Ricardo Nabhen

Optimal DiffServ AC Design using Non-Linear Programming

Most DiffServ admission control (AC) algorithms rely on tuning parameters to help in the decision making. Tuning these parameters is a difficult task, especially when one considers the problem of assuring QoS guarantees to individual flows. This paper proposes a method for helping the design of DiffServ AC algorithms based on non-linear programming optimization. It enables to find the values for the AC parameters that permits to satisfy the QoS guarantees for individual VoIP flows, while minimizing a cost function that represents the performance goals of the service provider. This approach is used to compare the performance of some commonly used DiffServ AC techniques and also to design a novel AC algorithm based on queue estimates.

A Policy Based Framework for Access Control

This paper presents a policy-based framework for managing access control in distributed heterogeneous systems. This framework is based on the PDP/PEP approach. The PDP (Policy Decision Point) is a network policy server responsible for supplying policy information for network devices and applications. The PEP (Policy Enforcement Point) is the policy client (usually, a component of the network device/application) responsible for enforcing the policy. The communication between the PDP and the PEP is implemented by the COPS protocol, defined by the IETF. The COPS (Common Open Policy Service) protocol defines two modes of operation: outsourcing and provisioning. The choice between outsourcing and provisioning is supposed to have an important influence on the policy decision time. This paper evaluates the outsourcing model for access control policies based on the RBAC (Role-Based Access Control) model. The paper describes a complete implementation of the PDP/PEP framework, and presents the average response time of PDP under different load conditions.

Some Experiences in Using Virtual Machines for Teaching Computer Networks

Laboratory practice is a fundamental aspect of computer network learning. Experiments tend to be very specific, frequently demanding changes in the local network topology and privileged access to the operating system configuration. These features impose a specific and exclusive laboratory for network teaching experiments. However, it is not always possible to provide such laboratory; the reality in most institutions is to have shared laboratories, used by different students and disciplines. This problem can be alleviated by the use of virtual machines, allowing each student to build his/her own network experiment, using the appropriate topology, and thus not disturbing the other activities running in the lab. This paper presents some experiences in using virtual machines to teach advanced aspects of computer networks, such as IPSec, firewalls and network services. Also, some key points are highlighted in order to show the benefits of virtual machines for pedagogical practice.

An RBAC-based policy information base

This paper presents a framework for representing and distributing access control policies in distributed heterogeneous systems. Access control polices follow the RBAC (role based access control) model proposed by the NIST. The framework is based on the provisioning strategy defined by IETF, i.e., the RBAC information is represented in terms of a PIB (policy information base) and distributed to the enforcement elements using the COPS-PR protocol. This approach can be explored in several scenarios, for configuring both, network devices and RBAC-aware applications. The provisioning process takes into account the capabilities of the enforcement element, permitting to eliminate or adapt the configuration not supported by the managed device or application.

RBPIM: a PCIM-based framework for RBAC

This paper presents a PCIM-based framework for storing and enforcing RBAC (role based access control) policies in distributed heterogeneous systems. PCIM (policy core information model) is a generic information model proposed by IETF. This paper proposes a PCIM extension, called RBPIM (role-based policy information model), in order to represent network access policies based on the RBAC model. An RBPlM implementation framework based on the POP/PEP (policy decision point/policy enforcement point) approach is also presented. In the proposed framework, the communication between the PDP and the PEPs is implemented using the COPS (common open policy service) protocol, also defined by the IETF. The framework adopts the outsourcing approach, where the policy rules are evaluated by the PDP, as defined by the COPS standard. This paper evaluates the outsourcing model for access control by presenting a case study and the average response time of PDP under different load conditions.

Modeling a multi-queue network node with a fuzzy predictor

Capacity planning of IP-based networks is a difficult task. Ideally, in order to estimate the maximum amount of traffic that can be carried by the network, without violating QoS requirements such as end-to-end delay and packet loss, it is necessary to determine the queue length distribution of the network nodes under different traffic conditions. When per-flow guarantees are required (e.g., VoIP traffic), it is also necessary to determine the impact of the queue behavior on the performance of individual flows. Analytical models for queue length distribution are available only for relatively simple traffic patterns. This paper proposes a generic method for building a fuzzy predictor for modeling the behavior of a DiffServ node with multiple queues. The method combines nonlinear programming (NLP) and simulation to build a fuzzy predictor capable of determining the performance of a DiffServ node subjected to both per-flow and aggregated performance guarantees. This approach does not require deriving an analytical model, and can be applied to any type of traffic. In this paper, we employ the fuzzy approach to model the behavior of a multi-queue node where (aggregated ON-OFF) VoIP traffic and (self-similar) data traffic compete for the network resources.

A Policy-Based Framework for RBAC

This paper presents a PCIM-based framework for storing and enforcing RBAC (Role Based Access Control) policies in distributed heterogeneous systems. PCIM (Policy Core Information Model) is an information model proposed by IETF. It defines a vendor independent model for storing network policies that control how to share network resources. PCIM is a generic core model. Application-specific areas must be addressed by extending the policy classes and associations proposed by PCIM. In this context, this paper proposes a PCIM extension, called RBPIM (Role-Based Policy Information Model), in order to represent network access policies based on the RBAC model. A RBPIM implementation framework based on the PDP/PEP (Policy Decision Point/Policy Enforcement Point) approach is also presented and evaluated.

Beyond scalability: Swarm intelligence affected by magnetic fields in distributed tuple spaces

Abstract Tuple Spaces have long been recognized as a simple and elegant model for parallel and distributed computing. This is mainly because of spatial and temporal uncoupling of system components, which simplifies inter-process communication as well as component inclusion and replacement. However, Tuple Spaces have shown scalability limitations when employed in large scale and highly demanding contexts. In order to deal with this problem, “bioinspired” techniques based on swarm intelligence including SwarmLinda and Anti-Over-Clustering have been proposed. This work shows that although these approaches do improve the system scalability, they end up producing an important degradation on tuple search performance, due to poor tuple placement. By applying the concept of “virtual magnetic fields” to swarms, a novel solution called Magnetic SwarmLinda is proposed. Magnetic SwarmLinda arranges tuples in expandable clusters of clusters (called “magnetic clusters”) naturally providing load balancing among the supporting computing nodes. Simulation results show that the proposed strategy outperforms previous approaches in most scenarios.

Analysis of individual flows performance for delay sensitive applications

SLA management approaches typically adopt provisioning strategies based on aggregate traffic in order to support end-to-end delay requirements of applications. They do not take into account individual flows needs in terms of delay. However, this delay can be very higher than the one observed by aggregate traffic, causing an important impact in network application performance. This paper presents a study based on simulations that makes an analysis of the end-to-end delay observed by individual flows. Several scenarios are used to evaluate this performance and some metrics are proposed to investigate empirical relations that show the end-to-end delay behavior when are analyzed individual flows, the aggregate traffic and the network load.