1,030 research outputs found

    Performance Evaluation of SNMPv1/2c/3 using Different Security Models on Raspberry Pi

    The Simple Network Management Protocol (SNMP) is one of the dominant protocols for network monitoring and configuration. The first two versions of SNMP (v1 and v2c) use the Community-based Security Model (CSM), where the community is transferred in clear text, resulting in a low level of security. With the release of SNMPv3, the User-based Security Model (USM) and Transport Security Model (TSM) were proposed, with strong authentication and privacy at different levels. The Raspberry Pi family of Single-Board Computers (SBCs) is widely used for many applications. To help their integration into network management systems, it is essential to study the impact of the different versions and security models of SNMP on these SBCs. In this work, we carried out a performance analysis of SNMP agents running in three different Raspberry Pis (Pi Zero W, Pi 3 Model B, and Pi 3 Model B+). Our comparisons are based on the response time, defined as the time required to complete a request/response exchange between a manager and an agent. Since we did not find an adequate tool for our assessments, we developed our own benchmarking tool. We did numerous experiments, varying different parameters such as the type of requests, the number of objects involved per request, the security levels of SNMPv3/USM, the authentication and privacy protocols of SNMPv3/USM, the transport protocols, and the versions and security models of SNMP. Our experiments were executed with Net-SNMP, an open-source and comprehensive distribution of SNMP. Our tests indicate that SNMPv1 and SNMPv2c have similar performance. SNMPv3 has a longer response time, due to the overhead caused by the security services (authentication and privacy). The Pi 3 Model B and Pi 3 Model B+ have comparable performance, and significantly outperform the Pi Zero W

    Secure Configuration and Management of Linux Systems using a Network Service Orchestrator.

    Manual management of the configuration of network devices and computing devices (hosts) is an error-prone task. Centralized automation of these tasks can lower the costs of management, but can also introduce unknown or unanticipated security risks. Misconfiguration (deliberate (by outsiders) or inadvertent (by insiders)) can expose a system to significant risks. Centralized network management has seen significant progress in recent years, resulting in model-driven approaches that are clearly superior to previous "craft" methods. Host management has seen less development. The tools available have developed in separate task-specific ways. This thesis explores two aspects of the configuration management problem for hosts: (1) implementing host management using the model-driven (network) management tools; (2) establishing the relative security of traditional methods and the above proposal for model driven host management. It is shown that the model-driven approach is feasible, and the security of the model driven approach is significantly higher than that of existing approaches

    Using Internet Protocols to Implement IEC 60870-5 Telecontrol Functions

    The telecommunication networks of telecontrol systems in electric utilities have undergone an innovation process. This has removed many of their technical restrictions and made it possible to consider carrying out telecontrol tasks with general standard protocols instead of the specific ones that are used currently. These are defined in the standards 60870-5, 60870-6, and 61850 from the International Electrotechnical Commission, among others. This paper is about the implementation, using the services of general standard protocols, of the telecontrol application functions defined by the standard IEC 60870-5-104. The general protocols used to carry out telecontrol tasks are those used in the Internet: the telecommunication network-management protocol SNMPv3 (simple network management protocol version 3), the clock synchronization protocol network time protocol and Secure SHell. With this new implementation, we have achieved, among others, two important aims: 1) to improve performance and, above all, 2) to solve the serious security problems present in the telecontrol protocols currently being used. These problems were presented by IEEE in an article published in the website of the IEEE Standards Association. In this paper, the use of general standard protocols to perform the telecontrol of electrical networks is justified. The development of this paper—its achievements and conclusions and the tools used—is detailed. Funding: Junta de Andalucía EXC-2005-TIC-1023; Ministerio de Educación y Ciencia TEC2006-0843.

    Deliverable JRA1.1: Evaluation of current network control and management planes for multi-domain network infrastructure

    This deliverable includes a compilation and evaluation of available control and management architectures and protocols applicable to a multilayer infrastructure in a multi-domain Virtual Network environment. The scope of this deliverable is mainly focused on the virtualisation of the resources within a network and at processing nodes. The virtualization of the FEDERICA infrastructure allows the provisioning of its available resources to users by means of FEDERICA slices. A slice is seen by the user as a real physical network under his/her domain, however it maps to a logical partition (a virtual instance) of the physical FEDERICA resources. A slice is built to exhibit to the highest degree all the principles applicable to a physical network (isolation, reproducibility, manageability, ...). Currently, there are no standard definitions available for network virtualization or its associated architectures. Therefore, this deliverable proposes the Virtual Network layer architecture and evaluates a set of Management- and Control Planes that can be used for the partitioning and virtualization of the FEDERICA network resources. This evaluation has been performed taking into account an initial set of FEDERICA requirements; a possible extension of the selected tools will be evaluated in future deliverables. The studies described in this deliverable define the virtual architecture of the FEDERICA infrastructure. During this activity, the need has been recognised to establish a new set of basic definitions (taxonomy) for the building blocks that compose the so-called slice, i.e. the virtual network instantiation (which is virtual with regard to the abstracted view made of the building blocks of the FEDERICA infrastructure) and its architectural plane representation. These definitions will be established as a common nomenclature for the FEDERICA project. Other important aspects when defining a new architecture are the user requirements. It is crucial that the resulting architecture fits the demands that users may have. Since this deliverable has been produced at the same time as the contact process with users, made by the project activities related to the Use Case definitions, JRA1 has proposed a set of basic Use Cases to be considered as starting point for its internal studies. When researchers want to experiment with their developments, they need not only network resources on their slices, but also a slice of the processing resources. These processing slice resources are understood as virtual machine instances that users can use to make them behave as software routers or end nodes, on which to download the software protocols or applications they have produced and want to assess in a realistic environment. Hence, this deliverable also studies the APIs of several virtual machine management software products in order to identify which best suits FEDERICA’s needs. Postprint (published version)

    Centralized model driven trace route mechanism for TCP/IP routers : Remote traceroute invocation using NETCONF API and YANG data model

    During the recent years, utilizing programmable APIs and YANG data model for service configuration and monitoring of TCP/IP open network devices from a centralized network management system as an alternative to SNMP based network management solutions has gained popularity among service providers and network engineers. However, both SNMP and YANG lack any data model for tracing the routes between different routers inside and outside the network, which has not been addressed. Having a centralized traceroute tool provides a central troubleshooting point in the network. And rather than having to individually connect to each router terminal, traceroute can be invoked remotely on different routers. And the responses can be collected on the network management system. The aim of this thesis is to develop a centralized traceroute tool called Trace that invokes traceroute CLI tool with a unique syntax from a centralized network management system on a TCP/IP router, traces the hops and BGP AS and measures RTT between a router and specific destination and returns the response back to the network management system. And evaluates the possibility of utilizing this traceroute tool along with YANG based network management solutions. This implementation has shown that YANG based data models enable a unique syntax on the network management system for invoking traceroute command on different TCP/IP devices. This unique syntax can be used to invoke the traceroute CLI command on the routers with the different operating systems. And the evaluation has shown that using NETCONF as an API between the network management system and the network devices enables the Trace to be utilized in YANG and NETCONF based network management solutions

    An ICT-oriented Management Solution for NGNs

    NGN architecture reused several standards from the IP world, as exemplified by the Session Initiation Protocol SIP, which is ubiquitous in the majority of these network components. However, the NGN management architecture simply presented a very generic management model that follows TMN. Several management technologies are proposed, such as Web services, CORBA and SNMP, to implement management solutions. Network and systems management standardizing bodies currently promote newer technologies that aim to solve known shortcomings to these. This paper proposes a management solution for NGNs based on recent IP world technologies. The presented solution was implemented in the form of a middleware to manage NGN elements. This middleware was used in the management of an element belonging to the IP Multimedia Subsystem platform, namely the Policy and Charging Rules Function

    An Analisys of Business VPN Case Studies

    A VPN (Virtual Private Network) simulates a secure private network through a shared public insecure infrastructure like the Internet. The VPN protocol provides a secure and reliable access from home/office on any networking technology transporting IP packets. In this article we study the standards for VPN implementation and analyze two case studies regarding a VPN between two routers and two firewalls. Keywords: VPN; Network; Protocol.

    Automation for incorporating assets into monitoring tools

    The project consists of an analysis of the different monitoring tools and automation functions in them to find the best tool for incorporating assets. These tools have been tested in a controlled environment to determine their capabilities. It all started with a study of automation needs and a search for monitoring tools. Subsequently, I made the choice of the tool according to established criteria and an adjusted result was obtained, so it was decided to incorporate the second-best option. Then, the configuration and implementation of both were carried out in a controlled environment and a test of both was proposed and executed. Finally, after analyzing and testing the two best options, it has been seen that both Nagios Core and Zabbix have offered similar results, but it has been determined that the best option for implementation in the client network to meet the established needs is Zabbix.