
Author Search Result

[Author] Yoshiaki HORI (15 hits)
  • Development of Single Sign-On System with Hardware Token and Key Management Server

    Daiki NOBAYASHI, Yutaka NAKAMURA, Takeshi IKENAGA, Yoshiaki HORI
    PAPER-Authentication and Authorization Techniques
    Vol: E92-D No:5, Page(s): 826-835

    With the growth of the Internet, various types of services are rapidly expanding; such services include the World Wide Web (WWW), the File Transfer Protocol (FTP), and remote login. Consequently, managing authentication information, e.g., user ID/password pairs, keys, and certificates, is difficult for users, since the amount of required authentication information has increased. To address this problem, researchers have developed Single Sign-On (SSO) systems that make all services available to a user via a one-time authentication; however, existing authentication systems cannot provide such SSO services for all kinds of services on the Internet, even if the service provider deploys the SSO server. Further, existing systems also cannot provide an SSO service that keeps the user unaware of network domains in a secure network environment. Therefore, in this paper, we propose a new SSO system with a hardware token and a key management server to improve the safety, ubiquity, and adaptability of services. Further, we implement the proposed system and show its effectiveness through evaluation. Adding functions to this system provides various conveniences. We also explore the ability to add functions to this system; for example, we add high-trust connection functionality for a Web server and show its effectiveness.

  • Precondition of a Routing Algorithm Dealing with Multiple Security Metrics

    Atsufumi MORIYAMA, Hiroshi ISHINISHI, Katsuichi NAKAMURA, Yoshiaki HORI
    LETTER
    Vol: E94-B No:6, Page(s): 1625-1629

    In routing, we usually use OSPF with Dijkstra or RIP with Bellman-Ford, but they can only treat the single-metric routing problem. With multiple metrics, we would use the weighted average of the metrics or techniques from operations research, but they are not suitable for routing because they lack validity and simplicity. Here, we propose a routing algorithm to deal with the three security metrics proposed by I. A. Almerhag and M. E. Woodward, and show an example routing policy. In addition, we study the constraints of the metrics and the routing policies, and arrive at the precondition of the proposed routing algorithm.

  • Queue Management of RIO to Achieve High Throughput and Low Delay

    Yoshiaki HORI, Takeshi IKENAGA, Yuji OIE
    PAPER
    Vol: E85-B No:1, Page(s): 63-69

    We have focused on the RIO queueing mechanism in the statistical bandwidth allocation service, which uses AF-PHB. We have studied the parameterization of RIO to achieve both high throughput and low delay. We were able to parameterize RIO for that purpose in terms of both min_th and max_p used in dropping OUT packets. Furthermore, we have also examined the parameterization regarding the EWMA (Exponentially Weighted Moving Average), i.e., the weight factor w_q,out, and have shown that dropping OUT packets should depend upon the queue length without much delay, unlike in RED. From our simulation results, we could see that our parameterization provided high throughput performance and also limited the queue length to a narrow range more effectively.

  • Quality of Assured Service through Multiple DiffServ Domains

    Kazumi KUMAZOE, Yoshiaki HORI, Takeshi IKENAGA, Yuji OIE
    PAPER
    Vol: E85-D No:8, Page(s): 1226-1232

    Differentiated Service (DiffServ) is a technology designed to provide Quality of Service (QoS) in the Internet, and is superior to Integrated Service (IntServ) technology with respect to the simplicity of its architecture and the scalability of networks. Although various simulation studies and estimations over testbeds have investigated the QoS that is offered via the DiffServ framework, almost all of them focused on the characteristics in a single DiffServ domain. However, the Internet is actually composed of a large number of AS domains, and thus packets are very likely to arrive at their destinations after going through many different domains. Therefore, we have analyzed the QoS performance in a model consisting of multiple DiffServ domains, and focused especially on the quality provided by the Assured Forwarding Service (AF) to achieve statistical bandwidth allocation with AF-PHB. Our simulation results show some throughput characteristics of flows over multiple DiffServ domains, which clarify how network configurations impact the QoS over multiple DiffServ domains.

  • Transport Layer Mobility Management across Heterogeneous Wireless Access Networks

    Kazuya TSUKAMOTO, Yoshiaki HORI, Yuji OIE
    PAPER-Network
    Vol: E90-B No:5, Page(s): 1122-1131

    A transport layer mobility management scheme for handling seamless handoffs between appropriate networks is presented. The future mobile environment will be characterized by multimodal connectivity with dynamic switching. Many technologies have been proposed to support host mobility across diverse wireless networks, and they operate in various layers of the network architecture. Our major focus is on the transport protocol that recovers packets lost during handoffs and controls transmission speed to achieve efficient communication. The majority of the existing technologies can maintain the connection by updating the information of a single connection around a handoff. Moreover, none of the studies extensively examine the handoff latencies or focus on how an appropriate network is selected during the handoff. In this paper, we first extensively investigate the various handoff latencies and discuss the limited performance of existing technologies based on the single connection. We then propose a new scheme that resolves these problems through a transport protocol enabling the adaptive selection of an appropriate interface, based on communication conditions, among all available interfaces. Finally, we demonstrate that the proposed scheme promptly and reliably selects the appropriate interface, and achieves excellent goodput performance compared with the existing technologies.

  • Analysis of Existing Privacy-Preserving Protocols in Domain Name System

    Fangming ZHAO, Yoshiaki HORI, Kouichi SAKURAI
    INVITED PAPER
    Vol: E93-D No:5, Page(s): 1031-1043

    In a society preoccupied with the gradual erosion of electronic privacy, the loss of privacy in the current Domain Name System is an important issue worth considering. In this paper, we first review the DNS and some security and privacy threats to make average users begin to be concerned about the significance of privacy preservation in DNS protocols. Then, by a careful survey of four existing privacy protection approaches based on noise query generation, we analyze some benefits and limitations of these proposals in terms of both related performance evaluation results and theoretical proofs. Finally, we point out some problems that still remain for the research community's continuing efforts in the future.

  • Performance Evaluation of UDP Traffic Affected by TCP Flows

    Yoshiaki HORI, Hidenari SAWASHIMA, Hideki SUNAHARA, Yuji OIE
    PAPER-Transport Protocols
    Vol: E81-B No:8, Page(s): 1616-1623

    On wide area networks (WANs), UDP has commonly been used for real-time applications, such as video and audio. UDP supplies minimized transmission delay by omitting the connection setup process, flow control, and retransmission. Meanwhile, more than 80 percent of WAN resources are occupied by Transmission Control Protocol (TCP) traffic. As opposed to UDP's simplicity, TCP adopts a unique flow control mechanism with sliding windows. Hence, the quality of service (QoS) of real-time applications using UDP is affected by TCP traffic and its flow control mechanism whenever TCP and UDP share a bottleneck node. In this paper, the characteristics of UDP packet loss are investigated through simulations of WANs conveying UDP and TCP traffic simultaneously. In particular, the effects of TCP flow control on the packet loss of real-time audio are examined to discover how real-time audio should be transmitted with the minimum packet loss while it is competing with TCP traffic for the bandwidth. The result obtained was that UDP packet loss occurs more often and successively when the congestion windows of TCP connections are synchronized. Especially in this case, the best performance of real-time audio applications can be obtained when they send small-sized packets without reducing their transmission rates.

  • Towards a Fairness Multimedia Transmission Using Layered-Based Multicast Protocol

    Heru SUKOCO, Yoshiaki HORI, Hendrawan, Kouichi SAKURAI
    PAPER
    Vol: E93-D No:11, Page(s): 2953-2961

    The distribution of streaming multicast and real-time audio/video applications in the Internet has quickly increased. Commonly, these applications rarely use congestion control and do not fairly share the provided network capacity with TCP-based applications such as HTTP, FTP and email. Therefore, Internet communities will be threatened by the increase of non-TCP-based applications, which are likely to cause a significant increase in traffic congestion and starvation. This paper proposes a set of mechanisms, such as providing various data rates, background traffic, and various scenarios, to behave in a TCP-friendly manner when sending multicast traffic. Using 8 simulation scenarios, we use 6 layered multicast transmissions with Pareto background traffic with shape factor 1.5 to evaluate performance metrics such as throughput, delay/latency, jitter, TCP friendliness, packet loss ratio, and convergence time. Our study shows that non-TCP traffic behaves fairly and respectfully toward the co-existing TCP-based applications that run on shared link transmissions, even with background traffic. Another result shows that the simulation has low values of throughput, varying jitter (0-10 ms), and a packet loss ratio > 3%. It was also difficult to reach convergence quickly when only non-TCP traffic was involved.

  • A Security Analysis on Kempf-Koodli's Security Scheme for Fast Mobile IPv6

    Ilsun YOU, Kouichi SAKURAI, Yoshiaki HORI
    LETTER-Internet
    Vol: E92-B No:6, Page(s): 2287-2290

    Recently, the security scheme proposed by Kempf and Koodli has been adopted as a security standard for Fast Handover for Mobile IPv6. However, it does not prevent denial of service attacks, while also incurring a high computation cost. More importantly, we find that it is still vulnerable to redirection attacks because it fails to secure the Unsolicited Neighbor Advertisement messages. In this paper, Kempf-Koodli's scheme is formally analyzed through BAN-logic and its weaknesses are demonstrated.

  • Performance Comparison of TCP Implementations in QoS Provisioning Networks

    Hiroyuki KOGA, Yoshiaki HORI, Yuji OIE
    PAPER
    Vol: E84-B No:6, Page(s): 1473-1479

    Over the future Internet, real-time communication generating traffic such as CBR (Constant Bit Rate) will be widespread, whereas the current Internet has so far no ability to provide QoS (Quality of Service) assurance for real-time communication. In QoS networks, CBR traffic will have priority, because of its stringent QoS requirements, over non-real-time traffic such as TCP connections, which use the bandwidth left unused by CBR connections. Therefore, there is a possibility that CBR traffic with priority causes TCP throughput degradation in QoS networks. For this reason, the performance of Tahoe TCP has been examined in that context, but other TCP variants such as Reno TCP, NewReno TCP and TCP with the SACK option, which are now very common, have not yet been investigated clearly. In the present research, we clarify how these TCP variants behave in QoS networks by means of simulations and compare their performance. From the results, SACK TCP can adapt very well to the changing available bandwidth and is very robust against the fluctuation, i.e., burstiness, of the CBR packet arrival process.

  • An Enhanced Security Protocol for Fast Mobile IPv6

    Ilsun YOU, Kouichi SAKURAI, Yoshiaki HORI
    LETTER-DRM and Security
    Vol: E92-D No:10, Page(s): 1979-1982

    Recently, Kempf and Koodli have proposed a security protocol for Fast Mobile IPv6 (FMIPv6). Through the SEcure Neighbor Discovery (SEND) protocol, it achieves secure distribution of a handover key, and consequently has become a security standard for FMIPv6. However, it is still vulnerable to redirection attacks. In addition, due to the SEND protocol, it suffers from denial of service attacks and expensive computational cost. In this paper, we present a security protocol that enhances Kempf-Koodli's protocol with the help of the AAA infrastructure.

  • New TCP Congestion Control Schemes for Multimodal Mobile Hosts

    Kazuya TSUKAMOTO, Yutaka FUKUDA, Yoshiaki HORI, Yuji OIE
    PAPER-Terrestrial Radio Communications
    Vol: E89-B No:6, Page(s): 1825-1836

    Two congestion control schemes designed specifically to handle changes in the datalink interface of a mobile host are presented. The future mobile environment is expected to involve multimode connectivity to the Internet and dynamic switching of the connection mode depending on network conditions. The conventional Transmission Control Protocol (TCP), however, is unable to maintain stable and efficient throughput across such interface changes. The two main issues are the handling of the change in the host's Internet Protocol (IP) address, and the reliability and continuity of the TCP flow when the datalink interface changes. Although existing architectures addressing the first issue have already been proposed, the problem of congestion control remains. In this paper, considering the large change in bandwidth when the datalink interface changes, two new schemes to address these issues are proposed. The first scheme, Immediate Expiration of Timeout Timer, detects interface changes and begins retransmission immediately without waiting for a retransmission timeout as in existing architectures. The second scheme, Bandwidth-Aware Slow Start Threshold, detects the interface change and estimates the new bandwidth so as to set an appropriate slow start threshold for retransmission. Through simulations, the proposed schemes are demonstrated to provide marked improvements in performance over existing architectures.

  • ESS-FH: Enhanced Security Scheme for Fast Handover in Hierarchical Mobile IPv6

    Ilsun YOU, Jong-Hyouk LEE, Kouichi SAKURAI, Yoshiaki HORI
    PAPER
    Vol: E93-D No:5, Page(s): 1096-1105

    Fast Handover for Hierarchical Mobile IPv6 (F-HMIPv6), which combines the advantages of Fast Handover for Mobile IPv6 (FMIPv6) and Hierarchical Mobile IPv6 (HMIPv6), achieves superior performance in terms of handover latency and signaling overhead compared with previously developed mobility protocols. However, without being secured, F-HMIPv6 is vulnerable to various security threats. In 2007, Kang and Park proposed a security scheme that is seamlessly integrated into F-HMIPv6. In this paper, we reveal that Kang-Park's scheme cannot defend against Denial of Service (DoS) and redirect attacks while relying largely on the group key. Then, we propose an Enhanced Security Scheme for F-HMIPv6 (ESS-FH) that achieves strong key exchange and key independence, as well as addressing the weaknesses of Kang-Park's scheme. More importantly, it enables fast handover between different MAP domains. The proposed scheme is formally verified based on BAN-logic, and its handover latency is analyzed and compared with that of Kang-Park's scheme.

  • Reliable Key Distribution Scheme for Lossy Channels

    Ryuzou NISHI, Yoshiaki HORI, Kouichi SAKURAI
    LETTER-Key Management
    Vol: E91-D No:5, Page(s): 1485-1488

    We address a reliable key distribution scheme for lossy channels such as wireless or power line. In key distribution over these lossy channels, if key information is lost, there is a critical issue that the subsequent communication is disabled. In this paper, we show that our proposal is more reliable than the related works and has reliability equivalent to that of dedicated communication channels such as Ethernet.

  • Toward a Scalable Visualization System for Network Traffic Monitoring

    Erwan LE MALECOT, Masayoshi KOHARA, Yoshiaki HORI, Kouichi SAKURAI
    PAPER-Network Security
    Vol: E91-D No:5, Page(s): 1300-1310

    With the multiplication of attacks against computer networks, system administrators are required to carefully monitor the traffic exchanged by the networks they manage. However, that monitoring task is increasingly laborious because of the growth in the amount of data to analyze. And that trend is going to intensify with the explosion of the number of devices connected to computer networks along with the global rise of the available network bandwidth. So system administrators now heavily rely on automated tools to assist them and simplify the analysis of the data. Yet, these tools provide limited support and, most of the time, require highly skilled operators. Recently, some research teams have started to study the application of visualization techniques to the analysis of network traffic data. We believe that this original approach can also allow system administrators to deal with the large amount of data they have to process. In this paper, we introduce a tool for network traffic monitoring using visualization techniques that we developed in order to assist the system administrators of our corporate network. We explain how we designed the tool and some of the choices we made regarding the visualization techniques to use. The resulting tool proposes two linked representations of the network traffic and activity, one in 2D and the other in 3D. As 2D and 3D visualization techniques have different assets, we combined them in our tool to take advantage of their complementarity. We finally tested our tool in order to evaluate the accuracy of our approach.