15 research outputs found

    Performance evaluation of HIP-based network security solutions

    Abstract. Host Identity Protocol (HIP) is a networking technology that systematically separates the identifier and locator roles of IP addresses and introduces a Host Identity (HI) name space based on a public key security infrastructure; the HIP layer sits between the transport layer and IP in the TCP/IP stack. This modification offers a series of benefits such as mobility, multi-homing, end-to-end security, signaling, control/data plane separation, and firewall security. Although HIP has not yet been widely deployed in mainstream communication networks, industry experts foresee its potential as an integral part of next generation networks. HIP can be used in HIP-aware applications as well as in traditional IP-address-based applications and networking technologies, taking middleboxes into account. One such application is Virtual Private LAN Service (VPLS), a widely used method of providing an Ethernet-based Virtual Private Network that connects geographically separated sites into a single bridged domain over an IP/MPLS network. The popularity of VPLS among commercial and defense organizations underscores the need for robust security features to protect both data and control information. After investigating the different approaches to HIP, a real-world testbed is implemented. Two experiment scenarios were evaluated: one on two open source Linux-based HIP implementations (HIPL and OpenHIP), the other on two sets of enterprise equipment from two different vendors (Tempered Networks and Byres Security). To account for a heterogeneous mix of network types, the open source HIP implementations were evaluated in different network environments, namely Local Area Network (LAN), Wireless LAN (WLAN), and Wide Area Network (WAN). Each scenario is tested and evaluated for performance in terms of throughput, latency, and jitter. The measurement results confirmed the assumption that no single solution is optimal in all considered aspects and scenarios. For instance, in the open source implementations, the throughput penalty that security imposes on TCP in the WLAN scenario is smaller for HIPL than for OpenHIP, while in the WAN scenario the reverse holds. A similar outcome is observed for UDP throughput. On latency, however, HIPL showed lower latency in all three network test scenarios. In the enterprise equipment experiment, security reduces TCP throughput by about 19% compared with the non-secured scenario, while latency increases by about 87%. This work therefore provides useful information for researchers and decision makers on choosing a solution for securing their VPNs based on the application scenario and the performance penalty that comes with each approach.
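The throughput, latency and jitter figures the abstract reports are the three metrics such a testbed produces. The functions below, added here as an illustration and not part of the thesis or of either HIP implementation, compute them from a packet trace and express the security penalty the way the abstract does, as a percentage of the unsecured baseline. Jitter uses the RFC 3550 interarrival estimator, which is the figure iperf reports for UDP. The two traces are constructed sample data, not measurements from the testbed.

```python
"""Throughput, latency and interarrival jitter from a packet trace, plus the
relative penalty a secured (tunnelled) run pays against an unsecured baseline.
Constructed sample traces stand in for iperf/ping measurements on a testbed."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Packet:
    sent_us: int  # send timestamp, microseconds
    recv_us: int  # receive timestamp, microseconds (same clock as sent_us)
    size: int     # payload bytes


def throughput_bps(trace):
    """Payload bits per second over the window from first send to last receive."""
    span_us = max(p.recv_us for p in trace) - min(p.sent_us for p in trace)
    return sum(p.size for p in trace) * 8 * 1_000_000 / span_us


def mean_latency_ms(trace):
    """One-way delay averaged over the trace, in milliseconds."""
    return mean(p.recv_us - p.sent_us for p in trace) / 1000


def rfc3550_jitter_ms(trace):
    """Interarrival jitter as RFC 3550 section 6.4.1 defines it:
    D = (R_i - R_{i-1}) - (S_i - S_{i-1});  J = J + (|D| - J) / 16.
    J is a smoothed estimate of the absolute delay variation, in ms."""
    j = 0.0
    for prev, cur in zip(trace, trace[1:]):
        d = (cur.recv_us - prev.recv_us) - (cur.sent_us - prev.sent_us)
        j += (abs(d) - j) / 16
    return j / 1000


def penalty_pct(baseline, secured, higher_is_better=True):
    """Percentage the secured run loses (throughput) or adds (latency, jitter)
    relative to the unsecured baseline; 19% lost throughput and 87% added
    latency is the shape of the enterprise-equipment result above."""
    if higher_is_better:
        return (baseline - secured) / baseline * 100
    return (secured - baseline) / baseline * 100


def build_traces():
    """Constructed traces (not measured data): 10 x 1000-byte datagrams each.
    Baseline: one packet per 1 ms, fixed 2 ms delay, no delay variation.
    Secured: sending slowed to 1.25 ms per packet by tunnel overhead, 3.7 ms
    delay, plus 0.2 ms of alternating delay variation introduced by the tunnel."""
    baseline = [Packet(i * 1000, i * 1000 + 2000, 1000) for i in range(10)]
    secured = [Packet(i * 1250, i * 1250 + 3700 + (200 if i % 2 else 0), 1000)
               for i in range(10)]
    return baseline, secured


def summarize(baseline, secured):
    """{metric: (baseline, secured, penalty_pct or None)}; the jitter penalty is
    undefined (None) when the baseline shows no variation at all."""
    rows = {}
    for name, fn, hib in (("throughput_bps", throughput_bps, True),
                          ("latency_ms", mean_latency_ms, False)):
        b, s = fn(baseline), fn(secured)
        rows[name] = (b, s, penalty_pct(b, s, hib))
    jb, js = rfc3550_jitter_ms(baseline), rfc3550_jitter_ms(secured)
    rows["jitter_ms"] = (jb, js, penalty_pct(jb, js, False) if jb > 0 else None)
    return rows


if __name__ == "__main__":
    for metric, (b, s, pen) in summarize(*build_traces()).items():
        extra = "" if pen is None else f"  penalty {pen:.1f}%"
        print(f"{metric:15s} baseline={b:.6g} secured={s:.6g}{extra}")
```

Timestamps are kept as integer microseconds so that the jitter estimator sees exact differences; with floating-point seconds a trace with constant delay would report a tiny non-zero jitter from rounding alone. When comparing implementations the way the thesis does, the baseline and secured traces must come from the same path and the same packet size, otherwise the percentage mixes the tunnel's cost with the network's.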

    Orchestrating Service Migration for Low Power MEC-Enabled IoT Devices

    Multi-Access Edge Computing (MEC) is a key enabling technology for Fifth Generation (5G) mobile networks. MEC provides distributed cloud computing capabilities and an information technology service environment for applications and services at the edges of mobile networks. This architectural modification serves to reduce congestion and latency and to improve the performance of edge-colocated applications and devices. In this paper, we demonstrate how reactive service migration can be orchestrated for low-power MEC-enabled Internet of Things (IoT) devices. Here, we use open-source Kubernetes as the container orchestration system. Our demo is based on a traditional client-server system from the user equipment (UE) over Long Term Evolution (LTE) to the MEC server. As the use case scenario, we post-process live video received over web real-time communication (WebRTC). Next, we integrate orchestration by Kubernetes with S1 handovers, demonstrating a MEC-based software defined network (SDN). Edge applications may then reactively follow the UE within the radio access network (RAN), preserving low latency. The collected data is used to analyze the benefits of the low-power MEC-enabled IoT device scheme, in which the end-to-end (E2E) latency and power requirements of the UE are improved. We further discuss the challenges of implementing such schemes and future research directions therein
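The step in which Kubernetes orchestration is tied to S1 handovers so that the edge application follows the UE reduces to a small controller rule: map the target eNB to the MEC node that serves it, and re-pin the UE's Deployment there. The code below is an added illustration of that rule, not the demo's own code; the eNB-to-node map, the Deployment name and the container image are assumptions, and the merge helper covers only what a nodeSelector patch needs.

```python
"""Reactive service migration: turn an S1 handover event into the Kubernetes
placement change that moves a UE's edge service to the MEC node behind the
target eNB. Added illustration, not the demo's code; topology and names are
constructed."""
import copy
import json

# Assumption: which MEC host is co-located with each eNB (constructed topology).
ENB_TO_MEC_NODE = {
    "enb-101": "mec-node-a",
    "enb-102": "mec-node-b",
    "enb-103": "mec-node-b",
}
HOSTNAME_LABEL = "kubernetes.io/hostname"  # node label that nodeSelector pins to


def base_deployment(ue_id, node):
    """Per-UE video post-processing Deployment pinned to `node` (constructed names)."""
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": f"postproc-{ue_id}", "labels": {"ue": ue_id}},
        "spec": {
            "replicas": 1,
            "selector": {"matchLabels": {"ue": ue_id}},
            "template": {
                "metadata": {"labels": {"ue": ue_id}},
                "spec": {
                    "nodeSelector": {HOSTNAME_LABEL: node},
                    "containers": [{"name": "postproc", "image": "example/postproc:1.0"}],
                },
            },
        },
    }


def current_node(deployment):
    """Node the pod template is currently pinned to."""
    return deployment["spec"]["template"]["spec"]["nodeSelector"][HOSTNAME_LABEL]


def placement_patch(target_node):
    """Strategic-merge patch that re-pins the pod template; the Deployment
    controller then rolls the pod out on the new node."""
    return {"spec": {"template": {"spec": {"nodeSelector": {HOSTNAME_LABEL: target_node}}}}}


def apply_patch(deployment, patch):
    """Merge nested maps the way a strategic merge does for plain maps
    (enough for nodeSelector; list merging is not needed here)."""
    merged = copy.deepcopy(deployment)

    def merge(dst, src):
        for key, value in src.items():
            if isinstance(value, dict) and isinstance(dst.get(key), dict):
                merge(dst[key], value)
            else:
                dst[key] = value

    merge(merged, patch)
    return merged


def on_s1_handover(deployment, target_enb):
    """Return (deployment_after, patch). Only the target eNB matters: placement
    depends on where the UE lands. `patch` is None when the target eNB is
    served by the node the service already runs on, so nothing is rescheduled."""
    target_node = ENB_TO_MEC_NODE[target_enb]
    if target_node == current_node(deployment):
        return deployment, None
    patch = placement_patch(target_node)
    return apply_patch(deployment, patch), patch


def kubectl_command(deployment, patch):
    """The kubectl invocation that applies the same patch through the API server."""
    return ["kubectl", "patch", "deployment", deployment["metadata"]["name"],
            "--type", "strategic", "-p", json.dumps(patch)]


if __name__ == "__main__":
    dep = base_deployment("ue-7", ENB_TO_MEC_NODE["enb-101"])
    for target in ("enb-102", "enb-103"):
        dep, patch = on_s1_handover(dep, target)
        print(f"handover to {target}: "
              + (" ".join(kubectl_command(dep, patch)) if patch else "no migration"))
```

The no-op branch matters: two eNBs behind the same MEC host must not trigger a redeploy, or every ping-pong handover at a cell edge would restart the service. The other check a deployment needs is on the event source: only the entity that actually observes handovers (the MME or the SDN controller) may feed this rule, because anyone able to inject handover events can force repeated rescheduling of a UE's service.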

    Software-defined resource management for industrial internet of things

    Abstract The Industrial Internet of Things (IIoT) and Industry 4.0 aim to streamline production processes and keep manufacturing viable and profitable. This presents enterprises with the opportunity to boost productivity while improving efficiency and safety and reducing costs. With heightened interest from both researchers and industry experts, IIoT has witnessed remarkable advances over recent years thanks to developments in related technologies such as Industrial Wireless Networks (IWNs), Software-Defined Networking (SDN), cloud computing, and Multi-Access Edge Computing (MEC). Despite the proven ability of these technologies to advance IIoT and Industry 4.0, an equally important but less investigated problem is ensuring that the resources on which these technologies depend are optimally allocated and efficiently utilized. This doctoral dissertation proposes a software-defined approach to improving resource management and efficiency in IIoT systems. First, an SDN-based data offloading scheme is designed to coordinate data offloading for IIoT applications, enabling constrained IIoT devices to relay their more demanding operations elsewhere for energy and resource optimization. Second, a system model is developed that leverages the synergy between SDN, MEC, and containerization technologies to advance IIoT applications through better resource management, specifically for containerized edge microservices. Third, a novel SDN-enabled Resource Management (SDRM) scheme is developed based on Satisfiability Modulo Theories (SMT) constraint programming. With this scheme, SDRM can automatically compute the optimal resource allocation for different IIoT network models and dynamically adjust the assigned resources according to predefined constraints so that Service Level Agreements (SLAs) are met. Lastly, the effects of collaborative edge-cloud computing for such SDN-based IIoT implementations are examined. The results from our implementation models demonstrate the feasibility, efficiency, and performance improvements of SDN-based solutions for resource optimization in IIoT implementations. Hence, the outcome of this dissertation will help both researchers and system designers move towards more resource-efficient IIoT solutions.
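The SDRM idea, computing an allocation that satisfies predefined constraints and re-computing it when conditions change, is shown below on a small constructed topology. This is an added illustration, not the dissertation's SDRM code: exhaustive search over all assignments stands in for the SMT solver, but the hard constraints (node capacity, per-service SLA latency) and the objective are the kind an SMT encoding would carry. Node and service figures are invented for the example.

```python
"""Placement of containerized IIoT microservices onto edge/cloud nodes under
CPU-capacity and SLA-latency constraints, re-solved when a node's capacity
changes. Added illustration: exhaustive search stands in for an SMT solver.
All node and service figures are constructed."""
from itertools import product

# Constructed topology: CPU in millicores, one-way latency from the plant cell (ms)
NODES = {
    "edge-1": {"cpu": 2000, "latency_ms": 5},
    "edge-2": {"cpu": 1500, "latency_ms": 8},
    "cloud": {"cpu": 16000, "latency_ms": 60},
}
# Constructed services: CPU demand and the SLA's latency bound
SERVICES = {
    "plc-telemetry": {"cpu": 800, "sla_ms": 10},
    "vision-qa": {"cpu": 1200, "sla_ms": 10},
    "mes-sync": {"cpu": 700, "sla_ms": 80},
    "analytics": {"cpu": 3000, "sla_ms": 500},
}


def capacity_ok(assign, nodes, services):
    """Hard constraint: summed demand on each node stays within its CPU."""
    used = dict.fromkeys(nodes, 0)
    for svc, node in assign.items():
        used[node] += services[svc]["cpu"]
    return all(used[n] <= nodes[n]["cpu"] for n in nodes)


def sla_ok(assign, nodes, services):
    """Hard constraint: every service sits on a node whose latency meets its SLA."""
    return all(nodes[n]["latency_ms"] <= services[s]["sla_ms"]
               for s, n in assign.items())


def cost(assign, nodes, services):
    """Objective to minimise: latency weighted by CPU demand, so work stays
    close to the cell unless capacity forces it outward."""
    return sum(nodes[n]["latency_ms"] * services[s]["cpu"]
               for s, n in assign.items())


def solve(nodes, services):
    """Cheapest feasible assignment {service: node}, or None when the
    constraints cannot all be met (some SLA would have to be violated)."""
    names = list(services)
    best_cost, best = None, None
    for choice in product(nodes, repeat=len(names)):
        assign = dict(zip(names, choice))
        if not (capacity_ok(assign, nodes, services) and sla_ok(assign, nodes, services)):
            continue
        c = cost(assign, nodes, services)
        if best_cost is None or c < best_cost:
            best_cost, best = c, assign
    return best


def with_capacity(nodes, node, cpu):
    """Copy of `nodes` with one node's CPU changed (a degraded host, or a scale-up)."""
    changed = {n: dict(v) for n, v in nodes.items()}
    changed[node]["cpu"] = cpu
    return changed


if __name__ == "__main__":
    plan = solve(NODES, SERVICES)
    print("initial:", plan, "cost", cost(plan, NODES, SERVICES))
    degraded = with_capacity(NODES, "edge-1", 1500)  # edge-1 loses a quarter of its CPU
    replan = solve(degraded, SERVICES)
    print("after edge-1 degrades:", replan, "cost", cost(replan, degraded, SERVICES))
    starved = with_capacity(with_capacity(NODES, "edge-1", 500), "edge-2", 500)
    print("no feasible plan:", solve(starved, SERVICES))
```

On the constructed data the initial plan packs both 10 ms services onto edge-1, puts mes-sync on edge-2 and pushes analytics to the cloud; when edge-1 degrades, vision-qa moves to edge-2 and mes-sync takes its place on edge-1 rather than going to the cloud. The third case returns None, which is the answer a controller must handle explicitly: when no placement satisfies every SLA, the scheme has to report the violated constraint instead of silently picking a placement that breaks one. The search is 3^4 assignments here and grows exponentially with the number of services, which is the reason for using an SMT solver rather than enumeration in the real scheme.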

    Cloud and MEC security


    SDN based operator assisted offloading platform for multi-controller 5G networks

    Abstract This paper presents an operator-assisted data offloading platform for 5G mobile networks using Software Defined Networking (SDN). By enabling lateral communication between multiple SDN controllers, operators can perform the offloading process without user intervention. Moreover, the offloading decision of the proposed platform is based on accurate real-time network conditions. The proposed mechanism is implemented on a testbed to verify its feasibility and performance

    Survey on Multi-Access Edge Computing for Internet of Things Realization

    Abstract The Internet of Things (IoT) has recently advanced from an experimental technology to what will become the backbone of future customer value for both product and service sector businesses. This underscores the cardinal role of IoT on the journey toward the fifth generation of wireless communication systems. IoT technologies augmented with intelligent and big data analytics are expected to rapidly change the landscape of myriad application domains ranging from health care to smart cities and industrial automation. The emergence of multi-access edge computing (MEC) technology aims at extending cloud computing capabilities to the edge of the radio access network, hence providing real-time, high-bandwidth, low-latency access to radio network resources. IoT is identified as a key use case of MEC, given MEC's ability to provide cloud platform and gateway services at the network edge. MEC will inspire the development of myriad applications and services that demand ultralow latency and high quality of service, owing to its dense geographical distribution and wide support for mobility. MEC is therefore an important enabler of IoT applications and services that require real-time operation. In this survey, we provide a holistic overview of the exploitation of MEC technology for the realization of IoT applications and their synergies. We further discuss the technical aspects of enabling MEC in IoT and provide some insight into various other integration technologies therein

    SDN enhanced resource orchestration of containerized edge applications for industrial IoT

    Abstract With the rise of the Industrial Internet of Things (IIoT), there is intense pressure to optimize resources and performance by leveraging existing technologies such as Software Defined Networking (SDN), edge computing, and container orchestration. Industry 4.0 emphasizes the importance of lean and efficient operations for sustainable manufacturing. Achieving this goal requires engineers to consider all layers of the system, from hardware to software, and to optimize for resource efficiency at every level. This emphasizes the need for container-based virtualization tools such as Docker and Kubernetes, offering Platform as a Service (PaaS), while simultaneously leveraging edge technologies to reduce the associated latencies. For network management, SDN is poised to offer a cost-effective and dynamically scalable solution by customizing packet handling for various edge applications and services. In this paper, we investigate the energy and latency trade-offs involved in combining these technologies for industrial applications. As a use case, we emulate a 3D-drone-based monitoring system aimed at providing real-time visual monitoring of industrial automation. We compare a native implementation with a containerized implementation in which video processing is orchestrated while streaming is handled by an external UE representing the IIoT device. The two scenarios are compared for energy utilization, latency, and responsiveness. Our test results show that only roughly 16 percent of the total power consumption occurs on the mobile node when orchestrated. Virtualization adds about 4.5 percent to the total power consumption, while the latency difference between the two approaches becomes negligible once the streaming session is initialized

    Security for 5G and beyond

    Abstract The development of fifth generation (5G) wireless networks is gaining momentum, aiming to connect almost all aspects of life through the network with much higher speed, very low latency, and ubiquitous connectivity. Because of its crucial role in our lives, the network must secure its users, components, and services. The security threat landscape of 5G has grown enormously due to the unprecedented increase in the types of services and in the number of devices. Security solutions that do not yet exist must therefore be envisioned now to cope with diverse threats to various services, novel technologies, and the increased amount of user information accessible to the network. This paper outlines the 5G network threat landscape and the security vulnerabilities in the new technological concepts that 5G will adopt, and provides either solutions to those threats or future directions for coping with those security challenges. We also give a brief outline of post-5G cellular technologies, referred to as future generations (XG) in this paper, and their security vulnerabilities. In brief, this paper highlights the present and future security challenges in wireless networks, mainly in 5G, and future directions for securing wireless networks beyond 5G