Dynamic setup of IPsec VPNs in service function chaining

Gunleifsen, Håkon; Kemmerich, Thomas; Gkioulos, Vasileios

doi:10.1016/j.comnet.2019.05.015

Cited by 17 publications

(11 citation statements)

References 51 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…From the encryption perspective, no protocols have been found for providing micro-segmented and flow-based encryption per SFC. However, our previous work [7] that originated from Software-Defined IPsec Flow Protection in SDN [26] and IPsec Key Exchange using a Controller [27], showed how encryption and Software-Defined Security Associations (SD-SA) could be adapted to an NFV domain.…”

Section: Related Workmentioning

confidence: 99%

“…In this paper, we combine this SD-SA encryption architecture [7] with our new SFC header [3] and a new flow distribution control plane. The security features of the architecture are verified by demonstrating how the requirements such as isolation and encryption comply with a use case scenario.…”

Section: Related Workmentioning

confidence: 99%

“…From a network infrastructure perspective, the EF is a copy of the SF, except for being responsible for a different network layer (the additional NSH layer). In addition to the P4 networking functionalities, the EF adopts the Software-Defined IPsec application (SD-SA) functionality that we have presented in our previous work [7]. In summary, this application has the following features:…”

Section: The Encryption Service Functionmentioning

confidence: 99%

“…Due to the non-bidirectional NSH communication channel between EFs [2], an IPsec IKE channel is not possible to establish on the data plane. Hence, we adopt the aforementioned SD-SA application from our previous work [7] in order to replace IKE in IPsec. In summary, this application includes the following functionality.…”

Section: The Authentication Centre (Auc)mentioning

confidence: 99%

“…Thirdly (C), an automated forwarding architecture has been developed based on a web service architecture, aiming to accommodate the requirements and the constraints [3]. The fourth step (D) in our studies was to develop a security protocol for exchanging encryption keys between SFs [7]. This article (E) integrates the previous results into a customised NFV environment and combines it with SFC routing [8].…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

A Proof-of-Concept Demonstration of Isolated and Encrypted Service Function Chains

2019

Self Cite

View full text Add to dashboard Cite

Contemporary Service Function Chaining (SFC), and the requirements arising from privacy concerns, call for the increasing integration of security features such as encryption and isolation across Network Function Virtualisation (NFV) domains. Therefore, suitable adaptations of automation and encryption concepts for the development of interconnected data centre infrastructures are essential. Nevertheless, packet isolation constraints related to the current NFV infrastructure and SFC protocols, render current NFV standards insecure. Accordingly, the goal of our work was an experimental demonstration of a new SFC packet forwarding standard that enables contemporary data centres to overcome these constraints. This article presents a comprehensive view of the developed architecture, focusing on the elements that constitute a new forwarding standard of encrypted SFC packets. Through a Proof-of-Concept demonstration, we present our closing experimental results of how the architecture fulfils the requirements defined in our use case.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: The Encryption Service Functionmentioning

confidence: 99%

Section: The Authentication Centre (Auc)mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

A Proof-of-Concept Demonstration of Isolated and Encrypted Service Function Chains

2019

Self Cite

View full text Add to dashboard Cite

show abstract

Considerations on Evaluation of Practical Cloud Data Protection

Rui

Yan

et al. 2022

Communications in Computer and Information Science

View full text Add to dashboard Cite

With the continuous growth of enterprises’ digital transformation, business-driven cloud computing has seen tremendous growth. The security community has proposed a large body of technical mechanisms, operational processes, and practical solutions to achieve cloud security. In addition, diverse jurisdictions also present regulatory requirements on data protection to mitigate possible risks, for instance, unauthorized access, data leakage, sensitive information and privacy disclosure. In view of this, several practical standards, frameworks, and best practices in the industry are proposed to evaluate and improve the protection level of cloud data. However, few evaluation models can conduct a comprehensive quantitative evaluation for cloud data protection that includes security, privacy, and even ethical considerations. In this paper, we first make a comprehensive review of cloud data security and privacy issues, especially also including ethical concerns that we consider as a type of specific risks caused by human factors, which refers to acting honorably, honestly, justly, and legally, due diligence, and due care. Then, we propose a novel evaluation model for cloud data protection that can quantitatively assess the protection level. Finally, based on the parallel evaluation between manual assessment by experts and our evaluation model, results show that our evaluation model is consistent with the manual evaluation conclusion.

show abstract