When mobile End Users are offloaded from a Radio Access Network (RAN) to a WLAN, current I-WLAN [1] offload architectures route all traffic to a common Security Gateway. In this paper, we propose an alternative End-to-End security (E2E) architecture based on the MOBIKE-X [2] protocol, which extends the MOBIKE [3] Mobility and Multihoming features to Multiple Interfaces and to the Transport mode of IPsec. The benefits of this E2E architecture are mostly load reduction and a better End User experience. First, E2E offloads the ISP core and backhaul networks; second, E2E uses IPsec Transport mode instead of Tunnel mode, which removes networking and security overhead. This reduces CPU load by 20%, enhances Mobility and Multihoming operations by about 15%, and makes the system 2.9 times more reactive in detecting modifications of interfaces.
Virtual Private Networks (VPNs) are usually based on IPsec. However, IPsec was not designed with elasticity in mind, which makes clusters of Security Gateways (SGs) hard to manage when a high Service Level Agreement (SLA) must be provided. Such clusters must nevertheless be handled: for example, ISPs use VPNs to secure millions of communications when offloading End Users (EUs) from Radio Access Networks to alternative access networks such as WLAN. Additionally, Virtual Private Cloud (VPC) providers handle thousands of VPN connections when remote EUs access private clouds. This paper describes how to provide Traffic Management (TM) and High Availability (HA) for VPN infrastructures by sharing an IPsec context. TM and HA have been implemented and evaluated over a 2-node cluster. We measured their impact on a real-time audio streaming service simulating a phone conversation. We found that over a 3-minute conversation, the impact on QoS measured with POLQA is less than 3%.
To face the huge demand for mobile traffic, ISPs are looking to offload traffic from their Radio Access Network (RAN) to WLAN. I-WLAN is currently the offload architecture proposed by 3GPP; it tunnels the traffic to a Security Gateway. This paper proposes for ISPs an ISP Offload Infrastructure which minimizes infrastructure deployment cost and which can be deployed in the very short term. The ISP Offload Infrastructure classifies the EU traffic into 3 distinct classes and assigns each class a specific and adapted offload architecture: ForWarD Architecture (FWDA), Offload Service Architecture (OSA) and Offload Access Architecture (OAA). This paper shows how to deploy each Offload Architecture by using SCTP in conjunction with MOBIKE(-X), or MOBIKE(-X) alone. We then measure how each Offload Architecture may affect the EU experience, and provide recommendations on how to deploy and implement the ISP Offload Infrastructure.
To manage the huge demand for traffic, Internet Service Providers (ISPs) are offloading their mobile data from Radio Access Networks (RAN) to Wireless Local Area Networks (WLAN). While RANs are considered trusted networks, WLANs need to build a similar trusted zone in order to offer the same security level and Quality of Service (QoS) to End Users (EUs). Although IPsec is widely implemented to create trusted environments across untrusted networks, the industry is increasingly interested in providing IPsec-based services with High Availability (HA) features in order to ensure reliability, QoS and security. Even though IPsec is not originally well suited to providing HA, mechanisms like VRRP or ClusterIP can work together with IPsec to offer HA capabilities. ClusterIP is actually used by strongSwan (an open source IPsec-based VPN solution) to build a cluster of IPsec Security Gateways (SGs) offering HA features. This paper concentrates on how to build a cluster of IPsec SGs based on ClusterIP. We describe the main issues to overcome in providing HA within IPsec. Then, we measure how HA may affect the EU experience, and provide recommendations on how to deploy ClusterIP. Finally, our tests over an HTTP connection showed that ClusterIP allows fast recovery during a failure.
Operators mainly use IPsec Virtual Private Networks (VPNs) to extend a security domain over untrusted networks. A VPN is usually established when an End User (EU) and a Security Gateway (SG) negotiate Security Associations (SAs). For better QoS, SGs are geographically distributed so that they are as close as possible to the EUs. As such, the higher the level of responsibility of an SG, the higher the risk that it becomes overloaded and breaks down. This paper presents a mechanism for extracting and reinstalling security associations, as well as a mechanism to transfer a given IPsec traffic from one SG to another. We also propose an additional mechanism for resolving the mis-synchronization of IPsec anti-replay counters and IKEv2 Message ID counters. Finally, performance measurements in terms of delays and packet loss are provided and prove the feasibility of the approach. Results obtained through a real implementation showed that the system time to extract an IKEv2/IPsec session ranges from 5 ms to 15 ms, whereas the system time to restore an IKEv2/IPsec session can take 2 ms to 22 ms.