Traversing NAT: A Problem

This quasi-experimental before-and-after study measured and analyzed the impacts of adding security to a new bi-directional Network Address Translation (NAT). Literature revolves around various types of NAT, their advantages and disadvantages, their security models, and networking technologies’ adoption. The study of the newly created secure bi-directional model of NAT showed statistically significant changes in the variables than another model using port forwarding. Future research of how data will traverse networks is crucial in an ever-changing world of technology

Evaluating the performance of Netfilter architecture in Private Realm Gateway.

Network address translation(NAT) was introduced to decelerate the IPv4 ad- dresses depletion through separation of a network into the public and private realm. The hosts in a private network connect to the public Internet by sharing a pool of public IP addresses, and NAT acts as a gateway between the public and the private networks. Although NAT alleviates the problem of addresses deple- tion, it leads to a reachability problem as NAT would generally block any outside connections to the private network from the Internet. This thesis examines a new concept called Private Realm Gateway(PRGW) which is developed to overcome the shortcoming of NAT. PRGW imitates the NAT func- tionality and allows the inbound connections initiated from the public networks towards a private realm via the Circular Pool of Public Addresses (CPPA). PRGW provides interoperability between the legacy IP network and hosts in the private networks and vice-versa, using pre-existing TCP/IP protocols and applications. PRGW has been implemented on top of Linux operating system, and therefore, the primary approach in this thesis is to evaluate the forwarding performance of Linux kernel networking (Netfilter subsystem), as well as inspect the possible performance tuning methods to achieve higher packets processing rates. The performance of Netfilter is evaluated by offering heavy traffic load to measure packet forwarding capability, memory usage by IP traffic as well as overloading the CPU process. In addition, the stateful mechanism for packet filtering and NAT routing was evaluated using appropriate iptables lookup and packets traversing through different chains. When conducting the various tests, by adjusting different parameters in Linux Netfilter subsystem revels that the PRGW can be deployed over the Linux architecture

Migration to a New Internet Protocol in Operator Network

This thesis explains the differences between IPv4 and IPv6. Another important part of the thesis is to review the current readiness of IPv6 for worldwide production use. The status (in terms of readiness, adaptability, compatibility and co-existence) of IPv6 in TeliaSonera is discussed in more detail. The most important reason for migrating to IPv6 is the address exhaustion of IPv4. This may not be a big problem in the developed countries but in developing countries the growth of Internet is fast and lots of more addresses are needed. The need for addresses is not only from computers but from many devices connected to the Internet. Attempts to slow down the exhaustion of free addresses have been made but current solutions are not enough. IPv6 will solve the problem by using much longer addresses. It will also add security features and simplify headers to speed up routing. TeliaSonera has started to roll out IPv6 services. At the beginning the corporate customers will receive IPv6 connectivity and consumers will follow later. TeliaSonera International Carrier is already serving its customers with IPv6. It seems that IPv6 is ready, standards have been ready for years and support in devices and software is prevalent. To achieve and keep up the global connectivity, IPv6 is a must and should not be avoided

Asiakasreunakytkennän testausalustan kehitys

Customer Edge Switching (CES) and Realm Gateway (RGW) are technologies designed to solve core challenges of the modern Internet. Challenges include the ever increasing amount of devices connected to the Internet and risks created by malicious parties. CES and RGW leverage existing technologies like Domain Name System (DNS). Software testing is critical for ensuring correctness of software. It aims to ensure that products and protocols operate correctly. Testing also aims to find any critical vulnerabilities in the products. Fuzz testing is a field of software testing allowing automatic iteration of unexpected inputs. In this thesis work we evaluate two CES versions in performance, in susceptibility of Denial of Service (DoS) and in weaknesses related to use of DNS. Performance is an important metric for switches. Denial of Service is a very common attack vector and use of DNS in new ways requires critical evaluation. The performance of the old version was sufficient. Some clear issues were found. The version was vulnerable against DoS. Oversights in DNS operation were found. The new version shows improvement over the old one. We also evaluated suitability of expanding Robot Framework for fuzz testing Customer Edge Traversal Protocol (CETP). We conclude that the use of the Framework was not the best approach. We also developed a new testing framework using Robot Framework for the new version of CES.Customer Edge Switching (CES) asiakasreunakytkentä ja Realm Gateway (RGW) alueen yhdyskäytävä tarjoavat ratkaisuja modernin Internetin ydinongelmiin. Ydinongelmiin kuuluvat kytkettyjen laitteiden määrän jatkuva kasvu ja pahantahtoisten tahojen luomat riskit. CES ja RGW hyödyntävät olemassa olevia tekniikoita kuten nimipalvelua (DNS). Ohjelmistojen oikeellisuuden varmistuksessa testaus on välttämätöntä. Sen tavoitteena on varmistaa tuotteiden ja protokollien oikea toiminnallisuus. Testaus myös yrittää löytää kriittiset haavoittuvuudet ohjelmistoissa. Sumea testaus on ohjelmistotestauksen alue, joka mahdollistaa odottamattomien syötteiden automaattisen läpikäynnin. Tässä työssä arvioimme kahden CES version suorituskykyä, palvelunestohyökkäyksien sietoa ja nimipalvelun käyttöön liittyviä heikkouksia. Suorituskyky on tärkeä mittari kytkimille. Palvelunesto on erittäin yleinen hyökkäystapa ja nimipalvelun uudenlainen käyttö vaatii kriittistä arviointia. Vanhan version suorituskyky oli riittävä. Joitain selviä ongelmia löydettiin. Versio oli haavoittuvainen palvelunestohyökkäyksille. Löysimme epätarkkuuksia nimipalveluiden toiminnassa. Uusi versio vaikuttaa paremmalta kuin vanha versio. Arvioimme työssä myös Robot Framework testausalustan laajentamisen soveltuvuutta Customer Edge Traversal Protocol (CETP) asiakasreunalävistysprotokollan sumeaan testaukseen. Toteamme, ettei alustan käyttö ollut paras lähestymistapa. Esitämme myös työmme Robot Framework alustaa hyödyntävän testausalustan kehityksessä nykyiselle CES versiolle. Kehitimme myös uuden testausalustan uudelle CES versiolle hyödyntäen Robot Frameworkia

IPv6 : prospects and problems : a technical and management investigation into the deployment of IPv6

Masteroppgave i informasjons- og kommunikasjonsteknologi 2003 - Høgskolen i Agder, GrimstadIPv4 has been used for over twenty years, and will most likely be used in many years ahead. However, we are now experiencing that the IPv4 address space is running out, resulting in restrictions on who will be able to get these types of addresses assigned to them. Methods such as Network Address Translator (NAT) have been developed and implemented in order to save the IPv4 address space. It is said that this is not a good enough solution, as such techniques introduce new problems at the same time solving some. A new version of the Internet Protocol, IPv6, has been developed and is likely to replace IPv4. IPv6 has been developed to solve the address problem, but also new features are designed to supposedly enhance network traffic. In our thesis we give an overview of the problems with IPv4. This includes the limited address space and the limited quality of service. Further we present the features of IPv6 that are meant to solve these problems and add new possibilities. These are: New address format, the IPv6 header and Extension headers to mention some. Further we have investigated and here present how the transition from IPv4 to IPv6 is expected to take place, followed by a thorough description of the transition mechanisms. One of the original intentions on the development of IPv6 was that IPv4 and IPv6 have to be able to coexist for a long period of time. Transition mechanisms have therefore been designed to make this possible. There are three main types of mechanisms: - Tunnelling - Translation - Dual-stack. Each of these mechanisms requires different configuration and implementations in hosts and network. Technical research on transition mechanisms states that these are not good enough for all IPv6/IPv4 scenarios and need improvements in order to make IPv4 and IPv6 coexist smoothly. There are a lot of transition mechanisms that are agreed upon as being good for general use and then there are transition mechanisms that are good for certain scenarios and not for others. Some scenarios still lack a good translation mechanism. As a result of this, IPv6 networks are being built separately from IPv4 networks. In Asia commercial IPv6 networks are offered, while the process is slower in other parts of the world. The reasons for not building IPv6 networks are many, and not agreed upon. Some believe it is because of economical restrictions, while others claim it is technical reasons and that it exists far too few applications supporting IPv6. The number of IPv6 enabled applications is growing. Large companies like; Microsoft Corporation, Cisco Systems Inc, Apple Computers Inc., Sun Microsystems Inc and various versions of Linux include support for IPv6. The deployment of IPv6 is expected to happen at different times in different parts of the world. We have investigated the status of IPv6 globally and in Norway. The main results are that the roll-out has reached the furthest in Asia where commercial IPv6 networks already are offered. The activity in Norway is still small, but growing. It was desired to run an experiment in order to prove or disprove some of the information we gathered on how IPv6 interoperates with IPv4, but because of limitations in the network at Heriot-Watt University we were not able to do this. Instead we have focused on a project by Telenor R&D; “IPv6 migration of unmanaged networks-The Tromsø IPv6 Pilot”. We also gathered some information from people working at Norwegian ISPs in order to address some of the aspects of the upgrading

IP Mobility in Wireless Operator Networks

Wireless network access is gaining increased heterogeneity in terms of the types of IP capable access technologies. The access network heterogeneity is an outcome of incremental and evolutionary approach of building new infrastructure. The recent success of multi-radio terminals drives both building a new infrastructure and implicit deployment of heterogeneous access networks. Typically there is no economical reason to replace the existing infrastructure when building a new one. The gradual migration phase usually takes several years. IP-based mobility across different access networks may involve both horizontal and vertical handovers. Depending on the networking environment, the mobile terminal may be attached to the network through multiple access technologies. Consequently, the terminal may send and receive packets through multiple networks simultaneously. This dissertation addresses the introduction of IP Mobility paradigm into the existing mobile operator network infrastructure that have not originally been designed for multi-access and IP Mobility. We propose a model for the future wireless networking and roaming architecture that does not require revolutionary technology changes and can be deployed without unnecessary complexity. The model proposes a clear separation of operator roles: (i) access operator, (ii) service operator, and (iii) inter-connection and roaming provider. The separation allows each type of an operator to have their own development path and business models without artificial bindings with each other. We also propose minimum requirements for the new model. We present the state of the art of IP Mobility. We also present results of standardization efforts in IP-based wireless architectures. Finally, we present experimentation results of IP-level mobility in various wireless operator deployments.Erilaiset langattomat verkkoyhteydet lisääntyvät Internet-kykyisten teknologioiden muodossa. Lukuisten eri teknologioiden päällekkäinen käyttö johtuu vähitellen ja tarpeen mukaan rakennetusta verkkoinfrastruktuurista. Useita radioteknologioita (kuten WLAN, GSM ja UMTS) sisältävien päätelaitteiden (kuten älypuhelimet ja kannettavat tietokoneet) viimeaikainen kaupallinen menestys edesauttaa uuden verkkoinfrastruktuurin rakentamista, sekä mahdollisesti johtaa verkkoteknologioiden kirjon lisääntymiseen. Olemassa olevaa verkkoinfrastruktuuria ei kaupallisista syistä kannata korvata uudella teknologialla yhdellä kertaa, vaan vaiheittainen siirtymävaihe kestää tyypillisesti useita vuosia. Internet-kykyiset päätelaitteet voivat liikkua joko saman verkkoteknologian sisällä tai eri verkkoteknologioiden välillä. Verkkoympäristöstä riippuen liikkuvat päätelaitteet voivat liittyä verkkoon useiden verkkoyhteyksien kautta. Näin ollen päätelaite voi lähettää ja vastaanottaa tietoliikennepaketteja yhtäaikaisesti lukuisia verkkoja pitkin. Tämä väitöskirja käsittelee Internet-teknologioiden liikkuvuutta ja näiden teknologioiden tuomista olemassa oleviin langattomien verkko-operaattorien verkkoinfrastruktuureihin. Käsiteltäviä verkkoinfrastruktuureita ei alun perin ole suunniteltu Internet-teknologian liikkuvuuden ja monien yhtäaikaisten yhteyksien ehdoilla. Tässä työssä ehdotetaan tulevaisuuden langattomien verkkojen arkkitehtuurimallia ja ratkaisuja verkkovierailujen toteuttamiseksi. Ehdotettu arkkitehtuuri voidaan toteuttaa ilman mittavia teknologisia mullistuksia. Mallin mukaisessa ehdotuksessa verkko-operaattorin roolit jaetaan selkeästi (i) verkko-operaattoriin, (ii) palveluoperaattoriin ja (iii) yhteys- sekä verkkovierailuoperaattoriin. Roolijako mahdollistaa sen, että kukin operaattorityyppi voi kehittyä itsenäisesti, ja että teennäiset verkkoteknologiasidonnaisuudet poistuvat palveluiden tuottamisessa. Työssä esitetään myös alustava vaatimuslista ehdotetulle mallille, esimerkiksi yhteysoperaattorien laatuvaatimukset. Väitöskirja esittelee myös liikkuvien Internet-teknologioiden viimeisimmän kehityksen. Työssä näytetään lisäksi standardointituloksia Internet-kykyisissä langattomissa arkkitehtuureissa

Investigation into performance of IPV4 and IPV6 transition mechanisms and distributed NAT-PT implementation

Master'sMASTER OF SCIENC