Fernando Pereniguez-Garcia

A Framework for Supporting Network Continuity in Vehicular IPv6 Communications

The appearance of recent standards about cooperative ITS architectures towards a reference communication stack has been an inflection point in the research about vehicular networks. The ISO Communication Access for Land Mobiles (CALM) and the ETSI European ITS communication architecture have paved the way towards real and interoperable vehicular cooperative systems. Within these convergent proposals, IPv6 communications are recognized as a key component to enable traffic efficiency and infotainment applications. The proper operation of these applications and the achievement of value-added ITS services require an uninterrupted network connectivity. This paper addresses this problem by proposing a novel communication stack to support the provision of continuous and secure IPv6 vehicular communications. The solution follows the ISO/ETSI guidelines for the development of cooperative ITS systems and is based on standardized technologies such as Network Mobility (NEMO) protocol to provide an integral management of IPv6mobility. The solution integrates IEEE 802.21 media independent handover services for optimizing the handover process. While the support to the handover optimization offered by the proposed ITS communication stack is demonstrated through a mobility use case, a real testbed supporting most of the communications features is developed to validate and assess the real performance of the stack design.

Network access security for the internet: protocol for carrying authentication for network access

Network access authentication is a key procedure for network operators to control user access to the network service. The IETFs recently finished its major work in this area by standardizing an IP-based protocol named Protocol for Carrying Authentication for Network Access (PANA). We provide a comprehensive survey of PANA based on developed IETF standards, and describe its applicability to both existing and emerging network environments.

Teaching Advanced Concepts in Computer Networks: VNUML-UM Virtualization Tool

In the teaching of computer networks the main problem that arises is the high price and limited number of network devices the students can work with in the laboratories. Nowadays, with virtualization we can overcome this limitation. In this paper, we present a methodology that allows students to learn advanced computer network concepts through hands-on experience with the VNUML-UM virtualization tool, which is offered freely as a resource for the practical teaching of mobility, load balancing, and high availability. To verify the utility of using the VNUML-UM virtualization tool in the teaching of advanced computer network concepts, we have performed some opinion polls to the students during the last three academic years. The obtained results confirm that our students agree that the VNUML-UM enables an enhanced learning process of the different concepts and their practical skills. This perception is also confirmed by the final marks obtained by the students, which have considerably improved along the years. To the best our knowledge, this paper presents the first experience that provides results on the use of virtualization to teach advanced concepts in the field of computer networks.

Identity Federations Beyond the Web: A Survey

Internet service providers have, in recent years, adopted identity federation technologies with a high degree of success. A typical Internet user will regularly use these in her daily use of the Internet, even if she does not notice it. For example, she will use these technologies when publishing a picture in Flickr, when sharing it with her friends in her Facebook wall, when she performs a roaming telephone call over the 3G network, or when she obtains access to the eduroam network at her university. Until recently, identity federation technologies were mainly applicable to web and network access services. However, the proliferation of new emerging infrastructures, such as the cloud and grids, is motivating service providers to consider new solutions capable of satisfying identity federation for any almost kind of Internet service (SSH, NFS, SMTP, Cloud, Grid, etc.). This has been called identity federation beyond the Web. International projects and standardization bodies have also been considering ways to satisfy this urgent need. This paper describes the unmet requirement for federating any other kind of (non-Web-based) Internet service. In particular, it provides a detailed survey of the two main proposals, i.e., Application Bridging for Federated Access Beyond Web (ABFAB) and Federated Kerberos (FedKERB), which are currently discussed to provide a solution for this new type of federation, known as Identity Federations beyond the Web. Finally, this paper shows a fair comparison between both alternatives.

KAMU: providing advanced user privacy in Kerberos multi-domain scenarios

In Next Generation Networks, Kerberos is becoming a key component to support authentication and key distribution for Internet application services. However, for this purpose, Kerberos needs to rectify certain deficiencies, especially in the area of privacy, which allow an eavesdropper to obtain information of the services users are accessing. This paper presents a comprehensive privacy framework that guarantees user anonymity, service access unlinkability and message exchange unlinkability in Kerberos both in single-domain and multi-domain scenarios. This proposal is based on different extensibility mechanisms already defined for Kerberos, which facilitate its adoption in already deployed systems. Apart from evaluating our proposal in terms of performance to prove its lightweight nature, we demonstrate its capability to work in perfect harmony with a widely used anonymous communication system like Tor.

Out-of-band federated authentication for Kerberos based on PANA

Nowadays, network operators and educational and research communities are extending the access to their Internet application services to external end users by deploying, with other domains, the so-called identity federations. In these federations, end users use the identity and authentication credentials registered in their home organizations for accessing resources managed by a remote service provider. However, current identity federation solutions focus mainly on assisting network access and web services, while a significant number of services are left aside (e.g., SSH, FTP, Jabber, etc.). Taking advantage of the widespread adoption of Kerberos by current application services, this paper presents a solution to provide federated access to any kind of application service by using existing Authentication, Authorization and Accounting (AAA) infrastructures. The solution bootstraps a security association, in the service provider which enables the acquisition of a Kerberos credential to access the service. To link the end user authentication with the AAA infrastructure and the bootstrapping of the security association the solution uses the so-called Protocol for Carrying Authentication for Network Access (PANA).

A cross-layer SSO solution for federating access to kerberized services in the eduroam/DAMe network

Eduroam has become one of the main examples of network federations around the world, where hundred of institutions allow roaming end users to access the local network if they belong to any other eduroam member institution. In this context, this paper proposes how, once the end user is authenticated by the network, she can access additional federated application services (beyond the web) by means of Kerberos, without deploying additional cross-realm infrastructures. With the support of existing eduroam architecture, this proposal prevents the end user from being fully authenticated by her home institution again to access the application services, which do not need to be modified. Finally, optional advanced authorization can be used to provide added value services to end users.

Architectures and Protocols for Secure Information Technology Infrastructures

Antonio Ruiz Martínez is an assistant lecturer in the Department of Information and Communications Engineering at the University of Murcia, where he also serves as ViceDean of Quality Affairs and Innovation at the Faculty of Computer Science. He received his B.E., M.E. and Ph.D. degrees in Computer Sciences from the University of Murcia, as well. His main research interests include electronic commerce, electronic payment systems, security, privacy, electronic government and Web services, where he has participated in several research projects in the national and international areas. He has published several papers in international conferences and journals, serves as a technical program committee member in various conferences, and is a reviewer and member of the editorial board for several international journals. Released: September 2013 An Excellent Addition to Your Library!

A network access control solution based on PANA for intelligent transportation systems

The International Standards Organization (ISO) and the European Telecommunications Standards Institute (ETSI) have defined a common ITS reference communications stack which have paved the way to new research lines in vehicular networks. Currently, most of the efforts have focused on the definition and testing of ITS applications operating over Internet Protocol version 6 (IPv6) communication technologies. Unfortunately, little attention has been payed to ensure that only authenticated systems are granted access the network in Vehicular-to-Infrastructure (V2I) communications. This paper addresses this problem by improving the ISO/ETSI ITS communication architecture to support network access control functionality. The proposal is based on the standard Protocol for Carrying Authentication for Network Access (PANA), which is the most representative contribution of the Internet Engineering Task Force (IETF) to this security problem. Moreover, this proposal has been tested in a real environment in order to validate its performance and suitability for ITS.

Improving Kerberos Ticket Acquisition during Application Service Access Control

Kerberos is one of the most deployed protocols to achieve a controlled access to application services by ensuring a secure authentication and key distribution process. Given its growing popularity, Kerberos is envisaged to become a widespread solution for single sign-on access. For this reason, the evolution of the protocol still continues in order to address new features or challenges which were not considered when initially designed. This paper focuses on the ticket acquisition process and proposes a new mechanism called Kerberos Ticket Pre-distribution that reduces the time required to recover tickets from the Key Distribution Center KDC. We offer a flexible solution which is able to work in three different modes of operation, depending on what entity the user, the network or both controls the pre-distribution process. By employing the extensibility mechanisms available in Kerberos, we maintain interoperability with current implementations without compromising the security and robustness of the protocol. Using an implemented prototype, we evaluate our solution and demonstrate that our proposal significantly improves the standard Kerberos ticket acquisition process.