Tutorial on active networks and their management

Active networking is an expanding field of research. It includes the ability to easily install and modify customized network services and to process packets within the network in a customized way. This paper overviews active networking approaches and their management. It is meant more as a tutorial or survey like paper, than mostly undefinite or unpublished concepts and approaches. It classifies different approaches to active networking on various criteria. Furthermore, some applications, or better application areas, may profit from active network technology. The second part addresses the question of how the benefits of active networking can be exploited in an environment, where a number of customers must share a common network infrastructure also referred to as telecom environment in this paper. And it also lists possible drawbacks of the technology. In the third part, we introduce a management framework for active networks that allows customers to deploy and manage their own active services in a provider domain. The key concept in our framework is the Virtual Active Network (Van). From the customer’s perspective, theVan represents the environment in which the customer can install, run, and manage active services without interaction with theVan provider. From theVan provider’s perspective theVan represents the object of resource partitioning and customer isolation. Active networking combined with theVan concept allows for new business models in the telecom industry.     

Un environnement de conception de systèmes distribués basé sur UML

This paper introduces a new environment for developing distributed systems. It is based on theTurtle uml profile. Analysis and design phases, described in previous papers, have been extended with an additional deployment phase. In this new step,Turtle components are deployed over hardware execution nodes, and nodes are connected together throughout links,Turtle deployment diagrams are given a formal semantics inRt-lotos, therefore following the approach used forTurtle analysis and design diagrams. Moreover, the paper presents a Java code generator which outputs appropriate Java code forTurtle deployment diagrams. This code is automatically deployable on networks because it implements node communication using network protocols such asUdp orRmi. ttool, the turtle toolkit has been extended to support these new diagrams and code generators. The attack of protected data exchanged throughout securedHttp sessions serves as example.     

Architecture d’un réseau actif à base de services Web

This paper presents a novel active architecture for building and deploying network services:aswa, Web Services based Active network Architecture. At the architectural level,aswa defines an active node whose functionalities are divided into the Node Operating System, the Execution Environment, and the Active Applications. At the implementation level,aswa is a Web Services based platform where new components could be added and deployed, in order to dynamically modify network nodes behavior. Applications can be developed with any language and communicate across heterogeneous environments, and across Internet and Intranet structures. At the deployment levelaswa uses an active node approach, and offers a controlled deployment mode. In terms of security, Authentication of deployed code and protection of the nodes is achieved by the use ofhttps and the header extensions of thesoap envelope. Finally to validate this architecture,aswa defines a Firewall as an Active Application to secure the code deployment.     

Network-controlled mobility within radio access networks based onWLAN technologies

This article presents a network-controlled approach of user terminal mobility within anIP based WirelessLAN Access Network. In a first part, this article makes a review of the mobility support, on the subject of emergingWLAN technologies asHIPERLAN/2 andIEEE 802.11, on the one hand, and, regardingIP networks as currently studied withinIETF, on the other hand. Both types ofIP mobility protocols are presented, either global mobility protocols such as MobileIP, or local mobility management protocols (micro mobility). In the next part, the overall principles of our mobility management approach are explained; this approach is based on the implementation of a new network entity dedicated to the control of user terminal mobility. The last part details a practical implementation of this approach. The implementation is carried out on the basis of Hierarchical MobileIPv6 (HMIPv6). The experimental results confirm the importance to carefully plan and control the user terminal mobility within largeIP based Access Networks, as this brings benefit to the user as well as to the operator.     

AIMD-based online MPLS traffic engineering for TCP flows via distributed multi-path routing

With this paper, we propose a distributed online traffic engineering architecture formpls networks. In this architecture, a primary and secondarympls lsp are established from an ingresslsr to every other egresslsr. We propose to split thetcp traffic between the primary and secondary paths using a distributed mechanism based onecn marking andaimd-based rate control. Inspired by the random early detection mechanism for active queue management, we propose a random early reroute scheme to adaptively control the delay difference between the primary and secondarylsps. Considering the adverse effect of packet reordering ontcp performance for packet-based load balancing schemes, we propose that thetcp splitting mechanism operates on a per-flow basis. Using flow-based models developed for Internet traffic and simulations, we show that flow-based distributed multi-path traffic engineering outperforms on a consistent basis the case of a single path in terms of per-flow goodputs. Due to the elimination of out-of-order packet arrivals, flow-based splitting also enhancestcp performance with respect to packet-based splitting especially for longtcp flows that are hit hard by packet reordering. We also compare and contrast two queuing architectures for differential treatment of data packets routed over primary and secondarylsps in thempls data plane, namely first-in-first-out and strict priority queuing. We show through simulations that strict priority queuing is more effective and relatively more robust with respect to the changes in the traffic demand matrix than first-in-first-out queuing in the context of distributed multi-path routing.     

A distributed cross-layer intrusion detection system forad hoc networks

Most existing intrusion detection systems (Idss) for ad hoc networks are proposed for single layer detection. Although they may apply to other layers of network protocol stack, individual layers of data is still being analyzed separately. In addition, most have not been able to emphasize localization of attack source. In this paper, we propose an anomaly-based ids that utilizes cross-layer features to detect attacks, and localizes attack sources within onehop perimeter. Specifically, we suggest a compact feature set that incorporate intelligence from bothMac layer and network layer to profile normal behaviors of mobile nodes; we adapt a data mining anomaly detection technique from wired networks to ad hoc networks; and we develop a novel collaborative detection scheme that enables theIds to correlate local and global alerts. We validate our work through ns-2 simulation experiments. Experimental results demonstrate the effectiveness of our method.     

Application level active network (alan) server management architecture

This paper presents the details of the policy-based security and resource management architecture for Application Level Active Network (alan) servers.alan is an active network architecture which enables deployment of user-customised processes (proxylets), which enhance the existing services or introduce new services to the end-user, on the select group of servers in anip network. The issues of security and resource management in this scenario are of crucial importance so as to efficiently facilitate and control the resource consumption of user-specified processes on the active servers, as well as to protect the server platforms from unauthorised proxylet deployment or malevolent behaviour. The architecture allowing efficient resource and security control is presented in this paper, including detaileduml diagrams capturing the management functionality, as well as a set of concrete management policies for thealan scenario. The examplexml policies are also given, and the deployment of this architecture in real-life trials is described. This development forms a part of a larger management architecture foralan-enabled networks developed in the context of theist projectandroid (Active Network DistRibuted Open Infrastructure Development).     

IP-based transport of voice traffic in the UMTS radio access network: analytical study and empirical validation

In this paper, we investigate theIp protocol as a transport option for the user traffic in the UMTS Terrestrial Radio Access Network (Utran), where stringent delay bounds are to be met for both real-time and non real-time traffic. We focus on real-time voice traffic and present an analytical model for the multiplexing and transport of voice channels in theUtran usingIp. The novelty of our model is that it analytically includes and quantifies the performance of the timer used in multiplexing arriving Frame Protocol (Fp) frames into largerIp packets. We then validate our work through empirical results on a test-bed emulating theUtran transport functionalities. We show the trade-offs between performance, in terms of delay and link utilization, and quantify optimal values for the timer as well as the number ofFp frames perIp packet for a given output link capacity.     

Rogue-base station detection in WiMax/802.16 wireless access networks

We address the problem of detecting a rogue base station (Bs) in WiMax/802.16 wireless access networks. A rogueBs is a malicious station that impersonates a legitimate access point (Ap). The rogueBs attack represents a major denial-of-service threat against wireless networks. Our approach is based on the observation that inconsistencies in the signal strength reports received by the mobile stations (Mss) can be seen if a rogueBs is present in a network. These reports can be assessed by the legitimate base stations, for instance, when a mobile station undertakes a handover towards anotherBs. Novel algorithms for detecting violations of received signal strength reports consistency are described in this paper. These algorithms can be used by an intrusion detection system localized on the legitimateBss or on a global network management system operating theBss.     

Optimizing IP networks in a hybrid IGP/MPLS environment

In this paper, we consider a traffic engineering (te) approach toip networks in a hybridigp/mpls environment. Thoughigp (Interior Gateway Protocol) routing has proven its scalability and reliability, effective traffic engineering has been difficult to achieve in public IP networks because of the limited functional capabilities of conventionalip technologies.mpls (Multi-Protocol Label Switching) on the one hand enhances the possibility to engineer traffic onip networks by allowing explicit routes. But on the other hand it suffers from the scalability (n-square) problem. Hybridigp/mpls approaches rely onip native routing as much as possible and usempls only if necessary. In this work we propose a novel hybrid traffic engineering method based on genetic algorithms, which can be considered as an offlinete approach to handle long or medium-term traffic variations in the range days, weeks or months. In our approach the maximum number of hops anlsp (Label Switched Path) may take and the number oflsps which are applied solely to improve the routing performance, are treated as constraints due to delay considerations and the complexity of management. We apply our method to the German scientific network (b-win) for which a traffic matrix is available and also to some other networks with a simple demand model. We will show results comparing this hybridigp/mpls routing scenario with the result of pureigp routing and that of a full meshmpls with and without traffic splitting.     

Bandwidth sharing under the assured forwarding Per-Hop behavior

The DiffServ’s Assured Forwarding (af) Per-Hop Behavior (phb) Group defines a differentiated forwarding of packets in four independent classes, each class having three levels of drop precedence. Specific end-to-end services based on thisphb are still being defined. A particular type of service that could assure a given rate to a traffic aggregate has been outlined elsewhere. In such a service, a fair distribution of bandwidth is one of the main concerns. This paper presents experimental work carried out to evaluate howaf distributes bandwidth among flows under different load conditions and traffic patterns. We focused on the effect that marking mechanisms have on bandwidth sharing among flows within a singleaf class. The traffic types we used includeudp flows, individual and aggregatedtcp flows, mix oftcp andudp, tcp sessions with heterogeneous round-trip times, as well as color-blind and color-aware re-marking at the aggregation point fortcp flows. Tests were performed on real and simulated networks. We have found certain conditions under whichaf distributes bandwidth fairly among nonadaptiveudp flows andtcp aggregates. Finally, we evaluate a basic rule for setting the parameters of the two-rate Three-Color Marker conditioning algorithm (trtcm) in order to achieve a better bandwidth distribution fortcp flows.     

WLAN standards and evolutions

Wireless Local Area Networks technologies have known an important technological and commercial development. Multiplicity of standards and variety of domains of use make necessary to compose with different technologies that can be seen either as concurrent or complementary. In this article, after positioning the different types of wireless networks (IEEE 802.11, HomeRF,HIPERLAN/2, Bluetooth) for mass market and professional applications destination, some generalities are briefly reminded such as centralised and ad-hoc architectures, regulatory constraints in the 2.45 and 5GHZ frequency bands used forWLAN, typical ranges, mobility and security features and limitations. Then the differentIEEE (802.11, 802.11a et 802.11b) andETSI (HIPERLAN/2) standards are described in details as well as their foreseen evolutions. It appears that 802.11 family of standards would take benefit of the currently existing products to evolve smoothly while integrating new features (broadband 802.11a physical layer, necessary radio features to meet European regulatory requirements, future introduction of Quality of Service schemes…). In the meantime,HIPERLAN/2 which has been specified as a complete system already supports most of those important features and is able to be adapted to various kinds of higher network layers. Lastly, it is shown that interworking schemes between 3G cellular systems andWLAN currently under investigations in 3GPP andETSI BRAN should permit in the future to easily operate wide area and multi-access technology based mobile networks.     

A scheduler for relative delay service differentiation

We propose a new delay-based scheduler called asRD-VC (Relative Delay VirtualClock). Since it performs a delay-based service differentiation among flow aggregates, the quality at microflow level is the same as that at aggregate level. This is not easily achievable when the service differentiation is bandwidth-based or loss-based. Unlike theEDF (Earliest Deadline First) scheduler [1], our proposed scheduler self-regulates and adapts the delays according to load changes. This characteristic permits us to implement it in an AF-likePHB providing the relative quantification service in a DiffServ network. Finally, we compare our proposedrd-vc scheduler with two important existing propositions:WTP (Waiting Time Priority) [2, 3] andex-vc (Extended VirtualClock) [4]. Both these propositions are delay-based and have self-regulation property. All three schedulers (RD-VC, WTP andEX-VC) maintain the required service differentiation among aggregates and have comparable long term average performance like mean throughput per aggregate and packet loss ratio etc. However,RD-VC and WTP take an edge overEX-VC at short-term performance like jitter. Bothrd-vc andWTP have good long term and short-term performance. Our proposedrd-vc, compared to existingWTP, has two additional characteristics, i.e. unlike WTP which is limited to architectures with one queue per Qos class, it has no limitation on implementation scope (with or without separate queues per class) and it has lower complexity. This rendersRD-VC an interesting proposition.     

Une caractérisation non gaussienne et à longue mémoire du trafic Internet et de ses anomalies: validation expérimentale et application à la détection d’attaque de DDoS/Non Gaussian Long Memory Model for Internet Traffic: Experimental Validation and Application to DDoS Detection

Being now a mainstream communication, Internet is subject to many kinds of anomalies (failures, flash-crowds, attacks). In order to compare the statistics of normal traffic with traffic with anomalies, we collect both regular and anomalous traffic. The traffic is collected on the Renater network by the Metrosec project and we produce both Denial of Service (DoS) attacks with real attack softwares (TFN2k, TRIN00) aimed at various services (ICMP, SYN, UDP, TCP), and flash-crowd anomalies. We propose a multiresolution, non-Gaussian model with long memory and the corresponding estimators. It models, jointly at all aggregation levels, normal traffic, and also traffic containing anomalies. We show that the model enables to detect the anomalies in the traffic and distinguish between flash-crowd and Dos types of anomaly.     

Securing communications overAtm networks: the remoteAtm private networks interconnection example

When remoteAtm sites communicate through anAtm public network, a number of security problems arise, such as hacking, eavesdropping and traffic tampering. This paper proposes three contributions to these security problems. Firstly, risks due toAtm technology usage are detailed. Secondly, a survey of existing techniques aiming at securingAtm communications is presented with emphasis on theAtm Forum’s security specifications. Thirdly, a new solution called Safe (which stands for Solution for anAtm Frequent communications Environment) developed in the Démostène project is described. Safe realizes both firewall’s filtering functions and communications protection over theAtm network. The main idea of Safe is to use signaling (Uni 3.1) as a means to exchange security information over the network. This idea has been implemented and introduced to theAtm Forum.     

An evaluation oftcp with explicit congestion notification

We study the effect of Explicit Congestion Notification (ecn) ontcp for relatively large but finite file transfers inip networks, and compare it to other congestion avoidance mechanisms, namely Drop Tail (dt) and Random Early Detection (red). We use simulation to measuretcp performance for transfers initiated by a varying number of end hosts. In contrast to previous work, we focus on situations in which all nodes in the network operate uniformly under the same mechanism (dt orred orecn). Our results show that under such uniform conditionsecn does not necessarily lead to significant improvement intcp goodput, although in no case does it lead to an actual degradation in performance. Our results also show that, withecn, tcp flows benefit from lower overhead for unsuccessful transmissions. Furthermore, lockouts are largely avoided. In other words, in an all-ecn network resources are shared more fairly. Finally, we show that global synchronization is no longer an issue, and argue that currenttcp versions have essentially solved the problem, regardless of the queue management scheme employed.     

Codage conjoint source-canal des paramètres lsf du codeur FS1016: application de la quantification vectorielle par treillis optimisée pour un canal bruité

In this paper, we present an optimized trellis coded vector quantization (tcvq) coding system designed for the effective and robust coding of lsf spectral parameters at low bit rate. The aim of this system, called at the beginning « lsf-otcvq Encoder », is to achieve a low bit rate transparent quantization of lsf parameters of the us Federal Standard (fs1016) speech coder. Once the effectiveness of our lsf-otcvq encoders (with weighted distance) was proven in the case of ideal transmissions over noiseless channel, we were interested after in the improvement of their robustnesses for real transmissions over noisy channel. To implicitly protect the transmission indices of our lsf-otcvq coders incorporated in the Fsl016, we used a joint source-channel coding carried out by the channel optimized vector quantization (covq) method. In the case of transmissions over noisy channel, we will show that our new encoding system, called “covq-lsf-otcvq Encoder”, would be able to contribute significantly in the improvement of the fs1016 performances by ensuring a good coding robustness of its lsf spectral parameters.     

Mastering quality of service in GPRS/UMTS an overview

Quality of Service (QoS) has become a very important issue in networking, covering many performance aspects and numerous measures. The deployment of next generation wireless system includes 2.5G General Packet Radio Service (Gprs), which is the packet-switched extension of the Global System for Mobile communications (Gsm), and Third-Generation (3G) Universal Mobile Telecommunications System (Umts) to meet the needs of larger capacity and higher bit rates. AnUmts packet core network is an IP-based network. The Internet Engineering Task Force (Ietf) Forum developed several IP QoS related mechanisms available for IP transport networks. Service Quality Management (Sqm), one component of Telecommunication Management Network (Tun), will enable providers to manage QoS against objectives set out in customer Service Level Agreements (Slas) and will enable customers to compare the service offerings of different service providers.     

nOBS: an ns2 based simulation tool for performance evaluation of TCP traffic in OBS networks

Performance evaluation of tcp traffic in obs networks has been under intensive study, since tcp constitutes the majority of Internet traffic. As a reliable and publicly available simulator, ns2 has been widely used for studying tcp/ip networks; however ns2 lacks many of the components for simulating optical burst switching networks. In this paper, an ns2 based obs simulation tool (nobs), which is built for studying burst assembly, scheduling and contention resolution algorithms in obs networks is presented. The node and link objects in obs are extended in nobs for developing optical nodes and optical links. The ingress, core and egress node functionalities are combined into a common optical node architecture, which comprises agents responsible for burstification, routing and scheduling. The effects of burstification parameters, e.g., burstification timeout, burst size and number of burstification buffers per egress node, on tcp performance are investigated using nobs for different tcp versions and different network topologies.     

LDPC-based space-time coded OFDM systems: Turbo-EM receiver design with channel state information guessing algorithms

In this paper we study some turbo receiver architectures employing low-density parity check (Ldpc) codes together with orthogonal frequency division multiplexing (Ofdm) for high data rate wireless transmissions. Different demodulation schemes based on expectation-maximization (Em) algorithm are studied along with the channel impulse response (Em) algorithms. We studied differentCir guessing algorithms including the EM-based algorithms such as a space-alternating generalized expectation-maximization algorithm (Sage). It is shown that the proposed turbo-Em receiver employing a soft maximum a posteriori (Map)Em demodulator and a belief propagationLdpc decoder can perform within 1 dB from the ergodic capacity of the studiedMimo ofdm channels. Besides, we find that a suboptimum structure based on a soft interference cancellationMmse filtering demodulator exhibits negligible loss in non-correlated fadingMimo channels but suffer extra performance loss in highly correlatedMimo channels.