Volume 3, Issue 9, September 2013 ISSN: 2277 128X
International Journal of Advanced Research in Computer Science and Software Engineering
Research Paper. Available online at: www.ijarcsse.com

Layer Based MPLS VPN Security Under Flooding Attack in Wireless Mesh Network
Narender Singh 1, Krishan Kumar 2
1,2 Department of Computer Science & Engineering, SBSCET, Firozpur (Punjab), India

Abstract - A Wireless Mesh Network (WMN) is a network of networks and is heterogeneous in nature. Because of this heterogeneity and its openness it is more exposed to attacks: there are multiple points at which an attacker can strike easily. Many security techniques have been proposed for WMNs. A Virtual Private Network (VPN) provides security by giving each client ownership of its own traffic through virtual tunnels created over the network between clients, but a traditional VPN cannot provide all the required security features. MPLS now adds traffic engineering to the VPN, together with further security features and faster traffic rerouting. Many attacks, however, still affect these security techniques. In this paper we analyze the performance of these techniques and the effect of a flooding attack on them.

Keywords - WMN, MPLS, MPLS-VPN, MPLS-VPN-IPv6.

I. Introduction
Many network types have emerged, each with its own characteristics and challenges. The Wireless Mesh Network is distinguished from other networks by its features and its architecture. A WMN is made up of multiple wireless networks connected over a large region: mobile as well as static clients dispersed over a geographical region and connected via static or low-mobility routers. Clients may be part of a private or a public network. The mesh routers collectively form the backbone of the WMN. A WMN is similar to a mobile ad hoc network (MANET) in that it is multi-hop in nature.
It differs from a MANET in many respects, however, such as the multiple interfaces and multiple radio frequencies used at different points. It covers a large geographical area and, unlike a MANET, it scales to that area simply by adding routers. A network or client that wants to join the WMN connects to a router or gateway, and to carry the load of additional clients extra routers can be added to the WMN backbone [1].

Fig. 1 Wireless Mesh Network Topological Infrastructure

Minor changes in the network do not require reconfiguring the clients, so the network is decentralized. In the real world there is growing demand for real-time data transmission such as multimedia, voice calls and live transactions. A WMN is simple, easy to configure and cheap to establish, which makes it attractive for such real-time applications, and that demand in turn requires the WMN to provide better security. So there is a strong demand for security in WMNs. Because of its openness a WMN is more exposed to attacks such as DDoS, integrity damage and bandwidth exhaustion. When a client or node sends data to a remote node it uses a globally unique IP address; if the data stays within the same network the MAC address suffices. In a WMN data is sent to a remote node via routers and gateways: the node hands its data to the nearest router, the router's routing table selects the next hop, and when the destination node's home router is reached it delivers the data to the destination by MAC address. Packets from a mobile node may traverse different routers, because a moving node can enter another router's region; a handoff then occurs and a new connection is established to the new router. The handoff should be fast enough to keep communication delay low. Routing protocols used in WMNs are the same as in MANETs, but some protocols designed specifically for WMNs also exist, such as the Mesh Networking routing protocol and the Heat protocol [2].

2013, IJARCSSE All Rights Reserved Page 1181

II. Security Techniques
A WMN is a wide network with multiple hops before the destination node, so it is open to attack at many points. Many security techniques have been proposed for WMNs, each with its own shortcomings. Security can be provided at different layers of the IP stack, such as the MAC layer, the network layer and the application layer, but the MAC and network layers are the most affected because they carry the data transmission, and most security techniques target these two layers. A Virtual Private Network is a security framework that creates secure virtual tunnels between clients, but a VPN alone is not enough to provide complete security; new techniques need to be combined with it to provide secure communication.
Multi-Protocol Label Switching (MPLS) is a technique that speeds up data transmission under load. Using virtual tunnels together with MPLS-based traffic engineering can therefore provide better security [2,3]. MPLS-VPN offers better security and Quality of Service (QoS). It comes in two main forms, based on layer 2 and on layer 3.

A. Multi-Protocol Label Switching (MPLS)
MPLS is a traffic engineering technique that provides quality of service by fast switching of data over the network; it transfers data faster than traditional IP forwarding. MPLS sits between layer 2 and layer 3 of the IP stack. It can run over any data link layer technology, such as ATM or PSTN, and the network layer can use it for forwarding. MPLS is based on labels (tags): each packet is encapsulated with a label, and routers forward on that label rather than on the packet header, so they spend less time per packet because no long routing-table lookup is needed [2,3,4]. MPLS is configured over the backbone of the WMN, with the routers at the edge of the backbone configured for MPLS. Packets are then switched by label switching routers (LSRs), whose forwarding decision is based on the attached label. MPLS has two planes, a label forwarding plane and a routing (control) plane; because they are separate it is easy to modify them or add new techniques [2,5].

B. Layer 2 MPLS VPN
A virtual private network is a private network created for a specific client according to its needs. A VPN is a virtual connection established between clients or private networks. Virtual tunnels are carved out of the available bandwidth and each virtual channel works as if it were a wired link.
A VPN alone cannot provide much security and cannot deal with real-time problems. MPLS addresses real-time and congestion problems, and combined with a VPN it provides more secure communication of real-time data. MPLS VPN also helps against denial of service (DDoS) attacks [3]. An MPLS VPN depends on the layer at which the VPN is configured, and service providers offer their services accordingly. A data link layer based VPN uses the services of the MAC layer: the VPN tunnels are created at this layer and it is the provider's responsibility to carry the VPN data across the network. VPN data is sent like ordinary IP packets, with no distinction between the two, over the MPLS-enabled network; a layer 2 MPLS VPN therefore does not depend on layer 3, and any type of frame, such as ATM, PSTN or SONET, can be sent over the virtual channels [2,3,4].

An MPLS VPN in a WMN routes its data through different types of router according to their role:

Customer edge (CE) router - Situated at the edge of the customer network or within it. It provides communication between the network's own nodes and connects the network to the Internet, and it exchanges information with the provider edge routers.

Provider edge (PE) router - Situated at the backbone of the provider network (a group of routers and gateways). It connects to the customer edge routers and shares routing and VPN related information with them. The provider edge router is responsible for maintaining the label stack used to route packets based on VPN and MPLS labels.

Provider (P) router - An intermediate router in the MPLS-enabled network which forwards the VPN and MPLS data to the next hop. The provider router does not need to be aware of the VPNs; it forwards on MPLS labels like any other label switching router and carries all packets [2,6].

In a layer 2 MPLS VPN the Internet looks like a switch. A layer 2 MPLS VPN can be point-to-point or point-to-multipoint.
A point-to-point VPN consists of a direct connection between the nodes or to the MPLS network, while in a multipoint VPN multiple clients connect in a one-to-many configuration. Each private network is connected to a switch, and the switch sends its data into the MPLS core network [5,6].

C. Layer 3 MPLS VPN
A layer 3 MPLS VPN is based on network layer routing. VPN packets are routed by the service provider using a network layer routing protocol, and it is the provider's responsibility to route VPN packets by global IP address. Protocols such as OSPF and RIP are used for routing, and MPLS labels are used to forward the packets. VPN data is transferred over the MPLS core network. MPLS VPNs can share the same address space with other technologies without changing the core MPLS devices [3]. VPN data is kept separate from other packets because each VPN packet is identified by a VPN identifier plus the global IP address. Note that this separation is by label and by routing table, not by encryption: the BGP/MPLS VPN scheme of RFC 2547bis [7] isolates address spaces but does not itself protect the confidentiality of the payload, which on a wireless backbone needs an additional mechanism such as IPsec. Like the layer 2 MPLS VPN, the layer 3 VPN consists of customer edge routers, provider edge routers and provider routers. Each provider edge router holds a VPN Routing and Forwarding (VRF) table containing the routing and forwarding information for each customer network directly attached to it, so a PE router with several attached networks holds several VRF tables. A layer 3 MPLS VPN uses the Border Gateway Protocol (BGP) to distribute VPN routes among the PE routers [2,5]. When a client sends data to a remote client, the customer edge router forwards it to the provider edge router, which looks up the destination in the VRF table and sends it along the corresponding route; the core routers forward on the outer label of the label stack, and at the far edge of the provider network the VPN label is popped from the stack and the packet is delivered to the destination node using its IP header [4,5].

D. Layer 3 MPLS VPN Operation
An MPLS VPN operates in the following steps:
1. Route distribution - The Border Gateway Protocol (BGP) distributes VPN routes among the MPLS backbone routers. When a client sends data, it reaches the provider edge router via the customer routing table; the provider edge router then looks up the VRF table and sends the data through the MPLS-enabled network to the site of the destination client.
2. Label Switched Path (LSP) construction - The control plane establishes Label Switched Paths through the MPLS backbone. LSPs carry MPLS traffic through the wireless mesh network and are created and maintained by protocols such as the Label Distribution Protocol (LDP) and the Resource Reservation Protocol (RSVP).
3. Data forwarding - Data traffic is forwarded through the LSPs over the MPLS-enabled provider network. When a client sends data to a remote client, the ingress PE forwards it according to the VRF table, the packet crosses the backbone on the LSP, and the egress PE delivers it to the remote client using its routing table [2,7].

III. Simulation Environment And Analysis
Figure 2 shows the WMN, made up of mobile wireless nodes and static wireless routers, created in the OPNET 14.5 simulator. Each wireless node runs a client-server application over TCP/IP. IP addresses are assigned to all mobile nodes and routers, and OSPF is used as the routing protocol to distribute routing information. Mobile nodes support a data rate of 11 Mbps and move with random waypoint mobility at an average speed of 3 m/s. The scenario consists of 60 mobile nodes and 25 routers; 18 of the mobile nodes are source nodes, moving with random waypoint mobility at an average speed of 3 m/s and a pause time of 15 s. The mesh routers have access point functionality. Each mobile node and router has a transmit power of 0.005 W and a buffer size of 256000 bits, and the access point reception power threshold is set to -95 dBm. Addresses are auto-assigned by the simulator. In this environment plain 802.11a, MPLS, MPLS VPN at layer 2 and at layer 3, and MPLS VPN over IPv6 are simulated. Traffic flows at a constant bit rate (CBR) of 4 packets/s, each node has an FTP source and destination port, and the network is simulated for one hour. A separate scenario is created for each technology.
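As an added worked example (not code from the paper, from OPNET, or from any router vendor), the following Python model traces a packet through the layer 3 MPLS VPN operation described in section II.D: the ingress PE does the VRF lookup and pushes the VPN label and the transport label, the P routers swap or pop the outer label only, and the egress PE uses the VPN label to choose the VRF and the attached CE. The router names, label values, interface names and the two customers' overlapping 10.1.0.0/16 prefixes are all constructed assumptions for illustration.

```python
"""MPLS Layer 3 VPN forwarding model (added example; constructed topology)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    labels: list = field(default_factory=list)  # label stack, top = last element
    trace: list = field(default_factory=list)   # routers traversed, for inspection


class PRouter:
    """Core (P) router: forwards on the outer label only and never reads the IP header."""

    def __init__(self, name):
        self.name = name
        self.lfib = {}  # incoming label -> (outgoing label, next hop); None = pop (PHP)

    def receive(self, pkt):
        pkt.trace.append(self.name)
        out_label, next_hop = self.lfib[pkt.labels.pop()]
        if out_label is not None:
            pkt.labels.append(out_label)
        return next_hop.receive(pkt)


class PERouter:
    """Provider edge (PE) router holding one VRF per attached customer site."""

    def __init__(self, name):
        self.name = name
        self.attach = {}      # CE-facing interface -> VRF name
        self.vrfs = {}        # VRF name -> {prefix: (remote VPN label, egress PE name)}
        self.lsp = {}         # egress PE name -> (transport label, next hop router)
        self.vpn_labels = {}  # VPN label this PE advertised -> (VRF name, CE interface)

    def add_vrf_route(self, vrf, prefix, vpn_label, egress_pe):
        self.vrfs.setdefault(vrf, {})[ipaddress.ip_network(prefix)] = (vpn_label, egress_pe)

    def receive_from_ce(self, interface, pkt):
        """Ingress: longest-prefix match in the site's own VRF, then push VPN label and transport label."""
        vrf = self.attach[interface]
        dst = ipaddress.ip_address(pkt.dst)
        matches = [(p, v) for p, v in self.vrfs.get(vrf, {}).items() if dst in p]
        if not matches:  # other customers' routes are invisible from this VRF
            raise LookupError(f"{self.name}: {pkt.dst} not reachable from VRF {vrf}")
        vpn_label, egress_pe = max(matches, key=lambda m: m[0].prefixlen)[1]
        transport_label, next_hop = self.lsp[egress_pe]
        pkt.trace.append(self.name)
        pkt.labels += [vpn_label, transport_label]
        return next_hop.receive(pkt)

    def receive(self, pkt):
        """Egress: the penultimate P router already popped the transport label,
        so the VPN label on top selects the VRF and the CE interface."""
        pkt.trace.append(self.name)
        vrf, interface = self.vpn_labels[pkt.labels.pop()]
        return vrf, interface, pkt


def build_topology():
    """Constructed topology: PE1 -> P1 -> P2 -> PE2, with two customers A and B
    that both use 10.1.0.0/16 at their remote site (overlapping address space)."""
    pe1, pe2, p1, p2 = PERouter("PE1"), PERouter("PE2"), PRouter("P1"), PRouter("P2")
    pe1.lsp["PE2"] = (100, p1)       # transport label 100 leaves PE1 towards P1
    p1.lfib[100] = (200, p2)         # P1 swaps 100 -> 200
    p2.lfib[200] = (None, pe2)       # P2 pops (penultimate hop popping)
    pe1.attach.update({"ce-a1": "A", "ce-b1": "B"})
    pe2.vpn_labels.update({16: ("A", "ce-a2"), 17: ("B", "ce-b2")})
    pe1.add_vrf_route("A", "10.1.0.0/16", 16, "PE2")   # as if learned via BGP from PE2
    pe1.add_vrf_route("B", "10.1.0.0/16", 17, "PE2")
    return pe1


def send(pe, interface, src, dst):
    """Hand a customer packet to its PE; returns (VRF, egress CE interface, path)."""
    vrf, egress_if, pkt = pe.receive_from_ce(interface, Packet(src, dst))
    return vrf, egress_if, pkt.trace


if __name__ == "__main__":
    pe1 = build_topology()
    print(send(pe1, "ce-a1", "10.0.0.1", "10.1.0.5"))  # customer A's 10.1.0.5
    print(send(pe1, "ce-b1", "10.0.0.1", "10.1.0.5"))  # customer B's host at the same address
```

Both customers reach a host at the same address and each lands in its own VRF, which is the address-separation property the VRF gives. What the P routers never touch is pkt.dst: separation rests entirely on the PE label tables, and nothing in this path encrypts the payload, so confidentiality on the wireless backbone still needs a separate mechanism.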
MPLS is configured on the nodes and LSPs are created between them using the MPLS protocol configuration. Separate scenarios are created for MPLS VPN at layer 2 and at layer 3, and MPLS VPN is then analyzed with the IPv6 address family, with IPv6 enabled at each node and router in the WMN topology.

Figure 2. Wireless Mesh Network Topology in OPNET Modeler
The security techniques are analyzed using the following statistics:

Throughput - The total number of bits (in bits/s) forwarded from the wireless LAN layers to the higher layers in all WLAN nodes of the network.
End-to-end delay - The end-to-end delay of all packets received by the wireless LAN MACs of all WLAN nodes in the network and forwarded to the higher layer. This delay includes the medium access delay at the source MAC, reception of all fragments individually, and transfer of the frames via the access point.
Average load - The average load (in bits/s) submitted to the wireless LAN layers by all higher layers in all WLAN nodes of the network.
Routing data sent - The total routing data sent by a routing protocol such as OSPF.
Average hop count - The average number of hops a packet takes from the source to the destination node.
Packets delivered - The total number of packets received against the total number of packets sent by the source nodes.

IV. Simulation Result
Throughput - As shown in Figure 3, the throughput of MPLS VPN at layer 3 is the best while the plain wireless mesh network performs worst. With separate VPN channels there is a lower probability of collision. In plain MPLS the fast forwarding scheme causes packets to arrive in bursts, which causes more collisions, more retransmissions and lower overall throughput. MPLS VPN at layer 2 has intermediate throughput because there is one common forwarding path for all packets, VPN data included.

Fig. 3 Throughput of various security techniques

End-to-end delay - As shown in Figure 4, the end-to-end delay of the plain wireless mesh network is higher than that of the security-enabled networks under simulation, while the MPLS-enabled network has the lowest delay because there is less computation at each router, which speeds up packet forwarding.
The layer 2 VPN based network has a higher average end-to-end delay than the layer 3 VPN network under the same simulation conditions, and delay increases with increasing average load (bits) on the network.

Figure 4. Average end-to-end delay vs. average load

Delivery ratio - As shown in Figure 5, the MPLS-VPN layer 2 network has a better delivery ratio than the MPLS-VPN layer 3 network. A VPN identifier is added at the access point, which takes more processing time, so MPLS-VPN at layer 3 has a lower delivery ratio.
Figure 5. Delivery ratio of WMN security techniques

A denial of service (flooding) attack is launched on the network for 200 s. A network continues to feel the effects of an attack after it has stopped, and each technique behaves differently and takes a different time to return to its original state. The network is simulated under normal conditions for the first 500 s, the flooding attack runs from 500 s to 700 s, and from 700 s to 1500 s the network again runs in its original condition.

End-to-end delay (under flooding attack) - As shown in Figure 6, the plain wireless network has the highest average delay while the MPLS network has the least. The VPN at layer 2 has a lower average delay than the VPN at layer 3. After the flooding attack the different technologies take different times to recover: the VPN at layer 2 takes the least time to regain its original state while the plain mesh network takes the most.

Figure 6. End-to-end delay with and without flooding attack

Download response time (under flooding attack) - As shown in Figure 7, download response time is highest for the plain mesh network while the VPN at layer 3 has the lowest. The VPN at layer 2, however, is affected later than the other technologies, so overall under a flooding attack the VPN at layer 2 is better than the VPN at layer 3.

Figure 7. Download response time with and without flooding attack
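The recovery behaviour described above (attack from 500 s to 700 s, each technique taking a different time to return to its pre-attack state) can be quantified from a delay trace. The following Python is an added example, not the paper's code or OPNET output: it computes the pre-attack baseline, the peak during the attack and the time after the attack stops until the delay settles back within a tolerance of baseline, and ranks techniques by that recovery time. The traces it runs on are synthetic, constructed here only to exercise the functions; the decay constants and technique names are assumptions and do not reproduce the paper's measurements.

```python
"""Recovery-time measurement for a flooding-attack delay trace (added example)."""
import math
from statistics import mean


def recovery_stats(trace, attack_start, attack_end, tolerance=0.10, settle=30):
    """trace: list of (t_seconds, delay_seconds) sampled once per second.

    Returns the pre-attack baseline delay, the peak delay inside the attack
    window and the recovery time: seconds after attack_end until the delay has
    stayed within (1 + tolerance) * baseline for `settle` consecutive samples.
    recovery_time is None when the trace never settles before it ends."""
    before = [d for t, d in trace if t < attack_start]
    during = [d for t, d in trace if attack_start <= t < attack_end]
    if not before or not during:
        raise ValueError("trace must cover both the pre-attack and the attack window")
    baseline = mean(before)
    limit = baseline * (1 + tolerance)
    run, recovery = 0, None
    for t, d in trace:
        if t < attack_end:
            continue
        run = run + 1 if d <= limit else 0   # consecutive in-tolerance samples
        if run == settle:
            recovery = (t - (settle - 1)) - attack_end  # start of the settled run
            break
    return {"baseline": baseline, "peak": max(during), "recovery_time": recovery}


def rank_by_recovery(traces, attack_start, attack_end, **kwargs):
    """traces: {technique name: trace}. Names ordered fastest recovery first;
    techniques that never settle are placed last."""
    stats = {name: recovery_stats(tr, attack_start, attack_end, **kwargs)
             for name, tr in traces.items()}
    return sorted(stats, key=lambda n: (stats[n]["recovery_time"] is None,
                                        stats[n]["recovery_time"] or 0))


def synthetic_trace(baseline, attack_delay, decay_s,
                    attack_start=500, attack_end=700, duration=1500):
    """Constructed trace (not measured data): flat before the attack, raised
    during it, decaying exponentially back towards baseline afterwards with
    time constant decay_s seconds."""
    trace = []
    for t in range(duration):
        if t < attack_start:
            d = baseline
        elif t < attack_end:
            d = attack_delay
        else:
            d = baseline + (attack_delay - baseline) * math.exp(-(t - attack_end) / decay_s)
        trace.append((t, d))
    return trace


if __name__ == "__main__":
    # Assumed decay constants only illustrate the ranking; they are not the paper's results.
    scenarios = {"plain WMN": synthetic_trace(0.02, 0.20, 120),
                 "MPLS VPN L3": synthetic_trace(0.02, 0.20, 60),
                 "MPLS VPN L2": synthetic_trace(0.02, 0.20, 40)}
    for name, tr in scenarios.items():
        print(name, recovery_stats(tr, 500, 700))
    print(rank_by_recovery(scenarios, 500, 700))
```

The settle window matters: a single sample dipping to baseline during the decay should not count as recovery, which is why the function requires a run of consecutive in-tolerance samples and reports the start of that run. A trace that never settles before the simulation ends is reported as None rather than as a misleadingly long number.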
V. Conclusion
In this paper we explained the security issues of WMNs and the techniques that address them. A WMN is an open network that uses unguided media for communication, so it is exposed to many threats, and because of its multi-hop nature an intruder can affect the network from many points. VPN techniques are therefore applied in the wireless mesh network: a virtual private network provides security by establishing VPN tunnels that carry communication without external interference. We analyzed VPN technology at layer 2 and at layer 3, together with the plain wireless mesh network and the MPLS-enabled network. The plain wireless mesh network performs better than the VPN technologies under normal conditions, but under a denial of service attack the plain WMN performs worst while the security-enabled networks perform better. Across the metrics used, VPN with MPLS at layer 2 performed better than at layer 3, and the security-enabled networks were less affected by the attack. As the analysis shows, providing security for a multi-hop wireless network such as a WMN remains very difficult.

Acknowledgement
The authors express their gratitude to the other faculty members of Computer Science and Engineering, SBSTC, for their intellectual support throughout the course of this work.

References
[1] Ian F. Akyildiz, Xudong Wang, Weilin Wang, "Wireless mesh networks: a survey", Computer Networks 2005; 47(4): 445-487.
[2] K. Vats, N. Singh, Jasvinder, L. Jaiswal, "Different Security Mechanisms for Different Type of Security Lapses in Wireless Mesh Network - A Review", IJCSE 2012; ISSN: 0976-5166.
[3] Okechukwu E. Muogilim, Kok-Keong Loo, Richard Comley, "Wireless mesh network security: a traffic engineering management approach", Journal of Network and Computer Applications 34 (2011) 478-491.
[4] D. Grayson, D. Guernsey, J. Butts, M. Spainhower, S. Shenoi, "Analysis of security threats to MPLS virtual private networks", International Journal of Critical Infrastructure Protection 2 (2009) 146-153.
[5] S.P. Carrasco, Partner, Carrasco & Associates, "MPLS VPN Services: PW, VPLS and BGP MPLS/IP VPNs", Technology White Paper, Copyright 2003-2006.
[6] Cisco IP Solution Center L2VPN User Guide, Copyright 2005 Cisco Systems, Inc.
[7] C. Semeria, "RFC 2547bis: BGP/MPLS VPN Fundamentals", Juniper Networks, 200012-001, 03/01.