Secure Election Infrastructures Based on IPv6 Clouds

First IPv6-only OpenStack Cloud used to deliver production services is deployed by Nephos6, Citkomm and SnT-University of Luxembourg. Latif Ladid, President, IPv6 Forum and Research Fellow, and Gabriela Gheorghe, Researcher, SnT, University of Luxembourg, discuss.

InterComms, www.intercomms.net, p. 28

Why?

IPv6 itself enables addressability and thus helps end-to-end connectivity when it comes to many heterogeneous computing resources (for example, mobile devices and the Internet of Things). Cloud systems help reduce spending on infrastructure, improve accessibility, and enable scaling. Cloud software to deploy and manage fleets of virtual resources is already available, either proprietary or open-source; this technology is already offering management features that network administrators were only dreaming about before. Cloud and IPv6 make sense together because the resources that IPv6 can access can be virtualised in the cloud and controlled remotely.
Latif Ladid, IPv6 Forum President

"During the 2014 elections in Germany, a production-ready, IPv6-based OpenStack Cloud established at the University of Luxembourg successfully delivered election results to German voters, a World First to pioneer the future of the open world of cloud computing!" said Latif Ladid, President, IPv6 Forum and Research Fellow at the University of Luxembourg.

Cloud and IPv6 make sense together

For public administrations engaged in building future-proof infrastructures, IPv6 and cloud systems managed in-house are worth considering together. Both cloud infrastructures and IPv6 are technologies of the present and it is time to make them part of the future.

Election pilot based on an IPv6-enabled cloud

The University of Luxembourg (UL) hosted the first IPv6-only cloud in a production environment, in cooperation with Citkomm and Nephos6. This cloud system served the May 2014 elections in Germany for the Citkomm customers, and successfully served 5% of the requests of all the citizens accessing the election results presented there. The service showcased by this pilot is the presentation of the election website.

Throughout the election days, citizens of various municipalities in North Rhine-Westphalia could access the current voting count on a Citkomm-hosted website (http://wahlen.citkomm.de/). The backend webserver for this website has traditionally been IPv4-only, and with this pilot we showcased two novelties at the same time:
- IPv6 enablement of the website, needed especially by those citizens accessing it from machines that are IPv6 enabled;
- Cloud computing assurance (availability, resilience, scalability, security) when it comes to handling large amounts of user traffic.

The pilot achieved its purpose fully. It employed an open-source cloud distribution, OpenStack Havana, that was adapted in-house to support IPv6, as native IPv6 support is not yet official. The pilot has passed an intensive testing phase that covered heavy load generation and handling. During the test and production phase, the pilot was subject to extensive QoS monitoring and performance data collection.

The pilot gathered together a number of presentation servers on the Citkomm site, and two others on the Luxembourg site. This is shown in figure 1 below. The first figure shows how resources from different locations (one is QSC, the other is the Luxembourg site) were integrated together under the same citkomm.de domain. The QSC resources are all IPv4-only, while the Luxembourg ones were addressable only via IPv6. Figure 2 below shows the deployment at the UL site in more detail: on 4 physical servers (of which one is a cloud controller and the other 3 are cloud nodes) there are a number of virtual resources in the cloud. These resources are virtual machines: images of a complete operating system and the applications running on top of it. These virtual resources are managed internally by the cloud operating system (OpenStack in this case) and are situated in the same network segment in the university network, protected by a firewall.

Transition to IPv6

The transition to IPv6 can be of the application to be virtualized and deployed in the cloud, or of the OpenStack system itself. In our case, the application to be run in the cloud was the presentation website. This was HTML code and hence was independent of the IP protocol understood by the browser. The integration of IPv6 in OpenStack is not yet officially achieved in the open-source community. At UL, the OpenStack Havana testbed has been patched for full IPv6 support with help from Nephos6, an IT company based in Raleigh, USA.

[Figure 2]

All details of the patch can be found in a previously published whitepaper (http://www.nephos6.com/pdf/openstack-havana-on-ipv6.pdf); they cover the address assignment and some routing issues in OpenStack. The patch is relatively easy to deploy and, once installed, it is possible to launch virtual machines with native IPv6 addresses. The patch will be officially integrated in the next version of the OpenStack software. When virtual machines can have IPv6 addresses, they can be accessible directly, without any need for intermediate (proxy) configurations, by both users and network administrators. In other words, everything that is set up within these virtual machines becomes immediately accessible to everybody. Think of a virtual machine as a virtual computer, where any application can run to serve users, and communicate with other virtual machines to achieve a common purpose.

Complex infrastructure monitoring at your fingertips

As typical cloud-based software goes, OpenStack gives a very granular way to manage virtualized resources. Virtual resources in this scenario host the webserver of the election results website, and here they are virtual machines with a Linux operating system on top. Some of the management features offered by OpenStack for virtual machines cover:
- Virtual machines can be switched on or off, can be paused, and can be replicated at various states in their lifecycle,
- Virtual machines can be firewalled in different ways from the OpenStack dashboard,
- Virtual machines can change network configurations (one-by-one or in groups). For example, machine instances can be assigned different virtual IPv4 or IPv6 addresses,
- Virtual machines can be monitored individually or in groups at hypervisor level,
- Virtual machines can be made to execute script actions at bootup,
- Virtual machines can be migrated from one physical host to another, without losing state.

[Figure 1]

Figure 3 shows one view from the OpenStack dashboard, the control room of the cloud from where the cloud administrator can visualize the existing resources, tune them, or change various parameters of the infrastructure. These features are included in the out-of-the-box OpenStack software. Therefore, with cloud features, e-government infrastructures can be managed better than ever before:
- the administrator can access virtual resources, baremetal system and network information at any time and at different levels of granularity (virtual machines, virtualization level, hardware monitors on the physical machines on which the virtual resources reside),
- scaling (up or down) of resources can be achieved at runtime with the press of a button, since elasticity is one of the main features of cloud systems, and is implemented in OpenStack as is,
- essential information in the area of runtime QoS monitoring and assurance becomes available.

As a proof of concept, UL has experimented on the monitoring features that already exist and that can be added on top of this cloud distribution. This work was done together with Citkomm and Nephos6. We have instrumented the typical OpenStack monitoring so that an e-government infrastructure administrator can be offered more information about the distributed system in a centralized way. In this work, and in the following figures, we have used Sonar, a Nephos6 Service Assurance tool. During the actual elections, we monitored the end-user experience from several locations in Europe and in the US. We measured HTTP response time throughout the election day for all virtual resources that users could access (one single URL could direct end-users to the UL infrastructure when the connection was over IPv6), and correlated this time with some information from within the UL deployment.

This approach is useful for several main reasons. First, the administrator can have a concrete idea of the user-side experience of the application running on top of the virtualized infrastructure. This can be seen in figure 4, showing the user-side experience of the Citkomm URL http://wahlen.citkomm.de/ during the election on the 25th of May, between 8pm and 9:45pm. Second, the administration can compare user experience from different locations. Figure 5 shows how, in our proof of concept, the administrator can experience a cloud dashboard: a map of Europe with the marks for where the monitoring scripts are deployed, and a diagram showing the performance experienced from the different locations when accessing the resource in the cloud (in this case, the elections website at the URL indicated above). This information can provide hints about potential problems (e.g., it is likely a network problem if the user experience is bad from some locations, while it can be a server-side problem if the user experience is bad from all locations). For example, in figure 5 the red line, corresponding to the Gen6 OpenStack locally-deployed measurement script, has a much better performance than the other two, which are subject to network delays associated with their location. Third, the administrator can act on the observed issues, whether by investigating at the server side, or by moving resources from one virtual/physical network to another, or by starting up new resources. These possibilities are not available in traditional networks.

[Figure 3]
[Figure 4]
[Figure 5]

In our proof of concept, we could visualize different types of monitoring data in the same dashboard:
- HTTP data and ping, for the application running on top of the cloud infrastructure,
- Data reported by monitoring tools such as Munin, that look at disk, CPU and network operations when virtual machines run,
- Physical infrastructure data (the physical machines on which the virtual resources are running) that is gathered and reported by a service within OpenStack called Ceilometer, which is in charge of reporting system statistics.

This rich palette of data is extremely useful for the infrastructure administrator, as it can be used for root-cause analysis and mitigation in case there is an infrastructure incident. Moreover, with multiple virtual resources addressable by IPv6, the troubleshooting process becomes easier because addressing is now straightforward: every virtual machine can be directly accessed and queried. With traditional IP addresses, the administrator had a much harder time configuring NAT and firewalls on individual middleboxes in the infrastructure.

Security considerations

Security requirements of the election infrastructure in our experiment cover several aspects:
- Firewalling over the physical and virtual resources, to prevent unauthorized access at network level. Even though IPv6 eliminates NATs, the need for a correctly configured firewall is just as dire when using IPv6 as when using IPv4,
- Access controls when it comes to accessing the virtual resources (e.g., the website and its updates, the backend connection, log data backups),
- Resource exhaustion detection / prevention, which are particularly needed in a cloud context in which illegitimately demanding resources can exhaust the physical capabilities, because the cloud's inner elasticity mechanisms would be triggered easily,
- Security monitoring and testing, which are parts of common security and reliability practices.

Firewalling in OpenStack can be done from the main administrator dashboard, in the Security groups settings tab. Figure 6 shows how an administrator can view and edit security group rules for virtual machines and set constraints on the inbound and outbound traffic at IP level and above. Advanced access controls for authentication and authorization are available in OpenStack's command line interface. OpenStack's identity service can be connected with an LDAP server, external multi-factor authentication services or Kerberos systems. A super-administrator can create accounts and associate permissions to what OpenStack calls tenants, isolated projects (i.e., sets of virtual resources managed by a single administrator) in the cloud. Tenants are subject to quota controls (e.g., number of virtual machines they can launch, number of processor cores they can occupy, IP address space they can use, disk space, etc.). Tenants restrict, therefore, a user's access to certain virtual resources; access key pairs for resources are available per user, but, as the OpenStack manual mentions, quotas control resource consumption of each tenant across hardware resources, to ensure tenant isolation. Advanced logging and monitoring features to view user activity are also available.

[Figure 6]

For cloud tenants such as election testbeds, resource exhaustion events can be highly damaging because they affect the election website and hence citizens will no longer be able to access it. The tenant-based design that comes natively with OpenStack can isolate damage from one tenant to another, hence the spreading of the problem is limited to the physical resources that the particular tenant is using. Nevertheless, exhausting resources within a tenant stays problematic, and that is usually brought about by Denial of Service (DoS) attacks. In the election scenario, UL has been considering how analytics on monitoring data can be used to enable reliability and system security in the face of DoS attacks. In our approach, by periodically probing the election website it can be inferred whether the website is accessible from all virtual sites; if that is not working as expected (e.g., response time within a given time threshold), it is possible to infer, by distributed monitoring, what resources are underperforming. There are several ways to react to this situation: spawn new resources on the fly and reroute traffic there, migrate virtual machines to different physical hosts, restart virtual machines. OpenStack makes it easy and painless to perform such reactions, depending on the situation at hand.

Conclusions from this GEN6 pilot

With this experiment, we have shown that existing e-government services can be enabled with IPv6 and that open-source cloud distributions can successfully face real-world requirements for the public sector. Moreover, our proof of concept shows that it is possible to integrate cloud-based services into a real infrastructure and add to its scalability, and with OpenStack those operations are now a reality. The resulting system, with a mix of physical and virtual resources working together, can successfully handle real-world peak load, and both IPv4 and IPv6 "islands" can co-exist in the same infrastructure and bring added value. In all, we have shown that it is possible to build future-proof infrastructures with both IPv6 and cloud technologies.

For more information visit: www.iot6.eu

Further resources

OpenStack Administrator's Guide: http://docs.openstack.org/admin-guide-cloud/content/ch_preface.html
OpenStack Security Guide: http://docs.openstack.org/security-guide/security-guide.pdf
Press release on the Citkomm-UL-Nephos6 election cloud testbed: http://www.gen6-project.eu/fileadmin/gen6/flyer_gen6/pressemitteilung_gen6_02.06.14.pdf
Citkomm video report on the May 25th 2014 election (in German): http://www.citkomm.de/ueber-uns/news/detailansicht/article/video-vom-citkomm-wahlabend.html
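The security considerations above make the point that IPv6 removes NAT but not the need for a correctly configured firewall, and that OpenStack security groups constrain inbound and outbound traffic per protocol and port. The audit routine below is an added example written for this article; it is not OpenStack code and not the pilot's configuration. It assumes rule dictionaries shaped after Neutron's security-group-rule fields (direction, ethertype, protocol, port_range_min, port_range_max, remote_ip_prefix), a hypothetical exposure policy for a public results website (HTTP and HTTPS from anywhere, SSH only from an administrative prefix), and constructed sample rules that contain two deliberate mistakes and one deliberately missing IPv6 rule.

```python
"""Audit of security-group rules for a website exposed on both IPv4 and IPv6.
Added illustrative code for this article, not part of OpenStack; the rule
dictionaries are constructed sample data shaped after Neutron's
security-group-rule fields."""
import ipaddress
from typing import List, Optional, Tuple

# Hypothetical exposure policy for a public results website: HTTP and HTTPS
# from anywhere, SSH only from an administrative prefix (documentation ranges).
PUBLIC_PORTS = {("tcp", 80), ("tcp", 443)}
ADMIN_PREFIXES = {"IPv4": "203.0.113.0/24", "IPv6": "2001:db8:ad:1::/64"}

# Constructed sample rules. Indexes 4 and 5 are deliberate mistakes (a backend
# database port and an allow-everything rule open to the world); the IPv6 HTTPS
# rule is deliberately missing.
SAMPLE_RULES = [
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 80, "port_range_max": 80, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 443, "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "ethertype": "IPv6", "protocol": "tcp", "port_range_min": 80, "port_range_max": 80, "remote_ip_prefix": "::/0"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "203.0.113.0/24"},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 3306, "port_range_max": 3306, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "ethertype": "IPv6", "protocol": None, "port_range_min": None, "port_range_max": None, "remote_ip_prefix": "::/0"},
    {"direction": "egress", "ethertype": "IPv4", "protocol": None, "port_range_min": None, "port_range_max": None, "remote_ip_prefix": "0.0.0.0/0"},
]

Finding = Tuple[Optional[int], str]  # (rule index, or None for a coverage gap; message)


def is_world(prefix: Optional[str]) -> bool:
    """True when the remote prefix matches every address (0.0.0.0/0 or ::/0)."""
    return prefix is not None and ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def port_range(rule: dict) -> Optional[range]:
    """Ports a rule covers; None when the rule carries no port restriction."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None or hi is None:
        return None
    return range(lo, hi + 1)


def audit(rules: List[dict], public_ports=PUBLIC_PORTS, admin_prefixes=ADMIN_PREFIXES) -> List[Finding]:
    """Flag world-open rules outside the public policy, SSH from unexpected
    prefixes, and public ports that one IP version cannot reach at all."""
    findings: List[Finding] = []
    covered = set()  # (ethertype, protocol, port) reachable from anywhere
    for i, r in enumerate(rules):
        if r["direction"] != "ingress":
            continue  # the policy here only constrains inbound traffic
        et, proto, ports = r["ethertype"], r.get("protocol"), port_range(r)
        prefix = r.get("remote_ip_prefix")
        if is_world(prefix):
            if proto is None:
                findings.append((i, f"{et} ingress allows every protocol from anywhere"))
            elif proto not in ("tcp", "udp") or ports is None:
                findings.append((i, f"{et} {proto} open to the world without a port restriction"))
            else:
                for port in ports:
                    if (proto, port) in public_ports:
                        covered.add((et, proto, port))
                    else:
                        findings.append((i, f"{et} {proto}/{port} open to the world but not a public port"))
        elif proto == "tcp" and ports is not None and 22 in ports and prefix != admin_prefixes.get(et):
            findings.append((i, f"{et} ssh allowed from {prefix}, expected {admin_prefixes.get(et)}"))
    # A site that must be reachable over both IP versions needs each public port
    # opened for each ethertype; a missing IPv6 rule silently cuts off IPv6 clients.
    for et in ("IPv4", "IPv6"):
        for proto, port in sorted(public_ports):
            if (et, proto, port) not in covered:
                findings.append((None, f"no {et} ingress rule for public {proto}/{port}: {et} clients cannot reach it"))
    return findings


if __name__ == "__main__":
    for idx, msg in audit(SAMPLE_RULES):
        print(f"rule {idx if idx is not None else '-'}: {msg}")
```

The coverage check at the end is the IPv6-specific part: every public port is expected once per ethertype, so a group that was only ever written for IPv4 shows up as a gap rather than passing silently.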
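The monitoring section above infers a network problem when the user experience is bad from some locations and a server-side problem when it is bad from all of them, and the DoS discussion proposes periodic probing against a response-time threshold to find underperforming resources. The routine below is an added example written for this article; it is not the Sonar tool and not code from the pilot. The probe records, location names, target names and the 1000 ms threshold are constructed assumptions. It goes slightly beyond the text by requiring the server-side verdict to persist over consecutive probing rounds before a target is reported as underperforming, so that a single slow sample does not trigger a reaction.

```python
"""Triage of distributed HTTP response-time probes for a monitored website.
Added illustrative code for this article (not the Sonar tool or the pilot's
code); all probe data below is constructed sample input."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Probe:
    round: int                    # probing round (the site is probed periodically)
    location: str                 # vantage point running the measurement script
    target: str                   # resource being probed (here: two website backends)
    response_ms: Optional[float]  # None means timeout / no answer


# Constructed sample: three vantage points, two targets, three probing rounds.
# "ul-local" stands in for a script deployed next to the cloud, the others for
# remote locations; all names and numbers are hypothetical.
SAMPLE: List[Probe] = [
    # round 1: both targets fine from everywhere
    Probe(1, "ul-local", "ipv6-site", 40.0), Probe(1, "berlin", "ipv6-site", 150.0), Probe(1, "raleigh", "ipv6-site", 420.0),
    Probe(1, "ul-local", "ipv4-site", 60.0), Probe(1, "berlin", "ipv4-site", 170.0), Probe(1, "raleigh", "ipv4-site", 450.0),
    # round 2: only raleigh is slow to ipv6-site (a path problem); ipv4-site is slow from everywhere
    Probe(2, "ul-local", "ipv6-site", 42.0), Probe(2, "berlin", "ipv6-site", 160.0), Probe(2, "raleigh", "ipv6-site", 2600.0),
    Probe(2, "ul-local", "ipv4-site", 3100.0), Probe(2, "berlin", "ipv4-site", 3400.0), Probe(2, "raleigh", "ipv4-site", None),
    # round 3: raleigh recovered; ipv4-site is still bad from every vantage point
    Probe(3, "ul-local", "ipv6-site", 41.0), Probe(3, "berlin", "ipv6-site", 155.0), Probe(3, "raleigh", "ipv6-site", 430.0),
    Probe(3, "ul-local", "ipv4-site", None), Probe(3, "berlin", "ipv4-site", 2900.0), Probe(3, "raleigh", "ipv4-site", None),
]


def is_bad(probe: Probe, threshold_ms: float) -> bool:
    """A probe is bad when it timed out or exceeded the response-time threshold."""
    return probe.response_ms is None or probe.response_ms > threshold_ms


def verdict_for_round(probes: List[Probe], threshold_ms: float) -> str:
    """Apply the article's rule to one target in one round: bad from some
    locations -> 'network', bad from all locations -> 'server', else 'healthy'."""
    bad = [p for p in probes if is_bad(p, threshold_ms)]
    if not bad:
        return "healthy"
    if len(bad) == len(probes):
        return "server"
    return "network"


def triage(probes: List[Probe], threshold_ms: float = 1000.0, consecutive: int = 2) -> Dict[str, dict]:
    """Per target: verdict history in round order, the locations that were bad in
    the latest round, and whether a server-side verdict persisted for
    `consecutive` rounds (only then is the target reported as underperforming)."""
    per_target: Dict[str, Dict[int, List[Probe]]] = {}
    for p in probes:
        per_target.setdefault(p.target, {}).setdefault(p.round, []).append(p)
    result: Dict[str, dict] = {}
    for target, rounds in per_target.items():
        ordered = sorted(rounds)
        history = [verdict_for_round(rounds[r], threshold_ms) for r in ordered]
        latest_bad = sorted(p.location for p in rounds[ordered[-1]] if is_bad(p, threshold_ms))
        tail = history[-consecutive:]
        persistent = len(tail) == consecutive and all(v == "server" for v in tail)
        result[target] = {"history": history, "bad_locations": latest_bad, "underperforming": persistent}
    return result


def targets_needing_action(report: Dict[str, dict]) -> List[str]:
    """Targets an administrator would act on (spawn new resources, migrate, restart)."""
    return sorted(t for t, r in report.items() if r["underperforming"])


if __name__ == "__main__":
    report = triage(SAMPLE)
    for target, r in report.items():
        print(target, r["history"], "bad now from:", r["bad_locations"], "underperforming:", r["underperforming"])
    print("act on:", targets_needing_action(report))
```

The local vantage point matters for the same reason the article gives for the red line in figure 5: when it stays fast while remote locations are slow, the verdict is "network" and nothing inside the cloud needs to change; only a verdict shared by every location, held across rounds, points at the virtual resource itself.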