Networks, Security and Multimedia Department: 2008 Activity Report


Contents

General presentation
Teaching activities
    Generalist engineering program
    Apprenticeship engineering program
    Specialized master's programs and national master's degree
    Continuing education
Research activities
    Research themes
        Germe project
        Pratic project
        Seres project
    Research within the Networks
    Research outreach and visibility
Annex 1: list of members
    Staff list
    List of PhD students present in 2008
Annex 2: list of publications
    Peer-reviewed journal articles
    Non-peer-reviewed journal articles
    TELECOM Bretagne research report series
    Papers in peer-reviewed conferences
    Books
    Book chapters
    HDRs (habilitation à diriger des recherches) defended in 2008
    Theses defended in 2008
Annex 3: detailed description of the research projects (in English)


General presentation

Created in 1992, the "Networks, Security and Multimedia" department (Réseaux, Sécurité et Multimédia, RSM) is located on the Rennes campus of TELECOM Bretagne and, as of 31 December 2008, comprises 14 faculty members (enseignants-chercheurs), 51 PhD students and 9 expert engineers.

RSM's field of activity covers all aspects of teaching and research in networking, in particular IP (Internet Protocol) technologies, mobile networks and services, and the security of networks and information systems.

The RSM department has local, national and European partnerships with research centers, French manufacturers and telecommunications operators, and European manufacturers. In addition, RSM is associated with the "Networks" research teams of the other schools of the Institut TELECOM through RNRT projects and internal incentive projects.


Teaching activities

The RSM department is responsible for teaching in the "networks" field for the generalist engineering program and the apprenticeship program.

Generalist engineering program

In semester 1 of the generalist engineering program, the "networks" field comprises one UV (unité de valeur, a course unit) of 42 hours of lectures and tutorials, which introduces the fundamental concepts of networking and gives an overview of the different types of telecommunications networks. It is handled entirely by the department.

In semester 2, the "networks" field is structured into a major and a minor, like every field at the school. The minor contains one 84-hour UV entitled "Network principles". The major contains two 84-hour UVs, one covering "Network protocols and architectures" and the other "Network implementation". The RSM department defines the content and provides most of the teaching; the Optics, "Signal and Communication" and Computer Science departments contribute to these two major UVs.

The RSM department is responsible for the third-year "Software Systems and Networks" track on the Rennes campus. This track was created at the start of the 2005 academic year and contains three main paths: "multimedia services and networks", "mobile services and networks", and "security of networks and information systems". The track is organized into five 60-hour UVs, three of which are common to all paths: "Distributed software systems", "Innovative services and networks", and "Network implementation". Two 60-hour UVs are specific to each path: one covers architecture and protocol aspects, the other covers engineering aspects.

Since the 2006-2007 academic year, a particular effort has been made to offer engineering students the option of mixed paths with the "Services and Business Engineering" track: they can build a specific program by combining "networks" UVs and "business" UVs.

Apprenticeship engineering program

The department is heavily involved in the specialized engineering track in computer science, networks and telecommunications. This program is a work-study apprenticeship.

In the first year, the department is responsible for 3 modules of 24 hours each. In the second year, it provides 4 modules totaling nearly one hundred hours. In the third year, it also provides 4 modules common to the two options, "computer science and networks" and "networks and telecommunications", for a total of 70 hours.

So that students can benefit from the networking lab sessions set up by the department, they spend a period in Rennes in their second year. In 2008 this lasted four weeks, in April-May.


Specialized master's programs and national master's degree

Two specialized master's programs (mastères spécialisés) are offered on the Rennes campus by the RSM department: "mobile networks and services" (réseaux et services de mobiles) and "information systems security". The latter is run in partnership with the École supérieure d'électricité (Supélec). The RSM mastère was ranked first in 2008 by SMBG in the "New technologies - Telecoms and networks" category (http://www.smbg.fr/etudiants-recherches-formation/classement.php). The SMBG trophies reward, among more than 400 programs ranked by SMBG, the 100 heads of master's, MS or MBA programs who obtained the best satisfaction ratings from their students, surveyed when the SMBG ranking was compiled. They are thus rewarded for the quality of their teaching and management methods.

The department also coordinates the specialized master's program "Networks and Information Systems for Enterprises", developed jointly with the Instituto Tecnológico Autónomo de México (ITAM).

The department also takes part in the national research master's degree in computer science, for which TELECOM Bretagne is jointly accredited with the University of Rennes 1.

At the start of the 2008 academic year, a new professional master's program aimed at foreign students was opened. It deals with network convergence and is entitled "Design and Engineering of Convergent Networks".

Continuing education

The RSM department contributes to continuing education by defining new programs and training modules in all network-related fields: TCP/IP networks, mobile and wireless systems, information systems security.

2008 was marked by numerous courses given in the mobile field and in network security. Sessions on IP telephony and on IMS (IP Multimedia Subsystem) were created or expanded in 2008.


Research activities

The RSM department (Networks, Security, Multimedia) is organized into 3 structuring research projects, "GERME", "PRATIC" and "SERES", and takes part in the "CAMA" research project (Composants pour Architecture Mobiles Adaptables, components for adaptable mobile architectures) coordinated by the Computer Science department.

Research is carried out through bilateral industrial contracts, projects of the Images et Réseaux and Mer competitiveness clusters, ANR projects, PhD theses funded by the Brittany region and CIFRE theses, as well as European projects and networks of excellence.

LIST OF STRUCTURING PROJECTS

Program 2: Mobile communication networks
GERME: J.M. Bonnin
Resource management and mobility in radio networks

Program 4: Internet and Web
PRATIC: L. Toutain
Network protocols and architectures for innovative communication technologies

SERES: F. Cuppens
Security of networks and distributed applications

Research themes

Germe project

Wireless transmission is becoming widespread in telecommunications, either as an access technique to wired networks or as an interconnection medium for building autonomous networks (ad hoc networks). The two uses can be combined to build hybrid networks. Two crucial questions arise in this context: how should the radio resource (frequency, time, code, power, ...) be managed according to the service requested by the user and the surrounding networks, and what protocol architecture should be defined so that a terminal can use different access networks without interruption when moving from one to another? The work of the GERME project addresses these two questions. Other research directions considered by the project follow from this: how to make the different access networks cooperate, and how to optimize the protocol layers jointly rather than each independently (cross-layer optimization)?

Many projects in recent years have dealt with mobility management protocols at the link level (very technology-oriented) or at the network level (more focused on heterogeneous environments). Since the end of 2007 we have favored applications in the field of intelligent transport, which raise specific problems that must be solved in order to use the same technological foundations as in the Internet environment.

Significant work was carried out this year to complete the deployment of the European ANEMONE platform and make it operational. Building on the work done within Labo4G (funded by local authorities), the ANEMONE experimental network and its associated services were set up in the core network. An external communication effort (ANEMONE day in Rennes, the Rennes Atalante 4G morning session, radio interviews) together with several publications and demonstrations showed the value of this tool and made it known.

The collaborative project REMORA (ANR/RNRT) on mobile networks was completed. It led to the development of a communication management architecture for mobile networks. The architecture allows on-board applications to interact with middleware that manages both the communication interfaces and the resources. The middleware also takes into account the operational constraints defined by operators and gives applications enough information to adapt their behavior to network conditions.

The industrial WiFi - WiMAX project on fast handover in a secured heterogeneous environment (CRE, an industrial contract with France Télécom R&D Rennes) was completed. Within it, we developed a model of the network entry protocol exchanges for the WiFi and WiMAX layers (signaling included) in our in-house simulator, SimulX.

The WiNEM project (ANR/RNRT), shared with the PRATIC project, allows us to continue developing this simulation tool in order to make it available to the community.

The LoCoSS project (PRIR, Brittany region), for which we are responsible, has already led to several joint publications on the transparent and opportunistic use of public networks to offer emergency services advanced services (video, 3D maps, ...). It is entering the phase of integrating the contributions of the various partners (indoor positioning, geolocated databases, communications), and demonstrations will be conducted next year.

We are involved in several other projects of the Mer cluster (IP Extreme) and the Images & réseaux cluster (Locomotive, NextTV4All), as well as in supervising theses funded by the Brittany region (MoShi, Op WiMax).

Building on this momentum, we continued to develop our activity around intelligent transport, serving on several program committees and on the scientific council of GIS ITS Bretagne. We also take part in an Embedded Systems committee of the Automobile Haut de Gamme cluster.


Our involvement in standardization bodies remained at a high level: we take part in working group 16 of ISO technical committee 204, which is developing a communication architecture to bring Internet connectivity inside vehicles. Although time-consuming, this involvement allows us to build important contacts in the intelligent transport community, and more particularly in the intelligent vehicle community. The latter currently includes few specialists in the network and transport layers, and there is strong demand for expertise in this area in European ITS projects.

We also continue to be involved at the IETF in the groups dealing with mobility management and multihoming. There we also advocate header compression solutions that limit the protocol overhead of using IP over radio links.

Team members are regularly asked by industrial companies to carry out one-off expert assessments.

Four theses were defended this year, several of them in collaboration with industrial partners.

Mohamed Kassab's thesis was carried out under joint supervision with ENSI (Tunis). His work formed an important part of the industrial WiFi-WiMAX project. It dealt with link-level handover management in heterogeneous environments. Tools for optimizing context re-establishment were analyzed for different network architectures. An application to secure WiFi handover and to quality-of-service management in a heterogeneous environment (WiFi - WiMAX in our example) was proposed.

Issam Mabrouki's thesis was carried out under a CIFRE contract with Mitsubishi Electric and was defended in December 2008. The work dealt with fully random routing in data-collection sensor networks. The analysis used random walk theory and yielded expressions for the mean collection delays and the energy consumed. The performance of such routing is naturally well below that of more sophisticated routing schemes, but remains acceptable for many applications and has the advantage of spreading consumption evenly across the network nodes.

Anis Zouari's thesis was carried out under a CIFRE contract with Orange Labs (Rennes). It was defended in January 2009. The work dealt with integrating quality-of-service management into the handover decision management architecture developed separately within Orange Labs. The benefit of this coupling is that the handover decision is made conditional on the resource actually being available. Simulations showed low signaling overhead and a reduced handover failure rate.

Fabien Allard's thesis was carried out under a CIFRE contract with Orange Labs (Issy). It was defended in January 2009. The aim was to propose a network-level (IP) handover solution in a PANA-type secured environment; in this environment, security is provided at the IP level using IPsec, unlike the context of Mohamed Kassab's thesis, where security is provided at the link level. A solution based on context transfer was proposed and compared with solutions using pre-authentication. The comparison shows that the former is more efficient in terms of signaling, delay and involvement of the mobile terminal. It is, however, harder to apply to inter-domain handover.

A significant effort was made this year by project members to publish in journals and at major conferences. In addition to the important articles published in 2008 in journals (1) and at major conferences (1 GlobeCom, 2 WCNC, 1 CCNC, 4 VTC), two journal articles have already been accepted for publication in 2009 and three book chapters will appear in 2009.

Pratic project

The PRATIC structuring project deals with IP issues. Its early work contributed to the standardization of the IPv6 protocol at the IETF. For several years, while continuing to work on IPv6 deployment, we have been refocusing on home networks in the broad sense: this involves not only the network inside the home (studying in particular routing, quality of service and billing) but also the access and core network, in order to define authentication mechanisms and architectures that scale.

For the first axis, we want to increase the reach of the network by moving toward sensor networks. These networks, forerunners of communicating objects, have been little studied from the IP point of view. The IETF is currently studying the adaptation of data to media with strong energy constraints and limited data rates; these issues are handled by the 6LoWPAN working group. Routing aspects are discussed in the ROLL group. We propose a solution that makes it possible to do without IPv6 on the radio link while remaining compatible with current applications. We are also working on routing in the home network through the supervision of two theses. The first, backed by an industrial contract with France Telecom, concerns the use of MPLS to extend into the home network the data circuits coming from the operator (VoD, ...) and to study the conditions for fast rerouting when links degrade. The second thesis, under a CIFRE agreement with France Télécom, largely adopts the same assumptions but assumes multi-technology ad hoc networks. In collaboration with the SERES structuring project, we are also working on architectures for securing home networks, in particular to partition distributed applications and prevent a flaw from propagating to all services. This work is echoed in the ANR project AFANA, in which we study the network paradigms that can be implemented in networks on chip (NoCs). NoCs must satisfy constraints close to those of sensor networks as regards routing, in particular to account for energy constraints or quality of service, while imposing strong limitations on the topology or composition of the network. We study rerouting mechanisms in NoCs to handle failures but also the complete reconfiguration of the NoC.

For the second axis, which concerns interactions with the operator network or networks, two aspects are considered; the first concerns the IMS architecture (more generally TiSPAN). In the Systermin@l project, we defined the interactions that make it possible to set up services inside the user's network and to access them remotely, while guaranteeing that data is personalized according to the user accessing it. We are also working on QoS management in this type of architecture and on multihoming aspects. This thinking is extended to the core network and the access network within the NextTV4all project, which considers routing issues involving quality of service in a multi-IMS-core, multi-terminal and multi-operator context.

This work feeds into longer-term thinking on the definition of the Future Internet, where we take an approach of continuity with what exists in order to evolve the Internet architecture and adapt it to application needs. The work on multihoming can be extended to choose the appropriate architecture. Sensor networks make it possible to explore new assumptions for Internet networks (intermittent network connections, mobility, ...). The IMS architecture offers a complex form of identity management, whereas this function is traditionally carried by the address.

The international collaborations begun in previous years continued in Asia through the Tiny6 project with India, Korea and China under the STIC-Asie program (Sciences et Technologies de l'Information et de la Communication), supported by the Ministry of Foreign Affairs, and the ARAMI6 project under the Franco-Taiwanese Hubert Curien Partnership "Orchid".

The Tiny6 project made it possible to define clearly the topic of IPv6 and sensor networks. A one-day tutorial on this topic was designed. It was presented for the first time at the NCC2009 conference in Guwahati (India). We also published a draft at the IETF on removing the Neighbor Discovery mechanism in sensor networks.

The ARAMI6 project was submitted to EGIDE in collaboration with National Ilan University (NIU) in Taiwan. Although it has not been officially accepted, the feedback we have received is positive and we have started working on the topic. The goal is to study service creation on an IMS architecture by taking advantage of IPv6 features such as multihoming management. We are also looking at quality-of-service aspects. Our goal is also to make use, in this architecture, of our work on IPv6 integration by studying the possibility of using the Softwires mechanism (defined in previous years), which will soon be published as an RFC at the IETF.

The NextTV4All, Systermin@l and ARAMI6 projects give us expertise in the layers of IMS (IP Multimedia Subsystem) and, more broadly, TiSPAN (Telecommunications and Internet converged Services and Protocols for Advanced Networking) that relate to PRATIC's objectives, namely the NASS (Network Attachment Subsystem), on which we are working to integrate transition mechanisms, and the RACS (Resource Admission Control Subsystem) for quality-of-service management within the operator's network and between operators. Through the Systermin@l project, we are also looking at how to integrate non-IMS equipment into the architecture. This work requires thorough knowledge of the architecture. We work in collaboration with the SERVAL structuring project on service aspects. We also serve as experts on IMS aspects in the Im@gin'lab project.

We continue to develop mathematical studies of network performance, taking into account in particular non-cooperation between users. An ANR project on competition between network access providers (possibly using different technologies) has just been launched. This topic is also the subject of active collaboration at European level through the EuroNF network of excellence.


Par ailleurs, nous continuons à étudier les problématiques associées à la couch<strong>et</strong>ransport <strong>et</strong> au contrôle de congestion dans les réseaux IP. D’une part, nous nous focalisonssur les performances des protocoles TCP <strong>et</strong> SCTP <strong>et</strong> ses possibles améliorations dans descontextes spécifiques (WiMAX, très hauts débits…). Un draft sur c<strong>et</strong>te thématique est encours de discussion à l’IETF . D’autre part, dans le cadre d’une thèse nous commençons àaborder le problème de la congestion dans le contexte DTN.Proj<strong>et</strong> SeresDans le contexte des grandes infrastructures de traitement de l'information, il estnécessaire de disposer de mécanismes de sécurité performants pour garantir la confidentialité<strong>et</strong> l’intégrité des données tout en assurant les engagements en terme de qualité de service <strong>et</strong> dedisponibilité. Le proj<strong>et</strong> SERES s’intéresse aux mécanismes visant à assurer la protectioncontre des malveillances internes ou externes ainsi qu’aux techniques perm<strong>et</strong>tant de détecterces malveillances. Les thèmes étudiées concernent plus particulièrement les points suivants :(1) Expression de besoins, politiques <strong>et</strong> propriétés de sécurité, (2) Protection des réseaux <strong>et</strong>des applications réparties, (3) Analyse de vulnérabilités <strong>et</strong> détection d'intrusion. 
Les activitésmenées dans le cadre de ce proj<strong>et</strong> seront de types : (1) Modélisation <strong>et</strong> formalisation desconcepts, (2) Conception, développement <strong>et</strong> validation d'architectures <strong>et</strong> de logiciels sûrs <strong>et</strong>d'outils pour administrer la sécurité, (3) Expérimentation <strong>et</strong> évaluation de ces architectures,logiciels <strong>et</strong> outils.Expression de politiques de sécuritéLes travaux visant à étendre l’expressivité du modèle OrBAC <strong>et</strong> les fonctionnalités duprototype MotOrBAC se poursuivent dans le cadre des proj<strong>et</strong>s ANR Polux <strong>et</strong> Fluor. Il s’agitnotamment d’intégrer des exigences de contrôle d’accès <strong>et</strong> de contrôle de flux dans le modèleOrBAC en utilisant des contextes particuliers perm<strong>et</strong>tant de contrôler les transferts dedomaines. Nous avons également défini un modèle général de délégation <strong>et</strong> de révocation dedroits <strong>et</strong> montrer que ce modèle est plus expressif que les autres modèles existants (thèse enco-tutelle avec SupCom Tunis). Enfin, nous avons formalisé un modèle riche d’expressiond’obligations, perm<strong>et</strong>tant notamment de spécifier des obligations avec délais, des obligationscontinues <strong>et</strong> des obligations de groupes. Ce formalisme perm<strong>et</strong> d’étendre le modèle OrBACpour exprimer des politiques de sécurité intégrant des exigences de contrôle d’usage (contrôleavant, pendant ou après l’utilisation de ressource).Méthodologie de déploiement de politiques de sécurité.Le prototype MotOrBAC repose sur une architecture modulaire qui perm<strong>et</strong> d’intégrersimplement de nouvelles fonctionnalités pour déployer une politique de sécurité sous formede plugins. 
We have notably formalized the deployment of security policies that depend on contextual conditions (which may depend, for example, on temporal or spatial conditions or on the occurrence of an intrusion). In this case, MotOrBAC can be used to manage the contextual conditions and dynamically redeploy the policy when the context changes. We have developed another plugin that translates OrBAC requirements into XACML, the rights expression language standardized by OASIS. This work is being integrated into the XENA security policy negotiation architecture developed within the RNRT project Politess. We are currently studying the deployment of flow control requirements on domain-based compartmentalization mechanisms such as those currently implemented in certain secured versions of Linux, in particular Security Enhanced Linux.

Implementing security
The work carried out in a thesis funded by the "Réseaux autonomes et spontanés" initiative programme supported by Institut TELECOM concerns interoperability between organizations that have different security policies. The results concern the secure management of interoperability based on the definition of contracts. This notion of contract, combined with an ontological mapping, makes it possible to derive the interoperability policy between organizations and has been integrated into O2O (Organization to Organization), an extension of the OrBAC model. In addition, we are working on securing applications using the aspect weaving techniques of the AOP (Aspect Oriented Programming) approach. This approach is operational: each of the aspects woven into an application corresponds to a call to the MotOrBAC API so as to perform the necessary security checks.

Secure content distribution
Within the P2Pim@ges project supported by the "Images et Réseaux" competitiveness cluster, we are studying how to meet security requirements in peer-to-peer (P2P) systems. Control of content distribution relies on DRM (Digital Right Management) techniques through the implementation of the OPA (Onion Policy Administration) and FORM (Federated Right Expression Model) models.
This approach is integrated into the Protekto platform, which combines identity management functions based on Single Sign On authentication mechanisms with management of authorizations for access to content and for distribution of that content.

Network security
As part of the work on developing services through the Parlay/Parlay X gateway, the location service is one of the flagship new value-added services for operators. Privacy handling is a central requirement for this service. An improved handling of pseudonyms has been proposed and integrated into a privacy management architecture for composite services. Regarding security in home networks, the work based on the use of IPv6 for service confinement led to the drafting of a patent that has been submitted to INPI. This work is conducted in collaboration with the Pratic structuring project within a thesis funded by the Brittany region. In addition, we have proposed new reputation evaluation mechanisms for group management in ad hoc networks and shown their effectiveness compared with existing mechanisms.

Intrusion detection and reaction techniques
This work, carried out within the European project CELTIC/RED, concerns the design of a supervision platform able to build a diagnosis of a detected intrusion that is precise enough to then trigger a reaction suited to that intrusion.
The supervision platform is based on three levels of reaction: (1) the lower level, which relies on a low-level diagnosis and triggers reactions in the form of "reflex" actions, (2) the intermediate level, based on a diagnosis that uses the fusion and correlation techniques developed in CRIM (Corrélation et reconnaissance d'intentions malveillantes) and triggers reactions intended to block the intrusion, and (3) the upper level, which corresponds to redeploying the security policy: automatic activation of the OrBAC security rules needed to counter the intrusion, and reconfiguration of the security components to take these security rules into account. Within a CIFRE grant conducted in collaboration with Alcatel-Lucent, we have defined a model for measuring the impact of an intrusion as well as the consequences of a reaction. Within another CIFRE grant in collaboration with Orange Labs, current work concerns the management of dependencies between services. These different lines of work share a common objective, namely selecting the most suitable reaction to an intrusion.

Design and testing of security policies
This work, funded through the SETEQUI regional thesis, mainly aims to develop automatic techniques for testing the implementation of security mechanisms. It has made it possible to define the difference between functional testing and security testing and to study several criteria for generating tests from an access control model. These criteria were compared on experimental case studies, with test effectiveness measured using an adaptation of the mutation approach (injection of faults into a program).
To be independent of the access control language used (BAC, DAC, RBAC, OrBac), a model-driven engineering technique is used to express the semantics of security errors at a higher level (using a meta-model extended with an operational semantics).
Since the approach is meant to be preventive (design for security), solutions are proposed to automatically insert security mechanisms into the code (Aspect-Oriented Programming techniques), to semi-automatically transform existing functional tests into security tests (modification of the oracle function), or to locate existing mechanisms hard-coded in the application when the security policy evolves.

Research within the Networks
Much of the department's research is carried out in collaboration with other TELECOM Bretagne departments (ELEC, INFO, ITI, LUSSI, MO and SC). These collaborations foster innovation thanks to the partners' complementary expertise and make it possible to set up projects spanning several disciplines.
For example, this has taken the form, since 2007, of participation with the ELEC department in the ANR project AFANA on networks on chip within the "Architecture du futur" programme on networks; participation in the Mobim@ges (with the LUSSI department) and P2PImages (with the INFO and LUSSI departments) projects of the Images & Réseaux competitiveness cluster, which has a worldwide scope; and, finally, participation in the IP-Extreme project of the Mer cluster (with the MO and ELEC departments).
The department is involved in the European network of excellence Euro-FG (Design and Engineering of the Next Generation Internet).
The RSM department takes part in various scientific interest groups (GIS), in particular:
- the GIS ITS (Intelligent Transport System)
- the GIS Diwall on information system security, with Supélec, IRISA and the University of Rennes 1, launched in 2006.
Finally, the RSM department takes part in the advanced research cluster PRACOM (www.pracom.org) with the Electronics, Microwaves, and Signal and Communication departments.

Research promotion and outreach

Publications
The department's output in terms of publications, patents and theses for 2008 is shown in the table below (see the annex for the complete list).

Publications | Year 2008
Journals | 4
Conferences with proceedings | 42
Theses | 4
Internal report | 1
Total | 68

Distinctions
The paper "Towards Fast Detecting Intrusions: Using Key Attributes of Network Traffic", written by Wei Wang, Sylvain Gombault and Thomas Guyet (IRISA), was selected among the best papers of the 3rd ICIMP conference (International Conference on Internet Monitoring and Protection), held in Bucharest from 29 June to 5 July 2008. Fewer than 5% of the publications at this conference receive this distinction.
Étienne Gallet de Santerre, PhD student, and Laurent Toutain, faculty member, received the best paper award of the 6th Manifestation des jeunes chercheurs en sciences et technologies de l'information et de la communication (MajecSTIC 2008).
Their paper is entitled "Source Address Routing eXtension (SAR-X)".
The paper "Loss Synchronization and Router Buffer Sizing with High-Speed Versions of TCP", written by Sofiane Hassayoun and David Ros, received the Best Paper award of the High-Speed Networks 2008 workshop. This workshop took place on 13 April 2008 in Phoenix (Arizona, United States), as part of the prestigious IEEE INFOCOM 2008 conference. IEEE INFOCOM is recognized as one of the best scientific events in the networking field.
Yves Le Traon, with E. Almeida, G. Sunye and P. Valduriez, received the Best Paper award for the paper entitled "A Framework for Testing Peer-to-Peer Systems" at the 19th IEEE symposium on software reliability (International Symposium on Software Reliability Engineering, ISSRE 2008), held in November 2008 in Seattle, USA.


Xavier Lagrange was elevated to the grade of IEEE "Senior Member". Senior members represent 8.1% of IEEE members.

Outreach
The platform developed within the European project ANEMONE was presented on Wednesday 12 December 2007 on the Rennes campus to nearly 100 people. This platform provides Mobile IPv6 access on a European scale (http://www.ist-anemone.eu).
The RSM department was heavily involved in the Matinale Rennes Atalante of Thursday 31 January 2008 on "4G networks: a major technological evolution for mobile communications". This morning event took place on the Rennes campus of TELECOM Bretagne and brought together more than 170 participants, a great success for this meeting between industry and academia. In addition to faculty members of the department, the event included presentations by engineers and researchers from Orange Labs (France Télécom R&D), Thomson R&D and the University of Rennes 1.
The RSM department, with three other partners (American, Canadian and French), initiated ICST (International Conference on Software Testing, verification and validation), an IEEE conference dedicated specifically to software testing, verification and validation. It was held from 9 to 11 April 2008 in Lillehammer, Norway. This was a very first edition for the IEEE. The conference is open to many application domains, whether security testing, Web applications, telecom systems or model engineering approaches. ICST also aims to be a place for interaction between academia and industry.
The conference received 214 paper submissions representing 45 nationalities, of which 20% were selected, and brought together more than 220 participants. For more information: www.cs.colostate.edu/icst2008. The conference was also the occasion to launch a new workshop on security testing (1st IEEE International Workshop on Security Testing Collocated with ICST).
The monthly magazine Amplitel, published by Meito (Mission pour l'Electronique, l'Informatique, et les Télécommunications de l'Ouest), includes a section entitled "laboratory of the month". In the March 2008 issue, the RSM department was featured and was able to present its activities (http://www.meito.com/fr/NPR0000/NP0075/Art0001).
The first workshop on architectures and patterns (Workshop "Patterns & Architectures") took place on the Rennes campus on 15 May 2008 and was co-organized by the RSM department and IRISA.
The first "IPv6 camp" organized by the G6 association took place from 30 June to 4 July 2008 on the premises of the Rennes campus, with strong participation from RSM. It included tutorials on IPv6 technology and presentations of European projects in the field, and brought together more than 50 people of various nationalities.
The RSM department also took part in organizing the Eunice 2008 summer school entitled "Which network for which services ?". The EUNICE network (http://www.eunice-forum.org) was created in 1997 on the initiative of universities, institutes and schools (including TELECOM Bretagne).
The 2008 edition of the summer school took place on the premises of TELECOM Bretagne in Brest and was attended by 65 participants from various European countries (University of Barcelona, University of Stuttgart, University of Twente in the Netherlands, University of Trondheim in Norway, for example), with an audience made up of faculty members as well as students who were pursuing a doctorate or had just completed their master's degree. Attendees were thus able to get an overview of ongoing research on the theme of new services and new networks. The conference website gives the detailed programme and the various papers presented there: http://conferences.telecom-bretagne.eu/eunice2008/program/.
The department organized the 1st SETOP Workshop (on the security of autonomous and spontaneous networks), organized and sponsored by Institut TELECOM. This workshop was held from 13 to 17 October 2008 jointly with the SAR-SSI conference (3ème Conférence sur la Sécurité des Architectures Réseaux et des Systèmes d'Information). The latter was co-organized by the department with Supelec Rennes. The programme of the two events is available at http://setop2008.no-ip.fr and at http://sarssi2008.no-ip.fr.
Members of the department chaired the programme committees of the SARSSI conference and of the SETOP workshop.

Participation in technical committees
Through its members, the RSM department is present on various technical committees:
- Jean-Marie Bonnin is a member of the technical committees of ITST 2008 (Thailand) (http://itst2008.nectec.or.th/), of CARI 2008 (Rabat, Morocco) (http://www.cari-info.org/), of WITS 2008 and of QSHINE-FTDA-ND 2008.
- Nora Cuppens-Boulahia is chair of the programme committee of the SARSSI conference, co-chair of the programme committee of the SETOP conference, French representative on IFIP TC11 "Information Security", and was appointed co-head of the "Sécurité des Systèmes d'Informations" section of the SEE.
- Frédéric Cuppens is chair of the programme committee of the SETOP conference.
- Frédéric Cuppens and Nora Cuppens-Boulahia are co-directors of the "Information et Communication" collection at Editions Publibook Université.
- Xavier Lagrange is a member of the scientific board of Annales des Télécoms and was co-chair of the programme committee of Eunice 2008.
- Yves Le Traon is involved in ICST 2008 (steering committee, organizing committee (publicity chair) and programme committee), in ISSRE 2008 (programme committee), in the Security Testing (SECTEST 08) and Security Modeling (Modsec 08) workshops, and in the Workshop on Empirical Studies of Model-Driven Engineering (ESMDE 08).
- David Ros was a member of the programme committee of Eunice 2008.
- Laurent Toutain was appointed chair of the scientific board of AFNIC (Association Française pour le Nommage Internet en Coopération). He is also chair of the board of directors of G6, an association for the promotion of IPv6 among French-speaking bodies.


Annex 1: list of members

Staff list

First name, Last name | Position
Jean-Marie BONNIN | MC (HDR)
Ahmed BOUABDALLAH | MC
Yacine BOUZIDA | IRC
Laurent CRAIGNOU | IRC
Frédéric CUPPENS | Pr (HDR)
Nora CUPPENS | IRC (HDR)
Sylvain GOMBAULT | IE
Xavier LAGRANGE | Pr (HDR)
Jean-Pierre LENARZUL | MC
Benoît LE TEXIER | IRC
Yves LE TRAON | Pr (HDR)
Thomas LEFORT | IRC
Patrick MAILLE | MC
Loutfi NUAYMI | MC
Mathieu PERESSE | IRC
Tanguy ROPITAULT | IRC
David ROS SANCHEZ | MC
Bruno STEVANT | IRC
Géraldine TEXIER | MC
Laurent TOUTAIN | MC
François WANG | IRC
Wei WANG | IRC
Marie-Pierre YVENAT | AG

- MC: Maître de Conférences (associate professor); Pr: Professeur (professor); HDR: Habilitation à diriger des recherches (accreditation to supervise research)
- IE: Ingénieur d'Etudes (design engineer); IRC: Ingénieur de Recherche sur Contrat (contract research engineer)
- AG: Assistante de Gestion (administrative assistant)


List of PhD students present in 2008

Last name and first name | Thesis subject | Associated company
ABI HAIDAR Dialla | Detailed study of web services security within a security policy unifying mechanisms for protection against attacks and for detection of malicious actions |
AJAM Nabil | Secure creation of OSA/Parlay and ParlayX services |
AYED Samiha | Decomposition and refinement of security policies |
ALLARD Fabien | "Context transfer", a tool for reducing the cost of security | FT R&D
ARCIA-MORET Andres | Transport protocols in heterogeneous and ad hoc wireless networks: evaluation, improvement and implementation |
AWANG Azlan | Fair distribution of energy consumption in wireless sensor networks |
AYADI Ahmed | Transport protocols and energy consumption in sensor networks and delay-tolerant networks |
BALEH Lounes | Network as a service: What can be offered by the access network part? | FT R&D
BELGHITH Aymen | Optimization of WIMAX for multimedia services |
BEN GHORBEL Meriem | Administration of a security policy |
BEN RAYANA Rayene | Support for concurrent adaptive applications in multi-interface mobile networks |
BERTIN Philippe | Mobility management in a multi-technology access architecture | FT R&D
BERTRAND Gilles | Reliability in networks and quality of service |
BROTTIER Erwan | Making quality of service requirements reliable: translation to UML, validation by simulation and generation of system tests |
 | | FT R&D
BSILA Amine | Intra-flow load sharing in multi-link networks | Thomson
CAPURON Jean-françois | Automatic test generation for the verification of security properties |
COMA Céline | Consistency and interoperability of security policies for spontaneous networks |
DELAMARE Romain | Testing functional and extra-functional aspects in component-based architectures |
DEMONGEOT Thomas | Security tests for SOAs |
DHRAIEF Amine | Benefit of IPv6 multihoming for mobility |
EL HENI Neila | Transmission of real-time services over the Internet on wireless networks |
EL RAKAIBY Yehia | Security of conversational services in the NGN |
FERU Vincent | Identification, formalization and integration of urbanization patterns for telecom architectures: application to the QoS and security of telecommunication networks |
HACHANA Safaà | Auto-configuration and routing in nested ad hoc networks |
 | | CELAR IETA FT R&D


HASSAYOUN Sofien | Network coding, error correction and transport protocols |
IBRAHIM Ali | Performance and quality of service of future high-capacity wireless networks |
KACI Nassim | Optimization of the distribution of mobile user flows in heterogeneous networks |
 | | FT R&D
KANOUN Wael | Assurance- and risk-aware reaction model using anti-correlation | Alcatel
KHEIR Nizar | Deployment of security policies and countermeasures: segmentation and verification of security policies |
KANDARAJ Priamrat | Management of mobile access networks according to (perceived) quality of service |
KASSAB Mohamed | QoS management in secure inter- and intra-technology handovers based on context transfer |
 | | FT R&D
MABROUKI Issam | Multiple access and services in ad hoc UWB networks | Mitsubishi Electric ITE
MEFTAH Mortharia | Quality of service and routing in heterogeneous, high speed home networks |
MIGAULT Daniel | Locator/ID separation using cryptographic identifiers in a mobile and multihomed environment | FT R&D
MOTTU Jean-Marie | Validation in a model-driven engineering (MDE) development setting |
MOUELHI Tejeddine | Testing and security: formalization of security fault models, characterization of test criteria and penetration test generation algorithms |
PERROS Kevin | Study of routing and reconfiguration mechanisms in networks on chip |
PICHON Dominique | Mobility between access networks with content adaptation and service continuity |
PREDA Stere | Securing IPv6 networks |
RAWAT Priyanka | Study of the interactions between compression technologies and mobility management |
 | | FT R&D
ROUIL Richard | Node mobility in networks of heterogeneous technologies | NIST (US)
SAHALY Sinda | MAC layer optimization for multi-technology hybridization | FT R&D
SIMONIN Jacques | MDE and system urbanization | FT R&D
THOMAS Julien | New solutions for managing exchanges of classified content | DGA
ZOUARI Anis | Control of mobility and of QoS context mapping between heterogeneous networks in all-IP "beyond 3G" networks |
 | | FT R&D


Annex 2: list of publications

Peer-reviewed journal articles
ALLARD Fabien, BONNIN Jean-Marie, An application of the context transfer protocol: IPsec in a IPv6 mobility environment. International journal of communication networks and distributed systems, 2008, vol. 1, n° 1, pp. 110-126
AYED Samiha, CUPPENS Nora, CUPPENS Frédéric, Deploying Access and Flow Control in Distributed Workflows. Journal of Research and Practice in Information Technology, November 2008, vol. 40, n° 4, pp. 231-253
CUPPENS Frédéric, CUPPENS Nora, Modeling contextual security policies. International Journal of Information Security (IJIS), August 2008, vol. 7, n° 4, pp. 285-305
GARCIA ALFARO Joaquin, CUPPENS Nora, CUPPENS Frédéric, Complete analysis of configuration rules to guarantee reliable network security policies. International Journal of Information Security (IJIS), 2008, vol. 7, n° 2, pp. 103-122
MAILLÉ Patrick, TOKA Laszlo, Managing a peer-to-peer data storage system in a selfish society. IEEE journal on selected areas in communications, September 2008, vol. 26, n° 7, pp. 1295-1301
THOMAS Julien, CUPPENS Frédéric, CUPPENS Nora, S-TGDH, protocole sécurisé pour la gestion de groupes dans les réseaux ad hoc. REE, revue de l'électronique et de l'électricité, October 2008, n° 9, pp. 81-87

Non-peer-reviewed journal articles
BONNIN Jean-Marie, Vers des véhicules Internet. La Lettre Techniques de l'Ingénieur Réseaux sans fil, January 2008, n° 11, pp. 4-5
BONNIN Jean-Marie, Vers des véhicules Internet : l'architecture CALM. La lettre Techniques de l'Ingénieur Réseaux sans fil, May 2008, pp. 1-3
MONTAVONT Nicolas, IEEE 802.21 : plate-forme de services pour la mobilité. Techniques de l'Ingénieur, Réseaux sans fil, November 2008, n° 16, pp. 4-6

TELECOM Bretagne research report collection
HASSAYOUN Sofiane, ROS SANCHEZ David, Loss Synchronization, Router Buffer Sizing and High-Speed Versions of TCP. Brest: Institut TELECOM/TELECOM Bretagne, 2008, 20 p. (Collection des rapports de recherche de TELECOM Bretagne, RR-2008001-RSM, ISSN 1255-2275)

Papers in peer-reviewed conferences
AJAM Nabil, Privacy Based Access to Parlay X Location Services. International Conference on Networking and Services, 16-21 March, Guadeloupe, France, 2008, pp. 204-210
AJAM Nabil, BOUABDALLAH Ahmed, Privacy Improvement through Pseudonymity in Parlay X for Location Based Services. ICN 2008: Seventh International Conference on Networking, 13-18 April, Cancun, Mexico, 2008
AJAM Nabil, BOUABDALLAH Ahmed, Managing Privacy in Operator Networks for NGN Services. ICIN 2008, 20-23 October, Bordeaux, France, 2008
ALLARD Fabien, BONNIN Jean-Marie, COMBES Jean-Michel, BOURNELLE Julien, IKE Context Transfer in an IPv6 Mobility Environment. MobiArch'08, 22 August, Seattle (WA), USA, 2008
AUTREL Fabien, CUPPENS Frédéric, CUPPENS Nora, COMA-BREBEL Céline, MotOrBAC 2: a security policy tool. SARSSI'08: 3ème conférence sur la Sécurité des Architectures Réseaux et des Systèmes d'Information, 13-17 October, Loctudy, France, 2008


AYED Samiha, CUPPENS Nora, CUPPENS Frédéric, Managing access and flow control requirements in distributed workflows. AICCSA-08: 6th ACS/IEEE International Conference on Computer Systems and Applications (AICCSA-08), March 31 - April 4, Doha, Qatar, 2008, pp. 702-710
AYED Samiha, CUPPENS Nora, CUPPENS Frédéric, Deploying Access Control in Distributed Workflow. AISC 2008: Australasian Information Security Conference, January 22-25, Wollongong, Australia, 2008
BELGHITH Aymen, NUAYMI Loutfi, Design and implementation of a QoS-included WiMAX module for NS-2 simulator. SIMUTools 2008, March 3-7, Marseille, France, 2008
BELGHITH Aymen, NUAYMI Loutfi, WiMAX capacity estimations and simulation results. VTC 2008-Spring: IEEE 67th Vehicular Technology Conference, 11-14 May, Marina Bay, Singapore, 2008
BELGHITH Aymen, NUAYMI Loutfi, Comparison of WiMAX scheduling algorithms and proposals for the rtPS QoS class. EW 2008: European Wireless, 22-25 June, Prague, Czech Republic, 2008
BELGHITH Aymen, NUAYMI Loutfi, MAILLÉ Patrick, Pricing of real-time applications in WiMAX systems. VTC 2008: IEEE 68th Vehicular Technology Conference, 21-24 September, Calgary, Alberta, Canada, 2008
BELGHITH Aymen, NUAYMI Loutfi, MAILLÉ Patrick, Pricing of differentiated-QoS services WiMAX networks. Globecom'08: IEEE Global Communication Conference, 30 November - 4 December, New Orleans, LA, USA, 2008
BEN GHORBEL Meriam, CUPPENS Frédéric, CUPPENS Nora, BOUHOULA Adel, Revocation Schemes for Delegation Licences. ICICS'08: 10th International Conference on Information and Communications Security, 20-22 October, Birmingham, UK, Springer, 2008, pp. 190-205
BEN GHORBEL Meriam, CUPPENS Frédéric, CUPPENS Nora, BOUHOULA Adel, Managing revocation in role based access control models. SAR SSI: 3rd conference on security in network architecture and information systems, October 13-17, Loctudy, France, Publibook, 2008
BEN NACEF Ahmed, MONTAVONT Nicolas, A generic end-host mechanism for path selection and flow distribution. PIMRC 2008: 19th international symposium on Personal, Indoor and mobile radio communications, 15-18 September, Cannes, France, 2008, pp. 1-5
BERTIN Philippe, BONJOUR Servane, BONNIN Jean-Marie, A distributed dynamic mobility management scheme designed for flat IP architectures. NTMS'08: second international conference on new technologies, mobility and security, November 5-7, Tangier, Morocco, 2008
BERTRAND Gilles, TEXIER Géraldine, Intégration du routage PCE aux réseaux de prochaine génération avec IMS. JDIR'08: 9èmes Journées Doctorales en Informatique et Réseaux, 17-18 January, Villeneuve d'Ascq, France, 2008
BERTRAND Gilles, TEXIER Géraldine, Ad-hoc Recursive PCE Based Inter-domain Path Computation (ARPC) Methods. HET-NETs: Fifth International Working Conference on Performance Modelling and Evaluation of Heterogeneous Networks, February 18-20, Karlskrona, Sweden, 2008
BONNIN Jean-Marie, BEN HAMOUDA Zied, LASSOUED Imed, BELGHITH Abdelfettah, Middleware for multi-interfaces management through profiles handling. Mobilware'08: First International Conference on MOBILe Wireless MiddleWARE, Operating Systems, and Applications, February 13-15, Innsbruck, Austria, 2008
BOUTET Antoine, MONTAVONT Nicolas, MONTAVONT Julien, LE TEXIER Benoit, SCHREINER Guillaume, Advantages of Flow Bindings: an embedded mobile network use case. WEEDEV 2008: 1st Workshop on Experimental Evaluation and Deployment Experiences on Vehicular Networks in conjunction with TRIDENTCOM 2008, March 18, Innsbruck, Austria, 2008
BOUZIDA Yacine, MANGIN Christophe, A framework for detecting anomalies in VoIP networks. ARES 2008: Third international conference on availability, reliability and security, March 4-7, Barcelona, Spain, 2008, pp. 204-211
COMA-BREBEL Céline, CUPPENS Nora, CUPPENS Frédéric, CAVALLI Ana Rosa, Context Ontology for Secure Interoperability. ARES 2008: Third international conference on availability, reliability and security, March 4-7, Barcelona, Spain, 2008
COMA-BREBEL Céline, CUPPENS Nora, CUPPENS Frédéric, CAVALLI Ana Rosa, Interoperability Using O2O Contract. SITIS 2008: Fourth international conference on signal-image technology & Internet-based systems, 30 November-3rd December, Bali, Indonesia, 2008


COMA-BREBEL Céline, CUPPENS Nora, CUPPENS Frédéric, CAVALLI Ana Rosa, Secure interoperation with O2O contracts. SETOP 2008 : First workshop on security of spontaneous networks, 13-14 October, Loctudy, France, 2008
CUPPENS Frédéric, CUPPENS Nora, BOUZIDA Yacine, KANOUN Wael, CROISSANT Aurélien, Expression and Deployment of Reaction Policies. WITDS : SITIS Workshop "Web-Based Information Technologies & Distributed Systems", November 30th-December 3rd, Bali, Indonesia, 2008
CUPPENS Frédéric, CUPPENS Nora, THOMAS Julien, A Robust Reputation Scheme for Group Management in mobile ad hoc networks. SETOP 2008 : First Workshop on Security of Autonomous and Spontaneous Networks, October 13 & 14, Loctudy, France, 75015 Paris : Publibook, 2008, pp. 77-92, ISBN EAN:9782748343908
CUPPENS Frédéric, CUPPENS Nora, THOMAS Julien, A Robust Reputation Scheme For Decentralized Groups Management Systems. ICISS : Fourth International Conference on Information Systems Security, 16-20 December, JNTU, Hyderabad, India, Lecture Notes in Computer Science, 2008, pp. 71-85, ISBN 978-3-540-89861-0
CUPPENS Nora, CUPPENS Frédéric, Specifying Intrusion Detection and Reaction Policies: An Application of Deontic Logic. DEON 2008 : Ninth Workshop on Deontic Logic in Computer Science, 15-18 July, Luxembourg, 2008, pp. 65-82
CUPPENS Nora, CUPPENS Frédéric, ABI HAIDAR Diala, DEBAR Hervé, Negotiation of Prohibition: An Approach Based on Policy Rewriting. SEC'08 : 23rd International Information Security Conference, September 8-10, Milan, Italy, Boston : Springer, 2008, pp. 173-187
CUPPENS Nora, CUPPENS Frédéric, LOPEZ DE VERGARA Jorge E., VAZQUEZ Enrique, GUERRA Javier, DEBAR Hervé, An ontology-based approach to react to network attacks. CRiSIS 2008 : Third International Conference on Risk and Security of Internet and Systems, October 28-30, Tozeur, Tunisia, 2008
DELAMARE Romain, BAUDRY Benoit, LE TRAON Yves, Regression Test Selection when Evolving Software with Aspects. LATE workshop, in conjunction with AOSD'08, March 31 - April 4th, Brussels, Belgium, 2008
DHRAIEF Amine, MONTAVONT Nicolas, Toward Mobility and Multihoming Unification: the SHIM6 protocol : a case study. WCNC 2008 : IEEE Wireless Communications and Networking Conference, March 31 - April 3, Las Vegas, USA, 2008, pp. 2840-2845
DHRAIEF Amine, ROPITAULT Tanguy, MONTAVONT Nicolas, Mobility and Multihoming Management and Strategies. 14th Eunice Open European Summer School, 8-10 September, Brest, France, IFIP, 2008
EL HENI Neila, LAGRANGE Xavier, Multicast vs multiple-unicast scheduling in high-speed cellular networks. VTC 2008 : IEEE 67th Vehicular Technology Conference, 11-14 May, Singapore, IEEE, 2008
EL HENI Neila, LAGRANGE Xavier, Macro diversity combining schemes for multicast transmission in high-speed cellular networks. WINSYS 2008 : International conference on wireless information networks and systems, 26-29 August, Porto, Portugal, 2008
EL HENI Neila, LAGRANGE Xavier, Macro diversity for Multicast scheduling in high-speed cellular networks. Algotel 2008 : 10èmes Rencontres Francophones sur les Aspects Algorithmiques de Télécommunications, 13-16 May, Saint Malo, France, 2008
EL RAKAIBY Yehia, CUPPENS Frédéric, CUPPENS Nora, Interactivity for Reactive Access Control. International Conference on Security and Cryptography, 26-29 July, Porto, Portugal, 2008
GALLET DE SANTERRE Etienne, TOUTAIN Laurent, Source Address Routing eXtension (SAR-X). 6ème MAnifestation des JEunes Chercheurs en Sciences et Technologies de l'Information et des Communications, 29-31 October, Marseille, France, 2008, pp. 1-8
HASSAYOUN Sofiane, ROS SANCHEZ David, Loss Synchronization, Router Buffer Sizing and High-Speed Versions of TCP. HSN'2008 : IEEE INFOCOM High-Speed Networks Workshop, April 13, Phoenix (AZ), USA, 2008
KANOUN Wael, CUPPENS Nora, CUPPENS Frédéric, Automated Reaction based on Risk Analysis and Attackers Skills in Intrusion Detection Systems. HP-SUA 2008 : HP Software University Association Workshop, June 22-25, Marrakech, Morocco, 2008


KANOUN Wael, CUPPENS Nora, CUPPENS Frédéric, ARAUJO José, Automated Reaction based on Risk Analysis and Attackers Skills in Intrusion Detection Systems. CRiSIS 2008 : Third International Conference on Risk and Security of Internet and Systems, October 28-30, Tozeur, Tunisia, 2008
KASSAB Mohamed, BONNIN Jean-Marie, BELGHITH Abdelfettah, Fast and secure handover in WLANs : an evaluation of the signaling overhead. CCNC'08 : Fifth IEEE Consumer communications & networking conference, January 10-12, Las Vegas, Nevada, US, 2008
KASSAB Mohamed, BONNIN Jean-Marie, BELGHITH Abdelfettah, General strategies for context re-establishment in IEEE 802.11 networks. ITST'08 : 8th international conference on ITS telecommunication, 22-24 October, Phuket, Thailand, 2008
KASSAB Mohamed, HACHANA Safaa, BONNIN Jean-Marie, BELGHITH Abdelfettah, High-mobility effects on WLAN fast re-authentication methods efficiency. FTDA-DN'08 : First international workshop on future trends on design and analysis of dynamic networks in conjunction with Qshine'08, 31 July, Hong Kong, China, 2008
LASSOUED Imed, BONNIN Jean-Marie, BELGHITH Abdelfateh, Towards an architecture for mobility management and resource control. WCNC'08 : IEEE Wireless Communications & Networking Conference, March 31 - April 2, Las Vegas, Nevada, USA, 2008
LASSOUED Imed, BONNIN Jean-Marie, BEN HAMOUDA Zied, BELGHITH Abdelfettah, A methodology for evaluating vertical handoff decision mechanisms. ICN 2008 : The Seventh International Conference on Networking, April 13-18, Cancun, Mexico, 2008, pp. 377-384
LE NARZUL Jean-Pierre, HURFIN Michel, Design and Performance Evaluation of a Resource Allocation System Based on Agreement Services. Workshop on Grid Computing Applications Development, September 26-29, Timisoara, Romania, 2008
MABROUKI Issam, FROC Gwillerm, LAGRANGE Xavier, On the Data Delivery Delay taken by Random Walks in Wireless Sensor Networks. QEST '08 : 5th International Conference on the Quantitative Evaluation of SysTems, 14-17 September, St Malo, France, 2008
MAILLÉ Patrick, NALDI Maurizio, TUFFIN Bruno, Competition for migrating customers: a game-theoretic analysis in a regulated regime. Globecom'08 : IEEE Global Communication Conference, 30 November - 4 December, New Orleans, LA, USA, 2008
MAILLÉ Patrick, TUFFIN Bruno, Analysis of Price Competition in a Slotted Resource Allocation Game. IEEE INFOCOM'08, April 13-18, Phoenix, AZ, USA, 2008, pp. 888-896
MONTAVONT Nicolas, BOUTET Antoine, ROPITAULT Tanguy, TSUKADA Manabu, ERNST Thierry, Anemone : a ready-to-go testbed for IPv6 compliant intelligent transport systems. ITST 2008 : 8th international conference on ITS telecommunications, 22-24 October, Phuket, Thailand, 2008, pp. 228-233
MOUELHI Tejeddine, BAUDRY Benoit, FLEUREY Franck, A Generic Metamodel For Security Policies Mutation. SecTest 08: 1st International ICST workshop on Security Testing, April 9, Lillehammer, Norway, 2008
MOUELHI Tejeddine, FLEUREY Franck, BAUDRY Benoit, LE TRAON Yves, A model-based framework for security policies specification, deployment and testing. MoDELS'08: ACM/IEEE 11th International Conference on Model Driven Engineering Languages and Systems, 28 September - 3 October, Toulouse, France, 2008
MOUELHI Tejeddine, FLEUREY Franck, BAUDRY Benoit, LE TRAON Yves, Mutating DAC And MAC Security Policies: A Generic Metamodel Based Approach. Modeling Security Workshop In Association with MODELS '08, 28th September, Toulouse, France, 2008
MOUELHI Tejeddine, LE TRAON Yves, PRETSCHNER Alexander, Model-Based Tests for Access Control Policies. ICST 2008 : First IEEE International Conference on Software, Testing, Verification and Validation, April 9-11, Lillehammer, Norway, 2008
MOUELHI Tejeddine, LE TRAON Yves, PRETSCHNER Alexander, BAUDRY Benoit, Test-Driven Assessment of Access Control in Legacy Applications. ICST 2008 : First IEEE International Conference on Software, Testing, Verification and Validation (ICST), April 9-11, Lillehammer, Norway, 2008
OROZCO TORRENTERA Julio Enrique, ROS SANCHEZ David, TCP performance over gigabit-capable passive optical networks. Accessnet 2008 : Third International Conference on Access Networks, October 15-17, Las Vegas, USA, 2008


PHAN LE Cam Tu, CUPPENS Frédéric, CUPPENS Nora, MAILLÉ Patrick, Evaluating the trustworthiness of contributors in a collaborative environment. TrustCol-2008 : Third International Workshop on Trusted Collaboration, November 13-16, Orlando, FL, USA, 2008
PIAMRAT Kandaraj, KSENTINI Adlen, VIHO César, BONNIN Jean-Marie, QoE-aware admission control for multimedia applications in IEEE 802.11 wireless networks. VTC'08 : IEEE 68th Vehicular Technology Conference, September, Calgary, Canada, 2008
PIAMRAT Kandaraj, KSENTINI Adlen, VIHO César, BONNIN Jean-Marie, QoE-based network selection for multimedia users in IEEE 802.11 wireless networks. LCN'08 : 33rd annual IEEE conference on local computer networks, October 14-17, Montreal, Quebec, 2008
PICHON Dominique, GUILLOUARD Karine, BONNIN Jean-Marie, Adaptation of multimedia flows in a seamless mobility context using overlay networks. HET-NETs'08 : 5th International Working Conference on Performance Modelling and Evaluation of Heterogeneous Networks, February 18-20, Karlskrona, Sweden, 2008
RAWAT Priyanka, BONNIN Jean-Marie, Design and implementation of TuCP : a novel (IP) tunneling header compression protocol for mobile networks. ISWCS'08 : IEEE International Symposium on Wireless Communication Systems, 21-24 October, Reykjavik, Iceland, 2008
RAWAT Priyanka, BONNIN Jean-Marie, MINABURO TOUTAIN Ana, Optimising the use of robust header compression profiles in NEMO networks. ICN 2008 : 7th international conference on networking, April 13-18, Cancun, Mexico, 2008, pp. 150-155
RAWAT Priyanka, BONNIN Jean-Marie, TOUTAIN Laurent, CHOI Yanghee, Robust header compression over long delay links. IEEE VTC 2008 : Vehicular technology conference, May 11-14, Marina Bay, Singapore, 2008, pp. 2136-2141
RAYENE Ben Rayana, BONNIN Jean-Marie, Mobility aware application manager for mobile network. ITST'08 : 8th international conference on ITS telecommunication, 22-24 October, Phuket, Thailand, 2008
ROPITAULT Tanguy, MONTAVONT Nicolas, Implementation of a Flow Binding Mechanism. 4th IEEE Percom Workshop on Pervasive Wireless Networking, March 17-21, Hong-Kong, 2008, pp. 342-347
ROUIL Richard, MONTAVONT Nicolas, IEEE 802.21 transport solution using cross-layer optimized Stream Control transmission Protocol. PIMRC 2008 : 19th IEEE international conference on Personal, Indoor and Mobile Radio Communications, 15-18 September, Cannes, France, 2008, pp. 1-5
SINGH Kamal Deep, OROZCO TORRENTERA Julio Enrique, ROS SANCHEZ David, RUBINO Gerardo, Improving perceived streaming-video quality in High Speed Downlink Packet Access. IEEE GLOBECOM 2008 : IEEE Global Communications Conference, November 30 - December 4, New Orleans, USA, 2008, pp. 1-6
THOMAS Julien, CUPPENS Frédéric, CUPPENS Nora, Environmental Constraints Management in Digital Right Licences. SARSSI 2008 : 3ème Conférence sur la Sécurité des Architectures Réseaux et des Systèmes d'Information, 13-17 October, Loctudy, France, 75015 Paris : Publibook, 2008, pp. 85-99, ISBN EAN:9782748343892
TOUTAIN Laurent, PERROS Kévin, LEE Joongsoo, Supprimer le protocole Neighbor Discovery dans les réseaux de capteurs. CFIP 2008 : Colloque francophone sur l'ingénierie des protocoles, 25-28 March, Les Arcs, France, 2008
WANG Wei, GOMBAULT Sylvain, Efficient Detection of DDoS Attacks with Important Attributes. CRISIS 2008, Third International Conference on Risks and Security on Internet and Systems, October 28-30, Tozeur, Tunisia, 2008
WANG Wei, GOMBAULT Sylvain, GUYET Thomas, Towards fast detecting intrusions: using key attributes. ICIMP 2008 : Third International Conference on Internet Monitoring and Protection, June 29 - July 5, Bucharest, Romania, 2008
ZAGROUBA Rachid, BONNIN Jean-Marie, GUILLOUARD Karine, A centralized resource reservation for cellular IP access networks. FTDA-DN'08 : First international workshop on future trends on design and analysis of dynamic networks in conjunction with Qshine'08, 31 July, Hong Kong, China, 2008
ZOUARI Anis, SUCIU Lucian, BONNIN Jean-Marie, GUILLOUARD Karine, A novel procedure for coupling QoS control and handover decision for mobility management. ICWMC'08 : fourth international conference on wireless and mobile communications, July 21-August 1, Athens, Greece, 2008


ZOUARI Anis, SUCIU Lucian, BONNIN Jean-Marie, GUILLOUARD Karine, A proactive and distributed negociation approach for heterogeneous environments : an evaluation of QoS signalling overhead. NGMast'08 : second international conference and exhibition on next generation mobile applications, services and technologies, 16-19 September, Cardiff, Wales, UK, 2008

Book

DEBAR Hervé, THOMAS Yohann, CUPPENS Frédéric, CUPPENS Nora, Response: bridging the link between intrusion detection alerts and security policies. Intrusion Detection Systems, Springer US, 2008, (Advances in Information Security, 38), pp. 129-170

Book chapters

CUPPENS Frédéric, CAVALLI Ana Rosa, CUPPENS Nora, LENEUTRE Jean, ROUDIER Yves, SETOP 2008 : First Workshop on Security of Spontaneous Networks, First Workshop on Security of Spontaneous Networks, Loctudy, France, 13-14 October 2008. Edition Publibook, 2008, 108 p. (Information et communication), ISBN 2748343905
CUPPENS Nora, OWEZARSKI Philippe, SARSSI 2008 : 3rd Conference on Security in Network Architectures and Information Systems, Loctudy, France, 13-14 October 2008. Edition Publibook, 2008, 318 p. ISBN 2748343891

HDR defended in 2008

CUPPENS-BOULAHIA Nora, Expression, déploiement, analyse et administration de politiques de sécurité, Thursday 14 February 2008.
BONNIN Jean-Marie, La diversité d'accès au service de terminaux et de routeurs multi-connectés, Friday 20 June 2008.

Theses defended in 2008

ABI HAIDAR Dialla, Etude détaillée de la sécurité des web services dans le cadre d'une politique de sécurité unifiant les mécanismes de protection contre les attaques et de détection des actions malveillantes, 27/11/08
KASSAB Mohamed, Optimisation des handovers de niveau 2 pour une mobilité intra et inter technologies, 15/12/08
MABROUKI Issam, Marches aléatoires dans les réseaux de capteurs sans fils, 16/12/08
ALLARD Fabien, Le transfert de contexte : atout pour la mobilité et outil de réduction de coûts pour la sécurité, 15/01/09
ZOUARI Anis, Contrôle de la mobilité et de la qualité de service entre les réseaux d'accès hétérogènes dans un réseau de cœur tout IP, 14/01/09
SIMONIN Jacques, "Conception de l'architecture d'un système dirigé par un modèle d'urbanisme fonctionnel", 29/01/09


Annex 3: detailed description of the research projects (in English)


Detailed description of the research projects (in English)

This part reproduces the project sheets compiled for the PRACOM 2008 annual report.

Protocols
  Header Compression over Mobile Networks and Satellite Links
  Compression techniques and IPv6 for mobility
  An easy-to-use solution for IPv6 connectivity
  Loss Synchronization and Router Buffer Sizing with High-Speed Versions of TCP
Sensor Networks
  Random Walk Techniques for Data Delivery in Wireless Sensor Networks
  Suppressing Neighbor Discovery in Wireless Sensor Networks
Media and Networks
  IP-based transmission of real-time services over wireless links
  Video on Demand in IP Multimedia Subsystem
Radio Resource Management in Wireless Networks
  WiMAX Radio Resources Management and Capacity Estimation
  Packet scheduling and resource sharing in HSDPA
  Multicast for high speed wireless networks
Management of Multiple Access Networks
  Network centric QoS management in an operator heterogeneous mobile network
  Adaptation of Multimedia Flows in a Seamless Mobility Context
  Rethought Mobility Management in Future Multi-technologies Access Networks
  Optimized mobility management in heterogeneous access networks
  Mobility and Multihoming: interaction and benefits
Security & Mobility
  Use of a Context Transfer Protocol to reduce operational cost of access control
  Optimization of Wi-Fi-WiMAX vertical handover
Security Analysis and Validation
  Analysis and deployment of security policies
  Expression of security policies
  Security Testing: criteria, fault models and test generation
  Policy Administration
  Specifying and deploying security in workflow management systems
  PROTEKTO : Security platform for content providers
Intrusion Detection
  Detection and correlation of intrusions
  Threat response by policy revision
  Reaction after detection
  Dependable Anomaly Detection with Diagnosis
  Malicious behavior detection in ad-hoc networks

Extract of Pracom’s Annual Report 2008


Access Control
  Security of Web Services
  Security of NGN services
  A Fast Adaptative Secure Technology for high-speed Network
  Consistency and interoperability in security policies
  Information flow control in organization
  Dynamic access and usage control in pervasive environments
Peer 2 peer
  P2PIm@ges
  Managing a Peer-to-Peer Storage System in a Selfish Society
Applications of networks to transports
  Localization and Communication for emergency services
  Adaptive Application Support in Mobile Networks
  Wireless Mesh Networks
Testbeds
  A showroom for practical IPv6 deployment
  An Advanced Next Generation Mobile Open Network


Protocols

Header Compression over Mobile Networks and Satellite Links

Research Staff : Jean-Marie Bonnin, Laurent Toutain – Ph.D. students: Priyanka Rawat
Keywords : Header Compression, Mobile IP, ROHC, Tunnel protocol
Applications : VPN, network mobility, satellite links

Introduction

The enormous growth in the use of IP-based multimedia and other applications has increased the need for efficient use of the available communication technologies, including satellite and radio links. However, these links have high bit error rates and long delays. Moreover, the deployment of IP protocols over these links leads to significant header overhead. Various IP tunneling mechanisms, which are widely used in network security (VPN), IPv4-to-IPv6 transition, and mobile networks, have long delay characteristics. Header compression could be applied on such links to reduce the header overhead. Thus, in this context, it is required to study the behavior of header compression schemes over such long delay links and tunnels.

In mobile networks, header compression mechanisms such as ROHC (Robust Header Compression) can be used to reduce the header overhead. However, in several cases (for example IP tunneling mechanisms) the compression mechanism does not take into account the whole protocol stack. IP tunneling methods use multiple levels of encapsulation, with several IP and transport headers in each packet. That introduces high protocol header overheads, especially on wireless links where bandwidth remains a scarce resource.

The mobility protocols Mobile IPv6 and NEMO use a bi-directional tunneling mechanism, and all communications go through this tunnel. This tunnel easily provides network mobility transparency to the nodes within the network and to their correspondents, but it also introduces high protocol overheads since multiple IP headers are carried on each message. However, ROHC is a complex mechanism and its use needs to be optimized for this specific usage.

Realization

A study on the ROHC and TuCP (Tunneling Compression) protocols has been done in the context of mobile networks and long delay links.

First, we examined the behavior of the ROHC mechanism over long delay links and tunnels. The study shows the impact of long delay, high bit error, and packet re-ordering on the ROHC compression mechanism.

We investigated the behavior of ROHC over an L2TP tunnel between France and Korea [3]. This is important since L2TP and PPP links are interesting in order to access the Internet (IPv6-IPv4 transition) by using a cellular access or to join the private network of a service operator through any infrastructure.

[Figure 1. ROHC performance for Delay (curves for U mode, O mode and R mode, plotted against delay)]

Figure 1 shows the impact of delay on ACL (Average Compressed Header Length) in the U, O, and R modes of operation. It shows that in U and O mode, ACL is almost constant and does not vary with delay. However, in R mode, ACL increases with the delay. Thus, ROHC compression efficiency decreases while the delay increases. It was also observed that the value of the delay affects transitions between ROHC modes (in O and R modes).

The results obtained show that ROHC compression can be used over long delay links to reduce the header overheads, with certain limitations. The results of this study could be used for further designing header compression schemes specifically suitable for links and tunnels where delays are high.

Secondly, we presented two approaches to optimize the use of ROHC profiles when ROHC compression is used in NEMO networks [2]. The idea is to control the number of profiles that both the HA and the MR have to maintain in order to manage all IP tunnels. In the first approach we only use the IP profile and then have one profile per mobile, while in the second approach the number of profiles maintained by the HA is considered as a resource that can be attributed or not to each mobile (MR or MN) depending on their needs.

The third part of the study focuses on tunneling compression (TuCP) [1]. TuCP is used in conjunction with ROHC to reduce the tunnel overhead in NEMO networks. The solution of ROHC and TuCP compression can be extended to nested tunneling scenarios such as those found in nested mobile networks (see figures 2 and 3). We implemented a first version of the TuCP protocol.

[Figure 2. Nested Tunnels without TuCP Compression]

[Figure 3. Nested Tunnels with End-2-End TuCP Compression]

Further testing is ongoing for the evaluation and performance measurement of the TuCP profiles.

[Figure 4. Header Compression Efficiency for ROHC + TuCP]

We find that header compression is more efficient for IPv6 flows compared to IPv4 flows. It is possible to achieve 66% compression efficiency for IPv6 flows (see figure 4). The use of TuCP in conjunction with ROHC in IP tunnels reduces the header overhead to 2 bytes. This makes tunneling mechanisms virtually costless in terms of bandwidth consumption.

References

[1] Priyanka Rawat, Jean-Marie Bonnin, Ana Minaburo, and Laurent Toutain, "An End-2-End Tunnel Header Compression Solution for Nested Mobile Networks," International Conference on the Latest Advances in Networks, ICLAN'2007, Paris, Dec 2007.
[2] Priyanka Rawat, Jean-Marie Bonnin, and Ana Minaburo, "Optimizing the use of Robust Header Compression profiles in NEMO Networks", The Seventh International Conference on Networking, ICN 2008, Cancun, Mexico, April 2008.
[3] Priyanka Rawat, Jean-Marie Bonnin, Laurent Toutain, and Yanghee Choi, "Robust Header Compression over Long Delay Links", IEEE 67th Vehicular Technology Conference, VTC2008-Spring, Singapore, May 2008.


Compression techniques and IPv6 for mobility

Research Staff: Jean-Marie Bonnin, Laurent Toutain – Ph.D. students: Priyanka Rawat
Keywords: heterogeneous access networks, header compression, ROHC, Context-awareness
Partners & Funding: project funded by SFR

Introduction

The recent development of the Internet makes the IP protocol suite unavoidable when developing new services. Almost all applications developed in recent years (Voice over IP, Peer-to-peer, Instant Messaging, Push-to-Talk, …) use these protocols, even for real-time and mobile services. Unfortunately, neither IP nor the transport protocols (UDP, TCP) have been specifically optimized for the scarce resources usually available on wireless links. Furthermore, even when application data are appropriately compressed, the IP and transport protocol headers still consume a large share of the bandwidth.

This is why using compression methods becomes more and more crucial to reduce the bandwidth consumption, and therefore the transmission delay.

Objectives

Several compression protocols have already been developed. Some of them are known to be better than others but they all have a major disadvantage: none of these techniques is multi-purpose. In fact, the efficiency of a method depends closely on the kind of flow to be compressed and on the link characteristics (static and/or dynamic).

This justifies the wide variety of compression methods: each one is suitable for certain kinds of data and is optimal under certain link conditions. For example, header compression methods are better suited than payload compression methods when the payload is already compressed at the application level (VoIP, video, …). Some of the compression methods rely on a context maintained at each side of the link (which could be PPP or other link technologies such as SNDCP in GPRS or PDCP in UMTS architectures). These methods are then very sensitive to transmission errors: once the two contexts become desynchronized, they are unable to rebuild the original data.

To overcome the difficulty of choosing one compression method for all flows for the whole duration of a session, a suitable solution would be to choose dynamically and automatically the most suitable compression method given the flow type and the link characteristics. One of the aims of this project is to design and evaluate an algorithm able to accomplish this task [2].

One of the most promising compression techniques is header compression such as ROHC [1], especially when the user flow transports information already compressed at the application level. This is why the project also aims at evaluating the behavior of a ROHC implementation over actual UMTS/GPRS access.

Realization

We integrated the ROHC/TCP profile (RObust Header Compression for TCP) proposed by the IETF in our study. We implemented ROHC/TCP in order to evaluate its characteristics and its performance. It is an important compression method since it allows a significant overhead reduction for signaling traffic, which often uses TCP as transport protocol, especially on IMS/UMTS networks.

In a study of ROHC behavior over IPv4 UMTS/GPRS access we show that it is really efficient to send IPv6 traffic over an L2TP tunnel using ROHC header compression: almost as efficient as using IPv6 directly over GPRS access.

A patent related to the automatic selection of the most adapted compression techniques is on the way with SFR.

References

[1] A. Couvreur, A. C. Minaburo Villar, L. Le Ny, G. Rubino, B. Sericola, L. Toutain, "Performance analysis of a header compression protocol: the ROHC unidirectional mode", Telecommunication Systems, Vol. 31, N° 1, p. 85-98, 2005.
[2] R. Ben Rayana, J.-M. Bonnin, A. Belghith. "Sélection dynamique des protocoles de compression", CFIP'2006 (Colloque Francophone sur l'Ingénierie des Protocoles), Tozeur, Tunisie, November 2006.


An easy-to-use solution for IPv6 connectivity

Research Staff: Laurent Toutain, Bruno Stevant, E. Gallet de Santerre
Keywords: IPv6, IPv6-IPv4 transition
Applications: Home networks, SME networks
Partners & Funding: funded by Conseil Régional de Bretagne

Introduction

IPv6 is nowadays implemented in many components such as core networks, operating systems and even several applications. However, end-to-end IPv6 connectivity is still missing, especially because very few Internet Access Providers (IAP) offer IPv6 connectivity and prefix allocation. The IETF and some companies have defined and/or developed transition tools such as 6to4, Tunnel Broker or Teredo, but these tools are either aimed at experienced users or do not offer all the IPv6 benefits (always-on, machine-to-machine communications, ...) needed to build applications. Furthermore, some of these solutions may also lead to security threats.

Realization

During the Point6 project, funded in 2005 and 2006 by the Brittany Region Council, we defined some transition tools to bring IPv6 to Small and Medium Enterprises (SME) and Home Networks. This experiment led to the development of the Point6Box. We also worked to enhance network auto-configuration. Part of this work has been standardized at the IETF by the Softwires working group [1]. An experiment run jointly with Renater allows academics and SMEs to get prefixes through the Point6Box/Softwires architecture.

Point6Box/Softwire architecture

The Point6Box is an add-on device that can be connected to any IPv4 network in order to bring IPv6 connectivity and functionalities in a non-intrusive way. It is important to note that our goal is to fill missing gaps and not to specialize a device for IPv6 connectivity. Progressively, as IAPs become IPv6 aware, the functionalities provided by the Point6Box will be integrated into the provider equipment.

Several usages and objectives have been identified in this project:

• allow IPv6 connectivity for devices connected in an SME or Home network, in a very easy way, nearly without configuration from the user,
• locate IPv6 functionalities on stand-alone and cheap equipment to avoid relying on desktop computers. Since IPv6 implies being always-on, the Point6Box does not have to be switched off.
• allow the introduction of IPv6 demonstrators on existing IPv4 network infrastructure to ease demonstrations of new features.
• anticipate new usages. The connectivity offered by the Point6Box is very close to native access. Currently, new applications such as machine-to-machine communication relying on auto-configuration features and service discovery can be tested.
• manage an IPv6 network to discover missing features and debug existing software, to improve quality and reduce operating costs. Experience gained during the transition phase must be directly reusable when IPv6 runs on native infrastructures.
• use open source software for CPE and PE and extend functionalities when needed.
• use only fully standardized protocols, such as L2TP [RFC2661], PPP, etc.
• be able to run over any IPv4 infrastructure (any NAT solution) to provide IAPs with a transition tool compliant with the future native access architecture.

Technically, the Point6Box can be viewed as an IPv6 router with only one Ethernet port plugged into the CPEv4. To provide IPv6 connectivity, the Point6Box is connected to an IPv6 Provider Edge through a VPN-like tunnel. This tunnel is made over L2TP, which provides three main characteristics:

• L2TP messages are carried over UDP to offer NAT-traversal capabilities,
• PPP is used to carry IPv6 frames, so we can rely on built-in authentication and configuration mechanisms, and have very easy interaction with AAA servers.
• PPP and L2TP hello messages may be used to detect when a tunnel is down, for instance due to IPv4 address renumbering, and to maintain contexts in the NAT box.

The Point6Box removes the L2TP encapsulation and forwards incoming IPv6 packets on the link. Generally SME or Home router interfaces are bridged with an IEEE 802.11 network, so every device connected to that network will receive Router Advertisements. IPv6 traffic generated by these devices will be routed through the Point6Box. IPv4 traffic will continue to be NATed by the IPv4 edge router.

The Point6 Provider Edge is connected to the IPv6 backbone. It includes the server part and can be connected to an AAA database to allow authorization and monitoring. The following picture describes the service architecture.

[Figure: service architecture. On the provider side: RADIUS server, DHCPv6 server, IPv4/v6 ISP, L2TP IPv6 server with DHCPv6 relay (PE v6), PE v4. On the customer side: CPE v4 (NAT, bridge) and CPE v6 (Point6 client), with hosts X, Y and Z configured by stateless autoconfiguration using the RA mechanism (FE80::X / A:B:D:101::X, FE80::Y / A:B:D:101::Y, FE80::Z / A:B:D:101::Z; A:B:D:101::1). Flows shown: L2TP tunnel, DHCPv6 request and reply, RADIUS authorization, connection accounting.]

Auto-configuration of the SME/Home network is a major feature to rapidly spread IPv6. If the SME/Home network includes several routers, configuration for IPv4 requires technical skills. We have studied several approaches to offer internal router configuration (see [AINA2005]). In this proposal, we focus on DHCPv6 because it does not require any modification, even if this approach is less efficient in case of multi-homing.

The Point6Box includes a DHCPv6 server to answer the requests inside the domain. The static parameters such as the DNS resolver and the DNS domain are given to other routers, and a pool of /64 prefixes is constructed based on the prefix received from the provider. An internal router will execute the following algorithm when one of its interfaces gets configured through the Neighbor Discovery (ND) protocol:

• The router sends DHCPv6 requests for a /64 prefix (the interaction with ND as explained in [2] is used to detect loops or dual prefix allocation),
• The router waits for answers from the Point6Box containing the prefix and other parameters,
• The router assigns prefixes to interfaces. It starts unicast and multicast routing and a DHCPv6 relay. The relay functionality is used to allow downstream routers to talk with the DHCPv6 server.

At this point, the internal routers are configured; the equipment addresses can be set up through the standard Neighbor Discovery protocol and other parameters through DHCPv6.

Future works

The protocol used in the Point6Box is now standardized. We will now focus on the interoperability of Softwires equipment. The RoHC protocol is being integrated as a feature to decrease the overhead of the tunnel. We are also studying the interest of a Point6Box solution to provide IPv4 connectivity over an IPv6 network.

References

[1] B. Storer, C. Pignataro, M. Dos Santos, J. Tremblay, B. Stevant, "Softwires Hub & Spoke Deployment Framework with L2TPv2", draft-ietf-softwire-hs-framework-l2tpv2-08, Work in Progress.
[2] Chelius, G., Fleury, E., and L. Toutain, "No Administration Protocol (NAP) for IPv6 Router Auto-Configuration", AINA 2005 IEEE 19th International Conference on Advanced Information Networking and Applications, March 2005.
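The prefix handling described in this section, as an added example that is not code from the Point6 project: a pool of /64 prefixes carved from the provider's delegated prefix, one stable /64 per requesting internal router, and the address a host then forms from the advertised prefix. The class and function names, the documentation prefix 2001:db8:1200::/56, the router identifiers, keeping the first /64 for the box's own link and deriving the Interface ID from the MAC address (modified EUI-64) are assumptions.

```python
import ipaddress


class PrefixPool:
    """Pool of /64 prefixes built from the prefix received from the provider."""

    def __init__(self, delegated):
        net = ipaddress.IPv6Network(delegated)
        if net.prefixlen > 64:
            raise ValueError("delegated prefix must be /64 or shorter")
        self._subnets = net.subnets(new_prefix=64)   # lazy iterator of /64s
        # Assumption: the box keeps the first /64 for the link it sits on.
        self.box_link = next(self._subnets)
        self._leases = {}                            # router id -> /64

    def request(self, router_id):
        """Answer a router's request for a /64.

        A router that asks again gets the prefix it already holds, so a
        retransmitted or looping request never causes a dual allocation.
        """
        if router_id in self._leases:
            return self._leases[router_id]
        try:
            prefix = next(self._subnets)
        except StopIteration:
            raise RuntimeError("prefix pool exhausted") from None
        self._leases[router_id] = prefix
        return prefix


def eui64_interface_id(mac):
    """Modified EUI-64 Interface ID from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix, mac):
    """Address a host builds from an advertised /64 and its Interface ID."""
    if prefix.prefixlen != 64:
        raise ValueError("stateless autoconfiguration expects a /64")
    value = int(prefix.network_address) | eui64_interface_id(mac)
    return ipaddress.IPv6Address(value)


if __name__ == "__main__":
    pool = PrefixPool("2001:db8:1200::/56")          # constructed sample prefix
    print("box link      :", pool.box_link)
    for router in ("router-A", "router-B", "router-A"):
        print(f"{router:14}:", pool.request(router))
    host = slaac_address(pool.request("router-A"), "00:11:22:33:44:55")
    print("host behind A :", host)
```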


Loss Synchronization and Router Buffer Sizing with High-Speed Versions of TCP

Research Staff: David Ros – Ph.D. Student: Sofiane Hassayoun
Keywords: TCP, congestion control, high-speed networks
Applications: high-speed networks, Grid networking

Introduction

The Transmission Control Protocol (TCP) [1-2] is the most widely used transport protocol in IP networks. Indeed, many measurement studies show that more than 90% of the Internet traffic is carried by TCP. TCP is the protocol of choice of most data applications (web, e-mail, file transfer, …), and it is even used for multimedia applications like audio and video streaming.

In order to react to packet losses, TCP performs congestion control; that is, a TCP sender cuts its data sending rate (at least) by half whenever it detects that packets are lost. The goal of this rate-control mechanism is to help in alleviating network congestion (which is implicitly assumed to be the cause of packet loss). In the absence of losses, the sender steadily increases its rate: the goal in this case is to use as much available bandwidth as possible.

In very high-speed networks, drastic rate reductions, which are inherent to the congestion control mechanisms, often result in poor performance. This is because TCP senders cannot fully utilize the link capacity and, moreover, after a loss is detected they may take a long time before reaching a high sending rate again.

In recent years, a good deal of research work has thus been devoted to studying and improving the performance of TCP over very high-speed links. Several variants of the protocol have been proposed in order to adapt TCP's congestion control mechanisms to Gb/s speeds and beyond.

Realization

Drop synchronization between TCP flows happens whenever two or more flows experience packet loss in a short time interval. This phenomenon has been the object of several studies and proposals because of its potential performance implications. Indeed, perfectly-synchronized losses among flows would result in TCP senders reducing their window in unison; hence, in poor throughput and low link utilization. In practice, however, such highly-correlated loss patterns are rarely observed in the Internet. Factors like fluctuations in round-trip times (RTTs) and high levels of statistical multiplexing tend to break the synchronization among flows.

Nonetheless, given that previous studies on synchronization have focused on "low-speed" TCP, one may wonder whether packet drops may become more correlated when high-speed variants of TCP are used. Indeed, it has been conjectured [3] that a higher synchronization might be a side effect of the increased aggressiveness of the congestion control algorithms in those variants.

We have thus performed a preliminary study of the relation between drop synchronization and buffer sizes, when high-speed TCPs are used. By means of ns-2 simulations, the dependence of synchronization on the TCP version was explored. We used finely-tuned simulation scenarios, designed to avoid synchronization as much as possible; the idea was to capture drop correlations induced mainly by the version of TCP in use.

One of our main motivations for looking into this problem was that, contrary to the common case in the general Internet, Grid networks are prone to synchronization. Moreover, the fact that such networks are prime candidates for deploying high-speed versions of TCP makes the subject of the study yet more compelling.

We evaluated three high-speed protocols: HSTCP, H-TCP and BIC (the latter has been adopted in the standard Linux kernel); SACK TCP was used as a sort of "low-speed benchmark". In order to assess the impact of the bottleneck buffer size, we explored a wide range of buffers, going from very small ones (50 packets) to very large ones (150,000 packets).

The figure below shows the CDF (cumulative distribution function) of the so-called global synchronization rate R, measuring the proportion of flows that experience packet drops in a loss event. The figure compares the behavior of HSTCP with that of SACK, when a large buffer is used. Similar trends were obtained with the other two high-speed protocols. In the simulations, 40 flows are competing for bandwidth in the bottleneck; for instance, R = 1/40 (i.e., the lowest value of R in the curves) corresponds to one flow suffering packet drops in a loss event.

Curves in this figure are to be interpreted as follows: a CDF value of y corresponds to the probability that at most x = R*100% of the flows lose packets in a loss event. Hence, a high value of CDF for a low value of R means that drops are not strongly correlated between flows (i.e., in many cases, just a few flows lose packets in a loss event). Note that this is the case of SACK TCP, since in ≈ 40% of the loss events there is only one flow (R = 1/40) that loses packets.

Conversely, a low CDF value for a high value of R implies a strong drop synchronization between different flows; that is, in most cases many flows suffer "simultaneous" losses. This corresponds to the case of HSTCP, because only ≈ 10% of the loss events concerned less than 60% (R = 0.6) of the flows; in other words, in ≈ 90% of the cases more than 60% of the flows experienced packet loss in a short time interval.

Conclusion

Our preliminary findings suggest that high-speed versions of TCP do yield higher levels of synchronization. However, in spite of a strong correlation of packet drops among flows, we found that such TCP versions can achieve both high goodput and link utilization, as long as enough buffering is provided.

This work [4] earned the Best Paper Award of the HSN 2008 Workshop of the IEEE INFOCOM conference.

References

[1] D. Ros. TCP : performance et évolution du protocole (in French). In: Techniques de l'Ingénieur, vol. TEA3, no. TE7572, 2006.
[2] D. Ros. TCP : impact des caractéristiques des liaisons (in French). In: Techniques de l'Ingénieur, vol. TEA3, no. TE7573, 2007.
[3] S. Floyd and E. Kohler (eds.). "Tools for the evaluation of simulation and testbed scenarios," Internet Draft draft-irtf-tmrg-tools, work in progress, February 2008. Available at: http://tools.ietf.org/html/draft-irtf-tmrg-tools
[4] S. Hassayoun and D. Ros. Loss Synchronization and Router Buffer Sizing with High-Speed Versions of TCP. In Proceedings of the IEEE INFOCOM High-Speed Networks Workshop (HSN 2008), Phoenix (AZ), USA, April 2008.


Sensor Networks

Random Walk Techniques for Data Delivery in Wireless Sensor Networks

Research Staff: Xavier Lagrange, Gwillerm Froc (Mitsubishi Electric) – Ph.D. Student: Issam Mabrouki
Keywords: Wireless Sensor networks, Random Walk Theory, Performance Evaluation
Partners & Funding: CIFRE Mitsubishi

Introduction

Wireless Sensor Networks (WSN) have been one of the most prosperous research areas in recent years thanks to their wide spectrum of potential applications, including environment and habitat monitoring, healthcare applications, home or industrial automation and control, precision agriculture and inventory tracking. Faced with this general trend of application diversification, a large amount of the research being done in the WSN area tries to provide useful tools and design methods for better architectures and protocols.

Most application scenarios for WSN involve small devices called sensor nodes, which are equipped with sensing capabilities, wireless communication and limited power supply, CPU and memory. On top of that, sensor nodes are often supposed to operate unattended and under strict energy constraints. Such adverse conditions make the design of robust, scalable and energy efficient systems a considerable challenge.

Taking advantage of the fact that computation is much less energy expensive than communication, most existing designs consist of distributed systems, which delegate a large portion of the information processing to the nodes themselves. However, this technique is characterized by its dependence on state information stored in the nodes for proper operation. In a highly dynamic environment, which generally characterizes WSN, this technique requires the development of sophisticated failure recovery mechanisms, thereby significantly increasing the complexity of sensor nodes, with a dramatic impact on the overall performance.

In the search for an alternative solution, many recent research efforts have investigated the use of randomization to build robust, scalable and energy efficient protocols in the context of WSN. One example consists of the use of random walks to convey data from a source node to a destination one. The use of this technique is not new and has been extensively explored in many networking models [1,2]. However, throughout the variety of research works that assess the effectiveness of this technique, most results are derived by means of simulations. Furthermore, when analytical tools are used, the obtained results often provide bounds on various performance metrics of interest. Clearly, results of this nature may have little consequence for practical applications.

Instead, our take in this work is to obtain a fundamental insight into the random walk technique by building various models in order to assess the effectiveness of this technique based on the derivation of closed-form expressions for various performance metrics. To this end, we have extensively used the powerful mathematical tools developed in the physics community [3].

Realization

The general model consists of a typical network made of two kinds of nodes: a large number of sensor nodes and a smaller number of sink nodes with more complex capabilities to gather, process and control data. Each sensor node performs some sensing of a particular confined area, and sends messages to sink nodes in a multihop fashion, using other sensor nodes as relays and without any specific mapping between sensor and sink nodes. A generated message will be trapped at the first encounter of a sink node. We look more specifically at a common regular and periodic deployment topology where nodes are spread over an area of interest with a square pattern. As illustrated in Figure 1, this pattern is formed by periodically repeated square unit cells of size N*N containing N² nodes, of which (N² – 1) are sensor nodes and one is a sink node. Clearly, c = 1/N² represents the concentration of sink nodes, i.e., the ratio between the number of sink nodes and the total number of nodes in the network.

Figure 1. Pattern of sensor and sink nodes

When a message reaches a given sensor node, the next hop occurs uniformly at random only to the nearest neighbors. Thus, in the case of 4-connectivity, all 4 nearest neighbors of the current sensor node are equally likely, with transition probability 1/4. A message generated at a given sensor node then performs a random walk until it reaches a sink node for the first time, where it is trapped and never leaves. At this moment, we consider that the data delivery process has succeeded.

There are many motivations that prompted us to choose this network structure. First, many WSN applications are often desired to follow regular patterns for at least two reasons: (i) convenience of deployment and (ii) to achieve a higher degree of connectivity and coverage. Second, this division of the network into unit cells suggests a very natural way of grouping nodes together (clustering). Such a clustering is often required by protocols in order to deal with the large number of nodes. Third, it is natural to start with regular patterns before addressing more complex ones. Finally, this pattern is simple enough to allow a complete analytical treatment of the random walk technique while still being useful to incorporate specific key issues of WSN such as connectivity and coverage.

To investigate the performance of the proposed data delivery based on random walk techniques, we have heavily exploited the method of generating functions to derive insightful results. The main idea was to characterize the random walk induced on the network by determining the generating functions associated with node occupation probabilities and first-passage probabilities respectively. Once determined, these quantities enabled us to derive closed-form expressions for some performance metrics such as the expected delay required for a message to be gathered by a sink node and the energy cost incurred by this operation. These metrics were expressed as a function of the key parameters of the model. For example, the expected delay is found to be ~2N² Log(N)/. This can be put into practical use for WSN dimensioning with respect to crucial parameters such as the minimum ratio of sink nodes to be deployed over the total number of sensor nodes while ensuring a required level of performance. As regards the energy cost, the main result was that the random walk techniques achieve a good balancing property and present no critical points of failure compared to deterministic techniques.

Conclusion

There are several interesting directions that may extend the model presented in this work. These include, for instance, considering more complex topologies where sink nodes are deployed at random, or a constrained random walk that prevents messages from returning to the initial territory.

References

[1] D. Braginsky and D. Estrin. "Rumor Routing Algorithms for Sensor Networks." First international Workshop on Sensor Networks and Applications (in conjunction with ACM MobiCom '02). pp. 22-31, 2002.
[2] S. D. Servetto, G. Barrenechea, Constrained random walks on random graphs: routing algorithms for large scale wireless sensor networks, in: Proc. of the 1st ACM international workshop on Wireless sensor networks and applications, ACM Press, NY, USA, 2002, pp. 12–21.
[3] H. Scher, M. Lax, Stochastic Transport in a Disordered Solid. I. Theory, Phys. Rev. B 7 (10) (1973) 4491–4502.
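The model of this section worked through numerically, as an added example that is not the authors' code: the mean number of hops before a message is trapped, for one sink per N x N periodic cell with 4-connectivity, obtained three ways (a lattice Green's-function sum, the first-passage equations solved directly, and simulated walks). Function names, the sink position (0, 0), the uniform choice of the source node and the sample sizes are assumptions.

```python
import math
import random


def mean_delay_closed_form(n):
    """Mean hop count to the sink, averaged over the n*n - 1 sensor nodes.

    Green's-function sum for the nearest-neighbour walk on the periodic
    cell: 1 / (1 - lambda(k)) summed over the non-zero wave vectors k,
    then rescaled from an average over all sites to sensor sites only.
    """
    if n < 2:
        raise ValueError("a unit cell needs at least one sensor node")
    total = 0.0
    for k1 in range(n):
        for k2 in range(n):
            if (k1, k2) == (0, 0):
                continue
            lam = 0.5 * (math.cos(2 * math.pi * k1 / n)
                         + math.cos(2 * math.pi * k2 / n))
            total += 1.0 / (1.0 - lam)
    sites = n * n
    return total * sites / (sites - 1)


def delays_by_node(n, tol=1e-11):
    """Solve T(sink) = 0, T(x) = 1 + mean of T over the 4 neighbours.

    Gauss-Seidel sweeps over the cell; indices wrap around because the
    unit cell repeats periodically. Returns T as an n x n grid.
    """
    t = [[0.0] * n for _ in range(n)]
    while True:
        change = 0.0
        for x in range(n):
            for y in range(n):
                if (x, y) == (0, 0):
                    continue
                new = 1.0 + 0.25 * (t[(x + 1) % n][y] + t[(x - 1) % n][y]
                                    + t[x][(y + 1) % n] + t[x][(y - 1) % n])
                change = max(change, abs(new - t[x][y]))
                t[x][y] = new
        if change < tol:
            return t


def mean_delay_from_equations(n):
    """Average of the per-node delays over the sensor nodes."""
    return sum(map(sum, delays_by_node(n))) / (n * n - 1)


def simulate_mean_delay(n, walks, seed=1):
    """Monte Carlo estimate: walk from a random sensor node until trapped."""
    rng = random.Random(seed)
    steps = ((1, 0), (-1, 0), (0, 1), (0, -1))
    total = 0
    for _ in range(walks):
        x = y = 0
        while (x, y) == (0, 0):              # source must be a sensor node
            x, y = rng.randrange(n), rng.randrange(n)
        while (x, y) != (0, 0):
            dx, dy = rng.choice(steps)       # each neighbour with prob. 1/4
            x, y = (x + dx) % n, (y + dy) % n
            total += 1
    return total / walks


if __name__ == "__main__":
    print(" N   closed form   equations   simulated   delay/(N^2 ln N)")
    for n in (2, 4, 8):
        exact = mean_delay_closed_form(n)
        print(f"{n:2d}   {exact:11.4f}   {mean_delay_from_equations(n):9.4f}"
              f"   {simulate_mean_delay(n, 20000):9.4f}"
              f"   {exact / (n * n * math.log(n)):.4f}")
```

The last column divides the delay by N² ln N, the growth the text quotes, so it shows how slowly the prefactor settles for small cells.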


Suppressing Neighbor Discovery in Wireless Sensor Networks

Research Staff: Laurent Toutain, Bruno Stevant, E. Gallet de Santerre
Keywords: Wireless IPv6, IPv6-IPv4 transition
Applications: Sensor networks
Partners & Funding: partially funded in the framework of the STIC Asia program

Introduction

Description of the problem

Wireless sensor networks have recently received a lot of attention from specification organizations, in particular IEEE. IEEE 802.15.4 is a technology designed to reduce power consumption, based on CSMA-CA (Carrier Sense Multiple Access with Collision Avoidance), with a throughput between 20 and 250 kbit/s. Several independent networks can be deployed in the same area. They are identified by a PANid value. Each of these networks has a single PAN Coordinator (PC) that is in charge of managing the attachment of new sensors, address allocation and, optionally, bandwidth allocation for some kinds of synchronous traffic. The PC may also provide interconnection with other network technologies. In our architecture, the border equipment between the full IPv6 world and the Sensor Network will be the PC.

Zigbee has been defined by the Zigbee forum to allow applications to run on top of this MAC layer. Zigbee provides addressing capabilities and routing, and defines some applications. Zigbee is not an end-to-end architecture; a device connected to the Internet will contact a Zigbee coordinator, which will generate Zigbee traffic. The IETF approach with the 6lowpan working group is quite different: the goal is to re-establish full end-to-end connectivity between IEEE 802.15.4 devices and others.

The 6lowpan protocol [3] is an adaptation layer used to allow the transport of IPv6 packets over Wireless Sensor Networks, and particularly IEEE 802.15.4.

The Neighbor Discovery Protocol (NDP) is used in IPv6 to establish the relation between a host and its neighbors, that is, to find the mapping between the IPv6 address and the MAC address. NDP is also widely used during bootstrap to auto-configure interfaces. A vast majority of devices use this protocol to configure their global IPv6 address and the default router. A host activating its interface creates a Link Local address and, after verifying its uniqueness, multicasts a Router Solicitation to the well-known router group (FF02::2 address). Routers answer directly to the requesting host with a Router Advertisement message (RA) that may contain the prefix(es) used on the link. The host concatenates the prefix(es) with its Interface ID to generate a global address. The host also selects one of the routers as the default router. This way, the host gains connectivity at layer 3 and is able to send packets worldwide on the network. Other parameters such as the DNS server may be learnt through the DHCPv6 protocol or, more recently, this parameter can be included by the router in the RA message.

In WSN, this periodic message could lead to poor performance in terms of bandwidth usage, but also in terms of battery consumption. The goal of this work is to study the consequences of periodic RA suppression and to limit the solicited RS/RA to the WSN really requiring it, while ensuring end-to-end communications with any other device connected to the Internet.

Currently, WSN networks are simple and mainly arranged around the PAN Coordinator. The IETF has almost finished the definition of the adaptation layer, but routing inside the WSN is currently not standardized.

The aim of this work is to propose a better integration of IPv6 in IEEE 802.15.4.

Realization

We propose a better integration of IPv6 in IEEE 802.15.4 to reduce the need for the Neighbor Discovery protocol in WSN. This approach allows the application to select the behavior of the network. Some simple applications sending information at a low rate may send their packets without layer 3 configuration. The PC will construct the appropriate Layer 3 header. Once identified outside, they benefit from the end-to-end paradigm and can also receive packets. In that case, the energy overhead due to configuration and management protocols is drastically reduced. In the same network, some sensors may decide to get full IPv6 connectivity by using the Neighbor Discovery Protocol, but we have shown that the sending of periodic messages is not necessary. Mobile sensor devices can also benefit from this approach and may continue to detect hand-over by listening to IEEE 802.15.4 frames instead of RA messages. The proposed procedures have been implemented in a testbed (see figure). This work is included in a more general work on the integration of new media into the Internet. We are currently working on sensor localization using paging and DNS servers.

References

[1] IEEE Standard 802.15.4-2003, Part 15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low-Rate Wireless Personal Area Networks (LR-WPANs), May 2003.
[2] Zigbee, ZigBee Specification Version 1.0, ZigBee Alliance, December 2004, http://www.zigbee.org
[3] Montenegro G., Kushalnagar N., Hui J., Culler D., "Transmission of IPv6 Packets over IEEE 802.15.4 Networks", IETF, September 2007, RFC 4944.


Media and Networks

IP-based transmission of real-time services over wireless links

Research Staff: Loutfi Nuaymi, Xavier Lagrange, Kevin Perros – Ph.D. Students: Neila El Héni, Elizabeth Martinez Fernandez
Keywords: UMTS, Header compression, ROHC
Applications: Real-time services, Video streaming, VoIP
Partners & Funding: TELECOM Bretagne (RSM), FT R&D (project leader), Thales Communications, IRISA, Alcatel and Eurecom. Funded by French Government RNRT as COSINUS Project

Introduction

Cellular and wireless networks provide both non-real-time and real-time services (voice, video). For the latter, quality of service is an important issue. In UMTS, real-time services are generally based on a circuit-switched approach. However, as IP-based solutions will be generalized in the near future, it is necessary to study real-time services over IP.

COSINUS (COmmunications de Services temps-réel / IP dans uN réseaU Sans fil) is an RNRT (Réseau National de Recherche en Télécommunications) project. The main topic is the study of IPv6-based real-time services, both audio and video, over the third-generation cellular network, UMTS, and over WLAN (Wireless Local Area Network) 802.11/WiFi. In particular, the received quality will be observed, controlled, and improved thanks to the use of adequate protection means, the improvement in multimedia codec robustness and the integration of new mechanisms such as header compression. The specific nature of the radio link is taken into account. The use of the frequency spectrum is a major constraint in the optimization of the transmission over the wireless link. The transmission services considered in COSINUS are conversational IP services (e.g., phone, visiophony) and deferred real-time IP services (e.g., audio and video streaming). In a period where these services are often mentioned as highly promising and where some of them are already offered to the public by operators, there is a lack of studies and results on this subject.

Realization

Transmission on the UMTS radio interface is based on the concept of RAB: Radio Access Bearer. A RAB mainly includes the definition of the channel coding and a set of possible data block sizes. The possible error correcting codes are specified in the 3GPP recommendations but nothing is said about the RAB format for a given service.

The first part of the work investigated the UMTS RAB configurations for VoIMS (VoIP over IP Multimedia Sub-system) used in the 3G UMTS System. This has been done with a focus on the impact of ROHC header compression, different RAB multiplexing methodologies, rate matching algorithms and other UMTS radio protocols [2].

The quality of service is analyzed within the project with a real-time platform built on the basis of the Rhodos UMTS testbed developed by Eurecom [1]. TELECOM Bretagne is in charge of integrating the ROHC mechanism in that testbed. This integration was completed in 2007. Several hardware and system problems were solved before a stable new ROHC-including UMTS platform was obtained. This new platform was used for UMTS voice and video transmissions to evaluate the performance of the ROHC mechanism. The TELECOM Bretagne part of COSINUS was concluded in Sept 2007. The COSINUS project ended completely at the beginning of 2008.

Future Work

Now that COSINUS has ended, new research studies about ROHC and UMTS are being investigated. The platform obtained in COSINUS will be very useful for this kind of research.

References

[1] M. Wetterwald et al., “A UMTS TDD software radio platform”, in Reconfigurable Mobile Radio Systems, G. Vivier (editor), 2007, ISTE, ISBN 9781905209460.
[2] N. El Héni, B. Badard, V. Diascorn, L. Nuaymi, "Performance of RAB mapping and ROHC for the support of VoIP over UMTS," 18th annual IEEE international symposium on personal, indoor and mobile radio communications PIMRC'07, September 3-7, Athens, Greece, 2007.


Video on Demand in IP Multimedia Subsystem

Research Staff: Géraldine Texier – Ph.D. Student: Gilles Bertrand
Keywords: Video on Demand, IMS, QoS
Applications: Video on Demand, Fixed-mobile convergent networks
Partners & Funding: Alcatel Lucent (leader), Devoteam SRIT, France Telecom R&D, Institut TELECOM/TELECOM Bretagne, JCP-Consult, Thomson R&D, Thomson Broadcast & Multimedia.

Introduction

The emergence of new services offered by fixed and mobile networks implies the evolution of both the transport chain and the command chain. Standardization bodies for fixed (TISPAN) and mobile (3GPP) networks have defined the IP Multimedia Subsystem (IMS) [4] as the reference architecture for next generation services based on the SIP (Session Initiation Protocol) protocol.

The goal of the VoD@IMS project is to address the issues of the design, the implementation and the experimentation of new usages generated by the combination of the on-demand content distribution domain and the convergence of fixed and mobile networks. This project is funded in the framework of the competitiveness cluster “Media and networks” and constitutes a natural complement to the Mobim@ges and Distrim@ges projects.

The VoD@IMS project’s main issues focus on:
• the definition of new services based on new technologies and new architectures (IMS, fixed-mobile convergence, …) involving on-demand audio-video contents (personal video hosting by the ISP network, sharing and common preview of videos on different sites, interactive services, …) and exploiting interactions between the different services;
• the analysis of network architectures needed to provide services (IMS architecture, IPTV, …) in accordance with ongoing standardization efforts;
• the validation of the proposed concepts and the verification of the feasibility and of the acceptability of the behavior and the performance of some functionalities of the system;
• the design and the implementation of a platform prototype. This demonstration platform enables the validation of the architecture and the propositions made in the project. The platform is designed in accordance with the “IMS based” architecture currently under standardization.

Realization

The main contribution of TELECOM Bretagne is related to the network architecture analysis and more precisely to the quality of service (QoS) management in IMS and NGN architectures. The first realization is the coordination of and the contribution to the state of the art on QoS, by first presenting the existing QoS mechanisms in the networks and then by a precise analysis of the QoS in IMS and in the NGN architecture, according to TISPAN. This first document has been supplemented by the study of the transport layer to guarantee QoS in the TISPAN NGN architecture according to three axes:
• Within a domain. This led to the proposition of an algorithm to allocate and share the domain resources between the flows according to the QoS. [1]
• In the inter-domain context. TELECOM Bretagne proposed an architecture to optimize inter-domain routing of the flows with QoS and evaluated its performance. [2],[3]
• The interactions between the protocols. The proposed architecture has been applied to the scenarios defined in the project.

In the project, TELECOM Bretagne has focused on the relationships between the IMS core and the transport layer and on the mechanisms needed in the transport layer to provide QoS in an efficient manner for multimedia sessions.

One of the most difficult aspects of guaranteeing end-to-end QoS during a multimedia session is to obtain an inter-domain path with the appropriate QoS guarantees. This implies a negotiation between the chain of domains and the allocation of the resources for the flow. The traditional inter-domain routing protocol BGP (Border Gateway Protocol) is a solution to find an inter-domain path but it is not able to provide any QoS indication or guarantee. The IETF is currently working on the definition of a new element in the network to solve the problem of finding an inter-domain path with constraints. This element, called PCE (Path Computation Element), can be seen as an overlay, each domain having one or several PCEs, communicating together in order to compute a path with the required properties. These properties can be related to QoS, to network optimization, to traffic engineering issues, …

Conclusion

This project has given us the opportunity to study and immerse ourselves in the IMS and NGN architecture. These subjects are especially active and mobilize the main operators and actors of the network community as well as the content delivery community. TELECOM Bretagne focused on the interaction of the IMS core with the transport layer, especially in an inter-domain context, to guarantee QoS for some very important flows. The consortium has been very active and the dynamic generated has led to the submission of the NextTV4all project by DGE. NextTV4all is a project that aims at constructing high-value service offers. The objective is to develop an audio-video content delivery system based on IMS and the fixed-mobile convergence for network and services and following the anywhere/anytime concept. The activity on inter-domain networking with QoS, developed at TELECOM Bretagne, will be continued in the NextTV4All project within the multi-X axis (multi-AS, multi-devices, multi-users, multi-providers).

References

[1] BERTRAND Gilles, TEXIER Géraldine. DiffServ-Aware Flow Admission Control and Resource Allocation Modeling. Workshop on IP QoS and Traffic Control, 6-7 December 2007, Lisbon, Portugal, IST Press, 2007.
[2] BERTRAND Gilles, TEXIER Géraldine. Ad-hoc Recursive PCE Based Inter-domain Path Computation (ARPC) Methods. Fifth International Working Conference on Performance Modeling and Evaluation of Heterogeneous Networks (HET-NETs), 18-20 February, Karlskrona, Sweden, 2008.
[3] BERTRAND Gilles, TEXIER Géraldine. Intégration du routage PCE aux réseaux de prochaine génération avec IMS. 9èmes Journées Doctorales en Informatique et Réseaux (JDIR'08), 17-18 January 2008, Villeneuve d'Ascq, France, 2008.
[4] BERTRAND Gilles, The IP Multimedia Subsystem in Next Generation Networks. http://www.rennes.enstbretagne.fr/~gbertran/files/IMS_an_overview.pdf


Radio Resource Management in Wireless Networks

WiMAX Radio Resources Management and Capacity Estimation

Research Staff: Xavier Lagrange, Patrick Maillé, Loutfi Nuaymi – Ph.D. Student: Aymen Belghith
Keywords: WiMAX, scheduling, QoS, capacity estimation, resource management, pricing
Applications: Wireless Internet Access
Partners & Funding: Region Bretagne

Introduction

WiMAX (Worldwide Interoperability for Microwave Access) Broadband Wireless Access Technology is based on the 802.16-2004 standard and its amendment 802.16e [1].

This standard defines the physical (PHY) and medium access control (MAC) layers for fixed and mobile broadband wireless access systems. Devices set up a so-called service flow to transfer data. A service flow is a MAC transport service that provides unidirectional transport of packets with a given quality of service either on the uplink (packets transmitted by the SS, Subscriber Station) or on the downlink (packets transmitted by the BS, Base Station). Dynamic service management is used to add a new service flow, change the QoS parameters of an existing service flow and delete an existing service flow.

The WiMAX radio resource system is very open and many algorithms are important for capacity: admission control, scheduling, power control, pricing, etc. In this work, we intend to study some parts of WiMAX radio resource management and then propose estimations of WiMAX capacity for some scenarios and environments. This work is carried out in the framework of a PhD study with partial funding from Région Bretagne.

Realization

First, a study of dynamic service management was carried out. The power control in the WirelessMAN-OFDM PHY layer was studied. The power control has two stages: the initial calibration and the periodic adjustment procedure. Then, a review of WiMAX scheduling techniques was made. The WiMAX scheduling environment as defined in the IEEE 802.16 standard is very open and includes many tools. Classical scheduling algorithms such as Round Robin or Max SIR (Signal-to-Interference Ratio) can be adapted or associated with other algorithms for WiMAX. Another trend is to define scheduling algorithms specifically for WiMAX.

An important software development effort allowed the integration of various MAC functionalities in an existing NS-2 (Network Simulator) WiMAX module [2]. We introduced several WiMAX QoS features, the implementation of some schedulers and the evaluation of some parameters. Our modified WiMAX NS-2 module is described in detail in [3]. New interesting simulation results about WiMAX scheduling were obtained and will be published in [4]. The spectrum efficiency and mean sojourn time performance measures are determined through simulations. Spectrum efficiency is plotted for different schedulers (see Fig. 1). We verify that the maximum SIR (mSIR) scheduler provides the highest spectrum efficiency and the worst delay to deliver data frames, independently of the quality of the channel.

Fig. 1: Spectrum efficiency

Future Work

Other WiMAX scheduling studies are currently being finalized and will be submitted to two research conferences.

Another direction is the association of WiMAX resource allocation and pricing. As already mentioned, WiMAX has different QoS classes, each having different parameters. Pricing policies can be designed in order to optimize various criteria: data rate sum, operator revenue, QoS considerations, etc.

References

[1] L. Nuaymi, WiMAX, Wiley, 2007.
[2] Seamless and Secure Mobility, http://www.antd.nist.gov/seamlessandsecure.shtml, Last visit: September 2007.
[3] A. Belghith and L. Nuaymi, "Design and Implementation of a QoS-included WiMAX Module for NS-2 Simulator," in Proc. of SimuTools 2008, Marseille, France, 3 - 7 March 2008.
[4] A. Belghith, L. Nuaymi, "WiMAX capacity estimations and simulation results," VTC2008-Spring, Singapore, May 2008.


Packet scheduling and resource sharing in HSDPA

Research Staff: David Ros, Laurent Toutain – Ph.D. Student: Kamal Deep Singh (IRISA)
Keywords: HSDPA, scheduling, video streaming, subjective video quality
Applications: UMTS network, mobile multimedia
Partners & Funding: in collaboration with IRISA

Introduction

High Speed Downlink Packet Access (HSDPA) is a packet-based data service in UMTS networks that supports data rates of several Mbit/s, making it suitable for data applications ranging from file transfer to multimedia streaming. In spite of the fairly high data rates that HSDPA offers, the shared downlink radio channel used in HSDPA is still a challenging environment for delay- and loss-sensitive applications like video streaming.

The first issue we have dealt with is the general problem of resource partitioning for shared wireless links like HSDPA. We considered different QoS classes or user groups, as shown in the figure below. We have studied how resource allocation among those groups, as well as between individual users, may be done using HSDPA MAC-layer scheduling.

In the past, we have looked at several issues related to the streaming of video over wireless links in general, and HSDPA in particular. The more recent work reported here concerns the complementary issues of packet scheduling and resource sharing in HSDPA.

This work was performed in the framework of a Ph.D. thesis funded by the Conseil Régional de Bretagne, co-advised by two staff members of the RSM department. The thesis was completed in December 2007 [1].

Realization

In wired links, the task of partitioning resources (e.g., bandwidth) among flows, flow aggregates, users, etc. is relatively easy since the link capacity is known and fixed. Nevertheless, such partitioning is complex for wireless links with variable capacity; due to the dynamic nature of the link, it is difficult to effectively allocate the resources (i.e., time slots) between users who may be paying different prices for different services.

One of the salient points of HSDPA is the use of MAC-layer scheduling to perform resource management (i.e., bandwidth allocation between terminals), taking into account the radio channel conditions of all users. In some proposals, additional factors like fairness between users, cell throughput or quality-of-service (QoS) parameters are also considered in the scheduling mechanism.

Without loss of generality, we have focused on the case in which there are two classes: one consists of best-effort (BE) users, and the other of video streaming users. Existing scheduling schemes often allocate resources in such a way that the BE users are not guaranteed any time slots; they only get the residual time slots after the QoS requirements of the other users are satisfied. This type of resource allocation can cause instability, in the sense that during congestion periods the BE users will be starved. Note that even a single user in a higher-QoS class suffering from bad channel quality (even if temporarily) can cause starvation of the BE users. Starvation will last at least for the time needed by the RNC to step in and take appropriate congestion control measures.

In order to perform hierarchical link sharing (i.e., between QoS classes and then between users in each class), a variant of an existing scheduler, the so-called Required Activity Detection scheduler [2], was introduced in [3]. Also, in order to avoid the starvation problem described above, we proposed that a lower class be considered a single virtual user of the next higher-QoS class. This type of allocation is then applied iteratively for all the other classes. In our simple study case, the whole BE class is considered as a single virtual user of the next higher-QoS class. The resources allocated to this virtual user are then further divided among the “real” users in that class. Thus, the resources guaranteed to every BE user are not nil, since some amount of time slots is reserved for the whole class. During congestion, the degradation in service will be shared in proportion to the resources allocated to the virtual user and all the BE users.

The proposed scheme was evaluated by means of simulations using the well-known ns-2 tool. The results of our study, presented in [3], show that our scheme gives a low probability of unsatisfied QoS users in the operable region, and prevents the starvation of best-effort users.

Secondly, we have proposed an improvement of another existing QoS scheduler [4]. When allocating the available bandwidth, our proposed mechanism, called the Normalized Rate Guarantee (NRG) scheduler [5], takes into account the fact that QoS requirements (in terms of minimum bandwidth) may vary from one flow to the other. It tries to apportion loss rates in a fairer way during congestion. Another goal of NRG is to avoid the deterioration of QoS when the best-effort load is increased.

Performance evaluation of NRG was done using traces of a real reference video encoded using the H.264 format. We verified the insensitivity of the loss rate to the BE load, as shown in the figure below.

The next figure shows how, with NRG, the average PSNR (peak signal-to-noise ratio) of the video is kept stable while the BE load increases. A similar improvement was also observed in terms of the subjective video quality, as assessed by means of the Pseudo-Subjective Quality Assessment (PSQA) metric. As can be seen in the two figures, the original scheduler (labeled “hosein”) does not possess such desirable properties.

Conclusion

The work presented above is related to the problem of resource sharing in HSDPA networks by means of MAC-level scheduling. We have introduced improvements to existing schedulers that can yield significant performance benefits. Moreover, we have proposed a way of sharing bandwidth that avoids starvation of best-effort users, while at the same time taking into account the QoS constraints of video streaming users.

References

[1] K.D. Singh. Improving Quality of Service and Resource Utilization for Multimedia Streaming over Third Generation Mobile Networks. PhD thesis, Université de Rennes 1, December 2007.
[2] T.E. Kolding. QoS-aware proportional fair packet scheduling with Required Activity Detection. In Proceedings of IEEE VTC 2006 Fall, Montréal, September 2006.
[3] K.D. Singh, D. Ros, L. Toutain and C. Viho. Proportional Resource Partitioning over Shared Wireless Links. In Proceedings of IEEE VTC 2007 Fall, Baltimore, September 2007.
[4] P. Hosein. QoS Control for WCDMA High Speed Packet Data. In Proceedings of 4th IEEE International Workshop on Mobile and Wireless Communication Network, Stockholm, September 2002.
[5] K.D. Singh and D. Ros. Normalized Rate Guarantee Scheduler for High Speed Downlink Packet Access. In Proceedings of IEEE GLOBECOM, Washington, December 2007.


Multicast for high speed wireless networks

Research Staff: Xavier Lagrange – Ph.D. Student: Neila El Héni
Keywords: multicast, scheduling, QoS, resource management, HSDPA
Applications: Wireless Internet Access
Partners & Funding: TELECOM Bretagne

Introduction

Multicast services have received a lot of attention in recent years. MBMS (Multimedia Broadcast/Multicast Service) is currently specified in the 3GPP recommendation. However, the focus is on the access and the core network rather than on the radio interface.

In parallel, high speed data transmission has been specified on existing radio interfaces: for instance HSDPA (High Speed Downlink Packet Access) is defined for UMTS (Universal Mobile Telecommunications System). The main principle is to split data into short blocks and to use statistical time-based multiplexing: at each TTI (Transmission Time Interval) a scheduler decides which user to serve based on the states of the different queues and on the instantaneous quality of the channel of each user. Furthermore, HSDPA includes link adaptation: the level of redundancy is reduced if the channel quality is good and hence the user-data block size is higher.

The standard way to manage multicast services on the radio interface is to duplicate transmissions to the different User Equipments (UEs). We call this approach "multiple unicast". This may however considerably waste radio resources if there are several users registered to the same service in the same cell, as only one user is served at each TTI. In this work, we therefore study how real multicast may be defined on the radio interface and what its performance is.

Realization

In order to avoid packet loss, a multicast scheduler must consider the worst case, i.e., adapt the block size (hence the level of redundancy) to the mobile of the multicast group that has the lowest SNR. By contrast, in multiple unicast the scheduler may choose to serve the user that has the best SNR at each TTI. Hence, the gain of using such a conservative multicast scheduling in standard systems is not easily predictable compared to an optimal multiple unicast.

We compared the performance of multicast and multiple unicast for several UEs that have the same mean SNR but random instantaneous values due to different fading conditions. We define the multicast gain as the ratio between the maximum user rate at the base station for multicast and the equivalent rate for multiple unicast. It can be seen in figure 1 that below a mean SNR of approximately 5 dB multiple unicast must be preferred. Above this value, multicast is better. The gain is higher if a larger number of users is considered.

Figure 1. Multicast gain as a function of the mean SNR

The performance was studied [2] for a generic system by using the Shannon formula, but the results were confirmed by a simulation on the Eurane simulator [1].

Future Work

The study will be extended to a more general case with different mean SNRs. Different scheduling policies will be studied for multicast. An interesting extension is also to consider how macro-diversity can improve the performance of multicast.

References

[1] Eurane website. http://www.tiwmc.nl/eurane/
[2] N. El Héni, X. Lagrange, "Multicast vs multiple unicast scheduling in high-speed cellular networks," VTC2008-Spring, Singapore, May 2008.
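The multicast versus multiple unicast comparison described above can be reproduced with a short Monte Carlo model. This is an added example, not the simulation used in [2]: it assumes independent Rayleigh fading per user and per TTI (exponentially distributed instantaneous SNR), a best-SNR scheduler for multiple unicast, and the Shannon formula for the rate; all function names are hypothetical.

```python
import math
import random


def shannon_rate(snr_linear):
    """Spectral efficiency (bit/s/Hz) given by the Shannon formula."""
    return math.log2(1.0 + snr_linear)


def multicast_gain(n_users, mean_snr_db, n_tti=20000, seed=1):
    """Ratio of the per-user rate under multicast to the per-user rate
    under multiple unicast, for n_users with the same mean SNR.

    Assumptions (not from the report): Rayleigh fading, independent
    across users and TTIs; full-buffer traffic; ideal link adaptation.
    """
    rng = random.Random(seed)
    mean_snr = 10 ** (mean_snr_db / 10.0)
    multicast_bits = 0.0
    unicast_bits = 0.0
    for _ in range(n_tti):
        snrs = [rng.expovariate(1.0 / mean_snr) for _ in range(n_users)]
        # Multicast: the block is sized for the worst user of the group,
        # and every one of the n_users decodes it in this TTI.
        multicast_bits += n_users * shannon_rate(min(snrs))
        # Multiple unicast: only one user is served per TTI; the scheduler
        # picks the user with the best instantaneous SNR.
        unicast_bits += shannon_rate(max(snrs))
    # Both totals are useful bits delivered to the group, so their ratio
    # equals the ratio of the per-user rates.
    return multicast_bits / unicast_bits


def crossover_db(n_users, lo_db=-5, hi_db=20):
    """First mean SNR (1 dB steps) at which multicast beats multiple
    unicast in this model, or None if it never does in [lo_db, hi_db]."""
    for snr_db in range(lo_db, hi_db + 1):
        if multicast_gain(n_users, snr_db) >= 1.0:
            return snr_db
    return None


if __name__ == "__main__":
    print("mean SNR (dB)   gain N=2   gain N=4   gain N=8")
    for snr_db in (-5, 0, 5, 10, 15):
        gains = [multicast_gain(n, snr_db) for n in (2, 4, 8)]
        print(f"{snr_db:>13}   " + "   ".join(f"{g:8.2f}" for g in gains))
    print("crossover for N=2 (dB):", crossover_db(2))
```

At low mean SNR the gain falls below 1 because the worst-user rate collapses faster than the best-user rate; at high mean SNR serving all users at once wins, and more so as the group grows.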


Management of Multiple Access Networks

Network centric QoS management in an operator heterogeneous mobile network

Research Staff: Jean-Marie Bonnin – Ph.D. student: Anis Zouari
Keywords: heterogeneous access networks, QoS, vertical handover, seamless mobility
Applications: mobile operator networks
Partners & Funding: CIFRE France Telecom R&D

Introduction

In the current-generation wireless communication systems, users have a large choice of access technologies for their Internet connections: cellular networks, such as the Universal Mobile Telecommunications System (UMTS), and wireless local networks, such as wireless local area networks (WLAN) or World Interoperability for Microwave Access (WiMAX). As a result, many research activities are investigating the issues of using mobile terminals which may have multiple wireless cards in current networks. However, delivering advanced services, preferably seamlessly and in the "best" manner, over these various access technologies requires both enhanced network decision and execution capabilities as well as many more functionalities in the end terminals.

Realization

A functional definition of the QoS and mobility mechanisms to be specified has been issued. This step builds on a survey of various QoS management approaches such as the ones proposed in the DAIDALOS [1] and Ambient Network [2] European projects. Then, the complete specifications of the mechanisms previously defined have been designed.

In the new proposed architecture, the handover decisions are distributed dynamically between several entities according to the load conditions of the network and the requirements of the applications and the users. We specified a solution compatible with the experimental models developed at Orange-Lab: the proposed QoS mechanisms are to be integrated into the mobility management model called Hierarchical and Distributed Handover management [3].

Then we integrated the QoS mechanisms into the hierarchical and distributed architecture designed in the first phase of this work: these mechanisms are distributed throughout the different entities of the proposed architecture. The QoS and mobility management mechanisms have been enhanced by the following functional processes:

1) Algorithm used to decide which handover type should be performed: the proposed architecture supports multiple types of handover execution such as Make-before-break handover, Break-before-make handover, Anticipated handover and Unanticipated handover. In this case, the handover to be performed will be chosen according to the application and client type, in order to satisfy the requirements of any application.

2) QoS data transfer (such as QoS parameters): QoS data needed during a handover will be divided into several parts according to where the information is currently located. For example, parameters related to the core network, parameters related to the IP access network (transmission delay), parameters related to the radio access network (bandwidth) and parameters related to the point of attachment (class of service). In order to improve the performance of the mechanism for transferring QoS data, some information can be broadcast either to a list of IP access network managers, a list of radio access managers or a list of candidate points of attachment.

3) Proactive distributed negotiation: QoS parameters will be shared between several levels. At each level, the negotiation process is performed for the parameters associated with this level. In addition, a controlled or assisted network negotiation is integrated into this architecture.

We compared the negotiation process designed in the new architecture to the one applied in UMTS Release 5 [4]. The results show that our approach is more scalable than the UMTS one, since the amount of data needed to achieve a negotiation is reduced under different scenarios.

Perspectives

Future work will focus at first on the implementation of these mobility and QoS management mechanisms. OPNET will be used as a simulation tool for developing the modules needed to define the entities of the proposed architecture. These modules incorporate the newly defined mechanisms. As examples of modules to be developed, we can cite the QoS negotiation module, the transfer module needed for broadcasting necessary QoS data during a handover and the QoS context mapping module used to hide the diversity of radio networks and QoS protocols integrated into the IP network. In the second phase, the work will be focused on the validation of the developed implementation by performing scenario tests and a list of measurements.

References

[1] Gustavo Carneiro, Carlos García, Pedro Neves, Zhikui Chen, Michelle Wetterwald, Manuel Ricardo, Pablo Serrano, Susana Sargento, Albert Banchs, "The DAIDALOS Architecture for QoS over Heterogeneous Wireless Networks", 14th IST Mobile & Wireless Communications Summit, June 2005, Dresden, Germany.
[2] IST-Ambient Networks, "Mobility Architecture and Concepts Annex", Internal Deliverable D4.2, March 2005.
[3] L. Suciu and K. Guillouard. A hierarchical and distributed handover management approach for heterogeneous networking environments. The 3rd International Conference on Networking and Services, Athens, Greece, June 2007.
[4] A. Zouari, K. Guillouard, and J.-M. Bonnin. Performance analysis of distributed QoS negotiation during session establishment. In 3rd ACM International Workshop on QoS and Security for Wireless and Mobile Networks (Q2SWinet 2007), Chania, Crete Island, Greece, October 22 2007.


Adaptation of Multimedia Flows in a Seamless Mobility Context

Research Staff: Jean-Marie Bonnin – Ph.D. Student: Dominique Pichon
Keywords: heterogeneous access networks, service adaptation, seamless mobility, multimedia streaming
Applications: mobile operator networks
Partners & Funding: CIFRE France Telecom R&D

Introduction

In the past few years several techniques have been designed to enable session continuity during mobility events. Nevertheless, such events often entail long-term effects on the terminal execution environment, which can have severe repercussions on services as common as video streaming.

This work aims at proposing, simulating and implementing a generic architecture that would allow any kind of service to cope with mobility events. During the first part of this work a comprehensive survey was carried out and a first version of a new architecture was designed, which is currently under evaluation.

Achievements

A survey of work dealing with service adaptation in the mobile network context has been completed. Its conclusions led us to define a generic architecture complying with the Next Generation Network paradigm. This model is currently used as a basis to specify, simulate and implement simple scenarios that show the potential advantages of the proposed generic architecture.

Services such as multimedia streaming require a specific architecture to run in a heterogeneous environment. Usually QoS architectures are implemented to guarantee a certain level of performance, which may include adaptation mechanisms, such as the ones used in proxies to adapt the multimedia content to the best achievable quality. However, mobility makes this environment dynamic. This causes important changes in the service environment and leads to major disruptions in service execution.

A mobility intelligence is therefore required to manage complex decisions such as the choice of the best datapath in the operator network. In a similar way, a service intelligence is also needed to analyze the service running environment (e.g., user profiles and so on) and to determine the way a service should run to allow the best user experience. These intelligences are distributed from the source to the terminal, including any entity taking part in the service, and should closely collaborate as their decisions are linked.

The adaptation architecture must be compatible with any service platform. In this context, the IP Multimedia Subsystem represents a good candidate to determine the adaptation chain throughout its lifetime, from the service negotiation to its invocation and execution. The adaptation architecture should not be tied to any mobility protocol, but it could take this factor into account, for instance to determine the adaptation entity localization.

These conclusions resulted in a generic architecture, wherein a mobility manager and a service manager dedicated to the session management work together in order to accurately adapt a service according to its runtime execution environment. This architecture and its motivations are detailed in a paper to be presented at HET-NETS'08 [1].

Future works

This model has also been used to specify a demonstration that will show a basic adaptation of a scalable video in reaction to handovers between heterogeneous networks, such as WiFi and UMTS.

Extensive simulation work (under OPNET) has been planned to demonstrate the interest of the proposed architecture and to propose a typical deployment.

Reference

[1] Dominique Pichon, Karine Guillouard, Pierrick Seité, Jean-Marie Bonnin, HET-NETS'08, "Adaptation of Multimedia Flows in a Seamless Mobility Context Using Overlay Networks", February 2008


Rethought Mobility Management in Future Multi-technologies Access Networks

Research Staff: Xavier Lagrange, Jean-Marie Bonnin – Ph.D. Student: Philippe Bertin
Keywords: ambient networks, mobile networks, heterogeneous access networks
Partners & Funding: France Telecom Thesis with Pracom

Description

In the near future, our network environment will undoubtedly be highly heterogeneous, in terms of access technologies of course, but also regarding the functional architecture. As different access networks have been standardized by different organizations, they operate in ways which are based on different assumptions and with a diversity of optimization goals and means.

The aim of this work is to define a common (minimal) access network functional architecture able to integrate different access technologies coming from different standardization bodies. This architecture should be able to benefit from mesh as well as collaborative networks to extend its coverage. The mobility management should take into account resources and QoS management in a network-centric way to allow integrated operators to offer a seamless service to their customers.

Achievements

A state of the art on fixed and mobile access network architectures has been completed. A list of the essential functions we found in the different architectures is under way, with a focus on those related to mobility management.

A preliminary study has been completed on the use of host routing approaches to support mobility management in packet-based wireless networks, where it is generally realized with various tunneling protocols. Tunneling approaches require specific mechanisms to set up and maintain tunnels in the network for each attached or active mobile node. Other alternatives to tunneling were proposed some years ago based on per-host routing approaches (Cellular IP, Hawaii) but have not yet been adopted by standards. Per-host routing has the advantage of being easily introduced in existing IP routing protocols without modifications. We evaluated both approaches in a WLAN environment through simulations. Results show that handover delay is negligibly impacted in our per-host scheme, whereas it is strongly penalized in tunneling approaches.

Future works

For the remainder of the work, a multi-technology access architecture will be proposed. Its aim is to support neighboring-based connectivity management schemes between Base Stations and Access Points from different technologies (e.g. 2G, WCDMA, LTE, WiMAX, WiFi, any new 4/5G technology…). We consider that access network entities will be part of the same access network in order to allow a given terminal and communication flow to make use of optimized connectivity adapted to its own requirements. In this novel approach, any new technology could be easily deployed using the common network infrastructure, architecture and protocols, while the impact of inter-technology convergence mechanisms becomes negligible.


Optimized mobility management in heterogeneous access networks

Research Staff: Nicolas Montavont, Jean-Marie Bonnin, Xavier Lagrange
Ph.D. student: Richard Rouil
Keywords: heterogeneous access networks, seamless mobility, IEEE 802.21, wireless network simulation, NS-2
Applications: ITS, transportation system
Partners & Funding: NIST (National Institute of Standards and Technology, USA)

Introduction

The main objective of this project is the design and simulation of a unified framework to manage handover across heterogeneous environments. The target scenario is the management of multiple mobile nodes that access the Internet through various communication technologies. In this context, it is important for mobile nodes to learn the environment characteristics to help distribute flows over the available network attachments. In this learning process, we need to focus on the handover delay in order to make mobility as seamless as possible. In order to speed up flow redirection across the various interfaces, we will then develop strong interaction between layers.

In addition to the environment discovery, an information exchange mechanism among the different nodes in the system needs to be developed in order to enhance the global knowledge of the network topology on each node. This work is therefore tied to the standardization effort of IEEE 802.21, which designs mechanisms to enable handover and interoperability between heterogeneous network types, including both 802 and non-802 networks.

The second major topic of this project is the simulation framework. Research in telecommunication has always relied on simulation for evaluation purposes. Whether for the deployment of wireless base stations or for the investigation of corner cases of a particular protocol, the simulation tool brings an important evaluation framework to a validation process. It complements performance analysis and allows focusing on a set of parameters to adjust the specification of a protocol. In this project several scenarios are simulated to investigate all aspects of mobility.

Realization

A new IEEE 802.16 model has been designed for the network simulator NS-2 [1]. This simulation framework has been adopted by the WiMAX forum as the official IEEE 802.16 simulation model. It provides the MAC and PHY layers on both Base Station and Mobile Station. We also proposed a set of scheduling algorithms for the base stations to control slot allocation in the WiMAX system [2].

Lately, we have focused on the MIH message transport. In the standard, the actual transport mechanism is not specified, but the MIH messages can be carried over layer 2, layer 3, or any layer above. The need for low packet latency and reliability dictates the selection of the transport protocol. If the necessary signaling is not completed prior to losing connectivity, the mobile node relies solely on local information and may connect to an invalid network. The main reason to trigger a handover is a degradation in signal quality. This also means that the connection is suffering from a higher packet loss rate. Thus the transport protocol carrying the MIH messages must be able to maintain its service under conditions of high packet loss rate. Traditional transport protocols, namely User Datagram Protocol (UDP) and Transmission Control Protocol (TCP), provide communication between two Internet Protocol (IP) addresses and rely on additional mechanisms such as Mobile IP to handle mobility.
This means that the performance of these protocols is dependent on the mobility protocol located at the network layer. In contrast, Stream Control Transmission Protocol (SCTP) embeds multihoming and multistreaming capabilities. The Dynamic Address Reconfiguration also allows SCTP to perform layer 4 handovers. Thus we are studying the advantages and performance of these transport protocols in order to provide a comprehensive analysis. This analysis has been presented at the IETF, in the MIPSHOP working group, in order to initiate discussion on the choice of the transport protocol.

Conclusion

The project will finish at the end of 2008, and we cover several IEEE 802.21 issues. The study of Layer 2 handover in different access technologies (IEEE 802.11, 802.16) and the usage of MIH functions make it possible to perform efficient and seamless handover. In order to transport the MIH messages, which may include decision policies, we study available transport protocols. SCTP seems to be a good candidate in terms of security, reliability, multihoming and mobility support.

References

[1] Richard Rouil, IEEE 802.16 implementation in NS-2, http://w3.antd.nist.gov/
[2] Richard Rouil, Nada Golmie, Adaptive Channel Scanning for IEEE 802.16e, Military Communications Conference (MILCOM 2006), Oct. 2006, Washington, DC
[3] Nicolas Montavont, Badii Jouaber, and Richard Rouil. “Gemoth technical report”, https://labo4g.enstb.fr/twiki/pub/Labo4G/ProjetsGemoth/gemoth-technical-report.pdf.

Mobility and Multihoming: interaction and benefits

Research Staff: Nicolas Montavont – Ph.D. Student: Amine Dhraief
Keywords: heterogeneous access networks, IPv6, multihoming, mobile IPv6
Applications: ITS, transportation
Partners & Funding: Region Bretagne

Introduction

A new digital, and above all wireless, world is knocking at the door. Wireless technologies now offer high performance and make it possible to get rid of cables. However, there is no single communication technology that can meet all user needs, such as wide coverage areas, high data rate and support for mobility. Instead, terminals integrate several means of communication, which allows taking advantage of each independent technology. This results in multihomed terminals that can access network resources through different routes.
Multihoming is an important feature that allows communication flows to be distributed over a set of paths (or interfaces), or recovery upon failure. However, while IPv6 offers a framework for multihoming, standard systems do not take full advantage of the benefits multihoming can offer.

This project tackles this problem by enabling full multihoming support, especially in a mobile context. The typical scenario considered is a mobile network which can access the Internet via different paths and distribute its traffic according to a set of preferences. Location management, failure discovery and flow redirection are some of the issues this project is focusing on.

This work is conducted in the framework of the Moshi PhD project (MObility and SHIm) funded by région Bretagne. It began in September 2006.

[Figure: multihoming through ISP1 and ISP2 to the Internet. Prefix delegations: 2001:660:7301:3728/64, 2001:660:220:101/64, 2001:660:220:102/64. Each address is an IPv6 prefix followed by the interface identifier: Address 1 = 2001:660:7301:3728:250:daff:fede:f7b4, Address 2 = 2001:660:220:101:250:daff:fede:f7b4, Address 3 = 2001:660:220:102:250:daff:fede:f7b4.]

Realization

During the first year of the project, we studied the bibliography and evaluated several protocols (SHIM6, HIP, SCTP). This evaluation made us choose SHIM6 as the basic protocol for the remaining work. SHIM6 was chosen because it offers a generic framework over IPv6 that can be easily deployed.

In 2007, we focused on the impact of mobility on SHIM6 operations. SHIM6 is a protocol designed to support multihoming. However, we envision that most nodes in the Internet will be mobile, therefore we analyze the SHIM6 operation in a mobile environment.

On one hand, we may consider associating SHIM6 with a mobility protocol, such as Mobile IP. However, such a combination might introduce a significant cost in terms of design and implementation (two abstract layers in the IP layer) and in terms of overhead, since a packet may be encapsulated several times. Therefore, we propose in [2] the study of SHIM6 operation on a mobile node. We conclude that with a proper use of Update Request and Update Acknowledgement messages, a SHIM6 context can be updated with new IPv6 addresses that are acquired while the node is on the move. The main concern with such usage is the handover latency. New network discovery seems to be the major part of the handover process, and we found that IPv6 optimizations for router and prefix discovery that were designed to enhance mobility protocols can be used with SHIM6 as well.

The experiments we performed gave us a new perspective and highlighted some additional issues. In a multihomed environment, when a mobile node acquires a new address, we need a decision algorithm that indicates whether the new address must be used or not. We are currently investigating this decision algorithm.

Conclusion

With the large number of network protocols that have recently been proposed, it is important to evaluate the features and the overhead introduced by each of them. As we envision that in the near future most nodes will be mobile and multihomed, we need to support both mechanisms. Instead of putting together several protocols, we showed that SHIM6 may be used for both mobility and multihoming support. We still need to determine the overhead of this protocol compared to others, and we also need to adjust some parameters of the SHIM6 protocol, such as the decision algorithm or the movement detection mechanism.

References

[1] Geoff Huston, Multi-Homing and Identity in IPv6, Internet Society Publications, June 2004
[2] Amine Dhraief, Nicolas Montavont, Toward Mobility and Multihoming Unification: the SHIM6 protocol: a case study, IEEE Wireless Communications and Networking Conference (WCNC 2008), March 31 - April 3 2008, Las Vegas, USA


Security & Mobility

Use of a Context Transfer Protocol to reduce operational cost of access control

Research Staff: Jean-Marie Bonnin – Ph.D. students: Fabien Allard
Keywords: heterogeneous access networks, seamless handover, secured handover, context transfer, IPsec, PANA
Applications: mobile operator networks
Partners & Funding: CIFRE France Telecom R&D

Introduction

When moving, a wireless user may need to switch from one access point to another. The radio link is generally secured (authentication of the user, ciphering, …) and the same level of security must be kept after any kind of handover. Two solutions may be used: setting up a new secured link during the handover, or transferring security information to re-establish the security context.

"Context transfer" refers to a technique in which information regarding a mobile terminal is transferred in the infrastructure network between two points of attachment. The goal is to avoid service disruption due to the time needed to re-establish the context at the new point of attachment during a handover. The context transfer mechanism is particularly suited to security services.

The goal of this work is to implement a secure handover scheme based on the context transfer protocol defined by the IETF and then compare it with pre-authentication-based solutions through simulation and an actual test-bed. This work contributes to the DAIDALOS II European project.

Realization

The principle of the context transfer mechanism is the following: when a mobile node moves to a new access equipment, it needs to continue flows that have already been established at the previous access equipment. These services are known as "context transfer candidate services". We limit our scope to contexts related to security, like IPsec, PANA, 802.1X, etc., and we mainly focus on the solution defined by the IETF: the Context Transfer Protocol (CXTP – RFC 4067) [1].

We implemented IPsec context transfer with CXTP. An article on IPsec context transfer in an IPv6 mobility environment has been published in the BWIA07 workshop and in the IJCNDS journal [3]. It presents the IPsec contexts and the test-bed where the IPsec context transfer is implemented.

For the DAIDALOS II European project, CXTP has been fully implemented under OMNET++, in order to compare CXTP to pre-authentication mechanisms. Optimizations of CXTP for intra- and inter-domain cases have been proposed in order to improve the protocol security: improvement of the authorization token management, decrease of the ‘domino effect’ vulnerability window size, interaction with PANA and IPsec regarding the mobility protocol (NETLMM or MIPv6). A study of the use of MOBIKE (another mobility management scheme) with CXTP has been carried out. A security proof of CXTP in predictive mode (MIHO and NIHO cases) has been done in HLPSL using the AVISPA project tools [2].

Regarding the implementation work, SPD (security policy database) context transfer has been implemented and other improvements have been made: automatic management of the IP addresses of the mobile node and the access routers during execution, inter-process communication using signals, and transfer and configuration of both contexts (i.e. SAD and SPD) in one execution. These improvements were made in order to begin the last step of this implementation: the transfer of the IKE context. This work is done in the scope of the French-Japanese collaborative project NAUTILUS6.


Future work

Our next step is to finalize the implementation of CXTP for IPsec, and particularly the IKEv1 context transfer. Then we will finalize the simulation implementation with support for level 3 protocols, and perform an extensive evaluation of the proposed solutions.

References

[1] J. Loughney et al., “Context Transfer Protocol”, RFC 4067, IETF, 2005
[2] Automated Validation of Internet Security Protocols and Applications (AVISPA), http://www.avispa-project.org/
[3] F. Allard, JM. Bonnin, “An application of the Context Transfer Protocol: IPsec in a IPv6 mobility environment”, International journal of communication networks and distributed systems, 2008, vol. 1, n°1, pp. 110-126

Optimization of Wi-Fi-WiMAX vertical handover

Research Staff: Jean-Marie Bonnin – Ph.D. Student: Mohamed Kassab
Keywords: heterogeneous access networks, vertical handover, secured handover, IEEE 802.11i, WiMAX, Wi-Fi, event-driven simulation.
Applications: ambient networks
Partners & Funding: project funded by France Telecom R&D

Introduction

Nowadays, terminals often include several network interfaces with different wireless technologies such as GSM-GPRS, UMTS, IEEE 802.11 (WiFi) or IEEE 802.16 (WiMAX). Wireless network operators wish to use this technology diversity in order to improve their coverage and the experience of their clients. While some areas may be simultaneously covered by several access networks that use different technologies, network devices may be very distant from each other in terms of number of hops and may use different mobility management mechanisms. Therefore, operators need an efficient vertical handover (i.e. inter-technology) that allows them to mix devices of different technologies in the same access network or in close access networks. It should allow transparent handovers between technologies that are as efficient as horizontal handovers in terms of signaling cost and handover latency, while ensuring good continuity of network services.

The “WiFi-WiMAX project” is a research contract initiated with France Telecom R&D in April 2006. The main goal of the project is to propose vertical handover management solutions operating at layer 2. In particular, we aim at ensuring fast and secure handover between IEEE 802.11 and IEEE 802.16 networks.

Objectives

The objectives of the project are:
• Propose a state of the art of the handover (HO) management solutions proposed in the literature, especially layer-2 and layer-3 solutions,
• Develop intra-technology handover management solutions for IEEE 802.11 and IEEE 802.16 networks,
• Extend the proposed solutions to heterogeneous handovers across both technologies,
• Propose an evaluation of the proposed solutions through analytic and simulation studies,
• Set up a test-bed integrating an implementation of the proposed solutions.

Realization

The project started with the study of vertical handover management solutions in the literature. We proposed a classification of the described solutions based on the layer where they operate. We demonstrated the interest of investigating the possibility of managing vertical handover at layer 2 (without the involvement of a layer 3 mobility management mechanism).

Based on this study, we propose a general framework to optimize HO execution performance at layer 2 using proactive mechanisms.

In a second step, we apply the solutions proposed in the framework to manage fast and secure handover in IEEE 802.11 networks. This work results in two fast re-authentication methods under the IEEE 802.11i security framework. These different proposals have been analytically evaluated under different network architectures.

We develop an implementation of the IEEE 802.11 handover management solutions under the network simulator SimulX. SimulX is an event-driven network simulator developed at TELECOM Bretagne, which is especially designed for heterogeneous wireless access networks and IPv6 mobility. We conduct simulation tests and propose a performance evaluation of the proposed mechanism in a large-scale environment.

Additionally, we proposed a real implementation of the proposed fast re-authentication methods based on a set of open source software that we modify.
We used this test bed to perform functional tests that attest to the proper operation of our mechanisms in a realistic environment.

In a third step, we build on the proposed HO optimization framework to specify inter-technology handover management mechanisms for wireless networks based on IEEE 802.11 and IEEE 802.16. These mechanisms ensure a fast and secure handover for mobile stations while preserving QoS management continuity.

We develop an implementation of inter-technology HO management mechanisms under SimulX. Our goal is to conduct a performance evaluation of these mechanisms.

Future work

The next steps in our work mainly consist of the evaluation of inter-technology HO management mechanisms through simulation tests and analytic study, to evaluate the benefits of these mechanisms and also to determine their limits. Based on the evaluation of inter- and intra-technology HO management mechanisms, we hope to propose a general evaluation of the general framework for HO management proposed in the first step.

References

[1] F. Siddiqui, S. Zeadally, “Mobility management across hybrid wireless networks: Trends and challenges”, Elsevier, Computer Communications, Volume 29, 2006
[2] M. Kassab, A. Belghith, J.-M. Bonnin, and S. Sassi. “Fast Pre-Authentication Based on Proactive Key Distribution for 802.11 Infrastructure Networks”. In 1st ACM International Workshop on Wireless Multimedia Networking and Performance Modeling (WMuNeP 2005), Montreal, Canada, October 2005.
[3] M. Kassab, A. Belghith, J.M. Bonnin, Implémentation de méthodes d'authentification rapides sur un réseau IEEE 802.11. GEI'06, Hammemet, Tunisia, March 2006.
[4] Nicolas Montavont, Julien Montavont, Safaà Hachana, “Wireless IPv6 simulator: SimulX”, 10th Communications and Networking Simulation Symposium (CNS07), March 2007, Norfolk, Virginia, USA.
[5] M. Kassab, J.M. Bonnin and K. Guillouard, Securing fast handover in WLANs: a ticket based proactive authentication scheme. Security and privacy in 4G networks workshop - Globecom'07. November 2007
[6] M. Kassab, J.M. Bonnin, A. Belghith, Fast and secure handover in WLANs: An evaluation of the signaling overhead. CCNC’08, Las Vegas, USA, January 2008.


Security Analysis and Validation

Analysis and deployment of security policies

Research Staff: Frédéric Cuppens, Nora Cuppens-Boulahia, Laurent Toutain
Ph.D. Students: Stere Preda
Keywords: Security component configuration, rule rewriting, policy aggregation
Applications: Automatic deployment of security policies
Partners & Funding: partially funded by ANR in the framework of the RNRT Politess project and by Conseil Régional de Bretagne through the Sec6 grant.

Introduction

The configuration of network security components, such as firewalls and network intrusion detection systems (NIDSs), is usually based on the distribution of security rules that state what is permitted and what is prohibited in a system during normal operations. This configuration must be consistent, addressing the same decisions under equivalent conditions, and not repeating the same actions more than once. Otherwise, the existence of anomalies in these rules may lead to weak security policies (potentially easy to evade by unauthorized parties). Our research work proposes the combination of two main strategies in order to manage this problem. The first strategy is the use of an audit mechanism that analyzes already deployed configurations, signals inconsistencies, and yields consistent configurations. Moreover, through this mechanism we can fold existing policies and create a consistent and global set of rules, easy to maintain and manage by using a single syntax. The second strategy is the use of a refinement mechanism that guarantees the proper deployment of such rules into the system, yet free of inconsistencies.

This work was partially done in Politess (POLitiques de sécurité pour des systèmes d’information en réseau: modélisation, déploiement, TESt et surveillance), an RNRT project, which aims at improving the confidence in security policies by the use of deployment, monitoring techniques and conformance testing.

Realization

To achieve the automatic deployment of security rules, we first formally express the security policy to be enforced using the OrBAC model (Organization Based Access Control). Then we take advantage of the hierarchical structure of OrBAC entities (organizations, roles, activities, views, contexts, permissions and prohibitions) to automatically derive other privileges using the inheritance mechanisms. The inheritance of positive or negative authorizations (permissions and prohibitions) has thus been analyzed and formally stated [1]. Conflict management has also been studied.

The derivation of the security rules is a three-phase process (see figure below).

[Figure: Or-BAC network security policy (XML) → XSLT → generic firewall rules (XML) → XSLT → Checkpoint rules, PIX rules, NetFilter rules, IpFilter rules, ...]

The process has been used to generate security rules for an open source firewall (Netfilter), Netasq IPS (Intrusion Protection System) and also for the intrusion detection system Snort [2].

Our proposed strategies have been implemented as an extension of a software prototype called MIRAGE (which stands for MIsconfiguRAtion manaGEr). MIRAGE implements two different approaches. First, MIRAGE implements an audit process to detect and fix configuration errors over components already deployed.
Second, MIRAGE also implements a refinement process to properly deploy the global set of rules over the system's components [3]. This refinement mechanism guarantees that the set of rules deployed over the different components is consistent and not redundant.

Conclusion

As work in progress, we are currently studying how to extend our approach to the case where the security architecture includes IPv6 devices. More specifically, the construction of new VPN tunnels (e.g., IPv6-over-IPv4) for IPv6 networks must be revised, and more investigation has to be done in order to extend the aforementioned approach. In parallel to this work, we are also extending our approach to make routing and tunnelling policies cooperate.

References

[1] F. Cuppens, N. Cuppens-Boulahia, T. Sans and A. Miège. A formal approach to specify and deploy a network security policy. Second Workshop on Formal Aspects in Security and Trust (FAST). Toulouse, France. August 2004.
[2] S. Preda, N. Cuppens-Boulahia, F. Cuppens, J. Garcia-Alfaro, L. Toutain. Reliable Process for Security Policy Deployment. International Conference on Security and Cryptography (Secrypt 2007), Barcelona, Spain, July 2007.
[3] J. G. Alfaro, F. Cuppens, and N. Cuppens-Boulahia. “Aggregating and Deploying Network Access Control Policies”. In 2nd International Conference on Availability, Reliability and Security (ARES 2007), April 2007.

Expression of security policies

Research Staff: Frédéric Cuppens, Nora Cuppens-Boulahia, Fabien Autrel
Keywords: Security policy, OrBAC
Applications: Security policy specification
Partners & Funding: partially funded by ANR in the framework of the SETIN Polux project

Introduction

Current information systems have to face many threats that attempt to exploit their vulnerabilities. Moreover, since information systems tend to be increasingly complex, specifying their security policy is a tedious and error-prone task.
In this context, specifying consistent, relevant and complete security policies of information systems is a major challenge for researchers.

There are many advantages of using a formal approach to specify the policy: (1) it provides a non-ambiguous specification of security requirements, (2) it is possible to develop support tools to formally analyze these requirements, (3) it is also possible to develop support tools to assist the security administrator in the task of automatically deploying these requirements over a security architecture.

A security policy may actually specify very different security requirements. The literature has primarily focused on access control and information flow control requirements and more recently on authentication and usage control requirements. Specifying administration and delegation policies is also an increasingly important issue, especially in the context of pervasive distributed systems. Finally, the security policy should also specify requirements that apply when some intrusions occur. They are called reaction requirements and are also part of the security policy.

The ANR SETIN POLUX project (Policy Unified Expression) aims to define an environment to express access and usage control policies and apply them to a set of components performing protection, detection and reaction functionalities. The security policy must be specified using precise and non-ambiguous formal languages so that the deployment of the security policy over heterogeneous systems can be formally verified and validated.


Realization

Figure 1 shows a classification we have defined in Polux of the various requirements a security policy may contain. We are currently defining an integrated formalism to specify these different requirements in a unique framework.

Figure 1: Security policy structure

The approach suggested in the POLUX project is to define this framework as an extension of the OrBAC model [1]. For a system to be developed, OrBAC describes the permissions or prohibitions for people to any of the resources of the system (it may apply to configure a firewall as well as to define who can access a given service or database). These rules specify permissions or prohibitions that apply only to specific circumstances, called contexts [2]. OrBAC also provides means to specify the different security policies applicable to the various parts of an organization (sub-organizations). At the end of this specification process, the security policy specifies what should be permitted or prohibited in the system, as a function of contexts, roles, activities and views.

An administration model for the OrBAC model, called AdOrBAC [3], has also been defined and a support tool called MotOrBAC has been implemented and is available as open source software. MotOrBAC [4] can be used to write security policies expressed using the OrBAC model. It provides functionalities to edit a policy, to detect and solve the potential policy conflicts and to simulate the policy.

A new version of MotOrBAC has been written in pure Java and relies on the OrBAC Java API. The OrBAC Java API uses the Jena library to represent the OrBAC policy as an RDF graph and uses the Jena inference engine. The OrBAC Java API has been created to allow developers to integrate the OrBAC security model into their applications.

Our work on MotOrBAC also focuses on the problem of policy deployment. We are working on policy translation mechanisms to integrate into MotOrBAC the possibility to translate parts of a concrete policy inferred from an abstract OrBAC policy into various languages used to configure security software (iptables for instance).

Conclusion

We plan to further develop the OrBAC model, especially to specify information flow requirements, usage control requirements and reaction requirements. The MotOrBAC tool kit will be extended to support the specification of these different requirements.

References

[1] A. Abou El Kalam, R. El Baida, P. Balbiani, S. Benferhat, F. Cuppens, Y. Deswarte, A. Miège, C. Saurel and G. Trouessin. Organization Based Access Control. IEEE 4th International Workshop on Policies for Distributed Systems and Networks (Policy 2003), Lake Como, Italy, June 2003.
[2] F. Cuppens and A. Miège. Modeling contexts in the Or-BAC model. 19th Annual Computer Security Applications Conference, Las Vegas, December 2003.
[3] F. Cuppens and A. Miège. Administration Model for Or-BAC. International Journal of Computer Systems Science and Engineering (CSSE), 19(4), May 2004.
[4] F. Cuppens, N. Cuppens-Boulahia and C. Coma. MotOrBAC : un outil d’administration et de simulation de politiques de sécurité. SAR-SSI. Seignosse, France, June 2006.
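The derivation described in this section, from abstract rules over roles, activities, views and contexts down to concrete permissions, together with the detection of conflicting rules, can be sketched as follows. This is an added example, not MotOrBAC or OrBAC Java API code; the hospital policy, the `derive`, `conflicts` and `decide` helpers, the integer priorities and the default-deny choice are assumptions made for the illustration.

```python
from dataclasses import dataclass

# --- Constructed sample data: every name below is hypothetical ---------------
# (organization, subject, role): the subject is empowered in the role.
EMPOWER = {("hospital", "alice", "physician"),
           ("hospital", "bob", "nurse"),
           ("hospital", "bob", "trainee")}
# (organization, action, activity): the action implements the activity.
CONSIDER = {("hospital", "read", "consult"),
            ("hospital", "write", "modify")}
# (organization, object, view): the object is used in the view.
USE = {("hospital", "rec42", "medical_record")}

# Contexts are named predicates over (subject, action, object, environment).
CONTEXTS = {
    "default": lambda s, a, o, env: True,
    "working_hours": lambda s, a, o, env: 8 <= env["hour"] < 18,
}


@dataclass(frozen=True)
class Rule:
    kind: str        # "permission" or "prohibition"
    org: str
    role: str
    activity: str
    view: str
    context: str
    priority: int    # assumption: a higher number wins a conflict


POLICY = [
    Rule("permission", "hospital", "physician", "consult", "medical_record", "default", 1),
    Rule("permission", "hospital", "physician", "modify", "medical_record", "working_hours", 1),
    Rule("permission", "hospital", "nurse", "consult", "medical_record", "working_hours", 1),
    Rule("prohibition", "hospital", "trainee", "consult", "medical_record", "default", 2),
]


def derive(policy, env):
    """Map each concrete (subject, action, object) to the abstract rules that
    apply to it in the given environment."""
    concrete = {}
    for rule in policy:
        subjects = [s for (org, s, r) in EMPOWER if org == rule.org and r == rule.role]
        actions = [a for (org, a, act) in CONSIDER if org == rule.org and act == rule.activity]
        objects = [o for (org, o, v) in USE if org == rule.org and v == rule.view]
        holds = CONTEXTS[rule.context]
        for s in subjects:
            for a in actions:
                for o in objects:
                    if holds(s, a, o, env):
                        concrete.setdefault((s, a, o), []).append(rule)
    return concrete


def conflicts(policy, env):
    """Concrete triples for which both a permission and a prohibition derive."""
    return {triple: rules for triple, rules in derive(policy, env).items()
            if {r.kind for r in rules} == {"permission", "prohibition"}}


def decide(policy, subject, action, obj, env):
    """Resolve by priority; deny when nothing applies or on an unresolved tie."""
    rules = derive(policy, env).get((subject, action, obj), [])
    if not rules:
        return "deny"                      # assumption: closed (default-deny) policy
    top = max(r.priority for r in rules)
    winners = {r.kind for r in rules if r.priority == top}
    return "permit" if winners == {"permission"} else "deny"


if __name__ == "__main__":
    for hour in (10, 22):
        env = {"hour": hour}
        print(f"hour={hour}")
        for triple, rules in conflicts(POLICY, env).items():
            print("  conflict on", triple, "between", [r.role for r in rules])
        for s, a in (("alice", "read"), ("alice", "write"), ("bob", "read")):
            print("  ", s, a, "rec42 ->", decide(POLICY, s, a, "rec42", env))
```

Because bob holds two roles, the nurse permission and the trainee prohibition both derive for the same concrete access during working hours; outside those hours only the prohibition applies and no conflict exists.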


Security Testing: criteria, fault models and test generation

Research Staff : Yves Le Traon – Ph.D. Students : Tejeddine Mouelhi
Keywords : Security testing, security flaws, mutation analysis, test generation, security policy
Applications : Information System Security
Partners & Funding : Tejeddine Mouelhi’s PhD thesis is co-advised with Benoit Baudry (INRIA-Rennes Bretagne Atlantique)

Introduction

While important efforts are dedicated to system functional testing, very few works study how to test specifically security mechanisms implementing a security policy. In this thesis, we study how to adapt testing techniques to test such security mechanisms. The testing techniques that have proven their effectiveness in the field of functional testing are adapted in order to be applied to test security mechanisms.

Realization

We applied mutation analysis to the context of testing security policies [1]. The objective is to make test cases efficient enough to reveal erroneous implementations of a security policy. We adapted mutation analysis, which consists of seeding security faults in the system, and proposed a fault model specific to access control security policies.

Any security policy is strongly connected to system functionality: testing functions includes exercising many security mechanisms. However, functional testing does not aim to put security aspects to the test. We thus proposed two strategies for producing security policy test cases [2], depending on whether they are built to complement existing functional test cases or independently of them. We also proposed test selection criteria to produce tests from a security policy. To quantify the effectiveness of a set of test cases at detecting security policy flaws, we used mutation analysis in three empirical studies. The overall approach has been applied to OrBAC access control policies using the associated MotOrBAC tool (http://www.orbac.org/).

In collaboration with Alexander Pretschner, during his sabbatical at TELECOM Bretagne, we began to study the test generation issue by proposing a new model-based approach that uses combinatorial testing [3]. Test cases are generated using pair-wise testing and we compare them with several randomly generated test sets. The mixed results show that this problem still requires study.

In the same collaboration, we also studied how to use security tests to detect hidden security mechanisms in legacy systems [4]. In fact, if access control policy decision points are not neatly separated from the business logic of a system, the evolution of a security policy is likely to require changing the system’s code base. This is often the case with legacy systems. We analyzed the notion of flexibility, which is related to the presence of hidden and implicit security mechanisms in the business logic. This first work suggested the use of a test-driven methodology to detect such hidden mechanisms, and drive the incremental evolution of a security policy.

Conclusion

As future work, we will focus on using metamodels to offer a complete framework to produce, in a generic way, a tool for mutation analysis of interoperable security policies (first results in [5]). We will also study and propose new approaches to automatically generate security tests targeting the implementation of security policies.

References

[1] Mouelhi Tejeddine, Le Traon Yves, Baudry Benoit: Mutation analysis for security tests qualification. Mutation'07, third workshop on mutation analysis, September 10-11, Cumberland Lodge, Windsor, UK, 2007.
[2] Le Traon Yves, Mouelhi Tejeddine, Baudry Benoit: Testing security policies : going beyond functional testing. ISSRE'07: The 18th IEEE International Symposium on Software Reliability Engineering, November 5-9, Trollhättan, Sweden, 2007.
[3] Mouelhi Tejeddine, Le Traon Yves, Pretschner Alexander: Model-Based Tests for Access Control Policies. ICST 2008 : First IEEE International Conference on Software, Testing, Verification and Validation, April 9-11, Lillehammer, Norway, 2008.
[4] Mouelhi Tejeddine, Le Traon Yves, Pretschner Alexander, Baudry Benoit: Test-Driven Assessment of Access Control in Legacy Applications. ICST 2008 : First IEEE International Conference on Software, Testing, Verification and Validation (ICST), April 9-11, Lillehammer, Norway, 2008.
[5] Mouelhi Tejeddine, Fleurey Franck, Baudry Benoit: A Generic Metamodel For Security Policies Mutation, SecTest 08: 1st International ICST workshop on Security Testing, April 9, Lillehammer, Norway, 2008.
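The qualification of test suites by mutation analysis described in this section can be illustrated on a small rule-based policy: faults are seeded into the policy, and a suite is scored by the share of non-equivalent mutants it detects. This is an added example, not the authors' tool or fault model; the library policy, the three mutation operators and all function names are assumptions made for the illustration.

```python
from itertools import product

# Constructed sample policy (all names hypothetical): rule -> rule type.
ROLES = ["student", "teacher", "secretary"]
ACTIVITIES = ["borrow", "manage"]
VIEWS = ["book", "account"]
POLICY = {
    ("student", "borrow", "book"): "permission",
    ("teacher", "borrow", "book"): "permission",
    ("secretary", "manage", "account"): "permission",
    ("student", "manage", "account"): "prohibition",
}
ALL_REQUESTS = list(product(ROLES, ACTIVITIES, VIEWS))


def decide(policy, request):
    """Decision point under test; anything not permitted is denied (assumption)."""
    return "permit" if policy.get(request) == "permission" else "deny"


def mutants(policy):
    """Seed one fault per mutant. The operators are illustrative assumptions."""
    for rule, kind in policy.items():
        # Operator 1: swap the rule type (permission <-> prohibition).
        flipped = dict(policy)
        flipped[rule] = "prohibition" if kind == "permission" else "permission"
        yield ("flip", rule), flipped
        # Operator 2: attach the rule to another role.
        role, activity, view = rule
        for other in ROLES:
            target = (other, activity, view)
            if other != role and target not in policy:
                moved = {k: v for k, v in policy.items() if k != rule}
                moved[target] = kind
                yield ("move", rule, other), moved
    # Operator 3: add a permission the policy never granted.
    for request in ALL_REQUESTS:
        if request not in policy:
            added = dict(policy)
            added[request] = "permission"
            yield ("add", request), added


def qualify(policy, tests):
    """Score a test suite. A mutant is killed when some test observes a decision
    that differs from the one the original policy gives (the oracle)."""
    killed, live, equivalent = [], [], []
    for label, mutant in mutants(policy):
        if all(decide(mutant, r) == decide(policy, r) for r in ALL_REQUESTS):
            equivalent.append(label)       # behaves identically: excluded from the score
        elif any(decide(mutant, t) != decide(policy, t) for t in tests):
            killed.append(label)
        else:
            live.append(label)
    return {"killed": len(killed), "scored": len(killed) + len(live),
            "live": live, "equivalent": equivalent}


# Functional tests only exercise what users are supposed to be able to do.
FUNCTIONAL = [r for r in ALL_REQUESTS if decide(POLICY, r) == "permit"]
# Security tests complement them with every request that must be refused.
SECURITY = FUNCTIONAL + [r for r in ALL_REQUESTS if decide(POLICY, r) == "deny"]

if __name__ == "__main__":
    for name, suite in (("functional", FUNCTIONAL), ("functional+security", SECURITY)):
        result = qualify(POLICY, suite)
        print(f"{name}: {result['killed']}/{result['scored']} mutants killed")
        for label in result["live"]:
            print("  undetected:", label)
```

The functional suite leaves every over-permissive mutant alive, which is the gap the complementary security tests close. On a policy too large to enumerate, the exhaustive denial tests used here would be replaced by a selection criterion.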


Policy Administration

Research Staff : Frédéric Cuppens, Nora Cuppens-Boulahia – Ph.D. Student: Meriam Ben Ghorbel
Keywords : Security policy, security configuration analysis, delegation, OrBAC
Applications : information system administration
Partners & Funding : Meriam Ben Ghorbel’s PhD thesis is co-advised with SupCom Tunis.

Introduction

The OrBAC model (Organization Based Access Control) is an access control model developed in the RSM department of TELECOM Bretagne. This model is based on the concept of organization. In this manner, the policy specification is completely parameterized by the organization so that it is possible to handle simultaneously several security policies associated with different organizations. In other words, the security policy does not directly apply to subjects, actions and objects. Instead, it defines authorizations that apply within an organization to control the activities performed by roles on views.

The OrBAC model is self-administrated, that is, the concepts used to define an administration policy in the Administration model for OrBAC (AdOrBAC) are similar to the ones used to define the remainder of the security policy.

Realization

The main purpose of this work is to provide a complete framework to specify delegation requirements in the OrBAC model. Delegation is the process whereby a user without any administrative prerogatives obtains the ability to grant some authorizations.

We have shown, in [1,3], that it is possible to manage administration requirements, including delegation requirements, in a unique model. This is thanks to the fact that the OrBAC model offers facilities, such as multi-granular license, contextual license, use of views, etc., which provide means to specify delegation characteristics without adding new components or modifying the existing ones. Therefore our approach is more flexible, simpler and more complete than previous delegation models. However, delegation rules added to the OrBAC model can conflict with administration rules.

The approach used to manage conflicts in OrBAC is based on assigning priorities to access control rules. Nevertheless, to overcome difficulties encountered in Rule-BAC, we restate, in [2], the problems of rule redundancy and potential conflicts using inheritance mechanisms and separated constraints specification. We show that, using this approach, rule redundancy and potential conflicts are tractable problems computable in polynomial time.

Conclusion

Future work will be dedicated to enriching our delegation model and more precisely the revocation mechanism.

Moreover, since in the OrBAC model it is also possible to specify obligations, our model can be enriched by the study of the delegation of obligations. The notion of context is also very useful to deal with this aspect; for instance, we can specify the bilateral agreement using a provisional context. In further work we will develop this point.

Future work also includes the enforcement of the delegation policies in MotOrBAC, the application prototype designed to manage Or-BAC policies.

References

[1] M. Ben Ghorbel-Talbi, F. Cuppens, N. Cuppens-Boulahia and A. Bouhoula. "Managing Delegation in Access Control Models". In Proceedings of the 15th International Conference on Advanced Computing and Communication (ADCOM'07), Guwahati, India, December 2007. IEEE Computer Society.
[2] F. Cuppens, N. Cuppens-Boulahia, M. Ben Ghorbel. "High Level Conflict Management Strategies in Advanced Access Control Models". Electronic Notes in Theoretical Computer Science (ENTCS), Volume 186, Pages 3-26, July 2007. Elsevier Science Publishers.
[3] F. Cuppens, N. Cuppens, A. Bouhoula, M. Ben Ghorbel. “Delegation Model for ORBAC Model : Extended Abstract”. In Proceedings of the 7th Tunisia-Japan Symposium on Science, Society and Technology (TJASST'06), Sousse, Tunisia, December 2006.


Specifying and deploying security in workflow management systems

Research Staff : Frédéric Cuppens, Nora Cuppens-Boulahia – Ph.D. Student : Samiha Ayed
Keywords : Workflow Management, OrBAC, context-awareness
Applications : Security of workflow management systems, Web service security
Partners & Funding : partially funded by Conseil Régional de Bretagne

Introduction

Workflow Management Systems (WFMSs) are increasingly used in industry and in research. WFMSs are used to coordinate and streamline different processes. Very large WFMSs are often used in organizations. They therefore need to be executed in a secure manner, especially because the executions of the different tasks that define them are closely related [1].

For instance, let us consider a workflow composed of tasks T1, T2 and T3 which must be executed in a sequential order. If we suppose that these three tasks act on the same documents, the access to these documents must be controlled according to the order of execution of tasks. In other words, this access control must be synchronized with the execution progression of the workflow. In addition, the execution of a task is related to the execution of the preceding tasks. So, a workflow specification must be defined together with a security policy. This policy has to express these different requirements. On the one hand, it has to deal with access control requirements. On the other hand, it must take into account information flow requirements.

To manage security in workflow systems, many research works have been based on different approaches. In particular, the RBAC model has been used to define their security policy. Because it lacks native means to express the confinement and dynamic security requirements of workflow systems, the RBAC model is not fully satisfactory. These works are generally based on (1) specifying the global security policy and (2) defining a centralized management procedure that controls the workflow execution. So, they do not deal with managing the information flow control.

To remedy these limitations, we suggest managing the workflow security policy using the OrBAC (Organization Based Access Control) model and using a DTE (Domain Type Enforcement) approach to take into account the information flow control.

Realization

The OrBAC model defines two useful notions for workflow security management. The first is the organization, which can be seen as an organized group of active entities. Workflow tasks may be executed in the same or different organizations. If they are executed within the same organization, the policy has to manage security in this organization. The notion becomes more useful if workflow tasks are executed in independent organizations. In this case, flows between different organizations must be managed. The second useful notion defined in OrBAC is the context. A context is an entity used to express permissions or prohibitions that depend on some specific circumstances. A context corresponds to any constraint or extra condition that accompanies the expression of a rule in the access control policy. OrBAC classifies contexts according to their type. A provisional context depends on previous actions the subject has performed in the system. In other words, it is considered as a history of execution. Provisional contexts are very interesting in the domain of WFMS since the execution of a task depends on the history of execution of the preceding tasks. They also permit the definition of a dynamic security policy according to contexts, a very useful requirement in WFMS.

Using these OrBAC concepts, we define a model for specifying workflow processes [2]. Then, we define the WFMS security policy that we have to associate with the workflow model. Such a policy deals with access and information flow control. It is based on OrBAC rules. The information flow control part is based on a DTE (Domain Type Enforcement) approach [3]. It uses DTE principles, especially the "Entry point" concept, to define information flow control rules.

Afterwards, we show how to manage this WFMS security policy to control the workflow execution in a distributed manner. For this purpose, we define an algorithm to generate the local security policy associated with the execution of each task that composes the workflow. The global policy and the Petri net model associated with the workflow execution are provided as inputs of the algorithm [4].

Our approach differs from previous works by defining a dynamic management of workflow authorizations and by considering a security policy that takes into account information flow control. This approach based on the DTE model is more robust and flexible than the MLS (Multi-Level Security) approach used in other works.

Conclusion

Until now, we have presented a Petri net based model for modelling workflows and we have defined the associated security policy. This model and security policy are based on OrBAC concepts. Thus, they reuse the organization and context notions defined in this access control model. Our security policy takes into account different temporal constraints between two tasks. It is composed of a general security policy, a coordination security policy and an information flow control policy. In a second part, we have presented an algorithm allowing us to synchronize authorization flows with workflow execution. This algorithm defines how to execute the suggested model in a distributed WFMS environment.

As part of future work, we shall enrich our algorithm by handling information flows between different organizations. Indeed, organizations must exchange flows to have knowledge of what is happening globally in the system. These flows must be managed in order to keep a secure execution environment for the process. Exchanging flows between organizations must be compliant with the confinement principle. Thus, these exchanges have to be controlled in order to keep a secure environment for process execution.

References

[1] Workflow Management Coalition.
Workflow Security Considerations. White Paper. Document number WFMC-TC-1019, Document Status – Issue 1.0. 1998.
[2] Samiha Ayed, Nora Cuppens-Boulahia, Frédéric Cuppens. Deploying Access Control in Distributed Workflow. Australian Information Security Conference, Wollongong, Australia (AISC), January 2008.
[3] Samiha Ayed, Nora Cuppens-Boulahia, Frédéric Cuppens. An integrated model for access control and information flow requirements. 12th Annual Asian Computing Science Conference Focusing on Secure Software and Related Issues (ASIAN), Doha, Qatar, December 2007.
[4] Samiha Ayed, Nora Cuppens-Boulahia, Frédéric Cuppens. Managing access and flow control requirements in distributed workflows. 6th ACS/IEEE International Conference on Computer Systems and Applications (AICCSA), Doha, Qatar, March 2008.

PROTEKTO : Security platform for content providers

Research Staff : Nora and Frédéric Cuppens, François Wang
Keywords : Authentication, Authorization, OpenId, SAML, OrBAC
Applications : Secure content management
Partners & Funding : Partial funding in the framework of Carnot institutes

Introduction

The Protekto project's goal is to create a platform for content providers which integrates the recent technologies for authentication and authorization, capitalising on Télécom Bretagne's work and the competences of the SWID company. Regarding authentication, Protekto will use the OASIS standard SAML 2.0 (Security Assertion Markup Language) [1] and the OpenID 2.0 protocol (see http://openid.net/developers/specs/) adopted by users. For the authorization part of Protekto, the OrBAC model and the XACML standard will be used.

Delegating these security functions is a solution that reduces costs and increases security; moreover, users will take advantage of the latest technological advancements in security. The content provider’s work is reduced to producing content, and users will appreciate the single sign-on and the identity management.

Realisation

The first part of the project is about authentication: research was carried out on how to integrate OpenID and SAML together in the platform. SAML 2.0 is an advanced solution for exchanging security information but is also more complex than OpenID. As for OpenID, the number of users and sites is growing and the number of potential users is more than 350 million; this recent protocol is very interesting for users because it lets them manage their identity.

We made an OpenID identity provider (using version 2.0 of OpenID), allowing users to create their identity, manage attributes with profiles and the information sent to the sites they visit, and personalize their OpenID identity page. Interaction between users was also a concern: users can manage a buddy list and send messages to friends registered on this identity provider. Moreover, in order to ease the use of our provider, effort was put into the interface, and two different implementations, in XHTML and Flash, were developed.

Protekto is also an OpenID consumer, so users registered with another OpenID provider are able to use our platform. As OpenID is a fully decentralized system, we were able to validate our work with different OpenID-enabled sites on the Internet.

Regarding security requirements, OpenID is a weak form of authentication and is therefore not appropriate for sensitive transactions like electronic payment. SAML 2.0 is more secure for these operations; it permits assertions about authorization and can be used with the XACML standard. But it is less practical for the user, who needs to be registered with a provider belonging to the circle of trust. That is why our platform uses these two protocols: OpenID, which is very interesting for users, and SAML, which is more secure for providers with sensitive contents.

We began an authentication server using SAML with an OpenID consumer part. We let users choose whether they want to be authenticated using their OpenID identity (from our OpenID identity provider but also from other providers). After authentication, information is exchanged using SAML 2.0, and if an OpenID identity is used then a specific SAML 2.0 authentication context for OpenID is needed.

Protekto was registered at the Agency for Protection of Programs (APP) by Nora Boulahia-Cuppens, Frédéric Cuppens, François Wang (Télécom Bretagne), and Stéphane Morucci (SWID).

Future work

Future work will consist of adding functionalities to our OpenID identity provider and finishing the integration of SAML 2.0 into the Protekto platform. Then, in the second part concerning authorization, the XACML profile will be added for access control. Télécom Bretagne's work on the OrBAC model will be put to use through the tools it has developed, which adapt OrBAC policies to XACML.

Reference

[1] Assertions and Protocols for the OASIS SAML V2.0. OASIS SSTC, March 2005.


Intrusion Detection

Detection and correlation of intrusions

Research Staff : Frédéric Cuppens, Nora Cuppens-Boulahia, Fabien Autrel, Yacine Bouzida, Aurélien Croissant
Ph.D. Students: Wael Kanoun
Keywords : Intrusion detection, alert correlation, attack response and correlation, CRIM
Applications : Security Information Management (SIM)
Partners & Funding : partially funded by the European programme CELTIC in the RED project (Reaction after Detection). Partially funded by Alcatel-Lucent, ANRT through a CIFRE grant.

Introduction

Intrusion detection is achieved through the use of network probes and host-based probes which detect suspicious or malicious actions. Those probes generate messages upon the detection of such actions. Such messages are called intrusion detection alerts and must be processed by the system administrator to monitor attempts to violate the security policy. However, this task becomes almost impossible due to the high number of alerts generated per day (up to several thousands), most of them being false positives, i.e. alerts not related to real attacks. Intrusions can be very complex and detecting them involves the correlation of several alerts.

In this context we have designed the CRIM module (Correlation and Reaction to Malicious Intrusion) to help the system administrator manage the intrusion detection alerts.

This research work is partially funded by the European CELTIC project RED (Reaction After Detection). It is also part of a thesis supported by ANRT through a CIFRE grant and undertaken within a collaboration between TELECOM Bretagne and ALCATEL-LUCENT.

Realization

The CRIM module [1] is composed of several modules which accomplish the following tasks (see figure 1):
• alert management: alerts generated by several probes are centralized in a database for further processing
• alert aggregation and fusion: similar alerts are grouped and then merged to lower the number of alerts to process
• alert correlation: alerts related to the same intrusion are linked and weighted to present a comprehensible scenario to the system administrator
• attack anticipation: this module generates virtual alerts to anticipate the evolution of incomplete scenarios of attacks
• response to scenarios: this module finds the most effective responses to block a scenario or cancel the effects of an attack scenario

Figure 1: The CRIM architecture

The aggregation/fusion module uses similarity functions between alert attributes and a similarity threshold to aggregate similar alerts. Weights are defined over alert attributes to comply with the fact that some attributes have different meanings. Compared to other rule-based aggregation systems, this module can process previously unseen alerts.

The correlation and response modules rely on a semi-explicit approach based on the description of elementary attacks instead of complete scenarios of attacks [2]. Elementary attacks are described through the expression of their pre-condition and post-condition. First order logic is used to describe those conditions and we have already identified a set of predicates allowing us to describe several attacks. This approach automatically discovers based on the description of elementary attacks. In order to describe the attacks and the counter-measures available to the response module, we have designed the LAMBDA language.

We have defined a set of predicates to specify both network and system attacks in LAMBDA and developed a CRIM module that provides a friendly interface to specify attacks in LAMBDA. This module is currently being tested in the context of ad-networks and VOIP (Voice Over IP) intrusions.

The response functionality implemented in CRIM is based on the anti-correlation principle, which provides means to automatically select possible counter-measures capable of ending the detected intrusion [3]. This approach uses a library of counter-measures also specified in the LAMBDA language. However, countermeasures may actually have side effects and can be as harmful as the detected attack. To deal with this issue, we improve the reaction selection process by giving means to quantify the effectiveness and select the countermeasure that has the minimum negative side effect on the information system. To achieve this goal, we adopt a risk assessment and analysis approach [4].

The various CRIM modules presented above have been implemented in C++ and tested on several realistic scenarios. The software is registered at the APP (Agence pour la Protection des Programmes) with reference IDDN.FR.001.250007.000.R.P.2005.000.10000.

Conclusion

The CRIM modules have all been implemented and tested on alerts generated by open source probes, especially Snort and Bro. Research is still ongoing in the RED project to test CRIM and enhance the response function.

References

[1] F. Autrel, F. Cuppens. CRIM: un module de corrélation d'alertes et de réaction aux attaques. Annals of Telecommunications. Vol. 61, no. 9-10. September-October 2006.
[2] F. Cuppens and A. Miège.
Alert correlation in a cooperative intrusion detection framework. IEEE Symposium on Research in Security and Privacy, Oakland, May 2002.
[3] F. Cuppens, F. Autrel, Y. Bouzida, J. García, S. Gombault, and T. Sans. Anti-correlation as a criterion to select appropriate countermeasures in an intrusion detection framework. Annals of Telecommunications. Vol. 61, no. 1-2. January-February 2006.
[4] W. Kanoun, N. Cuppens-Boulahia, F. Cuppens, F. Autrel. Advanced Reaction using Risk Assessment in Intrusion Detection Systems. 2nd International Workshop on Critical Information Infrastructures Security (CRITIS), Malaga, Spain, October, 2007.

Threat response by policy revision

Research Staff : Frédéric Cuppens, Nora Cuppens-Boulahia – Ph.D. Students: Yohann Thomas
Keywords : Alert management, attack response, security policy, OrBAC
Applications : Security Information Management (SIM), Intrusion Detection System (IDS)
Partners & Funding : partially funded by France Telecom R&D and ANRT through CIFRE convention

Introduction

Information systems security is realized through the use of different technologies, some of them being preventive, such as authentication, encryption and access control, and others being corrective, such as antiviruses and intrusion detection systems. These different tools are deployed with respect to a predefined security policy, which aims at describing what should be done to preserve confidentiality, integrity and availability of the resources and services.

Intrusion detection aims at reporting alerts characterizing violations of the security policy, in particular linked with malicious activity (attacks) [1]. However, most of the time, reported alerts have to be managed by the security administrator, who has to manually launch countermeasures ensuring that the security policy is no longer violated. Triggering the most adequate countermeasure is, however, far from trivial, for at least two reasons: (1) the security administrator requires a strong expertise of the information system configuration, and (2) he has to analyze a huge number of alerts to select a countermeasure. This opens a time window of opportunity for an attacker to successfully exploit their advantage. Consequently, we argue that one should focus on automated reaction towards threat. Our work is based on the fact that a lot of work has been done both in the fields of intrusion detection and security policies formalization. We assume that intrusion detection diagnosis is reliable enough to provide dynamic reconfiguration of the security policy in order to respond to threat.

This work is realized between Institut TELECOM/TELECOM Bretagne and France Telecom R&D, through the PhD thesis of Yohann Thomas. It is also supported by ANRT (CIFRE convention).

Realization

We propose to make use of OrBAC (Organization-based Access Control) to define a security policy that dynamically adapts to current threats. Threat is characterized through intrusion detection diagnoses. Our system triggers threat contexts which dynamically activate security policy rules ensuring response [2]. In addition, OrBAC provides means to define a generic policy at the abstract level, which is locally enforced at the concrete level. This methodology facilitates the deployment of the policy at a large scale, and ensures that local countermeasures are taken which are well-suited to face the detected threat.

Figure 1. Threat response system architecture

Figure 1 shows the proposed architecture for a threat response system. An Alert Correlation Engine (ACE) is responsible for collecting events from various sensors on the network and providing relevant alerts as an input for the system. A Policy Instantiation Engine (PIE) is in charge of triggering threat contexts considering alerts and activating new policy rules ensuring response to threat. Policy rules instantiated at the PIE level are then processed by a Policy Decision Point (PDP), which is able to decide how to manage enforcement. Thus, as opposed to the PIE, the PDP is a local decisional entity, aware of the capabilities of the Policy Enforcement Points (PEPs). The PDP decides what configurations are to be actually pushed to the PEPs to effectively apply the new policy rules. Note that PEPs may be of various kinds: a firewall, an authentication server, a mail server, a router, a quarantine system, etc.

Conclusion

In this work, we aim at connecting monitoring systems (intrusion detection) with security policies in order to provide response to threat. We show that the OrBAC formalism makes it possible to accomplish this task. A prototype of the threat response system is developed [3] to dynamically activate security rules in response to alerts, thanks to a mapping strategy which provides means not only to react specifically to a considered intrusion, but also to protect other threatened entities of the information system.

References

[1] H. Debar, B. Morin, F. Cuppens, F. Autrel, L. Mé, B. Vivinis, S. Benferhat, M. Ducassé and R. Ortalo. Corrélation d'alertes en détection d'intrusions. TSI, éditions Hermes. June 2004.
[2] H. Debar, Y. Thomas, N. Boulahia-Cuppens, F. Cuppens. Using contextual security policies for threat response. Third International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA). Berlin, Germany. July 2006.
[3] H. Debar, Y. Thomas, N. Boulahia-Cuppens, F. Cuppens. Threat response through the use of a dynamic security policy.
Journal ofComputer Virology, Srpinger, 2007.42 Extract of Pracom’s Annual Report <strong>2008</strong>


Reaction after detection

Research Staff: Frédéric Cuppens, Nora Cuppens-Boulahia, Yacine Bouzida, Aurélien Croissant
Keywords: Alert management, attack response, security policy, OrBAC
Applications: Security Information Management (SIM), Intrusion Detection System (IDS)
Partners & Funding: funded by European RED (Reaction After Detection) Celtic project.

Introduction

Recent advances in intrusion detection have made it possible to assess the different alerts generated from heterogeneous IDSs and react efficiently against some a priori known threats. However, current prevention techniques provide restrictive responses that apply a local action in a limited information system infrastructure.

RED (Reaction After Detection) is a CELTIC project that aims to define an in-depth and comprehensive approach for responding to intrusions in a precise and efficient way. This new direction considers not only the threat and the architecture of the monitored information system, but also the security policy, the corresponding security objectives, the contextual data and the different operational constraints. The proposed reaction workflow links the lowest level of the information system, corresponding to intrusion detection mechanisms (including misuse and anomaly techniques) and access control mechanisms, with the higher level of the security policy. The proposed reaction workflow evaluates the intrusion alerts at three different levels: the local, intermediate and global levels. It then reacts against threats with appropriate counter measures at each level accordingly.

This research work is funded by the European CELTIC project RED (Reaction After Detection).

Realization

The reaction mechanisms may be seen in different ways. One may react directly and locally, but the threat may propagate due to the malicious strategy followed by the intruder. The second idea consists in considering the security policy of the monitored information system and reacting against the threats by taking advantage of the security policy and its flexibility to adapt the current specification to the detected threat.

In RED, we suggest a mechanism that may be seen as an auto-adaptive model that starts from the security policy management of the monitored information system. The different specifications of this information system are expressed using the different security objectives and requirements in addition to the different security rules that are expressed as permissions, prohibitions and obligations.

We suggest using the OrBAC (Organization-based Access Control) model to define a security policy that dynamically adapts to current threats. Threat is characterized through intrusion detection diagnoses. Our system triggers threat contexts which dynamically activate security policy rules ensuring response [1]. In addition, OrBAC provides means to define a generic policy at the abstract level, which is locally enforced at the concrete level. This methodology facilitates the deployment of the policy at a large scale, and ensures that different levels of reactions are triggered, which are well-suited to face the detected threat.

The low level tools, which include intrusion detection and access control mechanisms implemented locally to monitor the information system, are configured according to the high level security specifications. Then, according to the different alerts generated, the alerts are forwarded to the upper level whenever it is necessary, after traversing the different reaction levels, to evaluate the current system state, where either direct responses are launched or the whole security policy is changed according to the detected threat.

We define three levels of reaction: (1) low level reaction, (2) intermediate level reaction, and (3) high level reaction. Each level considers particular security requirements and deploys appropriate security components and mechanisms to react against the detected threats.

The low level reaction corresponds to actions that are executed automatically just after an intrusion is detected. Therefore, it is possible to immediately respond to an attack. This may be done, for example, by adding a reaction tag inside the corresponding detection rule signature managed by some Intrusion Detection System. We should note here that the reaction must be consistent with the minimal security policy. As a matter of fact, if a service should be active under any circumstance, then a reaction which consists in stopping this service should not be launched.

The intermediate level of reaction is based on a diagnosis of the intrusion process (for instance provided by CRIM) and used to improve the reaction process. Activating an automatic or a manual response depends on the confidence level of the diagnosis, and the automatic choice may be performed by measuring the impact of the corresponding reaction. At the intermediate level, anti-correlation [10] may be used as a way to automatically find a set of reactions in order to stop a global attack scenario. Some correlation and fusion tools, implemented during the last decade, provide a set of counter measures that may be either activated automatically or left to the administrator, who chooses the appropriate ones for security agility considerations.

Finally, the global level reaction aims to dynamically trigger new rules of the security policy according to the current threat. For this goal, contexts are used for renewing the security policy according to the detected threat. Three steps are performed at this level: activating contexts, triggering generic policy rules accordingly, and producing a coherent set of rules to deploy while ensuring conflict resolution with the minimal security requirements. As a result of this level, a new security policy is redeployed as long as the threat or its consequences remain present. A return to a non-threat situation is then performed by the threat context deactivation operation.

Conclusion

In this work, we aim at connecting monitoring systems (intrusion detection) with security policies in order to provide response to threat. The OrBAC formalism is used to accomplish this task. A prototype of the threat response system is developed [2] to dynamically activate security rules in response to alerts thanks to a mapping strategy which provides means not only to react specifically to a considered intrusion, but also to globally protect other threatened entities of the information system.

References

[1] H. Debar, Y. Thomas, N. Boulahia-Cuppens, F. Cuppens. Using contextual security policies for threat response. Third International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA). Berlin, Germany. July 2006.
[2] H. Debar, Y. Thomas, N. Boulahia-Cuppens, F. Cuppens. Threat response through the use of a dynamic security policy. Journal of Computer Virology, Springer, 2007.
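The policy revision loop described in the two articles above (threat contexts activated by alerts, generic rules instantiated into concrete ones, conflict resolution against the minimal security requirements, and threat context deactivation) is shown below as an added example; it is not code from the RED prototype or from the cited papers. The class names, alert fields, sample addresses and the deny-tuple output of the decision point are assumptions made for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """Correlated alert delivered by the ACE (field names are assumptions)."""
    classification: str
    source: str
    target: str


@dataclass(frozen=True)
class AbstractRule:
    """OrBAC-style rule over organisational entities, valid in one context."""
    modality: str   # "permission" or "prohibition"
    role: str
    activity: str
    view: str
    context: str


@dataclass(frozen=True)
class ConcreteRule:
    modality: str
    subject: str
    action: str
    obj: str


# Constructed sample organisation (documentation address ranges only).
ACTIVITIES = {"web_access": {"tcp/80", "tcp/443"}}
VIEWS = {"web_servers": {"198.51.100.10", "198.51.100.11"}}
ROLE_FROM_ALERT = {"adversary": "source"}   # alert field that plays the role
THREAT_CONTEXTS = {"web_attack": {"sql_injection", "http_overflow"}}

# Generic policy: in a web_attack context the adversary loses web access to
# every server of the view, not only to the server that was targeted.
GENERIC_POLICY = [
    AbstractRule("prohibition", "adversary", "web_access", "web_servers", "web_attack"),
]
# Minimal security requirements that no reaction may override.
MINIMAL_POLICY = {
    ConcreteRule("permission", "203.0.113.5", "tcp/443", "198.51.100.10"),
}


class PolicyInstantiationEngine:
    def __init__(self, generic_policy, minimal_policy):
        self.generic_policy = generic_policy
        self.minimal_policy = minimal_policy
        self.active = {}   # context name -> alerts that keep it active

    def on_alert(self, alert):
        """Activate every threat context matching the alert classification."""
        for context, classes in THREAT_CONTEXTS.items():
            if alert.classification in classes:
                self.active.setdefault(context, set()).add(alert)

    def on_threat_over(self, alert):
        """Deactivate a context once no alert sustains it any longer."""
        for context in list(self.active):
            self.active[context].discard(alert)
            if not self.active[context]:
                del self.active[context]

    def concrete_rules(self):
        """Instantiate generic rules for active contexts, then resolve conflicts."""
        derived = set()
        for rule in self.generic_policy:
            for alert in self.active.get(rule.context, ()):
                subject = getattr(alert, ROLE_FROM_ALERT[rule.role])
                for action in ACTIVITIES[rule.activity]:
                    for obj in VIEWS[rule.view]:
                        derived.add(ConcreteRule(rule.modality, subject, action, obj))
        return {r for r in derived if not self._conflicts(r)}

    def _conflicts(self, rule):
        """A prohibition is dropped when the minimal policy permits the same triple."""
        if rule.modality != "prohibition":
            return False
        permitted = ConcreteRule("permission", rule.subject, rule.action, rule.obj)
        return permitted in self.minimal_policy


def pdp_firewall_entries(rules):
    """Local decision point: prohibitions become (src, dst, proto/port) deny tuples."""
    return sorted((r.subject, r.obj, r.action) for r in rules if r.modality == "prohibition")
```

An alert against one web server yields deny entries for both servers of the view, while the one flow required by the minimal policy stays permitted even when its source raises an alert.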


Dependable Anomaly Detection with Diagnosis

Research Staff: Frédéric Cuppens, Sylvain Gombault, Jean-Pierre Le Narzul – Post. Doc.: Wei Wang
Keywords: Dependability, Agreement Services, Intrusion detection, Anomaly detection
Applications: Dependable Web Servers, Anomaly Detection System
Partners & Funding: partially funded by ANR in the framework of the ACI DADDi (Action Concertée Incitative)

Introduction

Most current intrusion detection systems are signature-based. The major limitation of this technique is its incapacity to detect new attacks, which by definition cannot be in the database of signatures. Facing this problem, anomaly detection is particularly interesting. The main principle of anomaly detection is to build a reference model of a given entity behavior (user, machine, service, or application). A deviation from this model is considered as an attack attempt.

DADDi (Dependable Anomaly Detection with Diagnosis) is an ACI project funded by the ANR (2004-2007) that deals with intrusion detection techniques. The project consortium includes 4 academic institutes (Supélec, CRIL, TELECOM Bretagne, IRISA) and one industrial partner (Orange Labs).

The first objective of this ACI is to propose new explicit anomaly detection approaches. Such an approach exhibits several problems. First, it is difficult to define what is explicitly significant in the modeled behavior. Then, it is necessary to take into account the normal evolutions of the observed behavior. Enhancing the explicit approach is thus a first objective of this project.

As a second objective, DADDi proposes to introduce an implicit approach based on a classical approach of the dependability domain: design diversity. The goal is to forward any request to several modules implementing the same functionality, but through diverse designs (diversified COTS servers). Any difference between the results obtained can be interpreted as a possible corruption of one or several modules. In both cases (explicit and implicit), the dependability properties of the Intrusion Detection System (IDS) are also a main concern. Studying these properties is the third objective of this project, in order to bring intrusion tolerance properties to the anomaly detector.

Realization

Fig 1: New attack detection with explicit approach

A first part of our work focused on anomaly detection with an explicit reference model. We have investigated new methods and tested them over the DARPA 98 traffic database. We have proven their efficiency, and their application has exceeded the winning entry of the KDD 99 data intrusion detection contest.

Our contribution in this project is threefold. The first is the necessity to improve machine-learning methods by adding a new class. New instances should be assigned to this class, since they should not be classified as any of the known classes present in the learning data set [2].

The second contribution consists in introducing some necessary conditions that should be verified by a rich transformation function. This last point was not taken into account during the transformation of the DARPA98 into KDD99 data sets. As a result, a lot of attack traffic became identical to normal traffic after transformation. We have shown that SNMP attacks were classified as normal traffic for this reason [2]. We have then modified the transformation function to detect attacks on SNMP traffic, to match the necessary conditions for this service. By modifying only the method of calculation of two attributes, we considerably improved the detection rate of the attacks on this service. But in spite of these good results, the transformation function has the limitation that it depends on the services that are considered [1].

The third contribution deals with attack identification. We consider individual attacks instead of attack categories. This may help to take some appropriate reactions after detection according to the specific attacks. K-Nearest Neighbor (kNN) and Principal Component Analysis (PCA) methods are used and compared for intrusion detection. KDD 99 network data are used for validating the two methods.

The second part of our work in the DADDi project focuses on the dependability of an intrusion detection architecture based on the implicit approach. We use an architecture that ensures both confidentiality and integrity at the COTS server level and we extend it to enhance availability. Replication techniques implemented on top of agreement services (based on a consensus protocol) are used to avoid any single point of failure. On the one hand, we assume that COTS servers are complex software that contains some vulnerabilities and thus may exhibit arbitrary behaviors. On the other hand, the other basic components of the proposed architecture are simple enough to be exhaustively verified [3].

We have conducted performance evaluations to measure the additional cost induced by the mechanisms used to ensure the availability of the secure architecture. As each HTTP request involves the use of the atomic broadcast service, its cost had to be carefully evaluated. Moreover, since HTTP requests are sequentially executed, the throughput of the service can be severely degraded. We aimed at identifying some of the parameters that may impact the cost of the atomic broadcast service. We measured the mean request delivering duration for a fixed arrival frequency of external requests. We sampled this measure for a varying number of processes and different consensus round durations. We found that the number of processes in the group only slightly influences the overall performance of the atomic broadcast service. In this experiment, the arrival frequency of external requests is rather low (one request every 400 ms). In this case, the consensus round duration is of limited influence. This parameter is of major influence only when a failure occurs. In another experiment, we have considered a fixed value for the duration of the consensus round (1000 ms) and we sampled the mean delivering duration for various arrival frequencies of the external requests and a varying number of processes. We found that when the arrival frequency of requests reaches a critical value, the mean request delivering duration increases significantly (to be published in 2008).

Conclusion

In the last period of the project, we have planned to apply these new results in explicit and implicit approach to web-based real-life traffic to compare and show the complementarities of the implicit and explicit approaches.

The web-based traffic has been generated. It contains "normal" data, collected with no played attack in front of a web server connected to the Internet. Besides that, attacks have been played directly in front of the web server. This traffic has been transformed by the transformation function and will be studied very soon.

References

[1] A. Bsila, S. Gombault and A. Belghith. Improving traffic transformation function to detect novel attacks. SETIT'07: 4th International Conference on Sciences of Electronics, Technologies of Information and Telecommunications, March 25-29, Hammamet, Tunisia, 2007.
[2] Yacine Bouzida. Application de l'analyse en composante principale pour la détection d'intrusion et détection de nouvelles attaques par apprentissage supervisé. PhD thesis, TELECOM Bretagne, 2006.
[3] M. Hurfin, J.-P. Le Narzul, F. Majorczyk, L. Mé, A. Saydane, E. Totel, F. Tronel. A Dependable Intrusion Detection Architecture Based on Agreement Services. International Symposium on Stabilization, Safety and Security of Distributed Systems. November 17th-19th, 2006. Dallas (Texas, USA).
[4] Wei Wang, Sylvain Gombault and Amine Bsila. Building multiple behavioral models for network intrusion detection. 2nd IEEE Workshop on "Monitoring, Attack Detection and Mitigation", Toulouse, France, November 2007.
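The implicit approach described above (the same request forwarded to diversified servers, any difference in the results read as a possible corruption) comes down to an output comparator. The following added example is not DADDi project code: the list of masked headers, the strict-majority rule and the three constructed server responses are assumptions chosen to show why legitimate design differences have to be masked before voting.

```python
import hashlib
from collections import Counter

# Headers that legitimately differ between diversified servers and must be
# masked before comparison (assumed list for this illustration).
MASKED_HEADERS = {"server", "date", "etag", "last-modified"}


def fingerprint(response):
    """Reduce a (status, headers, body) response to a comparable value."""
    status, headers, body = response
    kept = tuple(sorted(
        (name.lower(), value.strip())
        for name, value in headers.items()
        if name.lower() not in MASKED_HEADERS
    ))
    return status, kept, hashlib.sha256(body).hexdigest()


def compare_outputs(responses):
    """Majority vote over the responses of the diversified servers.

    `responses` maps a server name to its (status, headers, body) tuple.
    Returns (verdict, suspects, answer). The answer forwarded to the client
    is the majority response, or None when no strict majority exists.
    """
    prints = {name: fingerprint(resp) for name, resp in responses.items()}
    value, votes = Counter(prints.values()).most_common(1)[0]
    if 2 * votes <= len(responses):
        # No strict majority: every module is suspect, nothing is delivered.
        return "no_majority", sorted(responses), None
    suspects = sorted(name for name, p in prints.items() if p != value)
    winner = min(name for name, p in prints.items() if p == value)
    return ("alert" if suspects else "ok"), suspects, responses[winner]


def sample_responses(corrupted=False):
    """Constructed responses of three diversified servers to one request."""
    body = b"<html>catalogue</html>"
    responses = {
        "server_a": (200, {"Server": "A/1.0", "Content-Type": "text/html"}, body),
        "server_b": (200, {"server": "B/2.3", "content-type": "text/html ",
                           "Date": "constructed"}, body),
        "server_c": (200, {"Server": "C/0.9", "Content-Type": "text/html"}, body),
    }
    if corrupted:
        # One module returns a different body: modelled as a corrupted server.
        responses["server_c"] = (200, {"Server": "C/0.9", "Content-Type": "text/html"},
                                 b"<html>altered</html>")
    return responses


if __name__ == "__main__":
    print(compare_outputs(sample_responses()))
    print(compare_outputs(sample_responses(corrupted=True)))
```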


Malicious behavior detection in ad-hoc networks

Research Staff: Frédéric Cuppens, Nora Cuppens-Boulahia – Ph.D. Students: Tony Ramard
Keywords: Intrusion detection, Specification-based detection, Aspect-Oriented Programming, OLSR
Applications: Ad-hoc network
Partners & Funding: partially funded by RED Celtic project and a French DGA (Direction Générale de l'armement) grant.

Introduction

A Mobile Ad-hoc NETwork (MANET) is a collection of nodes that are able to connect to a wireless medium forming an arbitrary and dynamic network. The routing protocol ensures that all nodes at all times can reach all destinations in the network.

In this context, several attacks can occur against security in order to disrupt the network. We especially investigate security properties of the Optimized Link-State Routing (OLSR) Protocol, a proactive routing protocol for MANETs. We analyze the possible attacks against the integrity of the network routing infrastructure, and present techniques to counter some attacks. Our main approach is based on a formal model to describe normal and incorrect node behaviors. This model allows us to derive security properties. The algorithm checks if these security properties are violated. If they are, detection occurs to allow the normal node to find a path without incorrect node behavior.

This work is supported by the RED Celtic project and a French DGA (Direction Générale de l'armement) grant.

Realization

The Optimized Link State Routing protocol (OLSR) is the most popular routing protocol for MANETs. OLSR is based on an optimized flooding mechanism for diffusing link-state information. The core optimization is that of Multipoint Relays (MPRs): each node must select MPRs from among its neighbor nodes such that a message emitted by a node and repeated by the MPR nodes will be received by all nodes two hops away.

The availability properties in MANET routing protocols, especially OLSR, have been studied. Our approach is based on specifying these properties thanks to node profiles (honest and cooperative nodes). For this purpose, we use the Nomad model [1] to express node behaviors (normal and incorrect behaviors). Nomad combines deontic and temporal logics. Deontic logic is used to model permissions, prohibitions and obligations, whereas temporal logic provides means to specify temporal and temporized constraints about actions occurring in the model. In Nomad, we model conditional privileges and obligations with deadlines. We also formally analyze how privileges on non-atomic actions can be decomposed into more basic privileges on elementary actions.

From these expressions, we can derive properties to specify a security policy [2]. These properties are woven into the OLSR protocol using Aspect-Oriented Programming (AOP) languages such as AspectJ. These properties are checked when a message is received in order to detect intrusions. Using this approach, a node can detect several malicious behaviors of other nodes, including lazy, selfish, lying and secretive nodes.

If a property is violated, a reaction occurs and the node attempts to find another path or Multipoint Relay (MPR) keeping the malicious node away. In this case, the node sends relevant information related to the detection to its neighborhood. The neighbors of this node record this information but do not fully trust it. A function allows nodes to compute the reputation of their neighbors. The reputation quantification allows nodes to choose the best path to reach another node.

This approach has been validated through simulation. The simulation results show the different contents in the routing tables of nodes following two modes: (1) when the analysis mechanism is activated (i.e. nodes check if the security properties are violated) and (2) when the analysis mechanism is deactivated. We then analyze the topology with the normal node behavior, the topology with an intruder and without the analysis mechanism, and finally the topology with an intruder and the analysis mechanism.

1) Normal node behavior simulation: We started our simulation with the normal behaviors of nodes without any attack. In this case, we noticed that none of the nodes chooses the future malicious node as MPR.

2) Attack simulation: A malicious mechanism is now implemented in the OLSR code of one node, which plays the role of a lying node by claiming incorrect links. This time, we observed that the malicious node succeeded in manipulating the routing tables of other nodes. A normal node changes its routing table with false routing information. This change affects the routing tables of its neighbors. Without our analysis mechanism, none of the nodes can detect the malicious behavior.

3) Use of the analysis mechanism: In this step, all nodes except the malicious node run the same OLSR code in which the detection mechanism is implemented. As for the normal node behavior simulation, we notice that none of the nodes chooses the malicious node as MPR. Our approach can thus detect an incorrect node behavior, and the algorithm chooses another path where this incorrect node behavior is not included.

Conclusion and future work

In [3], our approach to detect malicious behaviors in MANETs is further explained. Through this study, we chose the OLSR protocol to analyze the availability requirements for MANETs. Several properties related to availability have been expressed based on the specification of the OLSR protocol (these properties are compliant with RFC 3626) and malicious node profiles, and used to deploy an intrusion detection and response technique. Each MANET node observes the messages received by its neighbors, which provides means to check if its neighbor is malicious or not. This approach seems the most adapted for MANETs.

As a main result, we provide a security extension to OLSR. Our primary issue with respect to securing MANET routing protocols is to ensure the network integrity, even in presence of malicious nodes.

We are currently investigating a security protocol for group management in large and dynamic ad hoc networks [4]. The protocol we suggest relies on the TGDH protocol. In comparison with the previous solution, our algorithm helps to uniformly dispatch the group key computation on each node, and the global cryptographic tree is optimized. Moreover, we propose an authentication algorithm. Our algorithm provides several well-known security properties, such as node authentication, message freshness, passive attack resistance and known key attack resistance.

As future work, we plan to develop reputation evaluation for such a group management protocol and define active reaction mechanisms, including automatic exclusion of a malicious node from its group, based on this reputation evaluation.

References

[1] F. Cuppens, N. Cuppens-Boulahia and T. Sans. Nomad: A Security Model with Non Atomic Actions and Deadlines. 18th IEEE Computer Security Foundations Workshop (CSFW'05), Aix-en-Provence, France, June 2005.
[2] F. Cuppens, N. Cuppens-Boulahia, S. Nuon and T. Ramard. Property Based Intrusion Detection to Secure OLSR. Third International Conference on Wireless and Mobile Communications (ICWMC), Gosier, Guadeloupe, March 2007.
[3] F. Cuppens, N. Cuppens-Boulahia, T. Ramard. Misbehaviors Detection to Ensure Availability in OLSR. The 3rd International Conference on Mobile Ad-hoc and Sensor Networks (MSN), Beijing, China, December 2007.
[4] F. Cuppens, N. Cuppens-Boulahia, J. Thomas. S-TGDH, secure enhanced group management protocol in ad hoc networks. International Conference on Risk and Security of Internet and Systems (CRiSIS). Marrakech, Morocco. 2-5 July 2007.
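The MPR coverage property and the reaction described above (choosing another MPR that keeps a distrusted node away, with neighbour reports recorded but not fully trusted) are illustrated by the added example below. It is not the authors' AspectJ extension of OLSR: the greedy selection is a simplification of the RFC 3626 heuristic that ignores willingness, and the reputation function, its weights, the threshold and the four-neighbour topology are assumptions constructed for this illustration.

```python
def two_hop_set(me, hello, via=None):
    """Strict 2-hop neighbours of `me`.

    `hello` maps each 1-hop neighbour to the set of nodes it advertises in
    its HELLO messages; `via` restricts which neighbours are believed.
    """
    via = set(hello) if via is None else set(via)
    advertised = set().union(*(hello[n] for n in via))
    return advertised - set(hello) - {me}


def covers(me, hello, mprs):
    """MPR property: every strict 2-hop neighbour is adjacent to some MPR."""
    reached = set().union(*(hello[m] for m in mprs))
    return two_hop_set(me, hello) <= reached


def update_reputation(rep, suspect, reporter=None, weight=0.5, report_trust=0.5):
    """Hypothetical reputation function with scores in [0, 1].

    A violation observed locally counts fully. A report received from a
    neighbour is recorded but discounted by `report_trust` and by the
    reporter's own reputation, so it is never fully trusted.
    """
    trust = 1.0 if reporter is None else report_trust * rep.get(reporter, 1.0)
    rep[suspect] = max(0.0, rep.get(suspect, 1.0) - weight * trust)
    return rep[suspect]


def distrusted(hello, rep, threshold=0.4):
    """Neighbours whose reputation fell below the (assumed) threshold."""
    return {n for n in hello if rep.get(n, 1.0) < threshold}


def select_mprs(me, hello, excluded=frozenset()):
    """Greedy MPR selection that keeps excluded neighbours away.

    Returns (mprs, only_via_excluded): the chosen relays, and the 2-hop
    nodes that only excluded neighbours claim to reach.
    """
    trusted = set(hello) - set(excluded)
    uncovered = two_hop_set(me, hello, trusted)
    mprs = []
    while uncovered:
        candidates = sorted(trusted - set(mprs))
        best = max(candidates, key=lambda n: len(hello[n] & uncovered))
        mprs.append(best)
        uncovered -= hello[best]
    only_via_excluded = two_hop_set(me, hello) - two_hop_set(me, hello, trusted)
    return mprs, only_via_excluded


# Constructed topology seen by node A: M advertises links to every 2-hop node.
HELLO = {
    "B": {"A", "D"},
    "C": {"A", "E"},
    "M": {"A", "D", "E", "F"},
}

if __name__ == "__main__":
    print(select_mprs("A", HELLO))                     # M alone is selected
    rep = {}
    update_reputation(rep, "M")                        # local detection
    update_reputation(rep, "M", reporter="B")          # discounted report
    print(select_mprs("A", HELLO, distrusted(HELLO, rep)))
```

With M excluded, node A relays through B and C, and F is reported as a destination that only the distrusted neighbour claims to reach.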


Access Control

Security of Web Services

Research Staff: Frédéric Cuppens, Nora Cuppens-Boulahia – Ph.D. Student: Diala Abi Haidar
Keywords: Access Control, XACML, Trust negotiation
Applications: Web Service Security
Partners & Funding: partially funded by France Telecom R&D, ANRT through a CIFRE grant, part of research work within the RNRT project POLITESS.

Introduction

With the emergence of web services, sharing data between entities from different security domains raises the issue of protecting sensitive resources. Access control and trust management are research topics that offer solutions to such an issue. Access control models offer a way of defining policies and rules for accessing protected data. In addition, much work has been done concerning the languages used to express the security requirements. This work has led to an OASIS (Organization for the Advancement of Structured Information Standards) standard, the eXtensible Access Control Markup Language (XACML). Furthermore, trust management is essential in a public world interaction. That is, entities need to negotiate to establish a certain level of trust between them. A prototype for trust establishment called TrustBuilder was proposed in the literature [1]. It allows negotiating trust across organizational boundaries through iterative exchanges of policies and certified attributes.

Access control is important for private data protection, and trust management is unavoidable if one needs to negotiate the access. This is why access control and trust management should be done simultaneously in heterogeneous worlds such as web services. We consider that the negotiation for trust establishment is upstream of access control management. We have been working on this idea to find a flexible framework that allows the expression of multiple access control models in web services.

This research work is part of a thesis undertaken within a collaboration between TELECOM Bretagne and France Telecom R&D. It is also supported by ANRT through CIFRE under a contract number 1026/2005. It is also part of research work within the RNRT project POLITESS.

Realization

We have defined XeNA [2, 3] (XACML Negotiation of Access), a framework to integrate the negotiation for trust establishment within an access control architecture based on XACML. XeNA incorporates our proposed negotiation architecture [4] based on two modules: (1) the negotiation module, which implements a resource classification based negotiation methodology, and (2) the exception treatment module, which is called whenever exceptions are raised in the negotiation process.

According to our proposed resource classification based negotiation, resources are classified at three different levels. Resources classified at level 1 are managed by direct policies without negotiation. Resources at level 2 are managed by public access control policies that can be revealed. Within class 3 are resources managed by policies that cannot be revealed. That is, we have defined two strategies for obfuscation that are used to obfuscate such resources' negotiation policies.

Besides, we have formalized a derivation process that allows obtaining attribute-based policies, i.e. negotiation policies, used within the negotiation process. This derivation process is a correlation between the access control policies and the mapping policies. These mapping policies define the conditions of mapping concrete entities (subject, action, and object) into corresponding organizational entities (role, activity, view and context).

Furthermore, we have specified the negotiation protocol that is used at the level of the negotiation module. This protocol can implement four different strategies of negotiation. These strategies specify what should be negotiated given a negotiation policy. The negotiation protocol negotiates attributes in order to activate a permission rule. That is, we suppose that the access control policies contain only permissions. We proposed an algorithm [5] to rewrite policies containing prohibitions and permissions into an equivalent set of policies containing only permissions. Finally, a prototype was developed in order to implement and test the XeNA framework.

Future Work

We are aiming to specify the alternatives that are used at the level of the exception treatment module. Many possibilities may be studied, such as defining classes of similarity between the resources. In case the accessed resource cannot be revealed, a possible alternative may be to propose a resource belonging to the accessed resource's class of similarity. Furthermore, we need to specify the metrics that are used in order to choose between different negotiation strategies. Finally, these improvements must be taken into account at the level of the proposed prototype.

References

[1] T. Yu, M. Winslett, and K. E. Seamons. Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation. ACM Transactions on Information and System Security (TISSEC), 6(1):1–42, February 2003.
[2] D. Abi Haidar, F. Cuppens, N. Cuppens-Boulahia, H. Debar. An Extended RBAC Profile of XACML. ACM Workshop on Secure Web Services (SWS), in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS-13), Fairfax VA, USA, November 2006.
[3] D. Abi Haidar, F. Cuppens, N. Cuppens-Boulahia, H. Debar. Access Negotiation within XACML Architecture. Second Joint Conference on Security in Networks Architectures and Security of Information Systems (SARSSI), Annecy, France, June 2007.
[4] D. Abi Haidar, F. Cuppens, N. Cuppens-Boulahia, H. Debar. Resource Classification Based Negotiation in Web Services. Third International Symposium on Information Assurance and Security, 2007 (IAS 2007), Manchester, UK, August 2007.
[5] N. Cuppens-Boulahia, F. Cuppens, D. Abi Haidar, H. Debar. Negotiation of Prohibition: An approach Based on Policy Rewriting. In proceedings of the IFIP International Information Security Conference SEC'08, Milan, Italy, September 2008.


Security of NGN services

Research Staff: Ahmed Bouabdallah, Frédéric Cuppens, Nora Cuppens – Ph.D. Student: Nabil Ajam
Keywords: location-based service, location privacy, Parlay gateway, web service
Applications: B2B application, NGN platform, Service composition policy, parlay gateways
Partners & Funding: partially funded by FNADT

Introduction

Next Generation Network (NGN) constitutes the convergence between telecommunication and IT infrastructures, which is a loosely coupled layered architecture. The key evolution is the service creation in those networks where now third parties manage it either by operators.

This approach drastically differs from the one used in traditional circuit networks, where the vertical integration induces a centralization of the computational resource, of the service creation process and of the underlying business model.

Service providers can now access core network capabilities through open and standardized interfaces: the Parlay gateway, based on APIs, or the Parlay X gateway, based on web services.

On the other hand, location service is one of the most important capabilities provided by operator cellular networks. We studied the architecture and the added nodes that allow accuracy up to 5 meters in indoor and outdoor areas. It is expected that location-based services will be the killer application in NGN. Location information is sensitive information that can imperil user integrity. We are interested in one security issue of those services delivered through the Parlay X gateway, which is the privacy of end users.

To secure service creation in NGN, we have to introduce some strict constraints on the access of third parties to operator networks through Parlay gateways. In this way, the privacy issue is investigated in service creation.

This work is part of a Ph.D., funded by the FNADT project “Platform of security supervision and application to web service”, dedicated to securing service creation for Parlay and Parlay X, which began in March 2006.

Realization

We studied Parlay gateways. Parlay and Parlay X gateways play two essential roles: (1) protect operator networks from malicious manipulation of networks, and (2) map service commands into particular signalling protocols depending on the specificity of networks.

Location-based services are presented as the future killer application [1]. This application uses sensitive personal data, so protecting the privacy of subscribers is required. To secure this application, we first studied the network architectures that provide user positioning. We then specified security properties and personal data to enforce security. We suggested using pseudonymity when location-based services are used through the Parlay X gateway. So, we proposed to add a new "Privacy web service" to the Parlay X gateway to act as a proxy between third parties and end users that ensures the use of pseudonyms of subscribers [2].

We are currently investigating how to improve the privacy web service to permit end users to configure their privacy policy, and how it can act as a complete retailer of location service.

Future work

In future work, we plan to formally describe end user privacy and privacy providers. We intend to prove formally that end user privacy is ensured in services provided through the Parlay X gateway. We intend to model privacy policy using the OrBAC model.

We also investigate the security requirements of composition. No standards and consensus exist. Many researchers suggest including security aspects in semantics for compositions. We aim to prove that a composed service obeys the security policies of each composed service. Service creation through composition is a new research field where security is not addressed. The expression of a global privacy policy of composed services can be addressed in future works.

References

[1] 3rd Generation Partnership Project, "Technical Report: Enhanced support for User Privacy in Location Service," 2002.
[2] Nabil Ajam, "Privacy based access to Parlay X locations based services", ICNS, Guadeloupe, 2008.


A Fast Adaptative Secure Technology for high-speed Network

Research Staff: Sylvain Gombault
Keywords: Traffic filtering, Packet classification, Reconfigurable components, String matching
Applications: Intrusion detection sensor and Firewall for high speed network
Partners & Funding: IRISA, partially funded by Région Bretagne in the framework of PRIR Fastnet

Introduction

The development of high-speed communication networks led to a growing interest in the deployment of security mechanisms related to the specificity of these environments. The Fastnet project (Fast Adaptative Secure Technology for high-speed NETwork) tackles the problem of high-rate network traffic analysis: the proposed approach is to combine software security rule analysis and hardware architectures based on reconfigurable components. The network intrusion detection probe (NIDS) Snort [2] has been chosen as a use case, and the considered network link is Ethernet 10 Gb/s, up to 40 Gb/s.

Fastnet is a PRIR (PRojet d’Intérêt Régional) project funded by the Brittany Region (2005-2008). In this project, TELECOM Bretagne is associated with the R2D2 project (IRISA).

Realization

We carried out a state of the art on the software algorithms used or which could be used in Snort. Based on this work, a first selection of hardware filtering and string matching techniques adapted to the needs of Snort was proposed [3].

We have designed a new hardware implementation of a string matching engine based on a multi-character variant of the well-known Aho-Corasick algorithm [4]. The proposed architecture model optimally exploits the current FPGA reconfigurable components. It combines, in an efficient way, the use of the logic and memory resources of the FPGA. It is suited for searches on very large sets of strings (tens of thousands of strings) and the proposed design has been validated through the implementation of a search engine suited to the processing of a subset of the Snort rules. An Altera Stratix FPGA component is targeted. By using traffic parallelization and circuit retiming techniques, we then show that 40 Gbit/s traffic content scanning can be sustained [4].

fig. 1: Preprocessor Polsec in Snort Architecture

We have also proposed a new functionality for Snort: a preprocessor dealing with « network policy monitoring ». To ensure the security of its information system, an organisation defines a security policy which applies to all its equipment. This policy is then translated into security mechanisms on each piece of equipment. One translation of this policy applies to network traffic: it describes allowed and prohibited traffic in network policy rules. With these rules, we can describe both internal and inbound/outbound traffic. The role of the IDS is to check that no policy violation occurs. As Snort rules cannot be used to write network policy rules, thanks to its flexibility, we have developed a Snort software preprocessor based on policy rules which monitors the network traffic [5].

Conclusion

As future work, we plan to process in hardware all the parameters of a Snort rule. This means that we have to combine packet classification to select the packets in which to look for string matches. Packet classification is also useful to monitor network policy and we will see how to implement our Snort preprocessor in hardware.

References

[1] Alfred V. Aho and Margaret J. Corasick. Efficient string matching: An aid to bibliographic search. Communications of the ACM, vol. 18, issue 6, pages 333–340, June 1975.
[2] “Snort - The Open Source Network Intrusion Detection System,” http://www.snort.org/
[3] Georges Adouko, François Charot, Sylvain Gombault, Tony Ramard and Christophe Wolinski. « Panorama des algorithmes efficaces et architectures matérielles pour le filtrage réseau haut débit et la détection d'intrusions ». MAJECSTIC 2006, Lorient, France, 22-24 November 2006.
[4] Georges Adouko, François Charot and Christophe Wolinski. « Exploitation optimale des circuits reconfigurables FPGA pour la mise en oeuvre d'un moteur de recherche de motifs ». SYMPA 2008, Fribourg, Germany, February 2008.
[5] Clément Cresteaux, Thomas Gautier, Mamadou Sanoussy Diallo, Pierre Tasson. « Projet Snort : Ajout d’un préprocesseur ». Rapport de projet Master 2 Université de Rennes 1, February 2007.

Consistency and interoperability in security policies

Research Staff: Frédéric Cuppens, Nora Cuppens-Boulahia – PhD. Student: Céline Coma
Keywords: security policy, secured interoperability, OrBAC, Ontology, Sphere of authority
Applications: Web service security
Partners & Funding: partially funded by the French RNRT project Politess and by a grant from the Institut TELECOM

Introduction

Current information systems are more and more distributed and require more interactions with external services to achieve business continuity. In this context, we have to secure the access to and usage of exchanged information and ensure that each party involved in some interoperability session at least maintains its security level. To guarantee good interoperability exchanges, organizations need to share information with other participants about the services they provide. In addition, to be compliant with security requirements during interoperability, security policies have to be dynamic.
One purpose of our recent works is to provide this dynamic behavior by taking into account the context of access parameters. The context-aware security requirements may be met by using a contextual access control model to define the security policy of each party involved in the interaction, and OrBAC (Organization based Access Control) is an adequate model for this purpose. Elaborating an ontology based security model provides a means to ensure sharing of understandable knowledge, in particular knowledge needed to derive the authorized accesses and usages during the interoperability sessions. We thus suggest context ontology to be combined with an ontological representation of the OrBAC model and show how it can be used to ease the security rules definition and derivation during interoperability sessions.

Realization

We suggest a formal approach called O2O (Organization to Organization) to deal with access control in an interoperability context. It is based on the concept of Virtual Private Organization (VPO) that enables any organization undertaking an interoperation with other organizations to keep control over the resources accessed during the interoperability phases. Thus, using O2O, each organization can define and enforce its own interoperability security policy. This interoperability security policy defines how subjects from some organization can access and use resources owned by other organizations in the VPO. In the O2O approach, VPO policies are expressed by use of the OrBAC model. Its built-in confinement principle ensures a secure interoperation and its structure based on organizations, roles, activities, views and contexts makes specifications of fine grained access control easier. In OrBAC, due to the confinement principle, the scope of every security rule is restricted to the organization to which the rule applies.

We claim that many works for the security interoperability do not establish a clear separation between (1) the definition of the security policy to be applied in this context, (2) how it is expressed, (3) how it is administered and (4) how it can be managed. Our O2O approach gives a response to each of these issues.

In the O2O approach, interoperability policies are always defined by the VPO parent organization and administered by a VPO. In this way, the VPO controls all the external accesses to the resources of the parent organization that is involved in an interoperation. Other issues are discussed in the published papers [1, 2]. In particular, the management of interoperability security policies is based on the concept of sphere of authority: each organization defines and manages its interoperability policies that are within its sphere of authority. At each moment, a VPO is within the sphere of authority of the organization which provides the access to its resources. An organization A is in the sphere of authority of another organization B if the security policy that applies to A is defined and administrated by B. Furthermore, O2O is flexible because it offers centralized, decentralized and hybrid management.

To share understandable knowledge required to derive the permitted accesses and usages of the information during the interoperability sessions, we suggest context ontology to be combined with the OrBAC model and show how it can be used to ease the security rules definition and derivation during an interoperability session [3].

For this purpose, mapping between context ontologies has been defined [4]. This mapping is based on detection of compatibility relations between ontologies and context revision operators. Context revision operators are used to adapt the mapping between security rules so that each organization involved in the interoperation can always enforce its security policy. This approach provides a framework to define interoperability security policies as suggested in the O2O model. Collaborative activities in a P2P environment are used as an example to illustrate our approach.

Conclusion

This is only a short overview of the main principles of the O2O approach. We are currently implementing our context ontology and mapping relations in MotOrBAC [5] such that the interoperability is access control model independent. So, two organizations can interoperate although they do not both apply an organisation access control. Other issues are discussed in the referenced papers below. In particular, the collaboration of several organizations in a VPO may lead to creation of new objects. Clearly, these new objects do not belong to any of the members of the VPO. Managing accesses to new resources created in a VPO is an issue we are currently investigating.

References

[1] F. Cuppens, N. Cuppens-Boulahia and C. Coma. O2O: Managing Security Policy Interoperability with Virtual Private Organizations. In 13th Annual Workshop of HP Open-View University Association (HP-OVUA), May 2006.
[2] F. Cuppens, N. Cuppens-Boulahia and C. Coma. O2O: Virtual Private Organizations to Manage Security Policy Interoperability. In Second International Conference on Information Systems Security (ICISS'06), December 2006.
[3] C. Coma, N. Cuppens-Boulahia and F. Cuppens. A context ontology based approach for secure interoperability. In 14th Annual Workshop of HP Software University Association (HP-SUA) 2007, July 2007.
[4] C. Coma, N. Cuppens-Boulahia and F. Cuppens. Context Ontology for Secure Interoperability. Third International Conference on Availability, Reliability and Security (AReS 2007). Barcelona, Spain. March 2007.
[5] F. Cuppens, N. Cuppens-Boulahia and C. Coma. MotOrBAC : un outil d’administration et de simulation de politiques de sécurité. SARSSI. Seignosse, France, June 2006.


Information flow control in organization

Research Staff: Frédéric Cuppens, Nora Cuppens-Boulahia – Ph.D. Student: Julien Thomas
Keywords: DRM, declassification, information flow control
Applications: Multi level security, Secure content management
Partners & Funding: funded by a French DGA (Direction Générale de l'armement) grant.

Introduction

Protection of sensitive data to ensure confidentiality, integrity and availability is an important issue for governmental organizations such as the French MoD. Solutions must guarantee the enforcement of security policies (such as multi level security) established by these organizations to manage sensitive information. The notion of traceability is also an important challenge, even more so when sensitive data have to flow through security levels (declassification).

In this context, TELECOM Bretagne has been working for several years on information flow control models for multi-level security policies [1] and management of dynamic classification of data [2].

We are currently investigating applicability of DRM techniques for managing sensitive data. This work is part of a thesis whose main objectives are to formalize how information flow control may be addressed by DRM techniques and develop relevant use cases for these techniques.

Realization

We started the research work with a state of the art of the different domains bound to the thesis subject.

Non interference

Since Non Interference is the most frequently used model to deal with information flow control, the main variations of non interference (Generalized Non Interference, Intransitive Non Interference, Abstract Non Interference) have been studied.

Several extensions of non interference to deal with secure declassification of sensitive information have also been recently suggested. The notions of Who? What? Where? When? [3] are the main dimensions to analyze these different declassification proposals. Though the state of the art is quite debatable, it defines the main requirements of a declassification based model.

DRM techniques

We have performed an overview of the main DRM proposals: MPEG-REL, OMA-DRM, LicenseScript. These approaches are mostly used to protect commercial content with copyright (audio or video contents).

More recently, it has also been suggested to use DRM techniques in enterprises to protect their sensitive data. Thus, existing EDRM (Enterprise DRM) solutions have been listed and several categories have been defined. Among the Open Source platforms, we investigate AXMEDIS (supported by a European Consortium) and OpenIPMP (Open Source project supported by Open Mobile Alliance), which are two interesting solutions.

Regarding applicability of DRM in French governmental organizations, we notice that several referentials have been published. We especially investigate the RGI (Référentiel Général d'Interopérabilité) and the RGS (Référentiel Général de Sécurité) with PRIS (politique de référencement intersectoriel de sécurité). These referentials define the French government models, which are compliant with RFCs and Open Source solutions.

Future Work

From a theoretical point of view, the specification of declassification properties will be one of our major concerns. Regarding DRM, we will work on the comparison of existing DRM models and the analysis of the cited platforms. We shall also investigate the applicability of the Federated Rights Expression Model (FORM) [4], which allows a content provider to decide to trust external rendering rights and external identities, and the Onion Policy Administration Model (OPA) [5], a new model for super-distribution which provides a complete traceability of the content distribution. The applicability of the (E)DRM models to governmental organizations will also be a direction of future work.

References

[1] P. Bieber and F. Cuppens. A Logical View of Secure Dependencies. Journal of Computer Security, 1(1), IOS press, 1992.
[2] P. Bieber and F. Cuppens. Secure Dependencies with Dynamic Level Assignements. 5th IEEE Computer Security Foundations Workshop, Franconia, 1992.
[3] A. Sabelfeld and D. Sands. Dimensions and Principles of Declassification. In 18th IEEE Workshop on Computer Security Foundations, June 20 - 22, 2005.
[4] T. Sans, F. Cuppens and N. Cuppens-Boulahia. FORM: A Federated Rights Expression Model for Open DRM Frameworks. ASIAN'06. Tokyo, Japan. December 2006.
[5] T. Sans, F. Cuppens and N. Cuppens-Boulahia. OPA: Onion Policy Administration Model - Another approach to manage rights in DRM. IFIP/SEC. May 2007.

Dynamic access and usage control in pervasive environments

Research Staff: Frédéric Cuppens, Nora Cuppens-Boulahia – Ph.D. Student: Yehia El Rakaiby
Keywords: Usage Control, Dynamic Access Control
Applications: Security of ubiquitous computing and pervasive environment
Partners & Funding: partially funded by Conseil Régional de Bretagne

Introduction

Over the previous several years, the world has witnessed an important evolution in the exchange of digital information due to advances in networks and communication. Network localization and presence services and the increase in the computing capabilities of the different electronic devices made way for highly intelligent context-aware applications. Capturing security requirements of such applications in a policy-based security framework represents an interesting challenge.

One of those new security requirements is usage control.
Usage control refers to the controls over data after it is released to some third party. It is undeniable that usage control in today's digital environment is of utmost importance and is needed in many applications such as DRM applications, P2P, availability requirements, etc. Essentially, usage controls define requirements that must be met before, while or after the use of some resource. Examples of possible usage controls are "the user must keep watching an advertisement window while watching the video" or "Within thirty days after the use of the resource, the user must pay for the use of the service". Among previous works on usage control are [1, 2].

Salient features of future applications are most likely to include context-awareness and interactivity between the different service actors. Therefore it seems reasonable to assume that for a policy-based system to adequately meet those requirements, it must enable the expression of some sort of dynamic contextual security rules such as “from 9AM to 18PM, if any of my family members requests access to my files, I would like to be contacted to authorize the access”. One may justly say that traditional access control systems relying on MAC, DAC or RBAC policies are too rigid for the expression of such security policies. Other more recent policy-based systems whose expressivity is arguably better suited for the expression of such policies are [3, 4, 5].

In this thesis, we have focused our attention on the study of the different security requirements in pervasive environments. In particular, we studied the best means for the expression of usage control and dynamic access control within an integrated single security framework.

Realization

We have first analyzed the security requirements of future applications, namely usage and dynamic access control, and studied the current policy-based security frameworks. We aim to develop an intuitive language with formal semantics for the representation of dynamic security requirements and provide an operational formal interpretation of the developed language. From our analysis of the nature of dynamic access control and usage control, the notion of obligations appeared to be fundamental (the same conclusion was reached by previous works on usage control [1, 2]). Therefore, we have worked on the specification of an obligation controller for the interpretation of the dynamic part of our policy. In order to give formal operational semantics to the controller, we have studied the well established ECA paradigm from active databases and identified how active rules can adequately provide the controller with clear formal operational semantics. Our final goal was to integrate the obligation controller with a context-aware access controller in a single security framework.

Future work

Future work consists of the finalization of our approach in order to have a single policy-based security framework which encompasses traditional access control, dynamic access control and usage control.

References

[1] J. Park and R. Sandhu. The UCON ABC usage control model. ACM Trans. Information Systems Security, 2004.
[2] M. Hilty, A. Pretschner, D. Basin, C. Schaefer and T. Walter. A Policy Language for Distributed Usage Control. ESORICS, 2007.
[3] A. Abou El Kalam, R. El Baida, P. Balbiani, S. Benferhat, F. Cuppens, Y. Deswarte, A. Miege, C. Saurel and G. Trouessin. Organization based access control. Policy, 2003.
[4] F. Cuppens, N. Cuppens-Boulahia and T. Sans. Nomad: A Security Model with Non Atomic Actions and Deadlines. 18th IEEE CSFW, Aix-en-Provence, France, June 2005.
[5] L. Kagal, T. Finin and A. Joshi. A policy language for a pervasive computing environment. Policy, 2003.


Peer 2 peer

P2PIm@ges

Research Staff: Frédéric Cuppens, Nora Cuppens-Boulahia, Fabien Autrel
Keywords: Peer to Peer, Access and Usage Controls, Digital Rights Management (DRM), File Sharing
Applications: Video on Demand, Video Live, IPTV, games.
Partners & Funding: Thomson R&D France, Thomson Broadcast & Multimedia, Mitsubishi Electric, Devoteam, France Telecom, Marsouin, IRISA, IPdiva, TMG. It is funded by the DGE

Introduction

Peer-to-peer refers to a class of systems and applications that employ distributed resources to perform a function in a decentralized manner. The resources encompass in particular computing power, data, network bandwidth and computers. The critical function can be distributed computing, data/content sharing, communication and collaboration, or platform services.

The objective of the P2Pim@ges project relates to the definition and the development of a legal delivery system for music and video contents using peer to peer (P2P) techniques. Even if the concept of P2P has become increasingly popular in recent years (in 2004, in a tier-1 ISP, P2P file sharing accounted for more than 60% of traffic in the USA and more than 80% of the traffic in Asia), it has remained confined to a more or less legal use of downloading files. The objective of the P2Pim@ges project is to study this technology in order to make it a new electronic delivery system for contents.

Realization

SERES brings to the project its expertise in the field of the security of systems and networks, in particular its work related to the expression and the deployment of security policies in collaborative networks such as peer to peer, and its knowledge of the expression and interpretation of digital rights languages and the management of super-distribution.

A first step towards securing the P2Pim@ges system was to perform a risk assessment. We have specified the different actors of the P2Pim@ges system. We classified P2P-specific attacks according to their intent, target and gravity (see Fig. 1). Illicit Modification of Content by a Peer, Reverse Engineering and Cloning for Intellectual Property Theft, Obtain the Private Key of the Certification Server, Attacks on Data Related to Legal Issues, and Intrusion and Takeover of the Management Server are the top 5 attacks that we have to mitigate.

Fig. 1: P2Pim@ges actors and relevant attacks

However, P2P systems are exposed to an unusually broad range of attacks because of their lack of central control or administration. So, besides the need to be robust against faults and sudden departure of nodes, as they are currently being designed, P2P systems also need to be robust against security threats. SERES coordinates and contributes to the security tasks of P2Pim@ges to bring together a broad range of techniques, none wholly original, that can help to resist attacks on the P2Pim@ges system, identify synergies among them, and specify how they can be implemented.

Some security requirements have also been specified. They rest on the P2Pim@ges client, content and network, privacy and legal aspects, DRM usage and agnosticity.

We shall use the risk analysis and security requirements results as inputs to the other security tasks (authentication and identity management, intrusion detection, super-distribution and legacy) that have been kicked off recently.

Future Work and Conclusion

We will use Data Rights Management (DRM) to address security issues of the P2Pim@ges project. Our Federated Rights Expression Model (FORM) [1] allows a content provider to decide to trust external rendering rights and external identities. We then go further, introducing identity providers and action providers as we consider content providers. Thus, all kinds of providers can define licenses specifying what can be done with the content they provide. FORM defines a new license model and interpretation mechanism taking into account all licenses issued by a federation of content providers.

We will also make use of our new super-distribution model called Onion Policy Administration Model (OPA) [2]. OPA provides a complete traceability of the content distribution. The content must keep track of all third parties it crosses in the distribution chain. In this case, everyone can distribute the content and define a new license without any restriction. This administration model is easier to grasp than other super-distribution mechanisms, especially when many distributors are involved in the super-distribution chain of given information content, as is the case in a P2P system. OPA is an adequate administration model upon FORM as it can be extended to handle data, methods and user profiles as well.

The protocols associated with FORM and OPA will be specified, customized to the P2Pim@ges platform and implemented.

The authentication of P2Pim@ges actors and the federation of identity of peers are key problems in the project. We intend to use our research works on interoperability of security policies, and developments performed in our platform Protekto (see the next sheet), to leverage P2Pim@ges tasks related to these aspects.

References

[1] Thierry Sans, Frédéric Cuppens and Nora Cuppens-Boulahia. FORM: A Federated Rights Expression Model for Open DRM Frameworks. ASIAN'06. 11th Annual Asian Computing Science Conference, focusing on Secure Software and Related Issues. Tokyo, Japan. December 2006.
[2] Thierry Sans, Frédéric Cuppens and Nora Cuppens-Boulahia. OPA: Onion Policy Administration Model - Another approach to manage rights in DRM. IFIP/SEC 2007, 21st IFIP TC-11 International Information Security Conference. Sandton, South Africa. May 2007.


Managing a Peer-to-Peer Storage System in a Selfish Society

Research Staff: Patrick Maillé, Laszlo Toka
Keywords: Peer-to-peer, pricing, incentives, game theory
Applications: Network pricing and optimization
Partners & Funding: Institut TELECOM project DisPairSe

Introduction
The possibility of storing data online appears as a value-adding service in the context of the soaring "society of information". Indeed, access to the Internet is becoming easier and easier, with higher and higher available transmission rates in access networks, which renders transfer times reasonable, even for large files. Moreover, online storage systems are able to cope with document versioning, and to protect data not only against user device failures but also against disk failures, through the use of data replicas stored on different disks.

For those reasons, many companies now propose a service of online data storage. However, while creating such a storage service implies owning huge memory capacities and affording the associated energy and warehouse costs, one can imagine using the smaller but numerous possible storage spaces of the service users themselves, as is done in peer-to-peer file sharing systems. In such a peer-to-peer storage system, the participants are at the same time the providers and the users of the service. To work properly, a peer-to-peer storage network requires participants to offer a sufficient part of their disk space to the system, and to remain online often enough. However, both of those requirements imply costs (or at least constraints) for participants, who may be reluctant to devote some of their storage capacity to the system instead of using it for their own needs.

Note that the economic models developed for peer-to-peer file sharing systems do not apply to peer-to-peer storage services: in file sharing systems, the data offered by a peer can benefit all other peers; in that sense the resource offered to the system is a public good. On the contrary, in a peer-to-peer storage system the memory space offered by a peer is a private good: it can be shared among different users but each part is then devoted to only one user. Therefore the economic implications of those systems are necessarily different.

Eliciting participants to contribute
We consider two possible incentive schemes, by suggesting that either each peer's use of the service should be limited to her contribution level (symmetric schemes), or that storage space be bought from and sold to peers by a system operator that seeks to maximize profit.

The figure presented next illustrates the quantity $C_i^*$ that is exchanged by user $i$ with demand function $d_i$ and supply function $s_i$ in the case of a symmetric scheme, and the quantity of storing capacity $C_i^o$ (resp. $C_i^s$) that he offers (resp. buys) if an operator buys from and sells storing capacity to participants with unit price $p^o$ (resp. $p^s$).

Realization
In this work, we consider that users behave selfishly, i.e. are only sensitive to the quality of service they experience, regardless of the effects of their actions on the other users. The framework of noncooperative Game Theory [1] is therefore particularly well-suited to study the interactions among peers.

We therefore focus on the incentives that can be introduced to make participants contribute to the system, i.e. the changes that can be brought to the game to modify its outcomes.

Which scheme to prefer?
The main question addressed in this work is whether it is socially better to impose a symmetric scheme or to let a profit-maximizing monopoly set prices. The performance measure we consider is social welfare, i.e. the total value that the system has for all participants. Under some assumptions on the peers' utility functions, we derive a necessary and sufficient condition for symmetry-based systems to outperform revenue-oriented management.

The figure below compares social welfare $W$ obtained by using each scheme to the maximal reachable value of social welfare $W^*$ (assuming user preferences are parameterised by two independent values, $a$ and $b$, with an exponential distribution of respective mean $1/\mu_a$ and $1/\mu_b$).

We obtain that user heterogeneity tends to favor pricing-based schemes that are more flexible, and above a given user heterogeneity threshold even a monopoly-managed system will be socially better than a system imposing symmetry. Those results have been presented in [2], and a generalized version of the model has been submitted.

Conclusions
In this work we have addressed the problem of user incentives in a peer-to-peer storage system. Using a game theoretical model to describe selfish reactions of all system actors (users and the operator), we have studied and compared the outcomes of two possible managing schemes, namely symmetry-based and profit-oriented payment-based. Not only was the size of the offered storage space targeted with incentives, but as availability and reliability are particularly important issues in storage systems, the model also aimed to reduce churn. By comparing the social welfare level at the outcome in the two cases, under some assumptions on user preferences we exhibited a necessary and sufficient condition for a type of management to be preferable to the other: it appears that profit-oriented payment-based schemes may be socially better than symmetric ones under some specific circumstances, namely if the heterogeneity among user profiles is high.

References
[1] D. Fudenberg and J. Tirole. Game theory. MIT Press, 1991.
[2] L. Toka and P. Maillé. Managing a Peer-to-Peer Backup System: Does Imposed Fairness Socially Outperform a Revenue-Driven Monopoly?, in Proc. of the 4th International Workshop on Grid Economics and Business Models (Gecon'2007, Rennes, France), August 2007.
[3] P. Maillé and L. Toka. Managing a Peer-to-Peer Storage System in a Selfish Society. Submitted.
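The comparison described in this sheet can be reproduced on a toy model. The following is an added example, not code or formulas from the report or the cited papers: the linear demand d(c) = a - c, the linear supply s(c) = b c, the two constructed populations and every function name are assumptions made for illustration.

```python
"""Toy welfare comparison of the two incentive schemes (constructed model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    a: float  # assumed demand d(c) = a - c: marginal value of storing one more unit
    b: float  # assumed supply s(c) = b * c: marginal cost of offering one more unit


def value(peer, units):
    """Benefit of storing `units` (integral of the assumed demand function)."""
    return peer.a * units - units ** 2 / 2


def cost(peer, units):
    """Cost of offering `units` (integral of the assumed supply function)."""
    return peer.b * units ** 2 / 2


def symmetric_welfare(peers):
    """Symmetric scheme: each peer stores exactly what it offers, d(C*) = s(C*)."""
    total = 0.0
    for p in peers:
        c_star = p.a / (1 + p.b)
        total += value(p, c_star) - cost(p, c_star)
    return total


def bought(peers, sell_price):
    """Capacity each peer buys from the operator at unit price p^s."""
    return [max(p.a - sell_price, 0.0) for p in peers]


def offered(peers, buy_price):
    """Capacity each peer sells to the operator at unit price p^o."""
    return [buy_price / p.b for p in peers]


def priced_welfare(peers, sell_price, buy_price):
    """Payments are transfers, so welfare is total value minus total cost."""
    return sum(value(p, cs) - cost(p, co)
               for p, cs, co in zip(peers, bought(peers, sell_price),
                                    offered(peers, buy_price)))


def clearing_buy_price(peers, sell_price):
    """Lowest p^o at which the space offered covers the space sold."""
    return sum(bought(peers, sell_price)) / sum(1 / p.b for p in peers)


def monopoly_prices(peers, steps=20000):
    """Grid search over p^s for the operator's profit-maximising (p^s, p^o)."""
    top = max(p.a for p in peers)
    best_profit, best = float("-inf"), (top, 0.0)
    for k in range(steps + 1):
        ps = top * k / steps
        po = clearing_buy_price(peers, ps)
        profit = (ps - po) * sum(bought(peers, ps))
        if profit > best_profit:
            best_profit, best = profit, (ps, po)
    return best


def optimal_welfare(peers):
    """W*: a single price for buying and selling, found by bisection."""
    lo, hi = 0.0, max(p.a for p in peers)
    for _ in range(100):
        mid = (lo + hi) / 2
        if sum(bought(peers, mid)) > sum(offered(peers, mid)):
            lo = mid  # excess demand: the clearing price is higher
        else:
            hi = mid
    price = (lo + hi) / 2
    return priced_welfare(peers, price, price)


def compare(peers):
    """Return (W_symmetric / W*, W_monopoly / W*)."""
    w_star = optimal_welfare(peers)
    ps, po = monopoly_prices(peers)
    return (symmetric_welfare(peers) / w_star,
            priced_welfare(peers, ps, po) / w_star)


# Constructed populations: identical peers, then peers with very different costs.
HOMOGENEOUS = [Peer(a=10, b=1), Peer(a=10, b=1)]
HETEROGENEOUS = [Peer(a=10, b=0.25), Peer(a=10, b=4)]

if __name__ == "__main__":
    for name, peers in (("homogeneous", HOMOGENEOUS),
                        ("heterogeneous", HETEROGENEOUS)):
        sym, mono = compare(peers)
        print(f"{name}: symmetric {sym:.3f} of W*, monopoly {mono:.3f} of W*")
```

With these constructed numbers the symmetric scheme reaches W* for identical peers, while for the heterogeneous pair the monopoly (0.750 of W*) edges past symmetry (0.735 of W*), because pricing lets the low-cost peer offer more space than it stores.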


Applications of networks to transports

Localization and Communication for emergency services

Research Staff: Jean-Marie Bonnin, Yvon-Marie Le Roux, Patrick Lassudrie-Duchesne, Daniel Bourreau
Keywords: mobile networks, geo-localization, geographical information systems
Applications: ITS, emergency services
Partners & Funding: with partial funding of Région Bretagne

Introduction
In case of an accident or a disaster occurring either on the road, in a factory, in a city, in a harbor or on a boat cruising close to the coast, three points are of the highest importance: the rapidity of the intervention of the brigade, the exactness, the completeness and the topicality of the critical information available at the level of the headquarter vehicle and the possibility for intervening agents to remain in permanent contact with that vehicle.

The LoCoSS project (Localisation et Communication pour les Services de Secours) deals with geo-localization, geographical information systems and wireless communication applied to disaster response management and coordination. LoCoSS aims at bringing significant improvements to the rescue brigades' operations, terrestrial as well as maritime. The project includes several departments of Pracom (RSM, MO, ELEC) and several partners: École Navale, ENSIETA, LCPC Nantes, Véhipôle Saint Brieuc. It is a 3-year project, which is funded by Region Bretagne and which started in April 2006.

Networks aspects
The RSM team is involved in the networking aspect of this project. Many wireless communication technology standards (GPRS, Wi-Fi, WiMAX, DSRC, UMTS…) could be used to offer a permanent IPv6 connectivity to onboard equipment through NEMO technology (Network mobility) and an adequate interface selection mechanism. Therefore, the commanding vehicle is able to download continuously the necessary information into its local database, before the departure, during its travel and during the operation. Wireless duplex links will also be established between the vehicle and some members of the team equipped with a positioning pack, in order to trace their movements from the vehicle and to optimize operations management and the security of the persons. Since all pieces of equipment (in vehicles and on members of the team) will be provided with a full IPv6 connectivity, the commanding vehicle or the headquarter will be allowed to directly request information from them.

We made an in-depth study of the needs expressed by the rescue services that are involved in the project as clients of the solutions and as experimenters. We identified several points that have to be developed in order to improve the viability of such a solution for critical missions. One of the strong requirements is the ability to give a priority to the flows depending on the relative importance of the data exchanged. It is also necessary to increase the availability of the network service: when one vehicle is out of range of all access networks, it must be provided with IP connectivity through another truck acting as a relay.


Geo-localization aspects
Thanks to the positioning technologies, based on EGNOS, aided by additional sensors to ensure a high level of integrity, the intervening vehicles will be able to navigate precisely and accurately up to the accident or disaster location, and the main stationary headquarters (typically the fire station) will be informed precisely about their progress. For the difficult issue of tracking the firemen inside a big site such as a factory or a ship, novel positioning techniques such as high-sensitivity or assisted GPS receivers, combined with inertial sensors and 3D map-matching, will be developed and experimented.

As far as research on positioning is concerned, partner ENSIETA is presently investigating different positioning technologies that could be utilized for the challenging indoor navigation. The basic idea is to combine several technologies: high-sensitivity GNSS receivers for the areas where GNSS signals are penetrating, MEMS inertial measurement units for the traveled distance based upon the number and size of steps, the direction provided by the gyros and magnetometers, and advanced map-matching algorithms based upon the 2D or 3D map of the area and the topological constraints (1). First results from the LoCoSS project concern the firemen localization in constrained environments (forest, indoor, city…) where the GPS position is not precise enough. TELECOM Bretagne also investigates, together with ENSIETA, technical methods to improve localization accuracy within multipath environments.

Geographical Information System aspects
Finally, on top of the geolocalisation and communication infrastructure, a Geographical Information System (GIS) will act as computing software able to integrate, store, model, analyze and visualize spatially related data. The information system of the LoCoSS project will be used to build and to update an on-board database limited to the necessary information to support the operations in a given area. This "mobile database" will have to be extracted from the main one at security headquarters. Similarly, the main database located at the fire station will have to be interactively updated in real-time during the progress of the rescue operations. Amongst the interesting dynamic data to integrate within databases are firemen and vehicle positions and movements. The continuous recording of such data is essential for real-time following of actual operations. These studies are mainly covered by IRENAV from École Navale.

Conclusion
The project will develop mechanisms to acquire the real-time data coming from the geo-localized vehicles and people through the wireless communication links and to store them in an appropriate database. Spatiotemporal queries to the database will be developed to handle and display these dynamic data on the existing firemen's interface. The overall objective will be to visualize the progress of the deployed forces and to make decisions in real-time thanks to the global view of the situation. A prototype system is planned to be built over the next two years to demonstrate, in partnership with the fire brigades of the Côtes d'Armor and Finistère departments, the efficiency of the proposed security services.

References
[1] L. Suciu, J.-M. Bonnin, K. Guillouard, and T. Ernst. Multiple Network Interfaces Management for Mobile Routers. In 5th International Conference on ITS Telecommunications (ITST 2005), Brest, France, June 2005.
[2] M. Mahamat-faki, J.-M. Bonnin, and R. Ben Rayana. Traffic flow control on multitunneled mobile router. In short paper in WNEPT06 (Workshop on Networking in Public Transport), Waterloo, Canada, August 2006.
[3] Patrick Bosc, Olivier Sentieys, François Peyret, Cyril Ray, Jean-Marie Bonnin, Yvon-Marie Le Roux. GIS ITS Bretagne: status and perspectives, 6th International Conference on ITS Telecommunications, Chengdu, China, 21-23 June, 2006.
[4] R. Garello, Y. Le Roux, G. Landrac, C. Claramunt, R. Person, F. Vallée. GalileOcean, 6th International Conference on ITS Telecommunications, Chengdu, China, 21-23 June, 2006.


Adaptive Application Support in Mobile Networks

Research Staff: Jean-Marie Bonnin, Nicolas Montavont, Namhoon Kim, Mathieu Peresse
Ph.D. Student: Rayène Ben Rayana
Keywords: ambient networks, network mobility, heterogeneous access networks, IPv6, adaptive applications
Applications: ITS, entertainment
Partners & Funding: TELECOM Bretagne (RSM), France Telecom R&D (project leader), Thales Communications, ARTAL, ULP (LSIIT), partially funded by ANR.

Introduction
The number of devices that rely on the Internet in order to provide the service users expect continues to grow at an astonishing rate. Unfortunately, as these services are used while traveling, each device has to manage the mobility on its own. This is not efficient:
• in terms of power consumption, since each device has to reach a base station or an access point;
• in terms of network burden, since the number of mobility events the network has to manage increases with the number of mobile terminals;
• in terms of deployment complexity, since each mobile device has to manage the mobility and then has to be configured through an interface, or the simplest devices, such as sensors, could use some autoconfiguration mechanisms.

In order to solve these problems, the IETF has designed a protocol called NEMO Basic Support. This protocol frees mobile terminals from mobility management by introducing a Mobile Router that provides Internet connectivity to all equipment embarked in the mobile network. It transparently manages mobility events, taking charge of the tunnel setup and tear-down, the signaling with the Home Agent and the routing. Embarked terminals only have to manage their Internet connectivity in the same way they would do in a LAN.

The REMORA ANR-RNRT project aims at developing technical solutions for complete management of the whole set of network mobility issues. The new capabilities implemented inside REMORA shall enable clever management of mobile networks and of their interconnection with multiple access networks.

Technical approach
The network mobility mechanism is based on the solution defined by the NEMO working group at the IETF. Extensions related to multiple access management (MCoA: Multiple Care-of Address) and routing policies exchange have been integrated in the core architecture. The project specifically considers the following aspects:
• mobility management on a flow-by-flow basis while improving reliability of the whole architecture. These capabilities will allow permanent access to the Internet for devices with reduced functionalities.
• providing adaptive applications running on nested devices with connectivity information in order to allow them to adapt.
• making applications able to declare their needs to the mobile router, which takes them into account to manage the multiple interfaces and to route flows.

Realization
The team is mainly involved in this project in order to study and design the relation between mobile routers and applications running on nodes attached to the mobile network. It is also in charge of developing the multiple interfaces and policies management systems on the mobile router.

Last year, a second version of the specifications was issued. They cover the global architecture specification, the multiple interfaces management at the mobile router and the protocols used to announce network characteristics to the applications or to declare application needs to the mobile router. The API used by the applications to dialogue with the local connectivity manager and then with the mobile router has also been defined.

The development of the policies management in the mobile router is on the way. The first version of the POLicy handler for Nemo, Application REsponsiveness and Fun (POLNAREF) has been provided to partners. It is responsible for making flow-by-flow routing decisions based on the environment surrounding the mobile router (Network Availability, Speed, Time of the day...), as well as predefined rules given by the administrator or the network operator.

The Flow Protocol, which is the piece of software that will enable applications to adapt to the mobile network's environment, is now ready to be integrated in POLNAREF and in the mobile nodes.

Future Work
In the next steps our work will be integrated with the components provided by the other partners.

A final step would be the setting up of a demonstration testbed on which several experiments will be carried out in order to evaluate our global architecture and to compare it with existing proposals.

Conclusion
The new solutions defined by the REMORA project will be actively supported and promoted by each partner in the ad hoc standardization bodies. REMORA will also rely on the close relationship between some of its members and the WIDE Japanese consortium, especially the NAUTILUS6 working group, whose R&D activities focus on standardizing NEMO mechanisms and testing them. REMORA achievements will provide input to improve the CALM standard (ISO TC204 WG16). It could help with two of the main challenges faced by this ongoing standard. The distribution of the decision process between embarked devices and the OBU (On Board Unit) is one of them. Another one lies in the way to exchange information between layers through the management plane as well as between entities inside the vehicle.

The results of the project will lead to new approaches for a new generation mobile Internet, and those will allow mobile users to benefit from services that are more personalized. Thanks to its federative and innovative aspects, REMORA is really interesting for both the French academic and telecom industry communities. REMORA will also contribute to promoting IPv6 deployment and the creation of new services associating information, entertainment and telecommunications.

References
[1] Ernst, Thierry, "The Information Technology Era of the Vehicular Industry", ACM SIGCOMM Computer Communication Review (CCR) Volume 36, Issue 2, April 2006.
[2] V. Devarapalli et al, "Network Mobility (NEMO) Basic Support Protocol", IETF RFC 3963, http://www.ietf.org/rfc/rfc3963.txt, January 2005.
[3] Suciu, Lucian and Bonnin, Jean-Marie and Guillouard, Karine and Ernst, Thierry, "Multiple Network Interfaces Management for Mobile Routers", 5th International Conference on ITS Telecommunications (ITST), Brest, France, 27-29 June 2005.


Wireless Mesh Networks

Research Staff: S. Houcke, Nicolas Montavont, Yvon Le Roux, Fabien Nicolas, Jacky Ménard, Jean-Pierre Jolivet, Claude Toquin.
Ph.D. Students: Bui Quoc Anh, Safaa Hachana.
Keywords: Mesh, Ad-Hoc, WIMAX, routing.
Applications: Wireless Communications
Partners and Funding: Pôle de compétitivité mer, with Alcatel, Thomson GrassValley, Morgan Conseil, C2 Innovativ System, IFREMER, Aker Yards, TELECOM Bretagne

Introduction
Wireless Mesh Network (WMN) is a promising wireless technology for several emerging and commercially interesting applications. It is gaining significant attention as a possible way for Internet service providers and other end-users to establish robust and reliable wireless broadband service access at a reasonable cost. Unlike traditional wireless networks, a WMN is dynamically self-organized and self-configurable. In other words, the nodes in a mesh network automatically establish and maintain network connectivity.

Ex-trem project
The goal of the project is to give boats continuity of communication services over the sea. First of all, the effort is focused on the harbour area and the area close to the coast. Indeed, the main requests are coming from those areas. The system is based on WiMAX technology. This project is linked to the « pôle de compétitivité Mer » with Alcatel, Thomson GrassValley, Morgan Conseil, C2 Innovativ System, IFREMER, Aker Yards, TELECOM Bretagne. The project is planned from 01/2007 to 01/2010. The project is made of two stages as explained below.

The first phase lasted from March 2007 to September 2007 and was dedicated to the study of what is already deployed in boat companies. This phase was very useful as we discovered that many services are already available, but they usually do not use IP. In addition, we gathered the demand for new services in these companies.

The second phase started in September 2007 and is dedicated to the definition of new services. The project is especially interested in the WiMAX technology, because it would allow covering larger areas at a higher bit rate than the Wi-Fi technology. Therefore, an important effort in the project is dedicated to studying WiMAX transmission over the sea, to studying how it can be improved, and to providing an architecture for its deployment. The action of TELECOM Bretagne in this project is split into 3 tasks.

The Signal & Communication department will study the mesh capability with WiMAX. Indeed, although the range of WiMAX is much higher than with Wi-Fi, it will not be enough to cover large sea areas. Each boat having the proposed system acts as a node and is a relay for ships out of range of the Earth Based station. This will allow us to increase the coverage of the proposed services. In order to minimize the overhead communication for setting up the network, we will develop approaches based on Ad-hoc networks and try to get an adaptive network. Our first task is to propose a multiple access technique where all the users will have the same code, same interleaver, etc.; the separation of the users is done by the unsynchronization of the different users [1]. This approach is based on Interleaved Division Multiple Access, initially proposed by L. Ping in 2002. The main advantage is that we won't need to allocate any spreading code to the different users.

The second task of TELECOM Bretagne is the study of the complementarity of heterogeneous networks for services support and the adaptation of the quality of the service in accordance with the network capacity. This work is conducted in the RSM department. It will contribute to the mesh network work conducted by the department of Signal & Communication by providing an automatic and dynamic routing protocol for boats. In order to do so, we are studying the state of the art of the mesh and ad-hoc routing protocols to propose an adequate solution that fits our case. Indeed, several techniques have already been defined for neighbor discovery, address auto-configuration and dynamic routing in infrastructure-less networks. The first task of this work will be to list all these proposals, whether they are standards or research concepts, and evaluate them.

The last task of TELECOM Bretagne is the implementation of a platform and experimentations which allow the acquisition of real data. This task is conducted by the Electronic department. Wireless mobile transmission systems are particularly sensitive to the state of the propagation medium and environment, which is generally highly variable both in time and space. The advent of digital communications raises new questions about the channel characteristics that require further studies.

So, radio soundings and experimental radio links are routinely used to observe the transmission channels' structure and their variations. For this purpose, a new wide band sounding system is presently being built. It will cover the whole bandwidth, from VLF to EHF. First experimental results have already been obtained with the basic version of this sounding system between 5.4 and 5.8 GHz over radio links between a shore station and a moving ship.

References
[1] S. Houcke, G. Sicot and M. Debbah, Blind detection for block coded Interleaved Division Multiple Access, GLOBECOM 2006, San Francisco, USA.
[2] H. Doukkali, L. Nuaymi, S. Houcke, A cross layer approach with CSMA/CA based protocol and CDMA transmission for underwater acoustic networks. PIMRC, Athens, Greece, 2007.
[3] H. Doukkali, L. Nuaymi, S. Houcke, Distributed MAC Protocols for Underwater Acoustic Data Networks. IEEE VTC 2006, 25-28 September, Montréal, Canada, 2006.


Testbeds

A showroom for practical IPv6 deployment

Research Staff: Laurent Toutain, Bruno Stevant
Keywords: IPv6, IPv6-IPv4 transition
Applications: Home networks, SME networks
Partners & Funding: funded by Conseil Régional de Bretagne and European Commission.

Introduction
As IPv4 address space exhaustion becomes a short-term reality, the transition to IPv6 is now a major concern for Internet Access Providers, in order to sustain the growth of demand for connectivity. But large scale organizations are also concerned now by this transition, because the size of their infrastructure requires as much anticipation from them. As an example, the US Federal administration has been working on IPv6 integration for the last 3 years [1]. In a 3-year time-frame, which is the current estimation for IPv4 address space exhaustion [2], SMEs, Home Networks, Administration Networks, all kinds of organizations will be concerned by IPv6 integration, first to be visible to new IPv6 customers and second to provide new services using IPv6. But what strategy should be adopted inside these networks to integrate IPv6?

Realization
Following the Point6 project, funded in 2005 and 2006 by the Brittany Region Council, we joined a European funded project called Train2Cert. This project aims to define a common set of technical courses and practicals for students seeking certification. Our contribution to this project is to define courses and practicals focused on IPv6 deployment. These courses are dedicated to network technicians and engineers, who are the individuals directly concerned by IPv6 integration. To define the practical approach to IPv6 deployment, we decided to reproduce in a laboratory the network infrastructure of an SME office and demonstrate how IPv6 can be integrated in such a network. This platform is available in a dedicated room with presentation and meeting facilities, called the IPv6 Showroom.

On this platform, we demonstrate the ability of the different services of an organization (front-office and back-office) to be available in IPv6 but also to be backward-compatible with legacy IPv4 clients. The network infrastructure of the showroom allows a service to be migrated from an IPv4-only network to a dual-stack (IPv4 and IPv6) network and finally to IPv6-only networks. Clients of the platform are available with the current offer of operating systems (Linux, XP, Vista, MacOS X) and may also migrate from an IPv4-only network to an IPv6-only network. With such a platform, we are able to experience any transition scenario for services and show the impact of this transition on any kind of client.

Future works
We are currently working on expanding the number of scenarios to be demonstrated in this showroom. At the moment, this platform can demonstrate the migration of a web service to IPv6. We plan to include services such as remote authentication, file-sharing and VoIP.

References
[1] http://www.gcn.com/IPv6/ Government Computer News – IPv6 Section
[2] http://www.potaroo.net/tools/ipv4/ IPv4 address report


An Advanced Next Generation Mobile Open Network

Research Staff: Nicolas Montavont, Jean-Marie Bonnin, Benoit Le Texier, Tanguy Ropitault
Keywords: mobile IPv6 testbed, 4G networks, heterogeneous access networks, seamless mobility, multihoming
Applications: ambient networks, Voice over IP, Video on Demand
Partners & Funding: Thales, Budapest University, VTT, INRIA, TELECOM Bretagne in the framework of an IST STREP European project

Introduction
The current challenges of the Internet are to accommodate future needs and usages such as i) billions of fixed and mobile users and devices, ii) reliable transport of all types of data and iii) ubiquitous, seamless and uninterrupted access. This results in a growing demand from researchers and developers for an open testbed to validate complex applications, innovative services and new devices in a wireless mobile context. That is the goal of the 2-year ANEMONE STREP project (Advanced Next gEneration Mobile Open NEtwork) that started in June 2006.

The ANEMONE project will realize a large-scale testbed that provides the support of mobile users and devices and enhanced services by integrating cutting edge IPv6 mobility and multihoming initiatives together with the majority of current and future wireless access technologies. It will cover several campuses and metropolitan areas with a large spectrum of real end users for a pertinent evaluation of advanced services and applications. It will also offer a wide range of multimodal and open terminals such as laptops, PDAs, smartphones and an e-vehicle with a mobile router and local devices. The ANEMONE testbed will be firstly used by the ANEMONE consortium members for research activities in the domain of advanced mobility and related security issues. It will then be open to external researchers and will propose a complete infrastructure of service.

Realization
In 2007, we made a lot of progress in the Anemone project. First, we deployed several services for IPv6 mobility and applications. We propose several servers (Home Agent, SIP registrar and proxies, video streaming) for end-users. We developed a web interface for the use of these services, so any user can create an account and take advantage of the mobility support, for example.

Second, we proposed the design and the implementation of the Flow Binding mechanism [3]. This protocol allows a multihomed mobile node to distribute its flows among multiple interfaces. Thus a mobile node can spread its load over all active connections it may have.

Third, we dedicated a lot of effort to the promotion of the testbed. For that purpose, we developed two demonstrations, and organized a promotion day for Anemone. The first demonstration took place at the PRACOM seminar on June 26th and 27th 2007, where three bicycles were equipped with tablet PCs and PDAs. They were communicating with the audience via VoIP and instant messaging applications. A special bicycle was equipped with a mobile router that managed the mobility of all bicycles. The second demonstration took place at Rennes during the Anemone Promotion Day on December the 12th 2007. The Anemone Promotion Day was an event to gather academics and industrials interested in IPv6 services. Its goal was to disseminate the Anemone testbed and to show what can be used by a third party. The demonstration consisted of two cars equipped with mobile routers. We were able to follow the itinerary of the cars on a map via the Internet in real time. The Anemone Promotion Day was a success with more than 100 participants.

Future work
The Anemone project ends in October 2008. 2008 will be dedicated to the integration of third party experiments, and the gathering of all IPv6 services. For that purpose, we are developing a web interface where a user can select multiple services from the Anemone testbed at once. We are also working on an application which embeds all the services that we provide.

References
[1] https://labo4g.enstb.fr/
[2] http://ist-anemone.org/
[3] Implementation of a Flow Binding Mechanism, Tanguy Ropitault, Nicolas Montavont, the 4th IEEE PerCom Workshop on Pervasive Wireless Networking, March 17-21 2008, Hong-Kong

