Ali Fessi

Network resilience: a systematic approach

The cost of failures within communication networks is significant and will only increase as their reach further extends into the way our society functions. Some aspects of network resilience, such as the application of fault-tolerant systems techniques to optical switching, have been studied and applied to great effect. However, networks - and the Internet in particular - are still vulnerable to malicious attacks, human mistakes such as misconfigurations, and a range of environmental challenges. We argue that this is, in part, due to a lack of a holistic view of the resilience problem, leading to inappropriate and difficult-to-manage solutions. In this article, we present a systematic approach to building resilient networked systems. We first study fundamental elements at the framework level such as metrics, policies, and information sensing mechanisms. Their understanding drives the design of a distributed multilevel architecture that lets the network defend itself against, detect, and dynamically respond to challenges. We then use a concrete case study to show how the framework and mechanisms we have developed can be applied to enhance resilience.

Wide-Area Virtual Machine Migration as Resilience Mechanism

The resilience of services in the Internet has become an important issue and is expected to become even more important in the future. Virtualization is one of the means which can be deployed for resilience purposes. In this paper we follow a systematic approach to the use of virtualization to increase the resilience of network services. First, we provide an analysis of the potential failures of services running within Virtual Machines (VM) and how VM migration or replication can be used to address these failures. Then, we address the problem of re-establishing connectivity between a service and its clients upon successful migration, by leveraging results from mobility research. A special focus is given to wide-area VM migration, since it is considered as the solution for some difficult failures, e.g., large-scale failures due to natural disasters.

Pr2-P2PSIP: privacy preserving P2P signaling for VoIP and IM

In the last few years, there has been a good deal of effort put into the research and standardization of P2P-based VoIP signaling, commonly called P2PSIP. However, there has been one important issue which has not been dealt with adequately, privacy. Specifically i) location privacy, and ii) privacy of social interaction in terms of who is communicating with whom. In this paper, we present Pr2-P2PSIP, a Privacy-Preserving P2PSIP signaling protocol for VoIP and IM. Our contribution is primarily a feasibility study tackling the privacy issues inherent in P2PSIP. We leverage standard security protocols as well as concepts and experiences learned from other anonymization networks such as Tor and I2P where applicable. We present the design and on-going implementation of Pr2-P2PSIP and provide a threat analysis as well as an analysis of the overhead of adding privacy to P2PSIP networks. Particularly we analyze cryptographic overhead, signaling latency and reliability costs.

Path-coupled signaling for NAT/firewall traversal

Many complex protocols negotiate secondary flows on the application layer. Examples of such protocols include many peer-to-peer applications, SIP, H.323, etc. In general, this prevents firewalls from allowing them and through NATs public/private address space mapping from routing them. In this paper, we describe the requirements and design of an end-application triggered, path-coupled signaling protocol for NAT/firewall traversal. Finally, we show a prototypical implementation and discuss preliminary performance evaluation.

Resilience: Widerstandsfähigkeit des Internets gegen Störungen – Stand der Forschung und Entwicklung

ZusammenfassungObwohl das heutige Internet erstaunlich gut funktioniert, kann es nicht als widerstandsfähig bzw. ,,resilient“ bezeichnet werden. Ein Grund dafür ist, dass sich die Anforderungen an das Internet, seitdem es enstanden ist, außerordentlich weiterentwickelt haben. In diesem Artikel beleuchten wir zunächst den Begriff ,,Resilience“. Danach beschreiben wir konkret die diesbezüglichen Schwachstellen des heutigen Internets. Hauptbeitrag dieses Artikel ist eine ausführliche Übersicht über verschiedene Technologien, welche bereits heute zur Erhöhung der Netzwerk-Resilience eingesetzt werden können bzw. das Netz in naher bis ferner Zukunft noch widerstandsfähiger gestalten können oder werden.

CoSIP – a hybrid architecture for reliable and secure SIP services

ABSTRACT Currently the most prominent service on SIP basis is Voice over IP (VoIP). Despite its growing popularity, it has not yet been able to substitute the “good old” Public Switched Telephone Network (PSTN). Security, reliability, emergency calls and SPAM over IP Telephony (SPIT) are issues that have not yet been solved satisfactorily. In our approach, Cooperative SIP (CoSIP), we address two important issues: reliability and security. CoSIP is a hybrid architecture based on a Peer-to-Peer (P2P) network cooperating with central servers. The P2P network consists of SIP User Agents (UA) that organize themselves in a Distributed Hash Table (DHT). Both the DHT and the server manage user registrations and session establishments in parallel. While the P2P network provides better service reliability and robustness against denial of service (DoS) attacks, the server provides improved security for the overall architecture and a better lookup performance. Our new architcture uses both technologies in parallel to combine advantages from both concepts, leading to improved reliability, security and performance. Our prototype implementation of CoSIP acts as a local SIP proxy and can be used with standard SIP clients. The proxy implements the additional CoSIP functionalities. We successfully validated the functionality of CoSIP on PlanetLab.