
Cristel Pelsser - Professor at University of Strasbourg
96 Publications
9,843 Reads
1,169 Citations
Publications (96)
As QUIC gains attention, more applications that leverage its capabilities are emerging. These include defenses against on-path IP tracking and traffic analysis. However, the deployment of the underlying required support for connection migration remains largely unexplored. This paper provides a comprehensive examination of the support of the QUIC co...
Data acquisition (DAQ) networks, widely used in scientific research and industrial applications, are composed of numerous interconnected servers, exchanging substantial data volumes produced by large scientific instruments. One traffic matrix generally used in such networks is the all-to-all collective exchange, which demands substantial network re...
Network-connected Smart Home devices are becoming increasingly common, creating potential security and privacy risks. Previous research has shown these devices follow predictable network communication patterns, allowing researchers to model their normal network behavior and detect potential security breaches. However, existing approaches only obser...
BGP distributes prefixes advertised by Autonomous Systems (ASes) and computes the best paths between them. It is the only routing protocol used to exchange interdomain routes on the Internet. Since its original definition in the late 1980s, BGP uses TCP. To prevent attacks, BGP has been extended with features such as TCP-MD5, TCP-AO, GTSM and data-...
Despite their ubiquity, the security of Internet of Things devices is unsatisfactory, as demonstrated by several attacks. The IETF's MUD standard aims to simplify and automate the secure deployment of network devices. A MUD file specifies a device-specific description of allowed network activities (e.g., allowed IP ports or host addresses) and can...
While the increasing number of Vantage Points (VPs) in RIPE RIS and RouteViews improves our understanding of the Internet, the quadratically increasing volume of collected data poses a challenge to the scientific and operational use of the data. The design and implementation of BGP and BGP data collection systems lead to data archives with enormous...
For the Large Hadron Collider beauty (LHCb) experiment, achieving high throughput in the data acquisition (DAQ) network is crucial for supporting scientific applications. However, failures within DAQ networks can lead to significant performance degradation. In this study, we investigate the frequency, duration, and causes of failures in the LHCb DA...
By combining the security features of TLS with the reliability of TCP, QUIC opens new possibilities for many applications. We demonstrate the benefits that QUIC brings for routing protocols. Current Internet routing protocols use insecure transport protocols. BGP uses TCP possibly with authentication. OSPF uses its own transport protocol above plai...
As RPKI is becoming part of ISPs’ daily operations and Route Origin Validation is getting widely deployed, one wonders how long it takes for the effect of RPKI changes to appear in the data plane. Does an operator that adds, fixes, or removes a Route Origin Authorization (ROA) have time to brew coffee or rather enjoy a long meal before the Internet...
The Internet uses IP addresses to identify and locate network interfaces of connected devices. IPv4 was introduced more than 40 years ago and specifies 32-bit addresses. As the Internet grew, available IPv4 addresses eventually became exhausted more than ten years ago. The IETF designed IPv6 with a much larger addressing space consisting of 128-bit...
With a growing demand for quasi-instantaneous communication services such as real-time video streaming, cloud gaming, and industry 4.0 applications, multi-constraint Traffic Engineering (TE) becomes increasingly important. While legacy TE management planes like MPLS have proven laborious to deploy, Segment Routing (SR) drastically eases the deploym...
This paper reports on measuring the effect of engineering egress traffic to peering ASes using Segment Routing, called BGP-EPE. BGP-EPE can send packets destined to arbitrary prefixes to arbitrary eBGP peers regardless of the BGP path selection. This ability enables us to measure external connectivity from a single AS in various perspectives; for e...
Companies such as Netflix increasingly use the cloud to deploy their business processes. Those processes often involve partnerships with other companies, and can be modeled as workflows where the owner of the data at risk interacts with contractors to realize a sequence of tasks on the data to be secured. In this paper, we first show how those work...
With a growing demand for quasi-instantaneous communication services such as real-time video streaming, cloud gaming, and industry 4.0 applications, multi-constraint Traffic Engineering (TE) becomes increasingly important. While legacy TE management planes have proven laborious to deploy, Segment Routing (SR) drastically eases the deployment of TE...
Interactions between the intra- and inter-domain routing protocols received little attention despite playing an important role in forwarding transit traffic. More precisely, by default, IGP distances are taken into account by BGP to select the closest exit gateway for the transit traffic (hot-potato routing). Upon an IGP update, the new best gatewa...
The full Internet feed, reaching ∼867K prefixes as of March 2021, has been growing at ≈50K prefixes/year over the last 10 years. To counterbalance this sustained increase, Autonomous Systems (ASes) may filter prefixes, perform prefix aggregation and use default routes. Despite being effective, such workarounds may result in routing inconsistencies,...
Many algorithms compute shortest-path queries in mere microseconds on continental-scale networks. Most solutions are, however, tailored to either road or public transit networks in isolation. To fully exploit the transportation infrastructure, multimodal algorithms are sought to compute shortest-paths combining various modes of transportation. Nonet...
Data leaks and breaches are on the rise. They result in huge losses of money for businesses like the movie industry, as well as a loss of user privacy for businesses dealing with user data like the pharmaceutical industry. Preventing data exposures is challenging, because the causes for such events are various, ranging from hacking to misconfigured...
Video presentation: https://youtu.be/U1Aa0151D_k
With the growth of demands for quasi-instantaneous communication services such as real-time video streaming, cloud gaming, and industry 4.0 applications, multi-constraint Traffic Engineering (TE) becomes increasingly important. While legacy TE management planes have proven laborious to deploy, Segm...
With the growth of demands for quasi-instantaneous communication services such as real-time video streaming, cloud gaming, and industry 4.0 applications, multi-constraint Traffic Engineering (TE) becomes increasingly important. While legacy TE management planes have proven laborious to deploy, Segment Routing (SR) drastically eases the deployment o...
BGP reconvergence events involving a large number of prefixes may result in the loss of large amounts of traffic. Based on the observation that a very small number of prefixes carries the vast majority of traffic, we propose Power Prefixes Prioritization (PPP) to ensure the routes of these popular BGP prefixes converge first. By doing so, we signif...
We investigated Internet eXchange Points (IXPs) deployed across Latin America. We discovered that many Latin American states have been actively involved in the development of their IXPs. We further found a correlation between the success of a national IXP and the absence of local monopolistic ASes that concentrate the country's IPv4 address space....
Route planning represents a major challenge with a substantial impact on safety, economy, and even climate. An ever-growing urban population caused a significant increase in commuting times, therefore, stressing the prominence of efficient real-time route planning. In essence, the goal is to compute the fastest route to reach the target location in...
The Border Gateway Protocol (BGP) coordinates the connectivity and reachability among Autonomous Systems, providing efficient operation of the global Internet. Historically, BGP anomalies have disrupted network connections on a global scale, i.e., detecting them is of great importance. Today, Machine Learning (ML) methods have improved BGP anomaly...
BGP blackholing is a common technique used to mitigate DDoS attacks. Generally, the victim sends in a request for traffic to the attacked IP(s) to be dropped. Unfortunately, remote parties may misuse blackholing [29, 57] and send requests for IPs they do not own, turning a defense technique into a new attack vector. As DDoS attacks grow in number,...
The Internet is a complex ecosystem composed of thousands of Autonomous Systems (ASs) operated by independent organizations; each AS having a very limited view outside its own network. These complexities and limitations impede network operators to finely pinpoint the causes of service degradation or disruption when the problem lies outside of their...
BGP communities are a mechanism widely used by operators to manage policy, mitigate attacks, and engineer traffic; e.g., to drop unwanted traffic, filter announcements, adjust local preference, and prepend paths to influence peer selection.
Unfortunately, we show that BGP communities can be exploited by remote parties to influence routing in uninte...
The Border Gateway Protocol propagates routing information across the Internet in an incremental manner. It only advertises to its peers changes in routing. However, as early as 1998, observations have been made of BGP announcing the same route multiple times, causing router CPU load, memory usage and convergence time higher than expected.
In this...
In the Internet, Autonomous Systems continuously exchange routing information via the BGP protocol: the large number of networks involved and the verbosity of BGP result in a huge stream of updates. Making sense of all those messages remains a challenge today. In this paper, we leverage the notion of “primary path” (i.e., the most used inter-domain...
Understanding data plane health is essential to improving Internet reliability and usability. For instance, detecting disruptions in distant networks can identify repairable connectivity problems. Currently this task is difficult and time consuming as operators have poor visibility beyond their network's border. In this paper we leverage the divers...
It is a challenge to select the most appropriate vantage points in a measurement platform with a wide selection. RIPE Atlas [2], for example currently has over 9600 active measurement vantage points, with selections based on AS, country, etc. A user is limited to how many vantage points they can use in a measurement. This is not only due to limitat...
Understanding network health is essential to improve Internet reliability. For instance, detecting disruptions in peer and provider networks facilitates the identification of connectivity problems. Currently this task is time consuming for network operators. It involves a fair amount of manual observation because operators have little visibility in...
Public measurement platforms composed of low-end hardware devices such as RIPE Atlas have gained significant traction in the research community. Such platforms are indeed particularly interesting as they provide Internet-wide measurement capabilities together with an ever growing set of measurement tools. To be scalable though, they allow for concu...
In this paper, we propose the BGP Visibility Toolkit, a system for detecting and analyzing anomalous behavior in the Internet. We show that interdomain prefix visibility can be used to single out cases of erroneous demeanors resulting from misconfiguration or bogus routing policies. The implementation of routing policies with BGP is a complicated p...
BGP, the de-facto inter-domain routing protocol, was designed without considering security. Recently, network operators have experienced hijacks of their network prefixes, often due to BGP misconfiguration by other operators, sometimes maliciously. In order to address this, prefix origin validation, based on a RPKI infrastructure, was proposed and...
The advertisement of more-specific prefixes provides network operators with a fine-grained method to control the interdomain ingress traffic. Prefix deaggregation is recognized as a steady long-lived phenomenon at the interdomain level, despite its well-known negative effects for the community. In this paper, we look past the original motivation fo...
Over a decade of work has gone into securing the BGP routing control plane. Through all this, there has been an oft repeated refrain, "It is acknowledged that rigorous control plane verification does not in any way guarantee that packets follow the control plane." We describe what may be the first deployment of data plane enforcement of RPKI-based...
The Border Gateway Protocol (BGP) is the protocol used to distribute Internet routes between different organizations. BGP routing policies are very important because they enable organizations to enforce their business relationships by controlling route redistribution and route selection. In this paper, we investigate the semantic of BGP policies. W...
The main functionality of the Internet is to provide global connectivity for every node attached to it. In light of the IPv4 address space depletion, large networks are in the process of deploying IPv6. In this paper we perform an extensive analysis of how BGP route propagation affects global reachability of the active IPv6 address space in the con...
Monitoring Internet performance and measuring user quality of experience are drawing increased attention from both research and industry. To match this interest, large-scale measurement infrastructures have been constructed. We believe that this effort must be combined with a critical review and calibration of the tools being used to measure perfor...
Prefix deaggregation is recognized as a steady long-lived phenomenon at the interdomain level, despite its well-known negative effects for the community. The advertisement of more-specific prefixes provides network operators with a fine-grained method to control the interdomain ingress traffic. Moreover, customer networks combining this mechanism w...
The network infrastructure of Internet service providers (ISPs) undergoes constant evolution. Whenever new requirements arise (e.g., the deployment of a new Point of Presence or a change in the business relationship with a neighboring ISP), operators need to change the configuration of the network. Due to the complexity of the Border Gateway Protoc...
Network-wide migrations of a running network, such as the replacement of a routing protocol or the modification of its configuration, can improve the performance, scalability, manageability, and security of the entire network. However, such migrations are an important source of concerns for network operators as the reconfiguration campaign can lead...
Internet Service Providers (ISPs) need to balance multiple opposing objectives. On one hand, they strive to offer innovative services to obtain competitive advantages; on the other, they have to interconnect with potentially competing ISPs to achieve reachability, and coordinate with them for certain services. The complexity of balancing these obje...
Routing stability and correctness in the Internet have long been a concern. Despite this, few theoretical frameworks have been proposed to check BGP configurations for convergence and safety. The most popular approach is based on the Stable Paths Problem (SPP) model. Unfortunately, SPP requires enumeration of all possible control-plane paths, which...
Internet Service Providers (ISPs) use routing policies to implement the requirements of business contracts, manage traffic, address security concerns and increase scalability of their network. These routing policies are often a high-level expression of strategies or intentions of the ISP. They have meaning when viewed from a network-wide perspectiv...
The Great East Japan Earthquake and Tsunami on March 11, 2011, disrupted a significant part of communications infrastructures both within the country and in connectivity to the rest of the world. Nonetheless, many users, especially in the Tokyo area, reported experiences that voice networks did not work yet the Internet did. At a macro level, the I...
The Internet is organized as a collection of networks called Autonomous Systems (ASes). The Border Gateway Protocol (BGP) is the glue that connects these administrative domains. Communication is thus possible between users worldwide and each network is responsible for sharing reachability information to peers through BGP. Protocol extensions are per...
The Internet has grown extremely fast in the last two decades. The number of routes to be supported by the routers has become very large. Moreover, the number of messages exchanged to distribute the routes has increased even faster. In this paper, we propose SpliTable, a scalable way to support the Internet routes in a Service Provider network. In...
The Border Gateway Protocol (BGP), the de facto inter-domain routing protocol of the Internet, is known to be noisy. The protocol has two main mechanisms to ameliorate this, MinRouteAdvertisementInterval (MRAI), and Route Flap Damping (RFD). MRAI deals with very short bursts on the order of a few to 30 seconds. RFD deals with longer bursts, minutes...
The role of BGP inside an AS is to disseminate the routes learned from external peers to all routers of the AS. A straightforward, but not scalable, solution, is to resort to a full-mesh of iBGP sessions between the routers of the domain. Achieving scalability in the number of iBGP sessions is possible by using Route Reflectors (RR). Relying on a s...
Route-Reflection and confederations were introduced to alleviate the scalability issue of maintaining a full-mesh of iBGP sessions. However, these techniques may lead to routing, forwarding, route diversity and sub-optimal routing issues. In this paper, we propose a new scalable internal BGP route distribution architecture that is rid of these issu...
The Internet is organized as a collection of administrative domains, known as Autonomous Systems (ASes). These ASes interact through the Border Gateway Protocol (BGP) that allows them to share reachability information. Adjacent routers in distinct ASes use external BGP (eBGP), whereas in a given AS routes are propagated over internal BGP (iBGP) ses...
In this paper, we show a prototype implementation for a new architecture of supporting interdomain routes. It is widely recognized that the rapid growth of Internet is forcing a scalability bottleneck to itself from the aspect of routing. We propose a scalable way to support the Internet routes in a service provider network. We make use of distribu...
IP fast reroute techniques have been proposed to achieve fast failure recovery in just a few milliseconds. The basic idea of IP fast reroute is to reduce recovery time after failure by precomputing backup routes. A multiple routing configurations (MRC) algorithm has been proposed for obtaining IP fast reroute. MRC prepares backup configurations, wh...
The Internet has grown extremely fast in the last two decades. The number of routes to be supported by the routers has become very large. Moreover, the number of messages exchanged to distribute the routes has increased even faster. To keep up with the increase, network operators regularly have to perform costly upgrades of the routers. It is uncle...
IP fast reroute techniques have been proposed for achieving fast failure recovery in just a few milliseconds. The basic idea of IP fast reroute is to reduce recovery time after failure by precomputing backup routes. A multiple routing configurations (MRC) algorithm has been proposed for obtaining IP fast reroute. MRC prepares backup configurations,...
Due to the way BGP paths are distributed over iBGP sessions inside an Autonomous System (AS), a BGP withdraw that follows a failure may be propagated outside the AS although other routers of the AS know a valid alternate path. This causes transient losses of connectivity and contributes to the propagation of a large number of unnecessary BGP messag...
In a service provider (SP) network, routes for external destinations are distributed on iBGP sessions. This traditionally required the establishment of a full-mesh of iBGP sessions in the network. A common practice is now to make use of route reflectors (RR). Such a practice is more scalable in the number of iBGP sessions to be configured in a SP n...
MultiProtocol Label Switching (MPLS) is used today inside most large Service Provider (SP) networks. In this paper, we analyze the establishment of interdomain MPLS LSPs with QoS constraints. These LSPs cross diverse SP networks that may belong to different companies. We show that using the standard BGP route for the establishment of such LSPs is n...
Many Internet Service Providers tune the configuration of the Border Gateway Protocol on their routers to control their traffic. Content providers often need to control their outgoing traffic while access providers need to control their incoming traffic. We show, by means of measurements and simulations, that controlling the flow of the incomin...
this paper, we propose two heuristics to select the downstream AS and the ingress router inside this AS for the establishment of inter-domain LSPs. Then, we evaluate them in terms of the quality of the resulting paths and the number of unsuccessful attempts
Nowadays, the success of MPLS is mostly due to the increasing demand for BGP/MPLS VPNs. Even though the need for interdomain LSPs is growing, no ISP today proposes the dynamic establishment of LSPs across AS boundaries. In this paper, we investigate the complexity of establishing end-to-end interdomain LSPs with QoS guarantees, based on the BGP rou...
Multiprotocol Label Switching (MPLS) is currently used inside Autonomous Systems (ASs) for Virtual Private Networks (VPNs) or Traffic Engineering purposes. We first discuss the Service Provider's requirements for the utilization of MPLS Label Switched Paths (LSPs) across AS boundaries. Then we propose a minimum set of extensions to RSVP-TE that all...
Multiprotocol label switching (MPLS) is currently used inside autonomous systems (ASs) for virtual private networks (VPNs) or traffic engineering (TE) purposes. We first discuss the service provider's requirements for the utilization of MPLS label switched paths (LSPs) across AS boundaries. Then we propose a minimum set of extensions to RSVP-TE tha...
Traffic engineering is performed by means of a set of techniques that can be used to better control the flow of packets inside an IP network. We discuss the utilization of these techniques across interdomain boundaries in the global Internet. We first analyze the characteristics of interdomain traffic on the basis of measurements from three differe...
This deliverable D3.1 proposes a framework for intra-domain traffic engineering. This document is the basis for algorithms and mechanisms that will be designed in Work Package 3 of the ATRIUM project. Several aspects are covered, such as DiffServ (Differentiated Services) support in MPLS (Multi-Protocol Label Switching), LSP (Label Switched Path)...
Core Stateless Fair Queueing (CSFQ) is a scalable mechanism to provide per-flow fairness in highspeed networks in that it does not need to maintain per-flow state in the core routers. This is possible because the state for each flow is encoded as special labels inside each packet. In this paper, we propose and evaluate by simulations two improvemen...
ABSTRACT. BGP is the interdomain routing protocol currently used in the Internet. Within an autonomous system, interdomain routes are often distributed through BGP route reflectors. In this paper, we show that by adding intelligence to the route reflectors, it is possible to provide service...
MultiProtocol Label Switching (MPLS) is used inside large ISP networks to provide services with stringent Service Level Agreements such as Virtual Private Networks (VPNs). Customers are now urging ISPs to provide such services across interdomain boundaries. This requires the ability to establish interdomain MPLS Label Switched Paths (LSPs) with con...