Stefano Salsano

SIP security issues: the SIP authentication procedure and its processing load

Session Initiation Protocol (SIP) is currently receiving much attention and seems to be the most promising candidate as a signaling protocol for the current and future IP telephony services, also becoming a real competitor to the plain old telephone service. For the realization of such a scenario, there is an obvious need to provide a certain level of quality and security, comparable to that provided by the traditional telephone systems. While the problem of QoS mostly refers to the network layer, the problem of security is strictly related to the signaling mechanisms and the service provisioning model. For this reason, at present, a very hot topic in the SIP and IP telephony standardization track is security support. In this work, the security model used by SIP is described, and the different open issues are highlighted. We focus, in particular, on the problem of authentication providing a short tutorial on the solution under standardization. The architecture of a possible commercial IP telephony service including user authentication is also described. Finally, we focus on performance issues. By means of a real testbed implementation, we provide an experimental performance analysis of the SIP security mechanisms, based on our open source Java implementation of a SIP proxy server. The performance of the server has been compared with and without security support, under various scenarios.

Supporting the Web with an information centric network that routes by name

Information Centric Networking (ICN) is a new paradigm in which the network layer provides users with content, instead of providing communication channels between hosts, and is aware of the name (or identifiers) of the contents. A fundamental ICN operation is the routing of content requests towards a node that is able to provide the requested content. To meet this goal, different routing architectures have been proposed so far. In this paper, we consider a network that uses a routing-by-name architecture, i.e. content requests are routed on the base of the content name by using a name-based routing table. We focus on the scenario of fetching Web contents, assuming to use ICN in place of traditional TCP/IP means. In this scenario we need to handle tens of billions of name-based routes, due to the high numbers of Web contents and to the limited aggregability of their names. Consequently, re-using the existing architecture of an IP router would result in two severe problems. First, the current Forwarding Information Base (FIB) technology is unable to contain all name-based routes. Second, implementing a so large Routing Information Base (RIB) requires a very costly hardware. In order to overcome these problems, we propose a routing-by-name architecture, named Lookup-and-Cache, where the FIB is used as a cache of routes, while the RIB is stored in a remote and centralized routing engine. By analyzing real Internet traces, we prove the effectiveness of the proposed architecture, which we also show to be feasible with current technology. In fact, our ICN nodes require to have only a limited set of routes in their FIB, even when supporting a high number of traffic flows. We have implemented our proposed Lookup-and-Cache solution within the CCNx software framework and we used this implementation to assess system performance, such as download delay, lookup rate and fairness. The paper is completed with a discussion on how ICN can be used not only to fetch Web contents but also for other scenarios.

AQUILA: adaptive resource control for QoS using an IP-based layered architecture

Support for quality of service is an essential component of the next-generation Internet. The European research project AQUILA is committed to defining a DiffServ-based architecture for delivering on-demand QoS to requesting applications. Focal characteristics of the proposed solution are backward compatibility to the existing Internet and scalability to very large networks. To achieve such goals, AQUILA implements an overlaid distributed control layer, the resource control layer, implementing a novel mechanism for dynamic control of intradomain resources, the dynamic resource pool. On the interdomain aspects, the AQUILA architecture extends the BGRP framework for the aggregation of interdomain reservations to overcome scalability issues. This article describes the general AQUILA architecture, with a special focus on the DRP and BGRP mechanisms.

Advanced QoS provisioning in IP networks: the European premium IP projects

This article describes the current evolution of QoS architectures, mechanisms, and protocols in the Internet, as it is ongoing in the framework of the European Union funded research projects on premium IP networks. A short review of the proposed standard approaches to QoS (e.g., differentiated services, integrated services, and label switching technologies) is given. Then we focus on the state-of-the-art architectures, mainly based on DiffServ concepts. Several issues arise when trying to implement these architectures in the real world: QoS aspects, network monitoring of the offered QoS, and end-user control of received QoS. The article then discusses the existing results and the current direction of European research and development in these areas.

QoS control by means of COPS to support SIP-based applications

The COPS protocol has been designed to enable communication on the interface between the policy decision administrator and the policy enforcement devices in a policy-based networking environment. It can be recognized that on the same interface there is the need to transfer information related to the request of resource by QoS clients and for the allocation of resources by resource allocation servers (e.g., bandwidth broker) in a DiffServ network. Hence, it is sensible to add this resource allocation functionality in the COPS framework. In particular, there are at least two cases where it is sensible to use COPS. The first case is on the interface between an edge node and a resource control node for handling resource allocation in a network provider domain. The second case is on the interface between a customer (client of a QoS enabled network) and the network provider: here COPS can be used as a protocol to signal dynamic admission control requests. In this article we present the definition of a new COPS client type to support the above-mentioned functionality, then describe an application scenario where SIP-based IP telephony applications can use Diffserv-based QoS networks. Simple backward-compatible enhancements to SIP are needed to interact with COPS/Diffserv QoS. A testbed implementation of the proposed solutions is finally described.

Information centric networking over SDN and OpenFlow: Architectural aspects and experiments on the OFELIA testbed

Information Centric Networking (ICN) is a new networking paradigm in which the network provides users with content instead of communication channels between hosts. Software Defined Networking (SDN) is an approach that promises to enable the continuous evolution of networking architectures. In this paper we propose and discuss solutions to support ICN by using SDN concepts. We focus on an ICN framework called CONET, which grounds its roots in the CCN/NDN architecture and can interwork with its implementation (CCNx). Although some details of our solution have been specifically designed for the CONET architecture, its general ideas and concepts are applicable to a class of recent ICN proposals, which follow the basic mode of operation of CCN/NDN. We approach the problem in two complementary ways. First we discuss a general and long term solution based on SDN concepts without taking into account specific limitations of SDN standards and equipment. Then we focus on an experiment to support ICN functionality over a large scale SDN testbed based on OpenFlow, developed in the context of the OFELIA European research project. The current OFELIA testbed is based on OpenFlow 1.0 equipment from a variety of vendors, therefore we had to design the experiment taking into account the features that are currently available on off-the-shelf OpenFlow equipment.

Transport-layer issues in information centric networks

Content to be transported over an Information Centric Networking (ICN) infrastructure can be very variable in size, from few bytes to hundreds of gigabytes. Therefore it needs to be segmented in smaller size data units, typically called chunks, in order to be handled by ICN nodes. A chunk is the basic data unit to which caching and security (e.g. encryption and signature) functions are applied. If we consider the overhead and the number of cryptographic operations to be performed by nodes, a good choice for the chunk size would be from hundreds of KBs up to few MBs. However, if the chunk size is bigger than the Maximum Transfer Unit of a link, chunks will be fragmented. We show that if we have more than 3-4 fragments per chunk, and congestion and reliability functions are executed on a chunk by chunk basis, the efficiency of the congestion control algorithm drastically decreases. On the other side, a small chunk size would increase overhead and rate of signature checks. The contribution of this paper is twofold: 1) we propose to segment content in two levels: at the first level the content is segmented in chunks, at the second level the chunks are segmented into smaller data units, handled by an ICN specific Transport Protocol (ICTP), performing reliability and congestion control functions; 2) we propose to adopt a receiver-driven transport protocol, in which the receiver adjusts the sending rate to control congestion, we describe an implementation of this protocol, and evaluate its performance.

Supporting information-centric functionality in software defined networks

The Information-Centric Networking (ICN) paradigm is expected to be one of the major innovation of the Future Internet An ICN can be characterized by some key components like: (i) the content-centric request/reply paradigm for data distribution, (ii) route-by-name operations, and (iii) in-network caching. In this paper we focus on a framework for ICN called CONET (COntent NETwork) and in particular on a solution devised under this framework called coCONET. coCONET characteristics make it suitable for deployment in accordance to the Software Defined Networks (SDN) philosophy. In this paper, we will describe how coCONET can be implemented over an OpenFlow (the most popular SDN instantiation, to date) network and how OpenFlow should be modified to better suit the operations of coCONET and, more in general, of ICN solutions.

Design and implementation of the OFELIA FP7 facility: The European OpenFlow testbed

The growth of the Internet in terms of number of devices, the number of networks associated to each device and the mobility of devices and users makes the operation and management of the Internet network infrastructure a very complex challenge. In order to address this challenge, innovative solutions and ideas must be tested and evaluated in real network environments and not only based on simulations or laboratory setups. OFELIA is an European FP7 project and its main objective is to address the aforementioned challenge by building and operating a multi-layer, multi-technology and geographically distributed Future Internet testbed facility, where the network itself is precisely controlled and programmed by the experimenter using the emerging OpenFlow technology. This paper reports on the work done during the first half of the project, the lessons learned as well as the key advantages of the OFELIA facility for developing and testing new networking ideas. An overview on the challenges that have been faced on the design and implementation of the testbed facility is described, including the OFELIA Control Framework testbed management software. In addition, early operational experience of the facility since it was opened to the general public, providing five different testbeds or islands, is described.

Off-line configuration of a MPLS over WDM network under time-varying offered traffic

Coupling MPLS traffic engineering on top of a wavelength-routed WDM layer offers great flexibility to operators to allocate traffic demands in their networks. We consider the problem of off-line joint configuration at both packet and optical layers. We consider time-variant offered traffic, and assume that the operator has knowledge of the traffic dynamics as a set of traffic matrices at different instants. A novel mixed integer linear programming (MILP) formulation is proposed, which takes as input this set of traffic matrices, and provides an optimal static configuration capable of accommodating the time-varying traffic. We provide a resolution strategy based on heuristics, and give numerical results for some sample cases. The proposed method is compared with a simple alternative approach for obtaining a single static solution, to show that our method utilizes much fewer resources. The solution under the proposed formulation is also compared with the set of solutions obtained by running distinct optimization problems at different instants, showing that the increase of resource is minimal. Hence our approach can provide a static configuration with about the same resources as a fully adaptable dynamical configuration.