This article presents an architecture for encryption automation in interconnected Network Function Virtualization (NFV) domains. Current NFV implementations are designed for deployment within trusted domains, where overlay networks with static trusted links are utilized for enabling network security. Nevertheless, within a Service Function Chain (SFC), Virtual Network Function (VNF) flows cannot be isolated and end-to-end encrypted because each VNF requires direct access to the overall SFC data-flow. This restricts both end-users and Service Providers from enabling end-to-end security, and in extended VNF isolation within the SFC data traffic. Encrypting data flows on a per-flow basis results in an extensive amount of secure tunnels, which cannot scale efficiently in manual configurations. Additionally, creating secure data plane tunnels between NFV providers requires secure exchange of key parameters, and the establishment of an east-west control plane protocol. In this article, we present an architecture focusing on these two problems, investigating how overlay networks can be created, isolated, and secured dynamically. Accordingly, we propose an architecture for automated establishment of encrypted tunnels in NFV, which introduces a novel, tiered east-west communication channel between network controllers in a multi-domain environment.
This article describes a novel mechanism for the automated establishment of dynamic Virtual Private Networks (VPN) in the application domain of Network Function Virtualization (NFV). Each hop in an NFV Service Function Chain (SFC) lacks the capability of perflow encryption, that makes the traffic flow in federated NFV environments vulnerable for eavesdropping. Due to the possible lack of bidirectional data plane communication channels between VNFs in an SFC, the Internet Security Key Exchange protocol (IPsec-IKE) is not applicable inside a VNF. Hence, this article introduces an alternative to IPsec-IKE that is specifically designed for NFV environments. This component is named Software Defined Security Associations (SD-SA), which is shown through a proof of concept evaluation to perform better than IPsec-IKE with respect to bandwidth and resource consumption.
Our goal is to understand limitations of simplicity of knowledge structures and reasoning processes in Multiagent Systems. Therefore, we propose a framework that integrates external storage media and a capacity-constrained Multiagent System. Agents can store knowledge internally and on external storage media located in an environment. In some cases, agents either have to forget or to store knowledge externally due to limited internal memory. We define notions of suitable knowledge and let agents learn in the context of an iterative partitioning task problem. Using basic knowledge structures and a simple k-Nearest-Neighbor approach, we evaluate the role of limited internal memory in conjunction with strategic positioning of storage media and knowledge items. We also investigate dependencies between communication, internal memory size, frequently changing settings, and externally stored items. The results show that externally and strategically stored simple knowledge can support agents' reasoning processes. The approach is robust even in highly dynamic settings with small memory and without inter-agent communication.
Traditional approaches to digital forensics deal with the reconstruction of events within digital devices that were often not built for the creation of evidence. This paper focuses on incorporating requirements for forensic readiness-designing in features and characteristics that support the use of the data produced by digital devices as evidence. The legal requirements that such evidence must meet are explored in developing technical requirements for the design of digital devices. The resulting approach can be used to develop digital devices and establish processes for creating digital evidence. Incorporating the legal view early in device design and implementation can help ensure the probative value of the evidence produced the devices.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.