Markus Legner

Publications 1 - 10 of 18
  • Krähenbühl, Cyrill; Legner, Markus; Bitterli, Silvan; et al. (2021)
    2021 International Conference on Computer Communications and Networks (ICCCN)
    In a world with increasing simplicity to store, transfer, and analyze large volumes of data, it becomes more and more important that data confidentiality and integrity be preserved in transit by default. Unfortunately, a large security gap exists between unprotected or low-security communication, such as opportunistic encryption and trust-on-first-use (TOFU) security, and high-security communication, such as TLS using server certificates or DNSSEC. Our goal is to reduce this gap and achieve a base layer for authentication and secrecy that is strictly better than TOFU security. We achieve this by designing PILA, a novel authentication method with dynamic trust anchors, which leverages irrefutable cryptographic proof of misbehavior to incentivize benign behavior. We implement PILA extensions for SSH, TLS, and DNS and show that the overhead for a typical SSH and TLS connection establishment is negligible, and that PILA only causes a marginal processing overhead of ~100 µs per DNS response at the endpoints.
  • Ok, Seulgi; Legner, Markus; Vergniory, Maia G.; et al. (2024)
    Applied Physics Letters
    Kondo physics has long been interesting for studying correlated topology in isolation, as it occurs in heavy fermion compounds where myriad phenomena are well-separated in energy. We introduce magnetic topological Kondo semimetal phases of matter into the literature in this work to advance the understanding of correlated topological semimetal physics by studying a layered three-dimensional heterostructure in which two types of Kondo insulators are stacked alternatingly. In the heterostructures considered, one of these Kondo insulators is SmB6, a potential topological Kondo insulator, and the other one is an isostructural Kondo insulator AB6, where A is a rare-earth element, e.g., Eu, Yb, or Ce. We find that if the latter Kondo insulator orders ferromagnetically, the heterostructure generically becomes a magnetic Weyl Kondo semimetal, while antiferromagnetic order can yield a magnetic Dirac Kondo semimetal. We also confirm the realization of the magnetic Weyl (Dirac) Kondo semimetal phase in density functional theory calculations of the heterostructure of SmB6 and EuB6 (CeB6). Our results demonstrate that Kondo insulator heterostructures are a versatile platform for realizing correlated topological semimetal phases.
  • Sridhara, Supraja; Wirz, François; de Ruiter, Joeri; et al. (2021)
    Proceedings of the 2021 ACM SIGCOMM Workshop on Technologies, Applications, and Uses of a Responsible Internet (TAURIN '21)
    Next-generation Internet architectures are being designed and deployed to overcome limitations of today's Internet. One such architecture with an increasing production deployment is SCION [23], which also includes a transition mechanism to support an incremental deployment and coexistence with the legacy IP-based Internet: the SCION-IP gateway. This mechanism - and similar mechanisms in other next-generation architectures - requires a distributed system to translate between old (IP) and new (SCION) addresses at an Internet scale and must connect the different public-key infrastructures to enable secure operation. In this paper, we describe such a system for the SCION architecture. A gossip protocol distributes mappings between legacy IP and SCION addresses throughout the SCION network, and SCION's control-plane PKI and the Resource Public Key Infrastructure (RPKI) protect the authenticity of the individual mappings. We provide a prototype implementation and demonstrate that it scales to today's Internet with approximately one million IP prefixes.
  • Giuliari, Giacomo; Wyss, Marc; Legner, Markus; et al. (2021)
    Lecture Notes in Computer Science ~ Structural Information and Communication Complexity
    To address the rising demand for strong packet delivery guarantees in networking, we study a novel way to perform graph resource allocation. We first introduce allocation graphs, in which nodes can independently set local resource limits based on physical constraints or policy decisions. In this scenario we formalize the distributed path-allocation (PAdist) problem, which consists in allocating resources to paths considering only local on-path information—importantly, not knowing which other paths could have an allocation—while at the same time achieving the global property of never exceeding available resources. Our core contribution, the global myopic allocation (GMA) algorithm, is a solution to this problem. We prove that GMA can compute unconditional allocations for all paths on a graph, while never over-allocating resources. Further, we prove that GMA is Pareto optimal with respect to the allocation size, and it has linear complexity in the input size. Finally, we show with simulations that this theoretical result could indeed be applied to practical scenarios, as the resulting path allocations are large enough to fit the requirements of practically relevant applications.
  • Scherrer, Simon; Legner, Markus; Perrig, Adrian; et al. (2020)
    Performance evaluation
  • Kwon, Jonghoon; García-Pardo, Juan A.; Legner, Markus; et al. (2020)
    2020 IEEE 28th International Conference on Network Protocols (ICNP)
    Network testbeds have empowered networking research and facilitated scientific progress. However, current testbeds focus mainly on experiments involving the current Internet. In this paper, we propose SCIONLAB, a novel global network testbed that enables exciting research opportunities and experimentation with the SCION next-generation Internet architecture. New users can join SCIONLAB as a full-fledged autonomous system with minimal effort and administrative overhead, and directly gain unfettered access to its inter-domain routing system. Based on a well-connected network topology consisting of globally distributed nodes, SCIONLAB enables new experiments, such as inter-domain multipath communication, path-aware networking, exploration of novel routing policies, and new approaches for DDoS defense. SCIONLAB has been operational since 2016 and has supported diverse research projects. We describe the design and implementation of SCIONLAB, and present use cases that illustrate exciting research opportunities.
  • Wyss, Marc; Giuliari, Giacomo; Legner, Markus; et al. (2021)
    2021 IEEE/ACM 29th International Symposium on Quality of Service (IWQOS)
    With the proliferation of online payment systems, the emergence of globally distributed consensus algorithms, and the increase of remotely managed critical IoT infrastructure, the need for critical-yet-frugal communication - high-availability and low-rate - is becoming increasingly pressing. For many of these applications, the use of leased lines or SD-WAN solutions is impractical due to their inflexibility and high costs, while standard Internet communication lacks the necessary reliability and attack resilience. To address this rising demand for strong quality-of-service (QoS) guarantees, we develop the GMA-based light-weight communication protocol (GLWP), building on a recent theoretical result, the GMA algorithm. GLWP is a capability-based protocol which is able to bootstrap network-wide bandwidth allocations in single round-trip times, and achieves high availability even under active attacks. Due to its clever use of cryptographic mechanisms, GLWP introduces minimal state in the network and causes low computation and communication overhead. We implement a GLWP prototype using Intel DPDK and show that it achieves line rate on a 40 Gbps link running on commodity hardware, thus showing that GLWP is a viable solution to provide strong QoS guarantees for critical-yet-frugal communications.
  • Wyss, Marc; Giuliari, Giacomo; Legner, Markus; et al. (2022)
    2022 IEEE/ACM 30th International Symposium on Quality of Service (IWQoS)
    In recent years, much progress has been made in the field of Internet bandwidth reservation systems. While early designs were neither secure nor scalable, newer proposals promise attack resilience and Internet-wide scalability by using cryptographic access tokens (capabilities) that represent permissions to send at a guaranteed rate. Once a capability-based bandwidth reservation is established, the corresponding traffic is protected from both naturally occurring congestion and distributed denial-of-service attacks, with positive consequences on the end-to-end quality of service (QoS) of the communication. However, high network utilization ‒ possibly caused by adversaries ‒ can still preclude the initial unprotected establishment of capabilities. To prevent such denial-of-capability (DoC) attacks, we present DoCile, a framework for the protection of capability establishment on Internet paths, irrespective of network utilization. We believe that DoCile, deployed alongside a capability-based bandwidth reservation system, can be the foundation of the next generation of secure and scalable QoS protocols.
  • Rothenberger, Benjamin; Roos, Dominik; Legner, Markus; et al. (2020)
    Proceedings of the 15th ACM Asia Conference on Computer and Communications Security
    Denial-of-service attacks have become increasingly prevalent in the Internet. In many cases they are enabled or facilitated by the lack of source authentication: it is often easy for an attacker to spoof its own IP address and thus launch reflection attacks or evade detection. There have been attempts in the past to resolve this issue through filtering or cryptography-based techniques; however, there is still no sufficiently strong system in place today: all proposals either provide weak security guarantees, are not efficient enough, or lack incentives for deployment. In this paper we present PISKES, a pragmatic Internet-scale key-establishment system enabling first-packet authentication. Through the PISKES infrastructure, any host can locally obtain a symmetric key to enable a remote service to perform source-address authentication. The remote service can itself locally derive the same key with efficient cryptographic operations. PISKES thus enables packet authentication for a wide variety of systems including high-throughput applications like DNS. We have implemented a prototype system that enables a DNS server to verify the source of every received packet within 85 ns, which is over 220 times faster than a system based on asymmetric cryptography. PISKES has been developed for the SCION secure Internet architecture but is also applicable to today's Internet. With its strong source-authentication properties and highly efficient operation it has the potential to finally bring network-layer authentication to the Internet.
  • Scherrer, Simon; Legner, Markus; Perrig, Adrian; et al. (2021)
    Performance Evaluation Review
    In various contexts of networking research, end-host path selection has recently regained momentum as a design principle. While such path selection has the potential to increase performance and security of networks, there is a prominent concern that it could also lead to network instability (i.e., flow-volume oscillation) if paths are selected in a greedy, load-adaptive fashion. However, the extent and the impact vectors of instability caused by path selection are rarely concretized or quantified, which is essential to discuss the merits and drawbacks of end-host path selection. In this work, we investigate the effect of end-host path selection on various metrics of networks both qualitatively and quantitatively. To achieve general and fundamental insights, we leverage the recently introduced axiomatic perspective on congestion control and adapt it to accommodate joint algorithms for path selection and congestion control, i.e., multi-path congestion-control protocols. Using this approach, we identify equilibria of the multi-path congestion-control dynamics and analytically characterize these equilibria with respect to important metrics of interest in networks (the "axioms") such as efficiency, fairness, and loss avoidance. We analyze how these axiomatic ratings for a general network change compared to a scenario without path selection, thereby obtaining an interpretable and quantitative formalization of the performance impact of end-host path selection. Finally, we show that there is a fundamental trade-off in multi-path congestion-control protocol design between efficiency, stability, and loss avoidance on one side and fairness and responsiveness on the other side.