
    The Use of Firewalls in an Academic Environment


    Addressing Devices in Mobile Networks

    The emergence of mobile terminals with enhanced features such as high processing power, more memory, built-in sensors and low power consumption has led to their extensive use in domains such as mobile social networking, mobile cloud computing and the Internet of Things (IoT). However, to use these devices as information-providing and information-processing entities, we need proper means of identification and addressing, so that the devices and the data and services they offer are reachable from outside the mobile network as well. Most of the time, when peers connect to the Internet through cellular networks, the peer devices sit behind components such as firewalls and Network Address Translators (NATs) that prevent direct connections from being established. Setting up connections between peers in mobile networks has been examined extensively over the years and several solutions have been proposed. The most popular and widely used addressing mechanism on the Internet, the IP address, is also used extensively in mobile data networks (3G/4G), but it runs into barriers: the address is only temporarily available, it is known only within the mobile operator's network, and it is subject to Network Address Translation (NAT). To address these limitations we propose a few different approaches, namely the Session Initiation Protocol (SIP), UDP/TCP hole punching with the help of a rendezvous server, and UDP/TCP relaying, which can be applied to different types of mobile networks. In this master's thesis we discuss the practical implementation, test results and an evaluation of the strengths and limitations of each approach.

    IPv6: a new security challenge

    Master's thesis in Information Security, submitted to the University of Lisbon through the Faculty of Sciences, 2011. Internet Protocol version 6 (IPv6) was developed to solve some of the problems not addressed by its predecessor, Internet Protocol version 4 (IPv4), namely issues related to security and to the available address space. Over the last decade many have studied the investment needed for its adoption and the right moment for all players in the market to adopt it. Recently, the exhaustion of the public address blocks available from the various Regional Internet Registries (RIRs) prompted the entities involved to speed up the migration from IPv4 to IPv6. Unlike IPv4, this new version treats security as a fundamental design goal, and accordingly the use of IPsec at the network layer is recommended. However, because of the immaturity of the protocol and the complexity of the transition period, there are numerous security implications that must be considered during the migration. The main objective of this work is to define a set of good security practices for IPv6 deployments that can be used by the network administrators and security teams of the various players in the market. In this transition phase it is useful to contribute efficiently to the understanding of the strengths of this new protocol as well as of the vulnerabilities associated with it.

    IPv6 was developed to address the exhaustion of IPv4 addresses, but has not yet seen global deployment. Recent trends are now finally changing this picture and IPv6 is expected to take off soon. Contrary to the original, this new version of the Internet Protocol has security as a design goal, for example with its mandatory support for network-layer security (the original IPv6 node requirements made IPsec support mandatory; RFC 6434, also published in 2011, relaxed this to a SHOULD). However, due to the immaturity of the protocol and the complexity of the transition period, there are several security implications that have to be considered when deploying IPv6. In this project, our goal is to define a set of best practices for IPv6 security that can be used by IT staff and network administrators within an Internet Service Provider. To this end, some of the available security techniques for IPv6 are assessed through a set of laboratory experiments using real equipment from an Internet Service Provider in Portugal. As the transition to IPv6 seems inevitable, this work can help ISPs understand the threats that exist in IPv6 networks and some of the prophylactic measures available, by offering recommendations to protect internal as well as customers' networks.

    Security Mechanisms for a Cooperative Firewall

    The growing number of mobile users and mobile broadband subscriptions around the world calls for mobility support in the Internet and also demands more addresses from the already depleting IPv4 address space. The deployment of Network Address Translation (NAT) at network edges to extend the lifetime of the IPv4 address space introduced the reachability problem in the Internet. While various NAT traversal proposals have attempted to solve the reachability problem, no perfect solution for mobile devices has been proposed. A solution called Customer Edge Switching has been proposed at the COMNET department of Aalto University and has resulted in a prototype called Customer Edge Switches (CES). While it addresses several current Internet issues, such as the reachability problem and IPv4 address space depletion, security has so far generally been considered out of scope. This thesis aims to identify the security vulnerabilities present in the CES architecture. The architecture is secured against various network attacks by presenting a set of security models. The evaluation and performance analysis of these security models shows that the CES architecture can be secured against various network attacks while introducing only minimal delay in connection establishment. The added delay does not affect the normal communication pattern, and the sending host does not notice a difference compared to the current situation. For legacy interworking a CES can provide the Private Realm Gateway (PRGW) function; the security mechanisms for the PRGW also give promising results. The thesis further contributes to security by discussing a set of deployment models for the PRGW and for CES-to-CES communication.

    Host Identity Protocol-based Network Address Translator traversal in peer-to-peer environments

    Network Address Translators (NATs) cause problems when peer-to-peer (P2P) connections are created between hosts. The Host Identity Protocol (HIP) also has problems traversing NATs but, with suitable extensions, it can be used as a generic NAT traversal solution. Interactive Connectivity Establishment (ICE) is a robust NAT traversal mechanism that can enable connectivity in various NAT scenarios. The goal of this thesis is to enable HIP-based NAT traversal using ICE and to evaluate the applicability of the approach through implementation and measurements. We implemented an ICE prototype and tested it with different types of NATs. We used a network where two hosts were in different subnets and ran ICE connectivity checks between them. The number of messages and bytes sent during the process, and how long the process took, were measured and analyzed. Based on the measurements, we calculated the overhead of using HIP with ICE for NAT traversal. ICE was able to create a connection in all the scenarios, but sometimes using more messages and a longer time than expected or necessary. We found reasons why too many messages are exchanged and presented solutions for how some of these redundant messages could be avoided. We also found that while 4-5 connectivity check messages are enough in many scenarios, NATs with specific address mapping behavior can easily double the number of checks needed. Still, the generated traffic bitrate is modest, and using shorter timeout values than the ICE specification suggests can have a significant positive impact on performance. By using HIP with ICE, P2P programs get an efficient NAT traversal solution that additionally supports security, mobility and multihoming.
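    The rendezvous-server hole punching listed in the mobile-addressing thesis above, and the dependence of ICE connectivity checks on NAT mapping behaviour noted in this abstract, as an added simulation. It is not code from either thesis, nor from any HIP or ICE implementation. It models NATs with the RFC 4787 mapping and filtering behaviours, a public rendezvous server that reports each peer's server-reflexive endpoint, and rounds of ICE-style checks in which a check that gets through reveals a peer-reflexive candidate. All addresses, ports, the round limit and the check counts it reports are constructed by this model and are not the thesis measurements.

```python
"""Simulated UDP hole punching via a rendezvous server plus ICE-style checks.
Added example, not code from the theses on this page. NATs follow the
RFC 4787 mapping/filtering behaviours; every address and port is constructed."""
from dataclasses import dataclass, field

EI = "endpoint-independent"         # same external port for every destination
APD = "address-and-port-dependent"  # per-destination port (symmetric NAT)
SERVER = ("198.51.100.1", 3478)     # public rendezvous server (constructed)


@dataclass
class Nat:
    public_ip: str
    mapping: str      # EI or APD
    filtering: str    # EI or APD
    next_port: int = 40000
    table: dict = field(default_factory=dict)    # mapping key -> external port
    owner: dict = field(default_factory=dict)    # external port -> internal endpoint
    allowed: dict = field(default_factory=dict)  # external port -> {dst sent to}

    def outbound(self, src, dst):
        """Translate an outgoing packet, creating mapping and filter state."""
        key = src if self.mapping == EI else (src, dst)
        if key not in self.table:
            self.table[key] = self.next_port
            self.owner[self.next_port] = src
            self.next_port += 1
        port = self.table[key]
        self.allowed.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, port, src):
        """Internal endpoint for a packet to external `port`, or None if dropped."""
        if port not in self.allowed:
            return None                          # no mapping: unsolicited packet
        if self.filtering == APD and src not in self.allowed[port]:
            return None                          # inside host never sent to src
        return self.owner[port]


@dataclass
class Peer:
    name: str
    addr: tuple      # private (ip, port)
    nat: Nat
    candidates: set = field(default_factory=set)  # endpoints to try for the peer
    received: set = field(default_factory=set)    # sources whose checks reached us


class Network:
    """Delivers packets between NATs; also plays the rendezvous server."""
    def __init__(self, peers):
        self.by_ip = {p.nat.public_ip: p for p in peers}
        self.registry = {}     # peer name -> server-reflexive endpoint

    def send(self, peer, dst, payload):
        src = peer.nat.outbound(peer.addr, dst)
        if dst == SERVER:      # registration: the server records what it saw
            self.registry[payload] = src
            return True
        target = self.by_ip[dst[0]]
        if target.nat.inbound(dst[1], src) == target.addr:
            target.received.add(src)
            return True
        return False           # dropped by the remote NAT


def hole_punch(a, b, net, max_rounds=3):
    """Rendezvous, then rounds of checks. Returns (connected, checks_sent)."""
    for p in (a, b):
        net.send(p, SERVER, p.name)
    a.candidates.add(net.registry[b.name])   # server-reflexive candidates
    b.candidates.add(net.registry[a.name])
    sent = 0
    for _ in range(max_rounds):
        for x in (a, b):
            for cand in sorted(x.candidates):
                net.send(x, cand, "check")
                sent += 1
        a.candidates |= a.received   # a check that got through reveals the
        b.candidates |= b.received   # peer-reflexive endpoint to reply to
        if a.received and b.received:
            return True, sent
    return False, sent


def scenario(a_behaviour, b_behaviour):
    """Two peers, each behind a NAT with (mapping, filtering) behaviour."""
    a = Peer("A", ("10.0.0.2", 5000), Nat("203.0.113.1", *a_behaviour))
    b = Peer("B", ("192.168.1.2", 5000), Nat("203.0.113.2", *b_behaviour))
    return hole_punch(a, b, Network([a, b]))


if __name__ == "__main__":
    cases = [
        ("port-restricted cone <-> port-restricted cone", (EI, APD), (EI, APD)),
        ("full cone <-> symmetric", (EI, EI), (APD, APD)),
        ("port-restricted cone <-> symmetric", (EI, APD), (APD, APD)),
        ("symmetric <-> symmetric", (APD, APD), (APD, APD)),
    ]
    for label, a_b, b_b in cases:
        ok, n = scenario(a_b, b_b)
        print(f"{label}: {'direct' if ok else 'needs relay'} after {n} checks")
```

    In this model two port-restricted cone NATs connect after four checks: the first check from A is dropped by B's NAT but opens A's filter, so B's check gets through and the second round succeeds in both directions. A symmetric NAT opposite a full-cone NAT connects only after the full-cone side learns the peer-reflexive port from the check that arrived, which is the extra work that address-and-port-dependent mapping imposes. A symmetric NAT opposite a port-restricted cone, or two symmetric NATs, never connect here without port prediction, which is the case for the relaying fallback the mobile-addressing thesis lists.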