Browsing by Author "Montero Banegas, Diego Teodoro"

Now showing 1 - 14 of 14
  • A new era for cities with fog computing
    (2017) Jain, Anuj
    In this article, the authors dissect the technical challenges that cities face when implementing smart city plans and outline the design principles and lessons learned after they carried out a flagship initiative on fog computing in Barcelona. In particular, they analyze what they call the Quadruple Silo (QS) problem -- that is, four categories of silos that cities confront after deploying commercially available solutions. Those silo categories are: physical (hardware) silos, data silos, and service management silos, and the implications of the three silos in administrative silos. The authors show how their converged cloud/fog paradigm not only helps solve the QS problem, but also meets the requirements of a growing number of decentralized services -- an area in which traditional cloud models fall short. The article exposes cases in which fog computing is a must, and shows that the reasons for deploying fog are centered much more on operational requirements than on performance issues related to the cloud.
  • A survey on the recent efforts of the internet standardization body for securing inter-domain routing
    (2015) Siddiqui Shoaib, Muhammad; Montero Banegas, Diego Teodoro; Serral Gracià, René; Masip Bruin, Xavier; Yannuzzi, Marcelo
    The Border Gateway Protocol (BGP) is the de facto inter-domain routing protocol in the Internet, thus it plays a crucial role in current communications. Unfortunately, it was conceived without any internal security mechanism, and hence is prone to a number of vulnerabilities and attacks that can result in large scale outages in the Internet. In light of this, securing BGP has been an active research area since its adoption. Several security strategies, ranging from a complete replacement of the protocol up to the addition of new features in it were proposed, but only minor tweaks have found the pathway to be adopted. More recently, the IETF Secure Inter-Domain Routing (SIDR) Working Group (WG) has put forward several recommendations to secure BGP. In this paper, we survey the efforts of the SIDR WG including the Resource Public Key Infrastructure (RPKI), Route Origin Authorizations (ROAs), and BGP Security (BGPSEC), for securing the BGP protocol. We also discuss the post SIDR inter-domain routing unresolved security challenges along with the deployment and adoption challenges of SIDR’s proposals. Furthermore, we shed light on future research directions in managing the broader security issues in inter-domain routing. The paper is targeted to readers from the academic and industrial communities that are not only interested in an updated article accounting for the recent developments made by the Internet standardization body toward securing BGP (i.e., by the IETF), but also for an analytical discussion about their pros and cons, including promising research lines as well.
  • Diagnosis of route leaks among autonomous systems in the internet
    (IEEE, 2014) Serral Gracià, René
    Border Gateway Protocol (BGP) is the de facto inter-domain routing protocol in the Internet. It was designed without an inherent security mechanism and hence is prone to a number of vulnerabilities which can cause large scale disruption in the Internet. Route leak is one such inter-domain routing security problem which has the potential to cause wide-scale Internet service failure. Route leaks occur when Autonomous systems violate export policies while exporting routes. As BGP security has been an active research area for over a decade now, several security strategies were proposed, some of which either advocated complete replacement of the BGP or addition of new features in BGP, but they failed to achieve global acceptance. Even the most recent effort in this regard, led by the Secure Inter-Domain Routing (SIDR) working group (WG) of IETF fails to counter all the BGP anomalies, especially route leaks. In this paper we look at the efforts in countering the policy related BGP problems and provide analytical insights into why they are ineffective. We contend a new direction for future research in managing the broader security issues in the inter-domain routing. In that light, we propose a naive approach for countering the route leak problem by analyzing the information available at hand, such as the RIB of the router. The main purpose of this paper was to position and highlight the autonomous smart analytical approach for tackling policy related BGP security issues.
  • Improving TCP performance and reducing self-induced congestion with receive window modulation
    (Institute of Electrical and Electronics Engineers Inc., 2019) Arcas Abella, Oriol
    We present a control module for software edge routers called Receive Window Modulation - RWM. Its main objective is to mitigate what we define as self-induced congestion: the result of traffic emission patterns at the source that cause buffering and packet losses in any of the intermediate routers along the path between the connection's endpoints. The controller modifies the receiver's TCP advertised window to match the computed bandwidth-delay product, based on the connection round-trip time estimation and the bandwidth locally available at the edge router. The implemented controller does not need any endpoint modification, allowing it to be deployed in corporate edge routers, increasing visibility and control capabilities. This scheme, when used in real-world experiments with loss-based congestion control algorithms such as CUBIC, is shown to optimize access link utilization and per-connection goodput, and to reduce latency variability and packet losses.
  • Key ingredients in an IoT recipe: fog computing, cloud computing, and more fog computing
    (IEEE, 2014) Montero Banegas, Diego Teodoro
    This paper examines some of the most promising and challenging scenarios in IoT, and shows why current compute and storage models confined to data centers will not be able to meet the requirements of many of the applications foreseen for those scenarios. Our analysis is particularly centered on three interrelated requirements: 1) mobility; 2) reliable control and actuation; and 3) scalability, especially, in IoT scenarios that span large geographical areas and require real-time decisions based on data analytics. Based on our analysis, we expose the reasons why Fog Computing is the natural platform for IoT, and discuss the unavoidable interplay of the Fog and the Cloud in the coming years. In the process, we review some of the technologies that will require considerable advances in order to support the applications that the IoT market will demand.
  • Network coding-based protection scheme for elastic optical networks
    (IEEE, 2014) Yannuzzi, Marcelo
    Optical technologies are the foundations supporting the current telecommunication network backbones due to the high speed transmissions achieved in fiber optical networks. Traditional optical networks consist of a fixed 50 GHz grid, resulting in a low optical spectrum (OS) utilization, specifically with transmission rates above 100 Gbps. This issue is magnified when network resilience capabilities are required. For instance, proactive protection solutions such as Dedicated Protection (DP) are widely used because of their low recovery time. However, a significant drawback of DP is its high utilization of optical bandwidth. Recently, optical networks are undergoing significant changes with the purpose of providing a flexible grid that can fully exploit the potential of optical networks. This has led to a new network paradigm termed as Elastic Optical Networks (EON). Moreover, a novel strategy referred to as network coding (NC) has been proposed with the aim of improving network throughput. In this paper, we propose a proactive protection scheme so-called E-DPNC* that combines both the advantages concerning network throughput offered by EON and NC, and the low recovery time of a DP scheme, in order to enable network resilience against optical link failures while also reducing the optical spectrum utilization. Our evaluation results show that our solution reduces the OS utilization by 41% compared with conventional protection schemes deployed on fixed grid scenarios.
  • Offloading personal security applications to the Network Edge: a mobile user case scenario
    (Institute of Electrical and Electronics Engineers, 2016) Serral Gracià, René
  • Route leak detection using real-time analytics on local BGP information
    (IEEE, 2014) Serral Gracià, René
    A route leak can be defined as a security gap that occurs due to the infringement of the routing policies that any two Autonomous Systems (ASes) have agreed upon. Route leaks are seemingly simple, but hard to resolve since the ASes keep their routing policies confidential. Indeed, the traditional palliatives, such as the utilization of route filters, are no longer used by a large number of ASes, given the high administrative burden that they entail. Other alternatives, like BGP monitoring tools, not only require third party information gathered at multiple vantage points, but also they become impotent in many cases, due to their limited view of the interdomain routing state. In this paper, we propose a different approach, which allows to autonomously detect the occurrence of route leaks by solely inspecting the BGP information available at the AS. Our main contributions can be summarized as follows. First, we propose a self-contained Route Leak Detection (RLD) technique, which is based on real-time analytics on the Route Information Bases (RIBs) of the border routers of an AS. Second, we introduce Benign Fool Back (BFB), "a harmless bluff" that can substantially improve the success rate of the RLD technique. Third, we show through exhaustive simulations that our technique can detect route leak incidents in various scenarios with high success rate. In addition, our solution has the following practical advantages: a) no reliance on third party information (e.g., on vantage points); b) no changes required to control-plane protocols (e.g., to BGP); and c) allows non-invasive integration (e.g., using SDN).
  • Route leak identification: a step toward making inter-domain routing more reliable
    (IEEE, 2014) Masip Bruin, Xavier
    Route leaks are one of the anomalies of inter-domain routing that have the capacity to produce large Internet service disruptions. Route leaks are caused because of violation of routing policies among Autonomous Systems. Unfortunately, there are not many studies that formally and thoroughly analyze the route leak problem. There exist few conventional solutions that can be used as a first line of defense, such as route filters. However, these palliatives become unfeasible in terms of scalability, mainly due to the administrative overhead and cost of maintaining the filters updated. As a result, a significant part of the Internet is defenseless against route leak attacks. In this paper, we define, describe, and examine the different types of route leaks that threaten the security and reliability of the routing system. Our main contributions can be summarized as follows. We develop a rather basic theoretical framework, which, under realistic assumptions, enables a domain to autonomously determine if a particular route advertisement received corresponds to a route leak. We reason the possible occurrence of route leaks in different scenarios, with the aim of formulating requirements for their identification, and hence thereof prevention to improve routing reliability.
  • SABES: statistical available bandwidth estimation from passive TCP measurements
    (IEEE, Instituto de Ingenieros Eléctricos y Electrónicos Inc., 2020) Nemirovsky, Mario
    Estimating available network resources is fundamental when adapting the sending rate both at the application and transport layer. Traditional approaches either rely on active probing techniques or iteratively adapting the average sending rate, as is the case for modern TCP congestion control algorithms. In this paper, we propose a statistical method based on the inter-packet arrival time analysis of TCP acknowledgments to estimate a path available bandwidth. SABES first estimates the bottleneck link capacity exploiting the TCP flow slow start traffic patterns. Then, a heuristic based on the capacity estimation provides an approximation of the end-to-end available bandwidth. Exhaustive experimentation on both simulations and real-world scenarios was conducted to validate our technique, and our results are promising. Furthermore, we train an artificial neural network to improve the estimation accuracy.
  • Securing the LISP map registration process
    (Institute of Electrical and Electronics Engineers, 2013) Montero Banegas, Diego Teodoro
    The motivation behind the Locator/Identifier Separation Protocol (LISP) has shifted over time from routing scalability issues in the core Internet to a set of use cases for which LISP stands as a technology enabler. Among these are the mobility of physical and virtual appliances without breaking their TCP connections, seamless migration and fast deployments of IPv6, multihoming, and data-center applications. However, LISP was born without security, and therefore is susceptible to attacks in its control-plane. The IETF's LISP working group has recently started to work in this direction, but the protocol still lacks end-to-end mechanisms for securing the overall registration process on the mapping system. In this paper, we address this issue and propose a solution that counters the attacks. We have deployed LISP in a real testbed, and compared the performance of our proposal with current LISP implementations, in terms of both messaging and packet size overhead. Our preliminary results prove that our solution offers much higher security with minimum overhead.
  • Self-reliant detection of route leaks in inter-domain routing
    (2015) Yannuzzi, Marcelo
    Route leaks are among the several inter-domain routing anomalies that have the potential to cause large scale service disruptions on the Internet. The reason behind the occurrence of route leaks is the violation of routing policies among Autonomous Systems (ASes). There exist a few rudimentary solutions that can be used as a first line of defense, such as the utilization of route filters, but these palliatives become unfeasible in large domains due to the administrative overhead and the cost of maintaining the filters updated. As a result, a significant part of the Internet is defenseless against route leak attacks. In this paper, we examine the different types of route leaks and propose detection methodologies for improving the reliability of the routing system. Our main contributions can be summarized as follows. We develop a relatively basic theoretical framework, which, under realistic assumptions, enables a domain to autonomously determine if a particular route advertisement received from a neighbor corresponds to a route leak. Based on this, we propose three incremental methodologies, namely Cross-Path (CP), Benign Fool Back (BFB), and Reverse Benign Fool Back (R-BFB), for autonomously detecting route leaks. Our strength resides in the fact that these detection techniques solely require the analysis of control and data plane information available within the domain. We analyze the performance of the proposed route leak identification techniques both through real-time experiments as well as simulations at large scale. Our results show that the proposed detection techniques achieve high success rates for countering route leaks in different scenarios.
  • The unavoidable convergence of NFV, 5G, and fog: a model-driven approach to bridge cloud and edge
    (2017) Rodríguez, Juan Pedro
    The interplay between cloud and fog computing is crucial for the evolution of IoT, but the reach and specification of such interplay is an open problem. Meanwhile, the advances made in managing hyper-distributed infrastructures involving the cloud and the network edge are leading to the convergence of NFV and 5G, supported mainly by ETSI's MANO architecture. This article argues that fog computing will become part of that convergence, and introduces an open and converged architecture based on MANO that offers uniform management of IoT services spanning the continuum from the cloud to the edge. More specifically, we created the first YANG models for fog nodes, for IoT services involving cloud, network, and/or fog, and expanded the concept of "orchestrated assurance" to provision carrier-grade service assurance in IoT. The article also discusses the application of our model in a flagship pilot in the city of Barcelona.
  • Virtualized security at the network edge: a user-centric approach
    (2015) Risso, Fulvio
    The current device-centric protection model against security threats has serious limitations. On one hand, the proliferation of user terminals such as smartphones, tablets, notebooks, smart TVs, game consoles, and desktop computers makes it extremely difficult to achieve the same level of protection regardless of the device used. On the other hand, when various users share devices (e.g., parents and kids using the same devices at home), the setup of distinct security profiles, policies, and protection rules for the different users of a terminal is far from trivial. In light of this, this article advocates for a paradigm shift in user protection. In our model, protection is decoupled from users' terminals, and it is provided by the access network through a trusted virtual domain. Each trusted virtual domain provides unified and homogeneous security for a single user irrespective of the terminal employed. We describe a user-centric model where nontechnically savvy users can define their own profiles and protection rules in an intuitive way. We show that our model can harness the virtualization power offered by next-generation access networks, especially from network functions virtualization in the points of presence at the edge of telecom operators. We also analyze the distinctive features of our model, and the challenges faced based on the experience gained in the development of a proof of concept.