This project is advancing the scope, effectiveness, impact, and scientific rigor of experimental tools and methodologies available to researchers in cybersecurity and networking. Underpinning the project, and forming a second objective, is the creation of a new international, inter-disciplinary community of researchers in the United States and Japan that leverages the shared vision and complementary strengths of the individual collaborators and their respective research cultures. The work includes design and implementation of a federated system integrating USC/ISI?s DETER and JAIST?s StarBED research testbeds. Among key elements, the development of an advanced experiment description language builds on current DETER and StarBED capabilities to support higher-level reasoning about experiment configuration, workflow and validity, while research into new user interface approaches for controlling extremely complex experiments leverages StartBED?s kuroyuri procedural model and DETER?s SEER declarative model. Because this work is carried out in the context of DETER?s existing federation architecture, users of the facility will additionally gain access to other DETER cooperating infrastructures such as GENI. Also included is a series of catalyst research tasks, designed as motivators for the infrastructure while providing value to future networks. One task is focusing on improving the robustness and dynamic error recovery of Internet routing by creating dynamic policy-conformant fallback paths within the Internet?s interdomain routing protocol, BGP. The other task is addressing a significant challenge to the deployment of a secure Domain Name System (DNS) through robust unscheduled rekeying. Each task leverages previous research by multiple project collaborators, and each poses significant challenges to the new experimental facility.
In this project, researchers from the US and Japan came together to develop a unique new facility for carrying out experimental networking and cyber security research, and then used the new tool to support a set of technical research projects aimed at improving the reliability and security of the Internet. The project was carried out by a collaboration that included the University of Southern California’s Information Sciences Institute in the United States, with JAIST (Japan Advanced Institute of Science and Technology), NAIST (Nara Institute of Science and Technology), and the University of Tokyo in Japan. An important outcome of the project was the creation of this collaborative exchange between leading US and Japanese Internet research organizations. This allowed the US and Japanese researchers to better understand how the Internet is used, supported, and developed in each country, and to work together to develop research results that strengthen Internet security world-wide. Such results are particularly valuable because the Internet is intrinsically a multi-national entity, so that US Internet security benefits directly when the Internet’s overall robustness is strengthened. The new research facility created to support the project’s work is a federation of two existing experimental network research facilities, USC/ISI’s DETER cybersecurity testbed and JAIST’s StarBED large-scale Internet simulator. "Federation" means that the two facilities continue to be operated by their home organizations, each with their own management and usage policies, but that it is now possible to create scenarios that are implemented using both facilities but appear to be one large experiment. To create this capability, a number of new technologies were developed that together allow multiple testbed facilities to work as one. An important outcome of the project is that technologies are all reusable. Since the conclusion of the project described here, these same technologies have been used to create federations that incorporate many different research facilities at sites throughout the US and internationally, to support research in networking, cybersecurity, and cyber-physical systems such as the "smart grid". Once the federated facility was developed, the project carried out two catalyst research projects, intended both to test the facility and produce immediately useful results. The first of these, uKOI, proposed and tested a solution to a problem that is limiting the large scale commercial deployment of the DNSSEC (DNS Security) protocols. The DNSSEC protocols are a set of technical mechanisms intended to make it impossible for unscrupulous people to misrepresent or steal Internet Domain Names, such as "www.example.org". Without DNSSEC, it is possible in some circumstances for a person attempting to use a website to be misdirected to a fraudlent or misleading alternate site instead, so advancing the deployment of DNSSEC is an important step to improving the security of the Internet. Our second project, AiR (Automated internet Rerouting), is concerned with making Internet routing more robust in the face of sudden far-reaching disruptions. "Internet routing" is the mechanism that defines the path through the Internet that data will follow between senders and receivers. When Internet routing is widely perturbed, such as when many links in many providers fail simultaneously, it can take a very long time for the routing algorithms to recover and find a new path for data to follow. AiR proposes a new technology that pre-calculate alternative paths for data to follow using publicly available routing repositories, consistent with technical requirements and various providers' policies. Then, if there is a significant routing failure, we can quickly inject alternative routes without waiting for new paths to be computed. Use of this approach would allow parts of the Internet to recover much more quickly in the case of a widespread failure. The challenge with developing and testing such a technology is that we cannot break the actual Internet to see what happens! So, to better develop this technology, we used our shared research facility to create a simulated model of the Internet that we could break, and then intentionally triggered a range of "failures" in the simulated Internet that allowed us to evaluate the behavior of AiR. These experiments allowed us to understand how effectively and quickly AiR would respond to different kinds of failure, and show that the wide deployment of AiR would significantly improve the overall robustness of the Internet to potential large disruptions.
