36 research outputs found

    Layer 2 Ethernet Communication Tunneling Possibilities in Automation Systems

    Future trends in energy generation are renewable energy sources and distributed energy generation. In control systems, these changes require higher automatization, more intelligent devices, and secure and reliable communication. Another requirement is faster communication. Building a system that is able to fulfill real-time communication requirements over the network layer is a hindrance to automation systems. There are multiple protocols that can manage the requirements, but many of them have limitations and requirements of their own. The limitations can be related to packet sizes or the devices used, or they may require a license. Tunneling protocols can bring a more general solution for the real-time problem. Tunneling Ethernet communication over the network layer and letting the tunneling protocol handle the network layer packaging instead of the communication protocol removes the need for a layer 3 protocol. Layer 2 tunneling provides a direct connection between separate local area networks. It enables devices to communicate with each other over the network layer using layer 2 communication protocols. The tunnel uses a pre-configured route to the destination gateway device, making the routing of messages simpler and faster than with traditional IP routing. Layer 2 tunneling can be used in any communication system that utilizes layer 2 and layer 3 communication. This thesis focuses on the use of tunneling in automation systems. The purpose of this thesis is to provide information and possible solutions for layer 2 Ethernet tunneling. The main focus is on suitable tunneling protocols and communication protocols, but security and resilience solutions are also studied. This thesis is composed of published studies, research, articles and books that address the topic.

    Optimization of low-efficiency traffic in OpenFlow Software Defined Networks

    This paper proposes a method for optimizing bandwidth usage in Software Defined Networks (SDNs) based on OpenFlow. Flows of small packets presenting a high overhead, such as those generated by emerging services, can be identified by the SDN controller in order to remove header fields that are common to every packet in the flow, only during their way through the SDN. At the same time, several packets can be multiplexed together in the same frame, thus reducing the number of sent frames. Four kinds of small-packet traffic flows are considered (VoIP, UDP and TCP-based online games, and ACKs from TCP flows). Both IPv4 and IPv6 are tested, and significant bandwidth savings (up to 68 % for IPv4 and 78 % for IPv6) can be obtained for the considered kinds of traffic.

    Cyber-Security Solutions for Ensuring Smart Grid Distribution Automation Functions

    The future generation of the electrical network is known as the smart grid. The distribution domain of the smart grid intelligently supplies electricity to the end-users with the aid of decentralized Distribution Automation (DA), in which intelligent control functions are distributed and accomplished via real-time communication between the DA components. Internet-based communication via open protocols is the latest trend for decentralized DA communication. Internet communication has many benefits, but it exposes the critical infrastructure's data to cyber-security threats. Security attacks may not only make DA services unreachable but may also result in undesirable physical consequences and serious damage to the distribution network environment. Therefore, it is compulsory to protect DA communication against such attacks. There is no single model for securing DA communication. In fact, the security level depends on several factors such as application requirements, communication media, and, of course, the cost. There are several smart grid security frameworks and standards under development by different organizations. However, the smart grid cyber-security field has not yet reached full maturity and is still in the early phase of its progress. Security protocols from IT and computer networks can be utilized to secure DA communication because industrial ICT standards have been designed in accordance with the Open Systems Interconnection model. Furthermore, state-of-the-art DA concepts such as the Active distribution network tend to integrate processing data into IT systems. This dissertation addresses cyber-security issues in the following DA functions: substation automation, feeder automation, Logic Selectivity, customer automation and Smart Metering.
Real-time simulation of the distribution network, along with actual automation and data networking devices, is used to create a hardware-in-the-loop simulation and to experiment with the mentioned DA functions over Internet communication. This communication is secured by proposing the following cyber-security solutions. This dissertation proposes security solutions for substation automation by developing an IEC61850-TLS proxy and adding an OPC Unified Architecture (OPC UA) Wrapper to the Station Gateway. Messages secured by Transport Layer Security (TLS) and OPC UA security are created for protecting substation local and remote communications. Data availability is the main concern, which is solved by designing redundant networks. The dissertation also proposes cyber-security solutions for feeder automation and Logic Selectivity. In feeder automation, a Centralized Protection System (CPS) is proposed as the place for making decentralized feeder automation decisions. In addition, applying IP security (IPsec) in Tunnel mode is proposed to establish a secure communication path for feeder automation messages. In Logic Selectivity, Generic Object Oriented Substation Events (GOOSE) are exchanged between the substations. First, the functional characteristics of Logic Selectivity are analyzed. Then, Layer 2 Tunneling over IPsec in Transport mode is proposed to create a secure communication path for exchanging GOOSE over the Internet. Next, the impact of communication on Logic Selectivity performance is investigated by measuring the jitter and latency of the GOOSE communication. Lastly, the reliability improvement achieved by Logic Selectivity is evaluated by calculating reliability indices. Customer automation is the additional extension to smart grid DA. This dissertation proposes an integration solution for the heterogeneous communication parties (TCP/IP and Controller Area Network) in the Home Area Network.
The developed solution applies Secure Socket Layer in order to create secured messages. The dissertation also proposes a Secondary Substation Automation Unit (SSAU) for real-time communication of low voltage data to the metering database. Point-to-Point Tunneling Protocol is proposed to create a secure communication path for Smart Metering data. The security analysis shows that the proposed security solutions provide the security requirements (Confidentiality, Integrity and Availability) for DA communication. Thus, communication is protected against security attacks and DA functions are ensured. In addition, CPS and SSAU are proposed to distribute intelligence over the substation level.

    Network virtualization in the enterprise

    Companies have different groups of users with specific needs. Many of the differences between them translate into specific networking requirements. Within the same company, these requirements are usually so different that the different groups must be treated as distinct customers by the IT department. As the number of groups grows, keeping them separate and secure is a major challenge. The term virtualization is used in several contexts, such as virtualization of servers, applications, storage devices and network infrastructure. Network virtualization outlines the virtualization of the architectures, technologies and techniques belonging to the network infrastructure. Network virtualization in the enterprise aims to resolve situations that ensure optimal use of existing resources, such as: cost reduction; simplification of operational, administration and management tasks; high availability; creation of new business models; installation of industrial parks with multiple customers; organization of virtualized data centers. In this sense, design guidelines must be provided for virtualized enterprise networks, taking into account the different technologies and the business requirements they must serve. Likewise, a fundamental aspect to consider is the interaction with the connectivity Service Provider, in order to guarantee both the Service Level (specified by means of Service Levels: SLA, OLA) and the appropriate security level. Throughout this document the state of the art of network virtualization is studied, breaking down the different technologies used for its implementation.
Both in traditional networking technologies and in the new trends, a rather complex mix can be observed, with many options available to the designer / implementer of virtualized networks. One of the objectives covered in this work is to attempt to set out concrete scenarios together with the technologies and techniques considered most appropriate to resolve them. In that sense, tables are provided as a summary that can be used as guides to resolve a particular scenario. These are used in the case study, where network virtualization techniques are applied to resolve a given scenario with certain constraints.

    Small-Packet Flows in Software Defined Networks: Traffic Profile Optimization

    This paper proposes a method for optimizing bandwidth usage in Software Defined Networks (SDNs) based on OpenFlow. Flows of small packets presenting a high overhead, such as those generated by emerging services, can be identified by the SDN controller in order to remove header fields that are common to every packet in the flow, only during their way through the SDN. At the same time, several packets can be multiplexed together in the same frame, thus reducing the overall number of frames. The method can be useful for providing QoS while the packets are traversing the SDN. Four kinds of small-packet traffic flows are considered (VoIP, UDP and TCP-based online games, and ACKs from TCP flows). Both IPv4 and IPv6 are studied, and significant bandwidth savings (up to 68 % for IPv4 and 78 % for IPv6) can be obtained for the considered kinds of traffic. The optimization method is also applied to different public Internet traffic traces, and significant reductions in terms of packets per second are achieved. Results show that bandwidth consumption is also reduced, especially in those traces where the percentage of small packets is high. Regarding the effect on QoS, the additional delay can be kept very low (below 1 millisecond) when the throughput is high, but it may become significant for low-throughput scenarios. Thus, a trade-off between bandwidth saving and additional delay appears in those cases.

    Design and Performance Analysis of Functional Split in Virtualized Access Networks

    Emerging modular cable network architectures distribute some cable headend functions to remote nodes that are located close to the broadcast cable links reaching the cable modems (CMs) in the subscriber homes and businesses. In the Remote-PHY (R-PHY) architecture, a Remote PHY Device (RPD) conducts the physical layer processing for the analog cable transmissions, while the headend runs the DOCSIS medium access control (MAC) for the upstream transmissions of the distributed CMs over the shared cable link. In contrast, in the Remote MACPHY (R-MACPHY) architecture, a Remote MACPHY Device (RMD) conducts both the physical and MAC layer processing. The dissertation objective is to conduct a comprehensive performance comparison of the R-PHY and R-MACPHY architectures. It also develops analytical delay models for the polling-based MAC with Gated bandwidth allocation of Poisson traffic in the R-PHY and R-MACPHY architectures, and conducts extensive simulations to assess the accuracy of the analytical model and to evaluate the delay-throughput performance of the R-PHY and R-MACPHY architectures for a wide range of deployment and operating scenarios. Performance evaluations extend to the use of Ethernet Passive Optical Network (EPON) as the transport network between remote nodes and headend. The results show that for long CIN distances above 100 miles, the R-MACPHY architecture achieves significantly shorter mean upstream packet delays than the R-PHY architecture, especially for bursty traffic. The extensive comparative R-PHY and R-MACPHY evaluation can serve as a basis for the planning of modular broadcast cable based access networks. Doctoral Dissertation, Electrical Engineering, 201

    Multi Protocol Label Switching: Quality of Service, Traffic Engineering application, and Virtual Private Network application

    This thesis discusses the QoS feature, Traffic Engineering (TE) application, and Virtual Private Network (VPN) application of the Multi Protocol Label Switching (MPLS) protocol. This thesis concentrates on comparing MPLS with other prominent technologies such as Internet Protocol (IP), Asynchronous Transfer Mode (ATM), and Frame Relay (FR). MPLS combines the flexibility of IP with the connection-oriented approach of ATM or FR. Section 1 lists several advantages MPLS brings over other technologies. Section 2 covers the architecture and a brief description of the key components of MPLS. The information provided in Section 2 builds a background to compare MPLS with the other technologies in the rest of the sections. Since it is anticipated that MPLS will be a main core network technology, MPLS is required to work with the two currently available QoS architectures: the Integrated Service (IntServ) architecture and the Differentiated Service (DiffServ) architecture. Even though MPLS does not introduce a new QoS architecture or enhance the existing QoS architectures, it works seamlessly with both QoS architectures and provides proper QoS support to the customer. Section 3 provides the details of how MPLS supports various functions of the IntServ and DiffServ architectures. TE helps Internet Service Providers (ISPs) optimize the use of available resources, minimize operational costs, and maximize revenues. MPLS provides efficient TE functions which prove to be superior to IP and ATM/FR. Section 4 discusses how MPLS supports the TE functionality and what makes MPLS superior to other competitive technologies. ATM and FR are still required as a backbone technology in some areas where converting the backbone to IP or MPLS does not make sense or customer demands simply require ATM or FR. In this case, it is important for MPLS to work with ATM and FR.
Section 5 highlights the interoperability issues and solutions for MPLS while working in conjunction with ATM and FR. In Section 6, various VPN tunnel types are discussed and compared with the MPLS VPN tunnel type. The MPLS VPN tunnel type is concluded to be an optimal tunnel approach because it provides security, multiplexing, and the other important features that are required by the VPN customer and the ISP. Various MPLS layer 2 and layer 3 VPN solutions are also briefly discussed. In Section 7 I conclude with the details of an actual implementation of a layer 3 MPLS VPN solution that works in conjunction with Border Gateway Protocol (BGP).

    Building mobile L2TP/IPsec tunnels

    Wireless networks introduce a whole range of challenges to the traditional TCP/IP network, especially Virtual Private Networks (VPNs). A changing IP address is a difficult issue for VPNs in wireless networks because IP addresses are used as one of the identifiers of a VPN connection, and a change of IP address will break the original connection. The current solution to this problem is to run VPN tunnels over Mobile IP (MIP). However, Mobile IP itself has significant problems in performance and security, and that solution is inefficient due to double tunneling. This thesis proposes and implements a new and novel solution on simulators and real devices to solve the mobility problem in a VPN. The new solution adds mobility support to existing L2TP/IPsec (Layer 2 Tunneling Protocol/IP Security) tunnels. The new solution tunnels Layer 2 packets between VPN clients and a VPN server without using Mobile IP, without incurring tunnel re-establishment at handoff, and without losing packets during handoff; it achieves better security than current mobility solutions for VPNs and supports fast handoff in IPv4 networks. Experimental results on a VMware simulation showed the handoff time for the VPN tunnel to be 0.08 seconds, much better than the current method, which requires a new tunnel establishment at a cost of 1.56 seconds. Experimental results with a real network of computers showed the handoff time for the VPN tunnel to be 4.8 seconds. This delay was mainly caused by getting an IP address from DHCP servers via wireless access points (4.6 seconds). The time for VPN negotiation was only 0.2 seconds. The experimental result proves that the proposed mobility solution greatly reduces the VPN negotiation time, but getting an IP address from DHCP servers is a large delay which obstructs real-world application.
This problem can be solved by introducing fast DHCP or by supplying an IP address from a new wireless access point with a strong signal while the current Internet connection is weak. Currently, there is little work on fast DHCP, and this may open a range of new research opportunities.

    A survey of the interaction between security protocols and transport services

    This document provides a survey of commonly used or notable network security protocols, with a focus on how they interact and integrate with applications and transport protocols. Its goal is to supplement efforts to define and catalog Transport Services by describing the interfaces required to add security protocols. This survey is not limited to protocols developed within the scope or context of the IETF, and those included represent a superset of the features a Transport Services system may need to support.

    An Overview of Operations, Administration, and Maintenance (OAM) Tools
