Analysis and control of middleboxes in the internet

With the growing size and complexity of the Internet several types of middleboxes have been introduced to the network in order to solve a number of urgent problems. Network Address Translation devices fight against the Internet address depletion problem, caches and proxies help to efficiently distribute content and firewalls protect networks from potential attackers. Unfortunately, middleboxes violate the end-to-end connectivity model of the Internet protocol suite and therefore introduce numerous problems for services and applications. The contribution of this thesis is the study and development of concepts and algorithms for understanding and improving the behavior of middleboxes, their traversal, as well as their application to problems that emerged with the growing success of the Internet with a focus on unmanaged networks such as home and small company networks. The first part of this thesis designs and implements tools and algorithms to analyze middlebox behavior. We introduce a processing model for describing functional characteristics and create an information model to structure relevant middlebox behavior parameters. As an experimental analysis, a public field test is conducted to evaluate existing traversal techniques, understand middlebox behavior, to gain knowledge about their deployment and to draw conclusions on how to improve middlebox traversal. The second part of this thesis focuses on the traversal of middleboxes. Existing middlebox traversal methods do not differentiate between different types of applications and therefore deliver suboptimal results in many situations. We claim that the classification of applications into service provisioning categories helps to determine the best matching middlebox traversal technique, not only dependent on the network topology, but also considering user-defined requirements. This thesis presents a framework that improves the communication of existing and future applications and services across middlebox devices. The idea is to use previously acquired knowledge about middlebox behavior and services for setting up new connections. Obtained results show that the knowledge-based approach is not only more flexible and applicable, but due to the decoupled connectivity checks, also significantly faster compared to the state of the art. Based on the findings of our experimental analysis we show how to integrate and adapt existing middlebox traversal techniques into the middlebox traversal framework. Additionally, new middlebox traversal techniques are presented and evaluated. In the third part of this thesis the applicability of middlebox services to unmanaged networks is discussed. A secure service infrastructure is presented based upon a trust model combining the power of centralized Certificate Authorities with the flexibility of the Web of Trust and social networks. This security infrastructure fulfills the security requirements of the middlebox traversal framework and provides secure identities for users, services and hosts in a semi-automatic way. A middlebox service helps establish and coordinate secure communications between different domains according to userdefined access control policies. Three application examples for middleboxes show how existing services can be improved and extended to solve open security, privacy and connectivity issues.