Publications
Disclaimer:
These papers are made available as a means to ensure timely dissemination of scholarly and technical work
on a non-commercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders,
notwithstanding that they have offered their works here electronically. It is understood that all persons copying
this information will adhere to the terms and constraints invoked by each author's copyright. These works may not
be reposted without the explicit permission of the copyright holder.
2007
An NSIS-based Approach for Firewall Traversal in Mobile IPv6 Networks,
Xiaoming Fu, Niklas Steinleitner, Hannes Tschofenig, Dieter Hogrefe, and Thomas Schreck, Third Annual International Wireless Internet Conference (WICON 2007), Austin, Texas, USA,
ACM Press, October 2007.
Firewalls have been successfully deployed in today's network infrastructure in various environments and will also be used in IPv6 networks. However, most of the current firewalls do not support Mobile IPv6, the best known standardized solution for mobility support in IPv6. As a result, Mobile IPv6 traffic will most likely be dropped when used without an appropriate firewall traversal solution.
This paper describes the problems and impacts of having firewalls in Mobile IPv6 environments and presents a firewall traversal solution based on the IETF's Next Steps In Signaling framework to address these issues. Compared with other candidates such as STUN, TURN, ICE, ALG, MIDCOM and COPS, this approach does not rely on specific firewall placements and can be applied in various operational modes without introducing additional entities. In this paper we also explore security aspects since they are typically difficult to handle.
2006
Implementation and Performance Study of a New NAT/Firewall Signaling Protocol,
Xiaoming Fu, Henning Peters, Niklas Steinleitner, Hannes Tschofenig, in Proceedings of the 26th International Conference on Distributed Computing Systems-Workshops (ICDCSW 2006), the 5th International Workshop on Assurance in Distributed Systems and Networks (ADSN2006), Lisboa, Portugal,
IEEE Computer Society, ISBN 0-7695-2541-5, July 2006.
The NAT/Firewall NSIS Signaling Layer Protocol (NAT/FW NSLP) is a path-coupled signaling protocol for explicit Network Address Translator and firewall configuration within an extensible IP signaling framework currently being developed by the IETF Next Steps in Signaling (NSIS) working group. This new protocol allows end hosts to signal along a path to configure NATs and firewalls according to the data flow needs. In this paper we present a first open source implementation and performance evaluation of the NAT/FW NSLP protocol. The implementation utilizes a generic state machine template and can automatically generate source code for message handling classes. The performance study shows that our implementation scales well and is able to support firewall signaling for up to tens of thousands of flows in parallel even in a low-end PC testbed environment. The overall performance bottleneck is found to lie in the utilized firewall implementation, not depending on the NAT/FW NSLP implementation.
2005
Implementation and Performance Testing of the NAT/FW NSIS Signaling Layer Protocol,
Niklas Steinleitner, Master Thesis No. ZFI-BM-2005-41, Center for Informatics, University of Goettingen, Germany,
ISSN 1612-6793, December 2005.
This thesis describes the first implementation and performance testing of the path-coupled signaling protocol for Network Address Translator (NAT) and firewall configuration within an extensible IP signaling framework developed by the IETF Next Steps in Signaling (NSIS) working group, called the NAT/FW NSIS Signaling Layer Protocol (NAT/FW NSLP). This new protocol allows hosts to signal along a data path to configure NATs and firewalls according to the data flow needs.
In comparison with prior work on firewall signaling, one major contribution of this thesis is that it presents a detailed performance study of the NAT/FW NSLP protocol through an experimental testbed. The performance results show that the implementation can support firewall signaling for up to tens of thousands of flows in parallel, and scales well. Besides the limitation due to the low-end PC hardware, the overall performance bottleneck is found to lie in the utilized firewall implementation, not depending on the NAT/FW NSLP implementation.
Performance Analysis of the TCP/IP Stack of Linux Kernel 2.6.9,
Jan Demter, Christian Dickmann, Xiaoming Fu, Henning Peters, Niklas Steinleitner, Technical Report No. IFI-TB-2005-03, Institute of Computer Science, University of Göttingen, Germany,
ISSN 1611-1044, April 2005.
This document reports on the project "performance study of the TCP/IP stack for the Linux kernel" which we performed during the practical course Computer Networks in the winter semester 2004/05, including its design, implementation and performance results. We analysed the packet processing time traversing each layer of the Linux kernel 2.6.9 TCP/IP stack (socket, TCP/UDP, IP and Ethernet) and the influence of multi-threading and different packet sizes. The design is based on the idea of inserting probing points via hooks in the kernel code and exporting timing data to a userspace application. A packet generator and analysis tools were also developed. The results demonstrate a number of key concepts in TCP/IP networking, such as layering, user-system interface, connection versus datagram modes, processing routines and their overhead in different layers. Some preliminary results reveal the system has its bottlenecks in different situations, and our tools, released under the GPL license, have been designed in such a way that allows easy extensibility for other networking diagnostics purposes.