A Multiple LSPs Approach to Secure Data in MPLS Networks

JOURNAL OF NETWORKS, VOL. 2, NO. 4, AUGUST 2007

51

A Multiple LSPs Approach to Secure Data in MPLS Networks Sahel Alouneh, Abdeslam En-nouaary, Anjali Agarwal Concordia University/Electrical and Computer Engineering Department, Montreal, Canada Email: {s_aloune, ennouaar, aagarwal}@ece.concordia.ca

Abstract— MPLS security is an evolving issue which has been raised by many researchers and service providers. The basic architecture of MPLS network does not provide security services such as encryption. Therefore, MPLS does not protect the confidentiality of data transmitted. This paper provides a mechanism to enhance the security in MPLS networks by proposing a modified (k, n) Threshold Secret Sharing scheme where the n shares obtained are send over multiple disjoint paths. We have implemented our approach to measure its time overhead on packet transmission. Index Terms—MPLS, Security, Threshold Secret Sharing, LSP

I. INTRODUCTION Multi-protocol label switching (MPLS) is desired solution to address the problems faced by conventional IP networks (speed, scalability, Quality-of-Service (QoS), and traffic engineering). MPLS is an advanced forwarding scheme that extends routing with respect to packet forwarding and path controlling. An MPLS domain is a contiguous set of routers which operate MPLS routing and forwarding and which are also in one routing or administrative domain. An MPLS capable router is called LSR (label switching router). MPLS provides mechanisms in IP backbones for explicit routing using LSPs (Label Switched Paths), encapsulating the IP packet in an MPLS packet. MPLS combines a label swapping algorithm, similar to that used in ATM, with network layer routing. A label is a short, fixed-length identifier that is used to forward packets. In MPLS, the FEC (Forward Equivalence Class) assignment will only be done just once at the ingress router. The FEC to which the packet is assigned is encoded into a label. At the ingress LSR of an MPLS domain, IP packets are classified and routed based on a combination of the information carried in the IP header of these packets and local routing information maintained by the LSR. An MPLS header, called label, is then inserted for each packet. Within an MPLS domain, an LSR will use the label as the index to look up the forwarding table of the Based on “Securing MPLS Networks with Multi-path Routing ”, by S. Alouneh, A. En-nouaary, and A. Agarwal which appeared in the Proceedings of the IEEE Fourth International Conference on Information Technology 2007, Las Vegas, USA, April 2007. © 2007 IEEE.

© 2007 ACADEMY PUBLISHER

LSR. The packet is processed as specified by the forwarding table entry. The incoming label is replaced by the outgoing label, and the packet is switched to the next LSR. Before a packet leaves an MPLS domain, its MPLS header is removed. Figure 1 shows a simple process of assigning labels in MPLS network. Each router receives a packet with LabelIN value, after checking its FEC value the packet is forwarded to the next hop with LabelOut value. Moreover, the processes for requesting and mapping the labels are shown. For example, for an IP packet (with IP prefix value 47.1 that is used with other Quality of Service (QoS) requirements to determine its FEC value) entering an MPLS network uses labels L7 and L4 to traverse from ingress router toward the egress router.

Figure 1. MPLS single path label distribution

MPLS network architecture does not provide header or payload encryption [1] [11]. MPLS technology has emerged mainly to provide high speed packet delivery. As a result security considerations have not been discussed thoroughly until recent demands for security have emerged by most providers and researchers. The reason why MPLS does not provide encryption mechanisms is related to the purpose it was built for. In conventional IP networks, every router in the network has a role in analyzing IP packets headers, to classify, and to process every packet passing through it. This of course will add more overhead and delay in the network [6] [14]. In MPLS network, only two routers (the ingress and egress routers) are responsible for this task. Core or LSR routers in MPLS network will only forward packets based on labels transmitted through a pre-established LSP. The use of encryption to provide privacy of data requires the

52

JOURNAL OF NETWORKS, VOL. 2, NO. 4, AUGUST 2007

core MPLS routers to analyze and process packets’ header, which will result in reducing the performance of MPLS network. Our approach considers security based on Threshold Secret Sharing (TSS) scheme where the shares obtained are send over multiple disjoint paths. To our best knowledge, this concept has never been proposed to secure MPLS networks. In our work, we consider the types of attacks we intend to protect the MPLS network from, and operational considerations including reducing overhead, saving bandwidth. What kind of attacks are we protecting from? We are protecting the packet confidentiality (including the header and payload) so that an attacker cannot collect and analyze traffic data or understand routing configuration. In this paper, we are not protecting against other security aspects like attacks on availability, modification and fabrication. These issues are out of the scope of this paper and will be considered in our future work.

that have to be considered such as bandwidth [13], and complexity of data processing.

II. RELATED WORK

Using Lagrange linear interpolation the polynomial function can be represented as follows:

MPLS security concerns have been raised recently as there are many service providers deploying MPLS technology. Most of the literature works on MPLS security concentrate on MPLS-VPN architecture. Behringer et al. [11] discussed MPLS VPN security. The authors present a practical guide to hardening MPLS networks. They assumed “zones of trust” for MPLS VPN environment. The main assumption was to assume core MPLS routers (LSRs) to be trusted or secure. This assumption led to some security concerns such as VPN data confidentiality. There is no guarantee to VPN users that packets do not get read or sniffed when they are in transit over the MPLS core. MPLS as such does not provide a mechanism for encrypting the data. The authors left the issue of securing MPLS core routers (if they are not trusted) as an open issue for more discussion. Another study by T. Saad et al. [14] has discussed the effect of MPLS-based tunnels on end–to-end virtual connection service and security. The study shows that applying IPSec in MPLS-based tunnels reduces overall throughput of TCP flow and adds more overhead. A cryptographic protocol to protect MPLS Labels was proposed by Barlow et al. [5]. The design applies simple encryption technique on labels to prevent header modification. The protocol does not provide data confidentiality. Chung et al. [6] proposed a method for RSA algorithm suitable for multi-path topology. It was mentioned that the algorithm can be applied to MPLS networks however the details are not provided. III. TSS ALGORITHM In cryptography, Threshold Secret Sharing (TSS) refers to any method for distributing a secret amongst a group of participants, each of which is allocated a share of the secret. The secret can only be reconstructed when the shares are combined together; individual shares are of no use on their own. The use of TSS scheme to provide networking data confidentiality has other requirements

© 2007 ACADEMY PUBLISHER

A. (k, n) Threshold Secret Sharing scheme The idea behind the TSS is to divide a message into n pieces, called shadows or shares, such that any k of them can be used to reconstruct the original message. Using any number of shares less than k will not help to reconstruct the original message. Adi Shamir polynomial approach [7] will be used to show this concept, while there are other approaches such as Vector Scheme [9] and Asmuth-Bloom [10] that could be used. The Shamir’s (k, n) threshold scheme is based on the Lagrange interpolation for polynomials. The polynomial function is shown as in equation 1. Let p be a prime number, then a polynomial with intermediate x values over the finite field Zp has the following expression form: f(x) = (ak-1xk-1 + … + a2x2 + a1x + a0) mod p

k

f(x)=

∑y j =1

ij

∏

1≤ s ≤ k , s ≠ j

x − xis xij − xis

(1)

(2)

where the coefficients a0 , … , ak-1 are unknown elements of Zp, and a0 = M is the original message. Since yij = f(xij), 1 ≤ j ≤ k, 1 ≤ i ≤ n, a subset of participants can obtain k linear equations in the k unknowns a0 , … , ak-1, where all arithmetic is done in Zp. If the equations are linearly independent, there will be a unique solution, and a0 will be revealed. Example: let M be 11, then in a (3, 4) threshold sharing scheme, any three out of four shares can reconstruct M. First, a quadratic equation should be generated, where the coefficients a1 and a2 are chosen randomly (Note that random selection assumption is going to be modified in our model), and the p value should be greater than any coefficient value, in this case 13: f(x) = (7x2 + 8x + 11) mod 13 The following shares are calculated for different values of x: f(1) ≡ 0 (mod 13) f(2) ≡ 3 (mod 13)

f(3) ≡ 7 (mod 13) f(5) ≡ 5 (mod 13)

For example if f(2), f(3), and f(5) are chosen, the following three equations are solved using Langrage Interpolation: (a0 + a1 (2) + a2 (2)2) ≡ 3 (a0 + a1 (3) + a2 (3)2) ≡ 7 (a0 + a1 (5) + a2 (5)2) ≡ 5

(mod 13) (mod 13) (mod 13)

JOURNAL OF NETWORKS, VOL. 2, NO. 4, AUGUST 2007

53

The solution to the equations is a2 = 7, a1 = 8, and a0 = 11 = M, and hence, the original M is reconstructed. B. Integration of TSS with MPLS The Threshold Sharing Scheme (TSS) discussed above is modified to integrate with MPLS networks. Figure 2 shows an architectural view that describes how the distribution and reconstruction processes are applied to an MPLS network.

Figure 2. Distributor and reconstruction processes

IP packet entering an MPLS network is divided into n shares or MPLS packets where each new packet has its own label. Every new generated MPLS packet is not a simple fragmentation of the original IP packet [7] but a mathematical transformation or code such that each individual share bears information about the IP packet but does not carry any meaningful partial plain text of the original IP packet. With less than k shares/MPLS packets, the attacker can do no better than guessing [13]. To start up the discussion of our approach, the distributor and reconstruction algorithms will be explained in the following sections. C. Distributor Process When an IP packet enters an MPLS ingress router, a distributor process is used to generate the n=k share messages/packets that will become the payloads for MPLS packets. These k MPLS packets are allocated over k maximally disjoint LSPs obtained using multi-path routing [12]. The IP packet is divided into L bit blocks S0, S1, ... , Sm. The k shares are calculated using the k different xi values as agreed between a sender (ingress) and a receiver (egress). Figure 3 shows an detailed example of applying a modified (3, 4) Threshold Secret Sharing scheme into an IP packet. It should be noticed how polynomial coefficients are calculated. It is important to mention here that we consider all coefficients of the polynomial function to be part of packet division. Unlike the original definition used in the Threshold Sharing Scheme [7], a1 and a2 values are provided from each block (not by assigning random values). The number of coefficients of polynomial function shown in Figure 3 is three coefficients, and hence, each L bytes block is divided into three equal parts. These parts will be mapped to the polynomial’s three coefficients a0, a1, a2 .

© 2007 ACADEMY PUBLISHER

Figure 3. Detailed example showing the mathematical calculation of a (3, 4) modified TSS for an IP packet at the ingress and egress routers.

In this paper, our main focus is on data confidentiality. Therefore a (k, k) Threshold Secret Sharing scheme is capable to satisfy this goal. Therefore, no extra shares (when n > k) is really needed. The use of redundant shares for n > k can be used to provide availability and data integrity but this topic is out of scope of this paper and will be considered in future work. Figure 4 show an example of applying the modified TSS scheme for providing data confidentiality in MPLS network. The flow chart that is shown in Figure 5 sets up the required TSS level by consulting the Control Unit. The control unit should find the maximal number of disjoint LSPs. The TSS scheme can work with only (2, 2) threshold secret sharing level, that is only two LSPs are needed between ingress and egress routers. On the other hand, having larger number of maximal disjoints LSPs will make it harder for an attacker to reconstruct the original IP packet because the attacker in this case has to hijack more number of nodes/LSRs in a larger group of disjoint LSPs.

54

JOURNAL OF NETWORKS, VOL. 2, NO. 4, AUGUST 2007

link can be shared within limited or permitted ranges [4]. Those shared nodes/links may be protected with more advanced methods than other nodes in the network.

Figure 4. Processing an IP packet by Distributor process for (3, 3) TSS level

D. Reconstruction Process The shares/MPLS packets generated at the ingress router from the original IP packet traverse through the multiple LSPs toward their destination (egress router). Figure 6 shows the flow chart of the reconstruction process. The following points should be considered in the reconstruction process: - Shares/MPLS packets should be received within some permitted range (a time out). If timeout is exceeded, then the group of shares/MPLS packets already received has to be discarded (since they will not be enough to reconstruct the original IP packet) and a message has to be sent to the ingress router for retransmission. - The ordering of shares/MPLS packets (that belong to the same original IP packet) received at egress router is not important for reconstructing the original IP packet since both ingress and egress router will be using the same polynomial function, hence, the order of coefficients a0, a1, ..., am-1 are already preserved by the polynomial function ( see Eq. 1).

Figure 5. A distributor process flow chart

We believe that the following issues have to be considered when selecting multiple disjoint LSPs between an ingress and egress routers: - Proposals used to find disjoint paths between a source and destination intend to increase the effective bandwidth, reduce congestion, and reduce the probability of packet loss by focusing on finding shortest paths. However, from the security point of view, longer paths (and in our case LSPs) can be adopted as long as this provides a higher level of security [6] (but at the same time, should be within some permitted ranges). - If it is hard to find completely disjoint paths (by disjoint paths we mean node disjoint paths), then some nodes or

© 2007 ACADEMY PUBLISHER

Figure 6. A reconstruction process flow chart

E. Bandwidth Analysis of modified TSS Additional bandwidth is not required when creating shares/MPLS packets.In the original TSS scheme, the secret message is the only value supplied to the polynomial coefficients (to coefficient a0) where other coefficients values are selected randomly. See example in section A. Assuming an IP packet of size Psize= Q bytes, and using the original (k, k) Threshold Secret Sharing scheme. The total size of k MPLS packets is:

JOURNAL OF NETWORKS, VOL. 2, NO. 4, AUGUST 2007

55

Total k packets size ToriginalTSS(k) = k × Q bytes.

(3)

The TSS scheme generates k shares of size Q byres each. This is because the coefficients a1 and a2 were selected to have random values. Using the modified TSS algorithm, since all coefficients values are considered to be part of the original IP packet (Referring to Fig.4 and Fig.7) it results in having the total packets size of k shares/MPLS packets equal to: Total k packets size TmodifiedTSS(k) = Psize = Q bytes

(4)

Each share/MPLS packet size = (Q / k) bytes.

Figure 7. (a) Original TSS scheme of (3, 3) security level.

Figure 7. (b) Modified TSS scheme of (3, 3) security level.

In MPLS networks, each packet is tagged with MPLS header of 32 bits or 4 bytes long. On the other hand, In IP or ad hoc networks, the IP header is at least 20 bytes long. Accordingly, the overhead of attaching a header to each generated share/MPLS packets will be lower compared to IP or ad hoc networks. Additionally, source routing may be required to provide multiple explicit routes between source and destination for packets in IP networks. This can add more overhead on the network while in MPLS networks this could simply be provided using labels and accordingly reduces the overhead [1]. The number of available disjoints LSPs between an ingress and egress routers depend on the MPLS network topology and the security level required. If the possibility that an attacker is able to attack larger number of LSPs, then the security level of TSS should be increased (by increasing the number of k multiple LSPs) as long as the MPLS network topology allows that. F. RSVP-TE extension to provide multipath routing The current MPLS label distribution protocols (CRLDP [2] and RSVP-TE [15]) are used as signaling © 2007 ACADEMY PUBLISHER

protocols that establish and maintain a single path or LSP between an ingress and egress routers. We focus on RSVP-TE signaling protocol in this paper as it becomes widely used by many service providers. Moreover, An advantage of using RSVP to establish LSP tunnels is that it enables the allocation of resources along the path. The original specification of RSVP-TE [15] does not consider multiple LSP setup for data flow with the same FEC classifications. The following issues should be considered when multiple LSPs setup is used: The EXPLICIT_ROUTE object should be extended to carry multiple paths between the ingress (sender) and egress (receiver) routers, for the data flow carrying the same FEC class. The explicitly routed paths or LSPs can be administratively specified, or automatically computed by a suitable entity based on QoS and policy requirements, taking into consideration the prevailing network state. The LABEL_REQUEST object requests intermediate routers and receiver routers to provide a label binding for the session. The destination router of a label-switched path responds to a LABEL_REQUEST by including a LABEL object in its response RSVP Resv message. The Label_REQUEST object should be extended to provide multiple LSP setup. The receiver router should respond with multiple RSVP Resv messages. The Resv messages are sent back upstream towards the sender, following the multiple path states created by the Path messages, in reverse order Other RSVP-TE objects should also be extended to provide multiple LSP routing including Session, Sender Template, and Filter Spec, Session attribute, HELLO format, HELLO request. The detailed specification of each of these objects is left for future work. IV. SIMULATION RESULTS This part of our simulation is used to measure the time needed by the modified Threshold Sharing scheme (TSS) to be processed at ingress and egress routers. We want to show that applying TSS application does not significantly affect the total time needed to send and receive a packet between two routers (ingress and egress). The simulations were performed on 3 GHz Intel Pentium 4 CPU processor with 1 GB memory running under Linux operating system. In our simulation we used MPZ functions under GNU Multiple Precision (GMP) Arithmetic Library. The simulation results are obtained for the construction process at the ingress router. The average time in (µsec) needed for processing variable IP packet size at ingress or egress routers is shown in Figure 8. The Maximum Transmission Unit (MTU) on a path across an MPLS network is equal to 1500 bytes [16]. We give examples of up to 8 Kbytes IP packets for simulation purpose only, but in reality IP packets entering MPLS network should not exceed MTU size, otherwise it has to be fragmented [17]. Selecting different block sizes for the same packet size affects the average packet processing time. The smaller block size implemented as in Figure 3 and 4, the faster processing

56

JOURNAL OF NETWORKS, VOL. 2, NO. 4, AUGUST 2007

we get and this is an important issue since our goal is to reduce the packet processing time.

sizes as it was indicated in by Figure 8, where in VSR model the whole packet is considered as one block. Our implementation was able to perform the job with much smaller block size to be able to reduce the packet processing time. Our scheme is targeting networking application which is sensitive to the time issue.

Figure 8. Average packet processing time using a modified (3, 3) TSS

We measured the effect of variable (k, k) level on IP packet processing time. The relation is shown in Figure 9 for a packet size equal to 2K bytes and a block size equal to 24 bytes. We conclude from the results that variable (k, k) level has no significant effect on the IP packet processing time. The results obtained are within tens of microseconds. Therefore, comparing to the total packet transmission time which is in order of tens of milliseconds, our method does not impose a significant impact.

Figure 9. The effect of variable (k, n) modified TSS level on packet processing time

We also compared our method with the VSR model [18]. The VSR model is used for survivable storage systems and it uses the threshold sharing scheme in its implementation. The author used MIRACL package for arithmetic integer precision. The scheme targets on distributing data storage in multiple servers to preserve it for long time. The VSR model is designed for data storage and was not intended for networking aspects. We compared the processing time of our modified TSS scheme with VSR model as shown in Figure 10. Our implementation improves processing time significantly because we performed our modified TSS in smaller block

© 2007 ACADEMY PUBLISHER

Figure 10. Comparison between Modified TSS and VSR model for packet size equal to 8K bytes

The simulation results have shown that the time needed to process our technique does not add significant time delay onto the total packet transmission time. The next section presents a performance evaluation study which compares between the use of single and multiple paths in terms of security point of view. A. Performance Evaluation: Single Vs Multiple LSPs We analyze the impact of single and multiple LSPs on MPLS security. First, we analyze the security performance that can be achieved when a virtual connection takes a multiple disjoint LSPs to the destination. The work by Yang et al. [19] provides an analytical framework to study and evaluate the security performance provided by multi-path traffic dispersion techniques. Second, we investigate the performance of our security approach and compare it with the single path approach. We define that “a LSP is attacked” as at least one LSR on that LSP is hijacked. In this paper, the connection intrusion probability is defined as the probability that all of the traffic sent by the ingress router towards the egress router is sniffed. In the single path or LSP, the connection intrusion probability equals to the probability that the single path or LSP taken by a connection is attacked. In the single path or LSP, it is only possible that either all the traffic is attacked or all the traffic is successful to reach the destination without being leaked out or sniffed by intermediate routers. When a connection disperses traffic on multiple LSPs, the connection intrusion probability equals to the probability that all of the LSPs that a connection takes are attacked. In multi-path traffic scheme, there is also a possibility that only part of the traffic is attacked which corresponds to the event that only part of the LSPs that a connection takes are attacked.

JOURNAL OF NETWORKS, VOL. 2, NO. 4, AUGUST 2007

57

Our scheme mandates the LSPs that take part in the multi-path routing should be disjoint, which is defined as there are no common LSRs among the multiple LSPs taken by the connection. For simplicity, but without loss of generality, we further assume that all the LSRs on the same LSP have the same probability of failure while other LSRS in different LSPs might have different probability of failure. To be able to measure the traffic intrusion probability, we have to calculate the whole connection intrusion probability. If there are N disjoint LSPs allocated to a connection, the probability that the whole connection attacked, in other words, each LSR in each of the N LSPs is in attack, P (N) is given by: N

Ρ ( N ) = Π [1 − (1 − p i ) i=1

n

i

]

(5)

Where ni refers to the number of LSRs on LSPi, and pi refers to the probability that a LSR on the LSPi failed. The connection intrusion probability P(N) has the property that it is a monotonic decreasing function of N as can be proved as follows: P ( N ) = P( LSP1attack ^ LSP2 attack … ^ LSPN attack) P ( N ) = P( LSP1attack) × P(LSP2 attack)… × P(LSPN attack) Based on the fact that for any LSP the probability attack is 0≤ P (LSP attack) ≤ 1, then P(N) keeps monotonically decreasing as N increases. Therefore, the following result is obtained: P ( N ) < P (Single LSPattack)

(6)

This indicates that the probability of attack intrusion in a single path connection is higher than having multiple paths connection. Accordingly, in our approach the probability that an attacker can attack multiple LSPs in a connection is lower than if the connection has only one path. In other words, the attacker needs to attack more than one LSP; k LSPs in a (k, k) TSS; to be able to gain access for the whole connection. Therefore the probability of attacking more than one LSP is lower as obtained from equation (6). V. CONCLUSION In this paper, we presented a mechanism to enhance security in MPLS network. We used a modified Threshold Secret Sharing scheme to provide data confidentiality for MPLS network. The modification in the TSS scheme is to make all the coefficients in the polynomial function take part in the message division process. This procedure results in saving bandwidth. As future work, we are targeting to define the parameters required to extend The RSVP-TE to support multi-path routing since the current specification of RSVP-TE does not consider multiple LSP setup for the same data flow carrying the same FEC class.

© 2007 ACADEMY PUBLISHER

Additionally, data integrity or authentication should also be considered. REFERENCES [1] E. Rosen, A. Viswanathan, and R. Callon, “Multi-protocol Label Switching Architecture”, IETF, RFC 3031, 2001. [2] B. Jamoussi, L. Andersson, R. Callon, R. Dantu, N. Feldman, L. Wu, A. Fredette, and B. Thomas, “Constraintbased LSP setup using LDP ”, IETF, RFC 3212, 2002. [3] D. Awduche, “Requirements for Traffic Engineering over MPLS”, RFC 2702. [4] L. Zhou, Z. Haas, “Securing of Ad Hoc Networks”, IEEE Network, Nov/Dec 1999. [5] D. Barlow, V. Vassilio, H. Owen, “A cryptographic protocol to protect MPLS Labels”, Proceeding of IEEE Workshop of Information Assurance, 2003. [6] J. Chung, “Multiple LSP Routing Network Security for MPLS Networking”, IEEE-MWSCAS, 2002. [7] A. Shamir, “How to share a secret”, Communications of ACM, vol. 24, Nov. 1979. [8] B. Schneier, Applied Cryptography, 2nd edition, Chapters 3 and 23, John Wiley & Sons, 1996. [9] G. R. Blakley, “Safeguarding Cryptographic Keys”, Proceedings of the National Computer Conference, 1979, American Federation of Information Processing Societies, vol.48, 1979. [10] C. Asmuth, “A Modular Appraoch to Key Safeg uarding”, IEEE Transactions on Information Theory, vol. IT-29, n.2, Mar. 1983. [11] M. Behringer, M. J. Morrow, “MPLS VPN- Security”, Cisco Press, 2005. [12] D. Sidhu, R. Nair, S. Abdallah, “Finding Disjoint Paths in Networks”, Proceeding ACM-SIGCOMM’91 Symposium, 1991. [13] W. Lou, Y. Fang, “A Multipath Routing Approach for Secure Data Delivery”, IEEE Milcom’01, 2001. [14] T. Saad, B. Alawieh, H. Mouftah, “Tunneling Techniques for End-to-End VPNs: Generic Deployment in an Optical Testbed Environment”, IEEE Communication Magazine, 2006. [15] D. Awduche, L. Berger, D. Gan, T. Li, V. Srinivasan, G. Swallow, “ RSVP-TE: Extensions to RSVP for LSP Tunnels”, IETF, RFC 3209, 2001. [16] M. Lewis, “Troubleshooting Any Transport over MPLS Based VPNs”, Cisco Press article, June 2005. [17] E. Rosen et al, “MPLS Label Stack Encoding”, IETF, RFC 3032, 2001. [18] T. Wong, “Decentralized Recovery for Survivable Storage Systems”, Ph.D Thesis, Carnegie Mellon University, 2004. [19] J. yang, S. Papavassiliou, “Improving network security by multipath traffic dispersion”, IEEE Military Communication Conference MILCOM, Vol. 1, pp. 34-38, 2001.

BIOGRAPHY Sahel Alouneh is PhD candidate in the Department of Electrical and Computer Engineering, Concordia University, Canada. He received his B.E in 1999 and his M.Sc. in 2005 from JUST University, Jordan and Concordia University, Canada respectively, both in Computer Engineering. His research Interests include

58

network and software security, fault tolerance, and multicasting. Abdeslam En-Nouaary received an engineer degree in computer engineering, option data communication and computer networks, from ENSIAS (École Nationale Supérieure d'Informatique et d'Analyse des Systèmes), Rabat, Morocco, in 1996, the M. Sc. and Ph. D. degrees in Computer Science from the University of Montreal in 1998 and 2001 respectively. Abdeslam En-Nouaary is currently an assistant professor at the Electrical and Computer Engineering Department of Concordia University, Montreal, Canada. His research interests include protocol engineering, software engineering, computer security, and real-time systems. Anjali Agarwal received her B.E. degree (with Distinction) in Electronics and Communication Engineering from Delhi College of Engineering, India, in 1983, the M.Sc. degree in Electrical Engineering from University of Calgary, Canada, in 1986, and Ph.D. degree in Electrical and Computer Engineering from Concordia University, Canada, in 1996. Presently, she is an Associate Professor in the Department of Electrical and Computer Engineering at Concordia University, Montreal, Canada. She has an industrial experience as well as an academic experience. Dr. Agarwal’s current research interests are Voice over Data Networks, Real Time Multimedia Communication over Internet, IP telephony, Quality of Service, and communication protocols.

© 2007 ACADEMY PUBLISHER

JOURNAL OF NETWORKS, VOL. 2, NO. 4, AUGUST 2007