
    Is DNS Ready for Ubiquitous Internet of Things?

    The vision of the Internet of Things (IoT) covers not only the well-regulated processes of specific applications in different areas but also includes ubiquitous connectivity of more generic objects (or things and devices) in the physical world and the related information in the virtual world. For example, a typical IoT application, such as a smart city, includes smarter urban transport networks, upgraded water supply, and waste-disposal facilities, along with more efficient ways to light and heat buildings. For smart city applications and others, we require unique naming of every object and a secure, scalable, and efficient name resolution which can provide access to any object's inherent attributes with its name. Based on different motivations, many naming principles and name resolution schemes have been proposed. Some of them are based on the well-known domain name system (DNS), which is the most important infrastructure in the current Internet, while others are based on novel design principles to evolve the Internet. Although the DNS is evolving in its functionality and performance, it was not originally designed for IoT applications. A fundamental question that arises, then, is: can the current DNS adequately provide the name service support for IoT in the future? To address this question, we analyze the strengths and challenges of DNS when it is used to support ubiquitous IoT. First, we analyze the requirements of the IoT name service by using five characteristics, namely security, mobility, infrastructure independence, localization, and efficiency, which we collectively refer to as SMILE. Then, we discuss the pros and cons of the DNS in satisfying SMILE in the context of the future evolution of the IoT environment.

    IETF standardization in the field of the Internet of Things (IoT): a survey

    Smart embedded objects will become an important part of what is called the Internet of Things. However, the integration of embedded devices into the Internet introduces several challenges, since many of the existing Internet technologies and protocols were not designed for this class of devices. In the past few years, there have been many efforts to enable the extension of Internet technologies to constrained devices. Initially, this resulted in proprietary protocols and architectures. Later, the integration of constrained devices into the Internet was embraced by the IETF, moving towards standardized IP-based protocols. In this paper, we briefly review the history of integrating constrained devices into the Internet, followed by an extensive overview of IETF standardization work in the 6LoWPAN, ROLL and CoRE working groups. This is complemented with a broad overview of related research results that illustrate how this work can be extended or used to tackle other problems, and with a discussion of open issues and challenges. As such, the aim of this paper is twofold: apart from giving readers solid insights into IETF standardization work on the Internet of Things, it also aims to encourage readers to further explore the world of Internet-connected objects, pointing to future research opportunities.

    Glowbal IP: An Adaptive and Transparent IPv6 Integration in the Internet of Things


    Secure Certificate Management and Device Enrollment at IoT Scale.

    The Internet of Things (IoT) is expected to comprise over 20 billion devices connected to the Internet by the year 2020, and to support mission-critical applications such as health care, road safety and emergency services, to name a few. This massive scale of IoT device deployment, the heterogeneity of devices and applications, and the autonomous nature of the decision-making process introduce new security requirements and challenges. The devices must be securely bootstrapped into the network to provide secure inter-device communication, and the applications must be able to authenticate and authorize these devices to provide the relevant services. In today's Internet, Public Key Infrastructure (PKI) is widely used to provide authenticity, encryption and data integrity during network communication through the use of digital certificates. This thesis investigates the key aspects of deploying a PKI security solution in an IoT ecosystem, ranging from deploying certificates on new devices (bootstrapping) to complete life-cycle management of these certificates. We believe that the current PKI can, with suitable enhancements, be used to provide the efficiency, scalability and flexibility needed for IoT security. This thesis provides a survey of key aspects of deploying a PKI security solution in an IoT ecosystem. We investigate different certificate management protocols and motivate the applicability of the enhanced security over transport (EST) protocol for an IoT PKI solution. In addition, we propose a PKI deployment model and the bootstrap mechanism to bring up an IoT device and provision it with a digital certificate. Furthermore, we provide a prototype implementation to demonstrate the certificate enrollment procedure with an EST server.

    Efficient IPv6 Neighbor Discovery in Wireless Environment

    As the address space of IPv4 is being depleted with the development of the IoT (Internet of Things), there is an increasing need for a permanent transition to the IPv6 protocol as soon as possible. Nowadays, many 3GPP (3rd Generation Partnership Project) networks have implemented or will implement IPv6 in the near future for Internet access. These networks will also use NDP (Neighbor Discovery Protocol), which is the IPv6-tailored version of ARP (Address Resolution Protocol). The protocol is responsible for address auto-configuration, maintaining lists of all neighbors connected to a network, verifying whether they are still reachable, managing prefixes, and duplicate address detection. The protocol is defined in RFC 4861 and, although it works fine for wired devices, it has proven highly inefficient in terms of battery lifetime since wireless networks came to the market and their use increased tremendously. This thesis work is a continuation of a previous master thesis and complements the work done previously by showing how the solutions suggested in the new draft can be implemented at the router and host side, and practically confirms the previous results of the theoretical analysis through simulation scenarios of sleep and wake-up of the nodes, performed in OMNeT++. Subsequently, the scalability of the system as a whole was analyzed with a simulation model containing a range of hosts from 1 to 100, and it was shown that the system can operate efficiently on a larger scale, reducing multicast messaging by almost 100% and presumably saving battery power.

    The introduction and rise of the Internet of Things (IoT), and the use of more and more wireless devices in the communication between users, has depleted the available IPv4 addresses. The introduction of the new IPv6 protocol solves the address depletion problem, but on the other hand, many of the existing protocols have to be redesigned. This thesis is based on RFC 4861's NDP (Neighbor Discovery Protocol for IPv6 networks), the equivalent of ARP (Address Resolution Protocol) for IPv4 networks. Like ARP, NDP is used in all networks, wired or wireless, and its main feature is to periodically check and update the state of the network, provide L2 addresses to hosts in the same network and verify their reachability. While wired devices experience no issues regarding power supply, as they are constantly hooked to a power source and rarely experience network failures, wireless devices have limited power, as they rely on battery lifetime. This is also the case for machines running NDP: the protocol relies on the periodic exchange of multicast ICMPv6 (Internet Control Message Protocol version 6) control messages, creating unnecessary traffic overhead in the network, as all hosts in a network receive those messages regardless of whether they are meant for them or not. As a general working mode, a battery-operated device enters predefined sleeping cycles (stand-by), which each manufacturer designs in a different way. Multicast signaling inside networks therefore disrupts those sleeping cycles, causing increased battery consumption as a result of more required processing power and more consumed bandwidth. RFC 6775, together with [3], proposes updates to NDP which would solve the problems mentioned above. The major update is that each host can update the router about its state by sending unicast messages, without involving the other hosts in the network. The router, instead of sending periodic control messages to every host, sends control messages to each host separately at specific time intervals. Only when a major change occurs in the network, for instance the addition of a new host or a host leaving the network, are multicast messages sent to every host to update their state.

    Together with the establishment of unicast signaling, a new method of address registration is introduced in the documents cited above, called the Address Registration Option. This registration method is fully compatible with the two standard mechanisms which provide L3 addresses to hosts: Stateless Address Autoconfiguration (SLAAC) and the Dynamic Host Configuration Protocol (DHCP). The previous thesis work took the first steps in implementing the proposed protocol changes by investigating functions inside RADVD, the Router Advertisement Daemon, which runs on all routers and is responsible for sending the periodic multicast control messages (Router Advertisements) to the hosts. A full implementation of the proposed changes requires covering both sides of the network, i.e. host and router. While RADVD handles the router side, the implementation on the host side needs to be done inside the Linux kernel. In this thesis work, the RADVD implementation was completed and possible implementation methods inside the Linux kernel were shown. Due to the overall complexity of the Linux kernel, while the proposed code could cover most aspects of RFC 6775, it was not possible to test it in order to conclude how much work remains. Simulations were run to compare the two protocols and verify to what extent these proposed changes can potentially improve battery lifetime. A sleep and wake-up scenario was tested over the same time intervals in order to observe network traffic. The goal was to obtain a decrease in control messages in the case where the suggested changes were applied. Different numbers of hosts were selected to see whether these changes can be applied to larger networks. In both cases, the best-case scenario was tested and parameters which would normally hinder network performance were neglected. This decision was also made to reduce the complexity of the network.

    The results of the simulations indicated that there could be a decrease in control messages, and the network appears stable and scalable as the number of hosts increases.

    IP addressing, transition and security in 5G networks

    The number of devices on the Internet is always increasing and there is a need for reliable IP addressing. The 5G network will be built on two main technologies, SDN and NFV, which will make it elastic and agile compared to its predecessors. Elasticity will ensure that additional devices can always be added to the network. IPv4 addresses are already depleted and cannot support the expansion of the Internet needed to realize future networks. IPv6 addressing has been proposed to support 5G networking because of the sufficient number of addresses that the protocol provides. However, IPv4 addressing will still be used concurrently with IPv6 addressing in networks until they become fully IPv6-based. The structure of the IPv4 header is different from the IPv6 header, hence the two protocols are incompatible. There is a need for seamless intercommunication between devices running IPv4 and IPv6 in future networks. Three technologies, namely Dual Stack, Tunneling and Translation, have been proposed to ensure a smooth transition from the IPv4 to the IPv6 protocol. This dissertation demonstrates tunneling of IPv6 over IPv4. This research work also reviews network security threats of past networks that are likely to be experienced in 5G networks. To counter them, reliable IP security strategies used in current networks are proposed for use in next-generation networks. This dissertation evaluates and analyzes IPv4, IPv6 and tunneling models in an SDN network environment. The performance of an IPv4-only network is compared to an IPv6-only network. Devices addressed with both protocols are also connected. The results obtained illustrate that IPv4 and IPv6 devices can effectively communicate in a 5G network environment. In addition, a tunnel is used to run the IPv6 protocol over an IPv4 network. The devices on both ends of the tunnel could communicate with each other effectively.

    NAT64/DNS64 in the Networks with DNSSEC

    The rising number of DNS-over-HTTPS capable resolvers and applications results in higher use of third-party DNS resolvers by clients. Because of that, the currently most deployed method of NAT64 prefix detection, RFC 7050 [1], fails to detect the NAT64 prefix. As a result, clients using either the NAT64/DNS64 or the 464XLAT transition mechanism fail to detect the NAT64 prefix properly, making IPv4-only resources inaccessible. The aim of this thesis is to develop a new DNS-based detection method that works with third-party resolvers and utilizes the added security of the DNS security extensions, DNSSEC.

    The thesis describes the currently standardized methods of NAT64 prefix detection, their underlying protocols, and their limitations in their coexistence with other network protocols. The developed method uses the SRV record type to transmit the NAT64 prefix in the global DNS tree. Because the proposed method uses already existing protocols and record types, it is easily deployable without any modification of the DNS server or the network infrastructure. Due to the use of the global DNS tree, the developed method can utilize the security provided by DNSSEC and therefore shows better security characteristics than previous methods. This thesis forms the basis for a standardization effort in the IETF.

    IETF standardization in the field of the internet of things (IoT): a survey

    Abstract identical to the entry of the same title above. The research leading to these results has received funding from the European Union’s Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 258885 (SPITFIRE project), from the iMinds ICON projects GreenWeCan and O’CareCloudS, a FWO postdoc grant for Eli De Poorter and a VLIR PhD scholarship to Isam Ishaq.

    Data Communications and Network Technologies

    This open access book is written according to the examination outline for the Huawei HCIA-Routing & Switching V2.5 certification, aiming to help readers master the basics of network communications and use Huawei network devices to set up enterprise LANs and WANs, wired networks, and wireless networks, ensure network security for enterprises, and grasp cutting-edge computer network technologies. The content of this book includes: network communication fundamentals, the TCP/IP protocol suite, the Huawei VRP operating system, IP addresses and subnetting, static and dynamic routing, Ethernet networking technology, ACL and AAA, network address translation, DHCP server, WLAN, IPv6, the WAN PPP and PPPoE protocols, typical networking architecture and design cases of campus networks, the SNMP protocol used for network management, operation and maintenance, the network time protocol NTP, SDN and NFV, programming, and automation. As the world’s leading provider of ICT (information and communication technology) infrastructure and smart terminals, Huawei’s products range from digital data communication, cyber security, wireless technology, data storage, cloud computing, and smart computing to artificial intelligence.