
    Evaluating IP security and mobility on lightweight hardware

    This work presents an empirical evaluation of the applicability of selected existing IP security and mobility mechanisms to lightweight mobile devices and network components with limited resources and capabilities. In particular, we consider the Host Identity Protocol (HIP), recently specified by the IETF for achieving authentication, secure mobility and multihoming, data protection and prevention of several types of attacks. HIP uses the Diffie-Hellman protocol to establish a shared secret between two hosts, digital signatures to provide integrity of the control plane, and IPsec ESP encryption to protect user data. These computationally expensive operations might easily stress the CPU, memory and battery resources of a lightweight client, as well as negatively affect data throughput and latency. We describe our porting experience with HIP on an embedded Linux PDA, a Symbian-based smartphone and two OpenWrt Wi-Fi access routers, thereby contributing to the protocol deployment. We present a set of measurement results of different HIP operations on these devices and evaluate the impact of public-key cryptography on processor load, memory usage and battery lifetime, as well as the influence of IPsec encryption on Round-Trip Time and TCP throughput. In addition, we assess how the lightweight hardware of a mobile handheld or a Wi-Fi access router in turn affects the duration of certain protocol operations, including the HIP base exchange, HIP mobility update, puzzle solving procedure and generation of an asymmetric key pair. After analyzing the empirical results we draw conclusions and make recommendations on the applicability of unmodified HIP and IPsec to resource-constrained mobile devices. We also survey related work and draw parallels with our own research results.

    Evaluating IP security on lightweight hardware

    The TCP/IP communications stack is being increasingly used to interconnect mobile phones, PDAs, sensor motes and other wireless embedded devices. Although the core functionality of communications protocols has been successfully adapted to lightweight hardware from the traditional Internet and desktop computers, the suitability of strong security mechanisms on such devices remains questionable. Insufficient processor, memory and battery resources, as well as the constraints of wireless communications, limit the applicability of many existing security protocols that involve computationally intensive operations. Varying capabilities of devices and application scenarios with different security and operational requirements complicate the situation further and call for agile and flexible security systems. This study presents an empirical evaluation of the applicability of selected existing IP security mechanisms to lightweight (resource-constrained) devices. In particular, we evaluate various components of the Host Identity Protocol (HIP), standardized by the Internet Engineering Task Force for achieving authentication, shared key negotiation, secure mobility and multihoming and, if used with IPsec, integrity and confidentiality of user data. Involving a set of cryptographic operations, HIP might easily stress a lightweight client, affecting the performance of applications running on it and shortening the battery lifetime of the device. We present background and related work on network-layer security, as well as a set of measurement results of various security components obtained on devices representing lightweight hardware: embedded Linux PDAs, Symbian-based smartphones, OpenWrt Wi-Fi access routers and wireless sensor platforms. To improve the computational and energy efficiency of HIP, we evaluate several lightweight mechanisms that can substitute standard protocol components and provide a good trade-off between security and performance in particular application scenarios.
    We describe cases where existing HIP security mechanisms (i) can be used unmodified and (ii) should be tailored or replaced to suit resource-constrained environments. The combination of the presented security components and the empirical results on their applicability can serve as a reference framework for building adaptable and flexible security services for future lightweight communication systems.

    Internet of Things for enabling smart environments: a technology-centric perspective

    The Internet of Things (IoT) is a computing paradigm whereby everyday objects are augmented with computational and wireless communication capabilities, typically through the incorporation of resource-constrained devices including sensors and actuators, which enable their connection to the Internet. The IoT is seen as the key ingredient for the development of smart environments. Nevertheless, the current IoT ecosystem offers many alternative communication solutions with diverse performance characteristics. This situation presents a major challenge in identifying the most suitable IoT communication solution(s) for a particular smart environment. In this paper we consider the distinct requirements of key smart environments, namely the smart home, smart health, smart cities and smart factories, and relate them to current IoT communication solutions. Specifically, we describe the core characteristics of these smart environments and then provide a comprehensive survey of relevant IoT communication technologies and architectures. We conclude with our reflections on the crucial features of IoT solutions in this setting and a discussion of the challenges that remain open for research.

    Roadside infrastructure to support cooperative intelligent transport systems

    The growing need for mobility, along with the evolution of the automotive industry and the mass adoption of the personal vehicle, amplifies some road-related problems such as safety and traffic congestion. To mitigate such issues, the evolution towards cooperative communicating technologies and autonomous systems is considered a solution to overcome human physical limitations and the limited perception horizon of on-board sensors. Short-range vehicular communications such as Vehicle-to-Vehicle or Vehicle-to-Infrastructure (ETSI ITS-G5), in conjunction with long-range cellular communications (LTE, 5G) and standardized messages, emerge as viable solutions to amplify the benefits that standalone technologies can bring to the road environment, by covering a wide array of applications and use cases. In compliance with the standardization work of the European Telecommunications Standards Institute (ETSI), this dissertation describes the implementation of the collective perception service in a real road infrastructure to assist the maneuvers of autonomous vehicles and provide information to a central road operator. This work is focused on building standardized collective perception messages (CPM) by retrieving information from traffic classification radars (installed in the PASMO project) for local dissemination using ETSI ITS-G5 radio technology, and on creating a redundant communication channel between the road infrastructure and a central traffic control centre, located at the Instituto de Telecomunicações - Aveiro, taking advantage of cellular, point-to-point radio links and optical fiber communications. The content of the messages is shown to the user by a mobile application. The service is further improved by building an algorithm for optimizing message dissemination to improve channel efficiency in more demanding scenarios.
    The results of the experimental tests showed that the time delay between the production event of the collective perception message and its reception by other ITS stations is within the boundaries defined by ETSI standards. Moreover, the algorithm for message dissemination was also shown to increase radio channel efficiency by limiting the number of objects disseminated by CPM messages. The collective perception service developed and the road infrastructure are therefore a valuable asset for providing useful information to improve road safety and foster the deployment of intelligent cooperative transportation systems.

    Portuguese abstract (translated): The growing need for mobility, together with the evolution of the automotive industry and the widespread use of personal means of transport, has been amplifying some road transport problems such as safety and traffic congestion. To mitigate these issues, the evolution of cooperative communication technologies and autonomous systems is seen as a potential solution to overcome the limitations of drivers and of the perception horizon of vehicle sensors. Short-range communications such as Vehicle-to-Vehicle or Vehicle-to-Infrastructure (ETSI ITS-G5), together with long-range mobile communications (LTE, 5G) and standard messages, emerge as viable solutions to amplify all the benefits that independent technologies can bring to the road environment, covering a wide range of road applications and use cases. In compliance with the standardization work of the European Telecommunications Standards Institute, this dissertation describes the implementation of the collective perception service in a real road infrastructure to support the maneuvers of autonomous vehicles and to provide information to road operators.
    This work focuses on building collective perception messages from information generated by traffic classification radars (installed within the PASMO project) for local dissemination using ETSI ITS-G5 radio technology, and on creating a redundant communication channel between the road infrastructure and a traffic control centre located at the Instituto de Telecomunicações - Aveiro, using mobile networks, point-to-point radio links and optical fibre. The content of these messages is shown to the user through a mobile application. The service is further improved by an algorithm developed to optimize message dissemination, with the aim of improving transmission channel efficiency in more demanding scenarios. The results of the experimental tests carried out revealed that the delay between the production event of a collective perception message and its reception by another ITS station, using ITS-G5 communications, lies within the limits defined by ETSI standards. Furthermore, the message dissemination algorithm was also shown to increase radio channel efficiency by limiting the number of objects disseminated in those messages. The collective perception service developed may therefore be a valuable tool, contributing to increased road safety and to the wider adoption of cooperative intelligent transport systems.
    Master's in Electronic and Telecommunications Engineering

    A session-based architecture for Internet mobility

    Thesis (Ph.D.), Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, February 2003. Includes bibliographical references (p. 179-189).
    The proliferation of mobile computing devices and wireless networking products over the past decade has led to an increasingly nomadic computing lifestyle. A computer is no longer an immobile, gargantuan machine that remains in one place for the lifetime of its operation. Today's personal computing devices are portable, and Internet access is becoming ubiquitous. A well-traveled laptop user might use half a dozen different networks throughout the course of a day: a cable modem from home, wide-area wireless on the commute, wired Ethernet at the office, a Bluetooth network in the car, and a wireless, local-area network at the airport or the neighborhood coffee shop. Mobile hosts are prone to frequent, unexpected disconnections that vary greatly in duration. Despite the prevalence of these multi-homed mobile devices, today's operating systems on both mobile hosts and fixed Internet servers lack fine-grained support for network applications on intermittently connected hosts. We argue that network communication is well-modeled by a session abstraction, and present Migrate, an architecture based on system support for a flexible session primitive. Migrate works with application-selected naming services to enable seamless, mobile "suspend/resume" operation of legacy applications and provide enhanced functionality for mobile-aware, session-based network applications, enabling adaptive operation of mobile clients and allowing Internet servers to support large numbers of intermittently connected sessions. We describe our UNIX-based implementation of Migrate and show that sessions are a flexible, robust, and efficient way to manage mobile end points, even for legacy applications.
    In addition, we demonstrate two popular Internet servers that have been extended to leverage our novel notion of session continuations to enable support for large numbers of suspended clients with only minimal resource impact. Experimental results show that Migrate introduces only minor throughput degradation (less than 2% for moderate block sizes) when used over popular access link technologies, gracefully detects and suspends disconnected sessions, rapidly resumes from suspension, and integrates well with existing applications.
    by Mark Alexander Connell Snoeren, Ph.D.

    Demystifying Internet of Things Security

    Break down the misconceptions of the Internet of Things by examining the different security building blocks available in Intel Architecture (IA) based IoT platforms. This open access book reviews the threat pyramid, secure boot, chain of trust, and the software stack leading up to defense-in-depth. The IoT presents unique challenges in implementing security, and Intel has both CPU and Isolated Security Engine capabilities to simplify it. This book explores the challenges of securing these devices to make them immune to different threats originating from within and outside the network. The requirements and robustness rules to protect the assets vary greatly, and there is no single blanket solution approach to implementing security. Demystifying Internet of Things Security provides clarity to industry professionals and gives an overview of different security solutions.

    What You'll Learn
    Secure devices, immunizing them against different threats originating from inside and outside the network.
    Gather an overview of the different security building blocks available in Intel Architecture (IA) based IoT platforms.
    Understand the threat pyramid, secure boot, chain of trust, and the software stack leading up to defense-in-depth.

    Who This Book Is For
    Strategists, developers, architects, and managers in the embedded and Internet of Things (IoT) space trying to understand and implement security in IoT devices/platforms.

    Measuring the IPv4-IPv6 IVI Translation Overhead

    While IPv6 deployment in the Internet continues to grow slowly at present, the imminent exhaustion of IPv4 addresses will encourage its increased use over the next several years. However, due to the predominance of IPv4 in the Internet, the transition to IPv6 is likely to take a long time. During the transition period, translation mechanisms will enable IPv6 hosts and IPv4 hosts to communicate with each other. For example, translation can be used when a server or application works with IPv4 but not with IPv6, and the effort or cost to modify the code is large. Stateless and stateful translation is the subject of several recent IETF RFCs. We measure the overhead due to the new IVI translator, which is viewed as a design for stateless translation, by measuring the internal timing of a freely available Linux implementation of IVI. To study the impact of operating system overhead on IVI translation, we also implement the IVI translator on a bare PC that runs applications without an operating system or kernel. Our results show that translating IPv4 packets into IPv6 packets is more expensive than the reverse, and that address mapping is the most expensive IVI operation. While both implementations of IVI have low overhead, a modest performance gain is obtained by using a bare PC.