When mobile End Users are offloaded from a Radio Access Network (RAN) to a WLAN, current I-WLAN [1] offload architectures consider traffic converging to a common Security Gateway. In this paper, we propose an alternative End-to-End security (E2E) architecture based on the MOBIKE-X [2] protocol, which extends the MOBIKE [3] Mobility and Multihoming features to Multiple Interfaces and to the Transport mode of IPsec. The benefits of this E2E architecture are mostly load reduction and a better End User experience. First, E2E offloads the ISP CORE and backhaul networks; second, E2E uses IPsec Transport mode instead of Tunnel mode, which removes networking and security overhead. This reduces CPU load by 20%, enhances Mobility and Multihoming operations by about 15%, and makes the system 2.9 times more reactive at detecting modifications of interfaces.
Virtual Private Networks (VPN) are usually based on IPsec. However, IPsec has not been designed with elasticity in mind, which makes clusters of security gateways hard to manage for providing a high Service Level Agreement (SLA). Clusters of SGs must be handled; for example, ISPs use VPNs to secure millions of communications when offloading End Users from Radio Access Networks to alternative access networks such as WLAN. Additionally, Virtual Private Cloud (VPC) providers also handle thousands of VPN connections when remote EUs access private clouds. This paper describes how to provide Traffic Management (TM) and High Availability (HA) for VPN infrastructures by sharing an IPsec context. TM and HA have been implemented and evaluated over a 2-node cluster. We measured their impact on a real-time audio streaming service simulating a phone conversation. We found that over a 3-minute conversation, the impact on QoS measured with POLQA is less than 3%.
To face the huge demand for mobile traffic, ISPs are looking to offload traffic from their Radio Access Network to WLAN. Currently, I-WLAN is the offload architecture proposed by 3GPP, which tunnels the traffic to a Security Gateway. This paper proposes for ISPs an ISP Offload Infrastructure which minimizes the infrastructure deployment cost, and which can be deployed in a very short term. The ISP Offload Infrastructure classifies the EU traffic into 3 distinct classes and assigns each class a specific and adapted offload architecture: ForWarD Architecture (FWDA), Offload Service Architecture (OSA) and Offload Access Architecture (OAA). This paper shows how to deploy each Offload Architecture by using SCTP in conjunction with MOBIKE(-X) or only MOBIKE(-X). Then we measure how each Offload Architecture may affect the EU experience, and provide recommendations on how to deploy and implement the ISP Offload Infrastructure.
To manage the huge demand for traffic, Internet Service Providers (ISP) are offloading their mobile data from Radio Access Networks (RAN) to Wireless Access Networks (WLAN). While these RANs are considered trusted networks, WLANs need to build a similar trusted zone in order to offer the same security level and Quality of Service (QoS) to End-Users (EU). Although IPsec is widely implemented to create trusted environments through untrusted networks, the industry is increasingly interested in providing IPsec-based services with High Availability (HA) features in order to ensure reliability, QoS and security. Even though IPsec is not originally well suited to provide HA features, some mechanisms like VRRP or ClusterIP can work together with IPsec in order to offer HA capabilities. ClusterIP is actually used by strongSwan (an open source IPsec-based VPN solution) to build a cluster of IPsec Security Gateways (SG) offering HA features. This paper concentrates on how to build a cluster of IPsec SGs based on ClusterIP. We describe the main issues to overcome in order to provide HA within IPsec. Then, we measure how HA may affect the EU experience, and provide recommendations on how to deploy ClusterIP. Finally, our tests over an HTTP connection showed that ClusterIP allows fast recovery during a failure.
Operators are mainly using IPsec Virtual Private Networks (VPNs) to extend a security domain over untrusted networks. A VPN is usually established when an End-User (EU) and a Security Gateway (SG) negotiate security associations (SA). For a better QoS, the SGs are geographically distributed so they are as close as possible to EUs. As such, the higher the level of responsibility of the SG, the higher the risk of overload and breakdown. This paper presents a mechanism for extracting and reinstalling security associations as well as a mechanism to transfer a given IPsec traffic from one SG to another. We also propose an additional mechanism for solving the mis-synchronization of IPsec anti-replay counters and IKEv2 Message ID counters. Finally, some performance measurements are provided in terms of delays and packet loss, and prove the feasibility of the approach. Results obtained through a real implementation showed that the system time to extract an IKEv2/IPsec session is in a range of 5 ms up to 15 ms, whereas the system time to restore an IKEv2/IPsec session can take 2 ms up to 22 ms.
Although there is a strong need to deploy secure communications in home networks and for Machine-to-Machine (M2M) environments, to our knowledge the impact of authenticated encryption migration has not been evaluated yet. As the security performance issue is especially critical for wireless environments, this paper measures the effect of the security settings on the Quality of Service (QoS) for encrypted communications in a home network environment. Security settings include different configurations of IPsec tested over several hardware platforms. The QoS is evaluated based on CPU time and elapsed time for downloading files of different sizes.
Radio Access Networks (RAN) are likely to be overloaded, and some places will not be able to provide the requested bandwidth. In order to respond to the demand for bandwidth, overloaded RANs are currently offloading their traffic onto WLAN. WLAN Access Points (like ISP-provided xDSL boxes) are untrusted, unreliable and do not handle mobility. As a result, mobility, multihoming, and security cannot be handled by the network anymore, and must be handled by the terminal. This paper positions offload architectures based on IPsec and shows that IPsec can provide end-to-end security, as well as seamless connectivity across IP networks. Then, the remainder of the paper evaluates how mobility on these IPsec-based architectures impacts the Quality of Service (QoS) for real-time applications such as an audio streaming service. QoS is measured using network interruption time and POLQA. Measurements compare TCP/HLS and UDP/RTSP over various IPsec configurations.