Marco Bonola

Performance Assessment of an Epidemic Protocol in VANET Using Real Traces

Abstract Many vehicular ad-hoc network protocols have been validated using complex urban mobility simulators or by means of the few publicly available real mobility traces. This work presents an extensive measurement campaign of the positions of a fleet of 370 taxi cabs moving around the city of Rome, Italy. Due to its street network and its traffic conditions, Rome presents a characteristic mobility pattern representative of an ancient city with heavy road congestion, and therefor provides a valuable test case to experiment VANET protocols. We exploit these traces to run a set of experiments to assess the performance of a simple epidemic protocol that we compare with the basic random waypoint model in order to quantify how far the performance metrics are from this baseline. The results show the possible outcomes of implementing data dissemination through an opportunistic network that uses taxi cabs as an information vector.

The SPARTA pseudonym and authorization system

This paper deals with privacy-preserving (pseudonymized) access to a service resource. In such a scenario, two opposite needs seem to emerge. On one side, the service provider may want to control, in first place, the user accessing its resources, i.e., without being forced to delegate the issuing of access permissions to third parties to meet privacy requirements. On the other side, it should be technically possible to trace back the real identity of a user upon dishonest behavior, and of course, this must be necessary accomplished by an external authority distinct from the provider itself. The framework described in this paper aims at coping with these two opposite needs. This is accomplished through (i) a distributed third-party-based infrastructure devised to assign and manage pseudonym certificates, decoupled from (ii) a two-party procedure, devised to bind an authorization permission to a pseudonym certificate with no third-party involvement. The latter procedure is based on a novel blind signature approach which allows the provider to blindly verify, at service subscription time, that the user possesses the private key of the still undisclosed pseudonym certificate, thus avoiding transferability of the authorization permission.

Stateful OpenFlow: Hardware proof of concept

This paper presents a hardware implementation of Openstate, an extension of OpenFlow that allows performing stateful control functionalities directly inside the switch, without requiring the intervention of an external controller. The paper shows how, with a minimal reworking of the OpenFlows basic architecture, and reusing the same building blocks, it is possible to greatly extend the intelligence of an OpenFlow switch allowing the offload of many control task directly in the switch. An FPGA based implementation of an Openstate prototype is here presented, the different architectural design choices are discussed, and the performance and limitations of the developed prototype are examinated. Finally, the paper proposes a discussion on the performance achievable by using an ASIC implementation of the OpenState switch1.

StreaMon: A software-defined monitoring platform

The fast evolving nature of modern cyber threats and network monitoring as well as the increasing interest in virtualization approaches for more complex network middlebox functionalities call for new, “software-defined”, solutions to virtualize and simplify the programming and deployment of online (stream-based) traffic analysis functions. StreaMon is based on a data-plane abstraction devised to scalably decouple the “programming logic” of a traffic analysis application (tracked states, features, anomaly conditions, etc.) from elementary primitives (counting and metering, matching, events generation, etc), efficiently pre-implemented in the probes, and used as common instruction set for supporting the desired logic. The proposed SDN approach entails platform-independent, portable, multi-tenant online traffic analysis tasks written in a high level language and enables system users to completely virtualize network monitoring functionalities, isolate aggregated traffic flows and run multiple independent applications on a single software instance of the StreaMon platform. We validate our design by developing a prototype and a set of simple (but functionally demanding) use-case applications and by testing them over real traffic traces.

Per-application Mobility management: Performance evaluation of the UPMT solution

In this paper, we provide the performance evaluation of the UPMT (Universal Per-application Mobility management using Tunnels) solution. UPMT offers per-application mobility management, i.e. the capability of separately taking handover decisions for each application. UPMT supports legacy applications, private IP addressing/NATs and it is an overlay solution that does not require the access network to offer any specific support. We have implemented UPMT under Linux OS and made it available under the GPL Open Source license.

The SPARTA Pseudonym and Authorization System

This paper deals with privacy-preserving (pseudonymized) access to a service resource. In such a scenario, two opposite needs seem to emerge. On one side, the service provider may want to control in first place the user accessing its resources, i.e., without being forced to delegate the management of access permissions to third parties to meet privacy requirements. On the other side, it should be technically possible to trace back the real identity of an user upon dishonest behavior, and of course this must be necessary accomplished by an external authority distinct from the provider itself. The framework described in this paper aims at coping with these two opposite needs. This is accomplished through i) a distributed third-party-based instrastructure devised to assign and manage pseudonym certificates, decoupled from ii) a two-party procedure, devised to bind an authorization permission to a pseudonym certificate with no third-party involvement. The latter procedure is based on a novel blind signature approach which allows the provider to blindly verify, at registration time, that the user possesses the private key of the still undisclosed pseudonym certificate, thus avoiding transferability of the authorization permission.

StreaMon: A Data-Plane Programming Abstraction for Software-Defined Stream Monitoring

The fast evolving nature of modern cyber threats and network monitoring needs calls for new, “software-defined”, approaches to simplify and quicken programming and deployment of online (stream-based) traffic analysis functions. StreaMon is a carefully designed data-plane abstraction devised to scalably decouple the “programming logic” of a traffic analysis application (tracked states, features, anomaly conditions, etc.) from elementary primitives (counting and metering, matching, events generation, etc), efficiently pre-implemented in the probes, and used as common instruction set for supporting the desired logic. Multi-stage multi-step real-time tracking and detection algorithms are supported via the ability to deploy custom states, relevant state transitions, and associated monitoring actions and triggering conditions. Such a separation entails platform-independent, portable, online traffic analysis tasks written in a high level language, without requiring developers to access the monitoring device internals and program their custom monitoring logic via low level compiled languages (e.g., C, assembly, VHDL). We validate our design by developing a prototype and a set of simple (but functionally demanding) use-case applications and by testing them over real traffic traces.

On the feasibility of “breadcrumb” trails within OpenFlow switches

Several network protocols require the ability to dynamically deploy, along a network path, stateful data, nicknamed “breadcrumbs”, used to forward packets on the reverse direction. This is the case of either classical reverse path forwarding schemes, as well as more recent information centric networking approaches. Perhaps surprisingly, this paper shows that such capability is already somewhat at reach in current OpenFlow switch architectures: its support requires only very marginal modification of the existing OpenFlow hardware. We support our claim with a concrete hardware proof-of-concept implementation, and we show, with the help of both traditional reverse path schemes and original approaches, how such functionality can be programmed via a platform-agnostic abstraction.

Mobility Support in User-Centric Networks

In this paper, an overview of challenges and requirements for mobility management in user-centric networks is given, and a new distributed and dynamic per-application mobility management solution is presented. After a brief summary of generic mobility management concepts, existing approaches from the distributed and peer-to-peer mobility management literature are introduced, along with their applicability or shortcomings in the UCN environment. Possible approaches to deal with the decentralized and highly dynamic nature of UCNs are also provided with a discussion and an introduction to potential future work.

D-StreaMon: From middlebox to distributed NFV framework for network monitoring

Many reasons make NFV an attractive paradigm for IT security: lowers costs, agile operations and better isolation as well as fast security updates, improved incident responses and better level of automation. On the other side, the network threats tend to be increasingly complex and distributed, implying huge traffic scale to be monitored and increasingly strict mitigation delay requirements. Considering the current trend of the networking and the requirements to counteract to the evolution of cyber-threats, it is expected that also network monitoring will move towards NFV based solutions. In this paper, we present D-StreaMon an NFV-capable distributed framework for network monitoring realized to face the above described challenges. It relies on the StreaMon platform, a solution for network monitoring originally designed for traditional middleboxes. An evolution path which migrates StreaMon from middleboxes to Virtual Network Functions (VNFs) has been realized.