IP Mobility in Wireless Operator Networks

Wireless network access is gaining increased heterogeneity in terms of the types of IP capable access technologies. The access network heterogeneity is an outcome of incremental and evolutionary approach of building new infrastructure. The recent success of multi-radio terminals drives both building a new infrastructure and implicit deployment of heterogeneous access networks. Typically there is no economical reason to replace the existing infrastructure when building a new one. The gradual migration phase usually takes several years. IP-based mobility across different access networks may involve both horizontal and vertical handovers. Depending on the networking environment, the mobile terminal may be attached to the network through multiple access technologies. Consequently, the terminal may send and receive packets through multiple networks simultaneously. This dissertation addresses the introduction of IP Mobility paradigm into the existing mobile operator network infrastructure that have not originally been designed for multi-access and IP Mobility. We propose a model for the future wireless networking and roaming architecture that does not require revolutionary technology changes and can be deployed without unnecessary complexity. The model proposes a clear separation of operator roles: (i) access operator, (ii) service operator, and (iii) inter-connection and roaming provider. The separation allows each type of an operator to have their own development path and business models without artificial bindings with each other. We also propose minimum requirements for the new model. We present the state of the art of IP Mobility. We also present results of standardization efforts in IP-based wireless architectures. Finally, we present experimentation results of IP-level mobility in various wireless operator deployments.Erilaiset langattomat verkkoyhteydet lisääntyvät Internet-kykyisten teknologioiden muodossa. Lukuisten eri teknologioiden päällekkäinen käyttö johtuu vähitellen ja tarpeen mukaan rakennetusta verkkoinfrastruktuurista. Useita radioteknologioita (kuten WLAN, GSM ja UMTS) sisältävien päätelaitteiden (kuten älypuhelimet ja kannettavat tietokoneet) viimeaikainen kaupallinen menestys edesauttaa uuden verkkoinfrastruktuurin rakentamista, sekä mahdollisesti johtaa verkkoteknologioiden kirjon lisääntymiseen. Olemassa olevaa verkkoinfrastruktuuria ei kaupallisista syistä kannata korvata uudella teknologialla yhdellä kertaa, vaan vaiheittainen siirtymävaihe kestää tyypillisesti useita vuosia. Internet-kykyiset päätelaitteet voivat liikkua joko saman verkkoteknologian sisällä tai eri verkkoteknologioiden välillä. Verkkoympäristöstä riippuen liikkuvat päätelaitteet voivat liittyä verkkoon useiden verkkoyhteyksien kautta. Näin ollen päätelaite voi lähettää ja vastaanottaa tietoliikennepaketteja yhtäaikaisesti lukuisia verkkoja pitkin. Tämä väitöskirja käsittelee Internet-teknologioiden liikkuvuutta ja näiden teknologioiden tuomista olemassa oleviin langattomien verkko-operaattorien verkkoinfrastruktuureihin. Käsiteltäviä verkkoinfrastruktuureita ei alun perin ole suunniteltu Internet-teknologian liikkuvuuden ja monien yhtäaikaisten yhteyksien ehdoilla. Tässä työssä ehdotetaan tulevaisuuden langattomien verkkojen arkkitehtuurimallia ja ratkaisuja verkkovierailujen toteuttamiseksi. Ehdotettu arkkitehtuuri voidaan toteuttaa ilman mittavia teknologisia mullistuksia. Mallin mukaisessa ehdotuksessa verkko-operaattorin roolit jaetaan selkeästi (i) verkko-operaattoriin, (ii) palveluoperaattoriin ja (iii) yhteys- sekä verkkovierailuoperaattoriin. Roolijako mahdollistaa sen, että kukin operaattorityyppi voi kehittyä itsenäisesti, ja että teennäiset verkkoteknologiasidonnaisuudet poistuvat palveluiden tuottamisessa. Työssä esitetään myös alustava vaatimuslista ehdotetulle mallille, esimerkiksi yhteysoperaattorien laatuvaatimukset. Väitöskirja esittelee myös liikkuvien Internet-teknologioiden viimeisimmän kehityksen. Työssä näytetään lisäksi standardointituloksia Internet-kykyisissä langattomissa arkkitehtuureissa

A security protocol for authentication of binding updates in Mobile IPv6.

Wireless communication technologies have come along way, improving with every generational leap. As communications evolve so do the system architectures, models and paradigms. Improvements have been seen in the jump from 2G to 3G networks in terms of security. Yet these issues persist and will continue to plague mobile communications into the leap towards 4G networks if not addressed. 4G will be based on the transmission of Internet packets only, using an architecture known as mobile IP. This will feature many advantages, however security is still a fundamental issue to be resolved. One particular security issue involves the route optimisation technique, which deals with binding updates. This allows the corresponding node to by-pass the home agent router to communicate directly with the mobile node. There are a variety of security vulnerabilities with binding updates, which include the interception of data packets, which would allow an attacker to eavesdrop on its contents, breaching the users confidentiality, or to modify transmitted packets for the attackers own malicious purposes. Other possible vulnerabilities with mobile IP include address spoofing, redirection and denial of service attacks. For many of these attacks, all the attacker needs to know is the IPv6 addresses of the mobile’s home agent and the corresponding node. There are a variety of security solutions to prevent these attacks from occurring. Two of the main solutions are cryptography and authentication. Cryptography allows the transmitted data to be scrambled in an undecipherable way resulting in any intercepted packets being illegible to the attacker. Only the party possessing the relevant key will be able to decrypt the message. Authentication is the process of verifying the identity of the user or device one is in communication with. Different authentication architectures exist however many of them rely on a central server to verify the users, resulting in a possible single point of attack. Decentralised authentication mechanisms would be more appropriate for the nature of mobile IP and several protocols are discussed. However they all posses’ flaws, whether they be overly resource intensive or give away vital address data, which can be used to mount an attack. As a result location privacy is investigated in a possible attempt at hiding this sensitive data. Finally, a security solution is proposed to address the security vulnerabilities found in binding updates and attempts to overcome the weaknesses of the examined security solutions. The security protocol proposed in this research involves three new security techniques. The first is a combined solution using Cryptographically Generated Addresses and Return Routability, which are already established solutions, and then introduces a new authentication procedure, to create the Distributed Authentication Protocol to aid with privacy, integrity and authentication. The second is an enhancement to Return Routability called Dual Identity Return Routability, which provides location verification authentication for multiple identities on the same device. The third security technique is called Mobile Home Agents, which provides device and user authentication while introducing location privacy and optimised communication routing. All three security techniques can be used together or individually and each needs to be passed before the binding update is accepted. Cryptographically Generated Addresses asserts the users ownership of the IPv6 address by generating the interface identifier by computing a cryptographic one-way hash function from the users’ public key and auxiliary parameters. The binding between the public key and the address can be verified by recomputing the hash value and by comparing the hash with the interface identifier. This method proves ownership of the address, however it does not prove the address is reachable. After establishing address ownership, Return Routability would then send two security tokens to the mobile node, one directly and one via the home agent. The mobile node would then combine them together to create an encryption key called the binding key allowing the binding update to be sent securely to the correspondent node. This technique provides a validation to the mobile nodes’ location and proves its ownership of the home agent. Return Routability provides a test to verify that the node is reachable. It does not verify that the IPv6 address is owned by the user. This method is combined with Cryptographically Generated Addresses to provide best of both worlds. The third aspect of the first security solution introduces a decentralised authentication mechanism. The correspondent requests the authentication data from both the mobile node and home agent. The mobile sends the data in plain text, which could be encrypted with the binding key and the home agent sends a hash of the data. The correspondent then converts the data so both are hashes and compares them. If they are the same, authentication is successful. This provides device and user authentication which when combined with Cryptographically Generated Addresses and Return Routability create a robust security solution called the Distributed Authentication Protocol. The second new technique was designed to provide an enhancement to a current security solution. Dual Identity Return Routability builds on the concept of Return Routability by providing two Mobile IPv6 addresses on a mobile device, giving the user two separate identities. After establishing address ownership with Cryptographically Generated Addresses, Dual Identity Return Routability would then send security data to both identities, each on a separate network and each having heir own home agents, and the mobile node would then combine them together to create the binding key allowing the binding update to be sent securely to the correspondent node. This technique provides protection against address spoofing as an attacker needs two separate ip addresses, which are linked together. Spoofing only a single address will not pass this security solution. One drawback of the security techniques described, however, is that none of them provide location privacy to hide the users IP address from attackers. An attacker cannot mount a direct attack if the user is invisible. The third new security solution designed is Mobile Home Agents. These are software agents, which provide location privacy to the mobile node by acting as a proxy between it and the network. The Mobile Home Agent resides on the point of attachment and migrates to a new point of attachment at the same time as the mobile node. This provides reduced latency communication and a secure environment for the mobile node. These solutions can be used separately or combined together to form a super security solution, which is demonstrated in this thesis and attempts to provide proof of address ownership, reachability, user and device authentication, location privacy and reduction in communication latency. All these security features are design to protect against one the most devastating attacks in Mobile IPv6, the false binding update, which can allow an attacker to impersonate and deny service to the mobile node by redirecting all data packets to itself. The solutions are all simulated with different scenarios and network configurations and with a variety of attacks, which attempt to send a false binding update to the correspondent node. The results were then collected and analysed to provide conclusive proof that the proposed solutions are effective and robust in protecting against the false binding updates creating a safe and secure network for all

Junos Pulse Secure Access Service Administration Guide

This guide describes basic configuration procedures for Juniper Networks Secure Access Secure Access Service. This document was formerly titled Secure Access Administration Guide. This document is now part of the Junos Pulse documentation set. This guide is designed for network administrators who are configuring and maintaining a Juniper Networks Secure Access Service device. To use this guide, you need a broad understanding of networks in general and the Internet in particular, networking principles, and network configuration. Any detailed discussion of these concepts is beyond the scope of this guide.The Juniper Networks Secure Access Service enable you to give employees, partners, and customers secure and controlled access to your corporate data and applications including file servers, Web servers, native messaging and e-mail clients, hosted servers, and more from outside your trusted network using just a Web browser. Secure Access Service provide robust security by intermediating the data that flows between external users and your company’s internal resources. Users gain authenticated access to authorized resources through an extranet session hosted by the appliance. During intermediation, Secure Access Service receives secure requests from the external, authenticated users and then makes requests to the internal resources on behalf of those users. By intermediating content in this way, Secure Access Service eliminates the need to deploy extranet toolkits in a traditional DMZ or provision a remote access VPN for employees. To access the intuitive Secure Access Service home page, your employees, partners, and customers need only a Web browser that supports SSL and an Internet connection. This page provides the window from which your users can securely browse Web or file servers, use HTML-enabled enterprise applications, start the client/server application proxy, begin a Windows, Citrix, or Telnet/SSH terminal session, access corporate e-mail servers, start a secured layer 3 tunnel, or schedule or attend a secure online meeting

ROVER: a DNS-based method to detect and prevent IP hijacks

2013 Fall.Includes bibliographical references.The Border Gateway Protocol (BGP) is critical to the global internet infrastructure. Unfortunately BGP routing was designed with limited regard for security. As a result, IP route hijacking has been observed for more than 16 years. Well known incidents include a 2008 hijack of YouTube, loss of connectivity for Australia in February 2012, and an event that partially crippled Google in November 2012. Concern has been escalating as critical national infrastructure is reliant on a secure foundation for the Internet. Disruptions to military, banking, utilities, industry, and commerce can be catastrophic. In this dissertation we propose ROVER (Route Origin VERification System), a novel and practical solution for detecting and preventing origin and sub-prefix hijacks. ROVER exploits the reverse DNS for storing route origin data and provides a fail-safe, best effort approach to authentication. This approach can be used with a variety of operational models including fully dynamic in-line BGP filtering, periodically updated authenticated route filters, and real-time notifications for network operators. Our thesis is that ROVER systems can be deployed by a small number of institutions in an incremental fashion and still effectively thwart origin and sub-prefix IP hijacking despite non-participation by the majority of Autonomous System owners. We then present research results supporting this statement. We evaluate the effectiveness of ROVER using simulations on an Internet scale topology as well as with tests on real operational systems. Analyses include a study of IP hijack propagation patterns, effectiveness of various deployment models, critical mass requirements, and an examination of ROVER resilience and scalability

Algorithmes d'adressage et routage pour des réseaux fortement mobiles à grande échelle

After successfully connecting machines and people later (world wide web), the new era of In-ternet is about connecting things. Due to increasing demands in terms of addresses, mobility, scalability, security and other new unattended challenges, the evolution of current Internet archi-tecture is subject to major debate worldwide. The Internet Architecture Board (IAB) workshop on Routing and Addressing report described the serious scalability problems faced by large backbone operators in terms of routing and addressing, illustrated by the unsustainable growth of the Default Free Zone (DFZ) routing tables. Some proposals tackled the scalability and IP semantics overload issues with two different approaches: evolutionary approach (backward com-patibility) or a revolutionary approach. Several design objectives (technical or high-level) guided researchers in their proposals. Mobility is definitely one of the main challenges.Inter-Vehicle Communication (IVC) attracts considerable attention from the research com-munity and the industry for its potential in providing Intelligent Transportation Systems (ITS) and passengers services. Vehicular Ad-Hoc Networks (VANETs) are emerging as a class of wire-less network, formed between moving vehicles equipped with wireless interfaces (cellular and WiFi) employing heterogeneous communication systems. A VANET is a form of mobile ad-hoc network that provides IVC among nearby vehicles and may involve the use of a nearby fixed equipment on the roadside. The impact of Internet-based vehicular services (infotainment) are quickly developing. Some of these applications, driver assistance services or traffic reports, have been there for a while. But market-enabling applications may also be an argument in favor of a more convenient journey. Such use cases are viewed as a motivation to further adoption of the ITS standards developed within IEEE, ETSI, and ISO.This thesis focuses on applying Future Internet paradigm to vehicle-to-Internet communica-tions in an attempt to define the solution space of Future Vehicular Internet. We first introduce two possible vehicle-to-Internet use cases and great enablers for IP based services : eHealth and Fully-electric Vehicles. We show how to integrate those use cases into IPv6 enabled networks. We further focus on the mobility architectures and determine the fundamental components of a mobility architecture. We then classify those approaches into centralized and distributed to show the current trends in terms of network mobility extension, an essential component to vehicular networking. We eventually analyze the performance of these proposals. In order to define an identifier namespace for vehicular communications, we introduce the Vehicle Identification Numbers are possible candidates. We then propose a conversion algorithm that preserves the VIN characteristics while mapping it onto usable IPv6 networking objects (ad-dresses, prefixes, and Mobile Node Identifiers). We make use of this result to extend LISP-MN protocol with the support of our VIN6 addressing architecture. We also apply those results to group IP-based communications, when the cluster head is in charge of a group of followers.Cette thèse a pour objectif de faire avancer l'état de l'art des communications basée sur Internet Protocol version 6 (IPv6) dans le domaine des réseaux véhiculaires, et ce dans le cadre des évolutions récentes de IP, notamment l'avènement du Future Internet. Le Future Internet (F.I.) définit un ensemble d'approches pour faire évoluer l'Internet actuel , en particulier l'émergence d'un Internet mobile exigeant en ressources. Les acteurs de ce domaine définissent les contraintes inhérentes aux approches utilisées historiquement dans l'évolution de l'architecture d'Internet et tentent d'y remédier soit de manière évolutive soit par une rupture technologique (révolutionnaire). Un des problèmes au centre de cette nouvelle évolution d'Internet est la question du nommage et de l'adressage dans le réseau. Nous avons entrepris dans cette thèse l'étude de ce problème, dans le cadre restreint des communications véhiculaires Internet.Dans ce contexte, l'état de l'art du Future Internet a mis en avant les distinctions des approches révolutionnaires comparées aux propositions évolutives basées sur IPv6. Les réseaux véhiculaires étant d'ores-et-déjà dotés de piles protocolaires comprenant une extension IPv6, nous avons entamé une approche évolutive visant à intégrer les réseaux véhiculaires au Future Internet. Une première proposition a été de convertir un identifiant présent dans le monde automobile (VIN, Numéro d'Identification de Véhicule) en un lot d'adresses réseau propres à chaque véhicule (qui est donc propriétaire de son adressage issu de son identifiant). Cette proposition étant centrée sur le véhicule, nous avons ensuite intégré ces communications basés dans une architecture globale Future Internet basée sur IPv6 (protocole LISP). En particulier, et avec l'adressage VIN, nous avons défini un espace d'adressage indépendant des fournisseurs d'accès à Internet où le constructeur automobile devient acteur économique fournissant des services IPv6 à sa flotte de véhicules conjointement avec les opérateurs réseau dont il dépend pour transporter son trafic IP. Nous nous sommes ensuite intéressés à l'entourage proche du véhicule afin de définir un nouveau mode de communication inter-véhiculaire à Internet: le V2V2I (Angl. Vehicle-to-Vehicle-to-Infrastructure). Jusqu'à présent, les modes de transmission de données à Internet dans le monde du véhicule consistaient en des topologies V2I, à savoir véhicule à Internet, où le véhicule accède à l'infrastructure directement sans intermédiaire. Dans le cadre des communications véhiculaires à Internet, nous proposons une taxonomie des méthodes existantes dans l'état de l'art. Les techniques du Future Internet étant récentes, nous avons étendu notre taxonomie par une nouvelle approche basée sur la séparation de l'adressage topologique dans le cluster de celui de l'infrastructure. Le leader du cluster s'occupe d'affecter les adresses (de son VIN) et de gérer le routage à l'intérieur de son cluster. La dernière contribution consiste en la comparaison des performances des protocoles de gestion de mobilité, notamment pour les réseaux de véhicules et des communications de type vehicule-à-Internet. Dans ce cadre, nous avons proposé une classification des protocoles de gestion de mobilité selon leur déploiement: centralisé (basé réseau ou host) et distribué. Nous avons ensuite évalué les performances en modélisant les durées de configurations et de reconfigurations des différents protocoles concernés

Distributed mobility management for a flat architecture in 5G mobile networks: solutions, analysis and experimental validation

In the last years, the commercial deployment of data services in mobile networks has been evolving quickly, providing enhanced radio access technologies and more efficient network architectures. Nowadays, mobile users enjoy broadband and ubiquitous wireless access through their portable devices, like smartphones and tablets, exploiting the connectivity offered by the modern 4G network. Nevertheless, the technological evolution keeps moving towards the development of next generation networks, or 5G, aiming at further improving the current system in order to cope with the huge data traffic growth foreseen in the future years. One of the possible research guidelines aims at innovating the mobile networks architecture by designing a flat system. Indeed, current systems are built upon a centralized and hierarchical structure, where multiple access networks are connected to a central core hosting crucial network functions, e.g., charging, control and maintenance, as well as mobility management, which is the main topic of this thesis. In such a central mobility management system, users’ traffic is aggregated at some key nodes in the core, called mobility anchors. Thus, an anchor can easily handle user’s mobility by redirecting traffic flows to his/her location, but i) it poses scalability issues, ii) it represents a single point of failure, and iii) the routing path is in general suboptimal. These problems can be overcome moving to a flat architecture, adopting a Distributed Mobility Management (DMM) system, where the centralized anchor is removed. This thesis develops within the DMM framework, presenting the design, analysis, implementation and experimental validation of several DMM protocols. In this work we describe original protocols for client-based and network-based mobility management, as well as a hybrid solution. We study analytically our solutions to evaluate their signaling cost, the packet delivery cost, and the latency introduced to handle a handover event. Finally, we assess the validity of some of our protocols with experiments run over a network prototype built in our lab implementing such solutions.El despliegue comercial de los servicios de datos en las redes móviles ha evolucionado rápidamente en los últimos años, proporcionando tecnologías de acceso radio más avanzadas y arquitecturas de red más eficientes. Los usuarios ya pueden disfrutar de los servicios de banda ancha desde sus dispositivos móviles, como smartphones y tablets, aprovechando la conectividad de las modernas redes 4G. Sin embargo, la evolución tecnológica sigue trazando su camino hasta el desarrollo de las redes de próxima generación, o 5G, en previsión del enorme aumento del tráfico de los años futuros. Una de las innovaciones bajo estudio aborda la arquitectura de las redes móviles, con el objetivo de diseñar un sistema plano. Efectivamente, el sistema actual se basa en una estructura centralizada y jerárquica, en la cual múltiples redes de acceso se conectan al núcleo central, dónde residen funciones cruciales para el control de la red y facturación, así como la gestión de la movilidad, que es el tema central de esta tesis. En un sistema con gestión centralizada de la movilidad, se agregan los flujos de tráfico en algunos nodos claves situados en el núcleo de la red, llamados anclas de movilidad. De este modo, un ancla puede fácilmente redirigir los flujos al lugar donde se halla el usuario, pero i) supone problemas de escalabilidad, ii) representa un punto único de fallo, y iii) el encaminamiento es en general sub-óptimo. Estos problemas se pueden resolver pasando a una arquitectura plana, cambiándose a un sistema de gestión distribuida de la movilidad (Distributed Mobility Management – DMM), donde no hay anclas centralizadas. Esta tesis se desarrolla dentro el marco propuesto por DMM, presentando el diseño, el análisis, la implementación y la validación experimental de varios protocolos de movilidad distribuida. Se describen soluciones basadas en el cliente y en la red, así como una solución híbrida. El funcionamiento de las soluciones ha sido estudiado analíticamente, para evaluar los costes de señalización, el coste del transporte de los paquetes y la latencia para gestionar el traspaso de los usuarios de una red a otra. Finalmente, la validez de los protocolos ha sido demostrada con experimentos sobre un prototipo donde se implementan algunas de las soluciones utilizando el equipamiento de nuestro laboratorio.Programa Oficial de Doctorado en Ingeniería TelemáticaPresidente: Arturo Azcorra Saloña.- Secretario: Ramón Agüero Calvo.- Vocal: Jouni Korhone

Älypuhelin kotiverkkojen luottamusankkurina

Kun tietoverkot kodeissa monimutkaistuvat, eivät kotikäyttäjät osaa tai halua enää ylläpitää niitä. Kotiverkkojen ylläpito ei eroa nykyisin paljon yritysympäristöistä. Käyttäjältä vaaditaan läsnäolo, tunnukset ja tietämys laitteiden operointiin. Näitä vaatimuksia täytyy soveltaa, jos ylläpito ulkoistettaisiin ja pääsy kotiverkkoihin sallittaisiin. Luotettava toimija on palkattava ja jaettava tälle tunnistautumiskeino sekä pääsy kohdelaitteelle ulkoa käsin. Tämä edellyttää ennakkotoimia ja tunnistautumisavainten jakelua. Käyttäjän älypuhelimessa toimiva sovellus toimii tässä luotettuna toimijana. Matkapuhelinliittymällään käyttäjä on jo osa luotettua tilaajarekisteriä, ja tätä ominaisuutta käytetään hyväksi työssä luottamuksen rakentajana. Matkapuhelintunnistuksena käytetään SIM-kortin tilaajatietoa EAP-menetelmällä. EAP-SIM-pohjaisen tunnistuksen toimivuus esitetään käyttöympäristössä, jossa on simuloitu SIM-kortti ja matkapuhelinoperaattori. Periaatteena on ollut käyttää olemassaolevia tekniikoita yhdistäen niitä uusiin alueisiin, kuten homenet-määritysten kotiverkkoihin ja edustajalle ulkoistettuun hallintaan. Tunnistus- ja valtuutustietojen välittämisen hoitaa WPA2 Enterprise RADIUS-ympäristössä. Välttääksemme monimutkaisuutta ja tarpeetonta hienorakeisuutta, käytämme yksinkertaista hallintaverkkomallia, jonka rajalla on kotiverkosta muuten erillään oleva älypuhelin. Tuloksena näytetään, että matkapuhelimella tehty tunnistautuminen luo luottamusankkurin ulkoisen edustajan ja kodin hallintaverkon välille avaten edustajalle hallintayhteyden kotikäyttäjän valvonnassa. SIM-tunnistuksen hyötyjä ovat vahva tunnistus ja laaja käyttäjäkanta. Haittoina ovat riippuvuus teleoperaattorista, käyttäjän identiteetin paljastumisen uhka ja ei-toivottu automaattinen tunnistautuminen.Today, home networks are complex, and the home owners do not necessarily want to administer all aspects of their networks. Configuring home network devices does not differ much from configuring enterprise devices. One needs access, credentials to login and knowledge to operate the device. If the configuration is outsourced to external parties and done remotely, those requirements need adaptation. Access to an end device from the outside must be provided, a trusted operator must be hired, and login credentials shared. For this purpose, some previously set provisioning and distribution of authentication keys is needed. In this work, an application running on a user's smartphone represents this trusted operator. The fact that the mobile phone subscribers already are part of a reliable infrastructure is used in the study as a trusted base. To benefit from the mobile identification, it is shown how the authentication and authorization are done using an extendable authentication profile (EAP) and a SIM card. A theory to use EAP-SIM authentication at home is presented, and to demonstrate that it works, a simulated testbed is built, tested, and analyzed. The idea is to reuse existing techniques by combining them with such new areas as homenet and delegated management. Authentication claims are transported with WPA2 Enterprise. To further avoid complexity and granularity, we only use a simple model of management network. As a result, we show that the smartphone authentication provides a trust anchor between a configuration agent and the home network. The home network management can be controlled via the smartphone while keeping the local phone user still in control. The benefits of using the SIM are that it is considered strong, and it has a large existing user base, while its disadvantages include dependency onto the mobile operator. Additionally, there remain challenges in keeping the SIM's identity private and in disabling unwanted re-authentications

Estabelecimento de redes de comunidades sobreponíveis

Doutoramento em Engenharia InformáticaUma das áreas de investigação em Telecomunicações de interesse crescente prende-se com os futuros sistemas de comunicações móveis de 4a geração e além destes. Nos últimos anos tem sido desenvolvido o conceito de redes comunitárias, no qual os utilizadores se agregam de acordo com interesses comuns. Estes conceitos têm sido explorados de uma forma horizontal em diferentes camadas da comunicação, desde as redes comunitárias de comunicação (Seattle Wireless ou Personal Telco, p.ex.) até às redes de interesses peer-to-peer. No entanto, estas redes são usualmente vistas como redes de overlay, ou simplesmente redes de associação livre. Na prática, a noção de uma rede auto-organizada, completamente orientada ao serviço/comunidade, integralmente suportada em termos de arquitetura, não existe. Assim este trabalho apresenta uma realização original nesta área de criação de redes comunitárias, com uma arquitetura subjacente orientada a serviço, e que suporta integralmente múltiplas redes comunitárias no mesmo dispositivo, com todas as características de segurança, confiança e disponibilização de serviço necessárias neste tipo de cenários (um nó pode pertencer simultaneamente a mais do que uma rede comunitária). Devido à sua importância para os sistemas de redes comunitárias, foi dado particular atenção a aspetos de gestão de recursos e controlo de acessos. Ambos realizados de uma forma descentralizada e considerando mecanismos dotados de grande escalabilidade. Para isso, é apresentada uma linguagem de políticas que suporta a criação de comunidades virtuais. Esta linguagem não é apenas utilizada para o mapeamento da estrutura social dos membros da comunidade, como para, gerir dispositivos, recursos e serviços detidos pelos membros, de uma forma controlada e distribuída.One of the research areas with increasing interest in the field of telecommunications, are the ones related to future telecommunication systems, both 4th generation and beyond. In parallel, during the last years, several concepts have been developed related to clustering of users according to their interested, in the form of community networks. Solutions proposed for these concepts tackle the challenges horizontally, for each layer of the communication stack, ranging from community based communication networks (e.g. Seattle Wireless, or Personal Telco), to interest networks based on peer-to-peer protocols. However, these networks are presented either as free joining, or overlay networks. In practice, the notion of a self-organized, service and community oriented network, with these principles embedded in its design principles, is yet to be developed. This work presents an novel instantiation of a solution in the area of community networks, with a underlying architecture which is fully service oriented, and envisions the support for multiple community networks in the same device. Considerations regarding security, trust and service availability for this type of environments are also taken. Due to the importance of resource management and access control, in the context of community driven communication networks, a special focus was given to the support of scalable and decentralized management and access control methods. For this purpose, it is presented a policy language which supports the creation and management of virtual communities. The language is not only used for mapping the social structure of the community members, but also to, following a distributed approach, manage devices, resources and services owned by each community member

Decentralized Identity and Access Management Framework for Internet of Things Devices

The emerging Internet of Things (IoT) domain is about connecting people and devices and systems together via sensors and actuators, to collect meaningful information from the devices surrounding environment and take actions to enhance productivity and efficiency. The proliferation of IoT devices from around few billion devices today to over 25 billion in the next few years spanning over heterogeneous networks defines a new paradigm shift for many industrial and smart connectivity applications. The existing IoT networks faces a number of operational challenges linked to devices management and the capability of devices’ mutual authentication and authorization. While significant progress has been made in adopting existing connectivity and management frameworks, most of these frameworks are designed to work for unconstrained devices connected in centralized networks. On the other hand, IoT devices are constrained devices with tendency to work and operate in decentralized and peer-to-peer arrangement. This tendency towards peer-to-peer service exchange resulted that many of the existing frameworks fails to address the main challenges faced by the need to offer ownership of devices and the generated data to the actual users. Moreover, the diversified list of devices and offered services impose that more granular access control mechanisms are required to limit the exposure of the devices to external threats and provide finer access control policies under control of the device owner without the need for a middleman. This work addresses these challenges by utilizing the concepts of decentralization introduced in Distributed Ledger (DLT) technologies and capability of automating business flows through smart contracts. The proposed work utilizes the concepts of decentralized identifiers (DIDs) for establishing a decentralized devices identity management framework and exploits Blockchain tokenization through both fungible and non-fungible tokens (NFTs) to build a self-controlled and self-contained access control policy based on capability-based access control model (CapBAC). The defined framework provides a layered approach that builds on identity management as the foundation to enable authentication and authorization processes and establish a mechanism for accounting through the adoption of standardized DLT tokenization structure. The proposed framework is demonstrated through implementing a number of use cases that addresses issues related identity management in industries that suffer losses in billions of dollars due to counterfeiting and lack of global and immutable identity records. The framework extension to support applications for building verifiable data paths in the application layer were addressed through two simple examples. The system has been analyzed in the case of issuing authorization tokens where it is expected that DLT consensus mechanisms will introduce major performance hurdles. A proof of concept emulating establishing concurrent connections to a single device presented no timed-out requests at 200 concurrent connections and a rise in the timed-out requests ratio to 5% at 600 connections. The analysis showed also that a considerable overhead in the data link budget of 10.4% is recorded due to the use of self-contained policy token which is a trade-off between building self-contained access tokens with no middleman and link cost

Methods for revealing and reshaping the African Internet Ecosystem as a case study for developing regions: from isolated networks to a connected continent

Mención Internacional en el título de doctorWhile connecting end-users worldwide, the Internet increasingly promotes local development by making challenges much simpler to overcome, regardless of the field in which it is used: governance, economy, education, health, etc. However, African Network Information Centre (AfriNIC), the Regional Internet Registry (RIR) of Africa, is characterized by the lowest Internet penetration: 28.6% as of March 2017 compared to an average of 49.7% worldwide according to the International Telecommunication Union (ITU) estimates [139]. Moreover, end-users experience a poor Quality of Service (QoS) provided at high costs. It is thus of interest to enlarge the Internet footprint in such under-connected regions and determine where the situation can be improved. Along these lines, this doctoral thesis thoroughly inspects, using both active and passive data analysis, the critical aspects of the African Internet ecosystem and outlines the milestones of a methodology that could be adopted for achieving similar purposes in other developing regions. The thesis first presents our efforts to help build measurements infrastructures for alleviating the shortage of a diversified range of Vantage Points (VPs) in the region, as we cannot improve what we can not measure. It then unveils our timely and longitudinal inspection of the African interdomain routing using the enhanced RIPE Atlas measurements infrastructure for filling the lack of knowledge of both IPv4 and IPv6 topologies interconnecting local Internet Service Providers (ISPs). It notably proposes reproducible data analysis techniques suitable for the treatment of any set of similar measurements to infer the behavior of ISPs in the region. The results show a large variety of transit habits, which depend on socio-economic factors such as the language, the currency area, or the geographic location of the country in which the ISP operates. They indicate the prevailing dominance of ISPs based outside Africa for the provision of intracontinental paths, but also shed light on the efforts of stakeholders for traffic localization. Next, the thesis investigates the causes and impacts of congestion in the African IXP substrate, as the prevalence of this endemic phenomenon in local Internet markets may hinder their growth. Towards this end, Ark monitors were deployed at six strategically selected local Internet eXchange Points (IXPs) and used for collecting Time-Sequence Latency Probes (TSLP) measurements during a whole year. The analysis of these datasets reveals no evidence of widespread congestion: only 2.2% of the monitored links experienced noticeable indication of congestion, thus promoting peering. The causes of these events were identified during IXP operator interviews, showing how essential collaboration with stakeholders is to understanding the causes of performance degradations. As part of the Internet Society (ISOC) strategy to allow the Internet community to profile the IXPs of a particular region and monitor their evolution, a route-collector data analyzer was then developed and afterward, it was deployed and tested in AfriNIC. This open source web platform titled the “African” Route-collectors Data Analyzer (ARDA) provides metrics, which picture in real-time the status of interconnection at different levels, using public routing information available at local route-collectors with a peering viewpoint of the Internet. The results highlight that a small proportion of Autonomous System Numbers (ASNs) assigned by AfriNIC (17 %) are peering in the region, a fraction that remained static from April to September 2017 despite the significant growth of IXPs in some countries. They show how ARDA can help detect the impact of a policy on the IXP substrate and help ISPs worldwide identify new interconnection opportunities in Africa, the targeted region. Since broadening the underlying network is not useful without appropriately provisioned services to exploit it, the thesis then delves into the availability and utilization of the web infrastructure serving the continent. Towards this end, a comprehensive measurement methodology is applied to collect data from various sources. A focus on Google reveals that its content infrastructure in Africa is, indeed, expanding; nevertheless, much of its web content is still served from the United States (US) and Europe, although being the most popular content source in many African countries. Further, the same analysis is repeated across top global and regional websites, showing that even top African websites prefer to host their content abroad. Following that, the primary bottlenecks faced by Content Providers (CPs) in the region such as the lack of peering between the networks hosting our probes and poorly configured DNS resolvers are explored to outline proposals for further ISP and CP deployments. Considering the above, an option to enrich connectivity and incentivize CPs to establish a presence in the region is to interconnect ISPs present at isolated IXPs by creating a distributed IXP layout spanning the continent. In this respect, the thesis finally provides a four-step interconnection scheme, which parameterizes socio-economic, geographical, and political factors using public datasets. It demonstrates that this constrained solution doubles the percentage of continental intra-African paths, reduces their length, and drastically decreases the median of their Round Trip Times (RTTs) as well as RTTs to ASes hosting the top 10 global and top 10 regional Alexa websites. We hope that quantitatively demonstrating the benefits of this framework will incentivize ISPs to intensify peering and CPs to increase their presence, for enabling fast, affordable, and available access at the Internet frontier.Programa Oficial de Doctorado en Ingeniería TelemáticaPresidente: David Fernández Cambronero.- Secretario: Alberto García Martínez.- Vocal: Cristel Pelsse