Author Search Result

[Author] Shoichi SAITO(3hit)

1-3hit
  • Design of Enclosing Signing Keys by All Issuers in Distributed Public Key Certificate-Issuing Infrastructure

    Shohei KAKEI  Hiroaki SEKO  Yoshiaki SHIRAISHI  Shoichi SAITO  

     
    LETTER

    Publicized: 2023/05/25
    Vol: E106-D No:9
    Page(s): 1495-1498

    This paper first takes IoT as an example to provide the motivation for eliminating the single point of trust (SPOT) in a CA-based private PKI. It then describes a distributed public key certificate-issuing infrastructure that eliminates the SPOT and its limitation derived from generating signing keys. Finally, it proposes a method to address its limitation by all certificate issuers.

  • A Software Approach of Controlling the CPU Resource Assignment in Network Virtualization

    Shin MURAMATSU  Ryota KAWASHIMA  Shoichi SAITO  Hiroshi MATSUO  Hiroki NAKAYAMA  Tsunemasa HAYASHI  

     
    PAPER

    Vol: E98-B No:11
    Page(s): 2171-2179

    Many public cloud datacenters have adopted the Edge-Overlay model which supports virtual switch-based network virtualization using IP tunneling. However, software-implemented virtual switches can cause performance degradation because the packet processing load can concentrate on a particular CPU core. As a result, such load concentration decreases and destabilizes the performance of virtual networks. Although multi-queue functions like Receive Side Scaling (RSS) can distribute the load onto multiple CPU cores, they still have performance problems such as IRQ core collision between priority flows as well as competitive resource use between host and guest machines for received packet processing. In this paper, we propose Virtual Switch Extension (VSE) that adaptively determines CPU core assignment for SoftIRQ to prevent performance degradation. VSE supports two types of SoftIRQ core selection mechanisms, on-the-fly or predetermined. In the on-the-fly mode, VSE selects a SoftIRQ core based on current CPU load to exploit low-loaded CPU resources. In the predetermined mode, SoftIRQ cores are assigned in advance to differentiate the performance of priority flows. This paper describes a basic architecture and implementation of VSE and how VSE assigns SoftIRQ cores. Moreover, we evaluate fundamental throughput of various CPU assignment models in the predetermined mode. Finally, we evaluate the performance of a priority VM in two VM usecases, the client-usecase which is receive-oriented and the router-usecase which performs bi-directional communications. In the client-usecase, the throughput of the priority VM was improved by 31% compared with RSS when the priority VM had one dedicated core. In the router-usecase, the throughput was improved by 29% when three dedicated cores were provided for the VM.

  • Firewall Traversal Method by Pseudo-TCP Encapsulation

    Keigo TAGA  Junjun ZHENG  Koichi MOURI  Shoichi SAITO  Eiji TAKIMOTO  

     
    PAPER-Information Network

    Publicized: 2021/09/29
    Vol: E105-D No:1
    Page(s): 105-115

    A wide range of communication protocols has recently been developed to address service diversification. At the same time, firewalls (FWs) are installed at the boundaries between internal networks, such as those owned by companies and homes, and the Internet. In general, FWs are configured as whitelists and release only the port corresponding to the service to be used and block communication from other ports. In a previous study, we proposed a method for traversing a FW and enabling communication by inserting a pseudo-transmission control protocol (TCP) header imitating HTTPS into a packet, which normally would be blocked by the FW. In that study, we confirmed the efficiency of the proposed method via its implementation and experiments. Even though common encapsulating techniques work on end-nodes, the previous implementation worked on the relay node assuming a router. Further, middleboxes, which overwrite L3 and L4 headers on the Internet, need to be taken into consideration. Accordingly, we re-implemented the proposed method into an end-node and added a feature countering a typical middlebox, i.e., NAPT, into our implementation. In this paper, we describe the functional confirmation and performance evaluations of both versions of the proposed method.