Deep packet inspection has been subject to controversial debates about network neutrality and online privacy for the last few years. In this white paper we will argue that DPI as such is a neutral, neither good nor bad technology, and that it depends on the application that utilizes DPI if and how it will affect the Internet and our society.
PROACTIVE DETECTION OF DDOS ATTACKS IN PUBLISH-SUBSCRIBE NETWORKS (IJNSA Journal)
Abstract. Information centric networking (ICN) using architectures such as Publish-Subscribe Internet Routing Paradigm (PSIRP) or Publish-Subscribe Internet Technology (PURSUIT) has been proposed as an important candidate for the Internet of the future. ICN is an emerging research area that proposes a transformation of the current host centric Internet architecture into an architecture where information items are of primary importance. This change allows network functions such as routing and locating to be optimized based on the information items themselves. The Bloom filter based content delivery is a source-routing scheme that is used in the PSIRP/PURSUIT architectures. Although this mechanism solves many issues of today's Internet such as the growth of the routing table and the scalability problems, it is vulnerable to distributed denial-of-service (DDoS) attacks. In this paper, we present a new content delivery scheme that has the advantages of the Bloom filter based approach while at the same time being able to prevent DDoS attacks on the forwarding mechanism. Our security analysis suggests that with the proposed approach, the forwarding plane is able to resist attacks such as DDoS with very high probability.
Comparison of DOD and OSI Model in the Internet Communication (ijtsrd)
The Internet protocol suite is the computer networking model and set of communications protocols used on the Internet and similar computer networks. It is commonly known as TCP/IP, because its most important protocols, the Transmission Control Protocol (TCP) and the Internet Protocol (IP), were the first networking protocols defined in this standard. Often also called the Internet model, it was originally also known as the DoD model, because the development of the networking model was funded by DARPA, an agency of the United States Department of Defense. TCP/IP provides end-to-end connectivity specifying how data should be packetized, addressed, transmitted, routed and received at the destination. This functionality is organized into four abstraction layers which are used to sort all related protocols according to the scope of networking involved. From lowest to highest, the layers are the link layer, containing communication technologies for a single network segment (link); the internet layer, connecting hosts across independent networks, thus establishing internetworking; the transport layer, handling host-to-host communication; and the application layer, which provides process-to-process application data exchange. Our aim is to describe the operation and models of the TCP/IP suite in data communication networking. Ei Ei Khaing, "Comparison of DOD and OSI Model in the Internet Communication", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-5, August 2019, URL: https://www.ijtsrd.com/papers/ijtsrd27834.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-network/27834/comparison-of-dod-and-osi-model-in-the-internet-communication/ei-ei-khaing
In protocol tunnelling, one application protocol is encapsulated within another carrier protocol, possibly to circumvent firewall policy. Application-layer tunnels are a significant security and resource abuse threat for networks. The existing techniques for identification of applications running across the network, for example packet data analysis techniques, are not always successful, especially for applications which use encrypted tunnels. This work describes a statistical approach to detect applications which are running using application layer tunnels. A fast machine learning algorithm, k-Nearest Neighbours, is demonstrated to be able to perform the detection of tunnelled applications based on statistical features obtained from the network applications running inside protocol tunnels. The scalability of the mechanism is also investigated.
How to detect middleboxes: guidelines on a methodology (csandit)
Internet middleboxes such as VPNs, firewalls, and proxies can significantly change handling of traffic streams. They play an increasingly important role in various types of IP networks. If end hosts can detect them, these hosts can make beneficial, and in some cases crucial, improvements in security and performance. But because middleboxes have widely varying behavior and effects on the traffic they handle, no single technique has been discovered that can detect all of them. Devising a detection mechanism to detect any particular type of middlebox interference involves many design decisions and has numerous dimensions. One approach to assist with the complexity of this process is to provide a set of systematic guidelines. This paper is the first attempt to introduce a set of general guidelines (as well as the rationale behind them) to assist researchers with devising methodologies for end-hosts to detect middleboxes. The guidelines presented here take some inspiration from the previous work of other researchers using various and often ad hoc approaches. These guidelines, however, are mainly based on our own experience with research on the detection of middleboxes. To assist researchers in using these guidelines, we also provide an example of how to bring them into play for detection of network compression.
Peer-to-Peer Communication Service and Messaging System (Editor IJMTER)
Peer-to-peer communication services [1] have entered the public limelight over the last few years. Several research efforts are underway on peer-to-peer communication technologies, but no definitive conclusion is currently available. Compared to traditional client-server technology on the Internet, peer-to-peer technology has the capability to realize highly scalable, extensible and efficient distributed applications. Our work presents an anonymous peer-to-peer (P2P) messaging system. A P2P network consists of a large number of peers interconnected together to share all kinds of digital content. A key weakness of most existing P2P systems is the lack of anonymity. Without anonymity, it is possible for third parties to identify the participants involved. First, an anonymous P2P system should make it impossible for third parties to identify the participants involved. Second, an anonymous P2P system should guarantee that only the content receiver knows the content. Third, an anonymous P2P system should allow the content publisher to plausibly deny that the content originated from him or her.
As the use of the Internet increases day by day, security concerns over the Internet also grow day by day. In this paper we discuss network security and its related threats, and also study the types of protocols and a few issues related to protocols in computer networks. We also simulate the design of a 5-node wired network scenario and analyze its packet drop rate through the TCP protocol using NS2 as a simulator. We analyzed the performance of the 5-node network when packets are dropped, using the graphical method called Xgraph, with the rate parameter in Mb; we also analyzed the performance of the same network when changing the value of the rate parameter at the same time so that no packets would be dropped, again by the Xgraph method.
MANAGING ORGANISATION USING VPN's: A SURVEY (Editor IJMTER)
The basic concept of a VPN is to connect networks in separate offices in such a way that makes them appear as a single network. The investigation of using peer-to-peer communication began due to the low performance of the traditional, client-server based model. The bandwidth and latency of the communication between the connected clients was improved by virtual private networks (VPN's). Thus a new peer-to-peer connection based VPN protocol was developed. It uses both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) communication to transfer Ethernet frames between the connected clients across IPv4 and IPv6 networks, and it makes direct communication for the clients possible.
SECURITY CONSIDERATION IN PEER-TO-PEER NETWORKS WITH A CASE STUDY APPLICATION (IJNSA Journal)
The wide adoption of Peer-to-Peer (P2P) overlay networks has also created vast dangers due to the millions of users who are not conversant with the potential security risks. Lack of centralized control creates great risks to P2P systems. This is mainly due to the inability to implement proper authentication approaches for threat management. The best possible solutions, however, include encryption, utilization of administration, implementing cryptographic protocols, avoiding personal file sharing, and avoiding unauthorized downloads. Recently, a new non-DHT based structured P2P system has proven very suitable for designing secured communication protocols. This approach is based on the Linear Diophantine Equation (LDE) [1]. The P2P architectures based on this protocol offer simplified methods to integrate symmetric and asymmetric cryptography solutions into the P2P architecture with no need of utilizing Transport Layer Security (TLS) or its predecessor, the Secure Sockets Layer (SSL) protocol.
Analysis of threats and security issues evaluation in mobile P2P networks (IJECE IAES)
Technically, a mobile P2P network system architecture can be considered a distributed architecture system (like a community), where the nodes or users can share all or some of their own software and hardware resources (such as application stores, processing time, storage, and network bandwidth) with the other nodes (users) through the Internet, and these resources can be accessed directly by the nodes in that system without the need of a central coordination node. The main structure of our proposed network architecture is that all the nodes are symmetric in their functions. In this work, the security issues of a mobile P2P network system architecture (such as web threats, attacks and encryption) will be discussed in depth; we then propose different approaches, analyze and evaluate these mobile P2P network security issues, and submit some proposed solutions to resolve the problems related to threats and other attacks, since these threats and attacks will be a serious issue as networks grow, especially with the mobility attribute in current P2P networks.
Content Distribution for Peer-To-Peer Overlays on Mobile Adhoc Networks to Fu... (Editor IJCATR)
Peer-to-peer (P2P) networks existing on a MANET are a natural evolution since both are decentralized and have dynamic topologies. As MANETs grow in use due to the increasing popularity of wireless mesh and 4G networks, it is expected that P2P applications will remain a popular means of obtaining files. Network coding has been shown to be an efficient means of sharing large files in a P2P network. With network coding, all file blocks have the same relative importance. This paper presents an efficient content distribution scheme that uses network coding to share large files in a P2P overlay running on a MANET. Peers request file blocks from multiple server nodes, and servers multicast blocks to multiple receivers, providing efficient multipoint-to-multipoint communication. Simulation results show that compared to other common download techniques, the proposed scheme performs very well, having lower download time and energy consumption. Also, more peers participate in uploading the file, resulting in greater fairness.
Many people mistakenly believe that Internet 2.0 is Web 2.0, which is a misconception. Internet means internetworking, which works at the transmission media layer, and the current Internet is based on the IP protocol and is therefore subject to many security vulnerabilities. Internet 2.0 is based on a new patented protocol which utilizes the native telephony network to establish secure point-to-point connections and is able to prevent a lot of current Internet vulnerabilities.
Efficient End-to-End Secure Key Management Protocol for Internet of Things (IJECE IAES)
The Internet of things (IoT) describes a future vision of the internet where users, computing systems, and everyday objects possessing sensing and actuating capabilities are part of distributed applications and are required to support standard internet communication with more powerful devices or internet hosts. This vision necessitates security mechanisms for end-to-end communication. A key management protocol is critical to ensuring the secure exchange of data between interconnecting entities, but the nature of this communication system, where a highly resource-constrained node may be communicating with a node with high energy, makes the application of existing key management protocols impossible. In this paper, we propose a new lightweight key management protocol that allows a constrained node in a 6LoWPAN network to transmit captured data to an internet host over a secure channel. This protocol is based on the cooperation of selected 6LoWPAN routers, which participate in the computation of highly consuming cryptographic primitives. Our protocol is assessed with the AVISPA tool; the results show that our scheme ensures the security properties.
AN EXPERIMENTAL STUDY OF IOT NETWORKS UNDER INTERNAL ROUTING ATTACK (IJCNC Journal)
Internet of Things (IoT) deployments mostly rely on the establishment of Low-Power and Lossy Networks (LLNs) among a large number of constrained devices. The Internet Engineering Task Force (IETF) provides an effective IPv6-based LLN routing protocol, namely the IPv6 Routing Protocol for Low Power and Lossy Networks (RPL). RPL provides adequate protection against external security attacks but stays vulnerable to internal routing attacks such as a rank attack. Malicious RPL nodes can carry out a rank attack in different forms and cause serious network performance degradation. An experimental study of the impact of the decreased rank attack on the overall network performance is presented in this paper. Besides, it is important to understand the main influencing factors in this context. In this study, several network scenarios were considered with varying network sizes, attacker properties, and topological setups. The experimental results indicate a noticeable adverse effect of the rank attack on the average PDR, delay, ETX, and beacon interval. However, such impact varied according to network size, attacker position, attacker neighbor count, number of attack-affected nodes, and overall hop increase. The results give a practical reference to the overall performance of RPL networks under rank attacks.
A SURVEY ON AUTHENTICATION AND KEY AGREEMENT PROTOCOLS IN HETEROGENEOUS NETWORKS (IJNSA Journal)
Unlike current closed systems such as the 2nd and 3rd generations, where the core network is controlled by a sole network operator, multiple network operators will coexist and manage the core network in Next Generation Networks (NGNs). This open architecture and the collaboration between different network operators will support ubiquitous connectivity and thus enhance users' experience. However, this brings to the fore certain security issues which must be addressed, the most important of which is the initial Authentication and Key Agreement (AKA) to identify and authorize mobile nodes on these various networks. This paper looks at how existing research efforts (the HOKEY WG, Mobile Ethernet and 3GPP frameworks) respond to this new environment and provide security mechanisms. The analysis shows that most of the research has recognized the openness of the core network and tried to deal with it using different methods. These methods will be extensively analysed in order to highlight their strengths and weaknesses.
International Journal of Computational Engineering Research (IJCER) (ijceronline)
International Journal of Computational Engineering Research (IJCER) is an international online journal published monthly in English. This journal publishes original research work that contributes significantly to furthering scientific knowledge in engineering and technology.
COMPARATIVE STUDY OF CAN, PASTRY, KADEMLIA AND CHORD DHTS (ijp2p)
Peer-to-Peer (P2P) systems allow decentralization, sharing of all the resources of a network with direct communication and collaboration between nodes. There are three main families of P2P networks: the centralized architecture, the decentralized architecture, which can be structured or unstructured, and the hybrid architecture. Today, there are several implementations for structured decentralized architectures. This implies that the insertion and search algorithms are different. Among them we have Chord, Pastry, Kademlia and CAN (Content Addressable Network). The choice of one of these DHTs (Distributed Hash Tables) for an application is made on the basis of their performance. Studies of each of these DHTs have been done, proving their performance. But a comparative study of the four DHTs Chord, Pastry, CAN and Kademlia has not been clearly addressed by previous works. In this paper, we have conducted a comparative theoretical study of the DHTs Chord, Pastry, CAN and Kademlia. Then, by simulation, we have evaluated their performance in terms of latency, number of hops and number of transmitted messages. Our study clearly shows the differences between mathematically established performance and actual performance in an environment with fewer restrictions. This analysis was made from the data obtained by using the simple network layer of the PeerfactSim simulator. This simulator abstracts the different network layers, which gives the advantage of testing the performance with reasonable accuracy. The use of the single network layer can be considered an ideal case because the node searches are done locally.
During the last years, file sharing of copyright-protected material, particularly in peer-to-peer (P2P) networks, has been a serious threat to the established business models of the content industry. There have been numerous discussions about possible countermeasures, some of which have already been implemented. This white paper aims to provide an as objective as possible assessment of the countermeasures for P2P from the perspective of a network device vendor with particular experience with Internet traffic management solutions.
Implementation of Steganographic Method Based on IPv4 Identification Field ov... (IJERA Editor)
In this paper we first present a study of covert channels (steganography) that may be applied at each TCP/IP layer in a VoIP application. Then, we present a steganographic method which hides secret data in IP protocol header fields, particularly the identification field. The IP protocol covert channel implementation was carried out in NS-3 (Network Simulator 3).
frameworks respond to this new environment and provide security mechanisms. The analysis shows that most of the research had realized the openness of the core network and tried to deal with it using different methods. These methods will be extensively analysed in order to highlight their strengths and weaknesses.
International Journal of Computational Engineering Research(IJCER)ijceronline
International Journal of Computational Engineering Research(IJCER) is an intentional online Journal in English monthly publishing journal. This Journal publish original research work that contributes significantly to further the scientific knowledge in engineering and Technology
COMPARATIVE STUDY OF CAN, PASTRY, KADEMLIA AND CHORD DHTS ijp2p
Peer-to-Peer (P2P) systems allow decentralization, sharing of all the resources of a network with direct
communication and collaboration between nodes. There are three main families of P2P networks: the
centralized architecture, the decentralized architecture that can be structured or unstructured and the
hybrid architecture. Today, there are several implementations for structured decentralized architectures.
This implies that the insertion and search algorithms are different. Among them we have; Chord, Pastry,
Kademlia, CAN(Content Addressable Network) . The choice of these DHTs (Distributed Hash Table) for an
application is made on the basis of their performances. Studies of each of these DHTs mentioned have been
done, proving their performance. But a comparative study of the four DHTs Chord, Pastry, CAN, Kademlia
has not been clearly addressed by previous works. In this paper, we have conducted a comparative
theoretical study of the DHTs Chord, Pastry, CAN, Kademlia. Then, by simulation, we have evaluated the
performances in terms of latency, number of hops and number of transmitted messages. Our study clearly
shows the differences between mathematically established performance and actual performance in an
environment with less restriction. This analysis was made from the data obtained by using the simple
network layer of the PeerfactSim simulator. This simulator abstracts the different network layers, which
gives the advantage of testing the performances with reasonable accuracy. The use of the single network
layer can be considered an ideal case because the node searches are done locally
During the last years, file sharing of copyright-protected material, particularly in peer- to-peer (P2P) networks, has been a serious threat to the established business models of the content industry. There have been numerous discussions about possible counter- measures, some of which have already been implemented. This white paper aims to provide an as objective as possible assessment of the countermeasures for P2P from the perspective of a network device vendor with particular experience with Internet traffic management solutions.
Implementation of Steganographic Method Based on IPv4 Identification Field ov...IJERA Editor
In this paper we present first a study of covert channels (steganography) that may be applied for each TCP/IP layer in VoIP application. Then, we present a steganographic method which hide secret data in IP protocol header fields, particularly the identification field. The IP protocol covert channel implementation was carried out in NS-3 (Network Simulator 3).
Standard Protocols for Heterogeneous P2P Vehicular Networksijtsrd
Vehicular Communication Systems are developing form of networks in which moving vehicles and side road units are the main communicating nodes. In such networks, vehicular nodes provide information to other nodes via Vehicle to Vehicle communication protocols. A vehicular communication system can be used to support smart road applications such as accidents and traffic congestion avoidance, collision warning forwarding, forensic accidents assistance, crime site investigation, and alert notification. However, current Vehicular Communication Systems suffer from many issues and challenges, one of which is their poor interoperability as they lack standardization due to the inconsistent technologies and protocols they use. This paper proposes several standard protocols and languages for P2P vehicular networks that are built using heterogeneous technologies and platforms. These standards consist of three protocols a Standard Communication Protocol which enables the interoperable operation between the heterogeneous nodes of a P2P Vehicular network an Autonomous Peers Integration Protocol which enables the self integration and self disintegration of functionalities and a Standard Information Retrieval Protocol which allows the P2P network to be queried using a standard high level language. In the experiments, a case study was presented as a proof of concept which demonstrated the feasibility of the proposed protocols and that they can be used as a standard platform for data exchange in P2P Vehicular Communication Systems. As future work, Service oriented architectures for vehicular networks are to be investigated while addressing security issues such as confidentiality, integrity, and availability. Youssef Bassil ""Standard Protocols for Heterogeneous P2P Vehicular Networks"" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-3 , April 2019, URL: https://www.ijtsrd.com/papers/ijtsrd23025.pdf
Paper URL: https://www.ijtsrd.com/computer-science/computer-network/23025/standard-protocols-for-heterogeneous-p2p-vehicular-networks/youssef-bassil
Watchguard Firewall overview and implemetationKaveh Khosravi
This document explains firewall technologies and intrusion detection techniques by using the combination of watchguard firewall and snort , the widely known intrusion detection system ,.
"This presentation was created through wide-ranged research and is intended specially for everyone interested in network technology".
-BRIAN S. CUNAL
KALINGA-APAYAO STATE COLLEGE
IT Instructor.
Cybersecurity Tutorial | Demo On Man In The Middle Attack | Cybersecurity Tra...Edureka!
** Cyber Security Course: https://www.edureka.co/cybersecurity-certification-training **
This "Cybersecurity tutorial" ppt presented by edureka gives an in-depth information about the Cyber Security world and talks about its basic concepts. Below are the topics covered in this tutorial:
1. Packet structure
2. Network architecture
3. Addressing
4. IP/MAC
5. Firewalls
6. Symmetric Cryptography
7. Public key Cryptography
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Pushing the limits of ePRTC: 100ns holdover for 100 days
Whitepaper Deep Packet Inspection
1. Introduction
New technologies often spark controversy, particularly if their use has a potential impact on our daily lives. The ability – and necessity – to embark on an open discussion before a wider adoption is an important pillar of modern society. One such technology that recently made rather controversial headlines is deep packet inspection (DPI). A number of quite vocal adversaries have presented a host of concerns, some of them reasonable and worth a discussion, but many also polemic and based on false statements or poor technical understanding. DPI has been branded by some as an evil technology that could end the Internet as we know it.
This white paper aims to contribute to this debate, first by clarifying the technological background from the perspective of a vendor of networking products based on DPI technology, and second by discussing the potential impact the widespread deployment of DPI applications may have on the Internet and society.
Critics often mix up DPI with a network service or function using DPI as its base technology. Examples of network functions using DPI include spam and virus filters, intrusion detection and prevention systems (IDS/IPS), and firewalls, all of which have been around for many years. And there has hardly been a debate about the perils of any of these. So what is happening in the DPI discussion?
The target of it was not so much DPI, but Internet traffic management based on DPI as a new network function – yet another application using DPI. The core claims of its opponents are the alleged violation of privacy and net neutrality. In fact there are other DPI-based network functions that could be seen as even more critical than traffic management. Examples are network monitoring for lawful interception, which can include mass interception and target profiling, and in-line content injection used for targeted advertisement. So it is all about the application DPI is used for, and not the technology itself. Thus it is important to discuss all these applications separately.
This white paper will focus on DPI-based traffic or bandwidth management. After a technical introduction of DPI and DPI-based Internet traffic management, this paper will extensively discuss the benefits and potential dangers of this technology, including the weakening of net neutrality and freedom of speech in the Internet.
Technical Background: What Is DPI?
At first glance, a technical definition of deep packet inspection is straightforward to write down and in fact very simple. DPI systems inspect entire packets traveling the network as part of a communication, looking not only at packet headers like legacy systems, but also at the packet’s payload.
The central point of this definition is the inspection of packet payload. While this seems to be quite clear, both terms require a closer look, not least because this payload inspection constitutes the main draw for criticism of DPI technology. The key problem is that Internet packets do not have only a single header plus payload. Instead, there is a packet header and payload at each layer of the multi-layer Internet architecture that can be found in each network-connected host. A detailed discussion of this header-payload dilemma can be found in the boxed text on the following page.
Deep Packet Inspection White Paper
Technology, Applications & Net Neutrality
Klaus Mochalski, Hendrik Schulze
Deep packet inspection has been subject to controversial debates about network neutrality and online privacy for the last few years. In this white paper we will argue that DPI as such is a neutral, neither good nor bad technology, and that it depends on the application that utilizes DPI if and how it will affect the Internet and our society. This paper will focus on Internet bandwidth management based on DPI. Interestingly, the technology has been around in other applications such as firewalls and virus scanners for much longer without sparking similar controversy. After a simple technical explanation of what DPI is – and what it is not –, we will straighten some myths and untruths. Future discussions, particularly in the area of bandwidth management, should not focus on DPI as a technology, but on its specific applications. To facilitate these discussions, we will propose a simple system of categories that classify different Internet traffic management schemes according to their impact on net neutrality, market competition and online privacy.
“[...] Comcast opens its customers’ mail because it wants to deliver mail not based on the address or type of stamp on the envelope but on the type of letter contained therein.”
Later in the same document, a statement by then FCC chairman Kevin J. Martin begins with:
“Would it be OK if the post office opened your mail, decided they didn’t want to bother delivering it, and hid that fact by sending it back to you stamped ‘address unknown – return to sender’? Or would it be OK, when someone sends you a first class-stamped letter, if the post office opened it, decided that because the mail truck is full sometimes, letters to you could wait, and then hid both that they read your letters and delayed them?
Unfortunately, that is exactly what Comcast was doing with their subscribers’ Internet traffic.”
So DPI is like ‘opening’ a letter and ‘reading’ its content, right? One could argue about ‘opening’: a sealed letter is clearly marked ‘private content – do not open’, whereas a network packet, if it is unencrypted, is not. But this is debatable. DPI systems, at least those used for bandwidth management as in the case of Comcast, by no means ‘read’ or even ‘understand’ the communication content. Instead, they scan for certain markers – or patterns – to classify the protocol or application that generated the packets used to transmit the content. Such systems only find what they are looking for, i.e. if they do not scan for the word ‘bomb’, they will not know whether it is there or not. Or in other words, DPI does not index the content of network packets as search engines like Google do for Web pages.
DPI in bandwidth management systems does not read all packets. Instead, it only scans for patterns in the first few packets of each network flow – about 1-3 packets for unencrypted and 3-20 packets for encrypted communication protocols. The rest is done by flow tracking – or stateful filtering, as known from firewalls. Scanning all packets of a flow would be both unnecessary and rather expensive.
If one really wants to use the ‘reading of letters’ analogy, it should be postcards instead of letters, and the ‘reader’ should be one who does not understand the language of the letter and who only scans certain parts of the contents for matching symbols from a list of symbols – or patterns. It is important for our discussion to understand that DPI is not automatically a privacy violation.
Applications and Systems Using DPI
Interestingly, there have been DPI-based applications and network functions deployed in many places across the Internet for many years without drawing much criticism. Here is a short list of examples:
◦ E-mail spam filtering
◦ Anti-virus filtering for e-mail and other Internet content
◦ Intrusion detection and prevention systems (IDS/IPS)
◦ Firewalls
◦ Content caching systems (e.g. for Web pages)
◦ Network probes for network monitoring and troubleshooting
All these technologies have a certain misuse potential as they all have access to user content data. DPI-based traffic management is just another DPI application on this list and should be treated as such.
Bandwidth Management – A DPI Application
The rest of this white paper will focus on one particular application of DPI: Internet traffic or bandwidth management.
The Big QoS Failure
It is common knowledge that different network applications have varying quality of service (QoS) requirements. For instance, Internet telephony and online games work best under low-latency, low-jitter conditions, but consume little bandwidth. Large downloads are nearly unaffected by latency and jitter and only need as much bandwidth as possible.
Unfortunately, the Internet has so far failed to bring about QoS support. Not that there have been no attempts. ATM [3] tried to solve this issue by overturning the entire architecture of the Internet – and failed due to its overwhelming complexity. Then, extensions to TCP/IP were proposed, most prominently Integrated Services (IntServ) and Differentiated Services (DiffServ). The more comprehensive IntServ failed for its poor scalability. The simpler DiffServ failed because it would have required the support by all router hops of an end-to-end communication path, hence the cooperation of
[3] ATM: Asynchronous Transfer Mode is a standards suite developed by the International Telecommunications Union (ITU) and the ATM Forum (an industry consortium) with the ultimate goal to replace the entire Internet infrastructure from the core to the end system, including the TCP/IP protocol suite that is the very basis of the Internet.
[...] network flow. While it is true that plain pattern matching does not work with encrypted communication, modern DPI systems go beyond this simple method. They use behavioral and statistical analysis as described above. In fact, encryption has very little effect on the classification ability and accuracy of advanced DPI equipment. [4]
Of course, encryption prevents inline systems from ‘reading’ packet content, thus protecting the privacy of a communication, at least in cases where information is not shared with the general public (see box “The P2P Encryption Lie”).
Benefits of Bandwidth Management
◦ Can improve the economics of providing access to re-
mote and rural geographic areas
◦ can improve the average performance for Internet users
(at the cost of limiting the resources for a few excessive
users)
◦ Can provide users with a tailored service, including
‘soft’ QoS guarantees, at a higher or lower price, de-
pending on the required service level; users that only use
Web and e-mail would get a lower price; everyone pays
only for what they use
Dangers of Bandwidth Management
◦ Can limit access to certain Internet services (e.g. P2P file
sharing)
◦ Misuse potential for protocol/application censorship
◦ Can stifle innovation by slowing down capacity exten-
sion of the Internet
The Potential Impact of DPI Applications on Society
DPI opponents regularly point out the potentially devastating effect an extensive deployment of such technology would have on the Internet and society in general. Here it is important to differentiate between two main uses of DPI:
◦ DPI used by ISPs for commercial reasons
◦ DPI as a technological basis for new regulatory systems
DPI and Network Operator Business Models
Internet service providers have deployed or plan to deploy DPI-based traffic management systems. Their interests are almost always commercial – maintaining or, better, increasing their revenues. Foremost, that means attracting new customers and reducing subscriber churn – the loss of customers to competitors. At the same time, they need to protect their infrastructure investments from congestion by a few users or applications. These two goals are somewhat contradictory, so it is important to find the delicate balance between them. In the end, the use of this kind of DPI traffic management will be regulated by the market. Governments only need to ensure a properly working market with sufficient competition.
Internet Regulation
So far in human history, every new technology, such as the automobile, the television and even the printing press and with it freedom of speech, eventually got regulated. Such regulation always has to take into account the specifics of a new technology. For the printing press and television it is sufficient to make publishers and broadcasters liable for the distributed content because it is easy for law enforcement to identify the source. For cars, there is a speed limit (at least in most countries) and tight registration and liability laws.
The same legislative process will happen for the Internet as well. In theory, existing offline laws covering issues like libel, organized crime, terrorism and child abuse already apply. Unfortunately, due to the distributed, multinational nature of the Internet, current national legislation rarely provides a satisfying solution. In many cases, suspects and criminals are beyond the reach of the executive of a country. Solutions can be investments in online law enforcement along with international cooperation agreements, but also new Internet-specific regulation relying on technological advances.
DPI and Regulation
Traffic filtering systems that use DPI have been proposed as a technical regulatory measure in various countries to en-
White Paper
⁴ In January 2009, the European Advanced Networking Test Center (EANTC) conducted an independent test of DPI systems with special focus on the detection capabilities with respect to encrypted P2P protocols. The results clearly showed that the three participating vendors had no difficulties with encryption. The test results are available at Internet Evolution: http://www.internetevolution.com/document.asp?doc_id=178633.
The P2P Encryption Lie
The common claim among P2P users and DPI opponents that the use of encryption and obfuscation in P2P networks like eDonkey and BitTorrent is a measure to ensure the users’ privacy is plain dishonest. Even if encryption is enabled, files are still shared with the general public, so for everybody to download, store and read – of course in unencrypted format. This is also why encryption does not provide any protection against copyright investigations in P2P networks, where investigators use normal P2P clients to participate in the network and download files from potential infringers. The only sensible reason for encryption is the attempt to circumvent bandwidth limitations imposed for P2P transfers by the ISP. However, with modern traffic management systems, which are able to reliably detect obfuscated and encrypted P2P traffic, this measure is totally ineffective.
The simplest form of such an application-specific traffic management would be the assignment of priorities to different application classes. A ruleset could for instance be:
◦ Internet telephony (e.g. SIP, H.323, Skype) gets the highest priority
◦ Interactive applications (Web, instant messaging) get high priority
◦ Non-interactive applications (FTP, e-mail) get normal priority
◦ High-bandwidth downloads (P2P file sharing, file hosting⁶) get low priority
It is important to understand that giving priority to selected applications does not necessarily cause a service degradation. For instance, giving voice traffic a higher priority than P2P will not at all affect the bandwidth available to P2P. This is because less than 1 percent of all Internet traffic is voice versus at least 50 percent P2P traffic. The voice traffic increase will be unnoticeable and insignificant relative to the P2P traffic volume. The fear that low priority automatically means a slower application is unfounded.
However, if there are two types of high-volume applications, for instance P2P and Internet TV, then priorities can indeed have an adverse effect on the lower-priority application. This is why, in the specific case of Internet TV, which requires a lot of network resources, most service providers who offer such a service have chosen to build a separate network dedicated to this service only.
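The two cases just described can be checked with a small fluid model of one oversubscribed link. The Python below is an added example, not code from this white paper or from any traffic management product: it allocates a 100 Mbit/s link once by strict priority and once best-effort (every class loses the same fraction of its offered load) and reports how much P2P loses. The class names follow the example ruleset above; the "iptv" class, its priority level and all offered loads are assumptions constructed for the example.

```python
"""Strict-priority versus best-effort sharing of one congested link.

Constructed example (not code from the white paper): a fluid model that
checks the claim that ranking a small class (voice) above P2P leaves P2P
almost untouched, while a second high-volume class (Internet TV) ranked
above P2P does take bandwidth away from it.
"""

# Priority levels, lower number served first. The order follows the paper's
# example ruleset; the "iptv" class and its level are our assumption.
PRIORITY = {"voice": 0, "interactive": 1, "normal": 2, "iptv": 2, "p2p": 3}


def best_effort(capacity, offered):
    """No priorities: when the link is oversubscribed every class keeps the
    same fraction of its offered load (proportional share)."""
    total = sum(offered.values())
    if total <= capacity:
        return dict(offered)
    return {app: capacity * rate / total for app, rate in offered.items()}


def strict_priority(capacity, offered):
    """Serve classes in priority order; classes on the same level share what
    is left proportionally to their offered load."""
    served = {}
    remaining = float(capacity)
    for level in sorted({PRIORITY[app] for app in offered}):
        group = {app: r for app, r in offered.items() if PRIORITY[app] == level}
        served.update(best_effort(remaining, group))
        remaining -= sum(served[app] for app in group)
    return served


def p2p_loss(capacity, offered):
    """Mbit/s that P2P loses under strict priority compared with best effort."""
    return (best_effort(capacity, offered)["p2p"]
            - strict_priority(capacity, offered)["p2p"])


# Constructed sample loads on a 100 Mbit/s link; both scenarios are oversubscribed.
LINK = 100.0
VOICE_VS_P2P = {"voice": 1.0, "p2p": 120.0}  # voice is about 1% of the load
IPTV_VS_P2P = {"iptv": 60.0, "p2p": 120.0}   # two high-volume classes

if __name__ == "__main__":
    for name, load in (("voice vs p2p", VOICE_VS_P2P), ("iptv vs p2p", IPTV_VS_P2P)):
        print(name, "strict:", strict_priority(LINK, load),
              "best effort:", best_effort(LINK, load),
              "p2p loses %.2f Mbit/s" % p2p_loss(LINK, load))
```

In the first scenario P2P gives up less than 0.2 Mbit/s of its 100 Mbit/s best-effort share; in the second it drops from about 67 to 40 Mbit/s, which is the adverse effect the paragraph above describes.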
Now even if everybody agreed that priorities are a good idea, one open problem remains: who decides which application gets what priority? One option would be to let users pick their priorities themselves. This option has two problems. First, it requires knowledge about the quality of service requirements of applications and network protocols, and second, users would most likely tend to over-prioritize their own traffic. So the other option would be to have the Internet service provider assign priorities. Here it is important that assignments are not driven by the interests of a certain ISP, but only by the QoS requirements of an application or application class. Even an international standardization process is conceivable. The same applies to bandwidth management that goes beyond simple priority management by assigning application-specific bandwidth guarantees.
A totally different solution to this fairness problem among users would be going back from flat rate Internet access fees to volume-based billing. While this would provide for maximum fairness among users – yes, there is a cost per transmitted byte! – and indeed most users, probably over 80 percent, would financially benefit by paying less for their Internet access, it would also severely limit the Internet’s potential to foster innovation.
Ultimately, the long-term solution to the net neutrality dispute is rather simple. Governments have to ensure a competitive environment among service providers. And then, the market – including ISP subscribers – can and will decide.
Privacy
DPI as such has no negative impact on online privacy. It is, again, only the applications that may have this impact. Prohibiting DPI as a technology would be just as naive as prohibiting automatic speech recognition because it can be used to eavesdrop on conversations based on content. Although DPI can be used as a base technology to look at and evaluate the actual content of a network communication, this goes beyond what we understand as DPI as it is used by Internet bandwidth management – the classification of network protocols and applications. Other applications of DPI, for instance lawful interception and targeted injection of advertisements, do indeed go further, but they are beyond the scope of this paper.
Ultimately, it is again a matter of regulation and social discourse to decide what levels of DPI and what applications are considered acceptable. But it is also naive to believe that intelligence services will refrain from using the latest available technology for wiretapping. This, too, is a matter of regulation. Quis custodiet ipsos custodes?
Content-Specific Filtering
Filtering of data transfers based on their content is one application where DPI goes beyond a simple protocol or application classification. Here, not only the application or communication protocol is classified, but also the content that is exchanged. After this classification, certain content types may be blocked. Today, this type of content filtering is usually limited to Web traffic and is only deployed in certain countries.
This DPI application does indeed have a potential impact on net neutrality and freedom of speech and thus becomes a matter of national – and maybe also international – legislation. Every country has its own rules on what is legal and what is not. Freedom of speech is not unconditional even in the USA, meaning there are limits to what kind of content can legally be made publicly available. This kind of regulation of course exists in most countries for non-Internet content. There are age ratings for movies, and one country would certainly not accept the categorization of another country. Access to movies is controlled based on these ratings. There is no similar classification scheme along with access control for Internet content. This is something we could see in the Internet of the future, and whether this is desirable or not needs to be decided by society.
⁶ “File hosting” refers to Web-based services that allow users to upload files, including very large ones, and then provide a URL, or link, to that file which can be shared with other users, who can then simply download the file by following that link. These services are also known as “direct download links” (DDL). The largest operators of such services currently are RapidShare and MegaUpload.
Levels of Bandwidth Management
The focus of this paper is Internet bandwidth management based on DPI. The previous sections have explained the technical, legal and social aspects of this technology. In many of the public discussions, the participants are in irreconcilable opposition. DPI opponents in particular often assume a very extreme position in their arguments. FUD and other scare tactics are no rarity.
We strongly believe that a more differentiated discussion is long overdue. For this reason we propose a classification scheme with seven levels of bandwidth management – some involving DPI, some not. The following list is in ascending order according to a bandwidth management policy’s potential impact on net neutrality. All measures could be deployed separately or in combination.
Independent of the bandwidth management policy implemented by ISPs, we strongly believe that this policy should be openly communicated to customers and – more importantly – to prospective customers. This is also where legislation, if deemed necessary, should put its focus. Instead of trying to define what kind of bandwidth management is acceptable, it should enforce transparency and let the market do the regulation.
Best Effort Service
This has been the status quo in the Internet since its inception. Every packet is treated equally, independent of its type or content. In case of congestion at a particular router hop along a network path, packets are randomly dropped depending on their arrival time and router buffer occupancy.
Pros:
◦ Provides maximum net neutrality according to some definitions
◦ No additional implementation cost
Cons:
◦ Prevents the implementation of QoS guarantees
◦ Unfair to the majority of network users
Per-User Bandwidth Fairness
Currently, the Internet only provides per-connection fairness for the TCP transport protocol, as described above. Bandwidth-greedy applications that use UDP for bulk data transfer or open many simultaneous TCP connections can easily circumvent this transport capacity fairness and use more than their fair share of the available bandwidth. A traffic management system can rather easily enforce a per-subscriber bandwidth usage fairness that ensures all users get on average an about equal share of the available bandwidth, which is particularly important during periods of network congestion.
Pros:
◦ Heavy users have no negative performance impact on others
◦ Fair distribution of available resources among all users
◦ No DPI required
Cons:
◦ None found
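The difference between per-connection and per-subscriber fairness can be made concrete with a max-min (water-filling) allocation, the usual definition of a fair share at a single bottleneck. The Python below is an added example, not code from this paper or from any traffic management product: it allocates one 40 Mbit/s link first treating every flow as its own entity (the TCP status quo) and then treating every subscriber as the entity, with each subscriber's flows sharing that subscriber's quota. The four subscribers, their flows and the link rate are constructed sample values; subscriber "A" is the one that opens ten parallel connections.

```python
"""Per-flow versus per-subscriber max-min fairness on one congested link.

Constructed example (not code from the white paper or any vendor): a fluid
model of one 40 Mbit/s hop shared by four subscribers, one of whom runs a
bandwidth-greedy application with ten parallel connections.
"""
from collections import defaultdict

# Constructed sample flows: (subscriber, flow id, offered load in Mbit/s).
# "A" opens ten bulk connections; "B" and "C" one each; "D" only needs 2 Mbit/s.
FLOWS = (
    [("A", f"a{i}", 10.0) for i in range(10)]
    + [("B", "b0", 10.0), ("C", "c0", 10.0), ("D", "d0", 2.0)]
)
LINK_CAPACITY = 40.0  # Mbit/s at the congested hop


def max_min_fair(capacity, demands):
    """Water-filling max-min fair share: {entity: demand} -> {entity: rate}.

    Each round hands every unsatisfied entity an equal slice of what is left;
    entities whose residual demand fits in the slice are satisfied and drop
    out, so the slice for the remaining ones grows in the next round.
    """
    alloc = {k: 0.0 for k in demands}
    unsatisfied = set(demands)
    remaining = float(capacity)
    while unsatisfied and remaining > 1e-12:
        share = remaining / len(unsatisfied)
        satisfied = {k for k in unsatisfied if demands[k] - alloc[k] <= share}
        if not satisfied:
            # Everyone still wants more than the slice: split the rest equally.
            for k in unsatisfied:
                alloc[k] += share
            break
        for k in satisfied:
            need = demands[k] - alloc[k]
            alloc[k] += need
            remaining -= need
        unsatisfied -= satisfied
    return alloc


def per_flow_allocation(capacity, flows):
    """Per-connection fairness (the TCP status quo): every flow is one entity."""
    demands = {(sub, fid): rate for sub, fid, rate in flows}
    return max_min_fair(capacity, demands)


def per_subscriber_allocation(capacity, flows):
    """Per-subscriber fairness: share the link between subscribers first,
    then let each subscriber's own flows share that subscriber's quota."""
    per_sub_demand = defaultdict(float)
    for sub, _, rate in flows:
        per_sub_demand[sub] += rate
    quota = max_min_fair(capacity, dict(per_sub_demand))
    alloc = {}
    for sub, q in quota.items():
        own = {(s, f): r for s, f, r in flows if s == sub}
        alloc.update(max_min_fair(q, own))
    return alloc


def totals_by_subscriber(alloc):
    """Sum a per-flow allocation up to {subscriber: Mbit/s}."""
    out = defaultdict(float)
    for (sub, _), rate in alloc.items():
        out[sub] += rate
    return dict(out)


if __name__ == "__main__":
    for name, fn in (("per-flow", per_flow_allocation),
                     ("per-subscriber", per_subscriber_allocation)):
        t = totals_by_subscriber(fn(LINK_CAPACITY, FLOWS))
        print(name, {k: round(v, 2) for k, v in sorted(t.items())})
```

With per-flow fairness "A" collects roughly 31.7 of the 40 Mbit/s simply by having ten connections, while "B" and "C" get about 3.2 each; with per-subscriber fairness "B" and "C" get their full 10 Mbit/s, "D" its 2, and "A" the 18 Mbit/s that are left, split among its ten flows. No packet inspection is needed for the second scheme, only a subscriber identity per flow.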
User-Configurable Disabling of Selected Applications
The ISP offers its subscribers the ability to block access to selected protocols, applications or even content as a managed service. Residential customers can use this feature for parental control and enterprise customers for blocking of non-work-related applications. For example, residential subscribers may choose to disable P2P file sharing to avoid prosecution for copyright infringements committed by their children. The same could be done in a company network or at a public hotspot to avoid any liability issues for user activities. Also, access to recreational applications (e.g. media streaming, social networking sites, online games) could be blocked for company staff.
Pros:
◦ Improved security and application control for Internet users
◦ Protection against copyright liabilities
◦ Protection against application-specific attacks
Cons:
◦ Requires DPI equipment
Application-Aware Congestion Management
Based on the fact that certain QoS guarantees (e.g. minimum available bandwidth, maximum delay and jitter, maximum packet loss) are more critical for some applications than for others, an ISP implements a QoS management scheme taking into account the specific requirements for an application or application class. In its simplest form, this could be a tiered priority scheme as in the following example:
◦ Highest priority: network-critical protocols such as BGP, ICMP, DNS, maybe TCP FIN and ACK packets
impact on other subscribers as a form of infrastructure investment protection.
In addition, ISPs have the option to monetize their gateway position between the subscriber and the Internet. By monitoring the online behavior of their customers, they can serve targeted advertisements to generate additional revenue. Transparency – or the lack of it – is a big problem for this kind of activity. The DPI equipment required for this ad injection needs to have special capabilities to extract information on content downloaded by subscribers in order to serve relevant advertisements. This goes far beyond what DPI bandwidth management systems do, although only for a small subset of the entire traffic, since this kind of monitoring is usually limited to Web traffic. On the more open side, the ISP could offer this ad injection as a customer-selectable option that reduces the monthly Internet access fee.
Pros:
◦ Allows the ISP to monetize on advertisements, which has traditionally been limited to content providers
◦ Can reduce Internet access fees
Cons:
◦ Privacy and transparency problems
◦ Requires special, single-purpose DPI equipment
Feedback Welcome!
The presented list is not meant to be complete, but as a contribution to bring more structure into the public debate about DPI Internet traffic management. Feedback and comments are always welcome.