193 research outputs found

    Handling of IP-Addresses in the Context of Remote Access

    Master's thesis in information and communication technology 2008 – Universitetet i Agder, Grimstad. For various reasons (e.g., security, lack of IPv4-addresses) the services in the home smart space only use private IP addresses. This is unfortunate in the remote service access since these addresses frequently appear in responses sent from a service in the remote smart space (e.g., your home) to the visited smart space (e.g., your friend’s home). The Internet Engineering Task Force (IETF) provides some solutions and workarounds for the problem caused by NAT. In this project, the challenge to me is to summarize the available options and rank the options according to which one is preferred for the RA-scenario. I will come up with my practical NAT traversal techniques by testing and gathering data on the reliability of NAT traversal techniques since none of the existing ones seems to work well. A demonstration of the key features will be shown in the thesis. NAT traversal techniques that apply to TCP and UDP need to be researched in advance. Handling of peers behind all kinds of NAT needs to be tested and determined for the communication. The result of the paper will well improve the evaluation of specific issues on NAT and the creating of an UNSAF proposal.

    Authentication in virtual private networks based on quantum key distribution methods

    Quantum physics has a major influence on modern computer science and communications. New quantum-based solutions continue to be proposed by researchers. However, only a few techniques are possible to implement in practice. One of them is quantum key distribution, which ensures the confidentiality of digital data. This article introduces a new concept: quantum distribution of pre-shared keys. This approach provides end-users with very secure authentication, impossible to achieve using currently-available techniques. Secure authentication is a key requirement in virtual private networks (VPN)—popular protection in computer networks. The authors simulated quantum-based distribution of a shared secret in a typical VPN connection. Using a dedicated simulator, all individual steps of the quantum key distribution process were presented. Based on the created secret, a secure IPsec tunnel in a StrongSwan environment was established between AGH (Poland) and VSB (Czech Republic). It allows end-users to communicate at very high security levels.

    Security architecture for law enforcement agencies

    In order to carry out their duty to serve and protect, law enforcement agencies (LEAs) must deploy new tools and applications to keep up with the pace of evolving technologies. However, police information and communication technology (ICT) systems have stringent security requirements that may delay the deployment of these new applications, since necessary security measures must be implemented first. This paper presents an integrated security architecture for LEAs that is able to provide common security services to novel and legacy ICT applications, while fulfilling the high security requirements of police forces. By reusing the security services provided by this architecture, new systems do not have to implement custom security mechanisms themselves, and can be easily integrated into existing police ICT infrastructures. The proposed LEA security architecture features state-of-the-art technologies, such as encrypted communications at network and application levels, or multifactor authentication based on certificates stored in smart cards.

    Further Improvements of an existing IPv6 Network Mobility Test-bed

    Final-year degree project carried out in collaboration with TriaGnosys Gmb

    Dynamic server discovery based on location information using a balanced distributed hash table

    The current Internet includes a large number of distributed services. In order to guarantee the QoS of the communications in these services, a client has to select a close-by server with enough available resources. To achieve this objective, in this Thesis, we propose a simple and practical solution for Dynamic and Location Aware Server Discovery based on a Distributed Hash Table (DHT). Specifically, we decide to use a Chord DHT system (although any other DHT scheme can be used). In more detail, the solution works as follows. The servers offering a given service S form a Chord-like DHT. In addition, they register their location (topological and/or geographical) information in the DHT. Each client using the service S is connected to at least one server from the DHT. Eventually, a given client C realizes that it is connected to a server providing a bad QoS, then, it queries the DHT in order to find an appropriate server (i.e. a close-by server with enough available resources). We define 11 design criteria, and compare our solution to the Related Work based on them. We show that our solution is the most complete one. Furthermore, we validate the performance of our solution in two different scenarios: (i) NAT Traversal Server Discovery and (ii) Home Agent Discovery in Mobile IP scenarios. The former serves to validate our solution in a highly dynamic environment whereas the latter demonstrates the appropriateness of our solution in more classical environments where the servers are typically always-on hosts. The extra overhead suffered from the servers involved in our system comes from their participation in the Chord DHT. Therefore, it is critical to fairly balance the load among all the servers. In our system as well as in other P2P systems (e.g. P2PSIP) the stored objects are small, then routing dominates the cost of publishing and retrieving objects. 
Therefore, in the second part of this Thesis, we address the issue of fairly balancing the routing load in Chord DHTs. We present an analytical model to evaluate the routing fairness of Chord based on the well accepted Jain’s Fairness Index (FI). Our model shows that Chord performs poorly. Following this observation, we propose a simple enhancement to the Chord finger selection algorithm with the goal of mitigating this effect. The key advantage of our proposal as compared to previous approaches is that it adds a negligible overhead to the basic Chord algorithm. We validate the goodness of the proposed solution analytically and by large-scale simulations.

    In recent years a large number of distributed services have appeared on the Internet. To guarantee the Quality of Service of the communications in these services, their clients must connect to a nearby server with enough available resources. To achieve this objective, this Thesis proposes a simple and practical solution for Dynamic Server Discovery based on Location Information using a Distributed Hash Table (DHT). Specifically, we have decided to use a Chord-type DHT (although any other type of DHT can be used). We briefly describe our solution below. The servers that offer a specific service S form a Chord-type DHT in which they register their location information (topological and/or geographical). Each client using the service S is connected to at least one server of the DHT. If a client C perceives that the server it is connected to is offering a poor Quality of Service, C queries the DHT to find a more appropriate server (e.g. a nearby server with enough available resources).
The Thesis defines 11 design criteria and compares our solution with the existing solutions on the basis of them, showing that ours is the most complete solution. In addition, we validate the performance of our solution in two different scenarios: (i) Server Discovery for traversing Network Address Translators (NATs) and (ii) Home Agent (HA) Discovery in IP Mobility scenarios. The former serves to validate the performance of our solution in highly dynamic scenarios, while the latter demonstrates the validity of the solution in a more classical scenario where the servers are machines that run uninterruptedly. The servers involved in our system suffer an overhead due to their participation in the Chord-type DHT. Unfortunately, this overhead is inherent to the system described above and cannot be eliminated. What we can do, however, is balance the load as fairly as possible among all the servers. In our system, as in other P2P systems (e.g. P2PSIP), the stored objects are small, so the routing task dominates the cost of publishing and retrieving objects. Therefore, in the second part of this Thesis we address the balanced distribution of the routing load in Chord-type DHTs. First, we define an analytical model to evaluate the distribution of the routing load among the nodes that form a Chord-type DHT. For this we rely on a metric accepted by the research community, Jain’s Fairness Index (FI). The resulting model shows that Chord performs poorly in the fair distribution of the routing load. Based on this observation we propose a simple modification to the Chord finger selection algorithm to improve the distribution of the routing load.
The fundamental advantage of our solution compared with other earlier proposals is that our solution adds a negligible cost to the basic Chord algorithm. Finally, we validate the performance of our solution analytically and by means of large-scale simulations.

    Network Security Automation

    The abstract is in the attachment.

    An improved locator identifier split architecture (ILISA) to enhance mobility

    The increased use of mobile devices has prompted the need for efficient mobility management protocols to ensure continuity of communication sessions as users switch connection between available wireless access networks in an area. Locator/Identifier (LOC/ID) split architectures are designed to, among other functions, enable the mobility of nodes on the Internet. The protocols based on these architectures enable mobility by ensuring that the identifier (IP address) used for creating a communication session is maintained throughout the lifetime of the session and only the location of a mobile node (MN) is updated as the device moves. While the LOC/ID protocols ensure session continuity during handover, they experience packet loss and long service disruption times as the MN moves from one access network to another. The mobility event causes degradation of throughput, poor network utilisation, and affects the stability of some applications, such as video players. This poor performance was confirmed from the experiments we conducted on a laboratory testbed running Locator Identifier Separation Protocol MN (LISP-MN) and Mobile IPv6 (MIPv6). The MIPv6, as the standardised IETF mobility protocol, was used to benchmark the performance of LISP-MN. The poor performance recorded is owed to the design of the LISP-MN’s architecture, with no specific way of handling packets that arrive during handover events. Our main aim in this thesis is to introduce an Improved Locator/Identifier Split Architecture (ILISA) designed to enhance the mobility of nodes running a LOC/ID protocol by mitigating packet loss and reducing service disruption in handovers. A new network node, Loc-server, is central to the new architecture with the task of buffering incoming packets during handover and forwarding the packets to the MN on the completion of the node’s movement process. We implemented ILISA with LISP-MN on a laboratory testbed to evaluate its performance in different mobility scenarios. 
Our experimental results show a significant improvement in the mobility performance of MNs as reflected by the different network parameters investigated.

    Privacy-preserving Cooperative Services for Smart Traffic

    Communication technology and the increasing intelligence of things enable new qualities of cooperation. However, it is often unclear how complex functionality can be realized in a reliable and abuse-resistant manner without harming users' privacy in the face of strong adversaries. This thesis focuses on three functional building blocks that are especially challenging in this respect: cooperative planning, geographic addressing and the decentralized provision of pseudonymous identifiers.

    Infrastructure sharing of 5G mobile core networks on an SDN/NFV platform

    When looking towards the deployment of 5G network architectures, mobile network operators will continue to face many challenges. With the number of customers approaching maximum market penetration, the number of devices per customer increasing, and the number of non-human operated devices estimated to approach the tens of billions, network operators have a formidable task ahead of them. The proliferation of cloud computing techniques has created a multitude of applications for network services deployments, and at the forefront is the adoption of Software-Defined Networking (SDN) and Network Functions Virtualisation (NFV). Mobile network operators (MNO) have the opportunity to leverage these technologies so that they can enable the delivery of traditional networking functionality in cloud environments. The benefit of this is reductions seen in the capital and operational expenditures of network infrastructure. When going for NFV, how a Virtualised Network Function (VNF) is designed, implemented, and placed over physical infrastructure can play a vital role on the performance metrics achieved by the network function. Not paying careful attention to this aspect could lead to the drastically reduced performance of network functions thus defeating the purpose of going for virtualisation solutions. The success of mobile network operators in the 5G arena will depend heavily on their ability to shift from their old operational models and embrace new technologies, design principles and innovation in both the business and technical aspects of the environment. The primary goal of this thesis is to design, implement and evaluate the viability of data centre and cloud network infrastructure sharing use case. More specifically, the core question addressed by this thesis is how virtualisation of network functions in a shared infrastructure environment can be achieved without adverse performance degradation.
5G should be operational with high penetration beyond the year 2020 with data traffic rates increasing exponentially and the number of connected devices expected to surpass tens of billions. Requirements for 5G mobile networks include higher flexibility, scalability, cost effectiveness and energy efficiency. Towards these goals, Software Defined Networking (SDN) and Network Functions Virtualisation have been adopted in recent proposals for future mobile networks architectures because they are considered critical technologies for 5G. A Shared Infrastructure Management Framework was designed and implemented for this purpose. This framework was further enhanced for performance optimisation of network functions and underlying physical infrastructure. The objective achieved was the identification of requirements for the design and development of an experimental testbed for future 5G mobile networks. This testbed deploys high performance virtualised network functions (VNFs) while catering for the infrastructure sharing use case of multiple network operators. The management and orchestration of the VNFs allow for automation, scalability, fault recovery, and security to be evaluated. The testbed developed is readily re-creatable and based on open-source software.