Jesus Llorente Santos
Aalto University
Publication
Featured research published by Jesus Llorente Santos.
European Conference on Networks and Communications | 2015
Jose Costa-Requena; Jesus Llorente Santos; Vicent Ferrer Guasch; Kimmo Ahokas; Gopika Premsankar; Sakari Luukkainen; Oscar Lopez Perez; Mikel Uriarte Itzazelaia; Ijaz Ahmad; Madhusanka Liyanage; Mika Ylianttila; Edgardo Montes de Oca
The main drivers for the mobile core network evolution are to serve the future challenges and set the way to 5G networks with need for high capacity and low latency. Different technologies such as Network Functions Virtualization (NFV) and Software Defined Networking (SDN) are being considered to address the future needs of 5G networks. However, future applications such as Internet of Things (IoT), video services and others still unveiled will have different requirements, which emphasize the need for the dynamic scalability of the network functionality. The means for efficient network resource operability seems to be even more important than the future network element costs. This paper provides the analysis of different technologies such as SDN and NFV that offer different architectural options to address the needs of 5G networks. The options under consideration in this paper may differ mainly in the extent of what SDN principles are applied to mobile specific functions or to transport network functions only.
Next Generation Mobile Applications, Services and Technologies | 2015
Madhusanka Liyanage; Ijaz Ahmed; Mika Ylianttila; Jesus Llorente Santos; Raimo Kantola; Oscar Lopez Perez; Mikel Uriarte Itzazelaia; Edgardo Montes de Oca; Asier Valtierra; Carlos Jimenez
5G constitutes the next revolution in mobile communications. It is expected to deliver ultra-fast, ultra-reliable network access supporting a massive increase of data traffic and connected nodes. Different technologies are emerging to address the requirements of future mobile networks, such as Software Defined Networking (SDN), Network Function Virtualization (NFV) and cloud computing concepts. In this paper, we introduce the security challenges these new technologies are facing, inherent to the new telecommunication paradigm. We also present a multitier approach to secure Software Defined Mobile Network (SDMN) by tackling security at different levels to protect the network itself and its users. First, we secure the communication channels between network elements by leveraging Host Identity Protocol (HIP) and IPSec tunnelling. Then, we restrict the unwanted access to the mobile backhaul network with policy based communications. It also protects the backhaul devices from source address spoofing and Denial of Service (DoS) attacks. Finally, we leverage Software Defined Monitoring (SDM) and data collection to detect, prevent and react to security threats.
High Performance Computing and Communications | 2014
Hammad Kabir; Raimo Kantola; Jesus Llorente Santos
Customer Edge Switching (CES) is a proposed replacement of Network Address Translators (NAT) that overcomes the drawbacks of traditional NAT traversal schemes. CES enabled networks assure policy based reachability of hosts in private realms, without requiring keep-alive signaling. CES aims at improving security in the Internet by balancing the interests of the receiver with the interests of the sender, unlike the traditional best effort Internet that solely attends to the interests of the sender. The architecture substantially helps with the scalability limitations of IPv4 due to the generalization of private addressing of the hosts. This paper relates to the specifics of security in Customer Edge Switches and presents security models that protect hosts in private realms against attacks. The presented work is a part of a larger project that addresses many issues of the current Internet and proposes the use of CES as collaborative firewalls to reduce volume of unwanted traffic and mitigate Denial of Service (DoS) attacks in the Internet.
International Conference on Communications | 2013
Jesus Llorente Santos; Raimo Kantola; Nicklas Beijar; Petri Leppaaho
A Network Address Translator (NAT) allows hosts in a private address space to communicate with servers in the public Internet. There is no accepted solution for an arbitrary host in the Internet to initiate a communication with a host located in a private address space despite the efforts to create one. This paper proposes to replace NATs with a new concept we call Private Realm Gateway (PRGW). Private Realm Gateway creates connection state based on incoming DNS queries towards the hosts in the private network. The state gives means for the private network operator to apply elaborate access control to packet flows arriving from the Internet to the private network. PRGW does not require changes in the hosts and the deployment can take place one network at a time. The paper shows that the PRGW is most applicable for connecting mobile and other wireless hosts to the Internet.
International Conference on Ubiquitous Information Management and Communication | 2015
Jose Costa-Requena; Vicent Ferrer Guasch; Jesus Llorente Santos
In this paper, we propose the usage of Software Defined Network as mobile backhaul for 5G networks. Mobile networks are facing major challenges to handle the increasing traffic demand. The mobile operators need to improve the effectiveness of their infrastructure. Moreover, they need to enable new business models with their existing network. In this paper we propose Software Defined Networks to be integrated as part of the mobile backhaul to address these two requirements. Firstly, we completely virtualize and move the core mobile network, as it is known today, directly to the cloud. Secondly, we integrate Software Defined Network technology in the mobile backhaul. Adding SDN simplifies the access network formed by base stations i.e. eNodeBs, interconnected through a backhaul network composed by SDN forwarding planes managed from the cloud. Each access network will be managed from the SDN controller and the rest of the network elements in the cloud, thus reducing the Operative Expenses (OPEX). Finally, we present the benefits of using SDN in mobile networks to support multiple Mobile Virtual Network Operators (MVNO) in their network infrastructure.
Security and Communication Networks | 2016
Raimo Kantola; Jesus Llorente Santos; Nicklas Beijar
Besides more capacity and faster connections, 5G is expected to provide ultra-reliable services, for example, for machine-to-machine communications. In this paper, we advocate that 5G must do its best to eliminate malicious traffic as a cause of failure of legitimate services. This paper proposes that all communications in 5G should be controlled by policy. The policies facilitate cooperation of customer networks against misbehaving actors and collecting evidence of malicious activity. Dynamic policies can react to hosts that are used in attacks. We propose a system controlled by policy that overcomes the classical weaknesses in the Internet, namely source address spoofing and denial of service attacks. We propose to improve the mobile device experience by new methods of network address translator traversal suitable for battery-powered mobile devices. We believe that 5G will be the major driver for the future Internet, which is why we relate our approach to other proposals for future Internet architecture. Our approach can be deployed one network at a time as it limits the changes to edge nodes; no compulsory changes are proposed to hosts. The paper reports the experience from experimentation and evaluates scalability and security including initial results on performance.
International Conference on Transparent Optical Networks | 2015
Jose Costa-Requena; Jesus Llorente Santos; Vicent Ferrer Guasch
In this paper, we describe the integration of Software Defined Networking (SDN) in the mobile backhaul as a disruptive approach to streamline the transport network. In this work we leverage SDN to optimize the mobile backhaul transport by removing all mobile specific tunnelling and replacing it with more efficient MPLS or Carrier Grade Ethernet deployed either over electrical or optical networks. The paper also presents the testbed with complete end to end system including off the shelf base stations, SDN enabled mobile backhaul switches and virtualized network elements (i.e. Mobility Management Entity (MME), Serving/Packet Gateway (S/P-GW)) running on the cloud. This testbed is currently accepted as European Telecommunication Standards (ETSI) Proof of Concept and the results are used to describe the benefits for operators and end users. Moreover, an initial design of services based on the proposed virtualized mobile network architecture is proposed. The results of the testbed show the benefits for mobile operators in terms of Capital Expenditure (CAPEX) and Operational Expenditure (OPEX) savings but more importantly the development of services that benefit from optimal usage of resources.
International Conference on Communications | 2013
Petri Leppaaho; Nicklas Beijar; Raimo Kantola; Jesus Llorente Santos
Customer Edge Switching (CES) provides policy based reachability to hosts in a private network without the disadvantages caused by traditional mechanisms for traversing Network Address Translators (NAT). The solution enables transparent communication across address realms without keep-alive signalling and application layer code in end systems as required by the current recommended approach to NAT traversal. Although most protocols traverse the customer edge correctly, we identify a few protocols that require special processing because of the IP addresses carried in the user data. This paper first presents the results of protocol compatibility testing with CES and selects two protocols, SIP and FTP, for further study. The paper then reports the implementation of Application Layer Gateways for these two protocols and provides guidelines for processing other protocols. The proposed approach significantly cuts the session establishment delays typical in SIP. The presented work is a part of a larger project that proposes the Customer Edge Switching to replace NATs and introduce co-operative firewalls for protecting customer networks.
International Conference on Communications | 2015
Jesus Llorente Santos; Raimo Kantola
The IPv4 address space has been depleted and the usage of IPv6 is still very limited, however increasing. Smooth coexistence of IPv4 and IPv6 can support the development of the next generation Internet. During the transition there will be IPv4-only, IPv6-only and dual-stack hosts and network segments. This paper presents Realm Gateway 64 (RGW64), a solution for interconnecting heterogeneous network realms as defined by the IETF, which does not require changes in end-hosts. RGW64 relies on stateful DNS64/NAT64 translation and DNS resolution for establishing inbound connections. An analysis of the scalability and the security is also presented. The paper shows that RGW64 is suitable for operators who want to gradually migrate customer networks to IPv6 yet maintaining reachability with the IPv4 Internet.
IEEE Access | 2017
Madhusanka Liyanage; Ijaz Ahmed; Jude Okwuibe; Mika Ylianttila; Hammad Kabir; Jesus Llorente Santos; Raimo Kantola; Oscar Lopez Perez; Mikel Uriarte Itzazelaia; Edgardo Montes de Oca
Traffic volumes in mobile networks are rising and end-user needs are rapidly changing. Mobile network operators need more flexibility, lower network operating costs, faster service roll-out cycles, and new revenue sources. The 5th Generation (5G) and future networks aim to deliver ultra-fast and ultra-reliable network access capable of supporting the anticipated surge in data traffic and connected nodes in years to come. Several technologies have been developed to meet these emergent demands of future mobile networks, among these are software defined networking, network function virtualization, and cloud computing. In this paper, we discuss the security challenges these new technologies are prone to in the context of the new telecommunication paradigm. We present a multi-tier component-based security architecture to address these challenges and secure 5G software defined mobile network (SDMN), by handling security at different levels to protect the network and its users. The proposed architecture contains five components, i.e., secure communication, policy-based communication, security information and event management, security defined monitoring, and deep packet inspection components for elevated security in the control and the data planes of SDMNs. Finally, the proposed security mechanisms are validated using test bed experiments.