Implementing NAT traversal with Private Realm Gateway

Santos, Jesús Llorente; Kantola, Raimo; Beijar, Nicklas; Leppaaho, Petri

doi:10.1109/icc.2013.6655107

Cited by 10 publications

(9 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Multiple approaches are discussed in [2] that allow devices behind NATs to become reachable for hosts in the public domain. An overview of the existing NAT traversal solutions including Session Traversal Utilities for NAT (STUN), Traversal Using Relays around NAT (TURN) and User Datagram Protocol (UDP) hole punching is presented in [12].…”

Section: A Nat Middleboxesmentioning

confidence: 99%

“…The existing NAT traversal solutions either require a separate Application Layer Gateway (ALG) for handling application layer traffic through NAT, bypass the firewall/NAT functionality for NAT unfriendly protocols, or require polling of the network on application layer making them undesirable. After careful analysis of the existing NAT traversal mechanisms we developed a custom NAT solution called Realm Gateway (RGW) [2] [3] for establishing end-to-end connectivity between the hosts in public address realm and private address realm. RGW acts as a traditional Source NAT (SNAT) for the outbound connections and behaves as a Destination NAT (DNAT) for inbound connections.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Sec-ALG: An Open-source Application Layer Gateway for Secure Access to Private Networks

Riaz

Tilli

Kantola

2020

2020 29th International Conference on Computer Communications and Networks (ICCCN)

Self Cite

View full text Add to dashboard Cite

The middleboxes offer proprietary solutions and encrypted traffic poses a challenge when middleboxes employ packet payload inspection techniques for connection establishment. Session key sharing and decryption followed by re-encryption of the traffic, for correctly routing to the private host, increases the connection latency and also poses a higher threat in case of traffic interception by a malicious third-party. In this paper, we present a novel open-source ALG, called Sec-ALG, for providing secure end-to-end communication to the web servers situated in the private address space. Sec-ALG relies on the technique of light Deep Packet Inspection (DPI) for protocol detection and session establishment using a novel parser-lexer generator called YaLe. The proposed approach offers increased security by maintaining end-to-end encryption for an HTTPS connection. Our experimental analysis demonstrates that Sec-ALG reduces the HTTPS connection latency in comparison to the NGINX reverse proxy using a 24-core host machine. Moreover, Sec-ALG handles requests at a threefold increased rate than NGINX proxy when tested with 100 concurrent connections. The ALG can be used either as a standalone solution or a component of the Realm Gateway, that is a generic interworking solution between public and private networks. The presented work is part of an extensive ongoing research at Aalto University focusing on embedding policy based trust into the network.

show abstract

Section: A Nat Middleboxesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Sec-ALG: An Open-source Application Layer Gateway for Secure Access to Private Networks

Riaz

Tilli

Kantola

2020

2020 29th International Conference on Computer Communications and Networks (ICCCN)

Self Cite

View full text Add to dashboard Cite

show abstract

“…The adoption of CES does not require changes to end hosts. To this end, a customer edge switch can be complemented with a realm gateway (RG), [19][20][21][22] which allows dynamic and unilateral initiation of communication by legacy Internet hosts to the servers located in the private networks. The behavior of CES for outbound connections to legacy hosts is the same as NAT.…”

Section: Trust-oriented Approach To Network Securitymentioning

confidence: 99%

“…The CES can contribute to meet the energy challenge of 5G 58 : facilitating longer battery lifetimes for wireless devices, such as mobile hosts or sensors, by allowing them to sleep as long as possible. 20 This is because the hosts in the private realm will have an improved network-based firewall, which can filter the malicious flows before they reach the end devices, and because hosts are only reachable via a policy.…”

Section: Trust-oriented Approach To Network Securitymentioning

confidence: 99%

“…To outline the feasibility of cooperation among Internet networks, the paper briefly describes the implementation of our solution particularly in 5G. The overall 2-tier security solution proposes: (1) a network-based firewall (Customer Edge Switching [CES] [17][18][19][20][21][22][23][24] ) that addresses inherent Internet vulnerabilities and security at the level of interaction between customer networks and (2) an Internet-wide evidence collection, aggregation, and reputation system. This paper concerns with the latter, i.e.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Cooperation and end‐to‐end in the Internet

Kantola

Kabir

Loiseau

2017

Int J Communication

Self Cite

View full text Add to dashboard Cite

Summary This paper analyzes the motivation and strategies for ensuring cooperative behavior among hosts and customer networks in the Internet and 5G networks. The hypothesis is that better cooperation among the benevolent entities could improve the overall Internet welfare, motivating the need for adoption of cooperative security. However, in state of the art, the prevalent security approach in the Internet is based on self‐help, while the adoption of cooperative methods is progressing slowly. At the same time, the ubiquitous reliance on 5G and mission critical nature of some of the new services, for example, ultrareliable (machine‐to‐machine) communication and Internet of things, requires that 5G will do its best to curb the malicious (noncooperative) behavior from becoming a cause of failure to the legitimate services. In this paper, we relate our analysis of the conditions for sustainable cooperation in the Internet with the famous end‐to‐end principle, and present the hypothesis that there is no end‐to‐end solution to the problem of ensuring cooperation among Internet hosts. Game theory allows studying the outcomes of interactions among the players with conflicting interests. We use it to study the hypothesis and show that introducing the reputation of Internet nodes and customer networks can lead to cooperation, which improves the overall Internet welfare and reduces the payoffs of malicious actors. We study the possible response of noncooperative users with advanced defection strategies and the resulting outcomes. We argue that 5G shall make significant progress towards uprooting the selfish behavior and malicious activities using cooperation and relate it with motivation for providing ubiquitous connectivity and ultrareliable services. The paper concludes by summarizing our earlier work on the application of the proposed methods of cooperation to 5G and the Internet; outlining how cooperation in security is not only desirable but also feasible.

show abstract