Hirofumi Yamaki

Network Virtualization Using VPN for Stable Communication with Offshore Cloud

It has become common to access cloud computers in other countries via the Internet. However, in some countries, many international communication channels are suddenly shut down by governmental bodies. This causes significant degradation of the Quality of Service (QoS) for accessing cloud computers, Web conferences, and so on. To cope with this, we propose a network virtualization method for intelligent routers to detect the restriction of international communication and form VPN bypass. The routers placed at users offices bypass/switch routes from the internet to VPN contracted by each enterprise or company to ensure QoS and only during shutdown and the like not to be regulated by governmental bodies. More concretely, a method for applying asymmetric criteria to decide whether to bypass is proposed for robust Internet operation to keep connections with cloud servers. Differential values of network latency are used for detecting the start of intentional network barriers, and absolute threshold values to determine both their start and end. This method is verified by a network simulator as well as latency on real regulation. Validation has been done by more than 50 offices successful real usage.

Seamless Virtual Network for International Business Continuity in Presence of Intentional Blocks

In developing countries, links are poor among domestic communities or internet service providers. Besides, international internet channels are suddenly blocked by such as Golden Shield (GS) in China. Offshore business communications are involved in these. To avoid such involvement, a seamless virtual network is proposed as an international business communication bridging solution. This uses Round Trip Time (RTT) based multiple thresholds for differential switch to Virtual Private Network (VPN) bypass. The characteristics are (1) using multiple threshold integrated differential calculus of RTT increase, a sign of the block is recognized as the steep staircase increase of RTT, (2) followed by the immediate automatic switch to VPN having RTT below 200ms. (3) Asymmetrically, only the absolute threshold value and continuation time are used to determine when to switch back. This method is analytically and statistically evaluated as being successful (below 3% errors), using around 200 cases of data on GS blocks. Furthermore, it has been validated by the real seamless usage in more than 20 offshore companies for three years. Besides response time in offshore applications, our method can also alleviate problems such as voice echoes and video jitters which irritate business users. These effects were validated analytically and by questionnaires to scores of business customers.

Intelligent bypass method Exploiting VPN for stable offshore business on the Internet

It has become common to access offshore cloud computers via the Internet. However, in some countries Governmental bodies suddenly block international communication channels. If involved in such blocking as called GS (Golden shield) in China, significant degradation of QoS occurs in accessing cloud/remote computers, Web conference pages, etc. To avoid such involvement and continue smooth access to offshore cloud systems, an intelligent bypass method using VPN from business companies to cloud/remote computer sites is proposed. The characteristics are as follows: (1) a sign of the above restriction is recognized, using differential calculus effective to predict the network latency increase of a multiple staircase, (2) immediately followed by switching to VPN bypass before serious network latency starts, (3) but, only the absolute threshold value and elapsed time are used asymmetrically to determine the end of bypassing. This method is verified by the latency data on real blocking of GS.

Network virtualization by differentially switched VPN for stable business communication with offshore computers

Accessing offshore cloud or remote computers via the Internet has become popular. However, in some countries, governmental agencies or organizations may suddenly block international communication links. Temporary blocks or more permanent barriers as China’s Golden Shield (GS) are known to introduce significant network latency or Quality of Service (QoS) degradation that may hinder offshore business. To avoid this, we propose a network virtualization method and tool based on recognizing step-wise increases of Round Trip Time (RTT) that are caused by intentionally blocking international communication links. Our method predicts and avoids intentional blocks or restriction as follows: (1) the onset of the restriction is predicted or recognized in the early stage, using differential calculus of RTT, (2) immediate switching to Virtual Private Network (VPN) bypass is automatically performed before serious increase in network latency is experienced by users. (3) Asymmetrically, non-differential threshold value and elapsed time are used to determine the end of restriction and switch back to the open (ordinary or public) Internet. Our method is validated by quantitative analysis on latency data corresponding to real GS blocks. Furthermore, 2–3 years’ successful usage of our tool in more than fifty offices confirms our method’s stable and dependable communication as well as its reasonable cost.

Evaluation of Method for Multiplexing Communication Routes to Avoid Intentional Barriers

It is common to operate an IT system where client computers in offices in a country access cloud computers in another country via the Internet. However, in some countries including China, network communication is often shut down by governmental bodies, in addition to network outage caused by network attacks. In case of such intentional interruptions, users need countermeasures to avoid them. Here, we propose a method to form bypass routes which consist of application-level gateways and intelligent routers placed at offices where client computers run, to select bypass routes based on the Internet status. A method for applying asymmetric criteria to decide whether to apply bypass routes is proposed for robust operation of Internet based applications. Differential values of network latency are used for detecting intentional barriers through monitoring and analyzing the huge amount of temporal data, and absolute values to determine their ends. Such temporal data analysis knowledge is verified by a network simulator.

Integration of Wifi Services Based on the IEEE802.11u Standard

This paper presents a novel technique to integrate multiple Wifi services into a single hardware access point. This is achieved by combining service advertisement mechanism defined in the IEEE 802.11u standard and dynamic VLAN assignment used in enterprise-level networks, both of which are for authentication techniques to achieve secure and flexible access to IP-based networks. Compared to virtual access points which is normal solution, a larger number of services can be integrated into an access point without degrading the performance of network access services. The method, the implementation a prototype system and the result of performance test are described.

Implementation of a User Account Provisioning System Based on NFC for Public Wi-Fi Services

For secure usage of public Wi-Fi services, mutual authentication between service providers and users is required. However, because the cost of the user account provisioning to achieve mutual authentication is high, the level of authentication is suppressed low in many services. In this research, we aim to reduce this cost. One of the problems in user account provisioning is that theft or swap of authentication information is performed as man-in-the-middle attack during message exchange process for authentication. In Near-Field Communication(NFC), it is hard for adversary to get between communicators. In this paper, to achieve a user account provisioning of public Wi-Fi services based on NFC, we propose a secure system for both service providers and users.

Multiplexing communication routes with proxy-network to avoid intentional barriers in large scale network

It has become common to operate an IT system where client computers in offices in a country access cloud computers in another country via the Internet. On the other hand, in some countries including China, network communication is often shut down by governmental bodies, in addition to network outage caused by network attacks. In the presence of these intentional or deliberate interruptions, users of such systems need some countermeasures to avoid them. In this paper, we propose a method to form bypass routes which consists of application-level gateways, and intelligent routers, which are placed at offices where client computers are run, to select bypass routes based on the status of the Internet. A method for applying asymmetric criteria in order to decide whether to apply bypass routes is proposed for robust operation of Internet-based applications. In our approach, differential values of network latency are used for detecting intentional barriers, and absolute values to determine their ends. This method is applied in practice and supports the continuity of network based systems in China.

Performance Analysis of Bidirectional Private Policy Matching Protocol Based on Additively Homomorphic Encryption Systems

Automated Trust Negotiation (ATN) is a mechanism to establish mutual trust between service providers and users in an open network environment like the Internet. In this paper, we propose Bidirectional Private Policy Matching based on Additively Homomorphic Encryption Systems(BPPM/AHES) as an ATN negotiation protocol where uni-directional private policy matching based on additively homomorphic encryption systems is repeated. In this protocol, there is no disclosure of credentials before the negotiation succeeds. Because there is no unnecessary disclosure of policies except for policies which can be inferred the negotiation outcome, the amount of the unnecessary disclosure of policies decreases compared to existing protocols.

A Flexible Authorization Mechanism for Public Wireless LAN Services Based on Automated Trust Negotiation

An EAP method, EAP-ATN, is proposed for controlling accesses to services provided to general public in open environments, such as public wireless LAN access services. Automated Trust Negotiation (ATN) is a framework where a service provider and a client collaboratively determine whether to trust each other by exchanging credentials. By performing ATN as an EAP method, flexible and secure usage of public wireless access is achieved, compared to the current deployment of such services. This paper sketches the implementation of a prototype access control system based on EAP-ATN, and gives the result of a preliminary performance test.