
Publication


Featured research published by Andreas Klenk.


IEEE Network | 2008

Behavior and classification of NAT devices and implications for NAT traversal

Andreas Müller; Georg Carle; Andreas Klenk

For a long time, traditional client-server communication was the predominant communication paradigm of the Internet. Network address translation (NAT) devices emerged to help with the limited availability of IP addresses and were designed with the hypothesis of asymmetric connection establishment in mind. But with the growing success of peer-to-peer applications, this assumption is no longer true. Consequently, NAT traversal became a field of intensive research and standardization for enabling efficient operation of new services. This article provides a comprehensive overview of NAT and introduces established NAT traversal techniques. A new categorization of applications into four NAT traversal service categories helps to determine applicable techniques for NAT traversal. The Interactive Connectivity Establishment (ICE) framework is categorized, and a new framework is introduced that addresses scenarios that are not supported by ICE. Current results from a field test on NAT behavior and the success ratio of NAT traversal techniques support the feasibility of this classification.


European Workshop on System Security | 2009

Preventing identity theft with electronic identity cards and the trusted platform module

Andreas Klenk; Holger Kinkelin; Christoph Eunicke; Georg Carle

Together with the rapidly growing number of services in the Internet, authentication becomes an issue of increasing importance. A very common situation is that for each service, users must remember the associated name and password they are registered under. This method is prone to identity theft, and its usability leaves much to be desired. The Trusted Platform Module (TPM) is a microcontroller with cryptographic functions that is integrated into many computers. It is capable of protecting against software attacks. The TPM can generate and store non-migratable keying material for authentication and is an effective safeguard against the acquisition and use of an identity by an adversary. Even though the TPM prohibits identity theft, Internet services still have few options to verify the true identity of a user. Electronic identity cards (eIDs) assert the identity of their owner. Their large-scale deployment can be expected in the near future. The use of eIDs is impaired, though: they must be present for each authentication, and all devices must be equipped with a compatible card reader. We mitigate the problems of both approaches by using eIDs for establishing trust in user-specific TPM authentication credentials. The eID and a compatible reader must be present only once, for establishing the initial trust. We integrated our identity-theft-resistant authentication method with the OpenID identity system to allow a large number of services to profit from verified and trustworthy identity assertions.


International IFIP TC Networking Conference | 2008

On the applicability of knowledge based NAT-traversal for home networks

Andreas Müller; Andreas Klenk; Georg Carle

The presence of Network Address Translation (NAT) is a hindrance when accessing services within home networks, because NAT breaks the end-to-end connectivity model of the Internet protocol suite. Communication across NATs is only possible if it is initiated from a host belonging to the internal network. Thus, services expecting a connection established from the outside fail in most situations. Existing approaches for NAT-Traversal do not cover the full range of NAT-Traversal methods and fail in certain situations, or deliver suboptimal results in others. Part of the problem of existing approaches is that they do not differentiate between different types of applications. We argue that the classification of applications into four service categories helps to determine the best matching NAT-Traversal technique. An extensive field test enables us to acquire knowledge about the success rates of promising NAT-Traversal techniques. These results will help us to develop a knowledge-driven NAT-Traversal framework that makes its choice based on an understanding of NAT behavior, NAT-Traversal options and the service category of the application.


International Conference on Autonomic and Autonomous Systems | 2008

Towards Autonomic Service Control in Next Generation Networks

Andreas Klenk; Michael Kleis; Benoit Radier; Sanaa Elmoumouhi; Georg Carle; Mikael Salaun

Current standardization efforts aim towards a unifying platform for fixed and mobile telecommunication services. The IP Multimedia Subsystem (IMS) is advocated as the candidate for building next generation networks (NGNs). However, the direction taken in standardization is towards a rather static architecture with centralized features. The downside is an expected increase in service management complexity and the need for highly specialized infrastructures. This paper presents an approach for improving service quality, scalability and reliability while facilitating service management towards self-managing next generation networks. To approach this, we utilize and combine functionality available in the network using a peer-to-peer based service composition mechanism. The construction of composed services is based on a service chain principle and incorporates information about available services, QoS and applicable SLAs.


International Workshop on Self-Organizing Systems | 2007

Automated trust negotiation in autonomic environments

Andreas Klenk; Frank Petri; Benoit Radier; Mikael Salaun; Georg Carle

Autonomic computing environments rely on devices that are able to make intelligent decisions without human supervision. Automated Trust Negotiation supports the cooperation of devices with no prior trust relationship. They can reach an agreement by iteratively exchanging credentials during a negotiation process. These credentials can serve as authorization tokens or may carry information that becomes a parameter of the further service usage. A careful negotiation strategy helps in protecting sensitive credentials that must only be available to authorized entities. We introduce the VersaTrust framework that supports a stateless negotiation protocol to reach comprehensive agreements. We argue how this approach applies to autonomic environments and demonstrate its scalability.


Annales Des Télécommunications | 2006

An architecture for autonomic security adaptation

Andreas Klenk; Heiko Niedermayer; Marcus Masekowsky; Georg Carle

Communication is the grounding principle of today's complex applications, where the functionalities of the overall system are much more powerful than those of the isolated components. The task of keeping the communication system operable is highly critical due to the configuration complexity and the need for manual administration. Autonomous configuration mechanisms offer a compelling solution for the communication problem. We present an architecture for the autonomous configuration of secure, layer-independent, end-to-end connections in this paper. The Extensible Security Adaptation Framework (Esaf) strictly separates the particularities of communication setups from the communication usage by the applications. Applications are unaware of the utilized security mechanisms and the complex configuration thereof. Protocols and security primitives can be easily introduced into the system, whereas others might be disabled due to vulnerabilities, without the need to modify existing programs. Moreover, the setup can adapt to changing environments dynamically during runtime.

Résumé: Communication is the basic element of today's complex applications, in which the functionalities of the entire system are far more powerful than those of the isolated components. Because of the complexity of the configuration and the need for manual administration, the task of keeping the communication system operational is highly critical. A compelling solution to the communication problem is offered by autonomous configuration mechanisms. In this publication, we present an architecture for the autonomous configuration of secure, layer-independent end-to-end connections. The Extensible Security Adaptation Framework (Esaf) strictly separates the particularities of communication environments from their use by applications. Applications are unaware of the security mechanisms used and of their complex configuration. Protocols and security primitives can easily be introduced into the system, while others may be disabled because of vulnerabilities, without the need to modify existing programs. Furthermore, the setup is able to adapt dynamically to changing environments at runtime.


Global Communications Conference | 2009

ANTS - A Framework for Knowledge Based NAT Traversal

Andreas Müller; Andreas Klenk; Georg Carle

Today most home networks are connected to the Internet via Network Address Translation (NAT) devices. NAT is an obstacle for services that should be accessible from the public Internet. Especially applications following the peer-to-peer paradigm suffer from the existence of NAT. Various NAT Traversal methods emerged in research and standardization, but none of them can claim to be a general solution working in the heterogeneous environment of today's networks. This paper introduces the Advanced NAT Traversal Service (ANTS), a framework improving the communication of existing and future applications across NAT devices. The core idea of ANTS is to use previously acquired knowledge about NAT behavior and services for setting up new connections. We introduce the architecture of the extensible framework and propose a signaling protocol for the coordination of distributed instances. Finally, we compare the framework to ICE, showing that ANTS is not only more flexible but also faster, due to the decoupled connectivity checks.


Service-Oriented Computing and Applications | 2012

Iterative multi-party agreement negotiation for establishing collaborations

Andreas Klenk; Andreas Beck-Greinwald; Hannes Angst; Georg Carle

Inter-domain collaborations suffer not only from technological obstacles that hinder interoperability, but also from diverging business objectives of the involved domains. Today, hand-crafted contracts define the terms and conditions for service interactions. Electronic negotiation can serve as the enabler of dynamic inter-domain collaborations by providing a large degree of freedom for the automation of agreement formation and electronic contracting. Negotiation by electronic means has been an area of intensive research for many years now. However, most effort went into the determination of prices and neglected that real-world agreements also consist of complex dependencies of interdependent obligations. In this paper we present agreement negotiation as a tool to establish ad hoc service collaborations. Our novel protocol allows for the discovery of complex agreement options and for the formation of multi-party agreements. The protocol works through an iterative exchange of requirements and offers. A major benefit over existing bilateral negotiation protocols is that our protocol is capable of discovering potential collaborations between different parties. It leaves each negotiating party with a complete agreement document after a successful negotiation. This comprehensive agreement document defines the interdependent obligations between all parties and is well suited for e-contracting.


Kommunikation in Verteilten Systemen | 2009

Pluggable Authorization and Distributed Enforcement with pam_xacml

Andreas Klenk; Tobias Heide; Benoit Radier; Mikael Salaun; Georg Carle

Access control is a critical functionality in distributed systems. Services and resources must be protected from unauthorized access. The prevalent practice is that service-specific policies reside at the services and govern the access control. It is hard to keep distributed authorization policies consistent with the global security policy of an organization. A recent trend is to unify the different policies in one coherent authorization policy. XACML is a prominent XML standard for formulating authorization rules and for implementing different authorization models. Unifying authorization policies requires an integration of the authorization method with a large application base. The XACML standard does not provide a strategy for the integration of XACML with existing applications. We present pam_xacml, an authorization extension for the Pluggable Authentication Modules (PAM). We argue how existing applications can leverage XACML without modification and state the benefits of using our extended version of the authorization API for PAM. Our experimental results quantify the impact of security and connection establishment when using remote Policy Decision Points (PDPs). Our approach provides a method for introducing XACML authorization into existing applications and is an important step towards unified authorization policies.


6th IEE International Conference on 3G and Beyond (05/11182) | 2005

Architecture for a Service-Oriented and Convergent Charging in 3G Mobile Networks and Beyond

Ralph Kühne; Uve Reimer; Morton Schläger; Falko Dressler; Changpeng Fan; Ali Fessi; Andreas Klenk; Georg Carle

Collaboration

Top co-authors of Andreas Klenk:

Ali Fessi (University of Tübingen)

Falko Dressler (University of Erlangen-Nuremberg)

Hannes Angst (University of Tübingen)