37 research outputs found

    Traversing NAT: A Problem

    This quasi-experimental before-and-after study measured and analyzed the impacts of adding security to a new bi-directional Network Address Translation (NAT). The literature revolves around the various types of NAT, their advantages and disadvantages, their security models, and the adoption of networking technologies. The study of the newly created secure bi-directional model of NAT showed statistically significant changes in the measured variables compared with another model using port forwarding. Future research on how data will traverse networks is crucial in an ever-changing world of technology.

    Simplified Network Signaling Architecture

    The wheel has been reinvented several times in signaling protocols. Most signaling protocols re-invent, for example, their own signaling transport methods, end-point discovery, measures for the reliable exchange of messages, and security features. The Next Steps In Signaling (NSIS) framework was created in the IETF to design a single unified framework for various network signaling needs. The signaling transport layer of NSIS, the General Internet Signaling Transport (GIST), was specified in the IETF to provide a common transport service for signaling applications. The NSIS suite also includes two signaling protocols, the NSIS Signaling Layer Protocols (NSLP): one for Quality of Service provisioning and one to configure middleboxes, in particular Network Address Translators and firewalls. The different signaling applications use GIST message delivery services through an API that consists of several operations. On top of common operations for sending and receiving data, the API also covers network events, errors and session state management. The API covers all GIST aspects and allows application developers to have adequate knowledge of network state. However, as a result the API is very cumbersome to use, and an application developer needs to take care of a non-trivial amount of detail. A further challenge is that to create a new signaling application, one needs to acquire and register a unique NSLP identifier with the Internet Assigned Numbers Authority (IANA). This thesis presents the Messaging NSLP, which provides an abstraction layer to hide complex GIST features from the signaling application. Developers of Messaging Applications can use a simple Messaging API to open and close sessions and to transfer application data from one Messaging Application node to another. Prototype implementations of the NSLP API and Messaging NSLP were created and tested to verify the protocol operation in various network scenarios. 
An overhead analysis of GIST and Messaging NSLP was performed, and the results are compatible with earlier, third-party analysis. The Messaging NSLP can introduce up to 938 bytes of overhead to initiate a signaling session, but later signaling only introduces 78 bytes of header overhead.

    Firewall Traversal in Mobile IPv6 Networks

    Middleboxes, such as firewalls, are an important aspect of a large number of modern IP networks. Today's IP networks are predominantly based on IPv4 technologies, so many firewalls and Network Address Translators (NATs) were originally developed for these networks. The development of IPv6 networks is currently taking place. Since Mobile IPv6 is a relatively new standard, most firewalls available for IPv6 networks do not yet support Mobile IPv6. Unless firewalls are aware of the details of the Mobile IPv6 protocol, they will either block Mobile IPv6 communication or mishandle it. This represents one of the main obstacles to the successful deployment of Mobile IPv6. This thesis describes the problems and effects of the presence of middleboxes in Mobile IPv6 environments. To this end, it first explains which kinds of middleboxes exist, what exactly a middlebox is and how such a middlebox operates, and second identifies the problems and explains the effects of the presence of firewalls in Mobile IPv6 environments. Subsequently, several state-of-the-art middlebox traversal approaches are examined that can be regarded as possible solutions for overcoming the Mobile IPv6 firewall traversal problems. It is explained in detail how these solutions work, and their applicability to Mobile IPv6 firewall traversal is evaluated. As its main contribution, this thesis introduces two detailed solution approaches that can overcome the Mobile IPv6 firewall traversal problem. The first approach, NSIS-based Mobile IPv6 firewall traversal, is based on the Next Steps in Signaling (NSIS) framework and the NAT/Firewall NSIS Signaling Layer Protocol (NAT/FW NSLP). The second approach, the Mobile IPv6 Application Layer Gateway, is then presented. 
This thesis explains in detail how these approaches overcome the problems and effects of the presence of middleboxes in Mobile IPv6 environments. Furthermore, this thesis presents how the NSIS-based Mobile IPv6 firewall traversal and the Mobile IPv6 Application Layer Gateway proof-of-concept implementations, which were developed as part of this thesis, were implemented. Finally, the proof-of-concept implementations as well as the two solution approaches in general are evaluated and analyzed.

    VCare: A Personal Emergency Response System to Promote Safe and Independent Living Among Elders Staying by Themselves in Community or Residential Settings

    ‘Population aging’ is a growing concern for most of us living in the twenty-first century, primarily because many of us in the next few years will have a senior person to care for: spending money towards their healthcare expenditures and/or having to balance a full-time job with the responsibility of care-giving, travelling from another city to be with this elderly citizen who might be our parent, grandparent or even a community elder. As informal care-givers, if we were somehow able to monitor the day-to-day activities of our elderly dependents and be alerted when something goes wrong for them, that would be of great help and would lower the care-giving burden considerably. Information and Communication Technology (ICT) can certainly help in such a scenario, with tools and techniques that ensure safe living for the individual we are caring for, and save us from a lot of worry by providing us with anytime access into their lives or activities, and as a result let us check their functional state. However, we should be mindful of the tactics that could be adopted by malicious actors to steal the data stored in these products, and try to curb the associated service costs. In short, we need robust, cost-effective, useful, and secure solutions to help the elders in our society to ‘age gracefully’. This work is a small step in that direction. 
Advisor: Tadeusz Wysock

    Security Mechanisms for a Cooperative Firewall

    The growing number of mobile users and mobile broadband subscriptions around the world calls for support of mobility in the Internet and also demands more addresses from the already depleting IP address space. The deployment of Network Address Translation (NAT) at network edges to extend the lifetime of the IPv4 address space introduced the reachability problem in the Internet. While various NAT traversal proposals have attempted to solve the reachability problem, no perfect solution for mobile devices has been proposed. A solution called Customer Edge Switching has been proposed at the COMNET department of Aalto University, and it has resulted in a prototype called Customer Edge Switches (CES). While it addresses many of the current Internet issues, i.e. the reachability problem and IPv4 address space depletion, so far security has generally been considered out of scope. This thesis aims at identifying the security vulnerabilities present within the CES architecture. The architecture is secured against various network attacks by presenting a set of security models. The evaluation and performance analysis of these security models shows that the CES architecture is secured against various network attacks while introducing only minimal delay in connection establishment. The delay introduced does not affect the normal communication pattern, and the sending host does not notice a difference compared to the current situation. For legacy interworking a CES can have the Private Realm Gateway (PRGW) function. The security mechanisms for PRGW also generate promising results in terms of security. The thesis further contributes towards security by discussing a set of deployment models for PRGW and CES-to-CES communication.

    Network Address Translator Traversal for the Peer-to-Peer Session Initiation Protocol on Mobile Phones

    Network address translators allow multiple hosts to share one or more IP addresses. The decision to use address translators as one solution to IP address exhaustion has later brought additional challenges; address translators are particularly problematic for peer-to-peer connections. ICE (Interactive Connectivity Establishment) is a NAT traversal method that helps peers create a direct path in the presence of NATs. ICE relies largely on the STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays around NAT) protocols. Nowadays peer-to-peer applications have spread to mobile phones, which may also have a translated address. Knowing the constraints of mobile phones, it is of interest to know the suitability of NAT traversal methods for mobile phones in the context of P2PSIP (Peer-to-Peer Session Initiation Protocol). SIP was used to manage communication sessions between peers. We implemented an ICE prototype to measure the performance of a mobile phone acting as a STUN or TURN client or server, taking into account CPU load, memory usage, packet drop rate and battery consumption. In addition, the work studied the effect of ICE on P2PSIP delays. The downside of using a TURN relay server is increased delay and the extra bytes caused by STUN encapsulation. A TURN server running on a phone must limit the number of clients and the kind of data it may relay. A phone works well as a STUN server, especially if keepalive messages can be ignored. Phones can act as part of a P2PSIP network even in the presence of NATs. It is, however, preferable that NATs use address- and port-independent mapping, because then relaying is not needed.
    Network Address Translators (NATs) allow multiple hosts to share one or more IP addresses. 
The initial decision to use NATs as one of the solutions to Internet Protocol (IP) address depletion has later induced further challenges; NATs are especially problematic in connection with peer-to-peer (P2P) communication. Interactive Connectivity Establishment (ICE) is a NAT traversal mechanism that helps peers in creating a direct path in the presence of NATs. ICE largely relies upon utilizing the mechanisms of the Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) protocols. Nowadays P2P applications are spreading to mobile phones that can also have a NATed address. Knowing the constraints of mobile phones, we were interested in the applicability of NAT traversal mechanisms for mobile phones in the context of Peer-to-Peer Session Initiation Protocol (P2PSIP). SIP was used for controlling communication sessions between the peers. We implemented an ICE prototype for measuring CPU load, memory consumption, packet drop rate and battery consumption of a mobile phone acting as a STUN or TURN client or server. Additionally, we measured the impact of ICE on delays in P2PSIP. The downside of relaying messages via a TURN server is the increase in delay and the increased overhead due to STUN encapsulation. A TURN server running on a mobile phone has to limit the number of allocations and the type of data being transmitted through it. A mobile phone works well as a STUN server, especially if keepalives can simply be ignored. Mobile phones can act as P2PSIP peers and TURN servers, even in the presence of NATs; however, it is preferable to have NATs using address- and port-independent mapping, since then no relaying is needed.

    Security Policy Management for a Cooperative Firewall

    The increasing popularity of Internet services and the increased number of connected devices, along with the introduction of IoT, are making society ever more dependent on the availability of Internet services. Therefore, we need to ensure a minimum level of security and reliability of services. Ultra-Reliable Communication (URC) refers to the availability of life- and business-critical services nearly 100 percent of the time. These requirements are an integral part of the upcoming 5th generation (5G) mobile networks. 5G is the future mobile network, which at the same time is part of the future Internet. As an extension to the conventional communication architecture, 5G needs to provide ultra-high reliability of services, where it needs to perform better than the currently available solutions in terms of security, confidentiality, integrity and reliability, and it should mitigate the risks of Internet attacks and malicious activities. To achieve such requirements, the Customer Edge Switching (CES) architecture is presented. It proposes that the Internet user’s agent in the network provider needs to have prior information about the expected traffic of users, to mitigate as many attacks as possible and only allow expected communication between hosts. CES executes the communication security policies of each user or device, acting as the user’s agent. The policy describes with fine granularity what traffic is expected by the device. The policies are sourced as automatically as possible but can also be modified by the user. Stored policies will follow the mobile user and will be executed at the network edge node executing Customer Edge Switch functions, to stop all unexpected traffic from entering the mobile network. The state of the art in mobile network architectures utilizes the Quality of Service (QoS) policies of users. This thesis motivates the extension of the current architecture to accommodate the security and communication policy of end-users. 
The thesis presents an experimental implementation of a policy management system, termed Security Policy Management (SPM), to handle the above-mentioned policies of users. We describe the architecture, implementation and integration of SPM with Customer Edge Switching. Additionally, SPM has been evaluated in terms of the performance, scalability, reliability and security offered via 5G customer edge nodes. Finally, the system has been analyzed for feasibility in the 5G architecture.

    Design of Application Layer Gateways for Collaborative Firewalls

    Concern about the exhaustion of IPv4 addresses has been present for the last couple of decades. The increased number of users and services has consumed addresses fairly rapidly. Attempts have been made to solve this problem with address translation (NAT), classless routing (CIDR) and a new IP version, specifically IPv6. NAT changes the source address, and often also the port number, into a public-network address. This causes problems in application layer protocols that refer to users on the basis of private network addresses. Often users in the private network are not reachable from the public network. Thus NAT acts as the simplest possible firewall: blocking all incoming traffic while still allowing private network users to connect to the public Internet. This blocks, for example, all incoming VoIP calls. The IETF has developed a NAT traversal solution, but this solution has its drawbacks. Customer Edge Switching (CES) introduces a new kind of stateful firewall, intended to replace NAT devices, which aims to remove the drawbacks of current solutions. Several protocols, including CES, aim to provide a generic solution for traversing NAT devices. Protocols that carry contact information at the application layer need additional functionality in edge devices. In this work, a prototype has been developed to provide an application layer gateway for two application layer protocols. These protocols are Session Initiation Protocol (SIP) and File Transfer Protocol (FTP). Based on the testing of these application layer gateways, it can be shown that the developed prototype is also able to work with protocols that carry contact information in their payload, enabling communication between users located in different networks.
    IPv4 address exhaustion has been a common concern for the last couple of decades. 
The increased number of users and services has consumed the remaining addresses rather rapidly. To alleviate the problem of address exhaustion, Network Address Translation (NAT), Classless Inter-Domain Routing (CIDR) and a new version of IP, namely IPv6, have been proposed. NATs translate the source address, and often also the port number, of the client sending an IP packet to a server in the public address space. This is a problem for application layer protocols that refer to hosts in the private address space using IP addresses. Usually, hosts that reside in the private address space are not reachable from the public network. Thus, a NAT is the crudest kind of firewall: it blocks all incoming traffic while it lets hosts in the private network access the public Internet. This, for example, blocks all incoming VoIP calls to hosts in the private realm. The IETF has a solution to NAT traversal, but this solution has drawbacks. Customer Edge Switching (CES) introduces a new type of collaborative firewall that is meant to replace NATs and tries to remove the drawbacks of known NAT traversal solutions. For many protocols, CES as such provides a generic traversal mechanism. For protocols that carry address information at the application layer, additional algorithms are needed at the edge node. In this thesis a prototype is developed to include Application Layer Gateway functions to support two application layer protocols. These protocols are Session Initiation Protocol (SIP) and File Transfer Protocol (FTP). The testing done with these Application Layer Gateways shows that the developed prototype works with protocols that carry contact information inside the payload, letting hosts in different private address realms communicate.

    Inter-domain interoperability framework based on WebRTC

    Nowadays, the communications paradigm is changing with the convergence of communication services to a model based on IP networks. Applications such as messaging or voice over IP are increasing in popularity, and Communication Service Providers are focusing on offering this kind of service. Moreover, Web Real Time Communication (WebRTC) has emerged as a technology that eases the creation of web applications featuring Real-Time Communications over IP networks without the need to develop and install any plug-in. It lacks specifications in the control plane, leaving the possibility to use WebRTC over tailored web signalling solutions or legacy networks such as the IP Multimedia Subsystem (IMS). This technology brings a wide range of possibilities for web developers, but Communication Service Providers are advised to develop solutions based on the WebRTC technology as described in the Eurescom Study P2252. The lack of WebRTC specifications on the signalling platform, together with the threats and opportunities that this technology represents for Communication Service Providers, makes evident the need for research on interoperability solutions for the different kinds of signalling implementations and for experimentation on the best way for Communication Service Providers to obtain the maximum benefit from WebRTC technology. The main goal of this thesis is precisely to develop a WebRTC interoperability framework and perform experiments on whether the Communication Service Providers should use their existing IMS solutions or develop tailored web signalling platforms for WebRTC deployments. In particular, the work developed in this thesis was completed under the framework of the Webrtc interOperability tested in coNtradictive DEployment scenaRios (WONDER) experimentation for the OpenLab project. 
OpenLab is a Large-scale Integrating Project (IP) and is part of the European Union Framework Programme 7 for Research and Development (FP7), addressing the work programme topic Future Internet Research and Experimentation.
    Currently, the communications paradigm is changing thanks to the convergence of communication services towards a model based on IP networks. Applications such as messaging and voice over IP are growing in popularity while communication service providers focus on offering this kind of IP-network-based service. On the other hand, WebRTC technology has emerged to facilitate the creation of web applications that include real-time communications over IP networks without the need to develop or install any plug-in. This technology does not specify the protocols or systems to be used in the control plane, leaving developers the possibility of using WebRTC over specific web signalling solutions or of using existing signalling networks such as IMS. WebRTC opens a wide range of possibilities to web developers, although communication service providers are also advised to develop WebRTC-based solutions, as described in Eurescom study P2252. The lack of specifications in the signalling plane, together with the opportunities and threats that WebRTC represents for communication service providers, makes evident the need to investigate interoperability solutions for the different implementations of signalling platforms and to experiment with how communication service providers can obtain the maximum benefit from WebRTC technology. 
The main objective of this final degree project is to develop an interoperability framework for WebRTC and to carry out experiments that make it possible to determine under which conditions communication service providers should use the existing signalling platforms (in this case IMS) or develop tailored signalling platforms based on web technologies for their WebRTC deployments. In particular, the work carried out in this final degree project was done within the framework of the WONDER project for the OpenLab programme. OpenLab is a large-scale integrating project in which research and experiments are carried out in the field of the future Internet, and which is part of the European Union's FP7 programme.
Ingeniería de Telecomunicació

    A service-enabling framework for the session initiation protocol (SIP)

    In this dissertation, we propose a framework to provide multimedia communication services. Our proposed framework is based on SIP (Session Initiation Protocol) and has four fundamental properties: it is available, secure, high performing, and oriented to innovations. The framework is not an architecture with a rigid structure. Instead, the framework is a toolkit made up of a set of tools that can be combined in different ways. The combination of these tools provides applications and services with the functionality needed to implement a wide variety of multimedia communication services. Applications and services built on top of the framework use different tools within the toolkit in order to provide their desired overall functionality. The functionality provided by the framework includes a number of primitives to be used by applications and services. These primitives mostly relate to multiparty communications and include floor control. The framework also offers support functions that relate to PSTN (Public Switched Telephone Network) interworking, policy control, and consent-based communications. Additionally, the framework contains functions that relate to signalling transport, multihoming, mobility, security, and NAT (Network Address Translation) traversal. The framework also allows building overlay networks when a SIP network infrastructure is not available. In order to test and refine the ideas presented in this dissertation, we have implemented most of them in proof-of-concept prototypes. We have used experiments and simulations to validate our assumptions and obtain new insights.