Network Research at College of Computing and Digital Media

James Yu, Ph.D.

Associate Professor

DePaul University

[email protected]

3/11/2014


Outline

  • Wireless LAN Security: Protection against DoS Attacks

  • VoIP Traffic Engineering

  • Netconf for Configuration Validation

  • Hybrid Routing for MANET


WLAN Security: Problem Statement

  • It is relatively easy for a hacker to send a forged deauthentication or disassociation frame to a wireless client and terminate its connection to the Wireless Access Point (WAP).

  • Making it worse, a hacker could flood a wireless client with deauthentication or disassociation frames.

  • During the attacks, communications to the client are dead.

  • 802.11i provides an effective mechanism to address crypto attacks, but it does not prevent most DoS attacks.


Research Approach

  • Building an empirical framework to study DoS attacks over WLANs.

  • Investigation of DoS attacks on wireless communication.

  • 802.11w – a draft solution to the problem

  • Network simulation of WLAN DoS Attacks

  • Implementation and improvement of 802.11w to resolve DoS attacks.

  • Verification and Validation



DeauthF and DisassF DoS attacks

  • Deauthentication Flooding (DeauthF): A hacker floods the WLAN with faked deauthentication frames to force authenticated wireless clients to drop their connections with the AP.

  • Disassociation Flooding (DisassF): The attacker floods disassociation frames to wireless clients to force them to disconnect from the AP.





802.11w (draft)

  • A new draft standard to enhance 802.11i capability

  • 802.11w extends the security protection to 802.11 management frames

  • Deauthentication or disassociation frames are encrypted and sent to the client. The client checks the authenticity of the management frame and then accepts (or rejects) it.



Implementation and Analyses of 802.11w

  • We implement and investigate the performance and effectiveness of 802.11w to protect the management frames of deauthentication and disassociation.

  • We use the ns-2 simulator to analyze 802.11w under four cases. They are the

    • normal WLAN,

    • the WLAN under DeauthF,

    • the WLAN under DeauthF-802.11w, and

    • the WLAN under DeauthF-802.11w w/ Traffic Shaping.



WLAN under Deauthentication Attacks




Traffic Shaping

  • An enhancement implemented in the 802.11w solution.

  • Monitor the DoS attacking rate.

  • When the attacking rate is higher than a threshold value (which is configurable), the client will shape the traffic to no more than 10 fps.

  • When the attacking rate is below the threshold value, the standard 802.11w operation continues.
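As an added example, not code from the slides or from the ns-2 implementation they describe, the following Python models the client-side behaviour described in the DeauthF/DisassF and Traffic Shaping slides: a rate monitor over a one-second sliding window (the window length is an assumption), a configurable attack-rate threshold, and a shaper that lets at most 10 frames per second through to 802.11w verification once the threshold is exceeded. The frame trace is constructed; a genuine 802.11w frame is represented simply by a flag saying whether its integrity check would pass.

```python
from collections import deque
from dataclasses import dataclass

SHAPED_RATE_FPS = 10      # slides: shape to no more than 10 frames per second
WINDOW_MS = 1000          # assumed: attack rate is measured over a 1 s sliding window


@dataclass
class MgmtFrame:
    """A received deauthentication/disassociation frame (constructed sample data)."""
    t_ms: int             # arrival time in milliseconds
    subtype: str          # "deauth" or "disassoc"
    mic_valid: bool       # whether the 802.11w integrity check on the frame would pass


@dataclass
class Stats:
    verified: int = 0     # frames handed to the 802.11w integrity check
    accepted: int = 0     # genuine frames (check passes): the client disconnects
    rejected: int = 0     # forged frames caught by the integrity check
    dropped: int = 0      # frames discarded by the shaper without verification


class DeauthShaper:
    """Client-side shaper: standard 802.11w processing below the threshold,
    at most SHAPED_RATE_FPS verifications per second above it."""

    def __init__(self, threshold_fps: int):
        self.threshold_fps = threshold_fps     # configurable attack-rate threshold
        self.arrivals: deque[int] = deque()    # arrival times inside the window
        self.next_allowed_ms = 0               # earliest time the shaper lets a frame through
        self.stats = Stats()

    def attack_rate(self, now_ms: int) -> int:
        """Frames per second observed over the sliding window ending at now_ms."""
        while self.arrivals and now_ms - self.arrivals[0] >= WINDOW_MS:
            self.arrivals.popleft()
        return len(self.arrivals) * 1000 // WINDOW_MS

    def process(self, frame: MgmtFrame) -> str:
        self.arrivals.append(frame.t_ms)
        under_attack = self.attack_rate(frame.t_ms) > self.threshold_fps
        if under_attack:
            if frame.t_ms < self.next_allowed_ms:
                self.stats.dropped += 1        # shaped away: not even verified
                return "dropped"
            self.next_allowed_ms = frame.t_ms + 1000 // SHAPED_RATE_FPS
        # Standard 802.11w operation: verify the protected management frame
        self.stats.verified += 1
        if frame.mic_valid:
            self.stats.accepted += 1
            return "accepted"
        self.stats.rejected += 1
        return "rejected"


def build_trace() -> list[MgmtFrame]:
    """Constructed trace: one stray forged frame at t = 0.2 s, then a
    400-frame deauthentication flood at 200 fps starting at t = 1 s."""
    trace = [MgmtFrame(200, "deauth", False)]
    trace += [MgmtFrame(1000 + 5 * i, "deauth", False) for i in range(400)]
    return trace


def run_trace(frames: list[MgmtFrame], threshold_fps: int = 50) -> Stats:
    """Feed a trace through the shaper and return the counters."""
    shaper = DeauthShaper(threshold_fps)
    for f in frames:
        shaper.process(f)
    return shaper.stats


if __name__ == "__main__":
    print(run_trace(build_trace()))
```

With the constructed trace and a 50 fps threshold, the first 50 flood frames are verified at full rate (the window has not yet crossed the threshold), after which only one frame per 100 ms reaches the integrity check and the remaining 332 are dropped unverified. The trade-off this code makes explicit: while shaping is active, a genuine frame from the AP is subject to the same 10 fps limit, so it can be delayed or dropped along with the forgeries.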



WLAN under Protection of 802.11w and Traffic Shaping



Contribution and Future Research

  • Empirical work

  • Implementation of 802.11w

  • To develop a queuing model to explain the attacking scenarios.

    • The queuing model is to be validated by the empirical results and also the ns-2 simulation model.



Voice Traffic Engineering

  • Goal: Design the network with sufficient capacity to meet the traffic demand with satisfactory performance

  • Demand (A) – Traffic Intensity, in Erlangs:

    A = number of calls × average call duration

  • Resources (N) – Number of Trunks

  • Grade of Service (GoS) – blocking probability

  • Erlang B Model
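As an added example, not code from the slides, the Erlang B model in Python with the slide's symbols: traffic intensity A (calls × average duration), N trunks, and the blocking probability B(A, N) as the grade of service. The recurrence B(A, 0) = 1, B(A, n) = A·B(A, n−1) / (n + A·B(A, n−1)) is the standard numerically stable form of the Erlang B formula; the demand figures in the test are constructed.

```python
def traffic_intensity(calls_per_hour: float, avg_duration_min: float) -> float:
    """A = call arrival rate × mean holding time, expressed in Erlangs.
    Calls per hour times minutes per call, divided by 60 minutes per hour."""
    return calls_per_hour * avg_duration_min / 60.0


def erlang_b(traffic_erlangs: float, trunks: int) -> float:
    """Blocking probability B(A, N): the fraction of call attempts that find
    all N trunks busy, computed by the recurrence
    B(A, 0) = 1,  B(A, n) = A * B(A, n-1) / (n + A * B(A, n-1))."""
    if traffic_erlangs < 0 or trunks < 0:
        raise ValueError("traffic and trunk count must be non-negative")
    b = 1.0
    for n in range(1, trunks + 1):
        b = traffic_erlangs * b / (n + traffic_erlangs * b)
    return b


def trunks_for_gos(traffic_erlangs: float, target_blocking: float,
                   max_trunks: int = 10_000) -> int:
    """Smallest N whose blocking probability meets the target grade of service."""
    for n in range(1, max_trunks + 1):
        if erlang_b(traffic_erlangs, n) <= target_blocking:
            return n
    raise ValueError("target GoS not reachable within max_trunks")


def gos_table(traffic_erlangs: float, max_trunks: int) -> list[tuple[int, float]]:
    """(N, B(A, N)) pairs, useful for seeing how quickly blocking falls with N."""
    return [(n, erlang_b(traffic_erlangs, n)) for n in range(1, max_trunks + 1)]


if __name__ == "__main__":
    # Constructed demand: 120 calls per busy hour, 3 minutes each -> A = 6 Erlangs
    a = traffic_intensity(120, 3)
    for n, b in gos_table(a, 12):
        print(f"N={n:2d}  B={b:.4f}")
    print("trunks for 1% blocking:", trunks_for_gos(a, 0.01))
```

With A = 2 Erlangs, two trunks give B = 0.4 (40% of attempts blocked) and seven trunks are needed to reach a 1% grade of service, which is the trade-off the slide's "Resources (N)" versus "Grade of Service" framing describes.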



VoIP Network

(Diagram. Components shown: PSTN Switch (×2), SoftSwitch (×2), Trunk MG (×2), Access MG, Call Manager (SIP Proxy), Call Manager (Enterprise), Carrier VoIP Network. Signalling labels: SS7, Q.931. Network segments: IP (public), IP (internal), IP (private). MG: Media Gateway.)


Call Admission Control (CAC)

  • The network (call manager or softswitch) accepts a call request only if it could guarantee the quality of service (QoS) of the call.

  • In a network with dedicated bandwidth for VoIP, we can calculate the max number of simultaneous calls based on the allocated bandwidth.

    • This is the parameter N of the Erlang-B model

    • Maximum Call Load

  • When there are N calls in the network, any new call request will be rejected:

    • the same as when no trunks are available to route the call.



Experimental Results (Bandwidth Utilization)

Problem!

Bandwidth Utilization = observed max call load ÷ expected max call load



Analysis – Limiting Resource

  • Most studies consider the bandwidth (bps) as the limiting resource for the VoIP network.

  • In our experiment, the device (router) is the limiting resource.

    • Packet Throughput of Cisco 2600 router: 15,000 pps

15,000 ÷ (1000 ÷ 20) ÷ 4 = 75 calls/sec

Packet sampling rate: 20 ms
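As an added example, not code from the slides, the following Python ties together the Call Admission Control slide, the bandwidth-utilization ratio and the limiting-resource analysis: it derives the maximum call load N from the router's packet throughput exactly as the slide does (15,000 ÷ (1000 ÷ 20) ÷ 4), derives the bandwidth-bound limit for comparison, takes the tighter of the two as the Erlang-B parameter N, and enforces it as an admission decision. The codec, header and link figures are assumptions (G.711 at 64 kbps, 40 bytes of IP/UDP/RTP headers, 18 bytes of Ethernet framing, a 100 Mbps link), and the reading of the slide's divisor 4 as two directions each counted on router ingress and egress is also an assumption.

```python
ROUTER_PPS = 15_000          # slides: packet throughput of the Cisco 2600 router
PACKETIZATION_MS = 20        # slides: packet sampling rate of 20 ms
STREAMS_PER_CALL = 4         # slides divide by 4; assumed: two directions, each
                             # counted on ingress and egress of the router

# Assumed codec/link figures (not from the slides)
CODEC_BPS = 64_000           # G.711
IP_UDP_RTP_BYTES = 40
ETHERNET_BYTES = 18
LINK_BPS = 100_000_000       # 100 Mbps link dedicated to VoIP


def packets_per_second(packetization_ms: int = PACKETIZATION_MS) -> float:
    """Packets one voice stream generates per second: 1000 / 20 = 50."""
    return 1000 / packetization_ms


def max_calls_by_pps(router_pps: int = ROUTER_PPS,
                     packetization_ms: int = PACKETIZATION_MS,
                     streams_per_call: int = STREAMS_PER_CALL) -> int:
    """Router as the limiting resource: 15,000 / (1000 / 20) / 4 = 75 on the slides."""
    return int(router_pps / packets_per_second(packetization_ms) / streams_per_call)


def stream_bps(codec_bps: int = CODEC_BPS, packetization_ms: int = PACKETIZATION_MS,
               header_bytes: int = IP_UDP_RTP_BYTES + ETHERNET_BYTES) -> float:
    """Line rate of one unidirectional stream including per-packet overhead."""
    payload_bytes = codec_bps * packetization_ms / 8000      # 160 bytes for G.711/20 ms
    return (payload_bytes + header_bytes) * 8 * packets_per_second(packetization_ms)


def max_calls_by_bandwidth(link_bps: int = LINK_BPS, **codec_kw) -> int:
    """Bandwidth as the limiting resource; a call is two unidirectional streams."""
    return int(link_bps // (2 * stream_bps(**codec_kw)))


def max_call_load(link_bps: int = LINK_BPS, router_pps: int = ROUTER_PPS) -> tuple[int, str]:
    """Erlang-B parameter N: the tighter of the two limits, and which one binds."""
    by_bw = max_calls_by_bandwidth(link_bps)
    by_pps = max_calls_by_pps(router_pps)
    return (by_pps, "router pps") if by_pps < by_bw else (by_bw, "bandwidth")


class CallAdmissionControl:
    """Accept a new call only while fewer than N calls are active (slide: once
    N calls are up, a new request is rejected as if no trunk were free)."""

    def __init__(self, n_max: int):
        self.n_max = n_max
        self.active = 0

    def request(self) -> bool:
        if self.active >= self.n_max:
            return False
        self.active += 1
        return True

    def release(self) -> None:
        self.active = max(0, self.active - 1)


def bandwidth_utilization(observed_max_calls: int, expected_max_calls: int) -> float:
    """Slides: observed max call load ÷ expected max call load."""
    return observed_max_calls / expected_max_calls


if __name__ == "__main__":
    n, bound_by = max_call_load()
    print(f"N = {n} calls (bound by {bound_by})")
    cac = CallAdmissionControl(n)
    admitted = sum(cac.request() for _ in range(n + 5))
    print(f"admitted {admitted} of {n + 5} requests")
    print("utilization if only 57 calls observed:", bandwidth_utilization(57, n))
```

With a 100 Mbps link the bandwidth bound (573 calls under the assumed codec) is far above the router's 75, so the router is the limiting resource and N = 75, which is the slide's point: sizing VoIP capacity on bits per second alone overstates what the device can carry, and a CAC limit set from bandwidth would admit calls the router cannot forward.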



Current Research

  • Establish a research project with Neutral Tandem, a telecommunications service provider which has an IP core network for voice traffic.

  • Collect and analyze the real traffic data

  • Build a traffic engineering model

    • Model development

    • Model validation



Netconf for Network Management


Network Management Requirements

  • Easy to use

  • Ability to manipulate complete device configuration rather than individual entities

  • Support multiple configurations

  • Configuration transactions across multiple devices simultaneously

  • Human-readable format

  • Integration with existing security infrastructure



Evolution of Network Management

  • Command-Oriented: vendor specific

  • Variable-Oriented: SNMP/MIB

  • Object-Oriented: CORBA

  • Document-Oriented: XML-based

  • Transaction-Oriented: NETCONF


NETCONF Transport

  • Secure Shell (SSH)

    • Mandatory for NETCONF implementations

    • Secure

  • Simple Object Access Protocol (SOAP)

    • SOAP over HTTP(S)

    • Web Services support

  • Blocks Extensible Exchange Protocol (BEEP)

    • Peers at the transport level

(Diagram: NETCONF Manager and NETCONF Agent connected over SSH, SOAP, or BEEP.)




Current Research

  • Joint Research work with Tail-f which provides the Netconf manager and Netconf agent.

  • Developing a formal language (based on Yang) to specify the data requirements.

  • Software Modules

    • Parsers (requirements)

    • Data aggregator (device configuration data)

    • Validation

  • 2nd phase: automation of configuration.



Position-based Routing: Background

  • The cost of collecting and maintaining routing information in MANET is high.

  • On demand routing solves the problem partially, but still costly when mobility is involved.

  • Location Based Routing (using geographical information) became feasible with the spread of location-aware devices

MANET: Mobile Ad Hoc Network



Location-Based Routing

  • Greedy Forwarding: move the packet to the node closer to destination.

    • Pros:

      • No topology information is required

      • No routing loops

        → used by many location-based routing protocols

    • Cons:

      • Cannot recover dead ends (when the node holding the packet is closer to the destination than its neighbors)

      • Difficult to get the destination location



HMRP Approach

  • Integration of both location-based routing and on-demand routing

  • Two forwarding modes

    • Default is Greedy Forwarding

      • Location information is required for the first hop only

      • Obtained by exchanging a periodic hello message

    • On-Demand shortest path

      • Used to recover from greedy dead-ends

      • Controlled broadcast mechanism to obtain route and geographical information in one request/reply pair

      • Shortest path will be cached and serve as a backup route
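As an added example, not code from the slides or from the HMRP implementation they evaluate, the following Python shows the two forwarding modes of the Location-Based Routing and HMRP Approach slides on a constructed five-node topology: greedy forwarding toward the destination's coordinates, detection of the dead end that greedy forwarding alone cannot recover from (the current node is closer to the destination than any neighbour), and the on-demand fallback, modelled here as a breadth-first shortest path over the hello-message neighbour graph, whose result is cached as a backup route. Node positions, the radio range and the use of BFS as the on-demand mechanism are assumptions.

```python
from collections import deque
from math import dist

# Constructed topology (not from the slides): node -> (x, y) position.
# S can reach A; A's only other neighbour is B, which is farther from D than A is.
NODES = {"S": (0, 0), "A": (2, 0), "B": (2, 2), "C": (4, 2), "D": (5, 0)}
RADIO_RANGE = 2.5    # assumed: nodes within this distance hear each other's hello


def neighbors(nodes, u, radio_range=RADIO_RANGE):
    """One-hop neighbours, as learned from periodic hello messages."""
    return [v for v in nodes if v != u and dist(nodes[u], nodes[v]) <= radio_range]


def greedy_forward(nodes, src, dst, radio_range=RADIO_RANGE):
    """Greedy forwarding: hand the packet to the neighbour closest to dst.
    Returns (path, reached); reached=False means the packet hit a dead end.
    Each hop is strictly closer to dst, so the path cannot loop."""
    path, cur = [src], src
    while cur != dst:
        best = min(neighbors(nodes, cur, radio_range),
                   key=lambda v: dist(nodes[v], nodes[dst]), default=None)
        if best is None or dist(nodes[best], nodes[dst]) >= dist(nodes[cur], nodes[dst]):
            return path, False      # dead end: no neighbour is closer than we are
        path.append(best)
        cur = best
    return path, True


def shortest_path(nodes, src, dst, radio_range=RADIO_RANGE):
    """On-demand route discovery, modelled as BFS over the neighbour graph
    (fewest hops). Returns the node list or None if dst is unreachable."""
    prev, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break
        for v in neighbors(nodes, u, radio_range):
            if v not in prev:
                prev[v] = u
                queue.append(v)
    if dst not in prev:
        return None
    path, cur = [], dst
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]


def hmrp_route(nodes, src, dst, cache, radio_range=RADIO_RANGE):
    """Hybrid forwarding: greedy by default; on a dead end, fall back to the
    on-demand shortest path from the dead-end node, caching it as a backup."""
    path, reached = greedy_forward(nodes, src, dst, radio_range)
    if reached:
        return path
    dead_end = path[-1]
    if (dead_end, dst) not in cache:
        recovery = shortest_path(nodes, dead_end, dst, radio_range)
        if recovery is None:
            return None
        cache[(dead_end, dst)] = recovery
    return path[:-1] + cache[(dead_end, dst)]


if __name__ == "__main__":
    print("greedy only:", greedy_forward(NODES, "S", "D"))
    route_cache = {}
    print("HMRP:", hmrp_route(NODES, "S", "D", route_cache))
    print("cached backup routes:", route_cache)
```

On this topology greedy forwarding stops at A (its neighbours S and B are both farther from D than A is), which is the dead end the slide describes; HMRP recovers with the discovered path A-B-C-D and keeps it in the cache, so a second packet from S to D reuses the backup route without another request/reply exchange.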


HMRP Approach (cont’d)

  • HMRP optionally utilizes a Minimum Connected Dominating Set (MCDS)

    • Limit location and route requests to the MCDS

    • HMRP can automatically detect and adapt to an MCDS if one exists

    • HMRP adopts the concept of clustering in a loose manner, where a child node can accept replies from any neighboring dominating node if it provides better route information

    • When a child node needs to send information requests, it forwards the request to its dominator, which invokes the broadcast mechanism

    • → Improved scalability and less overhead


Performance Evaluation

(Charts: packet loss and end-to-end latency. Performance results are from the ns-2 simulator.)


Performance Evaluation

(Charts: path length and overhead.)


HMRP Summary

  • A new approach that combines on demand and location based routing:

    • HMRP has the benefits of both approaches

    • Performance improvement over both Location-Based and On-Demand

    • Provides a new metric (routing capability) which is exchanged in the hello message and used to improve routing decisions. It is calculated from several factors, such as available node power and number of packets forwarded.
