Similar literature
 Found 20 similar documents; search took 15 ms
1.
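Full-service operation is the next growth point for the telecom market after voice and broadband access services, and IP-based voice service over converged wired and wireless networks is one of the key full-service offerings. By analysing the problems of existing VoIP networks and the characteristics of VoIP in a fixed-mobile convergence network environment, this paper proposes a new P2PSIP architecture built on a two-layer overlay network, and describes the advantages of the new architecture and the communication mechanism between the two overlay layers. The new architecture effectively improves system security, robustness and the utilisation of user-node resources, and better meets the bandwidth, network-quality and security requirements of VoIP in a fixed-mobile convergence network environment.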

2.
Technological and human factors have contributed to increase the complexity of the network management problem. Heterogeneity and globalization of network resources, on one hand, have increased user expectations for flexible and easy-to-use environments; on the other hand, they have suggested entirely novel ways to face the management problem. Several research efforts recognize the need for integrated solutions to manage both network resources and services in open, global, and untrusted environments. In addition, these solutions should permit the coexistence of different management models and should interoperate with legacy systems. In the paper, we define a general architecture based on a distributed processing environment (DPE) that offers a large set of facilities to the application level. We have developed the MESIS management environment shaped after the above architecture and its DPE facilities with mobile agents technology. MESIS handles, in a uniform way, both resources and services, and focuses on two crucial properties: interoperability to overcome heterogeneity, and security to grant users safe and protected operations. The Agent Interoperability Facility supports compliance with CORBA-based management systems and with MASIF agent platforms. The Agent Security Facility provides authentication, integrity, privacy, authorization, and secure interoperation with CORBA systems.

3.
A simple authentication technique for use in the global mobility network (GLOMONET) is proposed. This technique is based on the concept of distributed security management, i.e., the original security manager administrates the original authentication key (long-term secret key) acquired when a user makes a contract with his home network, while a temporary security manager is generated for a roaming user in the visited network that provides roaming services. The temporary security manager will take the place of the original security manager when the roaming user stays in the service area of the visited network. In the proposed authentication protocol for the regular communication phase, the procedures of the original security manager and the temporary security manager are the same except for introducing different parameters. Furthermore, the proposed technique not only reduces the number of transmissions during the authentication phase, but it also can decrease the complexity of mobile equipment. The idea behind the proposed technique is to introduce a simple mechanism which is called "self-encryption". We also suggest that this mechanism can be easily adopted as the authentication function for the secure teleconference service.

4.
This paper proposes an authentication technique for use in the global mobility network (GLOMONET), which provides a personal communication user with global roaming service. This technique is based on new distributed security management, where authentication management in roaming-service provision is conducted only by the roamed network (the visited network). The original security manager (OSM) administrates the original authentication key (OAK) acquired when a user makes contracts with the home network, while the temporary security manager (TSM) is generated for a roamer in the visited network in order to provide roaming services. The TSM generates and administrates the temporary authentication key (TAK) for a roamer, which key is confidential to the OSM, releases the TAK administration when a roamer moves to other networks, and then disappears. The proposed authentication technique consists of two phases. In the roaming-service-setup phase, triggered by the user's location registration request, authentication control to set up the roaming-service environment is negotiated by the TSM in the visited network, the OSM, and the roamer. In the roaming-service-provision phase, triggered by the user's service request, authentication control to provide the roaming service is negotiated (using the TAK acquired by the roamer in the first phase) only by the visited network and the roamer. This authentication control using the TAK provides a unified authentication procedure with a single logic to both subscribers and roamers. In addition, the security management of the whole GLOMONET is reinforced and the security responsibility is made clear by allocating the subscriber's/roamer's security administration to only the TSM.

5.
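In recent years multipoint data transfer has become a hot topic and is widely used in all kinds of P2P networks. As the sharing of network resources intensifies, and because peer-to-peer networks lack centralised management, security is hard to guarantee, and the security problems facing large-scale commercial use of multipoint data transfer systems are increasingly prominent. To address the security problems of P2P networks, a public-key authentication scheme is designed to identify users, and a multipoint data transfer system is implemented that includes common applications such as chunked file download, instant messaging and audio/video services.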

6.
汤雅妃  张云勇  张尼 《电信科学》2015,31(8):158-164
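In cloud computing environments, user identity authentication is the first line of defence for cloud security and plays a vital role. The authentication requirements of current cloud service systems are analysed and, considering the advantages of fingerprint recognition in cloud security authentication, a cloud security authentication system based on fingerprint recognition is proposed. Its system architecture and workflow are studied in depth, with the aim of preventing illegal access by malicious users through a more secure authentication method and ensuring secure access to user data in the cloud environment.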

7.
An ANSA overview     
《IEEE network》1994,8(1):18-23
With the appropriate architecture, telecommunications services can work with computer applications components to support networked information services. ANSA is an architecture that enables telecommunications services and computer application components to work together despite diversity of programming languages, operating systems, computer hardware, networks, communications protocols and management, and security policies. The architecture is relevant to telecommunications, manufacturing, sales, cooperative working, banking, health service, research, and other applications. It provides a framework for the design and implementation of distributed computer systems supporting networked information services. The framework ensures that different design choices, made for particular applications, present the maximum opportunity for interworking.

8.
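To solve the security problems of distributed network management, a mobile agent framework is used as the underlying platform and the VMC concept is applied to merge mobile agents with SNMP agents, building a security architecture based on trusted mobile agents. Experimental results show that a network management system using this architecture can ensure the trustworthiness of mobile agents. The security of the architecture under agent-to-agent-platform and agent-to-agent attacks is therefore evaluated, demonstrating that its performance in network management tasks is trustworthy.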

9.

With the rapid technological improvements in mobile devices and their inclusion in Internet of Things (IoT), secure key management becomes mandatory to ensure security of information exchange. For instance, IoT applications, such as smart health-care and smart homes, provide automated services to the users with less or no user intervention. As these applications use user-sensitive data, ensuring their security and privacy should be paramount, especially during the key management process. However, traditional approaches for key management will not suit well in IoT environment because of the inherent resource constraint property of IoT devices. In this paper, we propose a novel distributed key management scheme for IoT ecosystem. The proposed scheme efficiently provides security to IoT devices by delegating most of the resource consuming cryptographic processing to a local entity. This entity coordinates with other peer entities to provide a distributed key as well as an authentication mechanism to network devices. In particular, the proposed scheme exploits the advantages of mobile agents by deploying them in different subnetworks as and when required: (1) to process the cryptography work for the IoT devices, and (2) to act as a local authenticated entity to perform fast authentication process. To verify the effectiveness and correctness of our proposed scheme, we have simulated it in a large IoT scenario and evaluated against relevant metrics that include user mobility, certification generation time, and communication overhead.


10.
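Agent-based authentication and network access control system   Cited by: 1 in total, self-citations: 0, citations by others: 1
Identity authentication and network access control verify a user's legitimate identity and authorise access to network resources. To address the shortcomings of current systems of this kind, a system providing multi-factor authentication and coarse- and fine-grained network access control based on Agent technology is designed and implemented. By analysing and designing the communication security of the Agent software and the key steps and flows of authentication and access control, and by combining hardware-characteristic attribute keys with user information, multi-factor authentication is achieved, and users are divided into different security classification levels according to the sensitivity and confidentiality of network service resources. Taking Windows XP as an example, the paper details how the Agent software uses HOOK techniques to implement these key functions. Experimental results show that the system is efficient, extensible and general.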

11.
In recent years there has been increasing interest in interconnecting satellite and ATM networks, because both share common characteristics of the ability to provide bandwidth-on-demand and flexibility of integrating voice, video and data services. There are several new satellite constellation proposals that support multimedia service and transport ATM traffic. For a successful implementation of such systems it is essential to address the security requirements of users, satellite ATM network operators and multimedia service providers. In order to minimize delay and the cost of implementing security systems for satellite ATM networks, the network operator role (in security services) can be limited to the mutual authentication with satellite users during call set-up periods. In this paper a mutual authentication protocol between the user and the satellite network is presented using digital signature and public key systems. Also, another mutual authentication protocol between the user and the service provider is presented to provide end-to-end authentication and negotiation of security options such as selecting a secret key system and the key length. Finally, a detailed hardware implementation of ATM cell payload encryption is presented using the DES/TripleDES secret key system. © 1998 John Wiley & Sons, Ltd.

12.
An architecture and implementation which support an interface to the X.400 mail environment using the full open-systems communications protocols for a portable computer are described. The implementation is designed to be used over a cellular radio telephone network. The portable computer is used to implement the user agent interface of the CCITT X.413 (1988) message store. A full set of security facilities, designed for use with interpersonal messaging (IPM), is included in the architecture. A number of important issues are discussed regarding the placement and management of keys for the IPM security, as well as authentication between the user and the portable computer and between the user agent and the message store. To support the use of the CCITT message-store model, it was necessary to implement a full protocol stack for open systems interconnection on the portable computer. The design and the author's experiences are described.

13.
Management of long‐distance, high‐speed optical backbones spanning multiple administrative domains requires new solutions for challenging tasks. In particular, it is not trivial to negotiate, monitor and continuously enforce the required quality of service (QoS) for applications that span multiple domains. This paper proposes GigaManP2P: a novel peer‐to‐peer (P2P) management architecture for high‐speed QoS‐aware backbones. GigaManP2P peers provide management services in a ubiquitous fashion through modules that interface with both the communication infrastructure and network users. In particular, we describe management services for inter‐domain QoS monitoring and resilient routing. After detecting a QoS constraint violation trend, a proactive rerouting strategy is triggered based on redundant virtual circuits, allowing both full and partial rerouting. The P2P overlay implementation is the basis for allowing transparent communication across autonomous systems. Experimental results showing the overhead of the P2P infrastructure in comparison to raw Simple Network Management Protocol, and the performance of the rerouting strategy, are presented. Copyright © 2011 John Wiley & Sons, Ltd.

14.
Session Initiation Protocol (SIP) is currently receiving much attention and seems to be the most promising candidate as a signaling protocol for the current and future IP telephony services, also becoming a real competitor to the plain old telephone service. For the realization of such a scenario, there is an obvious need to provide a certain level of quality and security, comparable to that provided by the traditional telephone systems. While the problem of QoS mostly refers to the network layer, the problem of security is strictly related to the signaling mechanisms and the service provisioning model. For this reason, at present, a very hot topic in the SIP and IP telephony standardization track is security support. In this work, the security model used by SIP is described, and the different open issues are highlighted. We focus, in particular, on the problem of authentication providing a short tutorial on the solution under standardization. The architecture of a possible commercial IP telephony service including user authentication is also described. Finally, we focus on performance issues. By means of a real testbed implementation, we provide an experimental performance analysis of the SIP security mechanisms, based on our open source Java implementation of a SIP proxy server. The performance of the server has been compared with and without security support, under various scenarios.

15.
张雷  单涛  王哲  鲍琪琪 《信息技术》2021,(2):159-164
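A distributed security model for medium- and long-distance medical services is proposed. The model includes a secure network for managing and processing medical big data. In the model, the secure network is combined with the Internet of Things, operates normally without any resource restrictions, and accommodates security-oriented network characteristics. The model is built using the Advanced Encryption Standard with double encryption and a ring signature technique that provides user anonymity. The results obtained are examined against security factors such as authentication, confidentiality, privacy and integrity....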

16.
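Network intelligence is the deep integration of AI technology with the hardware, software, systems and processes of communication networks; it uses AI to make communication network processes intelligent, to cut costs, raise efficiency and improve quality, to drive change in the technology system, and to enable agile service innovation. The autonomous driving network proposes to optimise user experience, automate management operations and maximise resource efficiency by simplifying network architecture, encapsulating autonomous domains and providing closed-loop control of service/network operations, which clarifies the target architecture and implementation path for network intelligence. First, based on the layered architecture and grading framework of the autonomous driving network, the technology system of network intelligence is surveyed and summarised; second, relevant standards organisations, open-source communities, industry collaboration and the state of R&D and application are broadly surveyed; finally, drawing on operators' application needs and related practice, gap analysis, collaboration recommendations and an outlook are offered to guide subsequent industry development.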

17.
This investigation presents an agent-based smart (ABS) home system that automates home-service operations. The ABS home system comprises three subsystems, namely user interface, home gateway, and home functionality. ABS home users can request services with handheld devices through an ABS user interface, and receive them through an agent cooperation mechanism. This investigation has designed three agents and implemented them in the agent platform: the manager agent schedules the service processes; the service agent manages service requests, and the task agent executes service operations. With home-functionality subsystems including location servers, message centers, and multimedia centers in ABS homes, services are conveniently provided, efficient, and comfortably manipulated. The Universal Plug and Play feature adopts IP network technology to control, manage, and transfer data among functionality devices in ABS homes. The proposed service-scheduling mechanism provides services that are conveniently provided, efficient, and comfortably manipulated. This study presents an implementation of the ABS home system to illustrate the feasibility of the proposed architecture. The study also presents a performance evaluation to demonstrate the effectiveness of the proposed mechanism.

18.
A peer-to-peer (P2P) network is a distributed application architecture which provides many attractive features, such as availability, self-organization, load-balancing, and anonymity. However, P2P network has created significant problems to network operators by generating large volumes of inter autonomous system (inter-AS) traffic. Focusing on the BitTorrent swarming protocol, this paper proposes an approach which aims to reduce P2P generated inter-AS traffic. In particular, the approach can reduce inter-AS traffic by 50% to 70%. Moreover, it can improve the downloading speed by 60% for the popular torrents. The evaluation shows that controlled regional-based contents replication can effectively achieve this goal. Furthermore, the approach is incrementally deployable. Network regions in which the system gets deployed can solve their P2P generated inter-AS traffic problems autonomously, i.e., without any Internet service providers-collaboration and any requirement, the system can be deployed in the entire Internet.

19.
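Identity authentication is an important part of P2P (peer-to-peer) network security, but the traditional PKI (public key infrastructure) authentication approach, with its static centralised control and fixed certificate content, cannot meet the needs of P2P network security authentication well, and is vulnerable to man-in-the-middle attacks during public key distribution. A new public key management architecture and identity authentication scheme is therefore proposed: each node can generate and distribute its own public and private keys, and the authentication server only takes part in completing public key distribution when a node joins the network. A super node is responsible for managing the public keys of all nodes in its group, and nodes authenticate each other through the super node alone, without involving the authentication server. Analysis shows that this authentication scheme effectively resists man-in-the-middle attacks and ensures authentication security while remaining highly efficient.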

20.
An IP-based QoS architecture for 4G operator scenarios   Cited by: 7 in total, self-citations: 0, citations by others: 7
This article describes a global QoS architecture for multimedia traffic in mobile heterogeneous environments. This architecture supports both multiple access networks and multiple service provider scenarios. The architecture is able to provide QoS per user and per service, implementing the notion of a user profile associated network management in the case of heterogeneous and mobile network access is presented based on cooperative association between QoS brokers and authentication, authorization, accounting, and charging systems. The overall exchange of messages is exemplified for the case of a field test with specific optimizations for voice traffic.
