330 research outputs found

    Developing route optimization-based PMIPv6 testbed for reliable packet transmission.

    Proxy Mobile IPv6 (PMIPv6) allows a mobile node to communicate directly to its peers while changing the currently used IP address. This mode of operation is called route optimization (RO). In the RO process, the peer node learns a binding between the home address and its current temporary care-of-address. Many schemes have been proposed to support RO in PMIPv6. However, these schemes do not consider the out-of-sequence problem, which may happen between the existing path and the newly established RO path. In this paper, we propose a scheme to solve the out-of-sequence problem with low cost. In our scheme, we use the additional packet sequence number and the time information when the problem occurs. We then run experiments on a reliable packet transmission (RPT) laboratory testbed to evaluate the performance of the proposed scheme, and compare it with the well-known RO-supported PMIPv6 and the out-of-sequence time period scheme. The experimental results show that for most of the cases, our proposed scheme guarantees RPT by preventing the out-of-sequence problem.

    Segment Routing: a Comprehensive Survey of Research Activities, Standardization Efforts and Implementation Results

    Fixed and mobile telecom operators, enterprise network operators and cloud providers strive to face the challenging demands coming from the evolution of IP networks (e.g. huge bandwidth requirements, integration of billions of devices and millions of services in the cloud). Proposed in the early 2010s, Segment Routing (SR) architecture helps face these challenging demands, and it is currently being adopted and deployed. SR architecture is based on the concept of source routing and has interesting scalability properties, as it dramatically reduces the amount of state information to be configured in the core nodes to support complex services. SR architecture was first implemented with the MPLS dataplane and then, quite recently, with the IPv6 dataplane (SRv6). IPv6 SR architecture (SRv6) has been extended from the simple steering of packets across nodes to a general network programming approach, making it very suitable for use cases such as Service Function Chaining and Network Function Virtualization. In this paper we present a tutorial and a comprehensive survey on SR technology, analyzing standardization efforts, patents, research activities and implementation results. We start with an introduction on the motivations for Segment Routing and an overview of its evolution and standardization. Then, we provide a tutorial on Segment Routing technology, with a focus on the novel SRv6 solution. We discuss the standardization efforts and the patents providing details on the most important documents and mentioning other ongoing activities. We then thoroughly analyze research activities according to a taxonomy. We have identified 8 main categories during our analysis of the current state of play: Monitoring, Traffic Engineering, Failure Recovery, Centrally Controlled Architectures, Path Encoding, Network Programming, Performance Evaluation and Miscellaneous... Comment: SUBMITTED TO IEEE COMMUNICATIONS SURVEYS & TUTORIAL

    Design of Optimized Multimedia Data Streaming Management Using OMDSM over Mobile Networks


    A security protocol for authentication of binding updates in Mobile IPv6.

    Wireless communication technologies have come a long way, improving with every generational leap. As communications evolve so do the system architectures, models and paradigms. Improvements have been seen in the jump from 2G to 3G networks in terms of security. Yet these issues persist and will continue to plague mobile communications into the leap towards 4G networks if not addressed. 4G will be based on the transmission of Internet packets only, using an architecture known as mobile IP. This will feature many advantages, however security is still a fundamental issue to be resolved. One particular security issue involves the route optimisation technique, which deals with binding updates. This allows the corresponding node to by-pass the home agent router to communicate directly with the mobile node. There are a variety of security vulnerabilities with binding updates, which include the interception of data packets, which would allow an attacker to eavesdrop on its contents, breaching the user's confidentiality, or to modify transmitted packets for the attacker's own malicious purposes. Other possible vulnerabilities with mobile IP include address spoofing, redirection and denial of service attacks. For many of these attacks, all the attacker needs to know is the IPv6 addresses of the mobile’s home agent and the corresponding node. There are a variety of security solutions to prevent these attacks from occurring. Two of the main solutions are cryptography and authentication. Cryptography allows the transmitted data to be scrambled in an undecipherable way resulting in any intercepted packets being illegible to the attacker. Only the party possessing the relevant key will be able to decrypt the message. Authentication is the process of verifying the identity of the user or device one is in communication with. 
Different authentication architectures exist however many of them rely on a central server to verify the users, resulting in a possible single point of attack. Decentralised authentication mechanisms would be more appropriate for the nature of mobile IP and several protocols are discussed. However they all possess flaws, whether they be overly resource intensive or give away vital address data, which can be used to mount an attack. As a result location privacy is investigated in a possible attempt at hiding this sensitive data. Finally, a security solution is proposed to address the security vulnerabilities found in binding updates and attempts to overcome the weaknesses of the examined security solutions. The security protocol proposed in this research involves three new security techniques. The first is a combined solution using Cryptographically Generated Addresses and Return Routability, which are already established solutions, and then introduces a new authentication procedure, to create the Distributed Authentication Protocol to aid with privacy, integrity and authentication. The second is an enhancement to Return Routability called Dual Identity Return Routability, which provides location verification authentication for multiple identities on the same device. The third security technique is called Mobile Home Agents, which provides device and user authentication while introducing location privacy and optimised communication routing. All three security techniques can be used together or individually and each needs to be passed before the binding update is accepted. Cryptographically Generated Addresses asserts the user's ownership of the IPv6 address by generating the interface identifier by computing a cryptographic one-way hash function from the user's public key and auxiliary parameters. The binding between the public key and the address can be verified by recomputing the hash value and by comparing the hash with the interface identifier. 
This method proves ownership of the address, however it does not prove the address is reachable. After establishing address ownership, Return Routability would then send two security tokens to the mobile node, one directly and one via the home agent. The mobile node would then combine them together to create an encryption key called the binding key allowing the binding update to be sent securely to the correspondent node. This technique provides a validation to the mobile node's location and proves its ownership of the home agent. Return Routability provides a test to verify that the node is reachable. It does not verify that the IPv6 address is owned by the user. This method is combined with Cryptographically Generated Addresses to provide the best of both worlds. The third aspect of the first security solution introduces a decentralised authentication mechanism. The correspondent requests the authentication data from both the mobile node and home agent. The mobile sends the data in plain text, which could be encrypted with the binding key and the home agent sends a hash of the data. The correspondent then converts the data so both are hashes and compares them. If they are the same, authentication is successful. This provides device and user authentication which when combined with Cryptographically Generated Addresses and Return Routability create a robust security solution called the Distributed Authentication Protocol. The second new technique was designed to provide an enhancement to a current security solution. Dual Identity Return Routability builds on the concept of Return Routability by providing two Mobile IPv6 addresses on a mobile device, giving the user two separate identities. 
After establishing address ownership with Cryptographically Generated Addresses, Dual Identity Return Routability would then send security data to both identities, each on a separate network and each having their own home agents, and the mobile node would then combine them together to create the binding key allowing the binding update to be sent securely to the correspondent node. This technique provides protection against address spoofing as an attacker needs two separate IP addresses, which are linked together. Spoofing only a single address will not pass this security solution. One drawback of the security techniques described, however, is that none of them provide location privacy to hide the user's IP address from attackers. An attacker cannot mount a direct attack if the user is invisible. The third new security solution designed is Mobile Home Agents. These are software agents, which provide location privacy to the mobile node by acting as a proxy between it and the network. The Mobile Home Agent resides on the point of attachment and migrates to a new point of attachment at the same time as the mobile node. This provides reduced latency communication and a secure environment for the mobile node. These solutions can be used separately or combined together to form a super security solution, which is demonstrated in this thesis and attempts to provide proof of address ownership, reachability, user and device authentication, location privacy and reduction in communication latency. All these security features are designed to protect against one of the most devastating attacks in Mobile IPv6, the false binding update, which can allow an attacker to impersonate and deny service to the mobile node by redirecting all data packets to itself. The solutions are all simulated with different scenarios and network configurations and with a variety of attacks, which attempt to send a false binding update to the correspondent node. 
The results were then collected and analysed to provide conclusive proof that the proposed solutions are effective and robust in protecting against the false binding updates creating a safe and secure network for all

    A network mobility management architecture for a heterogeneous network environment

    Network mobility management enables mobility of personal area networks and vehicular networks across heterogeneous access networks using a Mobile Router. This dissertation presents a network mobility management architecture for minimizing the impact of handoffs on the communications of nodes in the mobile network. The architecture addresses mobility in legacy networks without infrastructure support, but can also exploit infrastructure support for improved handoff performance. Further, the proposed architecture increases the efficiency of communications of nodes in the mobile network with counterparts in the fixed network through the use of caching and route optimization. The performance and costs of the proposed architecture are evaluated through empirical and numerical analysis. The analysis shows the feasibility of the architecture in the networks of today and in those of the near future. Network mobility management enables the mobility of personal and vehicle-mounted networks in a heterogeneous network environment using a mobile router. This dissertation presents a new architecture for network mobility management that minimizes the impact of handoffs on the connections of terminal devices. In legacy networks whose infrastructure does not support network mobility, the handoff must be managed in the mobile router. The standardized network mobility management protocol NEMO makes this possible by using an anchor node in the fixed network to deliver packets from the terminals' communication peers to the mobile router. In NEMO, a handoff interrupts ongoing connections for more than a second, causing significant disruption to communication applications. In the presented architecture, the impact of the handoff is minimized by equipping the mobile router with two radios. 
Using two radios, the mobile router can perform a handoff without interrupting the terminals' connections, provided there is enough time for the handoff. The available time depends on the speed of the mobile router and the structure of the radio network. The architecture can also exploit infrastructure support for seamless handoff. Network infrastructure support speeds up the handoff process, increasing the maximum handoff rate. The mobile router can then use short-range radio networks with a cell radius of more than 80 m at driving speeds of up to 90 m/s without the handoff interrupting the terminals' connections. In addition, the proposed architecture makes communication more efficient by using cache servers in the mobile and fixed networks and optimized routing between mobile terminals and communication nodes in the fixed network. The cache server architecture uses free radio resources to update the cache of the mobile network's cache server. In a heterogeneous network environment, the cache server is updated using short-range broadband radio networks. When the mobile router moves outside the coverage area of the broadband radio network, content such as web pages or video is served to the terminals from the cache server, saving the more limited resources of the longer-range radio network. The architecture uses optimized routing between the terminals and their communication peers. The optimized routing mechanism reduces the wireless network resource consumption of the protocols used for mobility management. In addition, the optimized routing mechanism makes packet routing more efficient by using the most direct route between the communicating nodes. The performance of the presented architecture is evaluated by means of empirical and numerical analysis. 
The analysis evaluates the performance of the architecture, compares it with previously proposed solutions, and shows that the architecture is suitable for current and near-future wireless networks. reviewe

    Lossless Multicast Handovers in Proxy Fast Mobile IPv6 Networks

    There is a demand in the Public Protection and Disaster Relief (PPDR) community for high bandwidth services on mobile devices. Group communication is an important aspect of PPDR networks. In IP based networks multicast is the preferred method to efficiently transmit data to more than one receiver simultaneously. It is important PPDR users can switch seamlessly between wireless networks. This paper describes improvements to multicast in Fast handovers for Proxy Mobile IPv6 (PFMIPv6) to provide seamless mobility to its users. We also identify and explore the specific problems stemming from difference in end-to-end delay between the old and new path during handovers for multicast traffic. A novel mechanism to determine the delay difference between two paths in a PFMIPv6 system is described and an implementation of this system is evaluated. It is shown the proposed approach can prevent multicast packet loss during a handover

    A Secure and Decentralized Registration Scheme for IPv6 Network-Based Mobility (Senthil Kumar Mathi, M.L. Valarmathi)

    Abstract — For frequent movement of a mobile device, there is a need for a secure registration procedure of the mobile device by announcing its current location to the home network, especially, if it is not in the home domain. While devising the registration procedure for mobile IPv6 (MIPv6) based network, it is essential to consider the security issues for cryptographic approaches and an infrastructure requirement on the network. If a public key based cryptography is used for improving the security, then the key exchange mechanisms of the communicants must be handled appropriately. The infrastructure based approach increases the complexity of the mobile device and the mobility agents and also requires additional message exchanges. Hence, this paper deals with an infrastructure-less registration scheme with symmetric key approach that acts upon MIPv6 environment consisting of the mobile node, home agent, and correspondent node. The proposed scheme is simulated and evaluated for security using Murphi checker. The correctness of the signaling/message sequences of the proposed scheme is verified by the finite state machine. Finally, the simulation results reveal that better security and mutual authentication between MIPv6 nodes have been achieved, and further, mitigation for the various attack scenarios have also been addressed

    Wireless Multi Hop Access Networks and Protocols

    As more and more applications and services in our society now depend on the Internet, it is important that dynamically deployed wireless multi hop networks are able to gain access to the Internet and other infrastructure networks and services. This thesis proposes and evaluates solutions for providing multi hop Internet Access. It investigates how ad hoc networks can be combined with wireless and mesh networks in order to create wireless multi hop access networks. When several access points to the Internet are available, and the mobile node roams to a new access point, the node has to make a decision when and how to change its point of attachment. The thesis describes how to consider the rapid fluctuations of the wireless medium, how to handle the fact that other nodes on the path to the access point are also mobile which results in frequent link and route breaks, and the impact the change of attachment has on already existing connections. Medium access and routing protocols have been developed that consider both the long term and the short term variations of a mobile wireless network. The long term variations consider the fact that as nodes are mobile, links will frequently break and new links appear and thus the network topology map is constantly redrawn. The short term variations consider the rapid fluctuations of the wireless channel caused by mobility and multi path propagation deviations. In order to achieve diversity forwarding, protocols are presented which consider the network topology and the state of the wireless channel when decisions about forwarding need to be made. The medium access protocols are able to perform multi dimensional fast link adaptation on a per packet level with forwarding considerations. This includes power, rate, code and channel adaptation. This will enable the type of performance improvements that are of significant importance for the success of multi hop wireless networks

    Lossless Multicast Handovers in Proxy Fast Mobile IPv6 Networks

    Part 5: Resource Management; International audience; There is a demand in the Public Protection and Disaster Relief (PPDR) community for high bandwidth services on mobile devices. Group communication is an important aspect of PPDR networks. In IP based networks multicast is the preferred method to efficiently transmit data to more than one receiver simultaneously. It is important PPDR users can switch seamlessly between wireless networks. This paper describes improvements to multicast in Fast handovers for Proxy Mobile IPv6 (PFMIPv6) to provide seamless mobility to its users. We also identify and explore the specific problems stemming from difference in end-to-end delay between the old and new path during handovers for multicast traffic. A novel mechanism to determine the delay difference between two paths in a PFMIPv6 system is described and an implementation of this system is evaluated. It is shown the proposed approach can prevent multicast packet loss during a handover. Document type: Part of book or chapter of boo

    Fast mobility mechanisms with QoS support (Mecanismos de mobilidade rápida com suporte de QdS)

    Master's in Electronics and Telecommunications Engineering. The field of communication networks is currently facing a new paradigm caused by the trend towards convergence of wireless and cellular networks. This convergence will result in an integrating network layer to ease the support of Quality of Service and mobility mechanisms. Here, support for fast and seamless mobility, not perceptible by the user, has received much attention, although some limitations in this support still exist. Seamless mobility between cellular, wireless and fixed networks is sought but has not yet been achieved. The work carried out in this dissertation consists of the description, specification, implementation and testing of a new mobility architecture over the IP protocol. This architecture is based on the mobility protocol Mobility Support for IPv6 and on extensions of Fast Handovers for Mobile IPv6, and is able to perform handovers initiated by the terminal and by the network. Mobility is seamless across heterogeneous access technologies through the integration of quality of service mechanisms, such as handover authorization, access control, and resource reservation and allocation at the new point of attachment, and is also integrated with authentication subsystems. Other fast mobility mechanisms are also proposed that use the multicast protocol to distribute the traffic flows directed to the terminal among the neighbouring access routers, allowing mobile terminals to move to any access router in the vicinity without interruption of ongoing services. These mechanisms were designed for mobile terminals with high mobility requirements. Within the IST Daidalos project, a next-generation (4G) network was integrated in order to allow performance and conformance tests of the proposed mechanisms. 
This dissertation evaluates the performance of a mobility architecture, in intra- and inter-technology scenarios, on a real test network. This evaluation used the metrics of delay, jitter and packet loss in the preparation and execution phases of the handover. The impact of this process on data communications over TCP and UDP is also analysed. The architecture and the results obtained on the real demonstrator are presented and discussed. ABSTRACT: The field of network communications is, nowadays, facing a new paradigm caused by the forthcoming convergence of cellular and wireless data networks, which seems unavoidable. This convergence will result in an integration layer, to ease the support for Quality of Service and mobility mechanisms. Here, the support for fast and seamless mobility, not perceptible by the user, has been getting much attention, although several limitations still exist in this support. Seamless mobility between cellular, wireless and wired data networks is envisioned, but not yet achieved. The work performed in the scope of this thesis aims to describe, specify, implement and test a novel mobility architecture based on the IP protocol. This architecture is based on the mobility protocol Mobility Support for IPv6 and on extensions of Fast Handovers for Mobile IPv6 RFCs, and is able to provide mobile terminal and network initiated handovers. The mobility is seamless across heterogeneous access technologies, by integrating Quality of Service mechanisms, such as handover authorization, access control, resources reservation and allocation at the new point of attachment, also integrated with an authentication sub-system. 
Other novel fast mobility mechanisms are also proposed, which make use of the multicast protocol to distribute the traffic flows directed to the terminal during the handover process among the neighbour access routers, allowing the terminal to handover to any access router in the vicinity without disruption of the ongoing services. These latter mechanisms were designed to mobile terminals with high mobility requirements. In the scope of the IST Daidalos framework an integration process of a next generation (4G) network was carried out in order to perform performance and compliance tests to the proposed mechanisms. Furthermore, this thesis also evaluates the performance of a mobility architecture, both in intra and intertechnology scenarios, in a real testbed. In this evaluation were considered metrics such as packet delay, jitter and loss of the handover in its preparation and execution phases. The impact of the handover on ongoing TCP and UDP data communications is also addressed. The architecture and results obtained from the real demonstrator are also presented and discussed