Laurent Toutain
École nationale supérieure des télécommunications de Bretagne
Publication
Featured research published by Laurent Toutain.
Journal of Systems and Software | 2011
Stere Preda; Frédéric Cuppens; Nora Cuppens-Boulahia; Joaquin Garcia-Alfaro; Laurent Toutain
Abstract: Securing the access to a server, guaranteeing a certain level of protection over an encrypted communication channel, executing particular counter measures when attacks are detected are examples of security requirements. Such requirements are identified based on organizational purposes and expectations in terms of resource access and availability and also on system vulnerabilities and threats. All these requirements belong to the so-called security policy. Deploying the policy means enforcing, i.e., configuring, those security components and mechanisms so that the system behavior be finally the one specified by the policy. The deployment issue becomes more difficult as the growing organizational requirements and expectations generally leave behind the integration of new security functionalities in the information system: the information system will not always embed the necessary security functionalities for the proper deployment of contextual security requirements. To overcome this issue, our solution is based on a central entity approach which takes in charge unmanaged contextual requirements and dynamically redeploys the policy when context changes are detected by this central entity. We also present an improvement over the OrBAC (Organization-Based Access Control) model. Up to now, a controller based on a contextual OrBAC policy is passive, in the sense that it assumes policy evaluation triggered by access requests. Therefore, it does not allow reasoning about policy state evolution when actions occur. The modifications introduced by our work overcome this limitation and provide a proactive version of the model by integrating concepts from action specification languages.
International Symposium on Computers and Communications | 1999
Hossam Afifi; Laurent Toutain
The future Internet networks are expected to use IPv6 version rather than the IPv4 one. This is mainly due to the limitations of IPv4 in terms of addresses, routing and security. QoS issues developed by the Internet community are also tailored for both versions and will be easily deployed in both sides. Since a huge amount of sub-networks are already installed for the v4 version, it is difficult to imagine ISPs starting deploying the v6 version without some assurance that old legacy networks will still be able to connect to the Internet. In this paper we present some mechanisms that have been proposed to ease this transition especially for v4 users that still want to communicate with their old applications. We present also an IPv6 tunneling mechanism that has some advantages over the other models. We show how one could use such a mechanism to transparently establish hybrid communications between two worlds in both ways and discuss some important issues like scalability and performance.
Personal, Indoor and Mobile Radio Communications | 2003
Ana Minaburo; Loutfi Nuaymi; Kamal Deep Singh; Laurent Toutain
ROHC (Bormann C., et al., 2001) is the new standard for header compression proposed by the IETF (Internet Engineering Task Force) to compress different protocol headers. ROHC needs to be configured to afford the changes in the characteristics of the UMTS radio link and to enable a better compression of the IPv6 flows. In this document we will introduce the characteristics and the behavior of ROHC. Also we study the compression parameters that are recommended as implementation dependent in the ROHC specification and we show how to configure them. This study can help to improve the efficiency and robustness of ROHC when it is used in scarce resources links, such as UMTS.
Computer and Communications Security | 2009
Stere Preda; Frédéric Cuppens; Nora Cuppens-Boulahia; Joaquin Garcia Alfaro; Laurent Toutain; Yehia Elrakaiby
The successful deployment of a security policy is closely related not only to the complexity of the security requirements but also to the capabilities/functionalities of the security devices. The complexity of the security requirements is additionally increased when contextual constraints are taken into account. Such situations appear when addressing the dynamism of some security requirements or when searching a finer granularity for the security rules. The context denotes those specific conditions in which the security requirements are to be met. (Re)deploying a contextual security policy depends on the security device functionalities: either (1) the devices include all functionalities necessary to deal with a context and the policy is consequently deployed for ensuring its automatic changes or (2) the devices do not have the right functionalities to entirely interpret a contextual requirement. We present a solution to cope with this issue: the (re)deployment of access control policies in a system that lacks the necessary functionalities to deal with contexts.
International Conference on Smart Grid Communications | 2014
Thomas Hartmann; François Fouquet; Jacques Klein; Yves Le Traon; Alexander Pelov; Laurent Toutain; Tanguy Ropitault
Today's electricity grid must undergo substantial changes in order to keep pace with the rising demand for energy. The vision of the smart grid aims to increase the efficiency and reliability of today's electricity grid, e.g. by integrating renewable energies and distributed micro-generations. The backbone of this effort is the facilitation of information and communication technologies to allow two-way communication and an automated control of devices. The underlying communication topology is essential for the smart grid and is what enables the smart grid to be smart. Analyzing, simulating, designing, and comparing smart grid infrastructures but also optimizing routing algorithms, and predicting impacts of failures, all of this relies on deep knowledge of a smart grid's communication topology. However, since smart grids are still in a research and test phase, it is very difficult to get access to real-world topology data. In this paper we provide a comprehensive analysis of the power-line communication topology of a real-world smart grid, the one currently deployed and tested in Luxembourg. Building on the results of this analysis we implement a generator to automatically create random but realistic smart grid communication topologies. These can be used by researchers and industrial professionals to analyze, simulate, design, compare, and improve smart grid infrastructures.
Telecommunication Systems | 2006
Alain Couvreur; Louis-Marie Le Ny; Ana Minaburo; Gerardo Rubino; Bruno Sericola; Laurent Toutain
The performance of IPv6 in the radio link can be improved using header compression algorithms. The 3GPP (3rd Generation Partnership Project) consortium in its technical specification has adopted the ROHC (RObust Header Compression) protocol of the IETF (Internet Engineering Task Force) standard track for real-time applications using RTP/UDP/IPv6 and UDP/IPv6. This paper presents the analysis of the proposed standard ROHC deployed in a UMTS radio link and discusses different schemes to increase compression performance. The results are based on our IPv6 implementation of the ROHC header compression algorithm and on a simple and accurate analytical model used to evaluate the packet loss probability.
International Conference on Engineering Secure Software and Systems | 2010
Stere Preda; Nora Cuppens-Boulahia; Frédéric Cuppens; Joaquin Garcia-Alfaro; Laurent Toutain
We address the issue of formally validating the deployment of access control security policies. We show how the use of a formal expression of the security requirements, related to a given system, ensures the deployment of an anomaly free abstract security policy. We also describe how to develop appropriate algorithms by using a theorem proving approach with a modeling language allowing the specification of the system, of the link between the system and the policy, and of certain target security properties. The result is a set of proved algorithms that constitute the certified technique for a reliable security policy deployment.
Computer and Communications Security | 1994
Pierre Rolin; Laurent Toutain; Sylvain Gombault
Many current approaches to access control assume all external accesses are dangerous. As a consequence they stop all communication and check for authorisation. We present an optimistic approach to provide security services in a network environment that does not interject the security services into the operational sequence; rather, the security services are established as a parallel set of services/steps. This optimistic approach lets the communication go and checks in parallel for authorization; illegal communication will be stopped later. Provided that the checking is fast enough the potential danger may be kept as low as necessary. This presentation exhibits the concepts, properties, advantages of an optimistic access control. An implementation called “Network Security Probe” NSP is described.
Personal, Indoor and Mobile Radio Communications | 2016
Tara Petric; Mathieu Goessens; Loutfi Nuaymi; Laurent Toutain; Alexander Pelov
Up to recently, two main approaches were used for connecting the “things” in the growing Internet of Things (IoT) — one based on multi-hop mesh networks, using short-range technologies and unlicensed spectrum, and the other based on long-range cellular network technologies using corresponding licensed frequency bands. A new type of connectivity used in Low-Power Wide Area networks (LPWAN) challenges these approaches by using low-rate long-range transmission technologies in unlicensed sub-GHz frequency bands. In this paper, we do performance testing on one such star-topology network, based on Semtech's LoRa™ technology, and deployed in the city of Rennes — LoRa FABIAN. In order to check the quality of service (QoS) that this network can provide, generally and in given conditions, we conducted a set of performance measurements. We performed our tests by generating and then observing the traffic between IoT nodes and LoRa IoT stations using our LoRa FABIAN protocol stack. With our experimental setup, we were able to generate traffic very similar to the one that can be used by real applications such as sensor monitoring. This let us extract basic performance metrics, such as packet error rate (PER), but also metrics related specifically to the LoRa physical layer, such as the Received Signal Strength Indicator (RSSI) and Signal to Noise ratio (SNR), within various conditions. Our findings provide insight about the performance of LoRa networks, but also about evaluation methods for these types of networks. We gathered measurement data that we make freely available together with the tools we used.
Global Communications Conference | 2012
Oscar Olvera-Irigoyen; Abdesselem Kortebi; Laurent Toutain
The time-varying capacity links, such as wireless links and power line communication (PLC) links, which are integrated to emergent connectivity devices of Home Networks (HNs) require QoS mechanisms to protect sensitive and critical HN flows. In this paper, we couple the “Iperf in lightweight TCP mode” probing technique (developed in a previous work to estimate available bandwidth) with the path selection procedure of the “Inter-MAC” software (which was derived from the European OMEGA project, to handle heterogeneous HN technologies). As we have shown in our previous work, the lightweight TCP Iperf probing is accurate over time-varying capacity links. On the contrary, the Inter-MAC default implementation biases the measurements, because it computes the available bandwidth by subtracting the bit counters of local home network interfaces from their corresponding physical capacities, which are supposed constant. We show that coupling our lightweight TCP Iperf technique with the Inter-MAC software is really convenient to avoid performance blind spots on HN paths. Additionally, we show a realistic use case on a test bed with HN extenders based on WiFi/PLC dual-links. We show the possibility of efficiently protecting sensitive IPTV flows and enhancing the link utilization, when the PLC/WiFi link capacities are strongly degraded.