Publication


Featured research published by Jukka Ylitalo.


hawaii international conference on system sciences | 2003

Dynamic network interface selection in multihomed mobile hosts

Jukka Ylitalo; Tony Jokikyyny; Tero Kauppinen; Antti J. Tuominen; Jaakko Laine

Current mobile devices are often equipped with several network interfaces, which may be of different access technologies, both wireless and cellular. Different requirements of different applications can result in a different preference of the interface that should be used. Network connections should be placed on the best possible interface based on these requirements. During communication, changes in the availability or characteristics of an access network behind an interface may result in a situation where already established connections should be moved from one interface to another. For this purpose, a variety of mobility management protocols supporting handoffs between interfaces have been proposed. Some of these protocols move all traffic from one interface to another at once, while some protocols allow simultaneous communication over different interfaces. However, the current solutions do not propose any means for the user or application to dynamically influence the interface selection during the operation of a mobile device. In this paper, we present an interface selection mechanism for multihomed mobile hosts. The mechanism allows for dynamic decision-making during the operation of a mobile device. In our solution, the local routing is controlled by user-defined rules defining which interface is to be used for a certain traffic flow. The actual decision is based on the adaptation of these rules to the availability and characteristics of the interfaces and access networks at any given time.


information assurance and security | 2011

OpenID authentication as a service in OpenStack

Rasib Hassan Khan; Jukka Ylitalo; Abu Shohel Ahmed

The evolution of cloud computing is driving the next generation of internet services. OpenStack is one of the largest open-source cloud computing middleware development communities. Currently, OpenStack supports platform-specific signatures and tokens for user authentication. In this paper, we aim to introduce a cloud platform independent, flexible, and decentralized authentication mechanism, using OpenID as an open-source authentication mechanism in OpenStack. OpenID allows a decentralized framework for user authentication. It has its own advantages for web services, which include improvements in usability and a seamless Single-Sign-On experience for the users. This paper presents the OpenID-Authentication-as-a-Service APIs in OpenStack for front-end GUI servers, and performs the authentication in the back-end at a single Policy Decision Point (PDP). Our implementation allows users to use their OpenID Identifiers from standard OpenID providers and log into the Dashboard/Django-Nova graphical interface of OpenStack.


electronic commerce | 2009

Self-Routing Denial-of-Service Resistant Capabilities Using In-packet Bloom Filters

Christian Esteve Rothenberg; Petri Jokela; Pekka Nikander; Mikko Särelä; Jukka Ylitalo

In this paper, we propose and analyze an in-packet Bloom-filter-based source-routing architecture resistant to Distributed Denial-of-Service attacks. The approach is based on forwarding identifiers that act simultaneously as path designators, i.e. define which path the packet should take, and as capabilities, i.e. effectively allowing the forwarding nodes along the path to enforce a security policy where only explicitly authorized packets are forwarded. The compact representation is based on a small Bloom filter whose candidate elements (i.e. link names) are dynamically computed at packet forwarding time using a loosely synchronized time-based shared secret and additional in-packet flow information (e.g., invariant packet contents). The capabilities are thus expirable and flow-dependent, but do not require any per-flow network state or memory look-ups, which have been traded-off for additional, though amenable, per-packet computation. Our preliminary security analysis suggests that the self-routing capabilities can be an effective building block towards DDoS-resistant network architectures.


international workshop on security | 2004

BLIND: a complete identity protection framework for end-points

Jukka Ylitalo; Pekka Nikander

In this paper, we present a security framework that provides identity protection against active and passive attacks for end-points. The framework is based on a two-round-trip authenticated Diffie-Hellman key exchange protocol that identifies the end-points to each other and creates a security association between the peers. The protocol hides the public key based identifiers from attackers and eavesdroppers by blinding the identifiers. We complete the identity protection by offering location privacy with forwarding agents. To our knowledge, our privacy enhanced protocol is the first denial-of-service resistant two-round-trip key exchange protocol that offers identity protection for both communicating peers.


international conference on information security | 2004

Re-thinking security in IP based micro-mobility

Jukka Ylitalo; Jan Melén; Pekka Nikander; Vesa Torvinen

Security problems in micro-mobility are mostly related to trust establishment between mobile nodes and middle-boxes, i.e. mobile anchor points. In this paper, we present a secure micro-mobility architecture that scales well between administrative domains which are already using different kinds of network access authentication techniques. The trust between the mobile nodes and middle-boxes is established using one-way hash chains and a technique known as secret splitting. Our protocol protects the middle-boxes from traffic re-direction and related Denial-of-Service attacks. The hierarchical scheme supports signaling optimization and secure fast hand-offs. The implementation and simulation results are based on an enhanced version of the Host Identity Protocol (HIP). To our knowledge, our micro-mobility protocol is the first one-and-a-half round-trip protocol that simultaneously establishes a trust relationship between a mobile node and an anchor point, and updates address bindings at the anchor point and at a peer node in a secure way.


wired wireless internet communications | 2008

An experimental evaluation of a HIP based network mobility scheme

Jukka Ylitalo; Jan Melén; Patrik Salmela; Henrik Petander

In this paper, the authors present and evaluate a network mobility scheme based on the Host Identity Protocol (HIP). The cryptographic host identifiers are combined with an authorization mechanism and used for delegating the mobility management signalling rights between nodes in the architecture. While the delegation of signalling rights itself is a known concept, the trust model presented in this paper differs from the MIPv6 NEMO solution. In the presented approach, the mobile routers are authorized to send location updates directly to peer hosts on behalf of the mobile hosts without opening the solution to re-direction attacks. This is the first time the characteristics of the new scheme are measured in the HIP moving network context using a real implementation. The trust model makes it possible to support route optimization and minimize over-the-air signalling and renumbering events in the moving network. The measurements also reveal new kinds of anomalies in the protocol implementation and design when data integrity and confidentiality protection are integrated into signalling aggregation. The authors propose solutions for these anomalies.


trust security and privacy in computing and communications | 2013

Towards Building an Automated Security Compliance Tool for the Cloud

Kazi Wali Ullah; Abu Shohel Ahmed; Jukka Ylitalo

Security, especially security compliance, is a major concern that is slowing down large-scale adoption of cloud computing in the enterprise environment. Governmental regulations, business requirements and trust are among the reasons why enterprises require certain levels of security compliance from cloud providers. So far, security compliance or auditing information has been generated manually by security specialists. This involves manual data collection and assessment, which is slow and expensive. Thus, there is a need for an automated security compliance tool (ASCT) to verify and express the compliance of various cloud providers. Such a tool can reduce human intervention and eventually reduce cost and time by verifying the compliance automatically. Also, the tool will enable transparency of the cloud vendors to the customers, which in turn will help grow confidence in the cloud vendors. Having these goals in mind, we have developed an architecture to build an ASCT for a cloud computing platform. We have also outlined four possible approaches to achieve this automation. These four approaches refer to four data collection mechanisms to collect data from the cloud systems: API, vulnerability scanning, log analysis and manual entry. Finally, we have implemented a proof-of-concept prototype of this ASCT based on the proposed architecture. The prototype is integrated with the OpenStack cloud platform and the results are exposed using the CloudAudit API.


international workshop on security | 2005

SPINAT: Integrating IPsec into Overlay Routing

Jukka Ylitalo; Patrik Salmela; Hannes Tschofenig

Tackling the major Internet security, scalability and mobility problems without essentially changing the existing Internet architecture has turned out to be a very challenging task. The overlay routing approaches fortunately seem to offer a sound way to mitigate most of these issues. Basically, they decouple the end-point identifiers from locators by defining a new namespace. Overlay routing is based on the dynamic binding, at middle-boxes, between the two namespaces. The approach is very close to Network Address Translation (NAT) principles. Therefore, the IPsec NAT traversal related problems also apply to overlay architectures. In this paper, we integrate IPsec into overlay routing using Security Parameter Index (SPI) multiplexed NAT (SPINAT). Our approach reduces tunneling overhead and supports asymmetric communication paths. We believe that SPINAT will be a key component in securing overlay routing infrastructures, such as the Internet Indirection Infrastructure (i^3).


mobility in the evolving internet architecture | 2010

Fast inter-domain mobility with in-packet bloom filters

Mikko Särelä; Jörg Ott; Jukka Ylitalo

We propose a fast inter-domain mobility signaling protocol using in-packet Bloom filters. The intermediate routers collect a bi-directional Bloom filter on the first message, and on subsequent mobility signaling messages. The Bloom filter describes the path from the sender to the receiver and is used to forward the subsequent data packets in the session. In the case of a single mobile node, a single message is sufficient to prove authenticity and return routability. For dual mobility scenarios, return routability tests can be delayed until after restarting communications. The protocol also makes bicasting simple, requiring the sender to simply bitwise OR the two Bloom filters describing the paths to the old and new locations.


australasian conference on information security and privacy | 2005

Traversing middleboxes with the host identity protocol

Hannes Tschofenig; Andrei V. Gurtov; Jukka Ylitalo; Aarthi Nagarajan; Murugaraj Shanmugam

The limited flexibility of the Internet to support mobility has motivated many researchers to look for alternative architectures. One such effort that combines security and multihoming together is the Host Identity Protocol (HIP). HIP is a signaling protocol that adds a new protocol layer to the Internet stack between the transport and the network layer. HIP establishes IPsec associations to protect subsequent data traffic. Though the security associations are established solely between the communicating end hosts, HIP also aims to interwork with middleboxes such as NATs and firewalls. This paper investigates this interworking aspect and proposes a solution for secure middlebox traversal.

Collaboration


Jukka Ylitalo's top co-authors.

Top Co-Authors

Pekka Nikander

Helsinki University of Technology
