A High-Throughput Hardware Implementation of NAT Traversal For IPSEC VPN

In this paper, we present a high-throughput FPGA implementation of IPSec core. The core supports both NAT and non-NAT mode and can be used in high speed security gateway devices. Although IPSec ESP is very computing intensive for its cryptography process, our implementation shows that it can achieve high throughput and low lantency. The system is realized on the Zynq XC7Z045 from Xilinx and was verified and tested in practice. Results show that the design can gives a peak throughput of 5.721 Gbps for the IPSec ESP tunnel mode in NAT mode and 7.753 Gbps in non-NAT mode using one single AES encrypt core. We also compare the performance of the core when running in other mode of encryption

Securing Internet of Things with Lightweight IPsec

Real-world deployments of wireless sensor networks (WSNs) require secure communication. It is important that a receiver is able to verify that sensor data was generated by trusted nodes. In some cases it may also be necessary to encrypt sensor data in transit. Recently, WSNs and traditional IP networks are more tightly integrated using IPv6 and 6LoWPAN. Available IPv6 protocol stacks can use IPsec to secure data exchange. Thus, it is desirable to extend 6LoWPAN such that IPsec communication with IPv6 nodes is possible. It is beneficial to use IPsec because the existing end-points on the Internet do not need to be modified to communicate securely with the WSN. Moreover, using IPsec, true end-to-end security is implemented and the need for a trustworthy gateway is removed. In this paper we provide End-to-End (E2E) secure communication between an IP enabled sensor nodes and a device on traditional Internet. This is the first compressed lightweight design, implementation, and evaluation of 6LoWPAN extension for IPsec on Contiki. Our extension supports both IPsec's Authentication Header (AH) and Encapsulation Security Payload (ESP). Thus, communication endpoints are able to authenticate, encrypt and check the integrity of messages using standardized and established IPv6 mechanisms

Wireless backhaul in future cellular communication

Abstract. In 5G technology, huge number of connected devices are needed to be considered where the expected throughput is also very ambitious. Capacity is needed and thus used frequencies are expected to get higher (above 6 GHz even up to 80 GHz), the Cell size getting smaller and number of cells arising significantly. Therefore, it is expected that wireless backhaul will be one option for Network operators to deliver capacity and coverage for high subscriber density areas with reduced cost. Wireless backhaul optimization, performance and scalability will be on the critical path on such cellular system. This master’s thesis work includes connecting a base station by using the wireless backhaul by introducing a VPN in the proposed network. We find the bottleneck and its solution. The network is using 3.5 GHz wireless link instead of LAN wire for backhaul link between the EnodeB and the core network (OpenEPC). LTE TDD band 42 acting as a Wireless Backhaul (Link between EnodeB and Band 42 CPE Router). The status and attachment procedure are observed from different nodes of the openEPC and from the VPN machine. Step by step we have established a tunnel between the CPE device and the VPN server using PPTP and L2TP with IPSec tunneling protocol. The progression towards the final implementation brings in step by step all difficulties and bottlenecks are documented in the study

Mobile IP: state of the art report

Due to roaming, a mobile device may change its network attachment each time it moves to a new link. This might cause a disruption for the Internet data packets that have to reach the mobile node. Mobile IP is a protocol, developed by the Mobile IP Internet Engineering Task Force (IETF) working group, that is able to inform the network about this change in network attachment such that the Internet data packets will be delivered in a seamless way to the new point of attachment. This document presents current developments and research activities in the Mobile IP area

Extension of IPSec for Port Control

インターネットは現代社会において欠くことのできない存在となっている。最近では、外出先などからインターネットを使って安全に社内へアクセスしたり、特定のビジネスパートナーに対して安全に情報提供したりするニーズが高まっている。このようなニーズに対して専用線を用いる方法があるが、コストが高いという問題があった。インターネットを利用した場合にはコストの削減が可能であるが、データの盗聴・改ざんの危険が存在する。この両方の問題を改善するものとしてVPN (Virtual Private Network)が考えられた。VPNに使われる技術の１つにIPsecがある。本論文では、このIPsecについて、アプリケーションごとに制御できるように機能の追加を行う。修士論

Methods of information protection in telecommunication systems

The manual covers the basics of information security in ITS. Examples of practical implementation of modern methods and means of providing security in local networks are given. Each example is designed as a laboratory work. Laboratory work contains basic information about methods of information protection in local networks, methodical instructions on the procedure for its implementation and requirements for the formulation of conclusions. The material is aimed at a wide range of researchers and pedagogical staff who deal with information security and ITS safety issues, as well as graduate students and undergraduates of higher education institutions who study the specialty "Information and Communication Systems Security" in specialty 125 "Cybersecurity" in the field of knowledge " Information Technology"

A Repeater Encryption Unit for IPv4 and IPv6

IPsec is a powerful mechanism for protecting network communications. However, it is often viewed as difficult to use due to the elaborate configuration that is needed to ensure correct (and secure) operation. In this paper, we seek to answer the question of how to build IPsec VPNs without affecting the network assets. We exploit "repeater-encryption", which is similar to the IPsec bump-in-the-wire mode of operation. Our IPsec encryption unit works at Layer-2 of the network stack and does not encrypt control packets that are used for routing, address resolution and resource reservation. Although this is fairly straightforward for IPv4 networks, IPv6 introduces several new features and messages that complicate the operation of such a box. We report our findings of implementing transparent, repeater-based IPsec protection for IPv4 and IPv6. Our approach requires no configuration changes to other devices in the network, making it an attractive mechanism for security network traffic. We discuss the features of our IPsec encryption unit and show how it adapts to IPv4 and IPv6 networks. We also implement our approach on the OpenBSD IPsec stack to demonstrate its feasibility. We show that our transparent IPsec box can easily support speeds in excess of 100 Mbps

Visually Managing IPsec

The United States Air Force relies heavily on computer networks to transmit vast amounts of information throughout its organizations and with agencies throughout the Department of Defense. The data take many forms, utilize different protocols, and originate from various platforms and applications. It is not practical to apply security measures specific to individual applications, platforms, and protocols. Internet Protocol Security (IPsec) is a set of protocols designed to secure data traveling over IP networks, including the Internet. By applying security at the network layer of communications, data packets can be secured regardless of what application generated the data or which protocol is used to transport it. However, the complexity of managing IPsec on a production network, particularly using the basic command-line tools available today, is the limiting factor to widespread deployment. This thesis explores several visualizations of IPsec data, evaluates the viability of using visualization to represent and manage IPsec, and proposes an interface for a visual IPsec management application to simplify IPsec management and make this powerful security option more accessible to the information warfighter

Rationale, Scenarios, and Profiles for the Application of the Internet Protocol Suite (IPS) in Space Operations

This greenbook captures some of the current, planned and possible future uses of the Internet Protocol (IP) as part of Space Operations. It attempts to describe how the Internet Protocol is used in specific scenarios. Of primary focus is low-earth-orbit space operations, which is referred to here as the design reference mission (DRM). This is because most of the program experience drawn upon derives from this type of mission. Application profiles are provided. This includes parameter settings programs have proposed for sending IP datagrams over CCSDS links, the minimal subsets and features of the IP protocol suite and applications expected for interoperability between projects, and the configuration, operations and maintenance of these IP functions. Of special interest is capturing the lessons learned from the Constellation Program in this area, since that program included a fairly ambitious use of the Internet Protocol