Alberto Caponi
University of Rome Tor Vergata
Publications
Featured research published by Alberto Caponi.
ACM Special Interest Group on Data Communication | 2013
Giuseppe Bianchi; Andrea Detti; Alberto Caponi; Nicola Blefari Melazzi
In some network and application scenarios, it is useful to cache content in network nodes on the fly, at line rate. Resilience of in-network caches can be improved by guaranteeing that all content stored therein is valid. Digital signatures could indeed be used to verify content integrity and provenance. However, their operation may be much slower than the line rate, thus limiting caching of cryptographically verified objects to a small subset of the forwarded ones. How does this affect caching performance? To answer this question, we devise a simple analytical approach which permits us to assess the performance of an LRU caching strategy storing a randomly sampled subset of requests. A key feature of our model is the ability to handle traffic beyond the traditional Independent Reference Model, thus permitting us to understand how performance varies under different temporal locality conditions. Results, also verified on real-world traces, show that content integrity verification does not necessarily bring about a performance penalty; rather, in some specific (but practical) conditions, performance may even improve.
IEEE Communications Surveys and Tutorials | 2017
Tooska Dargahi; Alberto Caponi; Moreno Ambrosin; Giuseppe Bianchi; Mauro Conti
Software-defined networking (SDN) emerged as an attempt to introduce network innovations faster, and to radically simplify and automate the management of large networks. SDN traditionally leverages OpenFlow as its device-level abstraction. Since OpenFlow permits the programmer to “just” abstract a static flow table, any stateful control and processing intelligence is necessarily delegated to the network controller. Motivated by the latency and signaling overhead that comes along with such a two-tiered SDN programming model, in the last couple of years several works have proposed innovative switch-level (data plane) programming abstractions capable of deploying some smartness directly inside the network switches, e.g., in the form of localized stateful flow processing. Furthermore, the possible inclusion of states and state maintenance primitives inside the switches is currently being debated in the OpenFlow standardization community itself. In this paper, after having provided the reader with a background on such emerging stateful SDN data plane proposals, we focus our attention on the security implications that data plane programmability brings about. Also via the identification of potential attack scenarios, we specifically highlight possible vulnerabilities specific to stateful in-switch processing (including denial of service and saturation attacks), which we believe should be carefully taken into consideration in the ongoing design of current and future proposals for stateful SDN data planes.
IEEE AESS European Conference on Satellite Telecommunications | 2012
Andrea Detti; Alberto Caponi; Nicola Blefari-Melazzi
This paper explores possible advantages of the Information Centric Networking (ICN) paradigm in a geostationary satellite network. We find that, with respect to plain HTTP services, ICN makes it possible to reduce the downstream bandwidth consumed for Internet access by better exploiting the temporal locality of references within requested streams of Web content. We present an ICN satellite architecture, describe its peculiar mechanisms and assess our solution through simulations.
International Symposium on Wireless Communication Systems | 2015
Alberto Caponi; Andrea Detti; Michele Luglio; Cesare Roseti; Francesco Zampognaro
Mobile user terminals allow access to different networks through several interfaces. Seamless communication is an essential requirement, and service continuity is its main metric from the user's perspective. Mobile IPv6, ad-hoc routing, dynamic link layer protocols and the SDN paradigm greatly facilitate mobility and network flexibility. Nonetheless, full mobility is limited by NAT routers or proxy agents, which break end-to-end semantics, such as Performance Enhancing Proxies (PEPs), a mandatory component of satellite networks used to optimize performance. A PEP spoofs TCP connections to end users and hides the connection context from end-user control. Thus, any dynamic path change causes the ongoing connections to drop, impairing service continuity. In this paper, we present an enhanced PEP implementation, Mobile-PEP, able to manage handovers without connection context transfer. Its main operations and added value in several satellite-based operational scenarios are shown here, leveraging a Mobile-PEP prototype implementation.
Global Communications Conference | 2013
Andrea Detti; Alberto Caponi; Giuseppe Tropea; Giuseppe Bianchi; Nicola Blefari-Melazzi
Information Centric Networking (ICN) is a paradigm in which the network layer provides users with content addressed “by name”. In-network caching is one of the key functionalities to be provided by ICN nodes. To avoid network nodes caching fake content, it is necessary to verify the validity of data items. A content item is deemed valid if it satisfies three properties: i) integrity: it has not been modified; ii) provenance: it comes from the intended source; iii) relevance: it is indeed the content requested by the user (by means of the name of that content). In this paper, we discuss the interplay among three pivotal ICN aspects: caching, validity and naming. Specifically, we investigate different naming and digital signature schemes, evaluating their speed, their overhead and their impact on caching performance. Perhaps counter-intuitively, we find that the relatively slow verification time of today's signatures, which bottlenecks the rate at which new data items are stored in the network caches, does not come as a critical shortcoming, but may actually even improve the cache hit probability when the LRU caching policy is employed.
Proceedings of the 8th ACM International Workshop on Hot Topics in Planet-scale mObile computing and online Social neTworking | 2016
Claudio Pisa; Alberto Caponi; Tooska Dargahi; Giuseppe Bianchi; Nicola Blefari-Melazzi
Two mainstream techniques are traditionally used to authorize access to a WiFi network. Small scale networks usually rely on the offline distribution of a WPA/WPA2 static pre-shared secret key (PSK); security hence relies on the fact that this PSK is not leaked by end users, and is not disclosed via dictionary or brute-force attacks. On the other side, Enterprise and large scale networks typically employ online authorization using an 802.1X-based authentication service leveraging a backend online infrastructure (e.g. Radius servers/proxies). In this work, we propose a new mechanism which requires neither online operation nor a backend access control infrastructure, yet does not force us to rely on a static pre-shared secret key. The idea is very simple, yet effective: directly broadcast in the WLAN beacons an encrypted version of the secret key required to access the WLAN network, so that only the users who possess suitable authorization credentials can decrypt and use it. This proposed approach clearly decouples the management of authorization credentials, issued offline to the authorized end users, from the actual secret key used in the WLAN network, which can thus in principle be changed at each new user's access. The solution described in the paper relies on attribute-based encryption, and is designed to be compatible with WPA2 and deployable within standard 802.11 management frames. Since no user identification is required (access control is based on attributes rather than on the user identity), the proposed approach further improves privacy. We demonstrate the feasibility of the proposed solution via a concrete implementation on Linux-based devices and via relevant testing in a real-world experimental setup.
Workshop on Local and Metropolitan Area Networks | 2017
Pier Luigi Ventre; Alberto Caponi; Giuseppe Siracusano; Davide Palmisano; Stefano Salsano; Marco Bonola; Giuseppe Bianchi
Many reasons make NFV an attractive paradigm for IT security: lower costs, agile operations and better isolation as well as fast security updates, improved incident response and a better level of automation. On the other side, network threats tend to be increasingly complex and distributed, implying huge traffic volumes to be monitored and increasingly strict mitigation delay requirements. Considering the current trend in networking and the requirements to counteract the evolution of cyber-threats, it is expected that network monitoring will also move towards NFV-based solutions. In this paper, we present D-StreaMon, an NFV-capable distributed framework for network monitoring realized to face the above-described challenges. It relies on the StreaMon platform, a solution for network monitoring originally designed for traditional middleboxes. An evolution path which migrates StreaMon from middleboxes to Virtual Network Functions (VNFs) has been realized.
Wireless and Mobile Computing, Networking and Communications | 2017
Claudio Pisa; Tooska Dargahi; Alberto Caponi; Giuseppe Bianchi; Nicola Blefari-Melazzi
User authentication at Wi-Fi Access Points (APs) is becoming an important issue. Wi-Fi APs are indeed ubiquitous, but existing authentication methods such as a WPA/WPA2 static pre-shared secret key (PSK), or 802.1X-based online authentication services (e.g., RADIUS servers/proxies), have their theoretical or practical limitations. In a previous work, we proposed WI-FAB, a new authentication mechanism which neither requires an online backend access control infrastructure nor relies on a static pre-shared secret key. In this paper, we extend WI-FAB by removing the need for a central authority for user authentication and credential issuing. Our main contribution is twofold: (i) adopting decentralized multi-authority CP-ABE, we support users who hold authentication/authorization credentials from multiple authorities. We decouple user credential issuing from the management of the WPA2-PSK, so that neither the credential issuing authority can track the users, nor the AP can access the real identity of the users. Considering an extensive attack model, we show that the proposed approach is secure and preserves the privacy of the users. (ii) We provide a real-world implementation of the proposed approach on off-the-shelf embedded hardware to demonstrate its feasibility and efficiency.
Wireless and Mobile Computing, Networking and Communications | 2017
Francesca Cuomo; Manuel Campo; Alberto Caponi; Giuseppe Bianchi; Giampaolo Rossini; Patrizio Pisani
LoRaWAN is emerging as an attractive network infrastructure for ultra-low-power Internet of Things devices. Although the technology itself is quite mature and specified, how to effectively allocate wireless resources so as to support a large number of devices in the same terrestrial area is an open challenge. This paper contributes by proposing two algorithms (of incremental complexity) which are shown to outperform the basic Adaptive Rate Strategy (ADR) considered so far. A first approach, named EXPLoRa-SF, shows the benefits of a simple strategy which does not limit itself to using (as ADR does) distance/RSSI measurements, but also selects Spreading Factors (SF) based on the total number of connected devices. The advantages attained with EXPLoRa-SF further lead us to propose a more sophisticated algorithm, named EXPLoRa-AT, which employs an innovative “ordered waterfilling” approach that attempts to allocate the spreading factors so as to equalize the Time on Air of the packets transmitted by the system's end devices in each spreading factor group. Simulation results show that the proposed algorithms significantly outperform the basic ADR strategy; in particular, the EXPLoRa-AT algorithm appears very robust to different operating conditions and consistently guarantees high bit rates in the case of high traffic loads.
Availability, Reliability and Security | 2016
Luigi Stammati; Claudio Pisa; Tooska Dargahi; Alberto Caponi; Giuseppe Bianchi
While the usage of behavioural features for authentication purposes is gaining more and more consensus in the community, there is less consensus on which specific behavioural traits may be useful in different settings. This calls for flexible tools which the application developer can leverage to automate the extraction and management of behavioural features for identification and authentication. This paper specifically describes a framework called FEBA (Feature Extraction Based on Action), which to the best of our knowledge is the first open-source framework that provides the developer with simple and flexible means to: i) define application-specific actions, ii) recognize actions based on the received raw data, and iii) finally extract the action-specific features. We have built a complete implementation of FEBA, and made it available online to facilitate future research in this context. To prove the performance of FEBA, we provide an experimental evaluation of a use case scenario, i.e., mouse movement feature extraction and pattern recognition. We believe that FEBA will help researchers and developers to design and implement novel behavioural authentication mechanisms.