    Performance evaluation of HIP-based network security solutions

    Abstract. Host Identity Protocol (HIP) is a networking technology that systematically separates the identifier and locator roles of IP addresses and introduces a Host Identity (HI) namespace based on a public-key security infrastructure. This change offers a series of benefits such as mobility, multi-homing, end-to-end security, signaling, control/data plane separation, and firewall security. Although HIP has not yet been widely deployed in mainstream communication networks, industry experts foresee its potential as an integral part of next-generation networks. HIP can be used in HIP-aware applications as well as in traditional IP-address-based applications and networking technologies, taking middleboxes into account. One such application is Virtual Private LAN Service (VPLS), a widely used method of providing an Ethernet-based Virtual Private Network that connects geographically separated sites into a single bridged domain over an IP/MPLS network. The popularity of VPLS among commercial and defense organizations underscores the need for robust security features to protect both data and control information. After investigating the different approaches to HIP, a real-world testbed is implemented. Two experiment scenarios were evaluated: one on two open-source Linux-based HIP implementations (HIPL and OpenHIP) and the other on two sets of enterprise equipment from two different companies (Tempered Networks and Byres Security). To account for a heterogeneous mix of network types, the open-source HIP implementations were evaluated in different network environments, namely Local Area Network (LAN), Wireless LAN (WLAN), and Wide Area Network (WAN). Each scenario is tested and evaluated for performance in terms of throughput, latency, and jitter. The measurement results confirmed the assumption that no single solution is optimal in all considered aspects and scenarios.
For instance, among the open-source implementations, the performance penalty of security on TCP throughput in the WLAN scenario is smaller for HIPL than for OpenHIP, while in the WAN scenario the reverse is the case. A similar outcome is observed for UDP throughput. On latency, however, HIPL showed lower latency in all three network test scenarios. In the vendor equipment experiment, the penalty of security on TCP throughput is about 19% compared with the non-secure scenario, while latency increases by about 87%. This work therefore provides viable information for researchers and decision makers on the optimal solution for securing their VPNs, based on the application scenario and the performance penalties that come with each approach.

Performance evaluation of HIP-based network security solutions (Finnish abstract, translated). Abstract. The Host Identity Protocol (HIP) is a networking technology that inserts a separate layer between the transport protocol and the Internet Protocol (IP) in the TCP/IP stack. HIP systematically separates the network (locator) and host (identifier) roles of the IP address and introduces a Host Identity (HI) component based on a public-key security infrastructure. Its benefits include mobility, multi-homing, end-to-end security, separation of control information and data, rendezvous, readdressing, and firewall security. In industry, HIP is seen as part of next-generation communication networks, although it has not yet become common in wide commercial use. HIP can be used not only in various HIP-aware applications but also in traditional IP-address-based applications and network technologies. One such application is Virtual Private LAN Service (VPLS), a widely used method of creating an Ethernet-based virtual private network that connects separate sites into a single bridged domain over an IP/MPLS network. The prevalence of VPLS in both commercial and defense organizations underscores the need for robust security features to protect data and control information. This work first examines the different approaches to HIP. After the theoretical review, practical tests are run on a self-built testbed. The scenarios considered are a comparison of Linux-based open-source HIP implementations (HIPL and OpenHIP) and a comparison of equipment from two vendors (Tempered Networks and Byres Security). The HIP implementations are evaluated in different network environments: LAN, WLAN and WAN. All tested cases are evaluated in terms of throughput, its variation (jitter) and latency. The measurement results show that the same solution is not optimal in all considered cases. For example, over WLAN the throughput loss caused by security is smaller for HIPL than for OpenHIP, whereas over WAN the situation is reversed. Similar behaviour is observed for UDP throughput. HIPL, however, gives the lowest latency in all test scenarios. When comparing the vendors' equipment, TCP throughput degrades by 19 percent and latency by 87 percent compared with the case in which no security solution is used. The information produced by this work can therefore help practitioners find the optimal network security solution for VPN-based applications.
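The Host Identity namespace described above rests on one mechanism: a host's identifier, its Host Identity Tag (HIT), is a 128-bit IPv6-format value derived by hashing the host's public key, so a peer can check that a presented key really belongs to the claimed identity before trusting any signature made with it, and the HIT is independent of whatever IP locator the host currently uses. The following Python is an added example, not code from the thesis, from HIPL or from OpenHIP; it follows the ORCHIDv2 construction of RFC 7343 as HIPv2 (RFC 7401) applies it: the 2001:20::/28 prefix, a 4-bit OGA ID selecting the hash, and the middle 96 bits of the hash over the HIT context ID concatenated with the HI encoded in RFC 3110 KEY RDATA form. The RSA exponent and moduli used as host identities are small constructed values for illustration, not real keys, and the function names are my own.

```python
import hashlib
import ipaddress

# ORCHIDv2 prefix used for HITs (RFC 7343, RFC 7401): 2001:20::/28, i.e. the top 28 bits.
ORCHID_PREFIX_28 = 0x2001002
# Context ID for HIT generation (RFC 7401, Section 3.2).
HIT_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
# HIT Suite IDs (RFC 7401, Appendix E): the 4-bit OGA ID selects the hash function.
OGA_HASH = {1: "sha256", 2: "sha384", 3: "sha1"}


def encode_rsa_hi(exponent: int, modulus: int) -> bytes:
    """Encode an RSA public key in RFC 3110 KEY RDATA form, the HI encoding carried in HOST_ID."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    # RFC 3110: one length byte if the exponent is 1..255 bytes long, else 0x00 plus a 2-byte length.
    length = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return length + e + n


def encode_96(digest: bytes) -> int:
    """Encode_96 from RFC 7343: keep the middle 96 bits of the hash output."""
    drop = (len(digest) * 8 - 96) // 2
    return (int.from_bytes(digest, "big") >> drop) & ((1 << 96) - 1)


def hit_from_hi(hi: bytes, oga_id: int = 1) -> str:
    """Derive the Host Identity Tag (as an IPv6 literal) from an encoded Host Identity."""
    if oga_id not in OGA_HASH:
        raise ValueError(f"unsupported OGA ID {oga_id}")
    digest = hashlib.new(OGA_HASH[oga_id], HIT_CONTEXT_ID + hi).digest()
    hit_int = (ORCHID_PREFIX_28 << 100) | (oga_id << 96) | encode_96(digest)
    return str(ipaddress.IPv6Address(hit_int))


def oga_id_of(hit: str) -> int:
    """Read the 4-bit OGA ID out of a HIT so a verifier knows which hash the peer used."""
    return (int(ipaddress.IPv6Address(hit)) >> 96) & 0xF


def verify_hit(claimed_hit: str, presented_hi: bytes) -> bool:
    """Check that the public key a peer presents really hashes to the HIT it claims.

    This is the binding a HIP endpoint relies on before trusting any signature made
    with the presented key: a substituted key will not reproduce the claimed HIT.
    """
    claimed = int(ipaddress.IPv6Address(claimed_hit))
    if (claimed >> 100) != ORCHID_PREFIX_28:
        return False  # not an ORCHID-formatted HIT at all
    oga_id = (claimed >> 96) & 0xF
    if oga_id not in OGA_HASH:
        return False  # unknown HIT suite; refuse rather than guess a hash
    return int(ipaddress.IPv6Address(hit_from_hi(presented_hi, oga_id))) == claimed


# Constructed demo keys: tiny moduli standing in for real 2048-bit RSA host keys (illustration only).
GENUINE_HI = encode_rsa_hi(65537, 0xC2A3D5E7F9B1A3C5D7E9FB0D1F2E3D4C5B6A7988)
ATTACKER_HI = encode_rsa_hi(65537, 0xA1B2C3D4E5F60718293A4B5C6D7E8F9011223344)


def demo() -> dict:
    """Derive a HIT, verify the genuine key against it, and reject a substituted key."""
    hit = hit_from_hi(GENUINE_HI)
    # No IP address enters the derivation: a host that changes locator keeps this HIT.
    return {
        "hit": hit,
        "oga_id": oga_id_of(hit),
        "genuine_key_verifies": verify_hit(hit, GENUINE_HI),
        "substituted_key_rejected": not verify_hit(hit, ATTACKER_HI),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The OGA ID is read from the HIT itself rather than negotiated, so a verifier never lets the peer choose a weaker hash than the identifier commits to; an unrecognised suite ID is rejected outright.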

    Networked Occupancy Sensor System

    Energy is often wasted by systems that provide services such as lighting, heating, air conditioning and ventilation. If these services were intelligently controlled, there is potential for significant improvements in energy conservation. A system comprising room sensors, a database, and a web server was designed, constructed, and implemented over the course of this project. The sensors report occupancy, light status and temperature. Real-time room data is available via the web server and is archived in the database. The system is networked via Ethernet and powered using the Power over Ethernet (IEEE 802.3af) standard.

    Concept and design of the hybrid distributed embedded systems testbed

    Wireless mesh networks are an emerging and versatile communication technology. The most common application of these networks is to provide any number of users with access to the Internet. They can be set up by Internet service providers or even by individuals joined in communities. Because the wireless medium is shared by all participants, and because of effects such as short-term fading and the multi-hop nature of the network topology, many issues remain the focus of research. Testbeds are a powerful tool for studying wireless mesh networks as close as possible to real-world application scenarios. In this technical report we describe the design, architecture, and implementation of our work-in-progress wireless testbed at Freie Universität Berlin, consisting of 100 mesh routers that span multiple buildings. The testbed is hybrid in that it combines wireless mesh network routers with a wireless sensor network.

    On energy consumption of switch-centric data center networks

    The data center network (DCN) is the core of cloud computing and accounts for 40% of the energy spend when compared with the cooling system and the power distribution and conversion of the whole data center (DC) facility. Reducing the energy consumption of the DCN is essential to achieving an energy-efficient (green) data center. An analysis of DC performance and efficiency is presented, emphasizing the effect of bandwidth provisioning and throughput on the energy proportionality of the two most common switch-centric DCN topologies, three-tier (3T) and fat tree (FT), based on the amount of actual energy that is turned into computing power. The energy consumption of switch-centric DCNs is analyzed through realistic simulations using the GreenCloud simulator. Power-related metrics were derived and adapted for the information technology equipment (ITE) processes within the DCN. These metrics are acknowledged as a subset of the major DC metrics, power usage effectiveness (PUE) and data center infrastructure efficiency (DCIE). This study suggests that although FT consumes more energy overall, it spends less energy per transmitted bit, outperforming 3T.

    Implementation and Performance Evaluation of an NGN prototype using WiMax as an Access Technology

    Telecommunications networks have evolved into IP-based networks, commonly known as Next Generation Networks (NGN). The biggest challenge in providing high-quality real-time multimedia applications is achieving a Quality of Service (QoS) consistent with user expectations. One of the key additional factors affecting QoS is the existence of different QoS mechanisms on the heterogeneous technologies used on NGN platforms. This research investigates the techniques used to achieve consistent QoS across network technologies that use different QoS techniques. Numerous proposals for solving the end-to-end QoS problem in IP networks have adopted policy-based management, signalling protocols for communicating applications' QoS requirements across different Network Elements, and QoS provisioning in Network Elements. Such solutions depend on traffic classification and on knowledge of the QoS requirements of the applications and services on the networks. This research identifies the practical difficulties involved in meeting the QoS requirements of network traffic between WiMax and an IP core network. A solution based on the concept of class-of-service mapping is proposed: QoS is implemented on the two networks, and class-of-service mapping is used to integrate the two QoS systems. This provides consistent QoS to applications as they traverse the two network domains and hence meets end-user QoS expectations. The work is evaluated through an NGN prototype to determine the capabilities of the networks to deliver real-time media that meets user expectations.

    Intelligent LED Display

    The goal of this project is to increase the overall redundancy, and the ease of use during installation and operation, of large-format LED video displays for the professional touring and outdoor display industry. Using design concepts found in large-scale redundant networks, the system dynamically scales video output to the LED display and provides adaptive real-time fault detection and failover behaviours to ensure reliability in rigorous outdoor environments. This ultimately simplifies installation of a system, eliminating the need for individual addressing of panels and alignment of video content. The designed system is inherently redundant, and its ability to sustain failure of its components increases with the size of the display, making it ideal for live applications.

    ACUTA Journal of Telecommunications in Higher Education

    In This Issue: IT Market Clock for Enterprise Networking Infrastructure, 2010; Emerging Technology Trends: Finding the Next Big Thing; Money and Mobile Access Challenge Community Colleges; A Business Perspective on Hosted Communications; FMC: Ready to Fly or Flop?; Challenges Facing Broadband Wireless Providers; Deploying IEEE 802.11n Data and Security Networks Campuswide While Optimizing Energy Efficiency; Interview; President's Message; From the Executive Director; Q&A from the CI

    Web service control of component-based agile manufacturing systems

    Current global business competition has resulted in significant challenges for manufacturing and production sectors: shorter product lifecycles, more diverse and customized products, and cost pressures from competitors and customers. To remain competitive, manufacturers, particularly in the automotive industry, require the next generation of manufacturing paradigms supporting flexible and reconfigurable production systems that allow quick system changeovers for various types of products. In addition, closer integration of shop-floor and business systems is required, as indicated by the research efforts investigating "Agile and Collaborative Manufacturing Systems" in support of the production unit throughout the manufacturing lifecycle. The integration of a business enterprise with its shop floor and lifecycle supply partners is currently achieved only through complex proprietary solutions, owing to differences in technology, particularly between automation and business systems. The situation is further complicated by the diverse types of automation control devices employed. Recently, the emerging technology of Service-Oriented Architectures (SOAs) and Web Services (WS) has been demonstrated and proved successful in linking business applications. The adoption of this Web Services approach at the automation level, which would enable seamless integration of the business enterprise and the shop-floor system, is an active research topic within the automotive domain. If successful, reconfigurable automation systems formed by a network of collaborative, autonomous and open control platforms in a distributed, loosely coupled manufacturing environment can be realized through a unifying platform of WS interfaces for device communication. The adoption of SOA Web Services on embedded automation devices can be achieved using Device Profile for Web Services (DPWS) protocols, which encapsulate device control functionality as provided services (e.g.
device I/O operation, device state notification, device discovery) and business application interfaces into the physical control components of machining automation. This novel approach supports the integration of pervasive enterprise applications through unifying Web Services interfaces and neutral Simple Object Access Protocol (SOAP) message communication between control systems and business applications over standard Ethernet Local Area Networks (LANs). In addition, the reconfigurability of the automation system is enhanced by using Web Services throughout an automated control, build, installation, test, maintenance and reuse system lifecycle, via the device self-discovery provided by the DPWS protocol...cont'd

    Design and Development of a Multi-Purpose Input Output Controller Board for the SPES Control System

    This PhD work has been carried out at the Legnaro National Laboratories (LNL), one of the four national labs of the National Institute for Nuclear Physics (INFN). The mission of LNL is to perform research in the field of nuclear physics and nuclear astrophysics together with emerging technologies. Technological research and innovation are the key to promoting excellence in science, stimulating competitive industries and building a better society. The research activities concerning electronics and computer science are an essential base for developing the control system of the Selective Production of Exotic Species (SPES) project. Nowadays, SPES is the most important project commissioned at LNL and represents the future of the Lab. It is a second-generation Isotope Separation On-Line (ISOL) radioactive ion beam facility intended for fundamental nuclear physics research as well as experimental applications in different fields of science, such as nuclear medicine and radiopharmaceutical production for therapy and diagnostics. The design of the SPES control system demands innovative technologies to embed the control of several appliances with different requirements, performing different tasks spanning data sharing and visualization, data acquisition and storage, networking, security and surveillance operations, and beam transport and diagnostics. The real-time applications and fast peripheral control commonly found in the distributed control network of particle accelerators are accompanied by the challenge of developing custom embedded systems. In this context, the proposed PhD work describes the design and development of a multi-purpose Input Output Controller (IOC) board capable of embedding the control of the typical accelerator instrumentation involved in the automatic beam transport system foreseen for the SPES project. The idea behind this work is to extend the control reach to the single-device level without losing modularity and standardization.
The outcome of the research work is a general-purpose embedded computer that will be the base for standardizing the hardware layer of the front-end computers in the SPES distributed control system. The IOC board is a Computer-on-Module (COM) carrier board designed to host any COM Express Type 6 module; it is equipped with a Field Programmable Gate Array (FPGA) and application-specific I/O connection solutions not found in a desktop PC. All the generic PC functionality is readily available in off-the-shelf modules, and the result is a custom motherboard that bridges the gap between custom developments and commercial personal computers. The end user deals with a general-purpose PC with a high level of hardware abstraction, while also being able to exploit the on-board FPGA for fast peripheral control and real-time digital data processing. This document opens with an introductory chapter about the SPES project and its control system architecture and technology before describing the IOC board design, prototyping, and characterization. The thesis ends by describing the installation in the field of the IOC board, which is the core of the new diagnostics data readout and signal processing system. The results of the tests performed under real beam conditions prove that the new hardware extends the current sensitivity to the pA range, addressing the SPES requirements, and prove that the IOC board is a reliable solution for standardizing the control of several appliances in the SPES accelerator complex, where it will be embedded into physical equipment, or in their proximity, and will control and monitor their operation, replacing the legacy VME technology. The installation in the field of the IOC board represents a great personal reward and crowns these years of busy time during which I turned what was just an idea in 2014 into a working embedded computer today.

    Proposal of a self-configuring routing protocol for Bluetooth Low Energy (BLE) mesh networks based on proactive source routing

    Advisor: Yuzo Iano. Thesis (doctorate) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação. Abstract (Portuguese, translated): The Internet of Things (IoT) aims to create smart environments such as home automation, intra-vehicular communication and wireless sensor networks (WSN), and this technology is currently growing rapidly. One of the wireless technologies used for short-range applications that is most accessible to the general population is Bluetooth. At the end of 2010, the Bluetooth Special Interest Group (Bluetooth SIG) released the Bluetooth 4.0 specification, of which Bluetooth Low Energy (BLE) is a part. BLE is a very low-power wireless technology that can be powered by a coin-cell battery or even by energy harvesting. The nature of Bluetooth (and BLE) is based on Master/Slave connections. Many studies show how to create mesh networks based on Classic Bluetooth, known as Scatternets, in which some nodes are used as slaves in order to relay data between masters. However, BLE did not support switching between the master and slave roles until the release of the Bluetooth 4.1 specification in 2013. The ability of a wireless IoT technology to create a mobile ad-hoc network (MANET) is vital to support the large number of sensors, peripherals and devices that may coexist in any environment. This work proposes a new autoconfiguration method for BLE, with routing map discovery and maintenance, that does not require master/slave role changes and is therefore compatible with Bluetooth 4.0 devices as well as 4.1 and later. Any messaging protocol can take advantage of the proposed method to discover and maintain the mesh network topology at each of its nodes.
    Abstract: Nowadays, the Internet of Things (IoT) is spreading rapidly towards creating smart environments. Home automation, intra-vehicular interaction, and wireless sensor networks (WSN) are among the most popular applications discussed in the IoT literature. One of the most available and popular wireless technologies for short-range operations is Bluetooth. In late 2010, the Bluetooth Special Interest Group (SIG) launched the Bluetooth 4.0 Specification, which brings Bluetooth Low Energy (BLE) as part of the specification. BLE is characterised as a very low-power wireless technology, capable of working on a coin cell or even by energy scavenging. Nevertheless, the nature of Bluetooth (and BLE) has always been connection-oriented communication in a Master/Slave configuration. Several studies exist showing how to create mesh networks for Classic Bluetooth, called Scatternets, by utilizing some nodes as slaves to relay data between Masters. However, BLE did not support role changing until the 4.1 Specification released in 2013. The capability of a wireless technology to create a Mobile Ad-Hoc Network (MANET) is vital for supporting the plethora of sensors, peripherals, and devices that could coexist in any IoT environment. This work focuses on proposing a new autoconfiguring dynamic address allocation scheme for a BLE ad-hoc network, and a network map discovery and maintenance mechanism that does not require role changing, making it possible to implement in 4.0-compliant devices as well as 4.1 or later to develop a MANET. Any ad-hoc routing protocol can utilise the proposed method to discover, keep track of, and maintain the mesh network node topology in each of its nodes. Doctorate. Telecommunications and Telematics. Doctor of Electrical Engineering. CAPE