Michael Menth

Lukas Köder, Nils Lohmiller, Phil Schmieder et al.

The advent of large-scale quantum computers poses a significant threat to contemporary network security protocols, including Wi-Fi Protected Access (WPA)-Enterprise authentication. To mitigate this threat, the adoption of Post-Quantum Cryptography (PQC) is critical. In this work, we investigate the performance impact of PQC algorithms on WPA-Enterprise-based authentication. To this end, we conduct an experimental evaluation of authentication latency using a testbed built with the open-source tools FreeRADIUS and hostapd, measuring the time spent at the client, access point, and RADIUS server. We evaluate multiple combinations of PQC algorithms and analyze their performance overhead in comparison to currently deployed cryptographic schemes. Beyond performance, we assess the security implications of these algorithm choices by relating authentication mechanisms to the quantum effort required for their exploitation. This perspective enables a systematic categorization of PQ-relevant weaknesses in WPA-Enterprise according to their practical urgency. The evaluation results show that, although PQC introduces additional authentication latency, combinations such as ML-DSA-65 and Falcon-1024 used in conjunction with ML-KEM provide a favorable trade-off between security and performance. Furthermore, we demonstrate that the resulting overhead can be effectively mitigated through session resumption. Overall, this work presents a first real-world performance evaluation of PQC-enabled WPA-Enterprise authentication and demonstrates its practical feasibility for enterprise Wi-Fi deployments.

Fabian Ihle, Moritz Flüchter, Michael Menth

Time-sensitive networking (TSN) is a set of IEEE standards that extends Ethernet with real-time capabilities. Among its mechanisms, the time-aware shaper (TAS) periodically opens and closes egress queues to protect scheduled traffic from lower-priority flows, ensuring low latency and bounded delay. Deterministic networking (DetNet), standardized by the IETF, provides similar guarantees at Layer 3 and can leverage TSN mechanisms such as the TAS. Commercially available TSN-capable switches implement TAS in hardware but rarely disclose internal delays in the TAS mechanism itself. Such delays directly affect scheduling precision, yet information about them is largely unavailable to system designers. In this work, we present P4-TAS, a P4-based implementation of the TAS on the Intel Tofino 2 switching ASIC that additionally supports per-stream filtering and policing (PSFP) and PTP time synchronization. First, we design a novel mechanism for periodic queue control that uses a continuous stream of internally generated control frames for time-triggered queue state updates. To the best of our knowledge, this enables TAS on a P4-programmable ASIC for the first time. P4-TAS additionally provides an MPLS/TSN translation layer that enables TSN time-based shaping to be applied at the boundary between TSN and DetNet domains, supporting line rates up to 400 Gb/s per port. Second, we identify and quantify three sources of internal delay that affect the precision of TAS gate transitions, providing transparency that enables more accurate TAS configuration. Our evaluation demonstrates a worst-case accumulated internal delay of 86 ns between time slices, which is well below values reported for commercial switches. Third, we propose a measurement methodology to externally measure TAS time slice accuracy, and introduce gate switching intervals (GSIs) to mitigate overlap between consecutive time slices.

Fabian Ihle, Michael Menth

In MPLS, packets are encapsulated with labels that add domain-specific forwarding information. Special purpose labels were introduced to trigger special behavior in MPLS nodes but their number is limited. Therefore, the IETF proposed the MPLS Network Actions (MNA) framework. It extends MPLS with new features, some of which have already been defined to support relevant use cases. This paper provides a comprehensive technological overview of MNA concepts and use cases. It compares MNA to IPv6 extension headers (EHs) that serve a similar purpose, and argues that MNA can be better deployed than EHs. It then presents P4-MNA, a first hardware implementation running at 400 Gb/s per port. Scalability and performance of P4-MNA are evaluated, showing negligible impact on processing delay caused by network actions. Moreover, the applicability of MNA is demonstrated by implementing the use cases of link-specific packet loss measurement using the alternate-marking-method (AMM) and bandwidth reservation using network slicing. We identify header stacking constraints resulting from hardware resources and from the number of network actions that must be supported according to the MNA encoding. They make an implementation for hardware that can only parse a few MPLS headers infeasible. We propose to make the number of supported network actions a node parameter and signal this in the network. Then, an upgrade to MNA is also feasible for hardware with fewer available resources. We explain that for MNA with in-stack data (ISD), some header bits must remain unchanged during forwarding, and give an outlook on post-stack data (PSD).

Sabrina Kaniewski, Fabian Schmidt, Markus Enzweiler et al.

The increasing adoption of Large Language Models (LLMs) in software engineering has sparked interest in their use for software vulnerability detection. However, the rapid development of this field has resulted in a fragmented research landscape, with diverse studies that are difficult to compare due to differences in, e.g., system designs and dataset usage. This fragmentation makes it difficult to obtain a clear overview of the state-of-the-art or compare and categorize studies meaningfully. In this work, we present a comprehensive systematic literature review (SLR) of LLM-based software vulnerability detection. We analyze 227 studies published between January 2020 and June 2025, categorizing them by task formulation, input representation, system architecture, and adaptation techniques. Further, we analyze the datasets used, including their characteristics, vulnerability coverage, and diversity. We present a fine-grained taxonomy of vulnerability detection approaches, identify key limitations, and outline actionable future research opportunities. By providing a structured overview of the field, this review improves transparency and serves as a practical guide for researchers and practitioners aiming to conduct more comparable and reproducible research. We publicly release all artifacts and maintain a living repository of LLM-based software vulnerability detection studies.

Frederik Hauser, Mark Schmidt, Michael Menth

We propose xRAC to permit users to run special applications on managed hosts and to grant them access to protected network resources. We use restricted application containers (RACs) for that purpose. A RAC is a virtualization container with only a selected set of applications. Authentication verifies the RAC user's identity and the integrity of the RAC image. If the user is permitted to use the RAC on a managed host, launching the RAC is authorized and access to protected network resources may be given, e.g., to internal networks, servers, or the Internet. xRAC simplifies traffic control as the traffic of a RAC has a unique IPv6 address so that it can be easily identified in the network. The architecture of xRAC reuses standard technologies, protocols, and infrastructure. Those are the Docker virtualization platform and 802.1X including EAP-over-UDP and RADIUS. Thus, xRAC improves network security without modifying core parts of applications, hosts, and infrastructure. In this paper, we review the technological background of xRAC, explain its architecture, discuss selected use cases, and investigate on the performance. To demonstrate the feasibility of xRAC, we implement it based on standard components with only a few modifications. Finally, we validate xRAC through experiments.