Hui WANG Yuichi NISHIDA Yukinobu FUKUSHIMA Tokumi YOKOHIRA Zhen WU
To improve TCP throughput even if the maximum receiving window size is small, a TCP performance enhancing proxy (PEP) using a UDP-like packet sending policy with error control has been proposed. The PEP operates on a router along a TCP connection. When the PEP receives a data packet from the source host, it transmits the packet to the destination host, copies the packet into the local buffer (PEP buffer) in case the packet needs to be retransmitted, and sends a premature ACK acknowledging receipt of the packet to the source host. In the PEP, the number of prematurely acknowledged packets in the PEP buffer is limited to a fixed threshold (watermark) value to avoid network congestion. Although the watermark value should be adjusted to changes in the network conditions, watermark adjusting algorithms have not been investigated. In this paper, we propose a watermark adjusting algorithm whose goal is to maximize the throughput of each connection as much as possible without excessively suppressing the throughputs of the other connections. In our proposed algorithm, a newly established connection uses an initial watermark value of zero to avoid drastic network congestion and increases the value as long as its throughput increases. In addition, when a new connection is established, every already-established connection halves its watermark value to allow the newly established connection to use some portion of the bandwidth, and increases it again as long as its throughput increases. We compare the proposed algorithm (CW method) with other methods: the FW method, which uses a fixed large watermark value, and the NP method, which does not use the PEP. Numerical results with respect to throughput and fairness show that the CW method is generally superior to the other two methods.
Kwang-Ryoul KIM Hyo-Beom LEE Hyon-Young CHOI Sung-Gi MIN Youn-Hee HAN
Proxy Mobile IPv6 (PMIPv6) is proposed as a new network-based local mobility protocol which does not involve the Mobile Node (MN) in mobility management. PMIPv6, which uses link-layer attachment information, reduces the movement detection time and eliminates duplicate address detection procedures in order to provide faster handover than Mobile IPv6 (MIPv6). To eliminate packet loss during the handover period, the Local Mobility Anchor (LMA) buffering scheme is proposed. In this scheme, the LMA buffers packets lost between the Mobile Access Gateway (MAG) and the MN during the handover and recovers them after handover. A new Automatic Repeat reQuest (ARQ) handler is defined which efficiently manages the LMA buffer. The ARQ handler relays the ARQ result between the MAG and the MN to the LMA. The LMA removes any buffered packets which have been successfully delivered to the MN. The ARQ handler recovers the packets lost during the handover using the packets buffered in the LMA. The ARQ information between the MAG and the LMA is inserted in the outer header of the IP-in-IP encapsulated packets of a standard PMIPv6 tunnel. Since the proposed scheme simply adds information to the standard operation of an IP-in-IP tunnel between the LMA and the MAG, it can be implemented seamlessly without modification to the original PMIPv6 messages and signaling sequence. Unlike other Fast Handovers for Mobile IPv6 (FMIPv6) based enhancements for PMIPv6, the proposed scheme does not require any handover-related information before the actual handover.
Lihua WANG Licheng WANG Masahiro MAMBO Eiji OKAMOTO
Proxy cryptosystems are classified into proxy decryption systems and proxy re-encryption systems on the basis of the proxy's role. In this paper, we propose an ID-based proxy cryptosystem with revocability and hierarchical confidentialities. In our scheme, on receiving a ciphertext, the proxy has the right to perform one of the following three tasks according to the message confidentiality level intended by the sender: (1) to decrypt the ciphertext on behalf of the original decryptor; (2) to re-encrypt the ciphertext such that another user designated by the original decryptor can learn the message; (3) to do nothing except forward the ciphertext to the original decryptor. Our scheme supports revocability in the sense that it allows the proxy's decryption and re-encryption rights to be revoked even during the valid period of the proxy key without changing the original decryptor's public information. We prove that our proposal is indistinguishable against chosen identity and plaintext attacks in the standard model. We also show how to convert it into a system secure against chosen identity and ciphertext attacks by using the Fujisaki-Okamoto transformation.
Ahmad Kamil ABDUL HAMID Yoshihiro KAWAHARA Tohru ASAMI
In this paper, we propose an SNMP-aware web cache design that has two main objectives: (1) to avoid overloading network devices with SNMP requests, and (2) to guarantee the monitoring time granularity of SNMP Object Identifiers (OIDs) for a large-scale network such as the Internet. To meet these objectives, a cache is built into a RESTful active proxy, called Tambourine, which is the gateway for accessing management information through the Internet. Tambourine changes the landscape of traditional SNMP monitoring by allowing Internet users to monitor closed-domain network devices by translating HTTP requests into SNMP. However, a typical web cache algorithm cannot be used in Tambourine for two main reasons: (1) SNMP is not a cache-aware protocol and therefore cannot provide Tambourine with the caching rules that need to be applied, and (2) the cache in Tambourine needs to accommodate two SNMP monitoring patterns: periodic and on-demand polling. For efficient periodic polling, SNMP traffic is reduced by a multi-TTL cache and user (or Manager)-side aggregation. For efficient on-demand polling, a four-state transition is used to categorize OIDs into dynamic and static objects, each of which is allocated an optimum TTL. To provide users with a proper time stamp, the cache time stamp is included in the response to the user's request. Our experiments show that our cache design gives a staleness of 0 and a bounded number of SNMP requests even as the number of user requests goes to infinity.
Keita EMURA Atsuko MIYAJI Kazumasa OMOTE
Timed-Release Encryption (TRE) is a kind of time-dependent encryption, where the time of decryption can be controlled. More precisely, TRE prevents even a legitimate recipient from decrypting a ciphertext before a semi-trusted Time Server (TS) sends the trapdoor sT assigned to a release time T of the encryptor's choice. Cathalo et al. (ICICS2005) and Chalkias et al. (ESORICS2007) have already considered encrypting a message intended for multiple recipients with the same release time. One drawback of these schemes is that the ciphertext size and computational complexity depend on the number of recipients N. Ideally, no factor (ciphertext size, computational complexity of encryption/decryption, and public/secret key size) should depend on N. In this paper, to achieve TRE with such fully constant costs from the encryptor's/decryptor's point of view, by borrowing the technique of Proxy Re-Encryption (PRE), we propose a cryptosystem in which the release time remains effective even if the proxy transformation is applied to a TRE ciphertext. By sending a TRE ciphertext to the proxy, an encryptor can offload the N-dependent computation costs onto the proxy. We call this cryptosystem Timed-Release PRE (TR-PRE). This function can be applied to efficient multicast communication with a release time indication.
Heeyoung JUNG Moneeb GOHAR Ji-In KIM Seok-Joo KOH
In future mobile networks, the ever-increasing loads imposed by mobile Internet traffic will force the network architecture to change from a hierarchical to a flat structure. Most of the existing mobility protocols are based on a centralized mobility anchor, which processes all control and data traffic. In a flat network architecture, however, the centralized mobility scheme has some limitations, such as unwanted traffic flowing into the core network, service degradation due to a single point of failure, and increased operational costs. This paper proposes mobility schemes for distributed mobility control in the flat network architecture. Based on Proxy Mobile IPv6 (PMIP), which is a well-known mobility protocol, we propose three mobility schemes: Signal-driven PMIP (S-PMIP), Data-driven Distributed PMIP (DD-PMIP), and Signal-driven Distributed PMIP (SD-PMIP). By numerical analysis, we show that the proposed distributed mobility schemes can give better performance than the existing centralized scheme in terms of binding update and packet delivery costs, and that SD-PMIP provides the best performance among the proposed distributed schemes.
In proxy re-encryption schemes, a semi-trusted entity called a proxy can convert a ciphertext encrypted for Alice into a new ciphertext for Bob without seeing the underlying plaintext. Several proxy re-encryption schemes have been proposed; however, only two schemes which enable the conversion of IBE ciphertexts to PKE ciphertexts have been proposed. One of these schemes has drawbacks: the size of the re-encrypted ciphertext increases, and Bob must be aware of the existence of the proxy, which means Bob cannot decrypt a re-encrypted ciphertext with the same PKE decryption algorithm. The other one achieves security only under the selective-ID model. We propose a new, efficient scheme that enables the conversion of IBE ciphertexts to PKE ciphertexts, and prove full-ID CPA security in the standard model. In our scheme, the size of the re-encrypted ciphertext is optimal and Bob need not be aware of the existence of the proxy. As far as we know, this is the first IBE-PKE type scheme that holds the above properties.
Jegyun NA Seonggeun RYU Kyunghye LEE Youngsong MUN
In PMIPv6, all packets sent by mobile nodes or correspondent nodes are transferred through the local mobility anchor. This unnecessary detour results in high delivery latency and significant processing cost. Several PMIPv6 route optimization schemes have been proposed to solve this issue. However, they also suffer from high signaling costs when determining the optimized path. The proposed scheme, which adopts the prediction algorithm of PFMIPv6, can reduce the signaling costs of the previous schemes. An analytical performance evaluation is performed to show the effectiveness of the proposed scheme.
Soochang PARK Euisin LEE Min-Sook JIN Sang-Ha KIM
In Proxy Mobile IPv6 (PMIPv6), when a Mobile Node (MN) enters a PMIPv6 domain and attaches to an access link, the router on the access link detects the attachment of the MN through the link-layer access. All elements of PMIPv6, including the router, then provide network-based mobility management service for the MN. If the MN moves to another router in the same PMIPv6 domain, the new router emulates attachment to the previous router by providing the same network prefix to the MN. In other words, PMIPv6 provides rapid mobility management based on layer-2 attachment and transparent mobility support to the MN by emulating layer-3 attachment for intra-domain roaming. However, when the MN moves to another PMIPv6 domain, even though that domain also provides the network-based mobility management service, the MN must fall back on the host-based mobility management protocol, i.e. Mobile IPv6 (MIPv6), for the inter-domain roaming. Hence, this letter proposes a rapid and transparent inter-domain roaming mechanism controlled by the networks adopting PMIPv6.
Jihoon LEE Seungwoo JEON Jaehoon KIM
A multi-hop Wireless LAN-based mesh network (WMN) provides high capacity and self-configuring capabilities. Because data forwarding and path selection are based on MAC addresses, a WMN requires additional operations to achieve global connectivity using IPv6 addresses. The neighbor discovery operation over WLAN mesh networks requires repeated all-node broadcasting, which places a heavy burden on the entire mesh network. In this letter, we propose a proxy neighbor discovery scheme for optimized IPv6 communication over WMNs to reduce network overhead and communication latency. Using simulation experiments, we show that the control overhead and communication setup latency can be significantly reduced using the proxy-based neighbor discovery mechanism.
Seil JEON Namhi KANG Younghan KIM
Proxy Mobile IPv6 (PMIPv6) has been proposed in order to overcome the limitations of host-based mobility management in IPv6 networks. However, packet losses during handover are still a problem. To solve this issue, several schemes have been developed, and they can be classified into two approaches: predictive and reactive handover. Both approaches commonly use a bi-directional tunnel between mobile access gateways (MAGs). In predictive schemes especially, mobility support for a mobile node (MN) is triggered by a simplified link signal strength measure. Thereafter, the MN sends a handover notification to its serving MAG, which is then able to initiate packet forwarding. Therefore, if the MN moves toward an unexpected MAG that does not have any pre-established tunnel with the serving MAG, packet losses may result. In this paper, we define this problem as Early Packet Forwarding (EPF). As a solution, we propose an enhanced PMIPv6 scheme using two-phase tunnel control based on the IEEE 802.21 Media Independent Handover (MIH).
To enable fine-grained delegation for proxy re-encryption systems, in AsiaCCS'09, Weng et al. introduced the concept of conditional proxy re-encryption (C-PRE), in which the proxy can convert a ciphertext only if a specified condition is satisfied. Weng et al. also proposed a C-PRE scheme, and claimed that their scheme is secure against chosen-ciphertext attack (CCA). In this paper, we show that their scheme is not CCA-secure under their own security model.
Choonhwa LEE Sunghoon KO Eunsam KIM Wonjun LEE
This letter describes combining OSGi and Web Services in service composition. According to our approach, a composite service is described in WS-BPEL. Each component service in the description may be resolved to either an OSGi service or Web Service at runtime. The proposal can overcome current limitations with OSGi technology in terms of its geographical coverage and candidate service population available for service composition.
Seil JEON Namhi KANG Younghan KIM Wonsik YOON
Packet delivery in Proxy Mobile IPv6 (PMIPv6) relies on an anchor node called the LMA. All packets sent by a source node reach the receiver node via the LMA, even when the two nodes are attached to the same MAG. In some scenarios, PMIPv6 results in high delivery latency and processing costs due to this unnecessary detour. To address this issue, several PMIPv6 route optimization schemes have been proposed. However, high signaling costs and excessive delays remain when handover is performed. For this reason, we propose an enhanced PMIPv6 route optimization (EPRO) scheme. In addition, we analyze the performance of EPRO. Analytical results indicate that EPRO outperforms previous schemes in terms of signaling overhead and handover latency.
Yang LI Dong-Won KUM Ju-Eun KANG You-Ze CHO
This paper analyzes the limitations of the multihoming support in the Proxy Mobile IPv6 protocol, then proposes an enhanced multihoming support scheme based on a per-interface address configuration method. The proposed scheme can provide more flexible multihoming support and also maintain application session continuity during a handoff between two interfaces by using IPv6 extension headers. In addition, flow distribution with filters is used to realize the advantages of multihoming. Simulation results with OPNET validate the proposed multihoming support scheme for convergent networks.
Yuichi OHSITA Shingo ATA Masayuki MURATA
Distributed denial-of-service attacks on public servers have recently become more serious. Most of them are SYN flood attacks, since malicious attackers can easily exploit the TCP specification to generate traffic that makes public servers unavailable. We need a defense method which can protect legitimate traffic so that end users can connect to the target servers during such attacks. In this paper, we propose a new framework, in which all of the TCP connections to the victim servers from a domain are maintained at the gateways of the domain (i.e., near the clients). We call the nodes maintaining the TCP connections defense nodes. The defense nodes check whether arriving packets are legitimate or not by maintaining the TCP connection. That is, the defense nodes answer received connection request packets with reply packets on behalf of the server and identify legitimate packets by checking whether the clients respond to those reply packets. Then, only the identified traffic is relayed via overlay networks. As a result, by deploying the defense nodes at the gateways of a domain, the legitimate packets from the domain are relayed apart from other packets, including attack packets, and are thereby protected. Our simulation results show that our method can protect legitimate traffic from the domain deploying our method. We also describe the deployment scenario of our defense mechanism.
In a proxy multi-signature scheme, a designated proxy signer can generate a signature on behalf of a group of original signers. Recently, Wang and Cao proposed an identity-based proxy multi-signature scheme along with a security model. Although they proved that their scheme is secure under this model, we disprove their claim and show that their scheme is not secure.
Shafique Ahmad CHAUDHRY Ali Hammad AKBAR Ki-Hyung KIM
The IEEE 802.15.4 standard for Low Power Wireless Personal Area Networks (LoWPANs) has emerged as a promising technology to bring the envisioned ubiquitous paradigm into realization. Considerable efforts are being made to integrate LoWPANs with other wired and wireless IP networks, in order to make use of the pervasive nature and existing infrastructure associated with IP technologies. Provisioning of service discovery and network selection in such pervasive environments imposes heavy communication and processing overhead on networks with highly constrained resources. Localizing communication, by accessing the closest services, increases the total network capacity and extends the network lifetime. We present a hierarchical service discovery architecture based on SSLP, in which we propose directory proxy agents that act as a cache service for the directory agent, in order to localize the service discovery communication and access the closest services. We also propose algorithms to make sure that service users are connected to the closest proxy agent in order to access the closest service in the vicinity. The results show that our architecture and algorithms help find the closest services, reduce the traffic overhead for service discovery, decrease the service discovery time, and save nodes' energy considerably in 6LoWPANs.
Sihun PARK Namhi KANG Younghan KIM
Proxy Mobile IPv6 (PMIPv6) is designed not only to avoid tunneling overhead over the air but also to manage the mobility of hosts that are not equipped with any mobility management software. However, PMIPv6 leads to increasing signaling cost as mobile nodes move frequently, because the protocol is based on the global mobility management protocol. In this letter we propose Localized PMIPv6 with Route Optimization (LPMIPv6-RO). Our numerical analysis shows that the proposed scheme outperforms previously proposed mobility protocols in terms of both signaling and packet delivery cost.
Junichi FUNASAKA Atsushi KAWANO Kenji ISHIDA
Parallel downloading retrieves different pieces of a file from different servers simultaneously and so is expected to greatly shorten file fetch times. A key requirement is that the different servers must hold the same file. We have already proposed a proxy system that can ensure file freshness and concordance. In this paper, we combine parallel downloading with the proxy server technology in order to download a file quickly and ensure that it is the latest version. Our previous paper on parallel downloading took neither the downloading order of file fragments nor the buffer space requirements into account; this paper corrects those omissions. In order to provide the user with the required file in correct order as a byte stream, the proxy server must reorder the pieces fetched from multiple servers and shuffle in the delayed blocks as soon as possible. Thus, "substitution download" is newly introduced, which requests delayed blocks from other servers to complete downloading earlier. Experiments on substitution download across the Internet clarify the tradeoff between the buffering time and the redundant traffic generated by duplicate requests to multiple servers. As a result, the pseudo-optimum balance is discovered, and our method is shown both not to increase downloading time and to limit the buffer space. This network software can be applied to download files smoothly, absorbing the differences in performance characteristics among heterogeneous networks.