Research Topics

Technologies Supporting Sustainable Network Evolution Using Programmable Network Technologies

Computer networks are becoming increasingly complex. This is not only due to the growing complexity of packet forwarding mechanisms and their control components, but also because coordination with other systems (notably network security systems) is required. Combined with network scale expansion, management and operational aspects are also becoming more complex. Furthermore, I believe that one contributing factor is that network technologies are designed to be as generic as possible to meet diverse needs, resulting in unnecessary complexity and requiring advanced expertise when combining them.

With technologies that enable high-speed programmable packet processing represented by OpenFlow and P4, as well as high-speed software packet processing technologies such as XDP and DPDK, packet forwarding can now be flexibly customized not by network equipment vendors but by those closer to network operators. I believe this technology has the potential to realize packet forwarding and its management/operation with necessary and sufficient functionality for each use case, thereby simplifying network control, management, and operation. I am researching technologies to achieve this.

Research Examples

  • Acila
    • Proposal of a method to simplify access control processing by attaching host identity (a set of attributes) to packets for use in access control
  • NI-SPA
    • Proposal of a method to attach host behavior information observable within the network to packets and use it for risk-based access control

Zero Trust and Identity Federation/Authorization Technologies

Zero Trust is a security paradigm that eliminates implicit trust as much as possible, verifies that all access is appropriate, and permits only the minimum necessary access based on verification results. It is a type of risk-based authentication and authorization, and it is crucial to collect necessary and sufficient information to verify whether access is appropriate. In particular, strengthening security in situations involving important information is critical, and adopting a risk-based approach is required. In environments where access environments and data are centrally managed, such as in enterprises, it is believed that information can be collected to some extent. In other situations (BtoC services and universities are typical examples), collecting information is difficult due to privacy concerns. I research architectures and identity federation/authorization federation technologies that aim to realize access control based on Zero Trust even in such situations.

Research Examples

Cloud and Container Platforms

Ultra-large-scale computing environments that enable on-demand use of computing resources, such as cloud and container platforms, play an important role in supporting society. However, technologies to build, manage, operate, and control computer systems that can handle such scale continue to be a major challenge. I am researching cloud and container technologies through a dual-lens approach, encompassing both the Control Plane and the Data Plane.

Research Examples

  • Distributed Tracing for Cascading Changes of Objects in the Kubernetes Control Plane
    • Proposal of a method to trace which Objects were affected by changes to other Objects in the Kubernetes Control Plane
  • Tiaccoon
    • Proposal of a method to realize a framework that switches between various transports (RDMA, TCP/IP, UNIX Domain Socket) according to the situation in container platform networks, while maintaining compatibility with access control
  • PiCoP
    • Proposal of a communication control method to share reusable microservices for efficiently deploying multiple identical systems composed of microservices

Research Facilities

I conduct my research utilizing the following facilities:

  • 2 x servers equipped with 400GbE NICs
  • 4 x servers equipped with 100GbE NICs
    • One server is also equipped with a BlueField-2 DPU
  • Network switches running SONiC
  • 10 Gbps connection to the university network
  • Independent Internet connectivity (AS number, IP addresses, etc.) separated from the university network