
    Performance evaluation of HIP-based network security solutions

    Abstract. Host Identity Protocol (HIP) is a networking technology that systematically separates the identifier and locator roles of IP addresses and introduces a Host Identity (HI) name space based on a public key security infrastructure. This modification offers a series of benefits such as mobility, multi-homing, end-to-end security, signaling, control/data plane separation, firewall security, etc. Although HIP has not yet been sufficiently applied in mainstream communication networks, industry experts foresee its potential as an integral part of next generation networks. HIP can be used in various HIP-aware applications as well as in traditional IP-address-based applications and networking technologies, taking middle boxes into account. One such application is Virtual Private LAN Service (VPLS), a widely used method of providing an Ethernet-based Virtual Private Network that supports the connection of geographically separated sites into a single bridged domain over an IP/MPLS network. The popularity of VPLS among commercial and defense organizations underscores the need for robust security features to protect both data and control information. After investigating the different approaches to HIP, a real-world testbed is implemented. Two experiment scenarios were evaluated: one is performed on two open source Linux-based HIP implementations (HIPL and OpenHIP) and the other on two sets of enterprise equipment from two different companies (Tempered Networks and Byres Security). To account for a heterogeneous mix of network types, the open source HIP implementations were evaluated on different network environments, namely Local Area Network (LAN), Wireless LAN (WLAN), and Wide Area Network (WAN). Each scenario is tested and evaluated for performance in terms of throughput, latency, and jitter. The measurement results confirmed the assumption that no single solution is optimal in all considered aspects and scenarios.
For instance, in the open source implementations, the performance penalty of security on TCP throughput for the WLAN scenario is smaller in HIPL than in OpenHIP, while for the WAN scenario the reverse is the case. A similar outcome is observed for the UDP throughput. However, on latency, HIPL showed lower latency for all three network test scenarios. For the legacy equipment experiment, the penalty of security on TCP throughput is about 19% compared with the non-secure scenario, while latency is increased by about 87%. This work therefore provides viable information for researchers and decision makers on the optimal solution to securing their VPNs based on the application scenarios and the potential performance penalties that come with each approach.

Performance evaluation of HIP-based network security solutions. Abstract. The Host Identity Protocol (HIP) is a networking technology that uses a separate layer between the transport protocol and the Internet Protocol (IP) in the TCP/IP protocol stack. HIP systematically separates the network and host parts of the IP address and uses a Host Identity (HI) part based on a public-key security infrastructure. Its benefits include mobility, multi-homing, end-to-end security, separation of control information and data, rendezvous, address change and firewall security. In industry, HIP is seen as part of next-generation networks, even though it has not yet come into wide commercial use. HIP can be used not only in HIP-aware applications but also in traditional IP-address-based applications and networking technologies. One such application is Virtual Private LAN Service (VPLS), a widely used method for creating an Ethernet-based virtual private network that supports connecting separate sites into a single bridged domain over an IP/MPLS network.
The prevalence of VPLS in both commercial and defense organizations highlights the need for robust security features to protect data and control information. This work first examines the different approaches to HIP. After the theoretical review, practical tests are carried out on a self-built testbed. The scenarios examined compare Linux-based open source HIP implementations (HIPL and OpenHIP) and compare equipment from two different vendors (Tempered Networks and Byres Security). The HIP implementations are evaluated in different network environments, namely LAN, WLAN and WAN. All tested cases are evaluated in terms of throughput, its variation (jitter) and latency. The measurement results show that the same solution is not optimal in all the cases examined. For example, when using a WLAN, the throughput loss caused by security is smaller for HIPL than for OpenHIP, whereas in the WAN case the situation is reversed. Similar behaviour is also observed for UDP throughput. HIPL nevertheless gives the lowest latency in all test scenarios. When comparing the equipment of different vendors, TCP throughput degrades by 19 percent and latency by 87 percent compared with the case in which no security solution is used. The important information produced by this work can therefore help practitioners in the field find the optimal network security solution for VPN-based applications.

    A method for improving the security and scalability of VPLS networks

    The aim of this work is to create an architecture that ensures security while scaling VPLS networks.

    A survey of Virtual Private LAN Services (VPLS): Past, present and future

    Virtual Private LAN Service (VPLS) is a Layer 2 Virtual Private Network (L2VPN) service that has gained immense popularity due to a number of its features, such as protocol independence, multipoint-to-multipoint mesh connectivity, robust security, low operational cost (in terms of optimal resource utilization), and high scalability. In addition to the traditional VPLS architectures, novel VPLS solutions have been designed leveraging new emerging paradigms, such as Software Defined Networking (SDN) and Network Function Virtualization (NFV), to keep up with the increasing demand. These emerging solutions help in enhancing scalability, strengthening security, and optimizing resource utilization. This paper aims to conduct an in-depth survey of various VPLS architectures and highlight different characteristics through insightful comparisons. Moreover, the article discusses numerous technical aspects such as security, scalability, compatibility, tunnel management, operational issues, and complexity, along with the lessons learned. Finally, the paper outlines future research directions related to VPLS. To the best of our knowledge, this paper is the first to furnish a detailed survey of VPLS. University College Dublin; Academy of Finland.

    Multi Protocol Label Switching: Quality of Service, Traffic Engineering application, and Virtual Private Network application

    This thesis discusses the QoS feature, Traffic Engineering (TE) application, and Virtual Private Network (VPN) application of the Multi Protocol Label Switching (MPLS) protocol. This thesis concentrates on comparing MPLS with other prominent technologies such as Internet Protocol (IP), Asynchronous Transfer Mode (ATM), and Frame Relay (FR). MPLS combines the flexibility of IP with the connection-oriented approach of ATM or FR. Section 1 lists several advantages MPLS brings over other technologies. Section 2 covers the architecture and gives a brief description of the key components of MPLS. The information provided in Section 2 builds a background for comparing MPLS with the other technologies in the rest of the sections. Since it is anticipated that MPLS will be a main core network technology, MPLS is required to work with the two currently available QoS architectures: the Integrated Service (IntServ) architecture and the Differentiated Service (DiffServ) architecture. Even though MPLS does not introduce a new QoS architecture or enhance the existing QoS architectures, it works seamlessly with both QoS architectures and provides proper QoS support to the customer. Section 3 provides the details of how MPLS supports various functions of the IntServ and DiffServ architectures. TE helps an Internet Service Provider (ISP) optimize the use of available resources, minimize operational costs, and maximize revenues. MPLS provides efficient TE functions which prove to be superior to IP and ATM/FR. Section 4 discusses how MPLS supports the TE functionality and what makes MPLS superior to other competitive technologies. ATM and FR are still required as a backbone technology in some areas where converting the backbone to IP or MPLS does not make sense or where customer demands simply require ATM or FR. In this case, it is important for MPLS to work with ATM and FR.
Section 5 highlights the interoperability issues and solutions for MPLS while working in conjunction with ATM and FR. In Section 6, various VPN tunnel types are discussed and compared with the MPLS VPN tunnel type. The MPLS VPN tunnel type is concluded to be an optimal tunnel approach because it provides security, multiplexing, and the other important features that are required by the VPN customer and the ISP. Various MPLS layer 2 and layer 3 VPN solutions are also briefly discussed. In Section 7 I conclude with the details of an actual implementation of a layer 3 MPLS VPN solution that works in conjunction with Border Gateway Protocol (BGP).

    Wireless Ad Hoc Federated Learning: A Fully Distributed Cooperative Machine Learning

    Privacy-sensitive data is stored in autonomous vehicles, smart devices, or sensor nodes that can move around, making opportunistic contact with each other. Federation among such nodes has mainly been discussed in the context of federated learning with a centralized mechanism in many works. However, because of multi-vendor issues, those nodes do not want to rely on a specific server operated by a third party for this purpose. In this paper, we propose wireless ad hoc federated learning (WAFL), a fully distributed cooperative machine learning organized by the nodes physically nearby. WAFL can develop generalized models from Non-IID datasets stored locally in distributed nodes by exchanging and aggregating them with each other over opportunistic node-to-node contacts. In our benchmark-based evaluation with various opportunistic networks, WAFL achieved a higher accuracy of 94.8-96.3% than the self-training case of 84.7%. All our evaluation results show that WAFL can train and converge the model parameters from highly partitioned Non-IID datasets over opportunistic networks without any centralized mechanisms. Comment: 14 pages, 8 figures, 2 tables.

    Comparing Interconnecting Methods for Multiprotocol Label Switched Virtual Private Networks

    Operators offer label-switched virtual private network services to their customers. In addition, operators use them to deliver their own services. Both label switching and the VPN services that build on it are defined to operate within a single autonomous system. This thesis compares four different ways of interconnecting such VPNs across AS boundaries. The comparison is made from the viewpoint of information security. The work examines three different VPN services and how their implementation techniques affect interconnection. The comparison has been designed to be applicable to all of the services. This is not possible in every respect, since the services' implementations differ too much from one another. The comparison revealed that the interconnection methods have different strengths with respect to security. When choosing an interconnection method, the operator must decide which security threats to weight. Some of the threats stem from weaknesses in vendors' implementations, but some are inherent in the standards. Being aware of the security risks, and taking into account the additional security risks caused by interconnection, an operator can offer secure label-switched VPN services that span more than one autonomous system.

    Telecommunication operators offer Multiprotocol Label Switched Virtual Private Networks to their customers. MPLS VPN technologies can also be used for operators' internal purposes, enabling them to offer a wider range of services on a single infrastructure. Both MPLS and MPLS-based VPNs are defined to be used inside a single autonomous system (AS). The aim of this thesis is to compare four different interconnection methods for MPLS VPNs in different ASes. The focus is on security. Three different MPLS VPN services are looked into closely. The effect of each service's technology on interconnection is of interest. The comparison tries to incorporate all three services.
But, since the services differ from each other, not all criteria concern all services. The comparison revealed that the interconnection methods have different strengths concerning security. When choosing the interconnection method, an operator needs to define which areas of security it finds relevant. A portion of the security issues are implementation specific, but some come directly from the standards. When the operator is aware of the security issues related to the chosen interconnection method, it is safe to offer MPLS VPNs that cover multiple autonomous systems.

    Contribuciones basadas en el análisis biplot al diseño y gestión de redes de telecomunicación

    The importance of telecommunication networks in our society is undeniable. From fixed and mobile telephony to the Internet, they are present in most homes, businesses and public administrations. Guaranteeing their correct operation is of key importance, and the fundamental tool for this goal is proper network design and management. Biplot methods, formulated by Gabriel in 1971, allow a data matrix to be represented as a graph that uses individual markers for each row and column of the original matrix while respecting certain properties of the original data. In network design and management, many kinds of matrices containing diverse data about operation and configuration can be used. Prominent among them are traffic matrices, topology matrices and combinations of both. On the other hand, graphical representations allow network designers and managers to identify the state of the communication network efficiently and effectively. This doctoral thesis proposes the use of biplot methods in general, and of the HJ-Biplot, proposed by Galindo in 1986, in particular, in the design and management of communication networks, presenting applications to the most common data networks of today. The proposals focus on three general cases that cover a broad spectrum of possible applications: anomaly detection, analysis of traffic time series and analysis of network topology. Anomaly detection is applied in a first example to data from a real Ethernet network. It is shown that the HJ-Biplot representation can be used for two purposes: to model the network with a suitably robust representation and to detect incidents with sufficient sensitivity.
In a second case it is applied to the detection of a denial-of-service attack, as a special case of anomaly, using a published dataset intended for verifying the operation of this kind of system. This section includes the application of the STATIS method for detecting the anomaly and, finally, the HJ-Biplot for the specific diagnosis of the incident that occurred in the network. The time-series analysis using the HJ-Biplot improves on the proposal made by Lakhina et al. in 2004 and later, which applied Principal Component Analysis (PCA) to an origin-destination traffic matrix. The HJ-Biplot takes into account the simultaneous existence of temporal and spatial correlations in the traffic matrix and also makes it possible to locate the point at which the incident occurred. Finally, combining spectral graph theory, applied to communication networks, with biplot methodology in general and the HJ-Biplot in particular yields graphical representations of communication networks with information about their topology, even incorporating information about the traffic carried, symmetric or asymmetric, between nodes. The doctoral thesis presents some contributions of biplot methods to the analysis and management of the communication networks most used today. The proposed tool improves network design and management procedures, constituting a powerful tool for visualizing the state of the communication network.

    Non-coding RNA regulatory networks

    It is well established that the vast majority of human RNA transcripts do not encode proteins and that non-coding RNAs regulate cell physiology and shape cellular functions. A subset of them is involved in gene regulation at different levels, from epigenetic gene silencing to post-transcriptional regulation of mRNA stability. Notably, the aberrant expression of many non-coding RNAs has been associated with aggressive pathologies. Rapid advances in network biology indicate that the robustness of cellular processes is the result of specific properties of biological networks, such as scale-free degree distribution and hierarchical modularity, suggesting that regulatory network analyses could provide new insights on gene regulation and dysfunction mechanisms. In this study we present an overview of public repositories where non-coding RNA regulatory interactions are collected and annotated, we discuss unresolved questions for data integration, and we recall existing resources to build and analyse networks.