Publication


Featured research published by Nerea Toledo.


IEEE Communications Magazine | 2015

Toward an SDN-enabled NFV architecture

Jon Matias; Jokin Garay; Nerea Toledo; Juanjo Unzilla; Eduardo Jacob

This article presents the progressive evolution of NFV from the initial SDN-agnostic initiative to a fully SDN-enabled NFV solution, where SDN is not only used as infrastructure support but also influences how virtual network functions (VNFs) are designed. In the latest approach, when possible, stateless processing in the VNF shifts from the computing element to the networking element. To support these claims, the article presents the implementation of a flow-based network access control solution, with an SDN-enabled VNF built on IEEE 802.1x, which establishes services as sets of flow definitions that are authorized as the result of an end user authentication process. Enforcing the access to the network is done at the network element, while the authentication and authorization state is maintained at the compute element. The application of this proposal allows the performance to be enhanced, while traffic in the control channel is reduced to a minimum. The SDN-enabled NFV approach sets the foundation to increase the areas of application of NFV, in particular in those areas where massive stateless processing of packets is expected.


2014 Third European Workshop on Software Defined Networks | 2014

FlowNAC: Flow-based Network Access Control

Jon Matias; Jokin Garay; Alaitz Mendiola; Nerea Toledo; Eduardo Jacob

This paper presents FlowNAC, a Flow-based Network Access Control solution that allows granting users the rights to access the network depending on the target service requested. Each service, defined univocally as a set of flows, can be independently requested and multiple services can be authorized simultaneously. Building this proposal over SDN principles has several benefits: SDN adds the appropriate granularity (fine- or coarse-grained) depending on the target scenario and flexibility to dynamically identify the services at the data plane as a set of flows to enforce the adequate policy. FlowNAC uses a modified version of IEEE 802.1X (novel EAPoL-in-EAPoL encapsulation) to authenticate the users (without the need of a captive portal) and service level access control based on proactive deployment of flows (instead of reactive). Explicit service request avoids misidentifying the target service, as could happen by analyzing the traffic (e.g. private services). The proposal is evaluated in a challenging scenario (concurrent authentication and authorization processes) with promising results.


2012 European Workshop on Software Defined Networking | 2012

Implementing Layer 2 Network Virtualization Using OpenFlow: Challenges and Solutions

Jon Matias; Borja Tornero; Alaitz Mendiola; Eduardo Jacob; Nerea Toledo

Novel approaches for network virtualization at Layer 2 which are not based on VLAN have become a real possibility since the appearance of Software Defined Networking and OpenFlow in particular. We have deployed our own network virtualization facility based on Layer 2 prefixes using OpenFlow: the EHU OpenFlow Enabled Facility (EHU-OEF). We have implemented a solution that allows research and production traffic to share the same infrastructure without interfering with each other. It requires minimum configuration in the case of researchers and none in the case of non-technical users. In our deployment we found several challenges with Layer 2 protocols that use broadcast/multicast addresses due to the use of OpenFlow. In order to solve those challenges, we developed several custom modules for the OpenFlow controller and made some changes in the FlowVisor. Finally, the design of the EHU-OEF facility as well as some configuration details are described.


Computer Networks | 2014

The EHU-OEF: An OpenFlow-based Layer-2 experimental facility

Jon Matias; Alaitz Mendiola; Nerea Toledo; Borja Tornero; Eduardo Jacob

The current limitations of the Internet have prompted the appearance of the Future Internet initiative, which promotes the deployment of newly proposed infrastructures. In this context, experimental facilities emerge to provide realistic scenarios that allow the testing and advance the research of these novel approaches. From a technical standpoint, building a facility’s infrastructure is challenging and demanding because several requirements, such as its flexibility, support for multiple experiments, isolation and virtualisation, must be fulfilled. To investigate potential Future Internet initiatives, we designed, developed, and deployed our own experimental facility that addresses the aforementioned requirements: the EHU OpenFlow Enabled Facility (EHU-OEF). In this article, we present the EHU-OEF, which is a campus-wide facility based on OpenFlow that simultaneously supports both research and production traffic over the same infrastructure. Because this facility is based, in particular, on the OpenFlow technology and, more generally, follows the Software Defined Networking paradigm, the EHU-OEF provides researchers with the ability to programme the network. Thanks to this property, flexibility and isolation of both the control and the data planes among the experiments are addressed. This article also presents a novel method of network virtualisation at the link layer, the L2PNV approach, which ensures scalability by aggregating MAC addresses. This approach has been implemented with a modification of the FlowVisor controller originally developed at Stanford, which is a special-purpose OpenFlow controller that introduces a software slicing layer between OpenFlow switches and multiple OpenFlow controllers. This article also presents other contributions that have been developed through a successful deployment methodology in the facility, including an authentication and authorisation module, a MAC configuration module and a Prefix-Based Forwarding Decision module. In conclusion, the EHU-OEF facility possesses an excellent infrastructure designed to test and to validate novel proposals under real conditions, and this facility acts as a stepping stone for Future Internet testbeds.


IEEE Communications Letters | 2011

Analytical Evaluation of a HIP Registration Enhancement for NEMO Scenarios

Nerea Toledo; Marivi Higuero; Eduardo Jacob; Jon Matias

Covering NEtwork MObility (NEMO) scenarios based on end-to-end mobility management protocols such as the Host Identity Protocol (HIP) is not straightforward. However, it has been demonstrated that HIP-based NEMO solutions outperform NEMO Basic Support (NEMO BS); hence, HIP is also being considered for addressing NEMO scenario necessities. In this work we focus on the Registration Extension process of HIP, which is mandatory for providing reachability of HIP-enabled mobile nodes. More specifically, we describe our proposal, the Bulk Registration process, which has been analytically modeled to show that it outperforms other registration approaches by more than 90% in terms of delay and signaling overhead. The obtained results are highly valuable for a common NEMO scenario where several nodes are present in a vehicle to control its operation.


Computers & Security | 2013

Design and formal security evaluation of NeMHIP

Nerea Toledo; Marivi Higuero; Jasone Astorga; Marina Aguado; Jean-Marie Bonnin

NEtwork MObility Basic Support (NEMO BS) is a standardized protocol for managing the mobility of a set of nodes that move together as a whole while having continuous connectivity to the Internet through one or more Mobile Routers (MRs). Because it is based on Mobile IPv6 (MIPv6), it inherits the properties of MIPv6, such as the use of IPsec. However, NEMO BS does not address all the features required by the demanding Intelligent Transportation Systems (ITS) scenario to provide an integrated and global secure mobility management framework. In addition, unlike MIPv6, the routing in NEMO BS is suboptimal, which makes difficult the provision of an adequate service performance. These characteristics make the application of the NEMO BS protocol not optimum in this scenario. An interesting strategy to provide security and good service performance is to consider a protocol that establishes and maintains Security Associations (SAs), such as the Host Identity Protocol (HIP). Different HIP-based approaches have been defined. However, these HIP-based network mobility solutions still present unsolved issues. In this article, we present a secure and efficient network mobility protocol named NeMHIP. NeMHIP provides secure and optimum mobility management and efficient end-to-end confidentiality and integrity protection apart from the basic security properties inherited from HIP. To evaluate the security provisions of NeMHIP, we have conducted a belief-based formal evaluation. The results demonstrate that the defined security goals are achieved by the protocol. Furthermore, we have performed an automated formal evaluation to validate additional security aspects of NeMHIP. Thus, we have modeled NeMHIP using the AVISPA tool and assessed its security when an intruder is present. The results confirm that NeMHIP is a secure protocol that ensures end-to-end confidentiality and integrity without introducing security leaks to the basic HIP. 
Thus, we have addressed the need found in the literature for providing security and efficiency in the network mobility scenario.


International Symposium on Broadband Multimedia Systems and Broadcasting | 2008

Scanning on handover enhancement issues in video application deployments on WiMAX mobile networks

Marina Aguado; Eduardo Jacob; P. Saiz; J. Matias; Marivi Higuero; Nerea Toledo; M. Berbineau

WiMAX evolution is expected to go through wireless broadband last mile access and backhaul solutions, ending with handset integration. This paper outlines the challenging scenario WiMAX networks face when deploying mobile Internet applications, including the most demanding in terms of latency and data rate: the video applications. The proposed strategy to enhance global network performance has been to apply new handover policies. Several validation methodologies have been approached: testbeds, simulation scenario and a mixed real-to-simulation scenario.


Journal of Network and Computer Applications | 2013

A high performance link layer mobility management strategy for professional private broadband networks

Jasone Astorga; Marina Aguado; Nerea Toledo; Marivi Higuero

In this paper, we present an innovative approach to solving the mobility management problem in the context of professional private broadband networks in the vehicular scenario. These heterogeneous communication networks are commonly deployed and managed by mission-critical organisations with the aim of supporting their specific and highly demanding services. Taking advantage of the specific characteristics of these networks, we propose to solve the mobility problem at Layer 2. This way, the mobility management overhead is reduced compared to solutions that operate at Layer 3 or above and therefore, shorter handover delays and better end-to-end application performances are achieved. The core element of our proposal is an intelligent mobile switch that makes use of the services provided by the IEEE 802.21 protocol to enhance vertical or heterogeneous handover performance. To validate our approach, we have developed a prototype implementation of the designed mobile switch with IEEE 802.11 and IEEE 802.16 support. Using this mobile switch implementation, we have carried out a set of experiments over a real testbed and measured some key indicators to assess the mobility management process. The obtained results show that our handover strategy comfortably meets the requirements of the ITU-T Y.1541 recommendation for highly demanding applications and ITU-R report M.2134 for high-speed handover. To the best of our knowledge, our contribution is the first proposal that solves the mobility management problem at Layer 2 while addressing the multi-access technology context in the vehicular professional private network scenario.


Eurasip Journal on Wireless Communications and Networking | 2012

The cross layer RMPA handover: a reliable mobility pattern aware handover strategy for broadband wireless communication in a high-speed railway domain

Marina Aguado; Eduardo Jacob; Jasone Astorga; Nerea Toledo; Marion Berbineau

Enhancing the handover process in broadband wireless communication deployment has traditionally motivated many research initiatives. In a high-speed railway domain, the challenge is even greater. Owing to the long distances covered, the mobile node gets involved in a compulsory sequence of handover processes. Consequently, poor performance during the execution of these handover processes significantly degrades the global end-to-end performance. This article proposes a new handover strategy for the railway domain: the RMPA handover, a Reliable Mobility Pattern Aware IEEE 802.16 handover strategy “customized” for a high-speed mobility scenario. The stringent high mobility feature is balanced with three other positive features in a high-speed context: mobility pattern awareness, different sources for location discovery techniques, and a previously known traffic data profile. To the best of the authors’ knowledge, there is no IEEE 802.16 handover scheme that simultaneously covers the optimization of the handover process itself and the efficient timing of the handover process. Our strategy covers both areas of research while providing a cost-effective and standards-based solution. To schedule the handover process efficiently, the RMPA strategy makes use of a context aware handover policy; that is, a handover policy based on the mobile node mobility pattern, the time required to perform the handover, the neighboring network conditions, the data traffic profile, the received power signal, and current location and speed information of the train. Our proposal merges all these variables in a cross layer interaction in the handover policy engine. It also enhances the handover process itself by establishing the values for the set of handover configuration parameters and mechanisms of the handover process. RMPA is a cost-effective strategy because compatibility with standards-based equipment is guaranteed. 
The major contributions of the RMPA handover are in areas that have been left open to the handover designer’s discretion. Our simulation analysis validates the RMPA handover decision rules and design choices. Our results supporting a high-demand video application in the uplink stream show a significant improvement in the end-to-end quality of service parameters, including end-to-end delay (22%) and jitter (80%), when compared with a policy based on signal-to-noise-ratio information.


International Conference on ITS Telecommunications | 2009

A novel architecture for secure, always-best connected ship-shore communications

Nerea Toledo; Marivi Higuero; Eduardo Jacob; Marina Aguado

Together with the IMO's future navigation system implementation strategy, the e-navigation, wireless access technologies are proliferating on the maritime scenario, covering last mile communications. In the near future, we foresee that communication technologies will coexist and will be available in overlapping areas through the maritime last mile. Therefore, in order to enhance ship-shore communications, always-best-connected procedures and an efficient mobility management protocol are required to satisfy maritime context peculiarities such as safety and security. In this article we analyze the most suitable mobility management protocol in terms of security and handover efficiency and propose a novel architecture that integrates the HIP protocol and always-best-connected procedures to best achieve maritime context specifications.

Collaboration

Top Co-Authors

Eduardo Jacob, University of the Basque Country

Marivi Higuero, University of the Basque Country

Jasone Astorga, University of the Basque Country

Marina Aguado, University of the Basque Country

Jon Matias, University of the Basque Country

Alaitz Mendiola, University of the Basque Country

Juanjo Unzilla, University of the Basque Country

Maider Huarte, University of the Basque Country

Borja Tornero, University of the Basque Country

Irene Arsuaga, University of the Basque Country