Secure Opportunistic Multipath Key Exchange
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Microsoft DNS
1 a. Domain Name Service (DNS) encompassing Microsoft DNS From Wikipedia, the free encyclopedia Jump to: navigation, search Microsoft DNS is the name given to the implementation of domain name system services provided in Microsoft Windows operating systems. Contents [hide] 1 Overview 2 DNS lookup client o 2.1 The effects of running the DNS Client service o 2.2 Differences from other systems 3 Dynamic DNS Update client 4 DNS server o 4.1 Common issues 5 See also 6 References 7 External links [edit] Overview The Domain Name System support in Microsoft Windows NT, and thus its derivatives Windows 2000, Windows XP, and Windows Server 2003, comprises two clients and a server. Every Microsoft Windows machine has a DNS lookup client, to perform ordinary DNS lookups. Some machines have a Dynamic DNS client, to perform Dynamic DNS Update transactions, registering the machines' names and IP addresses. Some machines run a DNS server, to publish DNS data, to service DNS lookup requests from DNS lookup clients, and to service DNS update requests from DNS update clients. The server software is only supplied with the server versions of Windows. [edit] DNS lookup client Applications perform DNS lookups with the aid of a DLL. They call library functions in the DLL, which in turn handle all communications with DNS servers (over UDP or TCP) and return the final results of the lookup back to the applications. 2 Microsoft's DNS client also has optional support for local caching, in the form of a DNS Client service (also known as DNSCACHE). Before they attempt to directly communicate with DNS servers, the library routines first attempt to make a local IPC connection to the DNS Client service on the machine. -
A Measurement-Based Study of Multipath TCP Performance Over Wireless Networks
A Measurement-based Study of MultiPath TCP Performance over Wireless Networks Yung-Chih Chen Yeon-sup Lim Richard J. Gibbens School of Computer Science School of Computer Science Computer Laboratory University of Massachusetts University of Massachusetts University of Cambridge Amherst, MA USA Amherst, MA USA Cambridge, UK [email protected] [email protected] [email protected] Erich M. Nahum Ramin Khalili Don Towsley IBM Thomas J. Watson T-Labs, Deutsche Telekom School of Computer Science Research Center Berlin, Germany University of Massachusetts Yorktown Heights, NY USA [email protected] Amherst, MA USA [email protected] berlin.de [email protected] ABSTRACT Keywords With the popularity of mobile devices and the pervasive use Multi-Path TCP; MPTCP; Congestion Control; Measure- of cellular technology, there is widespread interest in hybrid ments; Wireless; Cellular Networks; 4G; LTE; 3G; CDMA networks and on how to achieve robustness and good per- formance from them. As most smart phones and mobile de- 1. INTRODUCTION vices are equipped with dual interfaces (WiFi and 3G/4G), a promising approach is through the use of multi-path TCP, Many users with mobile devices can access the Internet which leverages path diversity to improve performance and through both WiFi and cellular networks. Typically, these provide robust data transfers. In this paper we explore the users only utilize one technology at a time: WiFi when it is performance of multi-path TCP in the wild, focusing on sim- available, and cellular otherwise. Research has also focused ple 2-path multi-path TCP scenarios. -
Opportunistic Keying As a Countermeasure to Pervasive Monitoring
Opportunistic Keying as a Countermeasure to Pervasive Monitoring Stephen Kent BBN Technologies Abstract This document was prepared as part of the IETF response to concerns about “pervasive monitoring” (PM) [Farrell-pm]. It begins by exploring terminology that has been used in IETF standards (and in academic publications) to describe encryption and key management techniques, with a focus on authentication and anonymity. Based on this analysis, it propose a new term, “opportunistic keying” to describe a goal for IETF security protocols, in response to PM. It reviews key management mechanisms used in IETF security protocol standards, also with respect to these properties. The document explores possible impediments to and potential adverse effects associated with deployment and use of techniques that would increase the use of encryption, even when keys are distributed in an unauthenticated manner. 1. What’s in a Name (for Encryption)? Recent discussions in the IETF about pervasive monitoring (PM) have suggested a desire to increase use of encryption, even when the encrypted communication is unauthenticated. The term “opportunistic encryption” has been suggested as a term to describe key management techniques in which authenticated encryption is the preferred outcome, unauthenticated encryption is an acceptable fallback, and plaintext (unencrypted) communication is an undesirable (but perhaps necessary) result. This mode of operation differs from the options commonly offered by many IETF security protocols, in which authenticated, encrypted communication is the desired outcome, but plaintext communication is the fallback. The term opportunistic encryption (OE) was coined by Michael Richardson in “Opportunistic Encryption using the Internet Key Exchange (IKE)” an Informational RFC [RFC4322]. -
The Effects of Different Congestion Control Algorithms Over Multipath Fast Ethernet Ipv4/Ipv6 Environments
Proceedings of the 11th International Conference on Applied Informatics Eger, Hungary, January 29–31, 2020, published at http://ceur-ws.org The Effects of Different Congestion Control Algorithms over Multipath Fast Ethernet IPv4/IPv6 Environments Szabolcs Szilágyi, Imre Bordán Faculty of Informatics, University of Debrecen, Hungary [email protected] [email protected] Abstract The TCP has been in use since the seventies and has later become the predominant protocol of the internet for reliable data transfer. Numerous TCP versions has seen the light of day (e.g. TCP Cubic, Highspeed, Illinois, Reno, Scalable, Vegas, Veno, etc.), which in effect differ from each other in the algorithms used for detecting network congestion. On the other hand, the development of multipath communication tech- nologies is one today’s relevant research fields. What better proof of this, than that of the MPTCP (Multipath TCP) being integrated into multiple operating systems shortly after its standardization. The MPTCP proves to be very effective for multipath TCP-based data transfer; however, its main drawback is the lack of support for multipath com- munication over UDP, which can be important when forwarding multimedia traffic. The MPT-GRE software developed at the Faculty of Informatics, University of Debrecen, supports operation over both transfer protocols. In this paper, we examine the effects of different TCP congestion control mechanisms on the MPTCP and the MPT-GRE multipath communication technologies. Keywords: congestion control, multipath communication, MPTCP, MPT- GRE, transport protocols. 1. Introduction In 1974, the TCP was defined in RFC 675 under the Transmission Control Pro- gram name. Later, the Transmission Control Program was split into two modular Copyright © 2020 for this paper by its authors. -
SMAPP : Towards Smart Multipath TCP-Enabled Applications
SMAPP : Towards Smart Multipath TCP-enabled APPlications B. Hesmans ∗, G. Detal y, S. Barre y, R. Bauduin ∗, O. Bonaventure ∗ ∗ Université catholique de Louvain, Louvain-la-Neuve, Belgium y Tessares, Louvain-la-Neuve, Belgium ∗ [email protected] y [email protected] ABSTRACT applications running on a wide range of devices ranging Multipath TCP was designed and implemented as a from smartphones to datacenters. Despite or maybe due backward compatible replacement for TCP. For this rea- to its popularity, TCP continues to evolve. Multipath son, it exposes the standard socket API to the applica- TCP [7, 19] is one of the most recent TCP extensions. It tions that cannot control the utilisation of the different completely changes one of the basic design assumptions paths. This is a key feature for applications that are un- of the original TCP specification : a TCP connection aware of the multipath nature of the network. On the is always identified by a four-tuple (source and desti- contrary, this is a limitation for applications that could nation IP addresses and ports). All the packets that benefit from specific knowledge to use multiple paths are sent for such a connection always contain this four- in a way that fits their needs. As the specific knowl- tuple. An annoying consequence of this coupling is that edge of an application can not be known in advance, on a multihomed host, e.g. a smartphone with a cellular we propose a Multipath TCP path manager that dele- and a WiFi interface or a simple dual-stack PC having gates the management of the paths to the applications. -
Software-Defined Networking: Improving Security for Enterprise and Home Networks
Worcester Polytechnic Institute Digital WPI Doctoral Dissertations (All Dissertations, All Years) Electronic Theses and Dissertations 2017-04-24 Software-defined etN working: Improving Security for Enterprise and Home Networks Curtis Robin Taylor Worcester Polytechnic Institute Follow this and additional works at: https://digitalcommons.wpi.edu/etd-dissertations Repository Citation Taylor, C. R. (2017). Software-defined Networking: Improving Security for Enterprise and Home Networks. Retrieved from https://digitalcommons.wpi.edu/etd-dissertations/161 This dissertation is brought to you for free and open access by Digital WPI. It has been accepted for inclusion in Doctoral Dissertations (All Dissertations, All Years) by an authorized administrator of Digital WPI. For more information, please contact [email protected]. Software-defined Networking: Improving Security for Enterprise and Home Networks by Curtis R. Taylor A Dissertation Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the requirements for the Degree of Doctor of Philosophy in Computer Science by May 2017 APPROVED: Professor Craig A. Shue, Dissertation Advisor Professor Craig E. Wills, Head of Department Professor Mark Claypool, Committee Member Professor Thomas Eisenbarth, Committee Member Doctor Nathanael Paul, External Committee Member Abstract In enterprise networks, all aspects of the network, such as placement of security devices and performance, must be carefully considered. Even with forethought, networks operators are ulti- mately unaware of intra-subnet traffic. The inability to monitor intra-subnet traffic leads to blind spots in the network where compromised hosts have unfettered access to the network for spreading and reconnaissance. While network security middleboxes help to address compromises, they are limited in only seeing a subset of all network traffic that traverses routed infrastructure, which is where middleboxes are frequently deployed. -
How Can We Protect the Internet Against Surveillance?
How can we protect the Internet against surveillance? Seven TODO items for users, web developers and protocol engineers Peter Eckersley [email protected] Okay, so everyone is spying on the Internet It's not just the NSA... Lots of governments are in this game! Not to mention the commerical malware industry These guys are fearsome, octopus-like adversaries Does this mean we should just give up? No. Reason 1: some people can't afford to give up Reason 2: there is a line we can hold vs. So, how do we get there? TODO #1 Users should maximise their own security Make sure your OS and browser are patched! Use encryption where you can! In your browser, install HTTPS Everywhere https://eff.org/https-everywhere For instant messaging, use OTR (easiest with Pidgin or Adium, but be aware of the exploit risk tradeoff) For confidential browsing, use the Tor Browser Bundle Other tools to consider: TextSecure for SMS PGP for email (UX is terrible!) SpiderOak etc for cloud storage Lots of new things in the pipeline TODO #2 Run an open wireless network! openwireless.org How to do this securely right now? Chain your WPA2 network on a router below your open one. TODO #3 Site operators... Deploy SSL/TLS/HTTPS DEPLOY IT CORRECTLY! This, miserably, is a lot harder than it should be TLS/SSL Authentication Apparently, ~52 countries These are usually specialist, narrowly targetted attacks (but that's several entire other talks... we're working on making HTTPS more secure, easier and saner!) In the mean time, here's what you need A valid certificate HTTPS by default Secure cookies No “mixed content” Perfect Forward Secrecy A well-tuned configuration How do I make HTTPS the default? Firefox and Chrome: redirect, set the HSTS header Safari and IE: sorry, you can't (!!!) What's a secure cookie? Go and check your site right now.. -
The Danger of the New Internet Choke Points
The Danger of the New Internet Choke Points Authored by: Andrei Robachevsky, Christine Runnegar, Karen O’Donoghue and Mat Ford FEBRUARY 2014 Introduction The ongoing disclosures of pervasive surveillance of Internet users’ communications and data by national security agencies have prompted protocol designers, software and hardware vendors, as well as Internet service and content providers, to re-evaluate prevailing security and privacy threat models and to refocus on providing more effective security and confidentiality. At IETF88, there was consensus to address pervasive monitoring as an attack and to consider the pervasive attack threat model when designing a protocol. One area of work currently being pursued by the IETF is the viability of more widespread encryption. While there are some who believe that widely deployed encryption with strong authentication should be used extensively, many others believe that there are practical obstacles to this approach including a general lack of reasonable tools and user understanding as to how to use the technology, plus significant obstacles to scaling infrastructure and services using existing technologies. As a result, the discussion within the IETF has principally focused on opportunistic encryption and weak authentication. “Weak authentication” means cryptographically strong authentication between previously unknown parties without relying on trusted third parties. In certain contexts, and by using certain techniques, one can achieve the desired level of security (see, for instance, Arkko, Nikander. Weak Authentication: How to Authenticate Unknown Principals without Trusted Parties, Security Protocols Workshop, volume 2845 of Lecture Notes in Computer Science, page 5-19. Springer, (2002)). “Opportunistic encryption” refers to encryption without authentication. It is a mode of protocol operation where the content of the communication is secure against passive surveillance, but there is no guarantee that the endpoints are reliably identified. -
Multipath TCP Upstreaming
Multipath TCP Upstreaming Mat Martineau (Intel) and Matthieu Baerts (Tessares) Plan ● Multipath TCP Overview ● First Patch Set Upstreaming Roadmap ● Advanced Features Roadmap ● Conclusion and links 2 What is MPTCP? 3 Multipath TCP (MPTCP) ● Exchange data for a single connection over different paths, simultaneously ● RFC-6824 and supported by IETF Multipath TCP (MPTCP) working group Smartphone and WiFi icons by Blurred203 and Antü Plasma under CC-by-sa, others from Tango project, public domain 4 Multipath TCP (MPTCP) ● Exchange data for a single connection over different paths, simultaneously ● RFC-6824 and supported by IETF Multipath TCP (MPTCP) working group ● More bandwidth: Smartphone and WiFi icons by Blurred203 and Antü Plasma under CC-by-sa, others from Tango project, public domain 5 Multipath TCP (MPTCP) ● Exchange data for a single connection over different paths, simultaneously ● RFC-6824 and supported by IETF Multipath TCP (MPTCP) working group ● More mobility (walk-out): Smartphone and WiFi icons by Blurred203 and Antü Plasma under CC-by-sa, others from Tango project, public domain 6 Multipath TCP (MPTCP) ● Exchange data for a single connection over different paths, simultaneously ● RFC-6824 and supported by IETF Multipath TCP (MPTCP) working group ● More mobility (walk-out): Smartphone and WiFi icons by Blurred203 and Antü Plasma under CC-by-sa, others from Tango project, public domain 7 Multipath TCP (MPTCP) ● Exchange data for a single connection over different paths, simultaneously ● RFC-6824 and supported by IETF Multipath TCP -
Network Working Group T. Pauly Internet-Draft Apple Inc
Network Working Group T. Pauly Internet-Draft Apple Inc. Intended status: Informational C. Perkins Expires: September 6, 2018 University of Glasgow K. Rose Akamai Technologies, Inc. C. Wood Apple Inc. March 05, 2018 A Survey of Transport Security Protocols draft-pauly-taps-transport-security-02 Abstract This document provides a survey of commonly used or notable network security protocols, with a focus on how they interact and integrate with applications and transport protocols. Its goal is to supplement efforts to define and catalog transport services [RFC8095] by describing the interfaces required to add security protocols. It examines Transport Layer Security (TLS), Datagram Transport Layer Security (DTLS), Quick UDP Internet Connections with TLS (QUIC + TLS), MinimalT, CurveCP, tcpcrypt, Internet Key Exchange with Encapsulating Security Protocol (IKEv2 + ESP), SRTP (with DTLS), and WireGuard. This survey is not limited to protocols developed within the scope or context of the IETF. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 6, 2018. -
"Measuring and Extending Multipath TCP"
"Measuring and extending multipath TCP" Tran, Viet Hoang ABSTRACT TCP has been one of the most important Internet protocols since the early days of this network. The initial version of TCP assumed that (1) each device has a single interface, and (2) its network address is permanent. Today's Internet attached devices have multiple interfaces with dynamic addresses. These deployments do not match anymore the design principles of TCP. By decoupling the transport layer from the underneath IP layer, Multipath TCP brings several key benefits in a variety of use cases. However, this major TCP extension is also significantly more complex than the legacy TCP. Despite growing interests in Multipath TCP, there are still many unknowns about its behaviours and performance in the real world. Moreover, most Multipath TCP implementations are based on existing TCP stacks which are part of operating systems kernels. Therefore, it is challenging to build Multipath TCP stacks that adapt to different network scenarios and user requirements. The purpose of this thesis i... CITE THIS VERSION Tran, Viet Hoang. Measuring and extending multipath TCP. Prom. : Bonaventure, Olivier http:// hdl.handle.net/2078.1/225610 Le dépôt institutionnel DIAL est destiné au dépôt DIAL is an institutional repository for the deposit et à la diffusion de documents scientifiques and dissemination of scientific documents from émanents des membres de l'UCLouvain. Toute UCLouvain members. Usage of this document utilisation de ce document à des fin lucratives for profit or commercial purposes is stricly ou commerciales est strictement interdite. prohibited. User agrees to respect copyright L'utilisateur s'engage à respecter les droits about this document, mainly text integrity and d'auteur lié à ce document, principalement le source mention. -
Multipath TCP: from Theory to Practice
MultiPath TCP: From Theory to Practice Sébastien Barré, Christoph Paasch, and Olivier Bonaventure ⋆ ICTEAM, Université catholique de Louvain B-1348 Louvain-la-Neuve, Belgium {firstname.lastname}@uclouvain.be Abstract. The IETF is developing a new transport layer solution, Mul- tiPath TCP (MPTCP), which allows to efficiently exploit several Internet paths between a pair of hosts, while presenting a single TCP connection to the application layer. From an implementation viewpoint, multiplex- ing flows at the transport layer raises several challenges. We first explain how this major TCP extension affects the Linux TCP/IP stack when considering the establishment of TCP connections and the transmission and reception of data over multiple paths. Then, based on our imple- mentation of MultiPath TCP in the Linux kernel, we explain how such an implementation can be optimized to achieve high performance and report measurements showing the performance of receive buffer tuning and coupled congestion control. Keywords: TCP, multipath, implementation, measurements 1 Introduction The Internet is changing. When TCP/IP was designed, hosts had a single in- terface and only routers were equipped with several physical interfaces. Today, most hosts have more than one interface and the proliferation of smart-phones equipped with both 3G and WiFi will bring a growing number of multihomed hosts on the Internet. End-users often expect that using multihomed hosts will increase both redundancy and performance. Unfortunately, in practice this is not always the case as more than 95% of the total Internet traffic is still driven by TCP and TCP binds each connection to a single interface. This implies that TCP by itself is not capable of efficiently and transparently using the interfaces available on a multihomed host.