Towards a reliable seamless mobility support in heterogeneous IP networks

This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.Next Generation networks (3G and beyond) are evolving towards all IP based systems with the aim to provide global coverage. For Mobility in IP based networks, Mobile IPv6 is considered as a standard by both industry and research community, but this mobility protocol has some reliability issues. There are a number of elements that can interrupt the communication between Mobile Node (MN) and Corresponding Node (CN), however the scope of this research is limited to the following issues only: • Reliability of Mobility Protocol • Home Agent Management • Handovers • Path failures between MN and CN First entity that can disrupt Mobile IPv6 based communication is the Mobility Anchor point itself, i.e. Home Agent. Reliability of Home Agent is addressed first because if this mobility agent is not reliable there would be no reliability of mobile communication. Next scenario where mobile communication can get disrupted is created by MN itself and it is due to its mobility. When a MN moves around, at some point it will be out of range of its active base station and at the same time it may enter the coverage area of another base station. In such a situation, the MN should perform a handover, which is a very slow process. This handover delay is reduced by introducing a “make before break” style handover in IP network. Another situation in which the Mobile IPv6 based communication can fail is when there is a path failure between MN and CN. This situation can be addressed by utilizing multiple interfaces of MN at the same time. One such protocol which can utilize multiple interfaces is SHIM6 but it was not designed to work on mobile node. It was designed for core networks but after some modification in the protocol , it can be deployed on mobile nodes. In this thesis, these issues related to reliability of IPv6 based mobile communication have been addressed

New Mobility Trends in Data Networks

Dizertační práce se zabývá návrhem nového algoritmu řízení handoveru v rámci protokolu Mobile IPv6, který umožní nasazení tohoto protokolu v leteckých datových sítích. Existující algoritmy řízení handoveru sice dosahují dostatečné výkonnosti v konvenčních pozemních bezdrátových sítích disponujích velkou šířkou pásma a nízkou latencí, jako jsou WiFi nebo UMTS, ale jak ukazuje tato práce, nasazení těchto algoritmů prostředí leteckých datových sítí nepřináší očekávané výhody. Analýza ukazuje, že v úzkopásmových leteckých sítích trpí tyto algoritmy řízení handoveru velkou latencí a způsobují značnou režii. Nový algoritmus řízení handoveru v MIPv6 navržený v této práci je založený na jednoduché myšlence: ''Já jsem letadlo, já vím, kam letím!'' To znamená, že pohyb letadla není náhodný, ale vysoce předvídatelný. Díky tomu je možno předvídat handovery mezi přístupovými sítěmi podél očekávané trajektorie letadla a vykonat nezbytné operace pro přípravu handoverů již na zemi, kde je letadlo připojeno k širokopásmové síti letiště. Tato dizertační práce dále uvádí porovnání existujících algoritmů řízení handoveru s nově navrženým pomocí analytické metody ohodnocení handoveru. Díky tomu je možno kvantifikovat výhody, které nový algoritmus přináší a taktéž popsat slabiny algoritmů existujících.The doctoral thesis is focused on a design of novel Mobile IPv6 handover strategy suitable for deployment in aeronautical data networks. The current handover strategies provide sufficient performance in the conventional ground networks such as WiFi or UMTS that dispose high bandwidth and low latency. However, as this thesis shows, deploying these handover strategies in aeronautical data link environment does not bring desired benefits - the handover latency is high and the related overhead gets high as well. The novel MIPv6 handover strategy presented in this thesis is based on a simple thought: ''I am an aircraft, I know where I'm flying!'' This means that the movement of the aircraft is not random, it is highly predictable. Thanks to that, inter-network handovers may be anticipated and necessary IP handover related actions can be taken in advance, while the aircraft is connected via a broadband ground link at the origination airport. The thesis also presents a comparison of the existing handover strategies with the proposed new one conducted using an analytical approach. This allows to quantify the benefits of the novel handover strategy and the drawbacks of the current ones.

Towards a reliable seamless mobility support in heterogeneous IP networks

Next Generation networks (3G and beyond) are evolving towards all IP based systems with the aim to provide global coverage. For Mobility in IP based networks, Mobile IPv6 is considered as a standard by both industry and research community, but this mobility protocol has some reliability issues. There are a number of elements that can interrupt the communication between Mobile Node (MN) and Corresponding Node (CN), however the scope of this research is limited to the following issues only: • Reliability of Mobility Protocol • Home Agent Management • Handovers • Path failures between MN and CN First entity that can disrupt Mobile IPv6 based communication is the Mobility Anchor point itself, i.e. Home Agent. Reliability of Home Agent is addressed first because if this mobility agent is not reliable there would be no reliability of mobile communication. Next scenario where mobile communication can get disrupted is created by MN itself and it is due to its mobility. When a MN moves around, at some point it will be out of range of its active base station and at the same time it may enter the coverage area of another base station. In such a situation, the MN should perform a handover, which is a very slow process. This handover delay is reduced by introducing a “make before break” style handover in IP network. Another situation in which the Mobile IPv6 based communication can fail is when there is a path failure between MN and CN. This situation can be addressed by utilizing multiple interfaces of MN at the same time. One such protocol which can utilize multiple interfaces is SHIM6 but it was not designed to work on mobile node. It was designed for core networks but after some modification in the protocol , it can be deployed on mobile nodes. In this thesis, these issues related to reliability of IPv6 based mobile communication have been addressed.EThOS - Electronic Theses Online ServiceGBUnited Kingdo

Fast and seamless mobility management in IPV6-based next-generation wireless networks

Introduction -- Access router tunnelling protocol (ARTP) -- Proposed integrated architecture for next generation wireless networks -- Proposed seamless handoff schemes in next generation wireless networks -- Proposed fast mac layer handoff scheme for MIPV6/WLANs

Improving and distributing key management on mobile networks

We address the problem of mobile network key management and authentication that negatively affects the handoff performance, adds overhead to the system in terms of key exchange signaling, authentication, and key distribution. We aim to improve the efficiency of the key management subsystem and to reduce investment pressure on core network elements. We address all these problems successfully. Our novel SKC key management mechanism is the best key management mechanism among the ones we found in reducing signaling load from the KD and making the mobility system independent of the AP-KD link delay. It is a significant contribution to the mobile network key management with fast handoffs when separate keys for APs are required and has many useful applications. Our novel receiver and sender ID binding protocol with symmetric keys is new and shows analogy with Identity Based Cryptography. It is a generalization of the identity binding that SKC is using. Furthermore, our distributed AAA architecture with SKC, certificates, and hardware-based security is a disruptive proposal and show how the mobile network KD can be distributed to the edge nodes. Our quantitative analysis and comparison of SKC and LTE key management is new and not seen before. Our research affected the LTE Security standardization and contributes to the research and development of home base stations, community and municipal Wi-Fi access points

Securing IP Mobility Management for Vehicular Ad Hoc Networks

The proliferation of Intelligent Transportation Systems (ITSs) applications, such as Internet access and Infotainment, highlights the requirements for improving the underlying mobility management protocols for Vehicular Ad Hoc Networks (VANETs). Mobility management protocols in VANETs are envisioned to support mobile nodes (MNs), i.e., vehicles, with seamless communications, in which service continuity is guaranteed while vehicles are roaming through different RoadSide Units (RSUs) with heterogeneous wireless technologies. Due to its standardization and widely deployment, IP mobility (also called Mobile IP (MIP)) is the most popular mobility management protocol used for mobile networks including VANETs. In addition, because of the diversity of possible applications, the Internet Engineering Task Force (IETF) issues many MIP's standardizations, such as MIPv6 and NEMO for global mobility, and Proxy MIP (PMIPv6) for localized mobility. However, many challenges have been posed for integrating IP mobility with VANETs, including the vehicle's high speeds, multi-hop communications, scalability, and ef ficiency. From a security perspective, we observe three main challenges: 1) each vehicle's anonymity and location privacy, 2) authenticating vehicles in multi-hop communications, and 3) physical-layer location privacy. In transmitting mobile IPv6 binding update signaling messages, the mobile node's Home Address (HoA) and Care-of Address (CoA) are transmitted as plain-text, hence they can be revealed by other network entities and attackers. The mobile node's HoA and CoA represent its identity and its current location, respectively, therefore revealing an MN's HoA means breaking its anonymity while revealing an MN's CoA means breaking its location privacy. On one hand, some existing anonymity and location privacy schemes require intensive computations, which means they cannot be used in such time-restricted seamless communications. On the other hand, some schemes only achieve seamless communication through low anonymity and location privacy levels. Therefore, the trade-off between the network performance, on one side, and the MN's anonymity and location privacy, on the other side, makes preservation of privacy a challenging issue. In addition, for PMIPv6 to provide IP mobility in an infrastructure-connected multi-hop VANET, an MN uses a relay node (RN) for communicating with its Mobile Access Gateway (MAG). Therefore, a mutual authentication between the MN and RN is required to thwart authentication attacks early in such scenarios. Furthermore, for a NEMO-based VANET infrastructure, which is used in public hotspots installed inside moving vehicles, protecting physical-layer location privacy is a prerequisite for achieving privacy in upper-layers such as the IP-layer. Due to the open nature of the wireless environment, a physical-layer attacker can easily localize users by employing signals transmitted from these users. In this dissertation, we address those security challenges by proposing three security schemes to be employed for different mobility management scenarios in VANETs, namely, the MIPv6, PMIPv6, and Network Mobility (NEMO) protocols. First, for MIPv6 protocol and based on the onion routing and anonymizer, we propose an anonymous and location privacy-preserving scheme (ALPP) that involves two complementary sub-schemes: anonymous home binding update (AHBU) and anonymous return routability (ARR). In addition, anonymous mutual authentication and key establishment schemes have been proposed, to authenticate a mobile node to its foreign gateway and create a shared key between them. Unlike existing schemes, ALPP alleviates the tradeoff between the networking performance and the achieved privacy level. Combining onion routing and the anonymizer in the ALPP scheme increases the achieved location privacy level, in which no entity in the network except the mobile node itself can identify this node's location. Using the entropy model, we show that ALPP achieves a higher degree of anonymity than that achieved by the mix-based scheme. Compared to existing schemes, the AHBU and ARR sub-schemes achieve smaller computation overheads and thwart both internal and external adversaries. Simulation results demonstrate that our sub-schemes have low control-packets routing delays, and are suitable for seamless communications. Second, for the multi-hop authentication problem in PMIPv6-based VANET, we propose EM3A, a novel mutual authentication scheme that guarantees the authenticity of both MN and RN. EM3A thwarts authentication attacks, including Denial of service (DoS), collusion, impersonation, replay, and man-in-the-middle attacks. EM3A works in conjunction with a proposed scheme for key establishment based on symmetric polynomials, to generate a shared secret key between an MN and an RN. This scheme achieves lower revocation overhead than that achieved by existing symmetric polynomial-based schemes. For a PMIP domain with n points of attachment and a symmetric polynomial of degree t, our scheme achieves t x 2^n-secrecy, whereas the existing symmetric polynomial-based authentication schemes achieve only t-secrecy. Computation and communication overhead analysis as well as simulation results show that EM3A achieves low authentication delay and is suitable for seamless multi-hop IP communications. Furthermore, we present a case study of a multi-hop authentication PMIP (MA-PMIP) implemented in vehicular networks. EM3A represents the multi-hop authentication in MA-PMIP to mutually authenticate the roaming vehicle and its relay vehicle. Compared to other authentication schemes, we show that our MA-PMIP protocol with EM3A achieves 99.6% and 96.8% reductions in authentication delay and communication overhead, respectively. Finally, we consider the physical-layer location privacy attacks in the NEMO-based VANETs scenario, such as would be presented by a public hotspot installed inside a moving vehicle. We modify the obfuscation, i.e., concealment, and power variability ideas and propose a new physical-layer location privacy scheme, the fake point-cluster based scheme, to prevent attackers from localizing users inside NEMO-based VANET hotspots. Involving the fake point and cluster based sub-schemes, the proposed scheme can: 1) confuse the attackers by increasing the estimation errors of their Received Signal Strength (RSSs) measurements, and 2) prevent attackers' monitoring devices from detecting the user's transmitted signals. We show that our scheme not only achieves higher location privacy, but also increases the overall network performance. Employing correctness, accuracy, and certainty as three different metrics, we analytically measure the location privacy achieved by our proposed scheme. In addition, using extensive simulations, we demonstrate that the fake point-cluster based scheme can be practically implemented in high-speed VANETs' scenarios

Sécurité dans les réseaux mobiles de nouvelle génération

RÉSUMÉ Les réseaux de nouvelle génération visent à converger les réseaux fixes et mobiles hétérogènes afin d’offrir tous les services à travers un réseau coeur tout IP. Faisant parti du réseau d’accès mobile, un des principaux objectifs du réseau 4G est de permettre une relève ininterrompue entre les réseaux cellulaires et WIFI pour ainsi favoriser l’apprivoisement de services vidéo mobiles exigeant des critères de qualité de service très stricts à moindres coûts. Cependant, l’uniformisation du trafic au niveau de la couche réseau favorise sa centralisation à travers un réseau coeur IP partagé par tous les opérateurs, la rendant ainsi comme une cible vulnérable de choix pour les pirates informatiques. La conception de solutions sécuritaires dans un environnement où les entités ne se connaissent pas à priori s’annonce comme une tâche très ardue. La thèse se penche sur quatre problématiques importantes dans les réseaux de nouvelle génération dont chacune est traitée dans un article distinct. Les deux premiers articles touchent à la sécurité dans un contexte décentralisé, à savoir les réseaux mobiles ad hoc (MANETs), alors que les deux derniers proposent des mécanismes innovateurs pour sécuriser des solutions visant à réduire la consommation de bande passante et d’énergie, en conformité avec le virage vert informatique promu par les opérateurs réseautiques. Plus précisément, le troisième article traite de la sécurisation des flots multicast dans un environnement à haut taux de perte de paquet et le dernier propose une solution d’optimisation de route sécuritaire pour mobile IPv6 (MIPv6) utilisant une version améliorée de l’algorithme de genération d’adresses cryptographiques (CGA) et les extensions de sécurité du système de nom de domaine (DNSSEC). Les systèmes de détection d’intrusion (IDS) pour les MANETs basés sur la réputation des noeuds classifient les participants du réseau selon leur degré de confiance. Cependant, ils partagent tous une vulnérabilité commune : l’impossibilité de détecter et de réagir aux attaques complices. Le premier article propose un IDS qui intègre efficacement le risque de collusion entre deux ou plusieurs noeuds malveillants dans le calcul de la fiabilité d’un chemin. L’algorithme propos´e ne se limite pas qu’au nombre et à la réputation des noeuds intermédiaires formant un chemin, mais intègre également d’autres informations pertinentes sur les voisins des noeuds intermédiaires d’un chemin pouvant superviser le message original et celui retransmis. Le IDS proposé détecte efficacement les noeuds malicieux et complices dans le but de les isoler rapidement du réseau. Les simulations lancées dans divers environnements MANETs contenant une proportion variable d’attaquants complices montrent bien l’efficacité du IDS proposée en offrant un gain en débit considérable comparativement aux solutions existantes. À l’instar de prévenir les comportements égoïstes des noeuds par la menace d’être privés de certaines fonctions, voire même isolés du réseau, due à une baisse de réputation, le second article opte pour un incitatif non-punitif en la monnaie virtuelle plus communément appelée nuglets. Plus précisément, l’article présente un cadre de travail issu de la théorie des jeux basé sur la compétition de Bertrand pour inciter les noeuds intermédiaires à retransmettre les messages selon les requis de QoS demandés par la source. Pour qu’un noeud source envoie ou accède à un flot sensible à la QoS comme par exemple les applications en temps réel, il débute par envoyer un contrat qui spécifie les critères de QoS, sa durée et son prix de réserve. Sur réception du contrat, les noeuds intermédiaires formant une route entre la source et la destination partagent les informations sur eux-mêmes et celles recueillies sur les noeuds voisins, anciens et courants pour estimer la probabilité de bris de contrat ainsi que le nombre de compétiteurs actifs. Ces deux paramètres sont cruciaux dans le processus de fixation des prix. Une fois les réponses de route recueillies, la source choisit la route la moins chère. Le cadre de travail multijoueur proposé, basé sur la compétition de Bertrand avec des firmes asymétriques et ayant accès à de l’information imparfaite, possède un équilibre de Nash en stratégies mixtes dans lequel le profit des firmes est positif et baisse non seulement avec le nombre de compétiteurs, mais aussi avec l’impression d’une précision accrue que les compétiteurs ont sur le coût de production du joueur. Les résultats montrent que l’incertitude sur les coûts augmente le taux de la marge brute et la fluctuation des prix tout en diminuant les chances d’honorer le contrat. Dans un autre ordre d’idée, l’intérêt sans cesse grandissant des opérateurs à converger les réseaux fixes et mobiles dans le but d’offrir une relève sans interruption favorise l’utilisation des applications vidéo mobiles qui surchargeront rapidement leurs réseaux. Dans un contexte du virage vert qui prend de plus en plus d’ampleur dans le domaine des télécommunications, la transmission des flots en multidiffusion (multicast) devient essentiel dans le but de réduire la consommation de bande passante et la congestion du réseau en rejoignant simultanément plusieurs destinataires. La sécurisation des flots en multidiffusion a été largement étudiée dans la littérature antérieure, cependant aucune des solutions proposées ne tient compte des contraintes imposées par les liaisons sans fil et la mobilité des noeuds, en particulier le haut taux de perte de paquets. La nécessité d’un mécanisme de distribution de clés régénératrices efficace et pouvant supporter un grand bassin d’abonnés pour les réseaux mobiles n’aura jamais été aussi urgent avec l’arrivée de la convergence fixe-mobile dans les réseaux 4G. Le troisième article présente deux algorithmes de clés régénératrices basés sur les chaînes de hachage bidirectionnelles pour le protocole de distribution de clés logical key hierarchy (LKH). Ainsi, un membre ayant perdu jusqu’à un certain nombre de clés de déchiffrement consécutives pourrait lui-même les régénérer sans faire la requête de retransmission au serveur de clés. Les simulations effectuées montrent que les algorithmes proposés offrent des améliorations considérables dans un environnement de réseau mobile à taux de perte de paquet, notamment dans le percentage de messages déchiffrés. Le souci d’efficacité énergétique est également présent pour les opérateurs de réseaux cellulaires. D’ailleurs, près de la moitié des abonnements sur Internet proviennent présentement d’unités mobiles et il est attendu que ce groupe d’utilisateurs deviennent le plus grand bassin d’usagers sur Internet dans la prochaine décennie. Pour supporter cette croissance rapide du nombre d’utilisateurs mobiles, le choix le plus naturel pour les opérateurs serait de remplacer mobile IPv4 par MIPv6. Or, la fonction d’optimisation de route (RO), qui remplace le routage triangulaire inefficace de MIP en permettant au noeud mobile (MN) une communication bidirectionnelle avec le noeud correspondant (CN) sans faire passer les messages à travers l’agent du réseau mère (HA), est déficiente au niveau de la sécurité. L’absence d’informations pré-partagées entre le MN et le CN rend la sécurisation du RO un défi de taille. MIPv6 adopte la routabilité de retour (RR) qui est davantage un mécanisme qui vérifie l’accessibilité du MN sur son adresse du réseau mère (HoA) et du réseau visité (CoA) plutôt qu’une fonction de sécurité. D’autres travaux se sont attaqués aux nombreuses failles de sécurité du RR, mais soit leur conception est fautive, soit leurs suppositions sont irréalistes. Le quatrième article présente une version améliorée de l’algorithme de génération cryptographique d’adresse (ECGA) pour MIPv6 qui intègre une chaîne de hachage arrière et offre de lier plusieurs adresses CGA ensemble. ECGA élimine les attaques de compromis temps-mémoire tout en étant efficace. Ce mécanisme de génération d’adresse fait parti du protocole Secure MIPv6 (SMIPv6) proposé avec un RO sécuritaire et efficace grâce à DNSSEC pour valider les CGAs qui proviennent d’un domaine de confiance et qui permet une authentification forte plutôt que l’invariance de source. Le vérificateur de protocoles cryptographiques dans le modèle formel AVISPA a été utilisé pour montrer qu’aucune faille de sécurité n’est présente tout en limitant au maximum les messages échangés dans le réseau d’accès. ----------ABSTRACT Next generation networks aim at offering all available services through an IP-core network by converging fixed-mobile heterogeneous networks. As part of the mobile access network, one of the main objectives of the 4G network is to provide seamless roaming with wireless local area networks and accommodating quality of service (QoS) specifications for digital video broadcasting systems. Such innovation aims expanding video-based digital services while reducing costs by normalizing the network layer through an all-IP architecture such as Internet. However, centralizing all traffic makes the shared core network a vulnerable target for attackers. Design security solutions in such an environment where entities a priori do not know each other represent a daunting task. This thesis tackles four important security issues in next generation networks each in distinct papers. The first two deal with security in decentralized mobile ad hoc networks (MANETs) while the last two focus on securing solutions aiming at reducing bandwidth and energy consumption, in line with the green shift promoted by network operators. More precisely, the third paper is about protecting multicast flows in a packet-loss environment and the last one proposes a secure route optimization function in mobile IPv6 (MIPv6) using an enhanced version of cryptographically generated address (CGA) and domain name service security extensions (DNSSEC). Most intrusion detection systems (IDS) for MANETs are based on reputation system which classifies nodes according to their degree of trust. However, existing IDS all share the same major weakness: the failure to detect and react on colluding attacks. The first paper proposes an IDS that integrates the colluding risk factor into the computation of the path reliability which considers the number and the reputation of nodes that can compare both the source message and the retransmitted one. Also, the extended architecture effectively detects malicious and colluding nodes in order to isolate them and protect the network. The simulations launched in various MANETs containing various proportions of malicious and colluding nodes show that the proposed solution offers a considerable throughput gain compared to current solutions. By effectively selecting the most reliable route and by promptly detecting colluding attacks, the number of lost messages is decreased, and therefore, offering more efficient transmissions. Instead of thwarting selfishness in MANETs by threatening nodes to limit their network functions, the second paper opts for a non-punishment incentive by compensating nodes for their service through the use of virtual money, more commonly known as nuglets. The last paper presents a game-theoretic framework based on Bertrand competition to incite relaying nodes in forwarding messages according to QoS requirements. For a source to send or access QoS-sensitive flows, such as real-time applications, it starts by sending a contract specifying the QoS requirements, its duration and a reservation price. Upon receiving a contract submission, intermediary nodes forming a route between the source and the destination share their current and past collected information on themselves and on surrounding nodes to estimate the probability of breaching the contract and the number of active competitors. Both parameters are crucial in setting a price. Once the source gets the responses from various routes, it selects the most cheapest one. This multiplayer winner-takes-all framework based on Bertrand competition with firms having asymmetric costs and access imperfect information has a mixed-strategy equilibrium in which industry profits are positive and decline not only with the number of firms having an estimated cost below the reservation price but also with the perception of a greater accuracy on a player’s cost that competitors have. In fact,results show that cost uncertainty increases firms’ gross margin rate and the prices fluctuation while making the contract honoring much riskier. On another topic, with the growing interest in converging fixed and mobile networks, mobile applications will require more and more resources from both the network and the mobile device. In a social-motivated context of shifting into green technologies, using multicast transmissions is essential because it lowers bandwidth consumption by simultaneously reaching a group of multiple recipients. Securing multicast flows has been extensively studied in the past, but none of the existing solutions were meant to handle the constraints imposed by mobile scenarios, in particular the high packet-loss rate. The need for a low overhead selfhealing rekeying mechanism that is scalable, reliable and suitable for mobile environments has never been more urgent than with the arrival of fixed-mobile convergence in 4G networks. The second paper presents two self-healing recovery schemes based on the dual directional hash chains for the logical key hierarchy rekeying protocol. This enables a member that has missed up to m consecutive key updates to recover the missing decryption keys without asking the group controller key server for retransmission. Conducted simulations show considerable improvements in the ratio of decrypted messages and in the rekey message overhead in high packet loss environments. The concern of energy efficiency is also present for mobile access network operators. In fact, nearly half of all Internet subscribers come from mobile units at the moment and it is expected to be the largest pool of Internet users by the next decade. The most obvious choice for mobile operators to support more users would be to replace Mobile IP for IPv4 with MIPv6. However, the Route Optimization (RO) function, which replaces the inefficient triangle routing by allowing a bidirectional communication between a mobile node (MN) and the corresponding node (CN) without passing through its home agent (HA), is not secure and has a high overhead. The lack of pre-shared information between the MN and the CN makes security in RO a difficult challenge. MIPv6 adopts the return routability (RR) mechanism which is more to verify the MN reachability in both its home address (HoA) and care-of address (CoA) than a security feature. Other works attempted to solve the multiple security issues in RR but either their design are flawed, or rely on unrealistic assumptions. The third paper presents an enhanced cryptographically generated address (ECGA) for MIPv6 that integrates a built-in backward key chain and offers support to bind multiple logically-linked CGAs together. ECGA tackles the time-memory tradeoff attacks while being very efficient. It is part of the proposed secure MIPv6 (SMIPv6) with secure and efficient RO which uses DNSSEC to validate CGAs from trusted domains and provide strong authentication rather than sender invariance. The AVISPA on-the-fly model checker (OFMC) tool has been used to show that the proposed solution has no security flaws while still being lightweight in signalling messages in the radio network

A QoS-aware architecture for mobile internet

Tese de doutoramento InformáticaHoje em dia, as pessoas pretendem ter simultaneamente mobilidade, qualidade de serviço e estar sempre connectados à Internet. No intuito, de satisfazer estes clientes muito exigentes, os mercados das telecomunicações estão a impor novos e dificeis desafios às redes móveis, através da demanda, de heterogeneidade em termos de tecnologias de acesso rádio, novos serviços, niveis de qualidade de serviço adequados aos requisitos das aplicações de tempo real, elevada taxa de utilização do recursos disponiveis e melhor capacidade de desempenho. A Internet foi concebida para fornecer serviços sem qualquer tipo de garantias de qualidade às aplicações, apenas se comprometendo em oferecer o melhor serviço possível. No entanto, nos útlimos anos diversos esforços foram levados a cabo no sentido de dotar a Internet com o suporte à qualidade de serviço. Dos esforços desenvolvidos resultaram dois paradigmas para o suporte da qualidade de serviço: o modelo de Serviços Integrados (Integrated Services - IntServ) e o modelo de Serviços Diferenciados (Differentiated Services - DiffServ). Todavia, estes modelos de qualidade de serviço (QoS) foram concebido antes da existência da Internet móvel, portanto o desenvolvimento destes modelos não teve em consideração a questão da mobilidade. Por outro lado, o protocolo padrão actual para a Internet móvel, o MIPv6, revela algumas limitações nos cenários onde os utilizadores estão constantemente a moverem-se para outros pontos de acesso. Neste tipo de cenários, o MIPv6 introduz tempos de latência que não são sustentáveis para aplicações com requisitos de QoS mais restritos. Os factos revelados, demonstram que existe uma emergente necessidade de adaptar o actual protocolo de mobilidade, e também de adaptar os modelos de QoS, ou então criar modelos alternativos de QoS, para satisfazer às exigências do utilizador de hoje de redes móveis. Para alcançar este objectivo o presente trabalho propõe melhorias no sistema de gestão da mobilidade do protocolo MIPv6 e na gestão de recursos do modelo DiffServ. O MIPv6 foi melhorado para os cenários de micro-mobilidade com a abordagem para micro-mobilidade do F-HMIPv6. Enquanto que, o modelo DiffServ foi melhorado para os ambientes móveis com funcionalidades dinâmicas e adaptativas através da utilização de sinalização de QoS e da gestão distribuida dos recursos. A gestão da mobilidade e dos recursos foi também acoplada na solução proposta com o propósito de optimizar a utilização dos recursos num meio onde os recursos são tipicamente escassos. O modelo proposto é simples, é de fácil implementação, tem em consideração os requisitos da Internet móvel, e provou ser eficiente e capaz de fornecer serviços com QoS de elevada fiabilidade às aplicações.Over the last few years, several network communication challenges have arisen as a result of the growing number of users demanding Quality of Service (QoS) and mobility simultaneously. In order to satisfy these very demanding customers, the markets are imposing new challenges to wireless networks by demanding heterogeneity in terms of wireless access technologies, new services, suited QoS levels to real-time applications, high usability and improved performance. However, the Internet has been designed for providing application services without quality guarantees. That explains why, in the last years several efforts have been made to endow Internet with QoS support. From the developed efforts have resulted two QoS paradigms: Integrated Services (IntServ) which offers the guaranteed service model and the Differentiated Services (DiffServ) which offers the predictive service model. Although these QoS models have been designed before the existence of mobile Internet, so they do not consider the mobility issue. For instance, the guaranteed service model requires that whenever a Mobile Node (MN) wants to move to a new location, the allocated resources in the old path must be released and a new resource reservation in a new path must be made, resulting in extra signaling overhead, heavy processing and state load. Therefore, if handovers are frequent, large mobility and QoS signaling messages will be created in the access networks. Consequently, significant scalability problems may arise with this type of service model. The predicted service model, on the other hand, requires an additional features such as dynamic and adaptive resource management in order to be efficient in a very dynamic network such as a mobile network. A QoS solution for mobile environments must provide the capacity to adapt its resource utilization to a changeable nature of wireless networks because they have a more dynamic behavior due to incoming or outgoing handovers. For this reason, a QoS signalization for dynamic resource provisioning is necessary in order to supply adequate QoS levels to mobile users. On the other hand, the current standard protocol for mobile Internet, Mobile IPv6 (MIPv6), reveals limitations in scenarios where users are constantly moving to another point of attachment. In these situations, MIPv6 introduces latency times that are not sustainable for applications with strict QoS requirements. All things considered, reveal the emerging need to adapt the current standard mobility protocol and QoS models to satisfy today’s mobile user’s requirements. To accomplish this goal, the present work proposes enhancements in terms of the MIPv6 protocol mobility management scheme as well as in DiffServ QoS model resource management. The former was enhanced for micro-mobility scenarios with a specific combination of FMIPv6 (Fast Mobile IPv6) and HMIPv6 (Hierarchical Mobile IPv6) protocols. Whereas, the latter was enhanced for mobile environments with dynamic and adaptive features by using QoS signalization as well as distributed resource management. The mobility and resource management has also been coupled in the proposed solution with the objective of optimizing the resource utilization in a environment where resources are typically scarce. In order to assess model performance as well as its parametrization, a simulation model has been designed and implemented in the Network Simulator version two (NS-2). The model´s performance evaluation has been conducted based on the respective data acquired from statistical analysis in order to validate and consolidate the conclusions. Simulation results indicate that the solution avoids network congestion and starvation of less priority DiffServ classes. Moreover, the results also indicate that bandwidth utilization for priority classes increases and the QoS offered to MN’s applications, in each DiffServ class, remains unchangeable with MN mobility. The proposed model is simple and easy to implement. It considers mobile Internet requirements and has proven to be effective and capable of providing services with highly reliable QoS to mobile applications.Fundação para a Ciência e a Tecnologia (FCT) - Bolsa SFRH/BD/35245/200

Host mobility management with identifier-locator split protocols in hierarchical and flat networks

Includes abstractIncludes bibliographical references.As the Internet increasingly becomes more mobile focused and overloaded with mobile hosts, mobile users are bound to roam freely and attach to a variety of networks. These different networks converge over an IP-based core to enable ubiquitous network access, anytime and anywhere, to support the provision of services, that is, any service, to mobile users. Therefore, in this thesis, the researcher proposed network-based mobility solutions at different layers to securely support seamless handovers between heterogeneous networks in hierarchical and flat network architectures

IP Mobility in Wireless Operator Networks

Wireless network access is gaining increased heterogeneity in terms of the types of IP capable access technologies. The access network heterogeneity is an outcome of incremental and evolutionary approach of building new infrastructure. The recent success of multi-radio terminals drives both building a new infrastructure and implicit deployment of heterogeneous access networks. Typically there is no economical reason to replace the existing infrastructure when building a new one. The gradual migration phase usually takes several years. IP-based mobility across different access networks may involve both horizontal and vertical handovers. Depending on the networking environment, the mobile terminal may be attached to the network through multiple access technologies. Consequently, the terminal may send and receive packets through multiple networks simultaneously. This dissertation addresses the introduction of IP Mobility paradigm into the existing mobile operator network infrastructure that have not originally been designed for multi-access and IP Mobility. We propose a model for the future wireless networking and roaming architecture that does not require revolutionary technology changes and can be deployed without unnecessary complexity. The model proposes a clear separation of operator roles: (i) access operator, (ii) service operator, and (iii) inter-connection and roaming provider. The separation allows each type of an operator to have their own development path and business models without artificial bindings with each other. We also propose minimum requirements for the new model. We present the state of the art of IP Mobility. We also present results of standardization efforts in IP-based wireless architectures. Finally, we present experimentation results of IP-level mobility in various wireless operator deployments.Erilaiset langattomat verkkoyhteydet lisääntyvät Internet-kykyisten teknologioiden muodossa. Lukuisten eri teknologioiden päällekkäinen käyttö johtuu vähitellen ja tarpeen mukaan rakennetusta verkkoinfrastruktuurista. Useita radioteknologioita (kuten WLAN, GSM ja UMTS) sisältävien päätelaitteiden (kuten älypuhelimet ja kannettavat tietokoneet) viimeaikainen kaupallinen menestys edesauttaa uuden verkkoinfrastruktuurin rakentamista, sekä mahdollisesti johtaa verkkoteknologioiden kirjon lisääntymiseen. Olemassa olevaa verkkoinfrastruktuuria ei kaupallisista syistä kannata korvata uudella teknologialla yhdellä kertaa, vaan vaiheittainen siirtymävaihe kestää tyypillisesti useita vuosia. Internet-kykyiset päätelaitteet voivat liikkua joko saman verkkoteknologian sisällä tai eri verkkoteknologioiden välillä. Verkkoympäristöstä riippuen liikkuvat päätelaitteet voivat liittyä verkkoon useiden verkkoyhteyksien kautta. Näin ollen päätelaite voi lähettää ja vastaanottaa tietoliikennepaketteja yhtäaikaisesti lukuisia verkkoja pitkin. Tämä väitöskirja käsittelee Internet-teknologioiden liikkuvuutta ja näiden teknologioiden tuomista olemassa oleviin langattomien verkko-operaattorien verkkoinfrastruktuureihin. Käsiteltäviä verkkoinfrastruktuureita ei alun perin ole suunniteltu Internet-teknologian liikkuvuuden ja monien yhtäaikaisten yhteyksien ehdoilla. Tässä työssä ehdotetaan tulevaisuuden langattomien verkkojen arkkitehtuurimallia ja ratkaisuja verkkovierailujen toteuttamiseksi. Ehdotettu arkkitehtuuri voidaan toteuttaa ilman mittavia teknologisia mullistuksia. Mallin mukaisessa ehdotuksessa verkko-operaattorin roolit jaetaan selkeästi (i) verkko-operaattoriin, (ii) palveluoperaattoriin ja (iii) yhteys- sekä verkkovierailuoperaattoriin. Roolijako mahdollistaa sen, että kukin operaattorityyppi voi kehittyä itsenäisesti, ja että teennäiset verkkoteknologiasidonnaisuudet poistuvat palveluiden tuottamisessa. Työssä esitetään myös alustava vaatimuslista ehdotetulle mallille, esimerkiksi yhteysoperaattorien laatuvaatimukset. Väitöskirja esittelee myös liikkuvien Internet-teknologioiden viimeisimmän kehityksen. Työssä näytetään lisäksi standardointituloksia Internet-kykyisissä langattomissa arkkitehtuureissa