16 research outputs found

    A Multi-perspective Analysis of Carrier-Grade NAT Deployment

    As ISPs face IPv4 address scarcity they increasingly turn to network address translation (NAT) to accommodate the address needs of their customers. Recently, ISPs have moved beyond employing NATs only directly at individual customers and instead begun deploying Carrier-Grade NATs (CGNs) to apply address translation to many independent and disparate endpoints spanning physical locations, a phenomenon that so far has received little in the way of empirical assessment. In this work we present a broad and systematic study of the deployment and behavior of these middleboxes. We develop a methodology to detect the existence of hosts behind CGNs by extracting non-routable IP addresses from peer lists we obtain by crawling the BitTorrent DHT. We complement this approach with improvements to our Netalyzr troubleshooting service, enabling us to determine a range of indicators of CGN presence as well as detailed insights into key properties of CGNs. Combining the two data sources we illustrate the scope of CGN deployment on today's Internet, and report on characteristics of commonly deployed CGNs and their effect on end users.

    Secure and Distributed Multicast Address Allocation on IPv6 Networks

    Address allocation has been a limiting factor in the deployment of multicast solutions, and, as other multicast technologies advance, a general solution to this problem becomes more urgent. This study examines the current state of address allocation and finds impediments in many of the proposed solutions. A number of the weaknesses can be traced back to the rapidly ageing Internet Protocol version 4, and therefore it was decided that a new approach is required. A central part of this work relies on the newer Internet Protocol version 6, specifically the unicast-prefix-based multicast address format. The primary aim of this study was to develop an architecture for secure distributed IPv6 multicast address allocation. The architecture should be usable by client applications to retrieve addresses which are globally unique. The product of this work was the Distributed Allocation Of Multicast Addresses Protocol, or DAOMAP. It is a system which can be deployed on nodes which wish to take part in multicast address allocation, and an implementation was developed. Analysis and simulations determined that the devised model fitted the stated requirements, and security testing determined that DAOMAP was safe from a series of attacks. Dissertation (MSc (Computer Science)), University of Pretoria, 2006.

    Mobility management across converged IP-based heterogeneous access networks

    This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University, 8/2/2010. In order to satisfy customer demand for a high performance “global” mobility service, network operators (ISPs, carriers, mobile operators, etc.) are facing the need to evolve to a converged “all-IP” centric heterogeneous access infrastructure. However, the integration of such heterogeneous access networks (e.g. 802.11, 802.16e, UMTS, etc.) brings major mobility issues. This thesis tackles issues plaguing existing mobility management solutions in converged IP-based heterogeneous networks. In order to do so, the thesis firstly proposes a cross-layer mechanism using the upcoming IEEE 802.21 MIH services to make intelligent and optimized handovers. In this respect, FMIPv6 is integrated with the IEEE 802.21 mechanism to provide seamless mobility during the overall handover process. The proposed solution is then applied in a simulated vehicular environment to optimize the NEMO handover process. It is shown through analysis and simulations of the signalling process that the overall expected handover (both L2 and L3) latency in FMIPv6 can be reduced by the proposed mechanism by 69%. Secondly, it is expected that the operator of a Next Generation Network will provide mobility as a service that will generate significant revenues. As a result, dynamic service bootstrapping and authorization mechanisms must be in place to efficiently deploy a mobility service (without static provisioning), which will allow only legitimate users to access the service. A GNU/Linux based test-bed has been implemented to demonstrate this. The experiments presented show the handover performance of the secured FMIPv6 over the implemented test-bed compared to plain FMIPv6 and MIPv6 by providing quantitative measurements and results on the quality of experience perceived by the users of IPv6 multimedia applications. The results show that the inclusion of the additional signalling of the proposed architecture for the purpose of authorization and bootstrapping (i.e. key distribution using HOKEY) has no adverse effect on the overall handover process. Also, using a formal security analysis tool, it is shown that the proposed mechanism is safe/secure from the induced security threats. Lastly, a novel IEEE 802.21 assisted EAP based re-authentication scheme over a service authorization and bootstrapping framework is presented. AAA based authentication mechanisms like EAP incur signalling overheads due to large RTTs. As a result, overall handover latency also increases. Therefore, a fast re-authentication scheme is presented which utilizes IEEE 802.21 MIH services to minimize the EAP authentication process delays and as a result reduce the overall handover latency. Analysis of the signalling process based on analytical results shows that the overall handover latency for mobility protocols will be reduced by approximately 70% by the proposed scheme.

    Private Realm Gateway

    The IPv4 address exhaustion has been a global concern for the last two decades. The increased number of connected users and services has almost entirely depleted the available addresses. There have been several attempts to solve this problem. Chronologically they are Classless Inter-Domain Routing (CIDR), Network Address Translation (NAT) and a new version of the IP protocol, IPv6. The adoption of NAT introduced the separation of private and public realms. NAT devices allow the hosts located in the private realm to connect with hosts or services in the public realm by sharing a public IP address. NAT also provides the most basic kind of firewall, blocking incoming connections towards the private realm and thus introducing the reachability problem. Although several alternatives have been developed to overcome this issue, none of them is exempt from drawbacks. This thesis introduces a new concept that solves the reachability problem introduced by NAT. The solution is called Private Realm Gateway (PRGW). Its main component is called the Circular Pool, and it uses a limited number of public IP addresses to enable end-to-end communication for most applications. Other applications require the use of an Application Layer Gateway (ALG) or proxy servers to obtain connectivity. The evaluation of the prototype proves the concept and the implementation highly successful. The Private Realm Gateway provides mechanisms to overcome the reachability problem and also contributes to the solution of the address exhaustion problem.


    Secure mobility at multiple granularity levels over heterogeneous datacom networks

    The goal of this thesis is to define a set of changes to the TCP/IP stack that allow connections between legacy applications to be sustained in a contemporary heterogeneous datacom environment embodying multiple granularities of mobility. In particular, the thesis presents a number of solutions for flow mobility, local mobility, network mobility, and address family agility, that is, mobility between different IP versions. The presented mobility solutions are based on the so-called identifier-locator split approach. Due to the split, the mobile and multi-homed hosts that employ the presented solution are able to simultaneously communicate via multiple access networks, even supporting different IP versions and link layer technologies. In addition to the mobility solutions, the thesis also defines a set of weak and strong security mechanisms. They are used to protect the mobility protocols from redirection, Denial-of-Service (DoS), and privacy related attacks. The defined security mechanisms are tightly bound to the presented mobility architecture, providing alternative ways to optimize mobility management signalling. The focus is on minimizing end-to-end signalling latency, optimizing the amount of signalling and optimizing packet forwarding paths. In addition, the architecture provides identity and location privacy for hosts. The presented work defines one specific kind of engineering balance between the security, privacy, and efficient mobility signalling requirements. This thesis indicates that the added security, indirection, backwards compatibility, and inter-operable mobility solutions can overcome several of the current TCP/IP restrictions. The presented mobility architecture also provides a migration path from the existing Internet architecture to a new cryptographic-identifier-based architecture.

    Recent Advances in Wireless Communications and Networks

    This book focuses on the hottest current issues from the lowest layers to the upper layers of wireless communication networks and provides "real-time" research progress on these issues. The authors have made every effort to systematically organize the information on these topics to make it easily accessible to readers of any level. This book also maintains the balance between current research results and their theoretical support. In this book, a variety of novel techniques in wireless communications and networks are investigated. The authors attempt to present these topics in detail. Insightful and reader-friendly descriptions are presented to nourish readers of any level, from practicing and knowledgeable communication engineers to beginning or professional researchers. All interested readers can easily find noteworthy materials in much greater detail than in previous publications and in the references cited in these chapters.