Walter Wong

Secure naming in information-centric networks

In this paper, we present a secure naming system to locate resources in information-centric networks. The main goal is to allow secure content retrieval from multiple unknown or untrusted sources. The proposal uses a new, flexible naming scheme that is backwards compatible with the current. URL naming scheme and allows for independent content identification regardless of the routing, forwarding, and storage mechanisms by separating the source and location identification rules in the URI/URL authority fields. Some benefits of the new naming system include the opportunity to securely retrieve content from any source in the network, content mobility, content validation with the original source, and full backwards compatibility with the current naming system.

Neighborhood search and admission control in cooperative caching networks

In-network caching of content is a popular technique for eliminating redundant traffic from the network and improve the performance of network applications. In this paper we present a novel cooperative caching strategy to improve performance of in-network caches. Our cooperative scheme is composed of an admission policy for the incoming data and a content exchange protocol between neighbor network caches to improve the search zone. The admission policy enforces that a previously cached data is not unnecessary replicated in other caches, resulting in more space for new data. The content exchange protocol allows for exchange on cached data, increasing the hit rate for incoming requests. The benefits are twofold: first, we reduce the redundant content caching in the network, and second, we improve the hit rate by informing the content cached in the nearby caches. As a proof-of-concept, we have implemented a prototype and evaluated its performance using different large-scale topologies against standard non-cooperative caching algorithms. Our numerical results show that both admission and content exchange policies yield large performance gains over standard algorithms.

Content Routers: Fetching Data on Network Path

In this paper we present an in-network caching architecture based on content routers to improve the traffic efficiency in the Internet. The main idea is to provide a forwarding fabric where data requests are forwarded towards the closest caches in the network path. Conversely, data chunks from the servers are cached in the content routers along the path, serving further requests. In addition, content routers store a neighborhood mapping of available routers, leveraging resource discovery in the network proximity. Some benefits of the architecture include multi-source content retrieval, better traffic efficiency and gradual deployment. As a proof-of-concept, we implemented a content router prototype and evaluated it in different scenarios comparing the bandwidth, latency and neighborhood search. The experimental results show that the content router can leverage multi-source content retrieval with bandwidth reduction without incurring in increased latency.

An Architecture for Mobility Support in a Next-Generation Internet

The current internetworking architecture presents some limitations to naturally support mobility, security and multi- homing. Among the limitations, the IP semantic overload seems to be a primary issue to be considered. In this paper we present a next generation internetworking architecture to overcome the IP semantic overload by introducing an identity layer located between the network and transport layers. This new layer provides a stable cryptographic identifier for end-hosts and seamlessly allows the deployment of new services, such as mobility, multi-homing and security. A prototype was implemented and evaluated considering some mobility scenarios, including intra-domain, inter-domain and simultaneous node mobility.

A next generation internet architecture for mobility and multi-homing support

The current internetworking architecture presents some limitations to naturally support mobility and multi-homing. Among the limitations, the IP semantic overload seems to be a primary issue to be considered. In this paper we present a next generation internetworking architecture to overcome the IP semantic overload by introducing an identification layer located between the network and transport layers. This new layer provides a stable identifier for end-hosts, enabling the natural deployment of new services, such as mobility, multi-homing and security embedded. We implemented a prototype and evaluated it considering the legacy application support in mobility scenarios.

Piece Fingerprinting: Binding Content and Data Blocks Together in Peer-to-Peer Networks

Peer-to-peer systems provide a scalable content distribution environment where each peer contributes with a share of resources in the distributed system. The efficiency of peer-to-peer networks comes from the file segmentation procedure, allowing peers to redistribute small pieces of the original file as soon as they finish downloading them instead of waiting for the complete file download. Moreover, the decentralized fashion of the paradigm with multiple sources makes it scalable and robust under high churn. Due to the popularity of such systems, many attacks such as content pollution arose, targeting the content integrity by inserting bogus data in the network to increase the download time and bandwidth consumption. In this paper we present the piece fingerprinting mechanism, a new integrity verification procedure that algorithmically binds all pieces together and relates them to the complete file. Each data block resulted from the segmentation of a large file has a fingerprint indicating whether a block belongs to the content file and also allows the integrity verification of specific parts of the content. The mechanism allows the early detection and correction of the corrupted blocks only, reducing the download time and bandwidth consumption which would be spent re-downloading larger pieces. The analytical evaluation shows that the fingerprinting mechanism has low overhead, usually less than 1% of the file size, and can reduce the bandwidth consumption by 90% in the best case by saving the amount of bandwidth consumed from the re- downloaded pieces.

An Identifier-Based Architecture for Native Vertical Handover Support

The growing demand for ubiquitous computing lead manufactures to develop multi-band devices supporting different network access technologies, such as GSM, Wi-fi, and UMTS. Although these devices support different access technologies, they lack of native vertical handover support, breaking any ongoing connections whenever users switch between access technologies. In this paper we present a next-generation Internet architecture with native vertical handover support, providing mechanisms to support mobility between different access technologies without disruptions. The architecture introduces an identification layer that decouples the host identification from its location, enabling native mobility support for legacy applications. The identification layer employs cryptographic identifiers to identify end-hosts over the Internet and to provide security mechanisms for identity management during vertical handovers. As a proof of concept, a prototype was implemented and evaluated in different vertical handover scenarios in GSM, Wi-fi and wired domains.

A security plane for publish/subscribe based content oriented networks

The publish/subscribe communication paradigm is an appealing mechanism for efficient content retrieval due to the decoupling of data sources and consumers. However, the location decoupling nature of the paradigm opens security issues related to the content authentication and integrity since there is no binding between published content and its providers. In this paper we propose a new control plane called security plane, which is responsible for providing all essential security functionalities, such as efficient content authentication, data integrity and publication control. The security plane creates a binding between information providers and their contents, allowing secure content authentication by subscribers, mitigating security flaws such as fake content publication and data corruption.

Towards verifiable parallel content retrieval

Many software vendors are providing mechanisms for parallel content retrieval using multiple connections, e.g., parallel HTTP channels, to increase the availability and reliability of the download procedure. At the same time, there is no native verification mechanism to support simultaneous content verification from multiple sources. While it is possible to set-up multiple TLS tunnels with different sources, there is no guarantee that the data itself is authentic since the trust is placed on the connection and not in the data itself. In this paper we present a parallel verification mechanism based on hash trees, allowing clients to authenticate data segments regardless of the container from where they were retrieved from, but just with the original provider. Some benefits of the proposed mechanism include low CPU processing costs, low verification overhead and possibility to support legacy data.

SIP over an Identifier/Locator Splitted Next Generation Internet Architecture

Research around the tenets of a next generation Internet architecture has resulted in numerous future Internet proposals, both evolutionary and clean slate. One promising approach is the identifier/locator split, which opens a new paradigm of network communications by using static node identifiers uncoupled from the actual network location. In this work, we validate our instantiation of an id/loc splitted next generation Internet architecture in respect of legacy application support. Our prototype implementation demonstrates that existing SIP services can benefit from the inherent capabilities of the proposed architecture in terms of transparent mobility and security support.