Advanced Wireless Networks - 4G Technologies
.pdf628 SECURITY
[77]T. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing. In J. Feigen-baum (ed.), Advances in Cryptology – Proc. Crypto’91, the 11th Annual International Cryptology Conference, Santa Barbara, CA, 11–15 August 1991, vol. 576 of Lecture Notes in Computer Science. Springer: Berlin, 1992, pp. 129–140.
[78]B. Kumar, Integration of security in network routing protocols. SIGSAC Rev., vol. 11, 1993, pp. 18–25.
[79]K.E. Sirois and S.T. Kent, Securing the Nimrod routing architecture, in Proc. Symp. Network and Distributed System Security, Los Alamitos, CA, February 1997. The Internet Society, IEEE Computer Society Press, 1997, pp. 74–84.
[80]B.R. Smith, S. Murphy and J.J. Garcia-Luna-aceves, Securing distance-vector routing protocols. In Proc. Symp. Network and Distributed System Security, Los Alamitos, CA, February 1997. The Internet Society, IEEE Computer Society Press, 1997, pp. 85–92.
[81]R. Hauser, T. Przygienda and G. Tsudik, Lowering security overhead in link state routing. Comput. Networks, vol. 31, 1999, pp. 885–894.
[82]M.K. Reiter, Distributing trust with the Rampart toolkit, Commun. ACM, vol. 39, 1996, pp. 71–74.
[83]M.K. Reiter, M.K. Franklin, J.B. Lacy and R.N. Wright. The key management service, J. Comput. Security, vol. 4, 1996, pp. 267–297.
[84]L. Gong, Increasing availability and security of an authentication service. IEEE J. Select. Areas Commun., vol. 11, 1993, pp. 657–662.
[85]S. Capkun, L. Butty´an and J.-P. Hubaux, Self-organized public-key management for mobile ad hoc networks, IEEE Trans. Mobile Comput., vol. 2, no. 1, 2003, pp. 52–64.
[86]C. Karlof and D. Wagner, Secure routing in wireless sensor networks: attacks and countermeasures, Proc. First IEEE Int. Workshop on Sensor Network Protocols and Applications, 11 May 2003, pp. 113–127.
[87]J. Kulik, W. Heinzelman and H. Balabishnan, Negotiation-based protocols for disseminating information in wireless sensor networks, Wireless Networks, vol. 8, nos 2–3, 2002, pp. 169–185.
|
|
|
|
|
PROGRAMABLE NETWORKS REFERENCE MODELS |
631 |
|||||||||
|
|
|
|
|
|
|
Route |
|
|
|
|
IP |
|
||
|
|
|
|
|
|
|
|
|
IP router/ |
|
|
||||
|
|
|
Route |
|
|
update |
|
|
forwarder |
|
|
|
|
||
|
|
|
Active routerRouter |
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
update |
controlController |
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
IP |
|
|
|
|
|
|
|
IP |
|
|
|
|
||
|
IP router/ |
|
IP |
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|||||||
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
forwarder |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
IP |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
IP router/ |
|
|
|
|
|
|
|
|
|
|
|
|
Active |
|
forwarder |
|
|
IP |
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|||||
|
|
|
|
|
packets |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
IP |
|
|
|
|
IP |
|
|
|
|
|
|
IP |
|
|
|
|
|
|
|
|
|
|
|
||
|
|
IP router/ |
|
Active |
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
forwarder |
|
Active Routerrouter |
|
|
|
|
||||
|
|
|
|
|
|
packets |
|
|
|
|
|||||
|
|
|
|
|
|
|
Controcontrolller |
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
|
Route |
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
IP router/ |
|
IP |
|||
|
|
|
|
|
|
|
|
|
update IP |
|
forwarder |
|
|
||
IP |
|
|
|
|
|
|
IP router/ |
|
|
|
|||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
IP router/ |
|
|
|
|
forwarder |
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
forwarder |
|
|
|
|
IP |
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Figure 16.2 ARCs distributed throughout an Internet.
In this configuration, choices of routes are made by the ARC. A significant advantage is that specialized forwarding tables can be loaded into each forwarder; these tables can be small since entries must exist only for adjacent nodes.
A key advantage of the ARC model is that, for computationally centered tasks (routing, or more general computations if the programmability of ARCs is exploited), a computer which tracks computer technology trend exponentials (faster CPU, larger RAM) is used, while the forwarders independently track networking technology trend exponentials such as bandwidth improvements.
The basic distributed control architecture of Figure 16.1 can be replicated throughout an Internetwork, with the active elements using the managed Internet routes as link layers. This is shown in Figure 16.2, where a set of active nodes has been grafted into a larger collection of forwarders to create an active Internet.
16.2 PROGRAMABLE NETWORKS REFERENCE MODELS
IEEE P1520 is formalized by the IEEE Project 1520 standards initiative for programmable network interfaces and its corresponding reference model [22]. The IEEE P1520 RM, depicted in Figure 16.3, defines the following four interfaces.
(1)CCM interface – the connection control and management interface is a collection of protocols that enable the exchange of state and control information at a very low level between the NE and an external agent.
632 |
ACTIVE NETWORKS |
|
|
|
|
|
|
|
|
||
|
V |
|
USERS |
|
|
|
|||||
|
interface |
|
|
|
|
|
|
|
|
|
|
|
|
Applications invoking methods on objects below |
|
||||||||
|
U |
|
|
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
interface |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Policy-based |
|
|
|
|
|
RSVP |
|
|
|
|
|
differentiated |
|
Customized |
|
Routing |
|
or other |
|
|
|
|
|
services |
|
routing |
|
algorithms |
|
per-flow |
|
|
|
|
|
scheduling |
|
|
|
|
|
protocol |
|
|
|
L |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Interface |
|
|
|
|
|
|
|
|
Low |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Service specific |
|
|
|
|
|
|
|
|
abstraction |
|
|
building blocks |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
Resource |
|
|
|
|
|
|
|
|
|
|
|
building blocks |
|
|
|
|
|
|
|
|
Degree of |
|
|
Base |
|
|
|
|
|
|
|
|
||
|
building blocks |
|
|
|
|
|
|
|
|
High |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
Controller |
|
|
|
|||
|
|
|
Hardware and |
|
|
|
Routing |
Data |
|||
|
|
|
other resources |
|
|
|
table |
||||
|
|
|
|
|
|
|
Figure 16.3 P1520 reference model and the L-interface abstraction model.
(2)L-interface – this defines an application program interface (API) that consists of methods for manipulating local network resources abstracted as objects. This abstraction isolates upper layers from hardware dependencies or other proprietary interfaces.
(3)U-interface – this mainly provides an API that deals with connection setup issues. The U-interface isolates the diversity of connection set-up requests from the actual algorithms that implement them.
(4)V-interface – it provides a rich set of APIs to write highly customized software, often in the form of value-added services.
CCM and L-interfaces fall under the category of NE (network element) interfaces, whereas U- and V-interfaces constitute network-wide interfaces. Initial efforts through the ATM sub-working group (P1520.2) focused on telecommunication networks based on ATM and introduced programmability in the control plane [23]. Later, the IP Sub-working Group extended these principles to IP networks and routers.
16.2.1 IETF ForCES
Recently, a working group of IETF, called forwarding and control element separation (ForCES) was formed with a similar objective to that of P1520 [24, 25]. Document [25] classifies the NE as a collection of components of two types: control elements (CE) and forwarding elements (FE) operating in the control and forwarding (transport) planes, respectively. CE’s host controls functionality, like routing and signaling protocols, whereas FEs perform operations on packets, like header processing, metering, scheduling, etc., when
PROGRAMABLE NETWORKS REFERENCE MODELS |
633 |
|
Network element |
|
|
Fr |
|
CE 1 |
CE 2 |
CE 3 |
|
Fp |
|
|
Fi |
|
FE 1 |
FE 2 |
FE 3 |
Figure 16.4 ForCES architectural representation of NE.
passing through them. CEs and FEs may be interconnected with each other in every possible combination (CE-CE, CE-FE, FE-FE), thus forming arbitrary types of logical topologies (see Figure 16.4). Every distinct combination defines a reference point, namely, Fr , Fp and Fi . Each one of these reference points may define a protocol or a collection thereof, but ForCES protocol is only defined for the Fp reference point.
16.2.2 Active networks reference architecture
Active networks transform the store-and-forward network into store-compute-and-forward network. The difference here is that packets are no longer passive but rather active in the sense that they carry executable code together with their data payload. This code is dispatched and executed at designated (active) nodes performing operations on the packet data as well as changing the current state of the node to be found by the packets that follow. Two approaches are possible based on whether programs and data are carried discretely, within program and data packets (out-of-band) or in an integrated manner, i.e. in-band.
In the discrete case, injecting code into the node and processing packets are two separated jobs. The user or network operator first injects his customized code into the routers along a path. Then the data packet arrives, its header is examined and the appropriate preinstalled code is loaded to operate on its contents [26, 27]. Separate mechanisms for loading and executing may be required for the control thereof. This separation enables network operators to dynamically download code to extend a node’s capabilities, which in turn become available to customers through execution.
At the other extreme lies the integrated approach where code and data are carried by the same packet [28]. In this context, when a packet arrives at a node, code and data are separated, and the code is loaded to operate on the packet or change the state of the node. A hybrid approach has also been proposed [29].
The active networks reference architecture model [30, 31] is shown in Figure 16.5. An active network is a mixture of active and legacy (nonactive) nodes. The active nodes run the node operating system (NodeOS) – not necessarily the same, while a number of execution environments (EE) coexist at the same node. Finally a number of active applications (AA) make use of services offered by the EEs.
EVOLUTION TO 4G WIRELESS NETWORKS |
637 |
that must be sent by the application is [36]:
fun getToAgent(dest, payload, port) = try
let val fagent = lookupTuple(dest) in
OnRemote(|FoundFA|(dest, payload, port), fagent, getRB( ), defRoute) end
handle NotFound =>
if (thisHostIs(dest)) then deliver(payload, port) else
let val next = defaultRoute(dest) in
OnNeighbor(|getToAgent|(dest, payload, port), #1 next, getRB( ),#2 next)) end
fun FoundFA(dest, payload, port) = let val hop = defaultRoute(dest) in
OnNeighbor(|deliver|(payload, port), #1 hop, getRB(), #2 hop)) end
GetToAgent is the main function and, when it executes, it first looks up dest in the softstore using lookupTuple. If that succeeds, it has found the home agent and it uses OnRemote to send a new packet, the tunnel, that will execute FoundFA at the foreign agent with the same arguments as getToAgent.
OnRemote provides multihop transmission of the packet without execution until it reaches the foreign agent. If the lookup fails the handle will execute. If we have actually reached the host then we deliver the packet. Otherwise, it looks up the next hop toward dest. It then uses OnNeighbor, which only transmits a packet one hop, to send the packet. Thus the packet travels hop-by-hop looking for the home agent. FoundFA function executes on the foreign agent, which in this case is the mobile host, but might be some other node on the same sub-net. It sends a packet to the dest that does the delivery. This is where the original packet is removed from the tunnel. Notice that all of that functionality is encoded in the tunnel packet program itself; the foreign agent does not need to have any knowledge of its role as a tunnel endpoint – it just has to support PLAN.
If a node defines an extensible interface, new extensions can be loaded and plugged into this interface to provide extended or enhanced functionality. This is the essence of plug-in extension evolution. As an illustration consider the pseudocode shown below for a simple AP that implements route discovery [36]:
Route Discover(Simple DSR)
procedure Route Request(Target,RouteRec)
if Duplicate Request Packet Or My Address Already In Route Rec then Discard
if This Host is Target
then Route Reply(RouteRec)
else
else
Append My Address To Route
Flood To All Neighbours
The packet itself embodies many key aspects of the protocol directly. In particular, it does duplicate elimination, tests for routing loops, detects termination and sends a reply,