1. Zero Trust Score-based Network-level Access Control in Enterprise Networks

Leonard Bradatsch, Natasa Trkulja, Oleksandr Miroshkin, Frank Kargl | 2023 | 22nd IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2023)

Zero Trust security has recently piqued the inter- est of the enterprise network security community. Enforcing network-level access decisions based on a trust score is one of its core concepts. However, score-based access control in the enterprise domain still lacks essential elements in our understanding, and in this paper, we contribute with respect to three crucial aspects. First, we provide a comprehensive list of 29 trust attributes that can be used to calculate a trust score. By introducing a novel mathematical approach, we demonstrate how to quantify these attributes. Second, we describe a dynamic risk-based method to calculate the trust threshold the trust score must meet for permitted access. Third, we introduce a novel trust algorithm based on Subjective Logic that incorporates the first two contributions and offers fine-grained decision possibilities. We discuss how this algorithm shows a higher expressiveness compared to a lightweight additive trust algorithm. Performance- wise, a prototype of the Subjective Logic-based approach showed similar calculation times for making an access decision as the additive approach. In addition, the dynamic threshold calculation showed only 7% increased decision-making times compared to a static threshold.

2. QUIC(k) Enough in the Long Run? Sustained Throughput Performance of QUIC Implementations

Michael König, Oliver P. Waldhorst, Martina Zitterbart | 2023 | 2023 IEEE 48th Conference on Local Computer Networks (LCN)

QUIC aims to become a general-purpose transport protocol, and numerous implementations of the QUIC protocol already exist. Earlier evaluations often examined QUIC in conjunction with HTTP/3.0 or focused on latency metrics. The measurement studies in this paper focus on actual QUIC implementations with respect to their ability to achieve high sustained throughput in network scenarios with data rates of 10 Gbit/s. We compare six popular QUIC implementations developed in different programming languages with TCP. Our findings show significant performance improvements in several QUIC implementations compared to prior evaluations. However, it is not a homogeneous picture, as current QUIC implementations often behave quite differently. We observed that in environments with low RTTs or an increased number of packet losses, most of the surveyed QUIC implementations struggle unexpectedly and cannot compete with TCP regarding sustained throughput performance.

3. Handling 5G Blockage Issue through a MPTCP Proxy Approach

Reza Poorzare, Oliver P. Waldhorst | 2023 | 2023 IEEE 14th International Conference on Network of the Future (NoF)

Cellular communication has become an integral part of human life, and 5G, as a new mobile communication technology, is expanding to provide enhanced connectivity for users. Nevertheless, due to flaws such as blockage, it cannot accomplish its goals easily. Meanwhile, with the emergence of MPTCP, the feasibility of using multiple networks is now available for users. MPTCP can indeed help the 5G network by combining it with another network in such a way that the alternative one can be an assistance for the 5G network to overcome existing issues such as blockage; however, most servers do not support this protocol, and thus, its deployment by a user can be pointless. In this paper, by using a proxy, we provide multipathing to the client side to improve the user experience. The paper mainly focuses on answering the question of whether or not it is possible to keep the performance of the 5G network stable by exploiting a secondary network. Furthermore, it elaborates on which scenarios can most benefit from the MPTCP proxy deployment, and which combination of congestion control and schedulers can fulfill it the most and enhance mobile networks’ performance.

4. Can MPTCP Proxy Practically Improve Cellular Communication?

Reza Poorzare, Oliver P. Waldhorst | 2023 | 2023 IEEE 42nd International Performance Computing and Communications Conference (IPCCC)

Emerging networks, such as 5G, can indeed deliver higher capabilities compared to previous generations. Yet, there is still a need for more capacity to meet the growing demand for higher bandwidth. Meanwhile, MPTCP has emerged as a protocol that combines existing networks to increase available bandwidth through the simultaneous use of multiple connections. However, most public servers do not currently support this protocol, forcing MPTCP connections to fall back to conventional single-path TCP. As a solution, we propose deploying a MPTCP proxy server as an enabler to provide multipathing on the client side. Using this approach, we combine the bandwidth available for 5G and LTE networks to determine the protocol’s ability to improve mobile communications. In addition, we have analyzed different congestion control and scheduling mechanisms for MPTCP to find out which are suitable for various situations and may yield significant beneficial results.

5. Steps Toward a Supervised Machine Learning Scheduler for MPTCP

Reza Poorzare, Hadi Asghari, Oliver P. Waldhorst | 2023 | 2nd Workshop on Machine Learning & Networking (MaLeNe)

The functionality of the MPTCP scheduler is a hurdle in the way of the protocol in achieving high performance. This drawback is even more severe in heterogeneous networks, where the differences in the characteristics of the paths impair the functionality of the scheduler drastically. In this paper, we introduce a dataset generated by an emulation environment, including diverse scenarios and traffic types, as an initial step toward having a supervised learning scheduler.

6. P4sec: Automated Deployment of 802.1X, IPsec, and MACsec Network Protection in P4-Based SDN

Frederik Hauser, Marco Haeberle, Michael Menth | 2023 | IEEEAccess

802.1X, MACsec, and IPsec are widespread network security mechanisms that control network access and add encryption and authentication to L2 and L3 networking. They are standardized by IEEE and IETF, and are part of most open-source and commercial network hardware and software appliances. However, lots of manual configuration is needed for their application in traditional networks. In this work, we present P4sec, a three-tier control architecture for automated configuration of these security protocols in networks with multiple sites. P4sec leverages P4-programmable switches and operates them through distributed controllers. We briefly introduce data plane programming with P4 and give an overview of 802.1X, MACsec, and IPsec. We explain the three-tier control architecture P4sec and validate it by a prototype which is published under the Apache v2 license on GitHub. Finally, we discuss opportunities and challenges.

7. P4-LISP: A P4-Based High-Performance Router for the Locator/Identifier Separation Protocol

Benjamin Steinert, Marco Haeberle, Jan-Oliver Nick, Dino Farinacci, Michael Menth | 2023 | 2023 IEEE 9th International Conference on Network Softwarization (NetSoft)

The networking paradigm locator/identifier split decouples locating and identifying functionality of addresses. Thereby it improves multi-homing, fail-over, mobility, traffic engineering over the Internet, and routing scalability. The Locator/Identifier Separation Protocol (LISP) is a prominent incarnation of that paradigm which recently became an Internet standard. However, existing LISP implementations are either proprietary or have limited performance, which makes their deployment difficult in high-speed networks. Programming Protocol-independent Packet Processors (P4) is a programming language that facilitates the implementation of custom data plane processing on high-performance switches with line rates of up to 400 Gbit/s. In this work, we present P4-LISP, an open-source P4-based proof of concept implementation of a high-performance LISP router. It supports all relevant features such as ITR, ETR, RTR, P-ITR, P-ETR, NAT-traversal, LISP-NAT, and mobile nodes. As control plane, the open-source implementation lispers.net has been integrated on the switch. Security features are added to protect the control plane from being overloaded by the highperformance data plane. The paper describes the architecture of P4-LISP in detail and extensively evaluates performance, functionality, controller performance, and overload protection.

8. A Methodology and Framework to Determine the Isolation Capabilities of Virtualisation Technologies

Volpert Simon, Erb Benjamin, Eisenhart Georg, Seybold Daniel, Wesner Stefan, Domaschka Jörg | 2023 | ICPE '23: ACM/SPEC International Conference on Performance Engineering

The capability to isolate system resources is an essential characteristic of virtualisation technologies and is therefore important for research and industry alike. It allows the co-location of experiments and workloads, the partitioning of system resources and enables multi-tenant business models such as cloud computing. Poor isolation among tenants bears the risk of noisy-neighbour and contention effects which negatively impacts all of those use-cases. These effects describe the negative impact of one tenant onto another by utilising shared resources. Both industry and research provide many different concepts and technologies to realise isolation. Yet, the isolation capabilities of all these different approaches are not well understood; nor is there an established way to measure the quality of their isolation capabilities. Such an understanding, however, is of uttermost importance in practice to elaborately decide on a suited implementation. Hence, in this work, we present a novel methodology to measure the isolation capabilities of virtualisation technologies for system resources, that fulfils all requirements to benchmarking including reliability. It relies on an immutable approach, based on Experiment-as-Code. The complete process holistically includes everything from bare metal resource provisioning to the actual experiment enactment. The results determined by this methodology help in the decision for a virtualisation technology regarding its capability to isolate given resources. Such results are presented here as a closing example in order to validate the proposed methodology.

9. Toward the Implementation of MPTCP over mmWave 5G and Beyond: Analysis, Challenges, and Solutions

Reza Poorzare, Oliver P. Waldhorst | 2023 | IEEE Access

5G and beyond 5G networks are going to be an inseparable part of human lives in the future. They will dominate any aspects of everyday activities from smart homes, remote surgery, and smart cities to autonomous driving, which demand high throughput through low latency end-to-end communication. Consequently, employing higher frequencies in millimeter-wave for the coming cellular networks will be inevitable. On the one hand, millimeter-wave can provide massive data rates; on the other hand, it suffers from some shortcomings such as blockage and misalignment that can occur because of the susceptible characteristic of the high frequencies. These flaws can mislead TCP in adjusting its sending rate efficiently and reduce the connection quality that a user discerns. Deploying Multipath TCP (MPTCP) is one of the schemes that can relieve the aforementioned issues and assist in utilizing the new generation mobile networks’ high potential by leveraging its features in exploiting diverse paths in networks such as NR or LTE. A well-designed MPTCP can select the best path among the available ones, so it can enhance the perceived user experience. This paper fills the gap of having a comprehensive overview of MPTCP and its deployment over 5G and beyond 5G networks. It analyses millimeter-wave-based cellular networks, MPTCP procedures and parameters, state-of-the-art MPTCP congestion control mechanisms and schedulers, and the probable solutions that may enhance the protocol’s functionality in cellular communication.

10. A Survey on Data Plane Programming with P4: Fundamentals, Advances, and Applied Research

Frederik Hauser, Marco Haeberle, Daniel Merling, Steffen Lindner, Vladimir Gurevich, Florian Zeiger, Reinhard Frank, Michael Menth | 2023 | Journal of Network and Computer Applications (2023)

Programmable data planes allow users to define their own data plane algorithms for network devices including appropriate data plane application programming interfaces (APIs) which may be leveraged by user-defined software-defined networking (SDN) control. This offers great flexibility for network customization, be it for specialized, commercial appliances, e.g., in 5G or data center networks, or for rapid prototyping in industrial and academic research. Programming protocol-independent packet processors (P4) has emerged as the currently most widespread abstraction, programming language, and concept for data plane programming. It is developed and standardized by an open community, and it is supported by various software and hardware platforms. In the first part of this paper we give a tutorial of data plane programming models, the P4 programming language, architectures, compilers, targets, and data plane APIs. We also consider research efforts to advance P4 technology. In the second part, we categorize a large body of literature of P4-based applied research into different research domains, summarize the contributions of these papers, and extract prototypes, target platforms, and source code availability. For each research domain, we analyze how the reviewed works benefit from P4’s core features. Finally, we discuss potential next steps based on our findings.

11. P4TG: 1 Tb/s Traffic Generation for Ethernet/IP Networks

Steffen Lindner, Marco Haeberle, Michael Menth | 2023 | IEEEAccess

In this work, we present P4TG, a P4-based traffic generator (TG) which runs on the programmable Intel Tofino™ ASIC. In generation mode, P4TG is capable of generating traffic up to 1 Tb/s split across 10x 100 Gb/s ports. Thereby it measures rates directly in the data plane. Generated traffic may be fed back from the output to the input ports, possibly through other equipment, to record packet loss, packet reordering, and sampled inter-arrival times (IATs) and round trip times (RTTs). In analysis mode, P4TG measures rates on the input ports, samples IATs, and forwards traffic through its output ports. Existing software or P4-based traffic generators either lack the required accuracy, do not support high data rates, or do not provide sufficiently integrated measurement capabilities. We compare P4TG’s performance with the one of the software TG TRex and the hardware TG EXFO. P4TG’s code is provided on GitHub.

12. End-to-End is Not Enough: Towards a Coordinated Congestion Control (C3)

Michael König, Martina Zitterbart | 2022 | 3rd KuVS Fachgespräch 'Machine Learning & Networking (MaLeNe)'

13. Secure Service Function Chaining in the Context of Zero Trust Security

Leonard Bradatsch, Marco Häberle, Benjamin Steinert, Frank Kargl, Michael Menth | 2022 | 2022 IEEE 47th Conference on Local Computer Networks (LCN)

Service Function Chaining (SFC) enables dynamic steering of traffic through a set of service functions based on classification of packets, allowing network operators fine-grained and flexible control of packet flows. New paradigms like Zero Trust (ZT) pose additional requirements to the security of network architectures. This includes client authentication, confidentiality, and integrity throughout the whole network, while also being able to perform operations on the unencrypted payload of packets. However, these requirements are only partially addressed in existing SFC literature. Therefore, we first present a comprehensive analysis of the security requirements for SFC architectures. Based on this analysis, we propose a concept towards the fulfillment of the requirements while maintaining the flexibility of SFC. In addition, we provide and evaluate a proof of concept implementation, and discuss the implications of the design choices.

14. Scalable Shapeoid Recognition on Multivariate Data Streams with Apache Beam

Tsitspas Athanasios, Eisenhart Georg, Seybold Daniel, Wesner Stefan | 2022 | Intelligent Computing, Proceedings of the 2022 Computing Conference, Volume 1

Time series representation and discretisation methods are susceptible to scaling over massive data streams. A recent approach for transferring time series data to the realm of symbols under primitives, named shapeoids has emerged in the area of data mining and pattern recognition. A shapeoid will characterise a subset of the time series curve in words from its morphology. Data processing frameworks are typical examples for running operations on top of fast unbounded data, with innate traits to enable other methods which are restricted to bounded data. Apache Beam is emerging with a unified programming model for streaming applications able to uniquely translate and run on multiple execution engines, saving development time to focus on other design decisions. We develop an application on Apache Beam which transfers the concept of shapeoids to a scenario in large-scale network flow monitoring infrastructure and evaluate it over two stream computing engines.

15. A Caching SFC Proxy Based on eBPF

Häberle Marco, Steinert Benjamin, Weiss Michael, Menth Michael | 2022 | IEEE International Conference on Network Softwarization (NetSoft 2022)

Service Functions (SFs) are intermediate processing nodes on the path of IP packets. With SF chaining (SFC), packets can be steered to multiple physical or virtual SFs in a specific order. SFC-unaware SFs can be used flexibly but they do not support SFC-specific encapsulation of packets. Therefore, an SFC proxy needs to remove the encapsulation of a packet before processing by an SFC-unaware SF, and to add it again afterwards. Such an SFC proxy typically runs on a server hosting virtual network functions (VNFs) that serve as SFs. While simple SFC proxies adapt a flow-specific static header stack, the caching SFC proxy presented in this work caches packet-specific headers while packets are processed by a VNF. We present concept, use cases, and an eBPF-based implementation of the caching SFC proxy. In addition, we evaluate the performance of a prototype.

16. Recognition of Similar NetFlow Data in Decentralised Monitoring Environments

Eisenhart Georg, Volpert Simon, Braitinger Jan, Domaschka Jörg | 2022 | 3. KuVS Fachgespräch "Network Softwarization" (7.4. - 8.4.2022)

One of the main challenges in the analysis of NetFlow data in decentralised monitoring environments comes from merging datasets from different independent sites. One problem is to identify similar data points which can impact derived metrics from such data directly. This article provides a proof of concept how similarity measurements based on distance metrics can be used to identify similar or related flows from different datasets. For this, several domains are outlined which can benefit from this approach to support validation of research scenarios and data analysis.

17. Firewall-as-a-Service for Campus Networks Based on P4-SFC

Häberle Marco, Steinert Benjamin, Menth Michael | 2021 | Conference on Networked Systems 2021 (NetSys 2021)

Taking care of security is a crucial task for every operator of a cam-pus network. One of the most fundamental security-related network functions thatcan be found in most networks for this purpose are stateful firewalls. However, de-ploying firewalls in large campus networks, e.g., at a university, can be challenging.Hardware appliances that can cope with today’s high data rates at the border of acampus network are not cost-effective enough for most deployments. Shifting theresponsibility to run firewalls to single departments at a university is not feasiblebecause the expertise to manage these devices is not available there. For this reason,we propose a cloud-like infrastructure based on service function chaining (SFC) andnetwork function virtualization (NFV) that allows users to deploy network functionslike firewalls at a central place while hiding most technical details from the users.

18. Zero Trust Service Function Chaining

Bradatsch Leonard, Kargl Frank, Miroshkin Oleksandr | 2021 | Conference on Networked Systems 2021 (NetSys 2021)

In this paper, we address the inefficient handling of traditional security functions in Zero Trust networks. For this reason, we propose a novel network security concept that combines the ideas of Zero Trust and Service Function Chaining. This allows us to efficiently decide which security functions to apply to which packets and when.

19. P4-IPsec: Site-to-Site and Host-to-Site VPN With IPsec in P4-Based SDN

Frederik Hauser, Marco Häberle, Mark Schmidt, Michael Menth | 2020 | IEEE Access

In this work, we present P4-IPsec, a concept for IPsec in software-defined networks (SDN) using P4 programmable data planes. The prototype implementation features ESP in tunnel mode and supports different cipher suites. P4-capable switches are programmed to serve as IPsec tunnel endpoints. We also provide a client agent to configure tunnel endpoints on Linux hosts so that site-to-site and host-to-site application scenarios can be supported which are the base for virtual private networks (VPNs). While traditional VPNs require complex key exchange protocols like IKE to set up and renew tunnel endpoints, P4-IPsec benefits from an SDN controller to accomplish these tasks. One goal of this experimental work is to investigate how well P4-IPsec can be implemented on existing P4 switches. We present a prototype for the BMv2 P4 software switch, evaluate its performance, and publish its source code on GitHub. We explain why we could not provide a useful implementation with the NetFPGA SUME board. For the Edgecore Wedge 100BF-32X Tofino-based switch, we presented two prototype implementations to cope with a missing crypto unit. As another contribution of this paper, we provide technological background of P4 and IPsec and give a comprehensive review of security applications in P4, IPsec in SDN, and IPsec data plane implementations. According to our knowledge, P4-IPsec is the first implementation of IPsec for P4-based SDN.

20. Service Function Chaining Based on SegmentRouting Using P4 and SR-IOV (P4-SFC)

Andreas Stockmayer, Stephan Hinselmann, Marco Häberle, Michael Menth | 2020 | 15th Workshop on Virtualization in High-Performance Cloud Computing (VHPC'20)

In this paper we describe P4-SFC to support service function chaining (SFC) based on a single P4-capable switch and off-the-shelfcomponents. It utilizes MPLS-based segment routing for traffic forwarding in the network and SR-IOV for efficient packet handling on hosts. We describe the P4-SFC architecture and demonstrate its feasibility by a prototype using the Tofino Edgecore Wedge 100BF-32X as P4 switch. Performance tests show that L2 throughput for VNFs on a host is significantly larger when connected via SR-IOV with the host’s networkinterface card instead of over a software switch.

21. Evaluation of the Deployment-Status of RPKI and Route Filtering

Johannes Deger, Frank Kargl | 2020 | 1st ITG Workshop on IT Security (ITSec)

The Border Gateway Protocol (BGP) is an essential infrastructure element, often termed “the glue that keeps the Internet together”. Even in its current version 4, BGP misses essential security mechanisms that would allow to validate routing information distributed through BGP in terms of its authenticity and integrity. While mechanisms like BGPsec have been proposed many years ago, so far they have not found widespread adoption and many experts believe they never will due to their inherent complexity. Incidents happening as early as 1997 like AS7007 or the more recent Pakistan YouTube hijack illustrate the problems stemming from BGP route information not being integrity protected and authenticated. In today’s Internet, BGP routing regularly gets manipulated by criminals or state actors with the goal of seizing control of certain portions of address space1 for criminal or other purposes. To ensure a minimal level of protection, most Internet service providers (ISPs) rely on heuristic filtering of routing information advertised from neighboring autonomous systems (AS). One approach is called Path Origin Validation where an ISP tries to verify whether the AS advertising a certain IP prefix is actually the legitimate owner of this prefix.

22. P4-MACsec: Dynamic Topology Monitoring and Data Layer Protection With MACsec in P4-Based SDN

Frederik Hauser, Mark Schmidt, Marco Häberle, Michael Menth | 2020 | IEEE Access

We propose P4-MACsec to protect network links between P4-based SDN switches through automated deployment of MACsec, a widespread IEEE standard for securing Layer 2 infrastructures. MACsec is supported by switches and routers from many manufacturers. On these devices, it has only little performance limitations compared to VPN technologies such as IPsec. P4-MACsec suggests a data plane implementation of MACsec including AES-GCM encryption and decryption directly on P4 targets. P4-MACsec features a two-tier control plane structure where local controllers running on the P4 targets interact with a central controller. We propose a novel secure link discovery mechanism that leverages protected LLDP frames and a two-tier control plane structure for secure and efficient management of a global link map. Automated deployment of MACsec creates secure channels, generates keying material, and configures the P4 targets for each detected link between two P4 targets. It detects link changes and performs rekeying to provide a secure, configuration-free operation of MACsec. In this paper, we review the technological background of P4-MACsec and explain its architecture. To demonstrate the feasibility of P4-MACsec, we implement it on the BMv2 P4 software target, validate the prototype through experiments, and evaluate its performance through experiments considering TCP goodput and round-trip time. We publish the prototype and experiment setup under the Apache v2 license on GitHub.

23. Context-based Access Control and Trust Scores in Zero Trust Campus Networks

Thomas Lukaseder, Maya Halter, Frank Kargl | 2020 | SICHERHEIT 2020 - Gesellschaft für Informatik e.V.

Research networks are used daily by thousands of students and scientific staff for education and research and therefore have a large number of sensitive and valuable resources. The currently predominant perimeter security model is failing more and more often to provide sufficient protection against attackers. This paper analyses to what extent the zero trust model that is popular in some commercial networks can also be applied to the open and heterogeneous research network of a German university. The concept presented herein to implement such an identity-based network model focuses in particular on the components which are necessary for authentication and authorization. The feasibility of the model is demonstrated by a self-implemented prototype that protects access control to a prominent eLearning system called Moodle. Non-functional performance tests show an increase in performance compared to the current system where access control is only conducted inside the web application. The Zero Trust Model enables the determination of the trustworthiness of individual identities and thus offers valuable new ways to secure a research network.

1. Integration of Network Security Mechanisms in Softwarized Networks with Data Plane Programming and Software-Defined Networking

Hauser, Frederik | 2022 | Ph.D. Thesis | Lehrstuhl für Kommunikationsnetze, Universität Tübingen, Fachbereich Informatik

In network softwarization, traditional network appliances with fixed features and limited configurability are replaced by programmable software- or hardware-based platforms. Two popular concepts of this new trend are SDN and data plane programming. SDN allows programmers to bypass the control plane of networking devices and introduce own software-based control plane algorithms. Data plane programming extends this programmability to the data plane. These new networking concepts are the basis for next-generation networks as utilized in cloud computing or 5G. OF and P4 are the most widespread standards for SDN and data plane programming, respectively. However, introducing SDN and data plane programming in existing networks requires transition strategies for the integration of existing network functions, protocols, and applications. The research of this thesis focuses on the integration of network security functions. It investigates whether existing and widespread network security mechanisms are implementable, how potential concepts and architectures of integrations may be engineered, and if mechanisms can benefit from SDN and data plane programming in terms of more efficient operation with automation, increased security, or new features. Subsequently, this research is complemented with a literature study analyzing how data plane programming with P4 is applied in fields other than network security. The results of my research are covered in five accepted and peer-reviewed papers and two papers that are currently in peer-review. Research results on OF-based SDN include an integration of 802.1X and a novel mechanism for network access and execution control for containerized applications. Research results on P4 data planes with SDN control include integrations of MACsec, IPsec, and 802.1X. The results of the literature study are covered in an extensive survey paper. Five more accepted and peer-reviewed papers are additional content of this thesis. These publications include research results on SDN transition strategies not related to network security and research results in the field of modelling and simulation. The majority of my research work was part of the bwNET100G+ research project. Additional research work was funded by the Deutsche Forschungsgemeinschaft (DFG) under grant ME2727/1-2 and by Siemens AG.

2. Security in high-bandwidth networks

Lukaseder Thomas | 2020 | Ph.D. Thesis | Institute of Distributed Systems, Ulm University

Ever-increasing bandwidth in networks presents a challenge to security mechanisms as the amount of traffic following Gilder's law) increases faster than the computational power (following Moore's law). This continuous increase in the amount of data not only impedes the effort to analyze the data in firewalls or Intrusion Detection Systems, but it can also be exploited by attackers to achieve ever stronger attacks. Moreover, testing network security mechanisms in high-bandwidth networks presents a challenge in itself as common testing tools are neither designed to produce nor to analyze such a vast amount of traffic. In this thesis, firstly, we look into testing of network applications, devices, and algorithms in high-bandwidth networks as a challenge in and of itself. We analyze traffic, build a network testing framework, and provide test data sets as groundwork for the other parts of this thesis. Following these insights, we work on improving security mechanisms to tackle the challenges of high-bandwidth networks. Hereby, we focus on two commonly used security mechanisms found in today's networks: Intrusion Detection Systems (IDS) and Mitigation Systems for Distributed Denial-of-Service (DDoS) attacks and investigate the impact of rising network traffic on their performance. We look into ways to raise IDS throughput through hardware-supported parallelization of regular expression matching. Matching regular expressions is a key component of the payload analysis in IDS and presents a major bottleneck for their throughput. Moreover, we present a framework able to detect DDoS attacks, identify attacking clients, and defend successfully against attacks. The system entails improvements in these areas with a particular focus on identifying slow DDoS attackers and defense against reflective attacks. The software developed, the data sets produced, and the insights gained in this work can help researchers, network administrators, and developers improve network security mechanisms and defend their networks more reliably against attacks.

1. Skalierbarkeit von Coordinated Congestion Control (C3)

Jannik Taubert | 2024 | B.Sc. Thesis | Supervisor: Michael König | Institute of Telematics, Karlsruhe Institute of Technology

2. Evaluating Reliability and Performance of QUIC Modules for NS-3

Adrian von Heyl | 2023 | M.Sc. Thesis | Supervisor: Michael König | Institute of Telematics, Karlsruhe Institute of Technology

3. External Control of TCP Congestion Control Behavior Using eBPF

Salas Franz, Marco | 2023 | B.Sc. Thesis | Supervisor: Michael König | Institute of Telematics, Karlsruhe Institute of Technology

4. Steigerung der Leistung von mmWave 5G- und Wi-Fi 6 Netzwerken mithilfe von Multipath-TCP

Asghari, Hadi | 2023 | B.Sc. Thesis | Supervisor: Oliver P. Waldhorst | Data-Centric Software Systems Research Group at the Institute of Applied Research, Karlsruhe University of Applied Science, Karlsruhe, Germany

Multipath TCP (MPTCP) is an extension to the single-path TCP (Transmission Control Protocol) that allows a single TCP connection to utilize multiple network interface cards (NIC) simultaneously. This enables higher throughput, improved reliability, and better utilization of available network resources. MPTCP is especially useful in modern network devices that have more than one NIC, such as cell phones or modern servers. Nevertheless, MPTCP cannot truly achieve all its aims, as a result, the user experience gets impaired. In this study, we prepared a dataset for machine learning model and undertake a real-world test using real equipment. We first collected a large dataset of MPTCP connection logs and extracted various connection parameters from Linux’ OLIA (Opportunistic Linked-Increases Algorithm) congestion avoidance algorithm such as round-trip time (RTT) in order to create a general dataset. On the second case study we employed three different clients, which performed various scenarios with and without MPTCP and compared the results. Our experimental results show that MPTCP, improves the user experience compared to single-path TCP. The importance of our study lies in the fact that MPTCP is becoming increasingly important in modern networks. Our proposed approach can help to further improve the performance of MPTCP connections, which can have significant implications for various applications such as streaming, online gaming, and cloud computing.

5. Quickest QUIC - Performance Comparison between Different QUIC Implementations

Jolondcovschi, Alexandru | 2023 | B.Sc. Thesis | Supervisor: Michael König | Institute of Telematics, Karlsruhe Institute of Technology

In 2013 Google introduced the QUIC Protocol with its initial goal of replacing TCP+TLS in common web stacks. After its standardization by IETF in May 2021 (RFC 9000), QUIC aims to become a general-purpose transport protocol and a complete alternative to TCP. Compared to TCP, QUIC is commonly implemented in user space and utilizes encryption by default. Its adoption rate is already significant and is likely to continue to grow in the future. Furthermore, a multitude of QUIC implementations from different companies and individual programmers already exist. The work aims to evaluate the performance regarding sustained throughput of selected QUIC implementations for Linux and compare their performance metrics to TCP in different network scenarios.

6. Skalierungs- und Einsatzkonzepte für die koordinierte Staukontrolle

Kusmin, Alexander | 2023 | B.Sc. Thesis | Supervisor: Michael König | Institute of Telematics, Karlsruhe Institute of Technology

7. Design einer für Zero Trust Service Function Chaining geeigneten Regelsprache

Schlageter Sebastian | 2022 | B.Sc. Thesis | Supervisor: Bradatsch Leonard | Institute of Distributed Systems, Ulm University

Zero Trust wird als Alternative zu dem klassischen Sicherheitskonzept des Peri- meter Modells bei Netzwerken angesehen, mit der man wichtige und sensible Ressourcen absichern, aber auch für Befugte außerhalb des Netzwerkes zu Ver- fügung stellen kann. Während Zero Trust einige Vorteile durch die Automatisie- rung und konstante Überwachung bietet, sind Sicherheitsfunktionen nicht in die Architektur integriert. Dynamisch erstellte Service Function Chains könnten zur Integration der Funktionen genutzt werden, müssen aber von einer Regelspra- che ausgewählt werden, die konventionell auf Basis statischer Vergleichsdaten entscheidet. Um granulare und aktuelle Entscheidungen zu treffen, wird ein dynamischer Ansatz für die Entscheidung und Daten benötigt, der von einer Re- gelsprache dargestellt werden kann. Aus erarbeiteten Requirements lassen sich existierende Regelsprache auf Eignung für den Anwendungszweck überprüfen. Durch eine Anwendung auf passenden Sprachen lässt sich die grundsätzliche Nutzbarkeit zeigen. Die Beispiele zeigen, dass es für die Grundprobleme schon Lösungsansätze gibt, die für die Nutzung von SFC in Zero Trust geeignet sind. Mit dynamischen Attributen lassen sich Richtlinien nicht nur teilweise einfacher designen, sondern einige Anwendungszecke sind erst dadurch möglich.

8. Analyse von Campus-Netzwerken durch Kombination von Topologie-, Metrik- und Flowdaten

Endrikat, Mattis | 2022 | B.Sc. Thesis | Supervisor: Michael König | Institute of Telematics, Karlsruhe Institute of Technology

Zuverlässige Datennetze sind in der heutigen Welt elementarer Teil der Infrastruktur. Für Überwachung und Management dieser Netze stehen eine Vielzahl verschiedener Datenquellen zur Verfügung. Die Auswertung dieser Datenquellen erfolgt jedoch meist getrennt, wodurch potenzielle Synergien der Quellen nicht genutzt werden können. In dieser Arbeit wurden verschiedene Datenquellen kombiniert ausgewertet, mit dem Ziel neue Erkenntnisse über das untersuchte Netz zu gewinnen. Hierbei wurden auch einige Hürden und Probleme identifiziert. Um die Auswertungen teilweise zu automatisieren, wurde ein Prototyp auf Basis der Erkenntnisse der Arbeit entwickelt.

9. Analyse der Anwendbarkeit von Methoden des Supervised Learning in produktiven Network Monitoring Systemen

Tobias Sackmann | 2022 | M.Sc. Thesis | Supervisor: Georg Eisenhart | Institute of Information Resource Management, Ulm University

10. Towards Open-Loop Congestion Control - Design, Implementation and Evaluation of a Prototyping Framework

Andreas, Ackermann | 2022 | M.Sc. Thesis | Supervisor: Michael König | Institute of Telematics, Karlsruhe Institute of Technology

This thesis contributes a system architecture design for, as well as a prototype implementation of an Open-Loop Congestion Control (OLCC) system, a novel type of congestion control in which a logically centralized controller steers the congestion control behavior of multiple hosts in a network at the same time. The architecture consists of a modified QUIC library, a host-agent running on each system aggregating information from all processes using the library and communicating with the centralized controller to transmit connection metrics as well as receive congestion control parameters from it. Scalability concerns and possible failure modes of such a system are considered, and an interface for OLCC algorithms is designed. A prototype system implementing this architecture is provided, instrumenting the CUBIC congestion controller of the Amazon s2n-quic library, and its functionality is shown in a testbed.

11. Usage of Deep Reinforcement Learning in Open-Loop Congestion Control

Heck, Alexander | 2022 | M.Sc. Thesis | Supervisor: Michael König | Institute of Telematics, Karlsruhe Institute of Technology

The Open-Loop Congestion Control approach can be more performant compared to classical congestion control algorithms. This can be achieved through a real-time monitoring of the network and coordinating the congestion control for multiple senders. Crafting a rule set that derives performant congestion control decisions from the observed network state is hard. Instead, the decision-making could be learned by applying deep reinforcement learning. In this thesis, an Open-Loop Congestion Control system that uses deep reinforcement learning is designed, implemented and evaluated.

12. Erweiterung des Open-Loop Staukontrollkonzepts um lokale Ausweichmechanismen

Becker, Martin | 2022 | B.Sc. Thesis | Supervisor: Michael König | Institute of Telematics, Karlsruhe Institute of Technology

13. Trust Score Calculation in Zero Trust Service Function Chaining-enabled Networks

Knoblauch Steffen | 2022 | M.Sc. Thesis | Supervisor: Bradatsch Leonard | Institute of Distributed Systems, Ulm University

A fundamental part of the access decision in a Zero Trust (ZT) and Zero Trust Service Function Chaining (ZTSFC) network is the trust calculation. In general, a Trust Engine (TE) is responsible for the trust calculation, which provides a trust score for each access decision. However, there is a lack of research in the literature how these trust scores can be calculated. Although there are imple- mentations for ZT networks, such as BeyondCorp, that calculate trust internally, these implementations are not publicly available. In addition to this, there is a lack of research for ZTSFC networks that specifically looks at the trust cal- culation, although there are additional requirements for it, as the trust scores can be increased in a subsequent step. In this thesis, we introduce a TE and a corresponding architecture that uses an addition-based approach to calculate the trust scores for the access decisions in a ZT or a ZTSFC network. For this, we make an analysis of various requirements, such as the attributes that can be used as input for the trust score calculation, and use them to compare different calculation approaches from the literature to determine the most appropriate calculation approach for the TE and the corresponding architecture. The goal of this work is to present a flexible TE capable of calculating trust scores in different ZT and in ZTSFC networks, that can serve as a basis for future research in this area.

14. Implementation of a Web-Based Visualizer for Service Function Chaining Infrastructure

Rupp Charlotte | 2022 | B.Sc. Thesis | Supervisors: Häberle Marco, Steinert Benjamin | Lehrstuhl für Kommunikationsnetze, Universität Tübingen, Fachbereich Informatik

This thesis makes recent technological advancements in Cloud Computing accessible by designing and implementing a visualization system for Service Function Chaining (SFC) infrastructure. The visualized network architecture builds on technologies like Software Defined Networking (SDN), Virtual Network Function (VNF) and SFC. The project is supposed to become part of an application to simplify a SFC orchestrator to a point where it can be used without detailed knowledge about the underlying technical frameworks and processes. The web application and the visualization system are designed to be scalable and modular to ensure future reuse of the work. A flexible and interactive visualizer was implemented using Typescript and the D3.js package and integrated into a full-stack web application. It provides an overview of the network structure by creating a clear, interactive and multilayered network graph visualization from network infrastructure data. The application consists of an Angular frontend with a responsive user interface layout and a Django backend connected via a REST API. This bachelor thesis also offers necessary information on how the implemented visualizer can be used for arbitrary SFC architectures and possible ways to get the infrastructure data. The SFC Infrastructure Visualizer can be used for validating and debugging SFC infrastructure.

15. Finding Large Data Streams in Campus Networks Using Network Flow Analysis

Biebl, Michael | 2022 | B.Sc. Thesis | Supervisors: Michael König, Roland Bless | Institute of Telematics, Karlsruhe Institute of Technology

In our digitalised world there is an ever-growing demand for high-speed and reliable communication. Network monitoring and traffic analysis play a crucial part in ensuring that those demands can be met. They provide the means to identify anomalies, including security and operational issues. The goal is to have networks that are to able to manage, adapt and if needed, defend themselves. In order to do that, such a self-driving network needs to gather information about its current state. One use case which can have an effect on the network is the transfer of large data streams. In this thesis, a system based on Apache Spark has been developed which analyses NetFlow data that is gathered within KITnet and GridKA. It was examined what kind of information can be derived from NetFlow data with a distinct focus on analysing individual flows but also finding patterns in the overall network traffic.

16. Where Can Open-Loop Approach Improve Congestion Control?

Zimmermann, Dennis | 2021 | M.Sc. Thesis | Supervisors: Michael König, Mario Hock | Institute of Telematics, Karlsruhe Institute of Technology

Congestion Control is essential to ensure high network utility. The prevalent connection-oriented transport protocols implement closed-loop congestion control algorithms that derive the state of the network from feedback of the receiver. An open-loop approach assumes that a more holistic view of the network is provided as a basis for decision-making. This thesis examines how an open-loop congestion control system could improve the situation when the closed-loop congestion control algorithms reach their limits. A primary goal is to identify the problems closed-loop congestion control algorithms have and in which situations they manifest. Furthermore, a concept is designed to simulate open-loop behavior without an actual design or implementation of an open-loop congestion control system. Based on the analysis, three hypotheses about improvements that an open-loop congestion control system could bring are formulated and evaluated through several experiments. The evaluation results indicate all three hypotheses to be true.

17. Design and Implementation of an Extensible eBFP-based Proxy for SFC-unaware VNFs

Weiss Michael | 2021 | M.Sc. Thesis | Supervisors: Häberle Marco, Steinert Benjamin | Lehrstuhl für Kommunikationsnetze, Universität Tübingen, Fachbereich Informatik

Service Function Chaining (SFC) is a technology that allows composing complex network services out of basic network functions, like firewalls and load balancers, by chaining them together. With the widespread and still rising use of cloud computing and virtualization, SFC is gaining much attention. Network services are becoming increasingly virtualized to build a highly dynamic, scalable, and cost-effective infrastructure. This is known as network function virtualization (NFV). SFC allows combining such virtualized network functions into an end-to-end network service, even if they are instantiated across multiple clouds. This enables service providers to benefit significantly from virtualized software-defined networking (SDN) infrastructure. SFC requires special encapsulation headers to forward packets through Service Function Chains (SFCs) and optionally transport per-packet metadata. These additional headers are a problem for legacy service functions (SFs) that are SFC-unaware. Large service providers have many such legacy SFs which is a challenge for transitioning to SFC. To support legacy SFs, a so-called SFC proxy can be used. SFC proxies are logical elements that remove and insert SFC encapsulation headers on behalf of SFC-unaware SFs. They allow SFC-aware and -unaware SFs to coexist in an SFC-enabled domain. Various designs for SFC proxies exist. Static SFC proxies require manual configuration and are pretty limited. Dynamic SFC proxies can automatically learn their configuration based on flows through their SFs. None of the existing designs are capable of caching the SFC encapsulation headers on a per-packet basis, but this is required for transporting metadata in the SFC headers. This work presents a design for a fully dynamic SFC proxy that can cache SFC encapsulation headers on a per-packet basis without any manual configuration. A high-performance prototype based on eBPF is implemented for the Linux kernel. This new SFC proxy is integrated into the P4-SFC framework and evaluated against the currently used static SFC proxy.

18. Comprehensive Evaluation of Existing Policy Enforcement Point Solutions

Schaedler Tanaro | 2021 | B.Sc. Thesis | Supervisor: Bradatsch Leonard | Institute of Distributed Systems, Ulm University

In this Thesis, we evaluated six open-source zero-trust solutions regarding the principles of zero-trust security. There are several papers discussing how zero- trust security supersedes perimeter security and what aspects of security have to be fulfilled. However, there has not been any scientific evaluation and comparison of open-source Policy Enforcement Points. Therefore, we derived a checklist based on the security principles and researched the documentation as well as an installed version about which of these goals the software solutions meet. In this evaluation and the following comparison and discussion, we discovered that secure authentication and authorization are included in the majority of test subjects, while risk-based authorization and automatic response to incidents are not currently focused on by them.

19. Optimization of mobile network access through the parallel use of multiple paths

Brummer Philipp | 2021 | M.Sc. Thesis | Supervisor: Prof. Dr. Oliver Waldhorst | Faculty of Computer Science and Business Information Systems, Karlsruhe University of Applied Science

Mobile devices, such as phones and laptops, provide access to digital content to enhance the teaching experience at universities. They provide students with a platform supporting the use of audiovisual teaching materials, such as slides, videos, questionnaires, Virtual Reality environments and other types of interactive media. These devices can establish multiple wireless network links, such as WiFi and cellular, to download or stream data from the respective services. However, in most conventional scenarios, only one of these physical connections is used at any one time. With the Transmission Control Protocol (TCP) not allowing for the concurrent use of multiple paths by a single TCP connection, Multipath TCP (MPTCP) was designed to facilitate the sending of packets belonging to the same TCP connection over multiple physical connections. With Multipath TCP finding its way into the mainline Linux kernel and Android’s Project Mainline aiming to provide a current kernel version for mobile devices, the number of devices supporting Multipath TCP can be assumed to grow significantly. This work evaluates various options to leverage the technology on its own, and in combination with Software Defined Networking, to improve quality of service for both bandwidth-intensive content delivery services and latency-sensitive services and compares their viability in a university classroom environment. The findings presented show, that Multipath TCP can lead to improved quality of service compared to single-path TCP, especially for bandwidth-intensive services. Additionally, this work proposes solutions to achieve improved quality of service for latencysensitive services as well, without sacrificing the additional bandwidth available through the combination of multiple network paths.

20. Applying Machine Learning Approaches to Anomaly Detection in Research Network

Gui Yuan | 2020 | M.Sc. Thesis | Supervisor: Bradatsch Leonard | Institute of Distributed Systems, Ulm University

We aim to evaluate multiple supervised and unsupervised machine learning methods in the field of network anomaly detection with recent flow-based traffic data from research networks. Most related work has been done but struggles to reflect modern network environment due to outdated benchmark datasets such as KDD CUP 99 and NSL-KDD. In the following, we evaluate and compare methods such as Multilayer Perceptron (MLP), Convolutional Neural Network (CNN) and One Class Support Vector Machine(OCSVM) algorithms on a up- to-date dataset Kyoto2006+, during which multiple data preprocess methods are presented. We find that neural networks perform better with regard to the accuracy measures (precision and recall) and time (training time and test time). However, they require labelled data and struggle with identifying unknown anomalies. Here, an unsupervised method such as OCSVM may prove more practical.

21. A Demonstrator for P4-SFC-Based Firewall-as-a-Service with Self-Service Portal Control

Steinert Benjamin | 2020 | M.Sc. Thesis | Supervisor: Häberle Marco | Lehrstuhl für Kommunikationsnetze, Universität Tübingen, Fachbereich Informatik

This thesis combines recent technology advancements in the areas of Software-Defined Networking (SDN), Network Function Virtualization (NFV), and Service Function Chaining (SFC) to implement the concept of Firewall-as-a-Service (FWaaS). By leveraging the P4-SFC architecture, a cloud-like system is established that allows end-to-end network service provisioning on-demand. The presented demonstrator features a web-based self-service portal, an SFC-orchestrator, and a P4-based SDN-controller together with a P4 data plane implementation suitable for service function chaining. Thereby the management of network services can be done via the self-service portal and is highly automated via the orchestrator. The presented solution supports not only firewalls but arbitrary virtual network functions.

22. Source Based Routing on Programmable Ethernet Switch Infrastructure

Ahmed Maher | 2020 | M.Sc. Thesis | Supervisor: Georg Eisenhart | Institute of Information Resource Management, Ulm University