Miljenko Mikuc

DXR: towards a billion routing lookups per second in software

Can a software routing implementation compete in a field generally reserved for specialized lookup hardware? This paper presents DXR, an IPv4 lookup scheme based on transforming large routing tables into compact lookup structures which easily fit into cache hierarchies of modern CPUs. DXR supports various memory/speed tradeoffs and scales almost linearly with the number of CPU cores. The smallest configuration, D16R, distills a real-world BGP snapshot with 417,000 IPv4 prefixes and 213 distinct next hops into a structure consuming only 782 Kbytes, less than 2 bytes per prefix, and achieves 490 million lookups per second (MLps) in synthetic tests using uniformly random IPv4 keys on a commodity 8-core CPU. Some other DXR configurations exceed 700~MLps at the cost of increased memory footprint. DXR significantly outperforms a software implementation of DIR-24-8-BASIC, has better scalability, and requires less DRAM bandwidth. Our prototype works inside the FreeBSD kernel, which permits DXR to be used with standard APIs and routing daemons such as Quagga and XORP, and to be validated by comparing lookup results against the BSD radix tree.

IMUNES Based Distributed Network Emulator

In this paper we describe a new version of our distributed network emulator that extends an existing kernel level emulator called IMUNES. IMUNES is based on a lightweight virtual machine concept and performs zero copying when packets traverse through the emulated topology. It works on a modified FreeBSD kernel and enables emulated nodes to use the standard UNIX applications. The main strengths of this tool are scalability, performance and high fidelity. We are developing a distributed network simulation to further increase the scalability by allowing parts of emulation to be deployed across a peer-to-peer emulator cluster. The decentralized management of the emulator cluster improves availability and robustness of the system. We provide support for a multi-user and multi-experiment environment to maximize the benefit from newly increased resources

A network testbed for commercial telecommunications product testing

Have open-source network topology emulators out-grown the realm of academic and educational playgrounds? We tackle with that question by dissecting our experiences with preproduction testing of functional blocks implemented in commercial carrier-grade telco equipment, which we performed in a testbed based on open-source tools. As the concepts and mechanisms on which popular network emulation platforms are based vary, so does their applicability to different problem domains in telco product testing. Our survey of the existing open-source tools reveals that the spectrum of their features and limitations is multidimensional, with the choice of virtualization techniques applied being crucial to the raw packet processing throughput, topology size scaling, experiment instantiation speeds, and the flexibility of integrating diverse tools in a single testbed environment. We measured key performance metrics for two conceptually similar emulation platforms (IMUNES and CORE) running on different operating systems (FreeBSD and Linux). Three testbed scenarios for commercial telecommunication products were described and analyzed.

Lightweight and adaptable solution for security agility

Secure communication is an important aspect of today’s interconnected environments and it can be achieved by the use of cryptographic algorithms and protocols. However, many existing cryptographic mechanisms are tightly integrated into communication protocols. Issues emerge when security vulnerabilities are discovered in cryptographic mechanisms because their replacement would eventually require replacing deployed protocols. The concept of cryptographic agility is the solution to these issues because it allows dynamic switching of cryptographic algorithms and keys prior to and during the communication. Most of today’s secure protocols implement cryptographic agility (IPsec, SSL/TLS, SSH), but cryptographic agility mechanisms cannot be used in a standalone manner. In order to deal with the aforementioned limitations, we propose a lightweight cryptographically agile agreement model, which is formally verified. We also present a solution in the Agile Cryptographic Agreement Protocol (ACAP) that can be adapted on various network layers, architectures and devices. The proposed solution is able to provide existing and new communication protocols with secure communication prerequisites in a straightforward way without adding substantial communication overhead. Furthermore, it can be used between previously unknown parties in an opportunistic environment. The proposed model is formally verified, followed by a comprehensive discussion about security considerations. A prototype implementation of the proposed model is demonstrated and evaluated.

A hierarchical approach to generating power law Internet-like topologies

Hierarchical Internet-like topology generators reflect the hierarchical structure of the Internet, but they neglect the power law property of Internet topologies. On the other hand, common power law topology generators obey the power law, but they do not provide support for different types of nodes. In this paper, we propose a new algorithm for creating Internet-like network topologies. We introduce a simple classification among different types of nodes in the topology generation process. We evaluate the topology produced by our algorithm by means of standard measures, such as the power law degree distribution coefficient, the clustering coefficient and the average path length. Our preliminary results show that the proposed algorithm generates Internet-like network topologies that provide realistic environment for simulation, testing and analyzes of network protocols.

An experiment in using IMUNES and Conpot to emulate honeypot control networks

Honeypots are used as a security measure both to divert the attention of a potential attackers intentions and to reveal the attacker since the only reason someone would interact with honeypots is if they are looking for a vulnerable target. Honeypots emulate only a part of the machine they are supposed to represent and contain no valuable data. ICS (Industrial Control System) is a term that is used for a system that monitors industrial plants, distributed control systems or other systems that mostly contain PLCs (Programmable Logic Controllers). Conpot is an open source honeypot that emulates PLC devices so it can be used in ICSs. However, Conpot can not emulate complex honeypot networks. The aim of this project is to make a tool that can be used to design a honeypot network which emulates an ICS. A network designed with that tool will be simulated as a part of this project and the data collected during the simulation will be analyzed.

Pushing the envelope: Beyond two billion IP routing lookups per second on commodity CPUs

Over the past two decades, implementing routing lookups in dedicated hardware has been accepted as an undisputable gold standard in core Internet routers due to ever increasing performance requirements and unabated global routing table growth. Several recent proposals depart from that line of thinking and suggest that software algorithms running on commodity multi-core CPUs might (again) become well suited for the task. In this article we describe a refined implementation of the DXR routing lookup scheme and subject it to a series of synthetic tests using BGP table snapshots from major Internet exchange points. Our measurements show that the algorithm scales nearly linearly on contemporary multi-core microprocessors, while the achieved peak aggregate throughput of almost 2.5 billion lookups per second presents an over a threefold increase over previously published results. Our experiments show that the aggregate throughput of a software routing lookup algorithm running on a modern commodity microprocessor can outperform a state-of-the-art ASIC chip by more than an order of magnitude, with reasonable expectations that this gap could easily double on the emerging 32- and 36-thread commodity CPUs.

Adaptable secure communication for the Cloud of Things

Cloud of Things (CoT) is a novel concept driven by the synergy of the Internet of Things (IoT) and cloud computing paradigm. The CoT concept has expedited the development of smart services resulting in the proliferation of their real world deployments. However, new research challenges arise because of the transition of research‐driven and proof‐of‐concept solutions to commercial offerings, which need to provide secure, energy‐efficient, and reliable services. An open research issue in the CoT is to provide a satisfactory level of security between various IoT devices and the cloud. Existing solutions for secure CoT communication typically use devices with pre‐loaded and pre‐configured parameters, which define a static setup for secure communication. In contrast to existing pre‐configured solutions, we present an adaptable model for secure communication in CoT environments. The model defines six secure communication operations to enable CoT entities to autonomously and dynamically agree on the security protocol and cryptographic keys used for communication. Further on, we focus on device agreement and present an original solution, which uses the Agile Cryptographic Agreement Protocol in the context of CoT. We verify our solution by a prototype implementation of CoT device agreement based on required security level, which takes into account the capabilities of communicating devices. Our experimental evaluation compares the average processing times of the proposed secure communication operations demonstrating the viability of the proposed solution in real‐world deployments. Copyright

Smart Detection and Classification of Application-Layer Intrusions in Web Directories

The Republic of Croatia homepage and directory of Croatian web servers (www.hr) attracts several thousand visitors daily, which makes it the target of various attacks. In order to lower the risk from such attacks, we propose a concept for an intrusion detection system and a classifier of detected intrusions. We first examined the concepts of existing intrusion detection systems and combined their individual benefits into a concept best suited for protecting web services on the application layer. The proposed concept uses machine learning techniques for both intrusion detection and classification. Intrusion detection, observed through analysis of requests, is implemented by a feed-forward neural network, while intrusion classification is done using self-organizing maps. The case study and preliminary evaluation is presented on the Republic of Croatia homepage (www.hr), followed by guidelines for further research.

Design issues in building a scalable network simulation/emulation middleware

Constant inventions in the field of distributed systems raise up the demands on network simulators. Resources needed for simulation of thousands to millions of nodes can be provided only by making simulators distributed. In the design process of distributed systems scalability and transparency present the key requirements. Some of the existing models for distributed systems can be used to model both of this needs, for example peer-to-peer architecture can model scalability, while middleware can model the transparency. By identifying key management issues in distributed simulation and by borrowing these concepts from distributed systems, we describe a new simulation layer that can be used by a variety of simulators.