Martin J. Reed

Bandwidth protection in MPLS networks using p-cycle structure

This paper addresses the routing of backup tunnels with bandwidth guarantee in MPLS networks. Backup tunnels implemented by the packet layer in MPLS are seen as a useful alternative (or addition) to the schemes offered by a SONET/SDH layer in particular for providing protection for real time packet services such as voice over IP. Many schemes have been proposed, working with MPLS, to provide the switching architecture for backup tunnels. However, the routing of the tunnels in these schemes is not clearly defined and hence the motivation for this work. This paper investigates the use of the p-cycle scheme to route the bandwidth-guaranteed backup tunnels, a scheme that was originally devised for optical transport networks and IP/MPLS networks as well. We demonstrate that the problem (as for all but trivial p-cycle schemes) is too large to solve optimally and propose a relaxation method that pre-selects candidate cycles that are likely to provide a good solution. Furthermore, we show that working load distributions can significantly affect the performance of a p-cycle scheme and compare two routing algorithms to show how good distribution of working load can help increase the efficiency of the system.

IP over ICN - The better IP?

This paper presents a proposition for information centric networking (ICN) that lies outside the typical trajectory of aiming for a wholesale replacement of IP as the internetworking layer of the Internet. Instead, we propose that a careful exploitation of key ICN benefits, expanding previously funded ICN efforts, will enable individual operators to improve the performance of their IP-based services along many dimensions. Alongside the main motivation for our work, we present an early strawman architecture for such an IP-over-ICN proposition, which will ultimately be implemented and trialed in a recently started H2020 research effort.

Service-oriented multi-granular optical network testbed

This paper presents a service-oriented multi-granular multi-format network demonstrator. Service-oriented wavelength and sub-wavelengthnetwork connection establishment is being demonstrated by utilising SOON-JIT protocols to support VoD HD and Quad-HD multi-media applications.

Scalability of information centric networking using mediated topology management

Information centric networking is a new concept that places emphasis on the information items themselves rather than on where the information items are stored. Consequently, routing decisions can be made based on the information items rather than on simply destination addresses. There are a number of models proposed for information centric networking and it is important that these models are investigated for their scalability if we are to move from early prototypes towards proposing that these models are used for networks operating at the scale of the current Internet. This paper investigates the scalability of an ICN system that uses mediation between information providers and information consumers using a publish/subscribe delivery mechanism. The scalability is investigated by extrapolating current IP traffic models for a typical national-scale network provider in the UK to estimate mediation workload. The investigation demonstrates that the mediation workload for route determination is on a scale that is comparable to, or less than, that of current IP routing while using a forwarding mechanism with considerably smaller tables than current IP routing tables. Additionally, the work shows that this can be achieved using a security mechanism that mitigates against maliciously injected packets thus stopping attacks such as denial of service that is common with the current IP infrastructure.

Optimized hash for network path encoding with minimized false positives

The Bloom filter is a space efficient randomized data structure for representing a set and supporting membership queries. Bloom filters intrinsically allow false positives. However, the space savings they offer outweigh the disadvantage if the false positive rates are kept sufficiently low. Inspired by the recent application of the Bloom filter in a novel multicast forwarding fabric, this paper proposes a variant of the Bloom filter, the optihash. The optihash introduces an optimization for the false positive rate at the stage of Bloom filter formation using the same amount of space at the cost of slightly more processing than the classic Bloom filter. Often Bloom filters are used in situations where a fixed amount of space is a primary constraint. We present the optihash as a good alternative to Bloom filters since the amount of space is the same and the improvements in false positives can justify the additional processing. Specifically, we show via simulations and numerical analysis that using the optihash the false positives occurrences can be reduced and controlled at a cost of small additional processing. The simulations are carried out for in-packet forwarding. In this framework, the Bloom filter is used as a compact link/route identifier and it is placed in the packet header to encode the route. At each node, the Bloom filter is queried for membership in order to make forwarding decisions. A false positive in the forwarding decision is translated into packets forwarded along an unintended outgoing link. By using the optihash, false positives can be reduced. The optimization processing is carried out in an entity termed the Topology Manger which is part of the control plane of the multicast forwarding fabric. This processing is only carried out on a per session basis, not for every packet. The aim of this paper is to present the optihash and evaluate its false positive performances via simulations in order to measure the influence of different parameters on the false positive rate. The false positive rate for the optihash is then compared with the false positive probability of the classic Bloom filter.

Uniform DoS traceback

Denial of service (DoS) is a significant security challenge in the Internet. Identifying the attackers so that their attack traffic can be blocked at source is one strategy that can be used to mitigate DoS attacks. However, determining the source can be difficult due to the inherent connectionless nature of IP. Traceback using various marking schemes that overload, mostly unused, fields in the IP header are promising techniques to identify the source of the attack. This paper shows that the marking probability used in two existing techniques: probabilistic packet marking (PPM) and dynamic probabilistic packet marking (DPPM) are not optimal and derives an optimal marking scheme called uniform probabilistic packet marking (UPPM). The performance of UPPM is shown to be improved compared to PPM and DPPM by performing comparative numerical analysis. One significant advantage of UPPM over these earlier techniques is that it performs marking at the level of autonomous systems (ASs) rather than at every router. This has advantages both in terms of marking overhead and allowing the optimal formulation of marking probability by utilizing metrics readily available from BGP-4, the inter-AS routing protocol.

Sufficient Encryption with Codewords and Bin-strings of H.264/SVC

Multi-layered scalable bit-stream distribution requires protection for the rendering and transmission of its individual layers. This paper presents a sufficient encryption (SE) scheme for SVC layers which maintains the compression efficiency and the format compliancy of scalable bit-streams, without compromising the security. The purpose of SE is achieved by applying the partial encryption on carefully selected codewords and bin-strings of the CAVLC and CABAC of H.264/SVC respectively. The performance of the scheme is tested on various resolution sequences, which demonstrate the advantages of the scheme when compared to alternative techniques. These advantages include: minimal computational delay by encrypting partial data; no bit-rate escalation by keeping the compression ratio unchanged; and, format compliancy of the bit-stream at the decoder. A comparative security analysis of the scheme confirms that it is suitable for commercial, real-time applications. The minimal increase in processing requirements ensures that the scheme is highly suitable for video distribution to users who have subscribed to differing video qualities on end systems ranging from small handheld devices to those with high computational capability.

Traffic engineering for information-centric networks

Information-centric networking (ICN) proposes a networking architecture that uses methodologies such as publish-subscribe to achieve a data-oriented approach as opposed to a destination based approach found in the current Internet. This new architecture brings both new problems to be solved and also natural solutions to existing problems. This paper investigates an intra-domain traffic engineering (TE) problem for an information-centric networking (ICN) architecture where a form of source routing is used as the forwarding mechanism. The TE goal is to maximise the residual capacity in the network so that the load is spread evenly. A network flow approach is used and it is shown that the source routing mechanism allows the traffic to be split across multiple paths in a manner that is difficult to achieve using existing IP or IP/MPLS networks. Allowing splittable flows means that a fully polynomial-time approximation scheme can be used that has superior results when compared to existing constraint based routing schemes for flows that cannot be split. Consequently, this work demonstrates that the ICN architecture can simplify the given TE problem in a natural manner.

Efficient selective encryption with H.264/SVC CABAC bin-strings

The distribution of copyrighted scalable video content to differing digital devices should be protected during rendering and transmission. The proposed scheme is applied to H.264 Scalable Video Coding (SVC) CABAC bin-strings in a compression-friendly and decoder format compliant manner. It achieves this by careful selection of the entropy coder syntax elements for selective encryption (SE) with respect to SVC. Tests show that: decoding delay is small, replacement and key substitution attacks are fruitless; there is no increase in bitrate; and the stream remains format compliant. The proposed SE scheme is extremely suitable for video distribution to users who have subscribed to differing video qualities on medium- to high-computationally capable digital devices.

Confidentiality of a selectively encrypted H.264 coded video bit-stream

It is an assumption that selective encryption does not strongly protect confidentiality owing to the partial visibility of some video data. This is because, though encryption keys may be difficult to derive, an enhanced version of selectively encrypted video sequence might be found from knowledge of the unencrypted parts of the sequence. An efficient selective encryption method for syntax elements of H.264 encoded video was recently proposed at the entropy coding stage of an H.264 encoder. Using this recent scheme as an example, the purpose of this paper is a comprehensive cryptanalysis of selectively encrypted H.264 bit-streams to contradict the previous assumption that selective encryption is vulnerable. The novel cryptanalysis methods presented in this paper analyze the ability of an attacker to improve the quality of the encrypted video stream to make it watchable. The conclusion is drawn that if the syntax elements for selective encryption are chosen using statistical and structural characteristics of the video, then the selective encryption method is secure. The cryptanalysis is performed by taking into account the probability distribution of syntax elements within the video sequence, the relationship of syntax elements with linear regression analysis and the probability of successfully attacking them in order to enhance the visual quality. The results demonstrate the preservation of distorted video quality even after considering many possible attacks on: the whole video sequence; each video frame; and on small video segments known as slices.