by Phil Karn of Bell Communications Research, described in [15]. (vii) is described in a soon-to-be-published RFC (ARPANET "Request for Comments").
Stephen E. Deering, Xerox Palo Alto Research Center, 3333 Coyote Hill Road, Palo Alto, CA 94304