Kiyohiko Okayama

A MAC-address Relaying NAT Router for PC Identification from Outside of a LAN

NAT (Network Address Translation) is well-known as one of the short-term solutions of IPv4 address exhaustion. NAT is a technique that shares a single IP address in several PCs, and is widely used for alleviating the IPv4 address exhaustion and as a security solution. However, when a backbone network has access control function for PCs based on their IP addresses, it cannot identify the PCs under a NAT router since their original IP addresses are hidden by the NAT router. In this research, we focus on MAC address which identifies PC at datalink layer and propose a NAT router which relays the MAC addresses of PCs inside of a LAN to the outside. Since the source MAC addresses of packets sent from PCs are preserved even after being relayed by the NAT router, a LAN access control server outside of the NAT router can still identify these PCs based on their MAC addresses instead of their IP addresses.

A protection method against massive error mails caused by sender spoofed spam mails

Wide spread of spam mails is one of the most serious problems on e-mail environment. Particularly, spam mails with a spoofed sender address should not be left alone, since they make the mail server corresponding to the spoofed address be overloaded with massive error mails generated by the spam mails, and since they waste a lot of network and computer resources. In this paper, we propose a protection method of the mail server against such massive error mails. This method introduces an additional mail server that mainly deals with the error mails in order to reduce the load of the original mail server. This method also provide a function that refuses error mails to these two mail servers to save the network and computer resources.

Priority control in receiving e-mails by giving a separate response to each DNS query

Delivering e-mails without unnecessary delay is one of the very important issues as the spread of e-mail service and its use become very common. But in case that a mail transfer agent (MTA) is heavily loaded by huge amount of mails sent to the MTA, not only the delay on mail delivery is inevitable but also managing the MTA service becomes difficult. Thus, a delivery method that treats legitimate mails with priority is requested. In this paper, we focus on the query to the domain name service (DNS) which is usually processed just before the mail transfer, and propose a new delivery method which separates legitimate mails from others according to the source IP address of the DNS query. That is, employing a crafted DNS server which responds to each DNS query with separate IP address, and wait for incoming mails at each address, we get a correspondence table between a DNS query and the incoming mail. And we also show that we can lead legitimate mails to the separated mail servers by dynamically changing the DNS response based on this table, and deliver them with short delay even in the case that others servers are loaded by many other mails

Throughput Optimization in TCP with a Performance Enhancing Proxy

To improve TCP throughput performance, a method using a PEP (Performance Enhancing Proxy) has been proposed. The PEP operates on a router along a TCP connection. When a data packet arrives at the PEP, it forwards the packet to the destination host, transmits the corresponding ACK (premature ACK) to the source host in behalf of the destination host, and stores a copy of the packet into its own buffer (PEP buffer) in case retransmission of the packet is required. As a congestion control method on the PEP, a method which keeps the number of prematurely acknowledged packets in the PEP buffer below a threshold (watermark) value has been proposed. However, the relation between the watermark value and throughput is not sufficiently investigated, and an optimization method of the watermark value is not proposed. In this paper, we first investigate the relation between the watermark value and the average throughput. Extensive simulations show that the simulation results are roughly classified into two cases. In the first case, the average throughput becomes larger for larger watermark values and becomes a constant value when the watermark is over a certain value. In the second case, although the average throughput becomes larger for larger watermark values in the same way, it decreases when the watermark is over a certain value. Next, based on the results about the relation, we propose an watermark optimization algorithm which can adaptively maximize the average throughput of each connection and also satisfy a fairness condition that the average throughputs of connections are equal to each other.

A Method of Dynamic Interconnection of VLANs for Large Scale VLAN Environment

VLAN (virtual LAN) is a technology which, can configure logical networks independent of the physical network structure. With VLAN, users in common spaces (such as meeting rooms) can access their department networks temporarily because changing of logical network structure is achieved only by configuration of VLAN switches. However, in the general configuration method, because VLANs are managed statically by administrators, various problems such as high administrative cost and conflict or insufficiency of VLAN-IDs may arise especially in large scale organizations where VLANs are managed by each department. To solve these problems, we propose a method which provides an interconnection between a temporary configured VLAN in a common space and a VLAN of a users department. In the proposed method, a user in a common space can access to his/her department network seamlessly by converting a temporary VLAN-ID in the common space and a VLAN-ID used in his/her department each other automatically. The effectiveness of the proposed method is confirmed by the experiment on the actual network using VLAN managers, VLAN-ID converters and authentication servers based on the proposed method

An Optical-Drop Wavelength Assignment Algorithm for Efficient Wavelength Reuse under Heterogeneous Traffic in WDM Ring Networks

The wavelength-division multiplexing (WDM) technology has been popular in communication societies for providing very large communication bands by multiple lightpaths with different wavelengths on a single optical fiber. Particularly, a double-ring optical network architecture based on the packet-over-WDM technology such as the HORNET architecture, has been extensively studied as a next generation platform for metropolitan area networks (MANs). Each node in this architecture is equipped with a wavelength-fixed optical-drop and a fast tunable transmitter so that a lightpath can be established between any pair of nodes without wavelength conversions. In this paper, we formulate the optical-drop wavelength assignment problem (ODWAP) for efficient wavelength reuse under heterogeneous traffic in this network, and prove the NP-completeness of its decision problem. Then, we propose a simple heuristic algorithm for the basic case of ODWAP. Through extensive simulations, we demonstrate the effiectiveness of our approach in reducing waiting times for packet transmissions when a small number of wavelengths are available to retain the network cost for MANs.

An Efficient Management Method of Access Policies for Hierarchical Virtual Private Networks

VPN (virtual private network) is one of the most important technologies on the Internet. With VPN, we can securely access to resources in the organizational network via the Internet. In VPNs having hierarchical structure, since each VPN domain has different access policy (whether VPN gateway should perform authentication, data encryption, and so on or not), an administrator of a VPN domain may need to configure access policies which are different from every VPN sub-domain. However, in the existing VPN methods, since access policies are stored in a static configuration file of each VPN gateway, an administrator of a VPN domain has to cooperate with the other administrators of its sub-domains. Therefore, management cost of access policies becomes considerably large if the organization has large and complicated structure. In this paper, we propose an efficient management method of access policies for hierarchical VPNs. In order to reduce management cost, we introduce a database with hierarchical structure to represent access policies easily and policy servers to get access policies automatically. The effectiveness of our proposed method is confirmed by an experiment on an actual network using policy servers based on the proposed method.

Design and Implementation of Optimal Route Selection Mechanism for Outbound Connections on IPv6 Multihoming Environment

The Internet has been widely deployed as an infrastructure to provide various ICT (Information and Communication Technology) services today. Some typical services such as e-mail, SNS (Social Network Service) and WWW rely considerably on the Internet in terms of reliability and effectiveness. In this paper, we focus on the IPv6 site multihoming technology and its collaboration with route selection mechanism, which have been reported as one solution to accomplish these goals. Even if a host can easily obtain multiple IP addresses in IPv6 multihomed site, it has to select a proper site-exit router when sending out a packet in order to avoid ingress filtering. Especially, when an inside host initializes an outbound connection it can barely select a proper site-exit router based on its source IP address. To solve this problem, we propose an optimal route selection method for IPv6 multihomed site. With this method, a middleware will be deployed within each inside host so as to connect to the destination host through multiple site-exit router during the initialization phase simultaneously, and then use the first established one for data communication. We also embedded a kind of Network Address Translation (NAT) feature into the middleware to avoid the ingress filtering. By analyzing the results of our experiments on the prototype system we confirmed that the proposed method worked as well as we expected and the collaboration of the site multihoming technology and the proper route selection method can be one possible solution for IPv6 site multihoming in a real network environment.

New Approach for Configuring Hierarchical Virtual Private Networks Using Proxy Gateways

VPN is one of key technologies on the Internet that allows users to access securely to resources in a domain via unsecure networks. For hierarchically nested security domains, such as an RD and by incorporating a proxy gateway to accommodate communication between clients and the security gateway, this permits secure and highly efficient communications without modifying the client or server.