Mobility research group




Professor Hannu H. Kari
Helsinki University of Technology (HUT)
Department of Computer Science and Engineering
Laboratory for Theoretical Computer Science
Hannu H. Kari/HUT/CS/TCS Page 1/36

Research areas of HUT's mobility group

Ongoing research:
- Traditional mobility management research: Mobile IP, ad hoc routing protocols, mobile networks, ...
- Packet Level Authentication (PLA): strong control and proof of the origin of packets
- Reliable delivery of content: enhanced multicast delivery engine

Traditional mobility management research

Traditional mobility management research

Implementations (for the Linux environment):
- Mobile IPv6
- Ad hoc routing protocols (AODVv6)
- Global-v6 (connectivity of ad hoc and fixed networks)
- Network mobility (NeMo)
- Host Identity Protocol (HIP)

Network simulation (with the NS-2 simulator):
- Mobility patterns
- New clustering protocols
- Access point selection methods
- Radio propagation in urban environments

Packet Level Authentication

Protecting infrastructure: main principle

Target: communication between two legitimate computers shall work at all times despite any hostile attacks that manipulate packets, jam the network, cut the communication links, or by other means try to disturb legitimate communication.

The network (i.e., the routers) shall distinguish whether a packet is
- generated by a legitimate computer (the packet shall be forwarded further), or
- generated or modified by attackers (record/discard that packet and optionally raise an alarm).

The network shall be capable of prioritizing traffic based on the importance of the packets (QoS) and of the user: not every computer or packet is equal.

Original concept of PLA

Without PLA: illegal duplicates cause flooding. With PLA: illegal duplicates are discarded. (Figure: packets from source S to destination D, shown without and with PLA.)

Packet level authentication

Analogy: security measures on banknotes (holograms, microprint, watermarks, UV light, ...). Any receiver of notes can verify the authenticity of every note without consulting banks or other authorities.

Packet level authentication: implementation

(Figure: IP packet = IP HDR | new PLA header: TTP, Pub-Key, TTP-sig, Seq #, time, Packet-sig | payload.)

- The PLA header is inserted the same way as the Mobile IP, IPsec, ... protocol headers.
- The PLA header is transparent to standard IP routers (that do not understand PLA).
- The PLA header is transparent to all upper level protocols (UDP, TCP, SCTP, ...).
- PLA can be used in both IPv4 and IPv6 networks.

Packet level authentication: implementation

PLA header fields:
- TTP: authority identity (trusted 3rd party)
- Pub-Key: sender's public key
- TTP-sig: authority's certificate (short or chain) and validity time for the sender's public key
- Seq #, time: timeliness and uniqueness of the packet
- Packet-sig: digital signature with the sender's private key to protect the integrity of the packet

Performance

Elliptic curve implementation at the ECE department of HUT:
- FPGA with 350 000 gates, clock speed 66 MHz
- 167-bit ECC multiplication in 100 µs using 167-bit arithmetic
- Estimate: one signature in less than 1 ms (actually it is closer to 200 µs)
- Performance is thus (in order of magnitude) 1000 packets/s; with a 500 byte packet size, 4 Mbps

Performance: how about scaling up?

Pentium IV class silicon:
- Clock speed 66 MHz -> 3 GHz (speedup factor 45)
- Die size 350 000 gates -> 55 M gates (160 parallel signature units)

Scaling the reference implementation (350 kG at 66 MHz, one signature per 1 ms) to the new silicon (55 MG at 3 GHz):

$$\frac{1}{1\,\mathrm{ms}} \cdot \frac{C_{new}}{C_{ref}} \cdot \frac{G_{new}}{G_{ref}} = \frac{1}{1\,\mathrm{ms}} \cdot \frac{3\,\mathrm{GHz}}{66\,\mathrm{MHz}} \cdot \frac{55\,000\,000}{350\,000} = 7.14\ \mathrm{Msignature/s}$$

Performance: throughput of a Pentium IV-class PLA accelerator

Throughput [Gbps] by signatures validated per packet and packet size:

Signatures per packet    150 B    500 B    1500 B
One (*)                  8.6      28.6     85.7
Two (**)                 4.3      14.3     42.9

(*) For the subsequent packets from the same sender
(**) For the first packet from a given sender

Reliable delivery of content

Multichannel data delivery: today

(Figure: the actual data reaches authorities and citizens over the channels military networks, TETRA/VIRVE, GSM, Internet and radio/TV.)

Multichannel data delivery: in the future

(Figure: the actual data reaches authorities and citizens over the channels military networks, TETRA/VIRVE, GSM, Internet and radio/TV.)

Reliable delivery of one document

(Figure: sender side: document -> fragmentation -> add FEC -> signatures -> multichannel network; receiver side: check signatures -> data reconstruction -> defragmentation -> document.)

Multichannel data delivery

(Figure: the actual data is delivered as information over military networks, TETRA/VIRVE, GSM, Internet and radio/TV; slides 18 to 22 are successive animation steps of the same figure.)

Multichannel data delivery

(Figure, continued.) Missing data is regenerated locally by using the error correction information in other packets.

Multichannel data delivery

(Figure, continued.) Result: correct and up to date information.
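An added example (not the group's code) of the regeneration step on these slides: the document is fragmented, one XOR parity fragment is added as FEC, and a fragment lost on one channel is rebuilt locally from the ones that did arrive. The single-parity code and the fragment layout are assumptions of this example; signature checking of each fragment belongs to the PLA-style verification and is not repeated here.

```go
package main

import "errors"

// Encode splits doc into k equal-size data fragments (zero-padded) plus one XOR
// parity fragment, so any single lost fragment can be regenerated locally. The
// parity code is this example's assumption; the slides do not name the FEC used.
func Encode(doc []byte, k int) [][]byte {
	size := (len(doc) + k - 1) / k
	padded := make([]byte, size*k)
	copy(padded, doc)
	frags, parity := make([][]byte, k+1), make([]byte, size)
	for i := 0; i < k; i++ {
		frags[i] = padded[i*size : (i+1)*size]
		for j, b := range frags[i] {
			parity[j] ^= b
		}
	}
	frags[k] = parity
	return frags
}

// Decode takes the k+1 slots (nil = not received over any channel), regenerates
// at most one missing data fragment from the parity, and defragments the
// document back to its original length docLen.
func Decode(frags [][]byte, docLen int) ([]byte, error) {
	k, missing := len(frags)-1, -1
	for i, f := range frags {
		if f == nil && missing >= 0 {
			return nil, errors.New("more than one fragment lost: parity cannot recover")
		} else if f == nil {
			missing = i
		}
	}
	if missing >= 0 && missing < k { // lost data fragment = XOR of all the others
		rec := make([]byte, len(frags[k]))
		for i, f := range frags {
			if i == missing {
				continue
			}
			for j, b := range f {
				rec[j] ^= b
			}
		}
		frags[missing] = rec
	}
	var doc []byte
	for _, f := range frags[:k] {
		doc = append(doc, f...)
	}
	return doc[:docLen], nil
}
```

Losing only the parity fragment costs nothing, one lost data fragment is rebuilt without contacting the sender, and two losses are reported so the receiver can request a retransmission over another channel.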

Example: structured document

- Any information can be converted into a structured document.
- Download only the updated parts.
- Download adaptively based on transfer capacity, cost, situation, user needs, ...
- Check whether the document is up to date.
- Download deltas.
- Update notifications.
- Digitally signed containers can be transferred separately.

(Figure: document "CityEmergencySituation-2005/05/10" made of containers art 1, art 2, ..., art N, one of them marked TOP SECRET.)

Controlled consumption of digital content

Basic operating principles

Separation of data transmission and consumption:
- Protected/controlled content (video movie, live audio/video, PDF document, web page) is delivered over an IP-based multitechnology network: large capacity, large scale, efficient data delivery, multicast-capable.
- Key management of the content keys can use a potentially low speed, long delay and expensive network.

Basic operating principles

(Figure: a public content storage holds the protected content; the user presents a certificate (proof of subscription) to the content controller and receives a new certificate (decryption key for the content); a user-id based content manager produces watermarked unprotected content.)

New project concept: Nomadic Applications

Traditional migrating operating systems

Several operating systems (OS 1 Windows, OS 2 Linux, ..., OS n Linux) can be run on top of the same physical hardware with the help of a special VMM module. Commercial examples: VMware and Xen.

(Figure: OS 1 ... OS n on top of Virtual Machine Management (Xen, VMware) on a physical machine with input, output, disks, NET, ...)

Traditional migrating operating systems

Xen enables smooth transfer of an entire operating system from one computer to another without interruption of service (e.g., a WWW server).

(Figure: OS n Linux migrating from Virtual Machine Management (Xen, VMware) on physical machine 1 to physical machine 2, each with input, output, disks, CPU, NET, ...)

Virtual computers and nomadic applications

Virtual computer:
- A dynamically created computer built from local computing resources.
- For each device we can select out of 0..N instances: virtual I/O devices, virtual network interface, virtual disk, ...

Nomadic applications:
- Session continuity/mobility.
- Snapshot of applications (reincarnation of an application after a crash).
- Home storage/resting place.
- A program can be started in one computer, then suspended and moved into another computer.
- New ways to develop applications (ultra dynamicity): events trigger also I/O device changes (display -> audio output, files offline).

Concept of virtual computer

The nomadic applications platform enables smooth transfer from one virtual computer setting to another without interruption of service (e.g., video phoning).

(Figure: two virtual computers, each running OS 1 Windows, OS 2 Linux, ..., OS n Linux on Virtual Machine Management (XEN++) over virtual input, output, disks, CPU, NET, ..., assembled from devices Input1, Input2, Output, DisksN, Net 1, Net 2 reachable over any network.)

Concept of nomadic applications

A nomadic application may create a backup (snapshot) of itself for safety reasons or to go into hibernation. A nomadic application can then be resumed or reincarnated into the same or a different virtual computer.

(Figure: OS n Linux on Virtual Machine Management (XEN++), its snapshot stored in network storage and resumed on another virtual computer; each virtual computer maps its virtual input, output, disks, CPU, NET, ... to Input1, Input2, Output, DisksN, Net 1, Net 2 over any network.)

Concept of nomadic applications

A nomadic application may migrate from one virtual computing platform to another without interruption.

(Figure: migration from OS n Linux to OS 1 Windows, each on Virtual Machine Management (XEN++) with virtual input, output, disks, CPU, NET, ...; the devices are Input1, Input2, Output, DisksN, Net 1, Net 2 on one side and Input3, Output M, Net 3 on the other, connected over any network.)

Operating model for open source research

(Figure: customer needs (military requirements, civilian requirements) -> idea -> protocol design and validation (protocol analysis/verification, protocol testing) -> protocol specifications -> protocol implementations (reference implementations, open source code) -> standards and business opportunities -> companies -> solutions.)

Questions, comments?