10 research outputs found

    Performance evaluation of HIP-based network security solutions

    Abstract. Host Identity Protocol (HIP) is a networking technology that systematically separates the identifier and locator roles of IP addresses and introduces a Host Identity (HI) name space based on a public key security infrastructure. This modification offers a series of benefits such as mobility, multi-homing, end-to-end security, signaling, control/data plane separation, firewall security, etc. Although HIP has not yet been sufficiently applied in mainstream communication networks, industry experts foresee its potential as an integral part of next generation networks. HIP can be used in various HIP-aware applications as well as in traditional IP-address-based applications and networking technologies, taking middleboxes into account. One such application is Virtual Private LAN Service (VPLS), a widely used method of providing an Ethernet-based Virtual Private Network that supports the connection of geographically separated sites into a single bridged domain over an IP/MPLS network. The popularity of VPLS among commercial and defense organizations underscores the need for robust security features to protect both data and control information. After investigating the different approaches to HIP, a real-world testbed is implemented. Two experiment scenarios were evaluated: one is performed on two open source Linux-based HIP implementations (HIPL and OpenHIP) and the other on two sets of enterprise equipment from two different companies (Tempered Networks and Byres Security). To account for a heterogeneous mix of network types, the open source HIP implementations were evaluated in different network environments, namely Local Area Network (LAN), Wireless LAN (WLAN), and Wide Area Network (WAN). Each scenario is tested and evaluated for performance in terms of throughput, latency, and jitter. The measurement results confirmed the assumption that no single solution is optimal in all considered aspects and scenarios. 
For instance, in the open source implementations, the performance penalty of security on TCP throughput in the WLAN scenario is smaller in HIPL than in OpenHIP, while in the WAN scenario the reverse is the case. A similar outcome is observed for the UDP throughput. However, on latency, HIPL showed lower latency in all three network test scenarios. For the legacy equipment experiment, the penalty of security on TCP throughput is about 19% compared with the non-secure scenario, while latency is increased by about 87%. This work therefore provides viable information for researchers and decision makers on the optimal solution for securing their VPNs based on the application scenarios and the potential performance penalties that come with each approach.

Performance evaluation of security solutions for HIP-based telecommunication networks. Abstract (translated from Finnish). Host Identity Protocol (HIP) is a telecommunication network technology that uses a separate layer between the transport protocol and the Internet Protocol (IP) in the TCP/IP protocol stack. HIP systematically separates the network and device parts of the IP address and uses a Host Identity (HI) part based on a public key security infrastructure. Its benefits include mobility, multi-homing, end-to-end security, separation of control information and data, rendezvous, address change and firewall security. In industry, the HIP protocol is seen as part of next generation telecommunication networks, even though it has not yet become widespread in commercial use. HIP can be used not only in HIP-aware applications but also in traditional IP-address-based applications and network technologies. One such application is Virtual Private LAN Service (VPLS), a widely used method of creating an Ethernet-based virtual private network over an IP/MPLS network that connects separate sites into a single bridged domain. 
The prevalence of VPLS in both commercial and defense organizations underscores the need for robust security features to protect data and control information. This work first examines the different approaches to the HIP protocol. After the theoretical review, practical tests are carried out on a self-built testbed. The scenarios examined are a comparison of Linux-based open source HIP implementations (HIPL and OpenHIP) and a comparison of equipment from two different vendors (Tempered Networks and Byres Security). The HIP implementations are evaluated in different network environments, namely LAN, WLAN and WAN. All tested cases are evaluated in terms of throughput, its variation (jitter) and latency. The measurement results show that the same solution is not optimal in all the cases examined. For example, when a WLAN network is used, the throughput loss caused by security is smaller for HIPL than for OpenHIP, whereas for a WAN network the situation is reversed. Similar behaviour is also observed in UDP throughput. HIPL nevertheless gives the lowest latency in all test scenarios. When comparing the vendors' equipment, TCP throughput deteriorates by 19 percent and latency by 87 percent compared to the case where no security solution is used. The important information produced by this work can therefore help practitioners in the field find the optimal network security solution for VPN-based applications.

    Software-defined resource management for industrial internet of things

    Abstract The Industrial Internet of Things (IIoT) and Industry 4.0 aim to streamline production processes and keep manufacturing viable and profitable. This presents enterprises with the opportunity to boost productivity while improving efficiency and safety and reducing costs. With heightened interest from both researchers and industry experts, IIoT has witnessed remarkable advances in recent years thanks to developments in related technologies such as Industrial Wireless Networks (IWNs), Software-Defined Networking (SDN), cloud computing, and Multi-Access Edge Computing (MEC). Despite the proven ability of these technologies to advance the course of IIoT and Industry 4.0, an equally important but less investigated problem is ensuring that the resources upon which these technologies depend are optimally allocated and efficiently utilized. This doctoral dissertation proposes a software-defined approach towards improving resource management and efficiency in IIoT systems. First, an SDN-based data offloading scheme is designed to coordinate data offloading for IIoT applications. This will enable constrained IIoT devices to relay their more demanding operations for energy and resource optimization. Second, a system model is developed to leverage the synergy between SDN, MEC, and containerization technologies in advancing IIoT applications for better resource management, more specifically for containerized edge microservices. Third, a novel SDN-enabled Resource Management (SDRM) scheme is developed based on Satisfiability Modulo Theory (SMT) constraint programming. With this scheme, SDRM will be able to automatically compute the optimal resource allocation for different IIoT network models and dynamically adjust assigned resources based on predefined constraints to ensure Service Level Agreements (SLAs). Lastly, the effects of collaborative edge-cloud computing on such SDN-based IIoT implementations are examined. 
The results from our implementation models demonstrate the feasibility, efficiency, and performance improvements of utilizing SDN-based solutions for resource optimization in IIoT implementations. Hence, the outcome of this dissertation will help both researchers and system designers gravitate towards more resource-efficient IIoT solutions.

Abstract (translated from Finnish). The Industrial Internet of Things (IIoT) and Industry 4.0 aim to streamline production processes and keep manufacturing viable and profitable. This offers enterprises the opportunity to increase productivity while improving efficiency and safety and reducing costs. IIoT has shown remarkable progress in recent years thanks to increased interest from both research and industry, enabled by related technologies such as Industrial Wireless Networks (IWNs), Software-Defined Networking (SDN), cloud services and edge computing (MEC). Despite the proven ability of these technologies to advance IIoT and Industry 4.0, an equally important but less studied problem is ensuring that the resources on which these technologies depend are allocated optimally and used efficiently. This dissertation proposes a software-defined approach to improving resource management and efficiency in IIoT systems. First, an SDN-based data offloading scheme is designed to coordinate data offloading for IIoT applications. This allows constrained IIoT devices to relay their more demanding operations for energy and resource optimization. Second, a system model is developed that exploits the synergy between SDN, MEC and container technologies to advance IIoT applications for better resource management, especially in containerized edge microservices. Third, a novel SDN-enabled Resource Management (SDRM) scheme is developed, based on SMT (Satisfiability Modulo Theory) constraint programming. 
With this, SDRM can automatically compute the optimal resource allocation for different IIoT network models and dynamically adjust reserved resources based on predefined constraints to ensure Service Level Agreements (SLAs). Finally, the effects of collaborative edge-cloud computing on such SDN-based IIoT implementations are examined. The results of our implementation models demonstrate the feasibility, efficiency and performance improvement of using SDN-based solutions for resource optimization in IIoT implementations. The results of this research will therefore help both researchers and system designers develop more resource-efficient IIoT solutions.

    SDN based operator assisted offloading platform for multi-controller 5G networks

    Abstract This paper presents an operator-assisted data offloading platform for 5G mobile networks using Software Defined Networking (SDN). By enabling lateral communication between multiple SDN controllers, operators are able to perform the offloading process without the intervention of the user. Moreover, the offloading decision of the proposed platform is based on accurate real-time network conditions. The proposed mechanism is implemented on a testbed to verify its feasibility and performance.

    SDN enhanced resource orchestration of containerized edge applications for industrial IoT

    Abstract With the rise of the Industrial Internet of Things (IIoT), there is intense pressure on resource and performance optimization leveraging existing technologies such as Software Defined Networking (SDN), edge computing, and container orchestration. Industry 4.0 emphasizes the importance of lean and efficient operations for sustainable manufacturing. Achieving this goal would require engineers to consider all layers of the system, from hardware to software, and to optimize for resource efficiency at all levels. This emphasizes the need for container-based virtualization tools such as Docker and Kubernetes, offering Platform as a Service (PaaS), while simultaneously leveraging edge technologies to reduce related latencies. For network management, SDN is poised to offer a cost-effective and dynamic scalability solution by customizing packet handling for various edge applications and services. In this paper, we investigate the energy and latency trade-offs involved in combining these technologies for industrial applications. As a use case, we emulate a 3D-drone-based monitoring system aimed at providing real-time visual monitoring of industrial automation. We compare a native implementation to a containerized implementation where video processing is orchestrated while streaming is handled by an external UE representing the IIoT device. We compare these two scenarios for energy utilization, latency, and responsiveness. Our test results show that only roughly 16 percent of the total power consumption happens on the mobile node when orchestrated. Virtualization adds about 4.5 percent to the total power consumption, while the latency difference between the two approaches becomes negligible after the streaming session is initialized.

    Survey on multi-access edge computing for Internet of Things realization

    Abstract The Internet of Things (IoT) has recently advanced from an experimental technology to what will become the backbone of future customer value for both product and service sector businesses. This underscores the cardinal role of IoT on the journey toward the fifth generation of wireless communication systems. IoT technologies augmented with intelligent and big data analytics are expected to rapidly change the landscape of myriad application domains ranging from health care to smart cities and industrial automation. The emergence of multi-access edge computing (MEC) technology aims at extending cloud computing capabilities to the edge of the radio access network, hence providing real-time, high-bandwidth, low-latency access to radio network resources. IoT is identified as a key use case of MEC, given MEC's ability to provide cloud platform and gateway services at the network edge. MEC will inspire the development of myriad applications and services with demand for ultra-low latency and high quality of service due to its dense geographical distribution and wide support for mobility. MEC is therefore an important enabler of IoT applications and services which require real-time operations. In this survey, we provide a holistic overview of the exploitation of MEC technology for the realization of IoT applications and their synergies. We further discuss the technical aspects of enabling MEC in IoT and provide some insight into various other integration technologies therein.

    Security for 5G and beyond

    Abstract The development of the fifth generation (5G) wireless networks is gaining momentum to connect almost all aspects of life through the network with much higher speed, very low latency and ubiquitous connectivity. Due to its crucial role in our lives, the network must secure its users, components, and services. The security threat landscape of 5G has grown enormously due to the unprecedented increase in types of services and in the number of devices. Therefore, security solutions, if not yet developed, must already be envisioned to cope with diverse threats on various services, novel technologies, and the increased user information accessible by the network. This paper outlines the 5G network threat landscape and the security vulnerabilities in the new technological concepts that will be adopted by 5G, and provides either solutions to those threats or future directions to cope with those security challenges. We also provide a brief outline of the post-5G cellular technologies, referred to as future generations (XG) in this paper, and their security vulnerabilities. In brief, this paper highlights the present and future security challenges in wireless networks, mainly in 5G, and future directions to secure wireless networks beyond 5G.

    Overview of 5G security challenges and solutions

    Abstract 5G networks will use novel technological concepts to meet the requirements of broadband access everywhere, high user and device mobility, and connectivity of a massive number of devices (e.g., the Internet of Things) in an ultra-reliable and affordable way. Software defined networking and network functions virtualization, leveraging advances in cloud computing such as mobile edge computing, are the most sought-after technologies to meet these requirements. However, securely using these technologies and providing user privacy in future wireless networks are new concerns. Therefore, this article provides an overview of the security challenges in clouds, software defined networking, and network functions virtualization, and the challenges of user privacy. This article then presents solutions to these challenges and future directions for secure 5G systems.

    SDN-enabled resource orchestration for industrial IoT in collaborative edge-cloud networks

    Abstract Effective, long-lasting Industrial IoT (IIoT) solutions start with short-term gains and progressively mature with added capabilities and value. The heterogeneous nature of IIoT devices and services suggests frequent changes in resource requirements for different services, applications, and use cases. With such unpredictability, resource orchestration can be quite complicated even in basic use cases and almost impossible to handle in some extensively dynamic use cases. In this paper, we propose SDRM, an SDN-enabled Resource Management scheme. This novel orchestration methodology automatically computes the optimal resource allocation for different IIoT network models and dynamically adjusts assigned resources based on predefined constraints to ensure Service Level Agreements (SLAs). The proposed approach models resource allocation as a Constraint Satisfaction Problem (CSP) where optimality is based on the solution of a predefined Satisfiability (SAT) problem. This model supports centralized management of all resources using a software defined approach. Such resources include memory, power, bandwidth, and edge-cloud resources. SDRM aims at accelerating efficient resource orchestration through dynamic workload balancing and edge-cloud resource utilization, thereby reducing the cost of IIoT system deployment and improving the overall ROI for adopting IIoT solutions. We model our resource allocation approach in Savile Row using the Essence Prime modeling language, and then implement the network model on CloudSimSDN and PureEdgeSim. We present a detailed analysis of the system architecture and the key technologies of the model. We finally demonstrate the efficiency of the model by presenting experimental results from a prototype system. Our test results show an extremely low solver time, ranging from 0.47 ms to 0.5 ms for networks of 100 to 500 nodes. With edge-cloud collaboration, our results show about 4 percent improvement in overall task success rates.

    5G security: analysis of threats and solutions

    Abstract 5G will provide broadband access everywhere, support higher user mobility, and enable connectivity of a massive number of devices (e.g. the Internet of Things (IoT)) in an ultra-reliable and affordable way. The main technological enablers, such as cloud computing, Software Defined Networking (SDN) and Network Function Virtualization (NFV), are maturing towards their use in 5G. However, there are pressing security challenges in these technologies besides the growing concerns for user privacy. In this paper, we provide an overview of the security challenges in these technologies and the issues of privacy in 5G. Furthermore, we present security solutions to these challenges and future directions for secure 5G systems.

    Software Defined Monitoring (SDM) for 5G mobile backhaul networks

    Abstract Software Defined Networking (SDN) is an advanced approach to designing dynamic, manageable, cost-effective, and adaptable network architectures. SDN will play a key role as an enabler for 5G and future networks. Transferring network monitoring functions to a software entity working in conjunction with configurable hardware accelerators, through a scheme called Software Defined Monitoring (SDM), is one promising way to attain the dynamism necessary for monitoring next-generation networks. In this paper, we propose a novel SDM architecture for future mobile backhaul networks. As an SDN solution, the proposed architecture provides more granular and dynamic network management functions through its programmable interface, centralized control, and virtualized abstractions. At the same time, the SDM framework intuitively seems prone to the various challenges that come with the separation of the control and data planes of middleboxes. This paper collects specific opportunities, vulnerabilities and challenges related to SDM. It also highlights how SDM can be used to solve the current limitations of legacy monitoring systems. The feasibility of the proposed SDM architecture is verified using a testbed implementation.