43 research outputs found

    On the security of the Mobile IP protocol family

    The Internet Engineering Task Force (IETF) has worked on network layer mobility for more than 10 years and a number of RFCs are available by now. Although the IETF mobility protocols are not present in the Internet infrastructure as of today, deployment seems to be imminent since a number of organizations, including 3GPP, 3GPP2 and Wimax, have realized the need to incorporate these protocols into their architectures. Deployment scenarios reach from mobility support within the network of a single provider to mobility support between different providers and technologies. Current Wimax specifications, for example, already support Mobile IPv4, Proxy Mobile IPv4 and Mobile IPv6. Future specifications will also support Proxy Mobile IPv6. Upcoming specifications in the 3GPP Evolved Packet Core (EPC) will include the use of Mobile IPv4, Dual Stack MIPv6 and Proxy Mobile IPv6 for interworking between 3GPP and non 3GPP networks. This paper provides an overview on the state-of-the-art in IETF mobility protocols as they are being considered by standardization organizations outside the IETF and focusing on security aspects.

    Quality of Service Authentication, Authorization and Accounting

    Abstract. Proper authorization is essential for a QoS signaling protocol. The policy control of future QoS signaling solutions is expected to make use of existing AAA infrastructure for computing the authorization decision. In this paper, we point to two approaches for QoS authorization (based on COPS and Diameter) and present possible extensions and directions for future work

    Low-Power IoT Communication Security: On the Performance of DTLS and TLS 1.3

    Similarly to elsewhere on the Internet, practical security in the Internet of Things (IoT) is achieved by combining an array of mechanisms, at work at all layers of the protocol stack, in system software, and in hardware. Standard protocols such as Datagram Transport Layer Security (DTLS 1.2) and Transport Layer Security (TLS 1.2) are often recommended to secure communications to/from IoT devices. Recently, the TLS 1.3 standard was released and DTLS 1.3 is in the final stages of standardization. In this paper, we give an overview of version 1.3 of these protocols, and we provide the first experimental comparative performance analysis of different implementations and various configurations of these protocols, on real IoT devices based on low-power microcontrollers. We show how different implementations lead to different compromises. We measure and compare bytes-over-the-air, memory footprint, and energy consumption. We show that, when DTLS/TLS 1.3 requires more resources than DTLS/TLS 1.2, this additional overhead is quite reasonable. We also observe that, in some configurations, DTLS/TLS 1.3 actually decreases overhead and resource consumption. All in all, our study indicates that there is still room to optimize the existing implementations of these protocols.

    QoS signaling across heterogeneous wired/wireless networks: resource management in diffserv using the NSIS protocol suite

    Reservation-based Quality of Service (QoS) in a mixed wireless and wireline environment requires an end-to-end signaling protocol that is capable of adapting to the idiosyncrasies of the different networks. The QoS NSIS Signaling Protocol (QoSNSLP) has been created by the Next Steps In Signaling working group at the IETF to fulfill this need for an adaptive reservation protocol. It allows reservation requests to be interpreted by equipment implementing different QoS models along the path between a data sender and a data receiver. This paper describes the QoS-NSLP, and an example of a particular QoS model that is based on Resource Management in Diffserv (RMD). RMD provides a scalable dynamic resource management method for Diffserv networks. RMD has two basic functions to control the traffic load in a Diffserv domain: it provides admission control for flows entering the network and it has an algorithm that terminates the required amount of flows in case of congestion caused by failures (e.g. link or router) bandwidth and require per-flow reservations. On the other hand, the wireline networks tend to form the backbones and have relatively abundant bandwidth and carry a large number of flows, where aggregation is necessary since per-flow reservations suffer from scalability constraints

    On the security, privacy and usability of online seals

    This report analyses the conditions under which online security and privacy seals (OSPS) can be deployed to support users to make an informed trust decision about Web services and their providers with respect to the provided security and privacy. This report is motivated by the numerous policy documents that mention marks, seals, logos, icons (collectively referred to as OSPS) as a means of enabling users to judge the trustworthiness of services offered on the Web. The field of OSPSs has also developed in maturity. Therefore, we aim at analysing the current situation and identifying key challenges for online signals in practice. Based on these challenges, this report identifies possible solutions and corresponding recommendations and next steps that ENISA and other stakeholders should follow for enabling users to judge the trustworthiness of services offered on the Web.

    Fixing User Authentication for the Internet of Things (IoT)
