21 research outputs found

    Realistic, Extensible DNS and mDNS Models for INET/OMNeT++

    The domain name system (DNS) is one of the core services in today's network structures. In local and ad-hoc networks DNS is often enhanced or replaced by mDNS. As of yet, no simulation models for DNS and mDNS have been developed for INET/OMNeT++. We introduce DNS and mDNS simulation models for OMNeT++, which allow researchers to easily prototype and evaluate extensions for these protocols. In addition, we present models for our own experimental extensions, namely Stateless DNS and Privacy-Enhanced mDNS, that are based on the aforementioned models. Using our models we were able to further improve the efficiency of our protocol extensions. Comment: Published in: A. Förster, C. Minkenberg, G. R. Herrera, M. Kirsche (Eds.), Proc. of the 2nd OMNeT++ Community Summit, IBM Research - Zurich, Switzerland, September 3-4, 201

    Building a test bed for simulation analysis for the internet of things

    Master's degree with double diploma with the Universidade Tecnológica e Federal do Paraná. The Internet of Things (IoT) enables the mix between the physical and informational world. Physical objects will be able to see, hear, think together, share information and coordinate decisions, without human interference in a variety of domains. To enable this vision of IoT at large scale, the equipment is expected to be low-cost, mobile, power efficient, computationally constrained, and wireless communication enabled. This project performs an extensive overview of the state-of-the-art in communication technologies for IoT, simulation theory and tools. It also describes a test bed for IoT simulation and its implementation. The simulation was built with Castalia Simulator (i.e. Wireless Sensor Networks (WSN) network) and INET framework (i.e. IP network), both of which extend OMNeT++ features. There are two independent networks that communicate through files and exchange information about source, destination, payload and simulation time. Analyzing the outputs, it is possible to assure that the routing protocol that is provided in the Castalia Simulator does not provide any advantage in terms of packet loss, packet reception or energy consumption.

    Investigating common SCADA security vulnerabilities using penetration testing

    Supervisory Control and Data Acquisition (SCADA) systems were developed to assist in the management, control and monitoring of critical infrastructure functions such as gas, water, waste, railway, electricity and traffic. In the past, these systems had little connectivity to the Internet because they ran on dedicated networks with proprietary control protocols and used hardware and software specific to the vendor. As a result, SCADA systems were secure, and did not face challenging vulnerabilities associated with the Internet. The need for remote connectedness, in order to collect and analyse data from remote locations, resulted in SCADA systems increasingly being connected to the Internet and corporate networks. Therefore, SCADA systems are no longer immune to cyber-attacks. There are reported cases of cyber-attacks targeted at SCADA systems. This research utilises penetration testing to investigate common SCADA security vulnerabilities. The investigation is conducted through experiments, under two different scenarios. Experiments were conducted using a virtual plant environment. The results revealed vulnerabilities which are considered as common by the Idaho National Laboratory and others which are not common. Recommendations are provided on how to mitigate the vulnerabilities discovered in this research.

    ETSI SmartM2M Technical Report 103716; oneM2M Discovery and Query solution(s) simulation and performance evaluation

    oneM2M currently has native discovery capabilities that work properly only if the search is related to specific known sources of information (e.g. searching for the values of a known set of containers) or if the discovery is well scoped and designed (e.g. the lights in a house). When oneM2M is used to discover wide sets of data or unknown sets of data, the functionality is typically integrated by ad hoc applications that are expanding the oneM2M functionality. This means that this core function may be implemented with different flavours and this is not optimal for interworking and interoperability. The objective of the present document [i.3] in conjunction with three other ones, ETSI TR 103 714 [i.1], ETSI TR 103 715 [i.2] and ETSI TR 103 717 [i.4], is the study and development of semantic Discovery and Query capabilities for oneM2M and its contribution to the oneM2M standard. The goal is to enable an easy and efficient discovery of information and a proper interworking with external source/consumers of information (e.g. a distributed data base in a smart city or in a firm), or to directly search information in the oneM2M system for big data purposes. A simulation phase is conducted in parallel and "circular" feedback with respect to the study phase, with the goal to provide a proof of concept, run suitable scenarios provided by previous phases and a performance evaluation to support the selection/development of the Discovery and Query solution. The simulator and the simulation results are documented in ETSI TR 103 716 [i.3] (the present document). An extract of the simulation results is included in ETSI TR 103 715 [i.2] and ETSI TR 103 717 [i.4]. A selection of the use cases includes a set of oneM2M relevant configurations scenarios to be considered for the simulation activity described below

    Information-centric communication in mobile and wireless networks

    Information-centric networking (ICN) is a new communication paradigm that has been proposed to cope with drawbacks of host-based communication protocols, namely scalability and security. In this thesis, we base our work on Named Data Networking (NDN), which is a popular ICN architecture, and investigate NDN in the context of wireless and mobile ad hoc networks. In a first part, we focus on NDN efficiency (and potential improvements) in wireless environments by investigating NDN in wireless one-hop communication, i.e., without any routing protocols. A basic requirement to initiate information-centric communication is the knowledge of existing and available content names. Therefore, we develop three opportunistic content discovery algorithms and evaluate them in diverse scenarios for different node densities and content distributions. After content names are known, requesters can retrieve content opportunistically from any neighbor node that provides the content. However, in case of short contact times to content sources, content retrieval may be disrupted. Therefore, we develop a requester application that keeps meta information of disrupted content retrievals and enables resume operations when a new content source has been found. Besides message efficiency, we also evaluate power consumption of information-centric broadcast and unicast communication. Based on our findings, we develop two mechanisms to increase efficiency of information-centric wireless one-hop communication. The first approach called Dynamic Unicast (DU) avoids broadcast communication whenever possible since broadcast transmissions result in more duplicate Data transmissions, lower data rates and higher energy consumption on mobile nodes, which are not interested in overheard Data, compared to unicast communication. Hence, DU uses broadcast communication only until a content source has been found and then retrieves content directly via unicast from the same source.
The second approach called RC-NDN targets efficiency of wireless broadcast communication by reducing the number of duplicate Data transmissions. In particular, RC-NDN is a Data encoding scheme for content sources that increases diversity in wireless broadcast transmissions such that multiple concurrent requesters can profit from each other's (overheard) message transmissions. If requesters and content sources are not in one-hop distance to each other, requests need to be forwarded via multi-hop routing. Therefore, in a second part of this thesis, we investigate information-centric wireless multi-hop communication. First, we consider multi-hop broadcast communication in the context of rather static community networks. We introduce the concept of preferred forwarders, which relay Interest messages slightly faster than non-preferred forwarders to reduce redundant duplicate message transmissions. While this approach works well in static networks, the performance may degrade in mobile networks if preferred forwarders may regularly move away. Thus, to enable routing in mobile ad hoc networks, we extend DU for multi-hop communication. Compared to one-hop communication, multi-hop DU requires efficient path update mechanisms (since multi-hop paths may expire quickly) and new forwarding strategies to maintain NDN benefits (request aggregation and caching) such that only a few messages need to be transmitted over the entire end-to-end path even in case of multiple concurrent requesters. To perform quick retransmission in case of collisions or other transmission errors, we implement and evaluate retransmission timers from related work and compare them to CCNTimer, which is a new algorithm that enables shorter content retrieval times in information-centric wireless multi-hop communication. Yet, in case of intermittent connectivity between requesters and content sources, multi-hop routing protocols may not work because they require continuous end-to-end paths.
Therefore, we present agent-based content retrieval (ACR) for delay-tolerant networks. In ACR, requester nodes can delegate content retrieval to mobile agent nodes, which move closer to content sources, can retrieve content and return it to requesters. Thus, ACR exploits the mobility of agent nodes to retrieve content from remote locations. To enable delay-tolerant communication via agents, retrieved content needs to be stored persistently such that requesters can verify its authenticity via original publisher signatures. To achieve this, we develop a persistent caching concept that maintains received popular content in repositories and deletes unpopular content if free space is required. Since our persistent caching concept can complement regular short-term caching in the content store, it can also be used for network caching to store popular delay-tolerant content at edge routers (to reduce network traffic and improve network performance) while real-time traffic can still be maintained and served from the content store.

    Distributed Name Service for Decentralized IP Telephony (Verteilter Namensdienst für dezentrale IP-Telefonie)

    Internet telephony has so far required the provision of an infrastructure with central servers. The subject of this work is the design of a decentralized system that, with the help of peer-to-peer technologies, will in future enable the cost-effective provision of fully decentralized telephony services over the Internet. The design focuses on the two aspects of security and efficiency, which influence each other and are therefore considered in combination.

    Discovery and Group Communication for Constrained Internet of Things Devices using the Constrained Application Protocol

    The ubiquitous Internet is rapidly spreading to new domains. This expansion of the Internet is comparable in scale to the spread of the Internet in the ’90s. The resulting Internet is now commonly referred to as the Internet of Things (IoT) and is expected to connect about 50 billion devices by the year 2020. This means that in just five years from the time of writing this PhD the number of interconnected devices will exceed the number of humans by sevenfold. It is further expected that the majority of these IoT devices will be resource constrained embedded devices such as sensors and actuators. Sensors collect information about the physical world and inject this information into the virtual world. Next processing and reasoning can occur and decisions can be taken to enact upon the physical world by injecting feedback to actuators. The integration of embedded devices into the Internet introduces new challenges, since many of the existing Internet technologies and protocols were not designed for this class of constrained devices. These devices are typically optimized for low cost and power consumption and thus have very limited power, memory, and processing resources and have long sleep periods. The networks formed by these embedded devices are also constrained and have different characteristics than those typical in today's Internet. These constrained networks have high packet loss, low throughput, frequent topology changes and small useful payload sizes. They are referred to as LLN. Therefore, it is in most cases unfeasible to run standard Internet protocols on this class of constrained devices and/or LLNs. New or adapted protocols that take into consideration the capabilities of the constrained devices and the characteristics of LLNs, are required. In the past few years, there were many efforts to enable the extension of the Internet technologies to constrained devices. Initially, most of these efforts were focusing on the networking layer.
However, the expansion of the Internet in the 90s was not due to introducing new or better networking protocols. It was a result of introducing the World Wide Web (WWW), which made it easy to integrate services and applications. One of the essential technologies underpinning the WWW was the Hypertext Transfer Protocol (HTTP). Today, HTTP has become a key protocol in the realization of scalable web services building around the Representational State Transfer (REST) paradigm. The REST architectural style enables the realization of scalable and well-performing services using uniform and simple interfaces. The availability of an embedded counterpart of HTTP and the REST architecture could boost the uptake of the IoT. Therefore, more recently, work started to allow the integration of constrained devices in the Internet at the service level. The Internet Engineering Task Force (IETF) Constrained RESTful Environments (CoRE) working group has realized the REST architecture in a suitable form for the most constrained nodes and networks. To that end the Constrained Application Protocol (CoAP) was introduced, a specialized RESTful web transfer protocol for use with constrained networks and nodes. CoAP realizes a subset of the REST mechanisms offered by HTTP, but is optimized for Machine-to-Machine (M2M) applications. This PhD research builds upon CoAP to enable a better integration of constrained devices in the IoT and examines proposed CoAP solutions theoretically and experimentally proposing alternatives when appropriate. The first part of this PhD proposes a mechanism that facilitates the deployment of sensor networks and enables the discovery, end-to-end connectivity and service usage of newly deployed sensor nodes. The proposed approach makes use of CoAP and combines it with Domain Name System (DNS) in order to enable the use of user-friendly Fully Qualified Domain Names (FQDNs) for addressing sensor nodes.
It includes the automatic discovery of sensors and sensor gateways and the translation of HTTP to CoAP, thus making the sensor resources globally discoverable and accessible from any Internet-connected client using either IPv6 addresses or DNS names both via HTTP or CoAP. As such, the proposed approach provides a feasible and flexible solution to achieve hierarchical self-organization with a minimum of pre-configuration. By doing so we minimize costly human interventions and eliminate the need for introducing new protocols dedicated for the discovery and organization of resources. This reduces both cost and the implementation footprint on the constrained devices. The second, larger, part of this PhD focuses on using CoAP to realize communication with groups of resources. In many IoT application domains, sensors or actuators need to be addressed as groups rather than individually, since individual resources might not be sufficient or useful. A simple example is that all lights in a room should go on or off as a result of the user toggling the light switch. As not all IoT applications may need group communication, the CoRE working group did not include it in the base CoAP specification. This way the base protocol is kept as efficient and as simple as possible so it would run on even the most constrained devices. Group communication and other features that might not be needed by all devices are standardized in a set of optional separate extensions. We first examined the proposed CoAP extension for group communication, which utilizes Internet Protocol version 6 (IPv6) multicasts. We highlight its strengths and weaknesses and propose our own complementary solution that uses unicast to realize group communication. Our solution offers capabilities beyond simple group communication. For example, we provide a validation mechanism that performs several checks on the group members, to make sure that combining them together is possible. 
We also allow the client to request that results of the individual members are processed before they are sent to the client. For example, the client can request to obtain only the maximum value of all individual members. Another important optional extension to CoAP allows clients to continuously observe resources by registering their interest in receiving notifications from CoAP servers once there are changes to the values of the observed resources. By using this publish/subscribe mechanism the client does not need to continuously poll the resource to find out whether it has changed its value. This typically leads to more efficient communication patterns that preserve valuable device and LLN resources. Unfortunately CoAP observe does not work together with the CoAP group communication extension, since the observe extension assumes unicast communication while the group communication extension only supports multicast communication. In this PhD we propose to extend our own group communication solution to offer group observation capabilities. By combining group observation with group processing features, it becomes possible to notify the client only about certain changes to the observed group (e.g., the maximum value of all group members has changed). Acknowledging that the use of multicast as well as unicast has strengths and weaknesses we propose to extend our unicast based solution with certain multicast features. By doing so we try to combine the strengths of both approaches to obtain a better overall group communication that is flexible and that can be tailored according to the use case needs. Together, the proposed mechanisms represent a powerful and comprehensive solution to the challenging problem of group communication with constrained devices. We have evaluated the solutions proposed in this PhD extensively and in a variety of forms. Where possible, we have derived theoretical models and have conducted numerous simulations to validate them.
We have also experimentally evaluated those solutions and compared them with other proposed solutions using a small demo box and later on two large scale wireless sensor testbeds and under different test conditions. The first testbed is located in a large, shielded room, which allows testing under controlled environments. The second testbed is located inside an operational office building and thus allows testing under normal operation conditions. Those tests revealed performance issues and some other problems. We have provided some solutions and suggestions for tackling those problems. Apart from the main contributions, two other relevant outcomes of this PhD are described in the appendices. In the first appendix we review the most important IETF standardization efforts related to the IoT and show that with the introduction of CoAP a complete set of standard protocols has become available to cover the complete networking stack and thus making the step from the IoT into the Web of Things (WoT). Using only standard protocols makes it possible to integrate devices from various vendors into one big WoT accessible to humans and machines alike. In the second appendix, we provide an alternative solution for grouping constrained devices by using virtualization techniques. Our approach focuses on the objects, both resource-constrained and non-constrained, that need to cooperate by integrating them into a secured virtual network, named an Internet of Things Virtual Network or IoT-VN. Inside this IoT-VN full end-to-end communication can take place through the use of protocols that take the limitations of the most resource-constrained devices into account. We describe how this concept maps to several generic use cases and, as such, can constitute a valid alternative approach for supporting selected applications.