Publication


Featured research published by Jasone Astorga.


IEEE Communications Surveys and Tutorials | 2017

A survey on the contributions of Software-Defined Networking to Traffic Engineering

Alaitz Mendiola; Jasone Astorga; Eduardo Jacob; Marivi Higuero

Since the appearance of OpenFlow back in 2008, software-defined networking (SDN) has gained momentum. Although there are some discrepancies between the standards developing organizations working with SDN about what SDN is and how it is defined, they all outline traffic engineering (TE) as a key application. One of the most common objectives of TE is the congestion minimization, where techniques such as traffic splitting among multiple paths or advanced reservation systems are used. In such a scenario, this manuscript surveys the role of a comprehensive list of SDN protocols in TE solutions, in order to assess how these protocols can benefit TE. The SDN protocols have been categorized using the SDN architecture proposed by the open networking foundation, which differentiates among data-controller plane interfaces, application-controller plane interfaces, and management interfaces, in order to state how the interface type in which they operate influences TE. In addition, the impact of the SDN protocols on TE has been evaluated by comparing them with the path computation element (PCE)-based architecture. The PCE-based architecture has been selected to measure the impact of SDN on TE because it is the most novel TE architecture until the date, and because it already defines a set of metrics to measure the performance of TE solutions. We conclude that using the three types of interfaces simultaneously will result in more powerful and enhanced TE solutions, since they benefit TE in complementary ways.


IET Information Security | 2012

Ladon: end-to-end authorisation support for resource-deprived environments

Jasone Astorga; Eduardo Jacob; Maider Huarte; Marivi Higuero

The authors present Ladon, an enhanced version of Kerberos which extends the original protocol with authorisation capacity and relaxes the necessity of clock synchronisation by adding to the protocol special limited-lifetime nonces. This way, although all entities need timers, only the clocks of the two servers that constitute the key distribution centre must be synchronised with each other. The design of this protocol is motivated by the emergence of a new trend of applications in which sensors and low-capacity devices become tiny information or application servers directly addressable by any Internet-connected entity. Despite the huge potential of these environments, security is probably the greatest barrier to their long-term success. To address this issue, Ladon allows for end-to-end pair-wise key establishment in an authenticated and authorised manner, while keeping the introduced storage, computational and communication overhead very low. The security analysis with the AVISPA formal validation tool shows that the protocol meets the stated security goals, whereas the performance analysis shows that the overhead of the protocol is bounded and comparable to that of other security protocols which provide even less functionalities.


Computers & Security | 2013

Design and formal security evaluation of NeMHIP

Nerea Toledo; Marivi Higuero; Jasone Astorga; Marina Aguado; Jean-Marie Bonnin

NEtwork MObility Basic Support (NEMO BS) is a standardized protocol for managing the mobility of a set of nodes that move together as a whole while having continuous connectivity to the Internet through one or more Mobile Routers (MRs). Because it is based on Mobile IPv6 (MIPv6), it inherits the properties of MIPv6, such as the use of IPsec. However, NEMO BS does not address all the features required by the demanding Intelligent Transportation Systems (ITS) scenario to provide an integrated and global secure mobility management framework. In addition, unlike MIPv6, the routing in NEMO BS is suboptimal, which makes difficult the provision of an adequate service performance. These characteristics make the application of the NEMO BS protocol not optimum in this scenario. An interesting strategy to provide security and good service performance is to consider a protocol that establishes and maintains Security Associations (SAs), such as the Host Identity Protocol (HIP). Different HIP-based approaches have been defined. However, these HIP-based network mobility solutions still present unsolved issues. In this article, we present a secure and efficient network mobility protocol named NeMHIP. NeMHIP provides secure and optimum mobility management and efficient end-to-end confidentiality and integrity protection apart from the basic security properties inherited from HIP. To evaluate the security provisions of NeMHIP, we have conducted a belief-based formal evaluation. The results demonstrate that the defined security goals are achieved by the protocol. Furthermore, we have performed an automated formal evaluation to validate additional security aspects of NeMHIP. Thus, we have modeled NeMHIP using the AVISPA tool and assessed its security when an intruder is present. The results confirm that NeMHIP is a secure protocol that ensures end-to-end confidentiality and integrity without introducing security leaks to the basic HIP. 
Thus, we have addressed the need found in the literature for providing security and efficiency in the network mobility scenario.


Journal of Network and Computer Applications | 2013

A high performance link layer mobility management strategy for professional private broadband networks

Jasone Astorga; Marina Aguado; Nerea Toledo; Marivi Higuero

In this paper, we present an innovative approach to solving the mobility management problem in the context of professional private broadband networks in the vehicular scenario. These heterogeneous communication networks are commonly deployed and managed by mission-critical organisations with the aim of supporting their specific and highly demanding services. Taking advantage of the specific characteristics of these networks, we propose to solve the mobility problem at Layer 2. This way, the mobility management overhead is reduced compared to solutions that operate at Layer 3 or above and therefore, shorter handover delays and better end-to-end application performances are achieved. The core element of our proposal is an intelligent mobile switch that makes use of the services provided by the IEEE 802.21 protocol to enhance vertical or heterogeneous handover performance. To validate our approach, we have developed a prototype implementation of the designed mobile switch with IEEE 802.11 and IEEE 802.16 support. Using this mobile switch implementation, we have carried out a set of experiments over a real testbed and measured some key indicators to assess the mobility management process. The obtained results show that our handover strategy comfortably meets the requirements of the ITU-T Y.1541 recommendation for highly demanding applications and ITU-R report M.2134 for high-speed handover. To the best of our knowledge, our contribution is the first proposal that solves the mobility management problem at Layer 2 while addressing the multi-access technology context in the vehicular professional private network scenario.


EURASIP Journal on Wireless Communications and Networking | 2012

The cross layer RMPA handover: a reliable mobility pattern aware handover strategy for broadband wireless communication in a high-speed railway domain

Marina Aguado; Eduardo Jacob; Jasone Astorga; Nerea Toledo; Marion Berbineau

Enhancing the handover process in broadband wireless communication deployment has traditionally motivated many research initiatives. In a high-speed railway domain, the challenge is even greater. Owing to the long distances covered, the mobile node gets involved in a compulsory sequence of handover processes. Consequently, poor performance during the execution of these handover processes significantly degrades the global end-to-end performance. This article proposes a new handover strategy for the railway domain: the RMPA handover, a Reliable Mobility Pattern Aware IEEE 802.16 handover strategy “customized” for a high-speed mobility scenario. The stringent high mobility feature is balanced with three other positive features in a high-speed context: mobility pattern awareness, different sources for location discovery techniques, and a previously known traffic data profile. To the best of the authors’ knowledge, there is no IEEE 802.16 handover scheme that simultaneously covers the optimization of the handover process itself and the efficient timing of the handover process. Our strategy covers both areas of research while providing a cost-effective and standards-based solution. To schedule the handover process efficiently, the RMPA strategy makes use of a context aware handover policy; that is, a handover policy based on the mobile node mobility pattern, the time required to perform the handover, the neighboring network conditions, the data traffic profile, the received power signal, and current location and speed information of the train. Our proposal merges all these variables in a cross layer interaction in the handover policy engine. It also enhances the handover process itself by establishing the values for the set of handover configuration parameters and mechanisms of the handover process. RMPA is a cost-effective strategy because compatibility with standards-based equipment is guaranteed. 
The major contributions of the RMPA handover are in areas that have been left open to the handover designer’s discretion. Our simulation analysis validates the RMPA handover decision rules and design choices. Our results supporting a high-demand video application in the uplink stream show a significant improvement in the end-to-end quality of service parameters, including end-to-end delay (22%) and jitter (80%), when compared with a policy based on signal-to-noise-ratio information.


Ambient Intelligence | 2014

Securing access to next generation IP-enabled pacemakers and ICDs using Ladon

Jasone Astorga; Juan Carlos Astorga; Eduardo Jacob; Nerea Toledo; Marivi Higuero

The upcoming development of the Internet of Things (IoT) envisions IP-enabled pacemakers and ICDs, giving place to a completely new scenario in the field of remote monitoring of patients implanted with these devices. Apart from the costs saved thanks to the reduction of in-clinic visits, this new approach will help improving the quality of life of chronic patients that depend on such devices. However, this scenario cannot be conceived without an effective mechanism to protect the privacy of the health information collected by implanted sensors, understanding privacy as the capacity to determine when, how and to what extent information is communicated to others. In this paper, we show how the Ladon authentication, authorization and key establishment protocol can be successfully applied to achieve this purpose. The Ladon protocol is based on Kerberos, but appropriately modified and extended to support independence of clock synchronization and authorization functionalities. In order to demonstrate the feasibility of introducing Ladon in the targeted scenarios, a prototype implementation based on general purpose sensors has been developed. The obtained results show that the performance penalty introduced by the protocol in terms of energy and time consumption is negligible.


International Conference on ITS Telecommunications | 2009

Simulation framework for performance evaluation of broadband communication architectures for next generation railway communication services

Marina Aguado; Eduardo Jacob; Marion Berbineau; Jasone Astorga; Nerea Toledo

In the last few years, in the European context, railway communication architectures have migrated from a juxtaposition of different, and mostly proprietary, technological solutions — each of them addressing the particular requirements of a specific railway IT service — to a single unique and integrated telecom open architecture based on GSM-R (Global System for Mobile Communications - Railways). Next envisaged movement is to integrate the current different railway IT services and emerging railway needs in a global open and standard 4th generation mobile communication architecture. However, in-depth studies are necessary to validate these packet switched technologies and architectures as usable for the highly demanding railway operational communications such as the Automatic Train Control service. The standardized version of this service in the European context, is known as ETCS service (European Train Control System). These packet switched technologies, since they are based on a different philosophy, they need adequate engineering rules. This paper is focused on building a simulation framework able to carry out these in-depth performance evaluation studies.


IEEE Access | 2018

Expressive Policy-Based Access Control for Resource-Constrained Devices

Mikel Uriarte; Jasone Astorga; Eduardo Jacob; Maider Huarte; Manuel Carnerero

Upcoming smart scenarios enabled by the Internet of Things envision smart objects that expose services that can adapt to user behavior or be managed with the goal of achieving higher productivity, often in multi-stakeholder applications. In such environments, smart things are cheap sensors (and actuators) and, therefore, constrained devices. However, they are also critical components because of the importance of the provided information. Therefore, strong security is a must. Nevertheless, existing feasible approaches do not cope well with the principle of least privilege; they lack both expressiveness and the ability to update the policy to be enforced in the sensors. In this paper, we propose an access control model that comprises a policy language that provides dynamic fine-grained policy enforcement in the sensors based on local context conditions. This dynamic policy cycle requires a secure, efficient, and traceable message exchange protocol. For that purpose, a security protocol called Hidra is also proposed. A security and performance evaluation demonstrates the feasibility and adequacy of the proposed protocol and access control model.


2017 International Conference on Networked Systems (NetSys) | 2017

Towards an SDN-based bandwidth on demand service for the European research community

Alaitz Mendiola; Jasone Astorga; Jordi Ortiz; Jovana J. Vuleta-Radoičić; Artur Juszczyk; Kostas Stamos; Eduardo Jacob; Marivi Higuero

Geant, the pan-European Research and Education Network (REN) is working on a Software-Defined Networking (SDN) solution to improve the provisioning of the Bandwidth on Demand (BoD) service. The SDN-based solution will integrate with the current provisioning tool, AutoBAHN, to add support for OpenFlow domains. One of the main benefits of this approach is that the solution will still be compliant with the Network Services Interface (NSI-CS) protocol to support multi-domain service provisioning. The core element of the solution is the Dynamic Path Computation (DynPaC) framework, an advanced reservation system for OpenFlow domains that allows the establishment of resilient Layer 2 services with bandwidth and VLAN constraints. This paper presents all the phases in the deployment of this SDN solution: the functional requirements definition, the evaluation of OpenDaylight and ONOS to select the appropriate network operating system, and the evolution of the DynPaC framework from its first implementation to the future integration in ONOS.


Network Protocols and Algorithms | 2016

Eurobalise-Train communication modelling to assess interferences in railway control signalling systems

Lara Rodriguez; Christian Pinedo; Igor Lopez; Marina Aguado; Jasone Astorga; Marivi Higuero; Iñigo Adin; Guillermo Bistué; Jaizki Mendizabal

The evolution of the railway sector depends, to a great extent, on the deployment of advanced railway signalling systems. These signalling systems are based on communication architectures that must cope with complex electromagnetical environments. This paper is outlined in the context of developing the necessary tools to allow the quick deployment of these signalling systems by contributing to an easier analysis of their behaviour under the effect of electromagnetical interferences. Specifically, this paper presents the modelling of the Eurobalise-train communication flow in a general purpose simulation tool. It is critical to guarantee this communication link since any lack of communication may lead to a stop of the train and availability problems. In order to model precisely this communication link we used real measurements done in a laboratory equipped with elements defined in the suitable subsets. Through the simulation study carried out, we obtained performance indicators of the physical layer such as the received power, SNR and BER. The modelling presented in this paper is a required step to be able to provide quality of service indicators related to perturbed scenarios.

Collaboration


Top Co-Authors

Eduardo Jacob

University of the Basque Country

Marivi Higuero

University of the Basque Country

Nerea Toledo

University of the Basque Country

Marina Aguado

University of the Basque Country

Jon Matias

University of the Basque Country

Maider Huarte

University of the Basque Country

Alaitz Mendiola

University of the Basque Country

P. Saiz

University of the Basque Country

Aitor Urtasun

University of the Basque Country

Christian Pinedo

University of the Basque Country
