27 research outputs found

    Erlang-based dimensioning for IPv4 Address+Port translation

    As the IPv4 address pool is being exhausted, it becomes urgent to find a way to migrate IPv4 network architectures to IPv6, or to reduce the use of IPv4 addresses. In this paper, we discuss a strategy known as "Address + Port" translation, which consists of several users sharing the same IPv4 address and being distinguished by a range of port numbers. Of critical importance for the feasibility of such a mechanism is the knowledge of the minimum number of ports to allocate to users so that no service degradation is perceived. To that end, we analyse the port consumption of the most port-consuming Internet application, web browsing, and present some aggregate port consumption curves for the student population of our campus. Our results suggest that a port range of 1000 ports is totally transparent to users (which would allow a single IPv4 address to be shared among 64 users), while 400 ports (i.e., 150 users per address) is sufficient for most users. Finally, the number of users per address could be further improved by benefiting from statistical multiplexing, i.e., using dynamic instead of fixed port range allocation.

    Multiprotocol Label Switching Virtual Private Networks

    This graduate thesis describes the architecture of Internet service provider (ISP) core networks, the development of MPLS, its mode of operation, and some of its development goals and the advantages of its application. The thesis also defines the main elements of MPLS networks, the main MPLS protocols used for label distribution and routing, and some MPLS application extensions. Since MPLS VPN is considered the most successful application extension, its variants are described by layer: MPLS Layer 3 VPN, MPLS Layer 2 VPN, Virtual Private Wire Service and Virtual Private LAN Service. In addition, the thesis describes the network planning process, which consists of telecommunication forecasting, dimensioning and traffic engineering, and describes the two most commonly used tools for MPLS network planning: IP/MPLSView and iVNT. The practical part of the thesis consists of the OSPF, MPLS and VPLS configuration of MikroTik devices according to the given test network topology (Figure 8.1), with Internet access enabled via MikroTik P1.

    End to End Inter-domain Quality of Service Provisioning


    Techno-economic analysis of software-defined telecommunications networks


    Address spreading in future Internet supporting both the unlinkability of communication relations and the filtering of non legitimate traffic

    The rotation of identifiers is a common security mechanism to protect telecommunication; one example is frequency hopping in wireless communication, used against interception, radio jamming and interference. In this thesis, we extend this rotation concept to the Internet. We use the large IPv6 address space to build pseudo-random sequences of IPv6 addresses, known only by senders and receivers. The sequences are used to periodically generate new identifiers, each of them being ephemeral. It provides a new solution to identify a flow of data; packets not following the sequence of addresses will be rejected. We called this technique "address spreading". Since the attackers cannot guess the next addresses, it is no longer possible to inject packets. The real IPv6 addresses are obfuscated, protecting against targeted attacks and against identification of the computer sending a flow of data. We have not modified the routing part of IPv6 addresses, so the spreading can be easily deployed on the Internet. The "address spreading" needs synchronization between devices, and it has to take care of latency in the network. Otherwise, the identification will reject the packets (false positive detection). We evaluate this risk with a theoretical estimation of packet loss and by running tests on the Internet. We propose a solution to provide synchronization between devices. Since the address spreading cannot be deployed without cooperation of end networks, we propose to use ephemeral addresses. Such addresses have a lifetime limited to the communication lifetime between two devices. The ephemeral addresses are based on a cooperation between end devices, which add a tag to each flow of packets, and an intermediate device on the path of the communication, which obfuscates the real address of data flows. The tagging is based on the Flow Label field of IPv6 packets. We propose an evaluation of the current implementations on common operating systems. In the Linux kernel, we fixed behaviours not following the current standards, and bugs in the TCP stack for flow labels. We also provide new features like reading the incoming flow labels and reflecting the flow labels on a socket.

    Converged data, voice and video surveillance network under the IP protocol for the IESS hospital - Ibarra, administered with free software

    To design a converged voice, video and data network, based on the IP protocol, which will improve the quality of communication and data transmission and provide video surveillance at the Hospital of Ibarra - IESS. The Level II Hospital of Ibarra of the Instituto Ecuatoriano de Seguridad Social, Regional 8, is a building that began offering its services to the public progressively and likewise expanded its medical and staff services as need obliged it to cover them. Over time, the hospital's infrastructure, such as offices and consulting rooms, came to be used in its entirety until it became saturated, requiring the hospital to create new units in different spaces of the hospital. All of this means that the cabling and telephone communication infrastructure has developed in a deficient and improvised manner. This project delivers a design for a converged network supporting data, voice and video surveillance under free software for the network of the Level II Hospital of Ibarra of the Instituto Ecuatoriano de Seguridad Social, Regional 8, thereby improving the current data and communication infrastructure, as well as providing new services such as video surveillance, which help the hospital's medical and administrative staff, as well as its users, to work better. This design will help to have structured cabling that is up to date, labelled and monitored, making it possible to respond more effectively when damage is detected in the network; in addition, communication between consulting rooms, offices and different units will be more fluid, and there can be greater control over the security of both the facilities and the medical and administrative staff and users. Ingenierí