UNIVERSITY OF OULU, P.O. Box 8000, FI-90014 University of Oulu, Finland
ACTA UNIVERSITATIS OULUENSIS
SERIES EDITORS
SCIENTIAE RERUM NATURALIUM: Professor Esa Hohtola
HUMANIORA: University Lecturer Santeri Palviainen
TECHNICA: Postdoctoral research fellow Sanna Taskila
MEDICA: Professor Olli Vuolteenaho
SCIENTIAE RERUM SOCIALIUM: University Lecturer Veli-Matti Ulvinen
SCRIPTA ACADEMICA: Director Sinikka Eskelinen
OECONOMICA: Professor Jari Juga
EDITOR IN CHIEF: Professor Olli Vuolteenaho
PUBLICATIONS EDITOR: Publications Editor Kirsti Nurkkala
ISBN 978-952-62-0636-3 (Paperback)
ISBN 978-952-62-0637-0 (PDF)
ISSN 0355-3213 (Print)
ISSN 1796-2226 (Online)
ACTA UNIVERSITATIS OULUENSIS, C TECHNICA 508
OULU 2014
Suneth Namal
ENHANCED COMMUNICATION SECURITY AND MOBILITY MANAGEMENT IN SMALL-CELL NETWORKS
UNIVERSITY OF OULU GRADUATE SCHOOL;
UNIVERSITY OF OULU, FACULTY OF INFORMATION TECHNOLOGY AND ELECTRICAL ENGINEERING, DEPARTMENT OF COMMUNICATIONS ENGINEERING;
CENTRE FOR WIRELESS COMMUNICATIONS
ACTA UNIVERSITATIS OULUENSIS C Technica 508
SUNETH NAMAL
ENHANCED COMMUNICATION SECURITY AND MOBILITY MANAGEMENT IN SMALL-CELL NETWORKS
Academic dissertation to be presented with the assent of the Doctoral Training Committee of Technology and Natural Sciences of the University of Oulu for public defence in the Kuusamonsali (YB210), Linnanmaa, on 19 December 2014, at 12 noon
UNIVERSITY OF OULU, OULU 2014
Copyright © 2014
Acta Univ. Oul. C 508, 2014
Supervised by Professor Mika Ylianttila and Professor Andrei Gurtov
Reviewed by Professor Thomas Bauschert and Professor Karl Andersson
Opponent: Professor Raimo A. Kantola
ISBN 978-952-62-0636-3 (Paperback)
ISBN 978-952-62-0637-0 (PDF)
ISSN 0355-3213 (Printed)
ISSN 1796-2226 (Online)
Cover Design: Raimo Ahonen
JUVENES PRINT, TAMPERE 2014
Namal, Suneth, Enhanced communication security and mobility management in small-cell networks.
University of Oulu Graduate School; University of Oulu, Faculty of Information Technology and Electrical Engineering, Department of Communications Engineering; Centre for Wireless Communications
Acta Univ. Oul. C 508, 2014
University of Oulu, P.O. Box 8000, FI-90014 University of Oulu, Finland
Abstract
Software-defined networking (SDN) addresses the challenges of increased complexity and unified communication, for which conventional networks are not well suited because of their static architecture.

This dissertation discusses methods for enhancing communication security and mobility management in small-cell networks with an IEEE 802.11 backhaul. Although 802.11 has become a mission-critical component of enterprise networks, in many cases it is not managed with the same rigour as wired networks; 802.11 networks therefore need the same unified management as their wired counterparts.

This dissertation also addresses several new issues in mobility management over an 802.11 backhaul. Owing to the lack of built-in quality-of-service support, IEEE 802.11 faces serious challenges in meeting the demands of modern services and applications, and its association procedure takes significantly longer than real-time applications can tolerate. To optimise host mobility in IEEE 802.11, an extension to the initial authentication is provided that uses Host Identity Protocol (HIP) based identity attributes and Elliptic Curve Cryptography (ECC) based session key generation.

Finally, this dissertation puts forward the concept of SDN-based cell mobility and its counterpart, network function virtualisation. This is validated by a unified SDN and cognitive radio architecture for harmonised end-to-end resource allocation and management, presented at the end.
Keywords: authentication, fast initial authentication, Host Identity Protocol, mobile femtocells, OMNeT++, OpenFlow, software-defined networking
Namal, Suneth, Enhancing communication security and mobility management in small-cell networks.
University of Oulu Graduate School; University of Oulu, Faculty of Information Technology and Electrical Engineering, Department of Communications Engineering; Centre for Wireless Communications
Acta Univ. Oul. C 508, 2014
University of Oulu, P.O. Box 8000, FI-90014 University of Oulu, Finland
Tiivistelmä (abstract in Finnish, translated)
Software-defined networks (SDN) focus on solving the challenges arising from increased network complexity and unified communication, to which conventional networks are not suited because of their static structure.

The dissertation deals with methods by which communication security and mobility management can be improved in IEEE 802.11 wireless small-cell networks. Although 802.11 has become a key component of enterprise networks, in many cases it is not managed as rigorously as the wired network. 802.11 networks therefore need the same kind of unified management that wired networks have.

The dissertation also focuses on many new problems related to mobility management in 802.11 networks. Owing to the lack of built-in quality-of-service (QoS) support, IEEE 802.11 networks find it challenging to meet the requirements of modern services and applications. 802.11 networks take considerably longer to join than real-time applications allow. The work presents an extension to the initial authentication of the IEEE 802.11 standard to optimise host mobility, utilising Host Identity Protocol (HIP) based identity attributes and session key generation based on elliptic curve cryptography (ECC).

Finally, the work presents a concept of cell mobility based on software-defined networks, together with the closely related virtualisation of the network. This is validated by presenting a unified architecture based on SDN and cognitive radio for harmonised end-to-end resource allocation and management, which is presented at the end.
Keywords: Host Identity Protocol, mobile femtocells, fast initial authentication, software-defined networking, OMNeT++, OpenFlow, authentication
Preface
During the journey towards the moment when I could proudly present this dissertation to a wide audience, I have met and received support from many wonderful people. I would like to thank all those who knowingly or unknowingly contributed to the completion of this dissertation. This doctoral dissertation is the result of the time I have spent undertaking research at the Centre for Wireless Communications (CWC) at the University of Oulu, Finland.

More than a degree, this work represents to me the level of maturity I have achieved from my, at many times unorthodox, readings and learning experiences. These years of research have led to constant, systematic changes in my life, during which I learned to appreciate the dialectics and contradictions of our world. Through these lenses, I have started to see problems in depth, understanding that whatever phenomena we observe might, and usually do, reflect over-deterministic relationships that are dynamic over time and space.

At the end of the day, this thesis puts together my subjective beliefs about secure mobile communication. I expect that the technical contributions contained herein will open new paths of research, while my philosophical digressions will motivate readers to go further and further in their own analysis.
Suneth Namal
Oulu, December 1st, 2014
Acknowledgements
The research work presented in this thesis was carried out in the Networking group (NET), Centre for Wireless Communications (CWC), Department of Communications Engineering, University of Oulu, Finland. The work was carried out within the scope of the MEVICO and SIGMONA projects, which are funded by the Finnish Funding Agency for Technology and Innovation (TEKES) and industrial partners including Nokia, Alcatel-Lucent, Ericsson, Tellabs, F-Secure and EXFO NetHawk. In addition, this doctoral thesis has been financially supported by the Nokia Foundation and Tekniikan edistämissäätiö (TES). The importance of these grants and funding is gratefully acknowledged.

Foremost, I would like to express my great appreciation to my primary supervisor, Professor Mika Ylianttila, and co-supervisor, Professor Andrei Gurtov, for supervising me through to the completion of this thesis. Their contributions in supervising and directing the research work carried out here were decisive. Their talks and discussions were highly inspiring, and I found them very beneficial to my research work. Without their direction and guidance, the work would not have been possible. I am also very grateful to Professor Matti Latva-aho, who recruited me as a researcher at CWC. I would also like to thank my project team members for supporting and contributing to my research work as co-authors.

Apart from my team members, I would like to thank Dr. Mehdi Bennis, Dr. Kaveh Ghaboosi, Prof. Allen B. MacKenzie, Robert Moskowitz, Jani Pellikka, Marek Skowron, Dr. Carlos Lima and Konstantinos Georgantas for their advice and contributions to my research work. Besides these people, I wish to express my gratitude to Dr. Marian Codreanu and Dr. Chathuranga for first interviewing me to come to Oulu. I owe thanks to Professor Nandana Rajatheva, who supervised my Master's thesis and motivated me towards PhD studies. I am also thankful to Arto and Markus for the Finnish abstract.

In addition, I would like to thank all the friends and colleagues I have met during my years at CWC, specifically Keeth, Manosha, Dr. Pedro, Satya, Sumudu, Ijaz, Hamidreza, Helal, Ganesh and Hirley, amongst others. They created a friendly, joyful working atmosphere, which I enjoyed a lot during these years. I very much appreciate the administrative support at CWC, including Elina Komminaho, Hanna Saarela, Kirsi Ojutkangas, Eija Pajunen, Antero Kanges, Jari Silanpää and many others.

I could not possibly forget the nice moments I shared throughout these years with the small Sri Lankan community in Oulu: Prof. Rajatheva and his family, Keeth, Bhagya, Sahas, Praneeth, Manosha, Dilani, Vinudi, Sumudu, Inosha, Sandun, Chamari, Senehas, Somnas, Tharanga, Dimuthu, Dilru, Buddhika, Pawani, Upul, Uditha, Madusanka, and Nuwan.

I want to express my unreserved gratitude to my loving father and mother for their love and support throughout my life. I dedicate this thesis to my loving son Sadev and my wife Himali. Thank you, Himali; without your love, concern, understanding, motivation and support none of this would have been possible.

My final thanks go to my pre-examiners and opponent for their valuable comments regarding this thesis work.
List of original articles
This thesis consists of an overview and the following publications, which are referred to in the text by their Roman numerals (I-V).

I Namal S., Pellikka J., & Gurtov A. (2012) Secure and Multihomed Vehicular Femtocells. In: Proceedings of the 75th IEEE Vehicular Technology Conference (VTC Spring), Yokohama, Japan, pp. 1–5, IEEE. DOI: 10.1109/VETECS.2012.6240063, ISSN: 1550-2252.

II Namal S., Liyanage M., & Gurtov A. (2013) Realization of Mobile Femtocells: Operational and Protocol Requirements. Wireless Personal Communications, Volume 71, Number 1, pp. 339–364, Springer US. DOI: 10.1007/s11277-012-0818-9, ISSN: 0929-6212.

III Namal S., Georgantas K., & Gurtov A. (2013) Lightweight Authentication and Key Management on 802.11 with Elliptic Curve Cryptography. In: Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC), Shanghai, China, pp. 1830–1835, IEEE. DOI: 10.1109/WCNC.2013.6554842, ISSN: 1525-3511.

IV Namal S., Ahmad I., Gurtov A., & Ylianttila M. (2013) Enabling Secure Mobility with OpenFlow. In: Proceedings of IEEE Software Defined Networking for Future Networks and Services (SDN4FNS), Trento, Italy, pp. 1–5, IEEE. DOI: 10.1109/SDN4FNS.2013.6702540.

V Namal S., Ahmad I., Jokinen M., Gurtov A., & Ylianttila M. (2014) SDN Core for Mobility Between Cognitive Radio and 802.11 Networks. In: Proceedings of the 8th International Conference on Next Generation Mobile Apps, Services and Technologies (NGMAST'14), in press, 2014.

Publication I deals with the problems related to vehicular femtocell backhaul architectures. This work is further extended in Publication II, where we study the operational and protocol requirements for the realisation of mobile femtocells. Publication III studies a solution for fast initial authentication in IEEE 802.11 systems. Finally, in Publications IV and V, we study secure and seamless mobility in OpenFlow-enabled software-defined networks.

Furthermore, the author of this thesis has participated extensively in the publication of book chapters and conference papers on this topic and in various other research areas, including admission control, load balancing, ubiquitous networking, content delivery and multimedia services. These studies supplement the research work presented in this thesis from their own perspectives.
Contents
Abstract
Tiivistelmä
Preface 7
Acknowledgements 9
1 Introduction 15
1.1 Research problems and scope 17
1.2 Background of the research history 19
1.3 Contributions of the thesis 20
1.4 Methodology 22
1.5 Organisation of the thesis 23
2 Literature Overview 25
2.1 Roadmap to small-cells 25
2.1.1 Roadmap to modern femtocells 26
2.1.2 Significant results & standardisation of femtocells 28
2.2 Milestones in the history of communication security 30
2.3 Towards software-defined networks 34
2.4 Host identity protocol 38
2.5 Mobile IP (MIP) 43
3 Summary of research contributions 45
3.1 Vehicular femtocells in EPC architecture 45
3.1.1 Wireless backhaul 47
3.1.2 Protocol and operational requirements 50
3.1.3 Evaluation of vehicular femtocell architecture 56
3.2 Fast initial authentication in WLAN cells 58
3.2.1 Problem statement 58
3.2.2 Design goals and challenges 59
3.2.3 Solution overview 61
3.2.4 Implementation guidelines 64
3.2.5 Prototyping and evaluation approach 65
3.3 OpenFlow based secure mobile backhaul 67
3.3.1 Problem statement 68
3.3.2 Scenario description 70
3.3.3 Solution overview 72
3.3.4 Security consideration 73
3.3.5 Evaluation of results 75
3.4 SDN core for secure mobility 76
3.4.1 SDN for Wi-Fi networks 78
3.4.2 Cloudification and wireless device virtualisation 78
3.4.3 Motivation 79
3.4.4 Implementation and experimental approach 80
3.4.5 SDN and software-defined radio 82
3.4.6 Implementation and evaluation 83
4 Conclusion and future work 87
4.1 Conclusion 87
4.2 Discussion and future work 90
References 93
Original articles 105
1 Introduction
“I never think of the future. It comes soon enough.”
- Albert Einstein
According to predictions, mobile will overtake fixed Internet access by 2014. To support this demand, the topology and architecture of cellular networks must undergo a major paradigm shift: from voice-centric, circuit-switched networks centrally optimised for coverage towards data-centric, packet-switched networks organically deployed for capacity [1]. While mobile operators struggle to support the growth in mobile data traffic, many turn to mobile data offloading with small cells [2]. Modern small-cell networks, however, are far beyond the initial small-cell deployments, which can be traced back to the late 1980s.
In this thesis, we investigate how to improve the quality of experience of mobile users in vehicular communication. Furthermore, we discuss future trends in networking, architectural changes and the adaptation of the mobile Internet to next-generation services. Small-cell techniques are recognised as the best way to deliver high-capacity mobile broadband cellular communication. Security is one of the critical challenges associated with mobile and Internet applications today. In this thesis, I share my own view on techniques to enable secure communication and mobility in small-cell networks, with an illustration of the unquestionable performance improvement for the corresponding applications.
Initially, the term "small cells" described cell size: a macrocell split into a number of smaller cells with reduced transmit power, known as metropolitan macrocells or microcells, with a radius of perhaps several hundred metres. These cells were essentially small versions of macrocells, which required a considerable amount of planning, configuration and interference management. In 1993, an industry project led by Southwest Bell and Panasonic revealed a solution close to today's femtocells that introduced frequency reuse [3]. Implementing smaller cell configurations raises new challenges for a mobile operator's backhaul planning and operational teams. Meanwhile, mobile service providers are evolving their infrastructures to accommodate new bandwidth-hungry services and to support ever-increasing traffic demands, investing heavily in new base stations, higher-bandwidth connections and new backhaul solutions. Although fixed-line backhaul provides optimal capacity, operators are generally limited by the lack of copper and optical fibre availability, as well as by the need to deploy base stations on telephone poles, lampposts and other structures that limit wireline access. Generally, in these deployments the backhaul is at least partially wireless. In this thesis, I have devoted my effort to vehicular femtocells that use cost-effective 802.11 as the backhaul for mobile traffic.
The IP platform and architecture of future networks, compared with those of 3G networks, make the backhaul network and mobile core more exposed to attack. A wireless backhaul security solution will enable the flexible deployment of IPsec encryption and firewalling at a scale that secures mobile data traffic from cell sites to the network core. Backhaul traffic in LTE networks can be vulnerable to interception: LTE terminates air-interface ciphering at the eNodeB, so the backhaul carries cleartext unless the operator deploys IPsec, which 3GPP leaves optional, whereas 2G/3G packet-data ciphering extends over the backhaul to the core (SGSN/RNC). LTE-based vehicular femtocells face the same set of IP-based vulnerabilities, although these may appear in different forms depending on the technologies used. However, my interest has been mostly concentrated on 802.11 and the corresponding services.
For securing the backhaul, we identify two options: 1) an IPsec VPN located on (or behind) a dedicated firewall that separates the wireless network from the intranet; and 2) a combination of 802.1X authentication against a back-end authentication server (typically RADIUS) with dynamically derived encryption keys. Unlike stationary cells, mobilised cells are prone to frequent disconnections and reconnections and thus do not cater well for the time constraints imposed by real-time applications. The first part of this thesis constructs a solution to this problem using multihoming and identity/locator separation.
In 802.11 handover, the largest portion of the delay is associated with reconnection, mostly authentication and re-authentication. This has motivated us to investigate and construct a solution to improve the connection and reconnection procedures, which we see as a prerequisite for the current and future mobile Internet.
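To see where the reconnection time actually goes, a practitioner attributes the delay to the individual 802.11 phases (scan, open-system authentication, association, EAP authentication, 4-way handshake) from a timestamped supplicant log. The following is an added example, not code from the dissertation: the log format is an assumption loosely modelled on timestamped wpa_supplicant output, and the sample lines and their timestamps are constructed for illustration.

```python
"""Attribute 802.11 (re)connection delay to its phases from a timestamped,
supplicant-style event log.

Added example, not code from the dissertation. The line format is an assumption
(loosely modelled on timestamped wpa_supplicant output); the sample log and its
timestamps are constructed.
"""
import re

# Constructed sample: one connection of station wlan0 to a WPA2-Enterprise AP.
# Timestamps are seconds since the epoch with microsecond resolution.
SAMPLE_LOG = """\
1417000000.000000: wlan0: CTRL-EVENT-SCAN-STARTED
1417000000.312000: wlan0: CTRL-EVENT-SCAN-RESULTS
1417000000.320000: wlan0: SME: Trying to authenticate with 00:11:22:33:44:55
1417000000.331000: wlan0: SME: Authentication response received
1417000000.332000: wlan0: Trying to associate with 00:11:22:33:44:55
1417000000.345000: wlan0: Associated with 00:11:22:33:44:55
1417000000.346000: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
1417000001.102000: wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
1417000001.118000: wlan0: WPA: Key negotiation completed with 00:11:22:33:44:55
1417000001.119000: wlan0: CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed
"""

# (phase name, start marker, end marker); markers are matched as substrings.
PHASES = [
    ("scan",             "CTRL-EVENT-SCAN-STARTED",     "CTRL-EVENT-SCAN-RESULTS"),
    ("open_system_auth", "SME: Trying to authenticate", "SME: Authentication response"),
    ("association",      "Trying to associate",         "Associated with"),
    ("eap_auth",         "CTRL-EVENT-EAP-STARTED",      "CTRL-EVENT-EAP-SUCCESS"),
    ("four_way_hs",      "CTRL-EVENT-EAP-SUCCESS",      "Key negotiation completed"),
]

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+): (?P<iface>\S+): (?P<msg>.*)$")


def parse_events(log_text):
    """Return (timestamp, message) tuples, skipping lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((float(m.group("ts")), m.group("msg")))
    return events


def first_time(events, marker, not_before=0.0):
    """Timestamp of the first event containing marker at or after not_before."""
    for ts, msg in events:
        if ts >= not_before and marker in msg:
            return ts
    raise ValueError(f"marker not found: {marker!r}")


def phase_durations(log_text):
    """Map each phase name to its duration in milliseconds."""
    events = parse_events(log_text)
    durations = {}
    for name, start_marker, end_marker in PHASES:
        start = first_time(events, start_marker)
        end = first_time(events, end_marker, not_before=start)
        durations[name] = round((end - start) * 1000.0, 3)
    return durations


def dominant_phase(durations):
    """Name of the phase that accounts for the largest share of the delay."""
    return max(durations, key=durations.get)


def total_connect_ms(log_text):
    """Time from scan start to CTRL-EVENT-CONNECTED in milliseconds."""
    events = parse_events(log_text)
    start = first_time(events, "CTRL-EVENT-SCAN-STARTED")
    end = first_time(events, "CTRL-EVENT-CONNECTED", not_before=start)
    return round((end - start) * 1000.0, 3)


if __name__ == "__main__":
    d = phase_durations(SAMPLE_LOG)
    for name, ms in d.items():
        print(f"{name:18s} {ms:9.3f} ms")
    print(f"{'total':18s} {total_connect_ms(SAMPLE_LOG):9.3f} ms")
    print("dominant phase:", dominant_phase(d))
```

On the constructed sample the EAP exchange dominates, which is the pattern the paragraph describes; on a real capture the same breakdown tells you whether a roam is slow because of scanning, because of a full 802.1X round trip to the back-end server, or because of the key handshake. A roam that uses PMK caching or 802.11r fast BSS transition skips the eap_auth phase entirely, which is exactly the cost that fast initial authentication targets.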
In a later part of this thesis, the focus turns to the architectural requirements of next-generation networks with the control and forwarding plane separation introduced by SDN. OpenFlow, as an SDN enabler, has already laid down a flexible framework for mobility management and for implementing network security solutions. Mobile services are being heavily researched, although verification remains difficult. Besides that, handover between different wireless technologies has become complicated by the limitations each technology imposes. Indeed, the backhaul networks may differ, as the networks are built around different technologies. By "flattening" these networks, we show that handover between heterogeneous wireless networks can be achieved in a simple way. In particular, we have tested several OpenFlow-based vendor products in the university ELAB. Our test bed integrates both WLAN and cognitive radio networks into an SDN core and demonstrates the flexibility of integrating different network segments through its flow management utility.
The later part of the research presented in this dissertation combines different aspects of mobility and security management in current and future mobile networks. Clearly, the time constraints imposed by real-time applications on the mobile Internet and its associated services and applications have been our primary interest.
1.1 Research problems and scope
Smartphones and tablets have transformed the way end-users interact with applications and content in their personal lives, and users now demand a similar experience on the move. In this thesis, we try to enhance the quality of experience of mobile users by addressing the applications and utilising both the network architecture and IP-based protocols. We design architectures and propose techniques for deploying network functions that improve the performance of the corresponding applications. This manuscript consists of five publications, which cover multiple problems of small-cell wireless networks.
In order to enable seamless connectivity, operators may use multiple communication paths between connecting hosts. In Publication I, we propose and validate an extension to the current femtocell backhauling architecture. The solution is based on IEEE 802.11 technology, assuming the femto access points are Wi-Fi enabled. We have realised the potential of HIP for multipath scheduling, seamless overlay connectivity and the protection of IP traffic with IPsec encryption. This helps to improve both data throughput and communication security.
In Publication II, we propose different architectural options for vehicular communication. This article describes the protocol and operational requirements for femtocell mobility. Since small-cell mobility is always hindered by the cost and performance of the wireless backhaul, we expect that the architectural options proposed here will offer a cost-effective solution with enhanced user experience.
However, by its very nature, 802.11 has performance and delay constraints. Handover is one of the critical shortfalls of the existing IEEE 802.11 architecture, and it has held back the commercial deployment of 802.11 solutions for real-time applications. We argue that fast initial authentication is an obligation when a large number of users enter a cell at once; the authentication load must therefore be reduced in terms of both processing and message length. This was the motivation behind the 802.11-based fast initial authentication scheme which we proposed and prototyped in Publication III. In the prototype, the reduced key length and computational efficiency of ECC were the reasons for extending HIP-DEX for initial authentication. We also suggest this solution to the Wi-Fi Alliance for future consideration, to improve initial authentication procedures and to add flexibility to the tightly coupled 802.11 state machine.
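The design goal described above, and in the abstract, is a station and an access point that authenticate each other and agree on a session key in a single round trip, using ECC and a host identity derived from a public key. The following is an added example of such a two-message exchange, with both sides' messages; it is not the protocol of Publication III or HIP-DEX itself. Assumptions: the host identity tag (HIT) is a truncated SHA-256 of the static public key rather than a HIP ORCHID, session keys come from static ECDH on NIST P-256 (the HIP-DEX approach), and the KDF is HKDF-style HMAC-SHA256. The code is pure Python with no third-party modules, is not constant-time, and is not meant for production.

```python
"""Two-message, ECC-based initial authentication with HIP-style host identities.

Added example, not the protocol of Publication III or HIP-DEX itself. Assumptions:
the host identity tag (HIT) is a truncated SHA-256 of the static public key rather
than a HIP ORCHID, keys come from static ECDH on NIST P-256 as in HIP-DEX, and the
KDF is HKDF-style HMAC-SHA256. Pure Python, not constant-time, not for production.
"""
import hashlib
import hmac
import secrets

# NIST P-256: y^2 = x^3 + A*x + B over GF(P); base point G has prime order N.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = -3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point):
    """Double-and-add computation of k*point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result

def on_curve(point):
    x, y = point
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - A * x - B) % P == 0

def encode_point(point):
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")

def decode_point(data):
    """Parse a 64-byte uncompressed point; the on-curve check blocks invalid-curve attacks."""
    if len(data) != 64:
        raise ValueError("bad point length")
    point = (int.from_bytes(data[:32], "big"), int.from_bytes(data[32:], "big"))
    if not on_curve(point):
        raise ValueError("point not on curve")
    return point

def hit(pub):
    """Host identity tag: 128-bit truncation of SHA-256 over the public key."""
    return hashlib.sha256(encode_point(pub)).digest()[:16]

def derive_keys(shared_x, nonce_i, nonce_r):
    """Extract with both nonces as salt, then expand a MAC key and a session key."""
    prk = hmac.new(nonce_i + nonce_r, shared_x.to_bytes(32, "big"), hashlib.sha256).digest()
    k_mac = hmac.new(prk, b"auth\x01", hashlib.sha256).digest()
    k_sess = hmac.new(prk, k_mac + b"session\x02", hashlib.sha256).digest()
    return k_mac, k_sess

def _mac(k_mac, i1, r1):
    transcript = i1["hit"] + i1["pk"] + i1["nonce"] + r1["hit"] + r1["pk"] + r1["nonce"]
    return hmac.new(k_mac, transcript, hashlib.sha256).digest()

def initiator_i1(d_i):
    """Message 1 (station -> AP): identity tag, static public key, fresh nonce."""
    pub_i = scalar_mult(d_i, G)
    return {"hit": hit(pub_i), "pk": encode_point(pub_i), "nonce": secrets.token_bytes(16)}

def responder_r1(d_r, i1):
    """Message 2 (AP -> station): AP identity, nonce and a transcript MAC. Returns (r1, session key)."""
    pub_i = decode_point(i1["pk"])
    if hit(pub_i) != i1["hit"]:
        raise ValueError("HIT does not match public key")
    pub_r = scalar_mult(d_r, G)
    r1 = {"hit": hit(pub_r), "pk": encode_point(pub_r), "nonce": secrets.token_bytes(16)}
    k_mac, k_sess = derive_keys(scalar_mult(d_r, pub_i)[0], i1["nonce"], r1["nonce"])
    r1["mac"] = _mac(k_mac, i1, r1)
    return r1, k_sess

def initiator_finish(d_i, i1, r1):
    """Station validates R1 and derives the same session key; raises on any failure."""
    pub_r = decode_point(r1["pk"])
    if hit(pub_r) != r1["hit"]:
        raise ValueError("HIT does not match public key")
    k_mac, k_sess = derive_keys(scalar_mult(d_i, pub_r)[0], i1["nonce"], r1["nonce"])
    if not hmac.compare_digest(_mac(k_mac, i1, r1), r1["mac"]):
        raise ValueError("R1 MAC check failed")
    return k_sess
```

Usage: each side holds a long-lived private scalar (for instance `d_sta = secrets.randbelow(N - 1) + 1`), the station sends `initiator_i1(d_sta)`, the AP answers with `responder_r1(d_ap, i1)`, and `initiator_finish(d_sta, i1, r1)` returns the same 32-byte key the AP holds. Two points matter for a deployment of this shape: the receiver must reject any public key that is not on the curve before using it in ECDH, because static identity keys are exactly what invalid-curve attacks extract, and the MAC must cover the whole transcript including both nonces, otherwise an attacker who has recorded one R1 can replay it against a later I1.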
As the wireless edge becomes more predominant, wireless operators are forced to deliver business-class Wi-Fi as a service to mobile users. As they scale, managed WLANs fail to provide the agility required to meet the rapidly changing demands of mobile users and applications. A software-defined mobility approach enables wireless operators to connect mobile users to the network on demand and to embed application containers for dynamic execution environments. Mobility is not natively supported by the current version of OpenFlow (v1.3), and cell mobility is an even more constrained research topic in this scope: a mobile cell, such as a mobile Wi-Fi access point (AP) or a mobile femtocell, becomes an unmanaged device while it lacks connectivity to the SDN controller, because OpenFlow forwarding elements cannot install new flow actions without the controller's assistance. As a result, the SDN architecture requires connectivity to the controller wherever an OpenFlow-enabled cell roams. Publication IV proposes a solution for cell mobility by modifying OpenFlow-based connection establishment.
Real networks contain multiple different types of physical transmission channel, such as Ethernet, WLAN, cognitive radio and WiMAX. Inter-system communication is a challenge in modern networks because of the distinct network architectures each of these supports, which is why heterogeneity has remained an unsolved problem so far. LTE, 4G and 5G networks have reduced the complexity of network heterogeneity, while SDN has defined a unified architecture with the isolation of the control and forwarding planes. The SDN core presented in Publication V is the realisation of such an integrated network system. In this paper, we further investigate the readiness of networking options for enterprise exploration under security constraints.
1.2 Background of the research history
I started my research work on small cells, with a major focus on femto and WLAN cells, in late 2010. My initial research was on admission control in femtocell networks, as part of my contributions to the ICT BeFEMTO project. This research was further fine-tuned after discussions with my supervisor, Professor Gurtov. After studying his book "Host Identity Protocol (HIP): Towards the Secure Mobile Internet", I understood the potential of HIP as a backhaul solution. We presented the initial design of a mobile femtocell architecture at the IEEE Future Network & Mobile Summit (FutureNetw) in 2011. This research work was carried out within the scope of the MEVICO project. It was also presented to the HIP Research Group (HIPRG) at IETF 81, Canada. With their comments, this solution was extended into an article with improved cost-effectiveness. The comments and opinions from HIPRG helped me to fine-tune the architectural solutions presented in Publications I and II. Furthermore, the research visits I paid to the University of Budapest and to the research team at the Mobile Innovation Center (MIK) helped me to gather validation options for this proposal.
In early 2012, Professor Gurtov proposed a few pieces of research work on fast initial authentication to me. This gave me the motivation to study 802.11 authentication, which was identified as having several open research questions. Initial authentication delay and security are the major problems in the current 802.11 architecture. In late 2012, I had a discussion with researcher Georgantas, who was doing an internship at the Helsinki Institute for Information Technology (HIIT) and had past research experience in this field. His comments and ideas were very beneficial to this research. I presented this work (Publication III) at the IEEE Wireless Communications and Networking Conference (WCNC), Shanghai, China, 2013.
In early 2013, I was involved in contributing to a research project proposal under the Celtic-Plus label, coordinated by Nokia, Finland. There, I proposed my research topics related to secure mobility with OpenFlow. Discussions with Professor Gurtov always helped me to screen ideas and to construct solutions. I also appreciate the comments and contributions of doctoral researcher Ahmad, who was in the same research group as me. The research visits I paid to Nokia and Aalto University helped me to polish this idea (Publication IV) and to present it at IEEE SDN4FNS.
In late 2013, I got to know Tallac Networks, an SDN solution provider in the USA. They were interested in my research work and we eventually ended up in a research collaboration. Online discussions with Paul Congdon, the CTO, and Matt Davy, the principal solution architect at Tallac Networks, helped me in developing the wireless SDN test bed at the University of Oulu. I implemented Tallac's software-defined mobility solution on the test bed. Motivated by the discussions with them and under the guidance of my supervisors, the test bed was extended to integrate an OpenFlow-enabled WLAN with a cognitive networking platform via an SDN core. This research was presented at NGMAST'14, Oxford, UK.
1.3 Contributions of the thesis
The publications attached to this thesis were originally proposed, validated and implemented during the last four years of my doctoral studies. Below, I highlight my contributions to each of the publications included.
Publication I: I came up with the proposed research idea. Then I performed the simulation using OMNeT++ and evaluated the scenario. My co-author Pellikka also contributed to this work by proof-reading and by contributing to the literature review included at the beginning of the paper. Professor Gurtov guided this work by proposing related subject materials to me and reviewing the draft. I showed that the proposed scheme achieves a 123% increase in throughput and a 40% reduction in the packet drop rate.
Publication II: This work is an extension of the previous work. Here I came up with the problem statement and the described scenarios. I simulated the scenarios with OMNeT++, performed the evaluation and completed the drafting of the publication. Technical advice was provided by my supervisor, Professor Gurtov, while co-author Liyanage helped me with the proof-reading of this article. This work introduced a new research dimension of "vehicular femtocells". I have described two mobile femtocell architectures that utilise 802.11 as the backhaul, and evaluated them with two candidate mobility protocols. The results demonstrate the benefits of using identity/locator separation on mobile femtocells.
Publication III: The first idea of using HIP for initial authentication was proposed by co-author Georgantas. However, his design was not feasible to implement. Therefore, I came up with a new solution that overcame the previous problem and prototyped it. Apart from that, I undertook the writing of the draft, as well as conducting and describing the experiments. My supervisor, Professor Gurtov, helped me by reviewing the draft and suggesting materials. The novel initial authentication architecture proposed here introduces a radically new way of authenticating hosts by using Elliptic Curve Cryptography (ECC) with only two message exchanges, and therefore reduces the authentication delay by 300% compared to the traditional Wi-Fi Protected Access II (WPA2), which is most commonly used in Wi-Fi networks today.
Publication IV: My supervisor Professor Gurtov first proposed the initial research idea for this publication to me. I came up with the solution architecture and implemented it. I also completed the performance evaluation and the writing of the paper. Co-author Ahmad helped me with the literature survey, giving his suggestions to improve the content, and proof-reading the draft. Professor Gurtov and Professor Ylianttila also helped me by reviewing the paper and suggesting modifications to improve the description of the results and the performance evaluation. This study proposes a replacement for the existing Secure Socket Layer (SSL) based secure connection establishment procedure defined between an OpenFlow controller and a switch, while reducing the latency by 177%.
Publication V: I came up with the initial research idea for this work, defined the problem statement, performed the measurements, and drafted the paper. This work was an outcome of a pilot project with “Tallac Networks”, who donated the OpenFlow-enabled wireless APs. My co-author Ahmad helped me in proof-reading the draft and setting up the test bed, while researcher Jokinen helped in setting up the LE-WARP platform. In regard to this work, I appreciate the comments from Professor Gurtov on the illustration of the results and the review help given by Professor Ylianttila. In this work, I evaluated the applicability of an SDN core for mobility between the WLAN and cognitive networks and demonstrated a peak throughput of 5.2 Mbps on the test platform.
1.4 Methodology
As with the problem statement, the scope and methodology of this thesis fall into three categories: simulation, prototyping and implementation. Firstly, the architectural challenges in introducing seamless and secure mobility into small-cell networks are described in Publications I and II. More specifically, the challenges in realising the mobile femtocell concept are highlighted. Since a femtocell network requires the rest of the cellular system to be running already, I decided to evaluate these scenarios using simulations. Initially, it was challenging to select the most suitable simulation platform, since many open-source platforms are available. After surveying them, I chose the OMNeT++ tool for the following reasons: 1) the flexible INET framework, which allows new modules to be implemented on top of it; 2) the added support for HIP and its extensions; 3) the flexibility to run, evaluate, and analyse application scenarios.
I then started to develop the new modules required for the simulation. A simulation model is always an approximation of a real-world system, expressing only a portion of the whole truth of the studied scenario. Performance figures obtained from simulation therefore have a more theoretical value. However, simulations can easily be extended to areas that are difficult to measure in a real test bed environment. It must be stated here that the WLAN mobile backhaul, the mobile femtocells, and the relay stations were all simulated in the OMNeT++ environment.
Secondly, a novel approach for fast initial authentication in 802.11 is proposed in Publication III. This work is followed by a prototype which needs further enhancement in order to be deployable on commercial networks. For example, I propose some optimisations to the IEEE 802.1X/WPA component used in client stations. This component implements key negotiation with a WPA authenticator and controls the roaming and the IEEE 802.11 authentication/association of the wireless driver. The work mostly concentrated on modifying the code of this component and integrating a new keying mechanism in place of the current one, which builds on Open System Authentication (OSA).
Thirdly, in Publication V, an implementation of the SDN platform for seamless mobility between 802.11 and cognitive networks is presented. In this case, the WARP platform with an OFDMA reference design is used for the cognitive implementation. Meanwhile, the 802.11 network was sliced into several virtual LANs in order to define unique Service Set Identifiers (SSIDs) with QoS profiles. This study involved working with OpenFlow modules, the Linux kernel, and 802.11 wireless configurations. The results obtained here are more reliable than the simulation results, because they reflect the impact of real-world limitations.
1.5 Organisation of the thesis
Chapter 2 presents a literature review. It also contains a detailed description of
the main concepts, definitions and functional models used throughout the thesis.
Chapter 3 discusses the background work and main findings of the publications
at a high level, as well as presenting some practical examples, while many of the
experimental results and technical details are not repeated. Finally, in Chapter 4,
we conclude this thesis and present future work and discussion.
2 Literature Overview
This chapter provides an overview of the research topic related to communication
security and mobility in small-cell networks. In order to clarify the description of
the subsequent sections, some related concepts are described in the next sections.
2.1 Roadmap to small-cells
Historically, the idea of small-cells has been around for nearly three decades. The first evidence of small-cells is found in [4]. Simultaneously, in the 1980s “cellular enhancers” or “boosters” were introduced to cover the voids in cellular networks, especially in important areas [5, 6]. However, their reuse of the licensed spectrum for backhaul limited the achievable throughput; hence, these repeaters were neither helpful for improving system capacity nor simple to deploy [1]. As a result, in the 1990s, a precursor to pico-cells began to emerge by limiting the cell size to between tens of metres and one hundred metres [1, 7].
These small-cells were essentially a re-sized version of macro base-stations, which required considerable planning, management and network interfaces. These “traditional” small-cells were used exclusively for capacity and coverage infill [1], i.e. where macro penetration was insufficient to provide a reliable connection or the macrocell was overloaded. As a result, coverage inside high-rise buildings or campus environments became an interesting topic.
In the 1990s, an industry project led by BellSouth and Panasonic developed a solution similar to an indoor femtocell by reusing the macrocell spectrum and a wired backhaul (T1 or PSTN). These parasitic indoor systems were assumed to operate at low power, i.e. where they caused negligible interference to the outdoor cellular systems [8]. Even though frequency reuse was first recognised as early as 1947, in an internal study at Bell Laboratories [9], this project was deemed to be the first implementation of a femtocell-like solution [8].
The outcome of this project was a technological improvement, although it was economically unsuccessful, since the cost of deploying and operating a large number of small-cells outweighed the advantage they provided [1]. Thus, operators began to rethink how to reduce the operational and cost aspects of femtocell devices [10]. In 2002, Motorola announced the first 3G home base station product, which appeared on the market in the second half of 2008 [10–12]1.
Simultaneously, Sprint came up with their femtocell solution under the name “Sprint Airave”, a limited roll-out of a home-based femtocell built by Samsung [13]. Concurrently, StarHub launched “Home Zone”, the world’s first nationwide commercially available 3G femtocell service [10]. The StarHub 3G femtocell was a portable cellular access device that connected a user’s 3G mobile phone directly to a router, so that users could make voice and video calls and send SMS over StarHub’s cable network from their mobile phones [10].
By the time this thesis was being written, many operators had launched femtocell services, including Vodafone, SFR, AT&T, Sprint Nextel, Verizon, Zain, Mobile TeleSystems, and Orange. These deployments are more sophisticated and offer a bulk of applications and services associated with the device.
2.1.1 Roadmap to modern femtocells
Modern femtocell architecture mandates the use of femtocell gateways and other network infrastructure to appropriately route and serve traffic [1, 14]. Home NodeB (HNB) and Home eNodeB (HeNB) were first introduced in 3rd Generation Partnership Project (3GPP) Release 8 [11, 15]. In early 2008, when the Femto Forum started discussions on femto architecture, there were fifteen different variations [15]. It was therefore important to agree on a common standardised architecture in time to enable the success of the product line.
The operational and cost aspects of femtocells have been the major concerns in the small-cell industry during the last decade. Femtocells were fundamentally different from the traditional small-cells in their need to be more autonomous and self-adaptive [1]. Their major development was the backhaul, which was IP-based and likely to support a lower rate and higher latency than the standard X2 interface connecting macro and pico-cells. This agreement led to the proposal of the “Iuh” interface to 3GPP, which then became a 3GPP standard [15, 16].
In the USA, Verizon and AT&T rolled out their wireless network extender and 3G micro-cell in 2009 and 2010, respectively. AT&T cooperated with Cisco for the development of their micro-cell, which was the first 3G femtocell in the USA supporting both voice and High Speed Packet Access (HSPA). Both Sprint and Verizon also upgraded their solutions to 3G Code Division Multiple Access (CDMA) femtocells during 2010 [14]. The major advances in 3G femtocell standardisation activities in 3GPP and 3GPP2 led to the next generation of femtocells, i.e. 4G, particularly LTE, which was the designated next step for 3GPP- and 3GPP2-based operators [15, 16].
1Motorola (2008). Motorola Announces Family of Femtocell Solutions. URI: http://www.ubiquisys.com/small-cells-media-press-releases-id-118.htm, Last visited in April 2014.
In 2011, Airvana announced a successful demonstration of the world’s first end-to-end Long-Term Evolution (LTE) femtocell solution in partnership with Hitachi Communications Technology Americas2. Simultaneously, the European Union (EU) started funding research on small-cells, for example, the ICT-4-248523 BeFEMTO project, which focused on the development and analysis of LTE and LTE-Advanced compliant femtocell architectures [17–19]. Efforts over three decades have made femtocell technology plug-and-play, i.e. femtocells automatically configure, self-optimise, and integrate themselves into current networks.
According to the forecast by “Telecom lead”, significant growth3 in the femtocell market is expected in the near future. The estimated growth of small-cells is shown in Fig. 1. This market growth will occur because there is no other way to build out cellular data infrastructure in an economical manner. At the time of writing, delivery of voice services over LTE networks had not yet been widely deployed. Operators continue to deliver voice via their 3G networks even as they move data to LTE. As a result, subscriber devices are a mix of 3G-only and 4G-plus-3G, with very few 4G-only devices. To support these subscribers comprehensively across all types of mobile services, operators must deploy a multi-mode radio access infrastructure, including multi-mode femtocells.
In this thesis, we clarify the essence of small-cell deployment, which in particular enhances network coverage and capacity. It is evident that the mobile Internet has increased the demand for complete coverage both indoors and outdoors. Therefore, operators have found small cells to be an interesting solution for improving coverage in a more cost-effective manner compared to expensive macro base stations.
2Airvana (2011). Airvana Demonstrates World’s First End-to-End LTE Femtocell Solution (2011 Press Releases). URI: http://www.airvana.com/news-events/press-releases/press-release-archive/, Last visited in April 2014.
3Baburajan K (2013). Tips to telecom operators on small cells and Wi-Fi offloading. URI: http://www.telecomlead.com/telecom-equipment/tips-to-telecom-operators-on-small-cells-and-wi-fi-offloading-13035/, Last visited in April 2014.
Fig 1. The number of small-cell base stations over the world from 2012-2018.
The research outcomes of this thesis demonstrate the benefits of small-cell deployment in terms of Quality of Service (QoS) enhancements.
2.1.2 Significant results & standardisation of femtocells
Early significant results related to femtocells were first presented by Claussen and co-authors at Bell Labs (UK) [20, 21], and were extended to self-optimisation strategies and multiple antennas shortly afterwards [22, 23]. On the academic side, there is a growing interest in multi-tier networks, i.e. networks comprising a conventional cellular network plus embedded femtocell hotspots and other network technologies. Spectrum allocation, interference management, self-organisation, and capacity analysis are a few of the major research areas related to multi-tier networks that have been investigated during the last decade [24–27].
In [24], the authors developed an uplink capacity analysis and interference avoidance strategy for a two-tier CDMA network, whereas in [25] an optimum decentralised spectrum allocation policy for two-tier networks that employ Frequency Division Multiple Access (including OFDMA) was proposed.
The authors of [26] derived a fundamental relation giving the largest feasible cellular Signal-to-Interference-plus-Noise Ratio (SINR) for any set of feasible femtocell SINRs. With frequency reuse, the femtocells’ maximum transmit power is the main lever for suppressing cross-tier interference at the macrocell base station [27].
The next level of fundamental research work related to femtocells was then extended to enhance handover mechanisms, admission control, security and privacy management [28–31]. Built on these contributions, the technologies have emerged over time, and the governing standards are discussed subsequently.
Femtocells are not only characterised as short-range base stations, but also as service enablers with the ability to interact seamlessly with traditional cellular networks and their services, such as seamless handover, self-organisation, power control, accounting, etc. Seamless interaction is a key part of femtocell standardisation, which has been shaped mostly by the Femto Forum4.
The Femto Forum is a non-profit organisation formed in 2007 to promote small-cell technology worldwide. By now, more than 70 network providers, software and hardware vendors, mobile operators, and content providers are members of the “Femto Forum”. It actively participates in two major activities: 1) standardisation, regulation, and interoperability; and 2) marketing and promotion of femtocell solutions across the industry and to journalists, analysts, regulators, special interest groups and standards bodies [1].
Two main Standard Development Organisations (SDOs) are shaping the standard for Universal Mobile Telecommunications System (UMTS) related (UTRAN) femto technology: 3GPP and the Broadband Forum (BBF) [15]. Most attention and interest is paid to 3G UMTS (the 3G successor of GSM); the first baseline femtocell standard was completed in 3GPP Release 8 and formally released at the end of March 2009. In the 3GPP committees, the focus is not just on 3.5G UMTS/HSPA standards, but work also continues in parallel on 4G LTE femtocells. Building on this success, work is already being done to further incorporate femtocell technology in the 3GPP Release 9 [16] standard, which addresses LTE femtocells as well as supporting more advanced functionalities.
Femtocell standards are also being developed by other industry bodies for additional air interface technologies. 3GPP is now focused on LTE (formally 3GPP Release 8 onwards) and LTE-A technologies (Release 10 onwards), while 3GPP2 activities have now essentially been discontinued [1]. The physical and MAC layer impact of femtocells on LTE and WiMAX is quite similar, due to their comparable physical and MAC layer designs, which are both based on OFDMA. Since LTE is likely to be the dominant cellular platform for the foreseeable future, the smooth integration of femtocells into LTE is particularly important.
4Small Cell Forum. URI: http://www.smallcellforum.org/, (2007-2014), Last visited in April 2014.
In the current 3GPP standards, femtocells are fixed in-home base stations which support neither mobility nor overlay abstractions. These limitations in the specification bound their capabilities. Thus, now is the time to revisit the existing femtocell architecture. In this thesis, we propose extensions to the legacy femtocell architecture to make femtocells mobile.
2.2 Milestones in the history of communication security
In this section, we summarise the milestones in the history of communication security and present them on a time-line that aids in understanding their evolution. Fig. 2 unfolds the history of communication security, while a detailed description is given below. Communication security is all about preventing unauthorised interceptors from accessing communications in an intelligible form, while still delivering them to the intended parties. The first evidence of communication security cited here dates from 1898, i.e. a demonstration of a radio-controlled boat [32] that allowed secure communication between the transmitter and the receiver.
During warfare, one of the key aspects of communications is the ability to transmit messages among the military and allies in utter secrecy and security. Gilbert Vernam, an engineer at AT&T, invented a secure printing telegraph cipher system in 1917, which was named the “Vernam cipher” [33]. It was used for signalling by the US army during World War I.
In 1936, Bell Telephone Laboratories (BTL) started developing the conversion of voice signals into digital data which could be reconstructed back into intelligible voice. This was called a “vocoder”, and it provoked the exploration of true voice security. The result was the first realisation of encrypted telephony, called “SIGSALY” [34]. “SIGSALY” was first demonstrated in 1942 and later used in World War II for the highest-level Allied communication. In 1949, Claude Shannon published the article “Communication Theory of Secrecy Systems” [35], which was the inception of the mathematical underpinning of modern cryptography.
After studying US government computer security needs, the National Bureau of Standards (NBS, today the National Institute of Standards and Technology, NIST) identified the need for a standard encryption algorithm for government-wide unclassified, sensitive information. As a result, in 1974, IBM submitted to NBS the candidate that became the Data Encryption Standard (DES) [36, 37]. It was based on the earlier design of the “Lucifer” cipher [38]. After consulting with the National Security Agency (NSA), NBS selected a slightly modified version, with revised S-boxes and a key shortened to 56 bits, which was then published as a Federal Information Processing Standard (FIPS) in 1977. The publication of an NSA-approved encryption standard resulted in the quick adoption of DES internationally and in widespread academic scrutiny. After it was published in the Federal Register, public comments were requested, and a workshop to discuss the proposed standard was held.
Fig 2. Milestones in the road-map of communication security. This illustrates the inventions related to security over time.
Among the criticisms from various parties, the public-key cryptography pioneers Martin Hellman and Whitfield Diffie cited the shortened key length and improper interference from the NSA in the design. Independently of those criticisms, a symmetric-key cryptosystem such as DES has a key distribution problem: the two parties must already share a secret key, and across a network the medium that key would have to cross is itself insecure. This problem, rather than any weakness of the symmetric algorithm itself, provoked research in public-key cryptography.
In 1976, Diffie and Hellman proposed a method by which two parties that have no prior knowledge of each other can jointly establish a shared secret key over an insecure communications channel [39]. This method worked only for key exchange, not for the actual encryption of messages. Furthermore, they discussed the possibility of using this idea for public-key encryption and authentication. Ron Rivest, Adi Shamir, and Leonard Adleman at MIT publicly described their public-key encryption scheme in 1977. They named it “RSA”, the initials of their surnames in the same order as on the paper [37]. They made all of the necessary information publicly available, building on the idea from the fledgling field of complexity theory of functions that are easy to compute in one direction but hard to invert. RSA would be useful not only for encrypting data, but also for authenticating each other by means of digital signatures. Unlike Diffie-Hellman, the RSA scheme requires the recipient’s public key to be obtained beforehand. In 1984, Taher ElGamal described a public-key encryption scheme based on the Diffie-Hellman key exchange.
The ElGamal cryptosystem [40] is in practice used as part of a hybrid cryptosystem, i.e. where the message itself is encrypted using a symmetric cryptosystem and ElGamal is used to encrypt the key of that symmetric cryptosystem. At the same time, ElGamal described a digital signature scheme [40] whose security rests on the difficulty of computing discrete logarithms. Even though both Diffie-Hellman and RSA were the first footprints of digital signatures, it was the ElGamal signature scheme that underpinned the design of the Digital Signature Algorithm (DSA), proposed by NIST in 1991 for the Digital Signature Standard (DSS).
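The Diffie-Hellman exchange discussed above, and the reason it needed the signatures that followed it, as an added example that is not part of the thesis. The script below (Python, standard library only) runs an honest exchange and then the man-in-the-middle situation in which Mallory substitutes her own public values; the group parameters (the Mersenne prime 2^127 - 1 with generator 3) are an assumption chosen only so that the script runs instantly, and are neither a safe prime nor a standardised group.

```python
"""Diffie-Hellman key agreement, honest and under an active attacker.

Added example, not code from the thesis. Standard library only. The group
below is an assumption chosen so the script runs instantly: P is the
Mersenne prime 2^127 - 1 and G = 3. It is NOT a safe prime and NOT a
standardised group; real systems use e.g. the RFC 7919 ffdhe2048 group.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # demo modulus (assumption, see above)
G = 3                # demo generator (assumption)


def is_valid_public(y: int) -> bool:
    """Reject 0, 1 and p-1: a peer sending these forces a trivial shared secret."""
    return 1 < y < P - 1


def dh_keypair() -> tuple:
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2          # uniform in [2, p-2]
    return x, pow(G, x, P)


def dh_shared_key(private: int, peer_public: int) -> bytes:
    """Derive a 256-bit symmetric key from the shared secret g^(xy) mod p.
    Hashing the raw group element, rather than using it directly, is the
    usual way to turn the key exchange into an actual encryption key."""
    if not is_valid_public(peer_public):
        raise ValueError("invalid Diffie-Hellman public value")
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def honest_exchange() -> bool:
    """Alice and Bob exchange public values directly and derive the same key."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    return dh_shared_key(a, B) == dh_shared_key(b, A)


def mitm_exchange() -> dict:
    """Mallory intercepts both public values and replaces each with her own.
    Alice and Bob each complete a valid exchange, but with Mallory, who can
    now decrypt and re-encrypt everything. Nothing in the exchange tells
    Alice that the value she received was not Bob's: plain DH provides no
    authentication, which is what signatures (RSA, DSA) later supplied."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    m1, M1 = dh_keypair()   # Mallory's key pair facing Alice
    m2, M2 = dh_keypair()   # Mallory's key pair facing Bob
    k_alice = dh_shared_key(a, M1)   # Alice believes M1 is Bob's value
    k_bob = dh_shared_key(b, M2)     # Bob believes M2 is Alice's value
    return {
        "alice_bob_agree": k_alice == k_bob,
        "mallory_has_alice_key": dh_shared_key(m1, A) == k_alice,
        "mallory_has_bob_key": dh_shared_key(m2, B) == k_bob,
    }


if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    print("under MITM:", mitm_exchange())
```

The honest run agrees on a key; the attacked run shows Alice and Bob holding different keys, each of which Mallory also holds. Authenticating the public values (a signature over them, or a pre-shared public key as in RSA) is what closes that gap.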
One of the RSA developers, Ron Rivest, continued developing a custom cipher for a US company, which was approved by the NSA in 1989. It was named “Ron’s Code” or “Rivest Cipher” (RC2) [41], and was reverse engineered and anonymously posted to the Internet in 1996. Rivest’s RC4 [42], a stream cipher designed in 1987, became the most widely used software stream cipher and is used in popular protocols, such as Transport Layer Security (TLS) and Wired Equivalent Privacy (WEP) [43]. External analysis of RC4 was triggered by the leakage of its source code in 1994 to the “cypherpunks” mailing list.
In 1989, Ron Rivest described the Message-Digest Algorithm 2 (MD2) cryptographic hash function, which was optimised for 8-bit computers. The MD2 algorithm is intended for digital signature applications, where a large file must be “compressed” in a secure manner before being signed with a private (secret) key under a public-key cryptosystem such as RSA [44].
In 1990, Rivest published MD4 [45], which handled messages with an arbitrary number of bits. A variety of cryptanalytic results cast doubt on the strength of the MD4 design [46], and the security of MD4 has since been severely compromised: the first full collision attack against MD4 was published in 1995, and several newer attacks have been published since then. In 1991, Ron Rivest replaced his earlier hash function with MD5 [47, 48], because MD4 was already considered likely to be insecure. In 1996, a flaw was found in the design of MD5. While it was not deemed a fatal weakness at the time, cryptographers began recommending the use of other algorithms, such as SHA-1, which was itself later found to be vulnerable.
NIST had already published the successor to SHA-1, the SHA-2 family, in 2001; it differs significantly from its predecessor. Nevertheless, SHA-1 remains the most widely used of the existing SHA hash functions. The SHA-2 functions are not as widely used as SHA-1, despite their better security margin.
By combining a hash function with the Message Authentication Code (MAC) concept, Mihir Bellare, Ran Canetti, and Hugo Krawczyk published the Hash-based Message Authentication Code (HMAC) in 1996 [49, 50]. As with any MAC, HMAC can be used to verify both the authenticity and the integrity of a message. Based on the hash function used, the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1. In the meantime, the development of DES continued with Triple DES, standardised in 1998 [51]; the intermediate “Double DES” construction gives little extra security because of the meet-in-the-middle attack and was never standardised.
Triple DES increased the effective key size and made the cipher computationally harder to break by applying DES three times in sequence. The short 56-bit key, rather than the existence of weak keys, is what made single DES vulnerable to exhaustive search, although it may not be as obsolete as deemed by NIST. However, in 2001, NIST replaced Triple DES as the preferred standard with the Advanced Encryption Standard (AES). Thus, Triple DES is now being phased out.
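The HMAC construction from RFC 2104, as an added example (Python, standard library only; not code from the thesis or its references). It builds HMAC from a plain hash exactly as the paragraph above describes, checks the result against the library implementation for both HMAC-MD5 and HMAC-SHA256, and shows the constant-time verification a practitioner should use; the key and message are constructed inputs.

```python
"""HMAC built from a plain hash function, following RFC 2104.

Added example, not code from the thesis. Standard library only; the key
and message below are constructed inputs.
"""
import hashlib
import hmac


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)).

    K' is the key, hashed first if it is longer than the hash's block size,
    then zero-padded to that block size. The nested hashes with two
    distinct pads are what protect HMAC against the length-extension attack
    that breaks the naive construction H(K || m) for MD5, SHA-1 and SHA-2.
    """
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5/SHA-1/SHA-256
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time. A plain '==' stops at
    the first differing byte and leaks, through timing, how much of a
    forged tag is already correct."""
    expected = hmac_from_scratch(key, message, hash_name)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    key = b"constructed-demo-key"
    msg = b"GET /api/balance?account=42"
    long_key = b"k" * 100                      # longer than the 64-byte block
    tag = hmac_from_scratch(key, msg)
    return {
        "matches_stdlib_sha256": tag == hmac.new(key, msg, "sha256").digest(),
        "matches_stdlib_md5": hmac_from_scratch(key, msg, "md5")
                              == hmac.new(key, msg, "md5").digest(),
        "long_key_matches_stdlib": hmac_from_scratch(long_key, msg)
                                   == hmac.new(long_key, msg, "sha256").digest(),
        "accepts_genuine": verify(key, msg, tag),
        "rejects_tampered": not verify(key, b"GET /api/balance?account=43", tag),
        "rejects_wrong_key": not verify(b"other-key", msg, tag),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Every check in demo() should be true. Note that HMAC-MD5 remains a valid MAC even though MD5 is broken for collisions, because HMAC relies on the hash's pseudo-randomness under a secret key rather than on collision resistance; new designs should still prefer HMAC-SHA256.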
AES is based on the Rijndael cipher, which was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. After selecting Rijndael in the AES selection process, NIST standardised it with a fixed 128-bit block size and key sizes of 128, 192 and 256 bits, whereas Rijndael itself allows further block and key sizes. AES has been adopted by the US government and is now used worldwide. The algorithm described in AES is a symmetric-key algorithm which superseded DES [52].
AES has survived intensive cryptanalytic effort for more than a decade; the best known attacks either target reduced-round variants, require related keys (AES-192 and AES-256), or improve on brute force by only a small factor, and none of them is practical. Meanwhile, researchers worked out a new public-key cryptography approach based on the algebraic structure of elliptic curves over finite fields [53]. The first use of elliptic curves in cryptography was Lenstra’s elliptic curve factoring algorithm, presented in his paper [54].
Inspired by this, in 1985, Koblitz [55] and Miller [56] independently proposed an application of elliptic curves by using the group of points on an elliptic curve defined over a finite field in discrete-logarithm cryptosystems. In 1999, NIST recommended a collection of elliptic curves, containing choices of key length and underlying field, for use by the federal government. However, Elliptic Curve Cryptography (ECC) only entered worldwide use in 2004 to 2005.
In the 2000s, many cryptographic algorithms came up, and most of them were customised for special requirements. Simultaneously, there has been significant growth in proprietary and hybrid cryptosystems developed for use with commercial applications and proprietary networks. In particular, the development of Secure Socket Layer (SSL) [57] in 1995 by Netscape [58] led the way for Internet security and e-commerce. However, the development of cryptography has been paralleled by the development of cryptanalysis. Cryptography can provide confidentiality, integrity, authentication, and non-repudiation for communications in public networks, for storage, and more.
Some real-world applications include protocols and technologies such as VPNs, Hypertext Transfer Protocol Secure (HTTPS) web transactions, and management through Secure Shell (SSH). HIP is such a protocol, a cryptographic identity/locator separation scheme in which we have shown a special interest throughout this thesis. After a long road in the development of cryptography, researchers are now trying to integrate different cryptosystems to collaboratively perform better in application-specific scenarios, such as mobile banking, e-commerce, ATMs, e-channelling, etc. In this thesis, we study mobile backhaul security measures and analyse the standard and potential solutions.
2.3 Towards software-defined networks
The ideas behind SDN have been developing for twenty years or more. In some ways, SDN revisits ideas from early telephony networks, in which the control and data planes are clearly separated [59]. In the early to mid-1990s, the take-off of the Internet, the production of more diverse applications and greater use by the general public drew the attention of researchers eager to test and deploy new ideas in network services [59].
Because switches and routers were vertically integrated, in the mid-1990s researchers found that separating the hardware from the control software was challenging; their closed or proprietary nature froze the rapid deployment of new network services [60, 61]. Active networking [62, 63] laid down the initial idea of a programmable network infrastructure that could be used for customised services. In 1998, Chen and Jackson [61] identified a clear distinction between the transport and control planes, with the objective of making the control plane programmable. In 2004, the “4D project” advocated a clean-slate design that emphasised the isolation of the routing logic and protocols [64–66]. Its objective was to give a “decision” plane a global view of the network, serviced by “dissemination” and “discovery” planes, for the control of the “data” plane that forwards traffic.
Fig 3. Decoupling of the control plane from the data-forwarding plane enables
centralised control and management by a network administrator.
The existing SDN architecture with a centralised control plane was directly
inspired by this idea. In 2006, the IETF network configuration group proposed a
network configuration protocol (NETCONF) that configures network elements
through an API [67]. This was seen as a new approach for network manage-
ment that would fix the aforementioned shortcomings in the Simple Network
Management Protocol (SNMP). The immediate predecessor to OpenFlow was
published in 2007 [68] and brought forward the idea of a centralised controller
that determined global network policy. In contrast to the omniscient controller,
the switches are simple and dumb, and they simply forward the packets under
the direction of the controller unless matching flow rules are found.
Driven by past research, researchers at UC Berkeley and Stanford Univer-
sity came-up with a clear distinction between the control and data planes [69].
The most widely used SDN enabler, OpenFlow in [69], puts forward the idea of
providing an open protocol to program the flow-tables in different switches and
routers. Thus, the network administrator could partition traffic into production
and research flows by the routes the flows would follow and get through [69].
Driven by the idea of decoupling control and data planes, OpenFlow standard-
ized information exchange between the planes. The separation of the control and
forwarding planes is shown in Fig. 3. The forwarding elements can contain one
or more flow tables and an abstraction layer that enables secure communication
between the switch and the controller via OpenFlow protocol. The entries in the
flow tables determine how packets are processed or forwarded. Typically, flow
35
tables consist of “match rules” or “fields” that match incoming packet headers,
ingress ports, or meta-data.
The OpenFlow protocol uses “counters” to collect statistics of a particular
flow and “instructions” or “actions” upon matching to a particular match rule.
If a matching entry is not found in a flow table, the action follows the
instruction defined by the table-miss flow entry. Each flow table must
contain a table-miss entry to handle table misses. When no match is found,
the packet is either matched against the next flow table or forwarded
to the controller. The switches that are managed by a controller appear to
imply centralisation. Although redundancy is not addressed by OpenFlow, soft-
ware defined networks can implement either a centralised or distributed control
plane [70–72]. Enabling connections from multiple controllers to a switch allows
backup controllers to take over in case of a failure.
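The flow-table pipeline described above (match fields, priorities, per-entry counters, instructions and the table-miss entry), as an added Python model that is not part of the dissertation; the packet field names and the two-table layout are assumptions:

```python
"""Minimal model of an OpenFlow multi-table pipeline with table-miss entries.

Added example, not code from the dissertation. Packets and flow entries are
simplified dicts/dataclasses, not OpenFlow's wire format; the field names
(in_port, eth_type, ipv4_dst, tcp_dst) are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]          # header fields, ingress port, metadata


@dataclass
class FlowEntry:
    match: Dict[str, object]        # fields the packet must carry; {} is a wildcard
    priority: int
    instruction: Tuple              # ("output", port) | ("goto", table) | ("controller",) | ("drop",)
    packet_count: int = 0           # per-entry counters collect flow statistics
    byte_count: int = 0

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


class FlowTable:
    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []
        # Every table starts with a table-miss entry (wildcard, lowest priority);
        # OpenFlow 1.3 defaults it to sending the packet to the controller.
        self.set_table_miss(("controller",))

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        self.entries.sort(key=lambda e: -e.priority)   # highest priority wins

    def set_table_miss(self, instruction: Tuple) -> None:
        self.entries = [e for e in self.entries if e.match]   # drop the old wildcard
        self.add(FlowEntry({}, 0, instruction))

    def lookup(self, pkt: Packet) -> Optional[FlowEntry]:
        return next((e for e in self.entries if e.matches(pkt)), None)


class Switch:
    """Pipeline: tables are consulted in order, and goto must move forward."""

    def __init__(self, num_tables: int) -> None:
        self.tables = [FlowTable() for _ in range(num_tables)]
        self.packet_ins: List[Packet] = []   # what the controller would receive

    def process(self, pkt: Packet, size: int = 64) -> Tuple:
        table = 0
        while True:
            entry = self.tables[table].lookup(pkt)
            if entry is None:                  # no table-miss entry left: packet is dropped
                return ("drop",)
            entry.packet_count += 1
            entry.byte_count += size
            kind = entry.instruction[0]
            if kind == "goto":
                nxt = entry.instruction[1]
                if nxt <= table:
                    raise ValueError("goto must target a later table")
                table = nxt
                continue
            if kind == "controller":
                self.packet_ins.append(dict(pkt, table=table))
            return entry.instruction


def build_demo_switch() -> Switch:
    """Two-table pipeline: table 0 separates production web flows from the rest."""
    sw = Switch(num_tables=2)
    # Production flow: IPv4 HTTP arriving on port 1 continues to the forwarding table.
    sw.tables[0].add(FlowEntry({"in_port": 1, "eth_type": 0x0800, "tcp_dst": 80},
                               priority=100, instruction=("goto", 1)))
    # Table 0 keeps the default table-miss: unknown traffic is punted to the controller.
    sw.tables[1].add(FlowEntry({"ipv4_dst": "10.0.0.2"}, priority=10, instruction=("output", 2)))
    # Table 1 overrides its table-miss so unroutable production traffic is dropped quietly.
    sw.tables[1].set_table_miss(("drop",))
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    web = {"in_port": 1, "eth_type": 0x0800, "tcp_dst": 80, "ipv4_dst": "10.0.0.2"}
    print(sw.process(web))                                   # ('output', 2)
    print(sw.process({"in_port": 3, "eth_type": 0x0806}))    # ('controller',)
    print(sw.tables[0].entries[0].packet_count, len(sw.packet_ins))   # 1 1
```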
A platform called Onix was presented in [70]. Onix describes the imple-
mentation of a distributed management plane through an API. A control plane
using Onix operates on the global view of the network and uses basic state
distribution primitives provided by the platform. HyperFlow [73] realises this
with a physically distributed event-based control plane: it provides scalability
while maintaining the benefits of network control centralisation by passively syn-
chronising networks. The evolution of elastic cloud services, data centres, and
dynamic resource allocation with growing mobile computing and virtualisation
puts forward the need for freedom to move between interfaces without chang-
ing identities or violating specifications. The isolation between the control logic
and data forwarding planes allows network operators to specify network services,
without fusing already complicated specifications with network interfaces.
Network equipment manufacturers have adopted mechanisms for driving network
hardware so that the software-defined edge and vendor-specific bridging and
routing can share the network edge. OpenFlow defines a set of open commands for
forwarding, and globally aware software controllers, which may be centralised or
distributed, drive the network hardware in order to create a programmable
identity-based overlay on top of the traditional IP core.
Software-defined networking offers a standard interface [74] between con-
troller applications and switch-forwarding tables, and is thus a natural platform
for network virtualisation. Hosted cloud computing and experimental facilities,
such as the Global Environment for Network Innovations (GENI), allow researchers
to run large-scale experiments on network “slices” over shared resources.
Virtualisation is a key feature of this infrastructure and brought forward the
idea of sharing physical resources.
Although virtual machines are now the standard abstraction for sharing computing
resources, the existing solutions differ in the level of detail they expose to
individual users [74]. Since enterprises are now moving towards the cloud,
network providers must go beyond strategies for sharing network bandwidth and
support a wider range of abstractions. A flexible virtualisation layer supports
various abstractions for building arbitrary topologies such as data centres.
Software-defined data-centres are considered to be the next step in the evolu-
tion of virtualisation and cloud computing, as they provide a solution to support
both legacy enterprise applications and new cloud computing services. The
virtualisation needs of a software-defined data centre span network, server, and
storage virtualisation. Network virtualisation involves using network resources
through a logical segmentation of a single physical network and treats all servers
and services in the network as a single pool of resources that can be accessed
without regard for its physical components [75]. On the other hand, partitioning
of a physical server to multiple virtual servers helps to dynamically maximise
server resources. In server virtualisation, the resources of the server itself are hid-
den, or masked, from users, and the SDN control layer divides the physical server
into multiple virtual environments, called virtual or private servers [76, 77].
Today, large companies, such as Amazon, Google, Facebook, and Yahoo!, rou-
tinely use data centres for storage, web search, and large-scale computation [75].
Google has already deployed SDN in their data centres [78]. In the context of
virtualised data centres, network programmability provides a modular interface
for separating physical topologies from virtual topologies, allowing each to be
managed and evolved independently [75].
In a nutshell, SDN has already laid down a platform for the future development
of services and applications. In our understanding, SDN is a step towards the
mobile Internet. However, realising the mobile Internet with SDN is challenging,
and thus there is a need to revisit the existing network architecture. We believe
that the job is now in the hands of programmers and application developers,
thanks to the common interface that OpenFlow provides.
The Open Networking Foundation
The Open Networking Foundation (ONF) is a non-profit industry consortium
that is leading the advancement of SDN and standardising critical elements of
the SDN architecture such as the OpenFlow protocol, which structures com-
munication between the control and data planes of supported network devices.
OpenFlow is the first standard interface designed specifically for SDN, providing
high performance and granular traffic control across multiple devices.
The OpenFlow standard is the first and only vendor-neutral standard commu-
nications interface defined between the control and forwarding layers of an SDN
architecture. ONF working groups are also paving the way for interoperable solu-
tion development by collaborating with the world’s leading experts on SDN and
OpenFlow, regarding SDN concepts, frameworks, architecture, and standards.
ONF advocates an open standards-based approach to software-defined network
implementation. The OpenFlow™ Standard is the only open, standard proto-
col that enables SDN by giving administrators software-based access to the flow
control tasks provided by switches and routers in traditional networks.
2.4 Host identity protocol
The Internet has grown very quickly during the last twenty or more years and has
become a part of human life. Simultaneously, IP technology has evolved to serve
a huge number of different services and applications. However, the mobility of
Internet hosts among separate IP networks or multiple connections to several
networks was not discussed in the original design of the Internet. Furthermore,
with the growth of small networks many security issues have become apparent.
In particular, a lack of reliable communication has slowed down the develop-
ment of IP mobility extensions. HIP [79–82] was developed with the intention
to overcome these issues in an integrated approach that fits well within TCP/IP
architecture. The original inventor of HIP, Robert Moskowitz [81], published
the draft “draft-moskowitz-hip-00” as an individual submission to the Internet
Engineering Task Force (IETF) in May 1999. The idea behind HIP is based
on decoupling the network layer from the higher layers in the protocol stack, as
seen in Fig. 4.
Fig 4. Host Identity Protocol architecture
Fundamentals of HIP
HIP defines a new global name space, the Host Identity (HI) name space, thereby
splitting the double meaning of an IP address [83]. HIP is also a security protocol
that defines host identifiers for naming end-points and for performing
authentication and creating IPsec security associations between them. The new
protocol layer is added to the TCP/IP stack between the network and transport
layers. It maps Host Identifiers to network addresses and vice versa.
In this way, HIP attains the main architectural goal, i.e. splitting the IP-
based identity/locator attributes. In the traditional TCP/IP architecture, IP
addresses serve as both identifiers and locators, which create problems for mo-
bility and multihoming. Instead, HIP uses Host Identity (HI) which is a self-
generated public-private key pair serving as both identifier and public-key for
the host. This kind of identifier is self-certifying in the sense that it can be used
to verify signatures without access to certificates or a public-key infrastructure.
The host identity is usually represented by the Host Identity Tag (HIT), which
is a 128-bit hash of the HI. Eliminating IP addresses from the application
and transport layers decouples the transport layer from the internetworking layer.
To create a HIP association, the endpoints first establish session keys with
the HIP Base Exchange (BEX) [84], after which all packets are protected us-
ing the IPsec Encapsulating Security Payload (ESP). For mobile hosts, there is a
readdressing mechanism to support IP address updates with mobility and
multihoming [85, 86]. There are situations where a simple end-to-end
readdressing functionality is not sufficient (e.g. the initial reachability of
mobile nodes or simultaneous mobility of nodes).
The HIP-BEX consists of four messages (I1, R1, I2, and R2) transferred
between the initiator and the responder. Fig. 4 illustrates the overall HIP ar-
chitecture including the BEX. The initiator may retrieve the HI/HIT of the
responder from a Domain Name System (DNS) directory by sending a Fully
Qualified Domain Name (FQDN) in a DNS query [87]. Instead of resolving the
FQDN to an IP address, the DNS server replies with an HI. The transport layer
creates a packet with the HI as the destination identifier. During the next step
the HI is mapped to an IP address by the HIP daemon in the Host Identity
layer. Finally, the packet is processed in the network layer and routed to the
responder.
IPSec for data encryption
After successfully completing the BEX, a pair of IPsec ESP Security Associations
(SAs), one for each direction, is created. HIP uses the IPsec ESP Bound
End-to-End Tunnel (BEET) mode [88] to provide data encryption and integrity
protection for network applications (see footnote 5). The purpose of the mode is
to provide limited tunnel-mode semantics without the overhead associated with the
regular tunnel mode. As the name states, the BEET mode is intended solely for
end-to-end use.
In BEET mode, the ESP packet is formatted as a transport mode packet, but
the semantics of the connection are the same as for tunnel mode. The “outer”
addresses of the packet are the IP addresses and the “inner” addresses are the
HITs. For outgoing traffic, after the packet has been encrypted, the packet’s IP
header is changed to a new one that contains IP addresses instead of HITs, and
the packet is sent to the network. When the ESP packet is received, the Security
Parameter Index (SPI) value, together with the integrity protection, allows the
packet to be securely associated with the correct HIT pair. The packet header is
replaced with a new header containing HITs, and the packet is decrypted. SPI
is used in ESP to find the correct security association for received packets. The
ESP SPIs have added significance when used with HIP; they are a compressed
representation of a pair of HITs. Thus, SPIs may be used by intermediary
systems in providing services like address mapping.
5 Melen J & Nikander P (2006) A Bound End-to-End Tunnel (BEET) mode for ESP. IETF
Network Working Group, Internet draft draft-nikander-esp-beet-mode-06 (work in progress).
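The BEET processing described above, as an added Python model that is not from the dissertation or any HIP/IPsec implementation: outbound packets swap the HIT header for IP locators, inbound packets find their SA by SPI (so a second locator of the same peer, as in HIP multihoming, lands on the same SA), and the anti-replay window rejects duplicates. The keystream cipher, the tag, and the HITs, locators, key and SPI are illustrative assumptions:

```python
"""HIP data traffic over IPsec ESP in BEET mode (added model, not the dissertation's
code nor any HIP/IPsec implementation). Outbound: encrypt the HIT-addressed packet,
then swap its header for IP locators. Inbound: find the SA by SPI (never by source
IP, so any locator of the peer maps to the same SA), verify the tag, check the
anti-replay window, decrypt, restore the HIT header. The keystream cipher and
12-byte HMAC tag stand in for real ESP transforms; all values are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

WINDOW = 64                      # anti-replay window size (RFC 4303 default)
MASK = (1 << WINDOW) - 1


@dataclass
class BeetSA:
    spi: int
    local_hit: str               # inner addresses: the HIT pair the SA is bound to
    peer_hit: str
    key: bytes                   # session key from the base exchange (constructed)
    seq: int = 0                 # last outbound sequence number
    highest: int = 0             # highest inbound sequence number accepted
    window: int = 0              # bit d set <=> seq (highest - d) already received

    def keystream(self, seq: int, n: int) -> bytes:
        out, block = b"", 0
        while len(out) < n:      # toy CTR-style keystream, unique per sequence number
            out += hashlib.sha256(self.key + seq.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
            block += 1
        return out[:n]

    def tag(self, seq: int, ct: bytes) -> bytes:
        data = self.spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + ct
        return hmac.new(self.key, data, hashlib.sha256).digest()[:12]

    def replay_check(self, seq: int) -> bool:
        """Sliding-window check; call only after the tag has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.window = ((self.window << shift) & MASK) if shift < WINDOW else 0
            self.window |= 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= WINDOW or (self.window >> diff) & 1:
            return False         # older than the window, or a duplicate
        self.window |= 1 << diff
        return True


def esp_send(sa: BeetSA, src_ip: str, dst_ip: str, inner: Dict) -> Dict:
    """Outbound BEET: encrypt, then replace the HIT header with an IP header."""
    assert (inner["src"], inner["dst"]) == (sa.local_hit, sa.peer_hit)
    sa.seq += 1
    pt = inner["payload"]
    ct = bytes(a ^ b for a, b in zip(pt, sa.keystream(sa.seq, len(pt))))
    return {"src": src_ip, "dst": dst_ip, "spi": sa.spi, "seq": sa.seq,
            "ct": ct, "tag": sa.tag(sa.seq, ct)}


def esp_receive(sa_by_spi: Dict[int, BeetSA], pkt: Dict) -> Optional[Dict]:
    """Inbound BEET: SA by SPI, verify, anti-replay, decrypt, restore HITs."""
    sa = sa_by_spi.get(pkt["spi"])
    if sa is None:
        return None
    if not hmac.compare_digest(sa.tag(pkt["seq"], pkt["ct"]), pkt["tag"]):
        return None              # integrity failure: leave the replay window untouched
    if not sa.replay_check(pkt["seq"]):
        return None
    pt = bytes(a ^ b for a, b in zip(pkt["ct"], sa.keystream(pkt["seq"], len(pkt["ct"]))))
    return {"src": sa.peer_hit, "dst": sa.local_hit, "payload": pt}


def demo() -> Dict[str, Optional[Dict]]:
    hit_a, hit_b = "2001:20::a1", "2001:20::b2"          # constructed HITs
    key = hashlib.sha256(b"constructed BEX session key").digest()
    spi = 0x1234ABCD
    sender = BeetSA(spi, hit_a, hit_b, key)              # A's outbound view of the SA
    receiver = BeetSA(spi, hit_b, hit_a, key)            # B's inbound view of the same SA
    sa_table = {spi: receiver}
    inner = {"src": hit_a, "dst": hit_b, "payload": b"hello over BEET"}
    p1 = esp_send(sender, "192.0.2.10", "198.51.100.5", inner)
    first = esp_receive(sa_table, p1)
    # A now sends from a second locator: same SPI, so the same SA is selected.
    inner["payload"] = b"after handover"
    p2 = esp_send(sender, "203.0.113.7", "198.51.100.5", inner)
    moved = esp_receive(sa_table, p2)
    replayed = esp_receive(sa_table, p1)                 # duplicate seq: rejected
    forged = esp_receive(sa_table, dict(p2, ct=bytes(len(p2["ct"]))))  # bad tag: rejected
    return {"first": first, "moved": moved, "replayed": replayed, "forged": forged}
```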
HIP diet exchange
In 2011, Moskowitz came up with a light version of the BEX, named Diet Exchange
(DEX) (see footnote 6). DEX uses the smallest possible set of established
cryptographic primitives. It was specifically designed for sensor devices [89],
i.e. devices with low processing power. The objectives resemble those of the
earlier Lightweight HIP (LHIP) mentioned in [79]. However, instead of removing
the public-key cryptosystem, DEX only removes the expensive Diffie-Hellman key
exchange and replaces it with an ECC variant that is better suited to sensor
nodes [89]. Beyond its capabilities of identity authentication, data encryption,
and message integrity, DEX can be directly used as a keying mechanism for
MAC-layer security protocols in sensor devices.
Mobility management with HIP
With HIP, the overlying protocols such as TLS, and the ESP security associations,
are bound to Host Identities, while IP addresses are only used for packet
forwarding. However, each peer must be reachable via at least one IP address used
during the base exchange. As a consequence of this decoupling, network-layer
mobility and host multihoming are simplified. There are a number of situations
where the simple end-to-end readdressing functionality is not sufficient.
These include the initial reachability of a mobile host, location privacy, simul-
taneous mobility, middle-box traversal, and some modes of NAT traversal [90–
92]. In this situation, HIP obtains the support of the Rendezvous Server (RVS)
function [93] to help a HIP node to contact a frequently moving HIP node. The
rendezvous mechanism is a third party function which serves as an initial contact
point (“rendezvous point”) for its clients.
The Rendezvous Server (RVS) stores the HIT-IP bindings for mobile nodes
registered to it by using the HIP Registration Extension [93]. The Registration
Extension defines how to relay HIP packets arriving for HITs to the node’s
registered IP addresses. Every time the host changes its address, its registration
with the RVS must be updated. However, a mobile host can directly notify its
associated peers of IP address changes. In that sense, the use of the RVS is
limited to initial contact, i.e. only for hosts that do not have an active HIP
association with the mobile host. However, when the initiator and responder are
simultaneously moving with an active HIP association, the RVS function is
clearly needed.
6 Moskowitz R (2011) HIP Diet EXchange (DEX): draft-moskowitz-hip-rg-dex-05, Internet
Engineering Task Force, Status: Work in progress, Internet draft
Fig 5. Base exchange with registration extension assuming that the responder is
previously registered to RVS with its HITs and current IP addresses.
Fig. 5 describes base exchange via RVS when the initiator does not know the
responder’s IP address. Here, the initiator obtains the responder’s RVS address
from its DNS record and then sends the I1 packet of the base exchange to RVS.
After inspecting the HITs in the I1 packet, the RVS checks its registrations to
determine whether it needs to relay the packet. If the arriving I1 packet is not
one of its own and the responder is already in the registered list, the RVS relays the I1
packet to the responder’s registered IP address. Accordingly, the responder can
be reached via RVS as it rewrites the destination IP with the responder’s IP.
Then, BEX can be completed without further assistance from RVS by sending
an R1 directly to the initiator’s IP address, as obtained from the I1 packet.
This mechanism allows the HIP layer to maintain the sessions. In our view,
multihoming is deemed an essential part of mobile communication that brings
seamless mobility for the overlay applications. In this thesis, we unfold the
usability of this approach for mobility and backhaul security.
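The RVS registration and I1 relay described above, as an added Python model that is not from the dissertation or any HIP implementation; the from_ip field (standing in for the real FROM/VIA_RVS parameters of RFC 5204) and all HITs, locators and DNS entries are assumptions:

```python
"""Model of HIP rendezvous (RVS) with the Registration Extension.

A mobile responder registers its HIT -> locator binding at the RVS and refreshes
it on every move. An initiator that only knows the responder's HIT learns the RVS
address from DNS and sends I1 there; the RVS rewrites the destination locator and
relays I1, and the responder answers R1 directly to the initiator's locator.

Added example, not code from the dissertation or any HIP implementation. The
'from_ip' field stands in for the FROM/VIA_RVS parameters of the real relay
mechanism (RFC 5204); HITs, locators and the DNS table are constructed values.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional


@dataclass
class Packet:
    kind: str                      # I1, R1, I2 or R2
    src_ip: str
    dst_ip: str
    src_hit: str
    dst_hit: str
    from_ip: Optional[str] = None  # original sender locator, set only by the RVS


class RVS:
    def __init__(self, ip: str, hit: str) -> None:
        self.ip, self.hit = ip, hit
        self.registrations: Dict[str, str] = {}   # HIT -> currently registered locator

    def register(self, hit: str, ip: str) -> None:
        self.registrations[hit] = ip               # re-registration replaces the old locator

    def handle(self, pkt: Packet) -> Optional[Packet]:
        if pkt.kind != "I1" or pkt.dst_hit == self.hit:
            return None                            # only I1 packets for other HITs are relayed
        target = self.registrations.get(pkt.dst_hit)
        if target is None:
            return None                            # unknown responder: nothing to relay
        return Packet("I1", self.ip, target, pkt.src_hit, pkt.dst_hit, from_ip=pkt.src_ip)


class HipHost:
    def __init__(self, hit: str, ip: str) -> None:
        self.hit, self.ip = hit, ip

    def move(self, new_ip: str, rvs: RVS) -> None:
        self.ip = new_ip
        rvs.register(self.hit, new_ip)             # registration is refreshed on every move

    def on_i1(self, pkt: Packet) -> Packet:
        reply_to = pkt.from_ip or pkt.src_ip       # R1 goes straight back, bypassing the RVS
        return Packet("R1", self.ip, reply_to, self.hit, pkt.src_hit)


def bex_via_rvs(initiator: HipHost, responder_hit: str, dns: Dict[str, str],
                node_at: Callable[[str], Any]) -> List[Packet]:
    """Return the packets exchanged; a trace of just I1 means the responder was unreachable."""
    trace: List[Packet] = []
    rvs_ip = dns[responder_hit]                    # DNS yields the RVS locator, not the host's
    i1 = Packet("I1", initiator.ip, rvs_ip, initiator.hit, responder_hit)
    trace.append(i1)
    relayed = node_at(rvs_ip).handle(i1)
    if relayed is None:
        return trace
    trace.append(relayed)
    responder = node_at(relayed.dst_ip)
    r1 = responder.on_i1(relayed)
    trace.append(r1)
    # I2 and R2 travel directly between the locators learned from I1 and R1.
    trace.append(Packet("I2", initiator.ip, r1.src_ip, initiator.hit, responder_hit))
    trace.append(Packet("R2", responder.ip, initiator.ip, responder.hit, initiator.hit))
    return trace


def demo() -> Dict[str, List[Packet]]:
    rvs = RVS("198.51.100.1", "2001:20::5")                   # constructed addresses
    responder = HipHost("2001:20::b2", "203.0.113.20")
    initiator = HipHost("2001:20::a1", "192.0.2.10")
    rvs.register(responder.hit, responder.ip)
    dns = {responder.hit: rvs.ip, "2001:20::cafe": rvs.ip}    # second HIT is never registered
    nodes = {rvs.ip: rvs, initiator.ip: initiator}

    def node_at(ip: str) -> Any:
        return nodes.get(ip) or (responder if ip == responder.ip else None)

    before = bex_via_rvs(initiator, responder.hit, dns, node_at)
    responder.move("203.0.113.99", rvs)                       # responder changes locator
    after = bex_via_rvs(initiator, responder.hit, dns, node_at)
    unknown = bex_via_rvs(initiator, "2001:20::cafe", dns, node_at)
    return {"before": before, "after": after, "unknown": unknown}
```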
2.5 Mobile IP (MIP)
Mobile IP is an IETF standard that adds roaming capabilities for mobile
nodes in IP networks. It is designed to allow mobile users to move from one
network to another while maintaining a permanent IP address. Each mobile
node is always identified by its home address, regardless of its current point of
attachment to the Internet. While situated away from its home, a mobile node
is also associated with a care-of address, which provides information about its
current point of attachment to the Internet [94]. The protocol registers the care-
of address with a home agent. The home agent sends datagrams destined for the
mobile node through a tunnel to the care-of address. After arriving at the end
of the tunnel, each datagram is then delivered to the mobile node. With Mobile
IPv4, scalability is limited by the number of available free IP addresses. Mobile
IPv6 eliminates this problem with 128-bit addresses.
On one hand, mobile IPv4 has the problem of triangular routing which still
needs to be optimised. On the other hand, mobile IPv6 uses route optimisation
to eliminate this problem. RFC 3775 [95] has described this standard in detail.
The major benefit of this standard is that the mobile nodes (as IPv6 nodes)
change their point of attachment to the IPv6 Internet without changing their
IP address. This allows mobile devices to move from one network to another and
still maintain the existing overlay connections. Although Mobile IPv6 is mainly
targeted at mobile devices, it is equally applicable to wired environments.
In a fixed network, Mobile IPv6 is needed because the mobile nodes cannot
maintain the previously connected link (using the address assigned from the
previously connected link) after changing location (e.g. virtual server migration).
To accomplish the need for mobility, connections to Mobile IPv6 nodes are made
(without user interaction) with a specific address that is always assigned to the
mobile node, and through which the mobile node is always reachable. Mobile
IPv6 is expected to be used in IP over WLAN, WiMAX or wireless broadband.
3 Summary of research contributions
In this chapter, we summarise our results published in the journal and confer-
ence proceedings. A more detailed analysis of the results is presented in the
corresponding publications attached at the end of this thesis. In Publications I
and II, we evaluate the vehicular femtocell architecture and propose essential
modifications that enable seamless connectivity on the move.
Publication III deals with fast initial authentication-related issues and proto-
typing of an Elliptic Curve Cryptography (ECC) based authentication scheme
for IEEE 802.11 systems. Finally, in Publications IV and V, we address the
problems related to OpenFlow mobile backhaul architecture and develop a wire-
less SDN test bed. We realise seamless mobility on the test bed and implement
an access control mechanism integrated with a Floodlight-based DHCP module to
secure OpenFlow-enabled wireless networks from unauthorised access.
3.1 Vehicular femtocells in EPC architecture
This section describes the proposed vehicular femtocell architectures in Publi-
cations I and II, and comprehensively describes the protocol and operational
requirements. The publication entitled “Secure and Multihomed Vehicular Fem-
tocells” proposes an Evolved Packet Core (EPC) based mobile femtocell archi-
tecture that is evaluated with the OMNet++ network simulation tool.
Communication between the femtocell and the Secure GateWay (SeGW) is
vulnerable to attacks, since both control and data traffic will be carried over
the same unreliable public Internet. Thus, the 3GPP femtocells establish IPSec
tunnels in either direction through the backhaul to protect the communication
from attackers. Femtocell authentication is generally performed using Extensi-
ble Authentication Protocol method for 3rd generation Authentication and Key
Agreement (EAP-AKA), certificates, or a combination of both. The 3GPP standard
presumes that validation and authentication are performed sequentially.
However, these standard solutions do not fit the context of vehicular femtocells,
which demand seamless connectivity to the Internet with mobility.
The duality attribute of the IP address limits the freedom of mobility as a result of
the concurrent change of IP-layer associations. At this point, it is important
to investigate the possible elimination of the identifier or locator attribute
from IP. The identity/locator separation protocols have emerged to overcome
this problem, but have not been widely used, since they require additional
APIs to communicate with the application layer. HIP offers multiple advantages
compared to other candidate protocols, such as the Locator/ID Separation Protocol
(LISP) or Shim6 [96–99]. HIP multihoming provides a multi-addressing capability
on HIP-enabled hosts and naturally solves tasks that are challenging in
any mobile architecture design.
Fig 6. HIP in the TCP/IP stack.
Fig. 6 describes the integration of the HIP layer into the TCP/IP stack. This
includes providing end-to-end security for each flow and facilitating the ability
to traverse NATs and middleboxes, as well as enabling mobility support, which
is inherited from the standard HIP protocol implementation. With mobility,
the active sessions are interrupted by the change of point of attachment to the
network. If IP addresses are only used as geographical locators, only the location
of the mobile node can be identified, but not its identity. Therefore, sessions built
on HITs can still identify the host, even if the locator is updated.
Problem statement
Modern mobile applications demand seamless voice and data session continuity
when subscribers are on the move. Service continuity is one of the most critical
quality parameters in a cellular system [100]. Quality of service (QoS) is always
hindered by handover latency and packet loss. On one hand, extending cellular
coverage into signal infill areas was a challenge for a long time, until
small cells appeared as a potential solution. On the other hand, 5-bar signal
strength for the mobile Internet has long been expected, but has not yet been
completely accomplished using the available network infrastructure.
We argue that on-site cells are the appropriate solution to overcome this
problem, as the macrocell signal may drop due to shadowing. Coverage inside
vehicles, trains, metros, and trams is still questionable due to unexpected
channel conditions experienced on the move. Thus, on-site cells could be a
promising solution to overcome this problem. However, the protocol stack on
legacy femtocells must be modified to realise mobility, and this will introduce
new security vulnerabilities and privacy flaws. Among several other approaches, IP
multihoming is a potential solution for seamless mobility that mainly improves
throughput and reduces packet loss. Theoretically, it can reduce service inter-
ruptions and packet loss during handover. The subsequent sections describe the
usability of these concepts towards the realisation of vehicular femtocells.
3.1.1 Wireless backhaul
Conventional femtocells communicate through home broadband access and/or
Internet. The most critical issue related to the realisation of vehicular femtocells
is the wireless backhaul which delivers the aggregated traffic between the femto-
cell device and the core network/Internet [100, 101]. Here, we consider two use
cases: 1) mobile Internet on the metro; 2) mobile Internet on vehicles. The
success of such an application depends entirely on the effectiveness of the
wireless backhaul architecture, where the demand is always for cost-efficient
and QoS-compatible solutions.
Choosing the right solution for traffic backhauling from the cell-site to the
IP backbone can make or break such a business case for a carrier’s new mobile
service. At the same time, this solution should be scalable enough to deploy at
large scale and minimise interference and other limiting factors. Thus, sharing
the same cellular spectrum is problematic, and the ability to limit the coverage
area is important.
Fig 7. Wireless relay station for traffic backhaul.
Therefore, we have chosen IEEE 802.11 for the wireless backhaul between
the cell-site and the network edge. We believe that this is one of the most cost-
effective solutions for wireless backhaul. It is assumed that the handsets and
femtocells are dual-band accessible (cellular and Wi-Fi). With OMNet++ [102,
103], we develop two new modules, one for wireless relay stations and the other
for vehicular femtocells with the IEEE 802.11 interface. OMNeT++ offers an
Eclipse-based IDE and a graphical run-time environment.
In Fig. 7, we present the relay station and the modular implementation of the
IEEE 802.11 interface that we have developed. The IEEE 802.11 compatible
femtocells are simulated by customising the “INET” [104, 105] based IEEE 802.11
access point module (see footnote 7). The relay station performs traffic
forwarding between IEEE 802.11 and wired Ethernet interfaces. This allows simple
forwarding of traffic from the vehicular femtocells to the network’s edge. At
this point, the wireless backhaul is too fragile and vulnerable to on-air
security attacks.
Thus, it is important to encrypt data and put in place proper authentication and
access control. For evaluation purposes, we have been using HIPSim++ [106, 107],
a HIP simulation framework for INET/OMNeT++ developed to provide a flexible
tool-set for the testing and validation of HIP and its extensions. HIPSim++ is
fully OMNeT++ 4.x compatible as it is built on top of INET Version 20090325.
This modular implementation enables a flexible framework for developing new
modules and testing them on OMNeT++ [108].
7 Varga, A et al., INET framework for OMNeT++ 4.0, http://inet.omnetpp.org/, Last visited
on April 2014
Scenario-1:
In the first case, we assume the femtocell devices are located inside the train
carriages. According to the standards, the IEEE 802.11 range can be extended
to at most 300 metres. Thus, theoretically, the maximum distance between two
wireless relay stations is less than 600 metres. These relay stations are mounted
on poles along the railway track. They are connected to the network edge over
a wired line or fibre-optic. For cost-effectiveness, the power lines could be used
to deliver traffic. However, data transmission over power lines is still under
investigation.
The following calculation shows the cost-effectiveness of this solution.
Although the theoretical displacement between two relay stations is 600 metres,
to avoid problems due to loss of line-of-sight we assume a maximum displacement
of 500 metres. Assuming the total length of the railway track is “D” and the
displacement between two relay stations is “d”, the total cost of the relay
stations required to cover the complete track is given by c[(D/d)+1], where “c”
is the cost per unit. Assuming a track of length 100 km, at least 201 relay
stations must be deployed. If a single unit costs 100 USD, the cost of the
wireless backhaul would be around 20,000 USD, which an operator would consider
worthwhile to spend to cover such a long track. By utilising the cost model given
in [109], the operational expenditure (OPEX) is calculated to be 50 USD/km.
Scenario-2:
This case describes the use of on-site femtocells in buses and personal
automobiles. In this case, we assume that the relay stations are mounted on
street poles. Unlike the previous case, here the deployment cost depends on the
target area. For example, if we consider an area “A”, the total cost for relay
stations can be calculated as [A/(πr²)]·c, where “r” is the radius of the area
covered by an 802.11 relay station. If we assume an area of 4 km², it will
require at least 16 relay stations to properly cover the whole area, which means
about 1,600 USD to cover a 2×2 km² area. By using the same model in [109], the
OPEX is calculated to be less than 100 USD/km², which is considerably lower than
the OPEX for 3G or 4G systems. Urban speed limits internationally fall below
40 km/h. Thus, the maximum dwell time would be around 50 s. This is almost the
same duration as an average voice call. Thus, we can expect that a cell-site
would move to a new relay station only once during a call. This demonstrates the
feasibility of using 802.11 as a backhauling mechanism in an urban environment.
Fig 8. HIP registration and RVS extension.
3.1.2 Protocol and operational requirements
As wireless backhaul is open to anyone in range, organising an attack or sniffing
traffic on-air is possible using tools that are freely available on the Internet.
End-to-end communication security is an obligation in enterprise networks, since
confidential information may traverse on-air. To provide end-to-end security that
operates at the packet processing layer to protect the network and higher-layer
applications, IETF has defined a suite of security protocols, collectively known
as IPsec [110, 111]. This is capable of securing communications on a host-to-host,
network-to-network and network-to-host basis.
IPsec authenticates and encrypts each IP packet within a communications
session. We have proposed IPSec in the ESP mode over HIP identities, thus
HIP-based mutual authentication will generate and share the necessary creden-
tials. The establishment of a secure association between end-hosts is illustrated
in Fig. 8. IPSec ESP in the transport mode can provide protection against DoS,
data origin authenticity, connectionless integrity, anti-replay protection, and lim-
ited traffic flow confidentiality. The ESP header is designed to provide a mix of
security services in IPv4 and IPv6 [88]. The set of services provided depends on
the options selected at the time of security association and on the location of
the implementation in a network.
This provides the same level of security over the wireless backhaul as com-
pared to conventional femtocells and assures that no simple eavesdropping is
possible. The Radio Link Control (RLC) must now use HIP identities, namely
Host Identity Tags (HITs). By the end of successful authentication and IP assign-
ment, a vehicular femtocell must establish a secure association with the Home
eNodeB Management System (H(e)MS) [112, 113].
At this point, the applications can use the HITs instead of IPs. HITs are
self-certified and globally unique; thus, an additional security dimension is given
to the communication. Simultaneously, the globally unique and static identities
on which the applications are built enable enough freedom of mobility, since
they do not change with mobility. The identity/locator separation enabled with
HIP brings seamless mobility for applications developed on top of HIP identities
(HITs). However, now it requires some entity to map the IP addresses to the
HITs, i.e. RVS [83]. Therefore, all HIP-enabled mobile hosts must be registered
to the RVS in the first place in order to initiate mobile communication. In Fig. 9,
the sequence diagram obtained with OMNeT++ presents registration with RVS.
HIP handles change of attachment using the UPDATE method, which in-
volves the exchange of a LOCATOR parameter that carries new address infor-
mation [114]. Using the LOCATOR parameter, the host can inform its peers
of additional (multiple) locators (new address information due to mobility) at
which it can be reached, and can declare the most “preferred” locator [85, 86].
This UPDATE packet must be acknowledged by the peer. The peer can authen-
ticate the contents of the UPDATE packet based on the signature and keyed
hash of the packet. Thus, security back-doors in handover can be minimised.
By using the ESP transport format, the host can decide to rekey its security
association(s) and possibly generate new Diffie-Hellman key(s). These actions can
be triggered by including additional parameters in the UPDATE packet.
Fig 9. Registration with RVS. This figure is obtained with OMNeT++ output vector
results and filters for the RVS registration extension presented in [93]. The
horizontal axis presents the time.
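The UPDATE/LOCATOR readdressing and its keyed-hash verification, as an added Python model that is not from the dissertation or any HIP implementation; the shared HMAC key standing in for the BEX-derived integrity key, the omission of the public-key signature and of new-locator verification, and the HITs and locators are assumptions:

```python
"""Model of HIP readdressing with UPDATE/LOCATOR.

The moving host announces its locators and the preferred one; the peer verifies
the packet's keyed hash (HMAC) with the session key from the base exchange,
rejects tampered or replayed UPDATEs, switches to the preferred locator and
returns an acknowledgement that is itself protected.

Added example, not code from the dissertation or any HIP implementation. Real
UPDATE packets also carry a public-key signature, and HIP verifies a new locator
(echo request) before using it; both are omitted here. Keys, HITs and locators
are constructed values.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class HipPeer:
    hit: str
    key: bytes                    # BEX-derived integrity key shared with the peer (constructed)
    locators: List[str]           # where we can be reached
    peer_locators: List[str]
    peer_preferred: str
    sent_id: int = 0              # UPDATE ID of our last UPDATE
    expect_id: int = 1            # UPDATE ID we require from the peer next

    def _mac(self, body: Dict) -> str:
        canon = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, canon, hashlib.sha256).hexdigest()

    def make_update(self, locators: List[str], preferred: str) -> Dict:
        """Build a LOCATOR-carrying UPDATE after a change of attachment."""
        self.locators = list(locators)
        self.sent_id += 1
        body = {"type": "UPDATE", "hit": self.hit, "id": self.sent_id,
                "locators": list(locators), "preferred": preferred}
        return {**body, "mac": self._mac(body)}

    def handle_update(self, pkt: Dict) -> Tuple[str, Optional[Dict]]:
        """Verify an incoming UPDATE; return (status, ack-or-None)."""
        body = {k: v for k, v in pkt.items() if k != "mac"}
        if not hmac.compare_digest(self._mac(body), pkt.get("mac", "")):
            return "bad-mac", None          # tampered, or sender lacks the session key
        if body.get("id") != self.expect_id:
            return "bad-id", None           # replayed or out-of-order UPDATE
        if body["preferred"] not in body["locators"]:
            return "bad-locator", None
        self.expect_id += 1
        self.peer_locators = list(body["locators"])
        self.peer_preferred = body["preferred"]
        ack = {"type": "UPDATE", "hit": self.hit, "ack": body["id"]}
        return "ok", {**ack, "mac": self._mac(ack)}

    def verify_ack(self, ack: Dict) -> bool:
        """The acknowledgement must carry a valid keyed hash and echo our last UPDATE ID."""
        body = {k: v for k, v in ack.items() if k != "mac"}
        return hmac.compare_digest(self._mac(body), ack.get("mac", "")) and body.get("ack") == self.sent_id


def demo() -> Dict[str, object]:
    key = hashlib.sha256(b"constructed BEX integrity key").digest()
    mobile = HipPeer("2001:20::a1", key, ["192.0.2.10"], ["198.51.100.5"], "198.51.100.5")
    peer = HipPeer("2001:20::b2", key, ["198.51.100.5"], ["192.0.2.10"], "192.0.2.10")

    # The mobile host gains a new interface and prefers it.
    upd = mobile.make_update(["203.0.113.7", "192.0.2.10"], preferred="203.0.113.7")
    status, ack = peer.handle_update(upd)
    acked = mobile.verify_ack(ack) if ack else False
    replay = peer.handle_update(upd)[0]                 # same UPDATE again: rejected by ID
    tampered = dict(upd, preferred="192.0.2.10")        # altered in flight: MAC no longer matches
    forged = peer.handle_update(tampered)[0]
    return {"status": status, "acked": acked, "peer_preferred": peer.peer_preferred,
            "replay": replay, "forged": forged}
```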
The UPDATE procedure describes the establishment of network layer asso-
ciations. Even though application sessions built on HIP identities do not experi-
ence any discontinuity, the IP layer associations temporarily disconnect during
UPDATE. With IEEE 802.11, re-establishment of IP connectivity may take as
long as 2-3s, which is not favorable for delay-sensitive applications. Therefore, a
mechanism to overcome this delay is crucial.
Here, we can consider two different approaches: 1) a faster handover process,
which would probably require some modifications to the IEEE 802.11 implementa-
tion; 2) IP multihoming to establish multiple channels over different paths,
ensuring that at least one channel is alive while the old association(s) are
torn down. Thereby, we need to define primary and secondary channels and to
interchange them due to mobility. Modifying IEEE 802.11 is not a scalable
solution, since there are millions of standard devices already on the market and
in use. Thus, the second option, which is evaluated in this dissertation, has the
potential to be deployed on a global scale.
IP multihoming and mobility
IP multihoming could be deployed as an application that runs over the communication ports, which brings scalability. HIP, Stream Control Transmission Protocol (SCTP), LISP, Identity/Locator Network Protocol (ILNP) and IKEv2 Mobility and Multihoming Protocol (MOBIKE) are a few realisations of IP multihoming used in today's IP networks [115–117]. Multihoming can be implemented in different ways, based on the IP context. The HIP multihoming solution needs an IP address to be paired with an ESP-SPI [88], so that the packets can be forwarded to the correct SA for a given address. The SPI is used to associate an incoming packet with the right HIT, since upper-layer protocols, including TCP and ESP, are bound to HITs rather than IP addresses. The job of the HIP sub-layer is to map arriving ESP packets to a HIT using the SPI value in the packet and to select the source address and interface according to the SPI value set by ESP.
A HIP association includes two unidirectional ESP SAs, one in each direction. Since several IP addresses can be added to an SA, the sender can transmit and receive HIP data packets through any of these addresses. The most important property here is the use of the SPI to look up an SA instead of the source IP address. It is possible to establish multiple such SAs between two HIP hosts. Thus, they would have different ESP anti-replay windows to avoid accepting maliciously captured and retransmitted packet duplicates. However, the use of multiple IP addresses over a single SA probably leads to a need to make the ESP anti-replay window sufficiently large, since packets sent from separate interfaces are likely to travel via different paths in the network and to arrive out of order.
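The SPI-keyed lookup and the anti-replay window interaction described above, as an added example that is not part of the dissertation. It models a receiver that selects the inbound SA from the SPI alone (the source address is never consulted) and applies a sliding replay window in the style of RFC 4303; the SPI values, HIT, addresses and packet trace are constructed, and the trace is run twice to show that a narrow window drops legitimate packets that arrive late over the slower of two paths.

```python
"""SPI-keyed inbound SA lookup with an ESP-style anti-replay window.

Added example, not from the dissertation. Toy model: an ESP packet is the
tuple (spi, sequence number, source address). The receiver selects the SA by
SPI alone, so a peer that moves between addresses keeps hitting the same SA.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class InboundSA:
    hit: str                  # host identity (HIT) this SA is bound to
    window: int = 64          # anti-replay window width (sequence numbers)
    highest: int = 0          # highest sequence number accepted so far
    seen: set = field(default_factory=set)  # accepted numbers still inside the window

    def check(self, seq: int) -> str:
        """Sliding-window replay check (RFC 4303 section 3.4.3 style).

        Returns 'accept', 'replay' (already seen) or 'stale' (older than the window).
        """
        if seq > self.highest:
            # Window slides forward; numbers below its new lower edge are forgotten.
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
            self.seen.add(seq)
            return "accept"
        if seq <= self.highest - self.window:
            return "stale"
        if seq in self.seen:
            return "replay"
        self.seen.add(seq)
        return "accept"


class HipReceiver:
    """Maps arriving ESP packets to a HIT via the SPI, ignoring the source address."""

    def __init__(self) -> None:
        self.sa_by_spi: dict[int, InboundSA] = {}

    def add_sa(self, spi: int, hit: str, window: int = 64) -> None:
        self.sa_by_spi[spi] = InboundSA(hit=hit, window=window)

    def receive(self, spi: int, seq: int, src: str) -> tuple[str, str | None]:
        sa = self.sa_by_spi.get(spi)
        if sa is None:
            return "no-sa", None          # unknown SPI: nothing to demultiplex to
        return sa.check(seq), sa.hit      # `src` plays no part in the lookup


# Constructed trace: one SA, packets from two of the peer's interfaces. The fast
# path (192.0.2.7) races ahead of the slow path (198.51.100.5).
TRACE = [
    (0x1001, 1, "198.51.100.5"),
    (0x1001, 2, "198.51.100.5"),
    (0x1001, 3, "192.0.2.7"),
    (0x1001, 8, "192.0.2.7"),      # arrives early via the fast path
    (0x1001, 4, "198.51.100.5"),   # arrives late via the slow path
    (0x1001, 5, "198.51.100.5"),
    (0x1001, 8, "198.51.100.5"),   # captured copy of seq 8 replayed later
    (0x2002, 1, "198.51.100.5"),   # SPI that was never negotiated
]


def run_trace(window: int) -> list[str]:
    """Verdict per packet in TRACE for the given window width (HIT is constructed)."""
    rx = HipReceiver()
    rx.add_sa(0x1001, hit="2001:10::1", window=window)
    return [rx.receive(*pkt)[0] for pkt in TRACE]


if __name__ == "__main__":
    for width in (4, 64):
        print(f"window={width}:", run_trace(width))
```

With a window of 4 the late packet with sequence number 4 is dropped as stale even though it is genuine, while the replayed copy of sequence number 8 is rejected in both runs; widening the window to 64 keeps the late packet and still catches the replay.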
In the case of a link fail-over, a host can start using a spare locator. Let us consider a case between two hosts, one singlehomed and the other multihomed. The multihomed host may decide to inform the singlehomed host of its additional locator. It is recommended to establish a new SA pair with the new address. At this point, the multihomed host sends the LOCATOR parameter with an ESP_INFO parameter indicating the request for a new SA pair to use the new address. This is followed by setting the OLD SPI value to zero and the NEW SPI value to the newly created incoming SPI. The multihomed host waits for an ESP_INFO (new outbound SA) from the peer and an ACK for its own UPDATE. Simultaneously, the peer host must perform an address verification before actively using the new address, as illustrated in Fig. 10.
With mobility, the UPDATE message sent from a mobile host includes an ESP_INFO with the OLD SPI set to the previous SPI and the NEW SPI set to the desired new SPI value for the incoming SA. When an ESP_INFO arrives to rekey a particular outbound SA, the corresponding inbound SA should also be rekeyed at the same time. Optionally, as shown in Fig. 10, the host may include a DIFFIE_HELLMAN parameter for a new Diffie-Hellman key.
Fig 10. Basic multihoming scenario.
The peer completes the request for rekeying as is normally done for HIP rekeying, except that the new address is kept as UNVERIFIED until the UPDATE nonce challenge is received, as seen in Fig. 10. Thus, the vehicular femtocell device establishes a HIP association to the network edge, which can be freely modified on the move and utilised for IP multihoming to improve performance during handover. Thus, after sensing a new channel, the vehicular femtocell device may create a new connection which will share the end-to-end bandwidth. On one hand, this preserves the connectivity to the network on the move, and on the other hand, it improves the user experience.
Security concerns with IP multihoming and mobility
HIP UPDATE is a secure procedure to update the host's IP address [86]. On receiving the first UPDATE packet, a HIP host can cryptographically verify the sender of the UPDATE. Therefore, forging or replaying a HIP UPDATE packet is not simple, although impersonation and DoS attacks are still possible in the UPDATE exchange. An attacker wishing to impersonate another host will try to mislead its victim by communicating with it directly, or will carry out a Man-in-the-Middle (MitM) attack between the victim and the victim's desired communication peer. If the attacker tricks its victim into initiating the connection over an incorrect routing path, the signatures in the UPDATE message will prevent this attack.
MitM is always possible if an attacker is present from the initial base-exchange
and if the hosts are not authenticating each other’s identities. However, once the
opportunistic base-exchange has taken place, even a MitM cannot steal the HIP
connection anymore because it is very difficult for an attacker to create an UP-
DATE packet (or any HIP packet) that will be accepted as a legitimate message.
UPDATE packets use HMAC and are signed. Even when an attacker snoops
packets to obtain the SPI and HIT/HI, they still cannot forge an UPDATE
packet without knowing the secret keys [118].
Denial-of-Service (DoS) is a general form of resource exhaustion of the target victim such that the victim ceases to operate correctly. DoS attacks are also possible against HIP hosts, for example by sending many UPDATE packets containing many IP addresses that are not flagged as preferred. DoS attacks in distributed form (DDoS) can be even worse, due to their effectiveness in multiplying the rate of resource exhaustion. An attacker may keep sending these packets until the number of IP addresses associated with the attacker's HI crashes the system. Therefore, the maximum number of IP addresses associated with an HI must be restricted. Besides this, increasing the lifetime of SAs lowers the rate of rekeying UPDATEs, and increasing the difficulty of the cookies slows down attack-oriented connections, which ultimately reduces the opportunities an attacker would get. There is also a possibility of a HIP host spoofing a non-HIP host's IP address during the base exchange, or setting the non-HIP host's IP address as its preferred address via an UPDATE.
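The LOCATOR/ESP_INFO exchange of the multihoming section above and the defensive points of this section (keyed-hash verification of UPDATE, rejection of replays, and a cap on the number of locators per HI), as one added example that is not part of the dissertation. The HMAC key is a constructed constant standing in for the key derived in the base exchange, the signature is omitted and only the keyed hash is modelled, one locator is carried per UPDATE, messages are Python dicts rather than HIP wire format, and the limit MAX_LOCATORS is an assumed local policy value, not a HIP constant.

```python
"""HIP UPDATE handling: LOCATOR + ESP_INFO, keyed-hash check, address
verification (UNVERIFIED -> ACTIVE) and a per-HI locator cap.

Added example, not from the dissertation. The HMAC key is constructed (it would
come from the base exchange); signatures are omitted; one locator per UPDATE.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

MAX_LOCATORS = 3   # assumed local policy limit per peer HI, not a HIP constant


def _mac(key: bytes, msg: dict) -> str:
    """Keyed hash over every parameter except the HMAC field itself."""
    body = json.dumps({k: v for k, v in msg.items() if k != "HMAC"}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class HipHost:
    def __init__(self, hit: str, key: bytes) -> None:
        self.hit, self.key = hit, key
        self.seq = 0              # our own UPDATE sequence number
        self.peer_seq = 0         # highest UPDATE SEQ accepted from the peer
        self.inbound_spis: set[int] = set()
        self.peer_locators: dict[str, str] = {}   # address -> UNVERIFIED | ACTIVE
        self.pending_echo: dict[str, str] = {}    # address -> nonce awaiting reply

    def _send(self, **params) -> dict:
        self.seq += 1
        msg = {"type": "UPDATE", "from": self.hit, "SEQ": self.seq, **params}
        msg["HMAC"] = _mac(self.key, msg)
        return msg

    def _verify(self, msg: dict) -> str:
        """Keyed hash first, then the SEQ check that defeats replayed UPDATEs."""
        if not hmac.compare_digest(_mac(self.key, msg), msg.get("HMAC", "")):
            return "bad HMAC"
        if msg["SEQ"] <= self.peer_seq:
            return "replayed SEQ"
        self.peer_seq = msg["SEQ"]
        return "ok"

    # ---- multihomed host side --------------------------------------------
    def announce_locator(self, addr: str, new_spi: int) -> dict:
        """OLD SPI = 0 asks the peer for a new SA pair bound to `addr`."""
        self.inbound_spis.add(new_spi)
        return self._send(LOCATOR=[addr], ESP_INFO={"old_spi": 0, "new_spi": new_spi})

    def handle_reply(self, msg: dict):
        status = self._verify(msg)
        if status != "ok":
            return status, None
        addr, nonce = msg["ECHO_REQUEST"]
        return "ok", self._send(ACK=msg["SEQ"], ECHO_RESPONSE=[addr, nonce])

    # ---- peer side -------------------------------------------------------
    def handle_update(self, msg: dict):
        """Install the new SA, keep the address UNVERIFIED and challenge it."""
        status = self._verify(msg)
        if status != "ok":
            return status, None
        (addr,) = msg["LOCATOR"]
        if addr not in self.peer_locators and len(self.peer_locators) >= MAX_LOCATORS:
            return "locator limit", None      # DoS guard: no unbounded locator lists
        self.peer_locators[addr] = "UNVERIFIED"
        nonce = secrets.token_hex(8)
        self.pending_echo[addr] = nonce
        new_spi = max(self.inbound_spis, default=0x1000) + 1
        self.inbound_spis.add(new_spi)
        reply = self._send(ACK=msg["SEQ"], ESP_INFO={"old_spi": 0, "new_spi": new_spi},
                           ECHO_REQUEST=[addr, nonce])
        return "ok", reply

    def handle_echo_response(self, msg: dict) -> str:
        status = self._verify(msg)
        if status != "ok":
            return status
        addr, nonce = msg["ECHO_RESPONSE"]
        if self.pending_echo.pop(addr, None) != nonce:
            return "bad nonce"
        self.peer_locators[addr] = "ACTIVE"   # only now may traffic use it
        return "ok"

    def active_locators(self) -> list[str]:
        return sorted(a for a, s in self.peer_locators.items() if s == "ACTIVE")


def run_scenario() -> dict:
    key = bytes.fromhex("00" * 32)            # constructed stand-in for the BEX-derived key
    mobile, peer = HipHost("2001:10::1", key), HipHost("2001:10::2", key)
    out = {}
    upd = mobile.announce_locator("192.0.2.10", new_spi=0x2001)
    out["update"], reply = peer.handle_update(upd)
    out["state_before_echo"] = peer.peer_locators["192.0.2.10"]
    out["reply"], echo = mobile.handle_reply(reply)
    out["echo"] = peer.handle_echo_response(echo)
    out["active"] = peer.active_locators()
    out["replay"] = peer.handle_update(upd)[0]          # same packet again
    forger = HipHost("2001:10::1", b"not the real key")  # knows HIT and SPI only
    out["forged"] = peer.handle_update(forger.announce_locator("198.51.100.9", 0x2002))[0]
    for i in range(10):                                  # locator flood from the real peer
        status, _ = peer.handle_update(mobile.announce_locator(f"203.0.113.{i}", 0x3000 + i))
    out["flood"], out["locators"] = status, len(peer.peer_locators)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The new address is not used for traffic until the echo response carrying the peer's nonce has come back, the replayed UPDATE fails the SEQ check even though its keyed hash is valid, and the forged UPDATE fails the keyed hash before any state is touched; the flood stops at MAX_LOCATORS entries instead of growing without bound.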
Simultaneous user mobility
By extending the research in Publication I, we expanded this work further in Publication II. In Fig. 11, the time between capturing a TCP packet and the associated ACK between two mobile hosts during handover is presented. Handover results in a long Round Trip Time (RTT) due to packet rerouting, reordering and buffering. Our solution utilises the IP multihoming attributes and enables a make-before-break type of handover that results in seamless connectivity for the end-host. The gap of around 58s-75s in Fig. 11 illustrates the RTT and its variation during the handover.
At this point, the RTT suddenly increases to around 60ms from 40ms. This is a variation of around 20ms from the averaged RTT; however, it is still within an acceptable limit (i.e. a 150ms one-way delay for VoIP). Fig. 12 presents a time-sequence diagram of TCP traffic over the same period. Fig. 12.1 zooms in on the time span of the handover event presented in Fig. 11. Note that a set of markers stacked above each other in Fig. 12.2 represents a series of packets that have been sent back-to-back by the vehicular femtocell. As TCP acknowledgments are cumulative [119, 120], the femtocell has no information as to whether some of the data beyond the acknowledged byte has been received.
Fig 11. TCP Round Trip Time (RTT) and its variation during handover.
Fig 12. Time-sequence diagram for TCP traffic.
3.1.3 Evaluation of vehicular femtocell architecture
In Publication I, I simulated the proposed vehicular femtocell scenario, where the cells are deployed on train carriages. We have illustrated the results, including throughput, handover latency, and packet drop rate. With IP multihoming, compared to singlehomed communication, we could improve the consistency of throughput and simultaneously achieve a 123% capacity enhancement together with a 40% reduction in packet drop rate, while moving at an average speed of 72kmph. Publication II corresponds to the evaluation of a different scenario where the femtocells are located on automobiles.
This simulation model evaluates different mobility solutions: one with HIP and the other with Mobile IPv6 (MIPv6). The results reveal a 50% reduction in location update latency at an average speed of 40kmph. Indeed, location update is a critical performance measure as many services are context-aware nowadays.
3.2 Fast initial authentication in WLAN cells
The growth of IEEE 802.11 wireless networks over the last decade has been
tremendous. Wi-Fi has penetrated into different markets all around the world
due to its performance and cost efficiency. However, there is still much work to be
done, especially around mobility in IEEE 802.11 networks [121–125]. Handover
in the same wireless domain is expected to be seamless although IEEE 802.11
by its design limits the feasibility. In Publication III, we propose a solution that
reduces the time spent in initial authentication.
This is an effort towards optimising the authentication process, which shall be achieved by modifying or improving the existing standard or by introducing a completely new standard. In this dissertation, after critically evaluating several proposed solutions, new proposals are made and the most feasible approach is considered for implementation and testing. For this purpose, we set up an 802.11 test bed (in enterprise mode), which is described in this section.
3.2.1 Problem statement
VoIP is gaining acceptance in IEEE 802.11 networks due to the cost effective-
ness it provides. When comparing VoIP over cellular and Wi-Fi networks, it
is evident that cellular networks are bandwidth limited; thus, VoIP experiences
bandwidth constraints when used over cellular access, whereas Wi-Fi has enough
free bandwidth, and hence, provides an uninterrupted service [126].
However, the latter statement is not always true in mobile networks where mobile STAtions (STAs) are on the move from one AP to another, especially when they experience a short dwell time within an AP's coverage area, for example, a fast-moving mobile STA. It is also not true when a large number of users are simultaneously entering an AP for the first time, for example, the 802.11 APs located in a railway station or subway. The reason for this inconvenience is the overhead that the current initial authentication process introduces to a mobile STA when it first enters an ESS [127].
Fast Initial Authentication (FIA) is what mobile stations demand in order to take part in real mobile services. The above use cases justify the need for fast connection setup. Most of the existing solutions improve the current IEEE 802.11 based authentication mechanisms by reducing the number of exchanged messages or by piggybacking upper layer information in the authentication phase [128–132]. However, none of these solutions has achieved the optimum, i.e. a single round trip.
3.2.2 Design goals and challenges
In a nutshell, any FIA solution aims at accomplishing some common goals. Among them, our proposal, by its design, attempts to solve the following problems:
– Enabling access for a large number of simultaneously entering mobile STAs,
– Problems with small dwell time because of high velocity (i.e. access from vehicles) and small cell areas within an Extended Service Area (ESA),
– Securing initial authentication.
Initial authentication is limited to the authentication and association phases. In enterprise networks, eleven out of sixteen of the message exchanges during link setup are consumed by authentication, and two out of sixteen by association processes [133, 134], which means that roughly 80% of the message exchange is related to authentication. Thus, the delay mostly depends on authentication.
There are many doubts about the existence of Open System Authentication
(OSA), which is considered to be a pre-Robust Security Network Association
(RSNA) authentication process, which is no longer acceptable in contemporary
wireless networks [135]. Also, there is a doubt as to the usefulness of the first
three messages of the EAP process. Finally, some proposals introduce eliminat-
ing upper layer information on association request/response messages to speed
up link establishment. However, the approach proposed in Publication III is
different from those.
OSA is a null authentication algorithm as the IEEE 802.11 standard states.
Any STA requesting OSA can be authenticated without any secure credentials.
OSA poses some additional overhead in the already time-consuming EAP process.
For the pre-RSNA WLANs of today, it is considered more secure to authenticate
any mobile STA and then proceed with pre-shared WEP encryption rather than
challenging it with a clear-text nonce in order to authenticate it and then use
WEP encryption [136–138]. However, WEP is considered to be highly insecure
now. The dotted line in Fig. 13 presents the removal of OSA.
The IEEE 802.11-2007 standard for Extended Service Set (ESS) transitions states that authentication is a prerequisite for association. Also, an act of deauthentication in an RSNA network disassociates a STA. Simultaneously, the IEEE 802.1X controlled ports of that STA must be disabled, and Pairwise Transient Key Security Associations (PTKSAs) must be deleted. At this point, deauthentication is an important function in RSNs, and moreover, the association is closely tied to authentication. My understanding is that there is a need to decouple authentication from association, although the state machine poses considerable constraints on doing this.
Fig 13. Supplicant's authentication-association state diagram.
Removal of the first three messages (Extensible Authentication Protocol (EAP) over LAN (EAPoL) Start, EAP Request-ID, and EAP Response-ID) of the EAP process is another FIA approach. In this way, the mobile STA does not have to prove its identity, which in any case is sent in clear text to the AP. This method seems to improve the whole authentication process, but may raise security concerns. Piggybacking other time-consuming processes and performing them in parallel with the association process during link set-up is another approach to optimising authentication [139, 140]. Furthermore, running DHCP over association frames is a promising solution. However, this will not immediately reduce the time spent on authentication; instead, it will accelerate the connection establishment by introducing a concurrent process.
3.2.3 Solution overview
After a comprehensive review of the background and concepts related to the 802.11 authentication process, we understood that there can be direct applications of HIP-DEX in the IEEE 802.11 standard for device authentication and key agreement. Therefore, we propose that HIP can be integrated into the current standard to act as a Key Management System (KMS). HIP-BEX has already been tested in 802.11 networks, although the results turned out not to be so favourable for real-time applications [141–144]. However, neither HIP-BEX nor HIP-DEX has so far been tested for IEEE 802.11 initial authentication.
HIP-DEX has the advantage of having a key model that directly fits the one the 802.11 standard has introduced (MK, PTK, Group Temporal Key (GTK)). The aim here is to let HIP datagrams run over 802.11 authentication frames. We argue that the GTK could be delivered in an Association Response frame as a reply to an Association Request frame that contains a HIP UPDATE datagram. The HIP UPDATE can generally act as a rekeying mechanism when needed. An AP may introduce port-based network access control, as used by the 802.1X framework, for ensuring that only authorised supplicants (STAs) may have access to the network. By introducing a new information element to the beacon and authentication frames, we can initially announce the HIP capabilities of the network [141], and then distinguish HIP traffic.
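The new beacon information element mentioned above, as an added example of how a supplicant would parse it; this is not code from the dissertation or from any 802.11 implementation. The element format (one ID byte, one length byte, then the value) and the vendor-specific element ID 221 are standard 802.11; the OUI, the element type, the flag bits and the payload layout (flags plus the responder's IPv6 address) are assumptions made up for this example. The parser stops at the first element whose declared length overruns the frame, which is the bounds check a frame parser must not skip.

```python
"""Parsing 802.11 information elements (IEs) from a beacon body and picking out
a HIP-capability announcement.

Added example, not from the dissertation or any 802.11 implementation. The
element format (ID, length, value) and element ID 221 (vendor specific) are
standard; OUI, element type, flag bits and payload layout are assumptions.
"""
import ipaddress

IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_VENDOR_SPECIFIC = 221

HIP_OUI = b"\x00\x11\x22"     # placeholder OUI, not a registered one
HIP_IE_TYPE = 0x01            # assumed vendor element type for "HIP capability"
FLAG_HIP_DEX = 0x01           # assumed flag: the responder accepts HIP-DEX
FLAG_HIP_BEX = 0x02           # assumed flag: the responder accepts HIP-BEX
HIP_IE_LEN = 3 + 1 + 1 + 16   # OUI + type + flags + IPv6 responder address


def build_ie(eid: int, payload: bytes) -> bytes:
    if len(payload) > 255:
        raise ValueError("IE payload exceeds the one-byte length field")
    return bytes([eid, len(payload)]) + payload


def build_hip_ie(flags: int, responder: str) -> bytes:
    payload = HIP_OUI + bytes([HIP_IE_TYPE, flags]) + ipaddress.IPv6Address(responder).packed
    return build_ie(IE_VENDOR_SPECIFIC, payload)


def parse_ies(body: bytes):
    """Walk the TLV list. Returns (elements, truncated).

    Stops at the first element whose declared length overruns the buffer
    instead of reading past it.
    """
    elems, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            return elems, True                  # lone ID byte, no length byte
        eid, ln = body[off], body[off + 1]
        if off + 2 + ln > len(body):
            return elems, True                  # length claims more than remains
        elems.append((eid, bytes(body[off + 2: off + 2 + ln])))
        off += 2 + ln
    return elems, False


def hip_capability(elems):
    """(flags, responder address) from the first well-formed HIP IE, else None."""
    for eid, val in elems:
        if eid != IE_VENDOR_SPECIFIC or len(val) != HIP_IE_LEN:
            continue
        if val[:3] != HIP_OUI or val[3] != HIP_IE_TYPE:
            continue
        return val[4], str(ipaddress.IPv6Address(val[5:21]))
    return None


def constructed_beacon() -> bytes:
    """Beacon IE section: SSID, basic rates and the HIP IE (all values made up)."""
    return (build_ie(IE_SSID, b"lab-hip")
            + build_ie(IE_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
            + build_hip_ie(FLAG_HIP_DEX, "fe80::1"))


if __name__ == "__main__":
    for body in (constructed_beacon(), constructed_beacon()[:-5]):
        elems, truncated = parse_ies(body)
        print("truncated:", truncated, "HIP:", hip_capability(elems))
```

A supplicant that finds the element learns both that the network speaks HIP and where the responder is, so it can skip the HIP exchange on networks that do not advertise it; a beacon cut short in the air (the second run) yields only the elements that were complete, never a partially read one.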
The proposed scheme in Fig. 14 introduces a much simpler architecture and
seamless handovers within the same ESS. More specifically, the established HIP-
DEX SAs can be preserved during handovers within the same ESS, as the SA
establishment is valid between the mobile STA and the wireless controller. Thus,
only the controller, which has the appropriate level of trust by the Authentication
Server (AS), should be responsible for communicating with the AS.
However, the STA and the controller must share long-lasting secure associations, which indeed provide mutual authentication. In Fig. 15, the proposed authentication procedure for commercial deployment is presented. First, the access point must transmit beacon frames to advertise the HIP capabilities of the network and the responder's address. Optionally, the mobile STA performs active scanning and initiates the HIP exchange with the controller's link-local or predefined multicast address [141]. Thereby, the initiator triggers OSA and association, which is followed by the HIP-DEX exchange with the controller, while the AP acts as a relay for the incoming traffic. By now, the uncontrolled port is unblocked in order to allow the HIP traffic to reach the controller (responder). The responder, upon reception of the I2 message, communicates with the AS in order to authenticate the initiator and replies accordingly. This allows ESP SAs to be established and ESP-protected traffic to flow without HIP overhead.
Fig 14. Supplicant's authentication architecture for HIP-DEX.
In ESS transition (i.e. transition between wireless controllers), mobility may
either include rekeying or not and should use the HIP UPDATE messages to in-
form the peer of changing of the IP address. This certainly promises a reduction
in the number of authentication messages. Thereby, the authentication round-
trips would be reduced to 1.5. Thus, we believe that DEX can provide delays
that can be tolerated by most time-constrained applications. More specifically,
compared to Wireless Protected Access (WPA2) AKM, the solution we propose
in Publication III is proven to be highly efficient.
In terms of exchanged data, the HIP-DEX based approach needs no more than 550 bytes to complete the AKM process. Taking into account the fact that every HIP-DEX message is encapsulated into an authentication frame (approximately 40 bytes), a total of 542 bytes for the complete 4-way handshake can be counted. WPA2 operation may require the exchange of around 1,300 bytes until the whole AKM process is completed [134, 145]. Although this number may fluctuate depending on the security-specific WPA2 mechanisms used, the advantage of the solution described above is the seamless BSS handover and the quite low overhead that HIP-DEX poses on the wireless controller during ESS transition.
Fig 15. Fast initial authentication with HIP-DEX.
Compared to WPA2, HIP-DEX has an impressive performance in terms of bytes exchanged. However, the HIP-BEX challenge may introduce some additional delay at the receiver due to processing. This makes HIP-BEX unfavourable for delay-sensitive applications. Of course, the purpose of HIP-DEX is to simplify and eliminate the above constraints. Additionally, it would be a major revision of the IEEE 802.11 standard to adopt a completely new concept for AKM operations. It is mostly the willingness of the vendors that will define the potential for this migration to occur, once they are convinced that HIP can make a difference. However, so far, many attempts to convince them have already been turned down due to backward compatibility concerns.
3.2.4 Implementation guidelines
The design of our solution requires the Linux kernel code to be modified. IEEE
802.11 standard implementation is composed of different subsystems, where each
is responsible for a particular function. Below, we summarise the functional
elements in Fig. 16 that are associated with our solution:
– mac80211: includes the MAC Layer Management Entity (MLME) and is responsible for implementing shared code for soft-MAC/half-MAC wireless
– cfg80211: responsible for checking the protocol translation
– nl80211: provides userspace with access to cfg80211 functions by means of wpa_supplicant and hostapd
– wpa_supplicant: userspace module to incorporate with cfg80211
– hostapd: userspace module to implement the access point's MLME, which is closely bound up with nl80211
– Userspace Station Management Entity (SME): responsible for authentication and association methods.
The Linux system implements the “wpa_supplicant” module which is responsible
for the key negotiation of the supplicant with the authenticator and controls the
handover, as well as the authentication and association phases. The “hostapd”
is the corresponding module for the access point or the authenticator. These
modules share some common code and directly interact with the lower-level
subsystems through the nl80211 interface. The “wpa_supplicant_event()” func-
tion is critical for any code modification. The actual authentication/association
exchanges begin here. A mobile STA first performs a scan for available APs.
Based on the beacon frames or probe responses depending on the type
of scanning it supports, it generates an “EVENT_SCAN_RESULTS” event
in the “wpa_supplicant_event()” function and normally continues on to the
“wpa_supplicant_scan_results()” where it picks the requested network. Then
it transfers to the “wpa_supplicant_associate()” function through the interme-
diate “wpa_supplicant_connect()” function.
All of the next AKM operations continue by following the same idea. The association starts from the "ieee80211_association()" function or directly from the "wpa_drv_associate()" function, which is closer to the driver level. On the AP side, the "ieee802_11_mgmt()" function is the place where all the incoming management frames listed in "ieee802_11_defs.h" are processed.
Fig 16. Wireless subsystem architecture.
3.2.5 Prototyping and evaluation approach
The prototype system consists of a large number of code lines that are interconnected and difficult to analyse. The supplicant and authenticator have the following configurations: the supplicant has an i5 CPU of 2.67GHz and the authenticator a CPU of 2.16GHz, both running the 2.6.35 Linux kernel. The authenticator has an Atheros AR5001X+ wireless network adapter, and the supplicant is equipped with an integrated wireless network adapter.
The authenticator is configured to operate on a preconfigured channel, whereas the supplicant scans all of the channels until it detects the correct Service Set IDentification (SSID). Channel configuration is important when supplicants use fast inter-AP transition. IEEE 802.11r can reduce the delay, at least in the transition between APs. However, neither 11r nor 11i addresses the actual problem of initial authentication. On the other hand, time synchronisation between STAs and APs in the same BSS would take up to 2ms, which is counted in the total authentication delay. Attempts to minimise this delay require modifications at the driver level, which also imply some reinforcements of the 802.11 amendments.
Thus, our work is focused on minimising the delay in the protocol-level attachment that goes through several phases, such as authentication, association, key generation and exchange. In any authentication scheme, the most time-consuming process is the AKM. Thus, the developers' main focus for the AKM should be to reduce the latency, which results in suppressing the overall delay in 802.11 without weakening the security aspects. HIP-DEX is a secure AKM scheme that fits many delay-constrained applications, due to the improved security that it provides with ECC and its comparatively lower overhead. The HIP-DEX module was developed in C++ with the support of OpenSSL version 1.0.1c with ECC point multiplication for the Elliptic Curve Diffie-Hellman (ECDH) handshake [146].
WPA2 is developed on top of the RSN framework, which provides support for all WPA mechanisms, including Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption based on AES ciphering (a 128-bit key in our case) as an alternative to the Temporal Key Integrity Protocol (TKIP) in WPA. AES lowers the complexity of message encryption, and thus also reduces the authentication delay. More specifically, the mean authentication delay for WPA was measured to be around 0.103s and with WPA2 it was around 0.093s. According to ITU-T G.114, for VoIP applications, the maximum affordable one-way latency is 0.15s. Since the previous results include the entire voice path, those networks should have a transit latency considerably less than 0.15s. Taking the scan delay together with the authentication delay, neither WPA nor WPA2 fits today's real-time mobile applications.
Our implementation allows us to measure the averaged delay of HIP-WPA (0.0305s), which is more than a 300% improvement compared to WPA2. It also protects the hosts from replay attacks by using the puzzle as a nonce and Cipher-based MAC (CMAC) in the ECDH key generation. HIP-DEX uses AES encryption to protect against eavesdropping and ECDH to mitigate spoofing and Sybil attacks. However, passive attacks such as HIT spoofing have a limited effect depending on how often the initiator communicates with the spoofing responder.
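The puzzle used as a nonce in the paragraph above, and the "difficulty of the cookies" lever from the DoS discussion in Section 3.1, as one added example that is not code from the dissertation or from any HIP implementation. It follows the puzzle rule of the HIP base exchange (find J such that the lowest K bits of a hash over I, both HITs and J are zero) but uses SHA-256 rather than the HIP-specified hash, derives I from a responder secret so that the responder stores no state per I1, and adds an epoch counter of its own for invalidating outstanding puzzles; the HITs are constructed values.

```python
"""HIP-style puzzle (cookie) with tunable difficulty, issued and verified
statelessly by the responder.

Added example, not from the dissertation or any HIP implementation. The puzzle
rule mirrors the HIP base exchange; SHA-256, the HMAC-derived I, the epoch
counter and the constructed HITs are this example's own choices.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

HIT_I = ipaddress.IPv6Address("2001:10::1").packed   # constructed initiator HIT
HIT_R = ipaddress.IPv6Address("2001:10::2").packed   # constructed responder HIT


def low_bits_zero(digest: bytes, k: int) -> bool:
    """Puzzle condition: the lowest k bits of the digest are all zero."""
    return int.from_bytes(digest, "big") & ((1 << k) - 1) == 0


def puzzle_hash(I: bytes, hit_i: bytes, hit_r: bytes, J: bytes) -> bytes:
    return hashlib.sha256(I + hit_i + hit_r + J).digest()


class Responder:
    """Issues I without storing it: I is recomputed from a secret on verification."""

    def __init__(self, k: int) -> None:
        self.secret = os.urandom(32)
        self.k = k            # difficulty; raise it when under load
        self.epoch = 0        # bumping it invalidates every outstanding puzzle

    def _make_I(self, hit_i: bytes, hit_r: bytes, epoch: int) -> bytes:
        msg = hit_i + hit_r + struct.pack(">I", epoch)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def issue(self, hit_i: bytes, hit_r: bytes):
        """R1 contents modelled here: nonce I, difficulty K and the epoch."""
        return self._make_I(hit_i, hit_r, self.epoch), self.k, self.epoch

    def verify(self, hit_i: bytes, hit_r: bytes, I: bytes, J: bytes, epoch: int) -> bool:
        """I2 check: one HMAC and one hash, no lookup table, no per-I1 state."""
        if epoch != self.epoch:
            return False
        if not hmac.compare_digest(self._make_I(hit_i, hit_r, epoch), I):
            return False
        return low_bits_zero(puzzle_hash(I, hit_i, hit_r, J), self.k)

    def rotate(self) -> None:
        self.epoch += 1


def solve(I: bytes, hit_i: bytes, hit_r: bytes, k: int, limit: int = 1 << 24):
    """Initiator side: brute-force J; expected work grows as 2**k."""
    for n in range(limit):
        J = n.to_bytes(8, "big")
        if low_bits_zero(puzzle_hash(I, hit_i, hit_r, J), k):
            return J, n + 1
    raise RuntimeError("no solution within limit")


def run_exchange(k: int = 10) -> dict:
    r = Responder(k)
    I, k_out, epoch = r.issue(HIT_I, HIT_R)
    J, tries = solve(I, HIT_I, HIT_R, k_out)
    bad_J = next(n.to_bytes(8, "big") for n in range(1 << 16)
                 if not low_bits_zero(puzzle_hash(I, HIT_I, HIT_R, n.to_bytes(8, "big")), k_out))
    out = {"tries": tries, "valid": r.verify(HIT_I, HIT_R, I, J, epoch)}
    out["wrong_J"] = r.verify(HIT_I, HIT_R, I, bad_J, epoch)
    out["wrong_hit"] = r.verify(HIT_R, HIT_I, I, J, epoch)     # solution is tied to the HIT pair
    r.rotate()
    out["after_rotation"] = r.verify(HIT_I, HIT_R, I, J, epoch)  # stale puzzles stop working
    return out


if __name__ == "__main__":
    print(run_exchange())
```

The cost asymmetry is the point: the initiator spends about 2**k hash evaluations per solution, while the responder spends one HMAC and one hash per I2 and keeps nothing between R1 and I2, so a flood of I1 messages cannot exhaust its memory and raising k during a flood raises only the sender's cost.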
3.3 OpenFlow based secure mobile backhaul
In recent years, mobile backhaul networks have undergone a period of significant evolution and innovation, and this trend is set to continue for the foreseeable future. The vehicular cell scenarios described in this dissertation have been widely researched, although researchers have not yet come up with a unique solution to meet the expected demand. The major challenges here are seamless connectivity, session continuity and signalling overhead. Most traditional IP protocols fail to enable seamless user connectivity to the Internet while roaming. A system that would dynamically adjust to the changing network topology and flow dynamics is beneficial in this case. Therefore, it is important for the network controller to have an overall view of the network. WLAN has a flexible framework compared to cellular systems, which could be easily adapted to different user scenarios and is also cost-effective as a backhauling solution.
The literature in this area reveals that virtualising the resources would effectively solve the resource allocation problem in a mobile environment. To meet this demand, the Software Defined Networking (SDN) approach is suggested in this thesis. OpenFlow is an SDN enabler which provides flexible flow management and high-level control over the forwarding infrastructure. On one hand, there is a barrier to possessing a mechanism or platform in which one can readily innovate. On the other hand, it is difficult to differentiate between different wireless technologies due to the proprietary protocols or interfaces that they implement. It is expected that the current SDN architecture would solve these problems effectively. OpenFlow evolved inside the network core with static flows [69, 147, 148]. However, it does not support user mobility, cell mobility or SDN controller mobility.
In deploying OpenFlow in the WLAN backhaul, it must also guarantee communication security between the mobile cells and the network controller. Although current SSL-based encryption is capable of encrypting this channel, SSL will not support encrypting the mobile backhaul. Therefore, a new mechanism to encrypt the channel must be provided. Fig. 17 presents the OpenFlow switch architecture. The OpenFlow channel may use either plain TCP or TCP over SSL/TLS [149]. When using plain TCP, it is recommended to use alternative security measures to prevent eavesdropping, controller impersonation, or other attacks on the OpenFlow channel. The OpenFlow switch specification version 1.4 describes the use of TLS for encrypting traffic between the switch and the controller. The TLS connection is initiated by the switch to the controller on start-up over the default TCP port 6653 [149]. However, the use of TLS is optional according to the specification. Figs. 18 and 19 present the delay in TCP and TLS connection establishment. It is seen that secure connection establishment takes more than twice the time of TCP connection establishment, which is not favourable for the "mobile cell" scenario. This issue is extensively studied in this dissertation.
Fig 17. OpenFlow based switch architecture.
3.3.1 Problem statement
The lack of mobility support is indeed a shortcoming that limits the feasibility of using OpenFlow in vehicular communication. In terms of mobility, we can think of two basic mobility scenarios: 1) user mobility in a wireless environment; and 2) moving networks or network mobility, where a set of users follow a mobile cell. User mobility in OpenFlow networks has been realised in previous studies, although network mobility with OpenFlow has not yet been proposed or realised in the available literature. For example, we could consider moving cells, such as vehicular APs, mobile femto base stations, or mobile pico-cells. Thus, studying the feasibility of using OpenFlow on moving cells is a potential research area that would offer all SDN benefits to the users following the cell.
Fig 18. Delay in insecure connection establishment (switch to controller).
Fig 19. Delay in secure connection establishment (switch to controller).
The mobile cells must always use a wireless backhaul to connect to the Internet or the provider edge. In an earlier section, we have already presented a promising cost-effective solution for traffic backhauling. To enable SDN-based cell mobility, it is important to maintain the connectivity between the moving cell and the controller, since the controller is the root of the network that is responsible for the operations of the underlying forwarding elements, which are initially dumb (without inbuilt intelligence to operate on their own) without the controller.
This isolation leaves the underlying network elements with no option for handling upcoming events, as they operate on instructions from the controller or from applications running on it. This is the reason why cell mobility with OpenFlow is critical, unlike in the legacy network architecture. However, multipath connectivity [150, 151] and/or distributed controllers would provide solutions to overcome this problem. Multiple connections between the mobile cell and the controller will provide seamless connectivity even if one channel fails. For this to work, the mobile cells must support IP multihoming. Besides this, multipath connectivity inspired by IP multihoming assures the efficient use of installed bandwidth and increased robustness through the simultaneous use of potentially diversified paths. This would result in optimal utilisation of the available network resources.
The limitations of the current OpenFlow version call for modifications to enable the flexibility to move a cell. More specifically, below we present a summary of shortcomings related to mobility with OpenFlow, which we are trying to solve in this research.
– Flow processing: A change of address would disrupt flow processing at the network switches. Thus, this requires regular updates to the flow tables.
– Secure session management: Changing an IP address may also tear down active SSL/TCP sessions.
– Secure handover: The problem of mutual authentication and reauthentication. SSL cannot support mobility alone, and certificate exchange would not be preferable for fast-moving wireless clients.
– Flow rule management: A change of IP address to solve the latter issue causes additional overhead, since the flow rules must be updated frequently.
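The first and last shortcomings in the list above (flow processing disrupted by an address change, and the flow-rule churn that fixing it by readdressing causes), as an added example that is not code from the dissertation or from any OpenFlow switch. It models an exact-match flow table with priorities and a table-miss action that hands the packet to the controller, then changes the cell's IP address and counts the flow modifications needed; the addresses, the port number 6653 as the controller port and the rule set are constructed, and fields absent from a rule's match act as wildcards.

```python
"""OpenFlow-style flow table for a mobile cell and the rule churn caused by a
change of the cell's IP address.

Added example, not from the dissertation or any OpenFlow switch. Exact-match
fields with priorities only; a table miss yields a packet-in to the controller.
Addresses, ports and rules are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRule:
    priority: int
    match: tuple      # ((field, value), ...); fields not listed are wildcards
    actions: tuple


class FlowTable:
    def __init__(self) -> None:
        self.rules: list[FlowRule] = []

    def add(self, priority: int, match: dict, *actions: str) -> None:
        self.rules.append(FlowRule(priority, tuple(sorted(match.items())), actions))

    def lookup(self, pkt: dict) -> tuple:
        """Highest-priority rule whose every match field equals the packet's."""
        best = None
        for rule in self.rules:
            if all(pkt.get(f) == v for f, v in rule.match):
                if best is None or rule.priority > best.priority:
                    best = rule
        return best.actions if best else ("packet-in",)   # table miss

    def rules_bound_to(self, ip: str) -> list[FlowRule]:
        return [r for r in self.rules if any(v == ip for _, v in r.match)]

    def readdress(self, old: str, new: str) -> int:
        """Rewrite every rule naming `old`; returns how many flow mods that takes."""
        changed = 0
        for i, rule in enumerate(self.rules):
            if any(v == old for _, v in rule.match):
                match = tuple((f, new if v == old else v) for f, v in rule.match)
                self.rules[i] = FlowRule(rule.priority, match, rule.actions)
                changed += 1
        return changed


def build_table(cell_ip: str, ctrl_ip: str = "192.0.2.1") -> FlowTable:
    t = FlowTable()
    t.add(100, {"ipv4_src": cell_ip, "ipv4_dst": ctrl_ip, "tcp_dst": 6653}, "output:uplink")
    t.add(100, {"ipv4_src": ctrl_ip, "ipv4_dst": cell_ip, "tcp_src": 6653}, "output:local")
    t.add(50, {"ipv4_src": cell_ip}, "output:uplink")       # user traffic behind the cell
    t.add(10, {"eth_type": 0x0806}, "output:flood")         # ARP, unaffected by the move
    return t


def simulate_move() -> dict:
    old, new = "198.51.100.10", "203.0.113.20"
    t = build_table(old)
    ctrl_pkt = {"ipv4_src": new, "ipv4_dst": "192.0.2.1", "tcp_dst": 6653}
    out = {
        "before_move": t.lookup({**ctrl_pkt, "ipv4_src": old}),
        "after_move": t.lookup(ctrl_pkt),           # rules still name the old address
        "affected": len(t.rules_bound_to(old)),
    }
    out["flow_mods"] = t.readdress(old, new)        # what the controller has to push
    out["after_update"] = t.lookup(ctrl_pkt)
    out["arp"] = t.lookup({"eth_type": 0x0806})
    return out


if __name__ == "__main__":
    print(simulate_move())
```

After the move, even the cell's own traffic towards the controller misses the table and becomes a packet-in, which has to travel over the very channel the address change just interrupted; every rule that named the old address (three of four here) then needs a separate flow modification, and that count grows with the number of flows pinned to the cell's locator.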
3.3.2 Scenario description
We consider a travelling mobile user who is directly associated with a mobile base
station, vehicular access point, mobile femtocell, or any other mobile cell that is
moving along with its users, as shown in Fig. 20.
This can be described briefly as a “network mobility” scenario. The current
OpenFlow implementation (version 1.4.0) does not support moving networks.
Fig 20. OpenFlow-based cell mobility.
Network mobility is a well-investigated research area in IP-based legacy
networks. NEMO is a widely used network mobility protocol which maintains a
bi-directional tunnel to a “Home Agent” that advertises an aggregation of mobile
networks to the infrastructure [152, 153]. The “Mobile Router” in the NEMO
architecture acts as the default gateway for the mobile network, aggregating
traffic from the clients [154]. The “Mobile Router” is a common approach because
it avoids any modification to the nodes in the mobile cell, which reduces complexity.
These solutions are completely IP-based and still require an anchor point,
which may result in sub-optimal routing, since all traffic passes through the
anchor. This approach may also require the mobile router to acquire a block of
new addresses rather than a single address.
This is only one way to achieve “network mobility”. Creating a tunnel from the
mobile router to some home router in the operator network is another approach
to backhauling traffic in moving networks. Besides this, a mobile node may
delegate the right to perform mobility-related signaling to the “mobile router”.
Under certain conditions, this delegation may be further extended to another
router on the fixed network side. We believe that a combination of these potential
solutions would be more effective than implementing any of them alone.
However, in this thesis, we limit our contributions to the backhaul between the
mobile cell and the controller. A change in the point of attachment to the network
edge results in IP-layer discontinuity, since it interrupts the channel between the
cell and the controller. This disrupts packet processing at the mobile cell and makes
the mobile stations following the cell unreachable to their associated peers.
3.3.3 Solution overview
The IP-based connectivity between the switch and the controller is unstable
under mobility. Isolation of a switch from the controller leaves it entirely
unmanaged [155]. Since the sessions are built on top of IP addresses, mobility
disrupts packet processing [156]. Thus, we propose HIP-based permanent identifiers
to establish secure control channels between the switch and the controller.
Fig 21. OFHIP layered architecture.
We name this solution “OFHIP” for convenience of later reference.
OFHIP implements a HIP layer in the switch and the controller to establish
a secure channel between them. This channel encrypts the OpenFlow messages
with IPsec ESP. The HIP-based mutual authentication provides the keying
material for IPsec. OFHIP does not, however, recover the discontinuity of the
network-layer associations; instead, it introduces multipath connectivity
to the controller and a fast locator update procedure to manage switch/controller
mobility. On the one hand, switch mobility extends SDN’s benefits to mobile
cells; on the other hand, OFHIP supports controller migration, which is
needed in network virtualisation. Fig. 21 presents the proposed solution.
The secure control channel only encrypts the traffic between the switch and
the controller, without modifying the standard OpenFlow messages. Because of
the encryption and decryption on either side of the channel, we would expect
some loss of throughput. However, throughput is not the major concern for a
control channel, since it carries only control information and no
user-originated traffic. The control channel characteristics are presented in
Publication IV. Fig. 22 illustrates the OFHIP message exchange at the initiation
of the secure channel. With cell mobility, the controller must be notified of the
new point of attachment using HIP UPDATE messages. Then, the switch and
the controller must change their local bindings at the HIP sub-layer (new IP
addresses).
Both the SPI and the IP addresses may be changed simultaneously in a
single UPDATE. When the switch is multihomed (has more than one globally
routable address), multiple addresses are available at the HIP sub-layer as
alternative locators for fault tolerance. This may mean configuring multiple IPv4
and IPv6 addresses on the same interface, or using multiple interfaces attached
to different service providers. However, it requires maintaining a separate
ESP SA for each interface, so that packets arriving over different paths do not
fall outside of the ESP anti-replay window.
Multihoming thus makes it possible for the bindings to be many-to-many in
the outbound direction of the switch. This enables multipath connectivity to the
controller and enhances fault tolerance and robustness. However, only one SPI
and address pair can be used for any given packet, so the switch and the controller
must manipulate these bindings dynamically. Beyond locally managing such
multiple bindings, the peer-to-peer HIP signaling protocol needs to be flexible
enough to define the desired mappings between HITs, SPIs and addresses, and
needs to ensure that UPDATE messages are sent along the right network paths.
The re-establishment of the control channel may or may not involve rekeying. In
any case, a handover disconnects the current TCP-layer associations; thus, at each
handover, the TCP-layer associations are reset. TCP takes only a few
milliseconds for connection establishment. By using the available locators
simultaneously we expect improved throughput, and by using them sequentially
we expect seamless mobility through a “make-before-break” type of handover.
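The requirement that a multihomed switch keep one ESP SA per path is easy to state but worth seeing fail. The following is an added example, not code from the thesis or from its OFHIP implementation: it models the controller's inbound anti-replay check as the sliding window of RFC 4303 section 3.4.3 and sends constructed control traffic over two paths of different one-way delay. With a single shared SA (one sequence-number space, one window) the packets that arrive over the slower path fall behind the window and are discarded as replays; with one SA per path every packet is accepted. The window size and the path delays are assumed values chosen to make the effect visible.

```python
"""Added example (not from the thesis): why OFHIP keeps one ESP SA per path.

Two paths of different delay between a multihomed switch and its controller.
With one shared SA the slow path's packets fall outside the anti-replay
window; with one SA per path (own SPI, own sequence space) nothing is lost.
The window follows RFC 4303 section 3.4.3; traffic and delays are constructed.
"""

WINDOW = 8   # assumed window size in packets (RFC 4303 requires at least 32; small here)


class AntiReplayWindow:
    """Sliding anti-replay window over ESP sequence numbers (RFC 4303, 3.4.3)."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  <=>  sequence number (top - i) was accepted

    def accept(self, seq):
        """Return True if seq is fresh and inside the window, False if it must be dropped."""
        mask = (1 << self.size) - 1
        if seq > self.top:                 # new high-water mark: slide the window right
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
            return True
        age = self.top - seq
        if age >= self.size:               # older than the window: cannot be checked, drop
            return False
        if self.bitmap & (1 << age):       # already received: replay, drop
            return False
        self.bitmap |= 1 << age            # late but in-window: accept and record
        return True


class EspSa:
    """Outbound side of one ESP SA: its own SPI and sequence-number counter."""

    def __init__(self, spi):
        self.spi = spi
        self.next_seq = 1                  # ESP sequence numbers start at 1

    def send(self, payload):
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        return (self.spi, seq, payload)


def run_multipath(n_per_path=20, delays=(0, 6), shared_sa=True):
    """Send n_per_path packets on each of two paths with the given one-way delays.

    shared_sa=True : both paths use the same SA (one sequence space, one window).
    shared_sa=False: one SA per path, as OFHIP requires.
    Returns (accepted, dropped) as counted by the controller's inbound windows.
    """
    if shared_sa:
        sas = [EspSa(spi=0x100)] * 2       # same SA object on both paths
    else:
        sas = [EspSa(spi=0x100), EspSa(spi=0x200)]
    # Constructed traffic: in every slot t the switch emits one packet per path.
    in_flight = []
    for t in range(n_per_path):
        for path, (sa, delay) in enumerate(zip(sas, delays)):
            spi, seq, payload = sa.send(f"OFPT_PACKET_IN#{t}/path{path}")
            in_flight.append((t + delay, path, spi, seq, payload))
    # The controller processes packets in arrival order (ties keep path order).
    in_flight.sort(key=lambda p: (p[0], p[1]))
    windows = {}                           # SPI -> inbound anti-replay window
    accepted = dropped = 0
    for _arrival, _path, spi, seq, _payload in in_flight:
        win = windows.setdefault(spi, AntiReplayWindow())
        if win.accept(seq):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


if __name__ == "__main__":
    print("shared SA  (accepted, dropped):", run_multipath(shared_sa=True))
    print("SA per path (accepted, dropped):", run_multipath(shared_sa=False))
```

With a delay difference of 6 slots and a window of 8 the shared SA drops 15 of the 40 packets; the same traffic over two SAs loses nothing, because each window only ever sees in-order sequence numbers from its own path.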
3.3.4 Security consideration
By replacing the SSL/TLS-based security of OpenFlow, we have introduced the HIP
Diet Exchange (HIP-DEX) for mutually authenticating the forwarding elements to
the controller.
Fig 22. Message exchange for HIP-aware mobile switch.
HIP is designed to provide secure authentication and to limit the exposure of
the hosts to various DoS and MitM attacks. HIP-DEX replaces the SIGMA-style
authenticated Diffie-Hellman key exchange of BEX with an exchange of randomly
generated keying material encrypted under a Diffie-Hellman derived key [89, 157],
to which both the forwarding element and the controller contribute. The
strength of the key depends on the quality of the secrets [158, 159].
It is extremely difficult to compromise a HIP sub-layer-assigned identity (i.e.
an HI) because of the way in which they are generated, but if one is compromised,
all HIP connections protected by that HI are open to attack. The puzzle
mechanism in DEX works the same way as in BEX, but uses CMAC to provide
assurance of the authenticity, and hence the integrity, of the binary data. In the
HIP-DEX implementation, the R1 packet is unprotected and offers an attacker
a new vector for resource-exhaustion attacks against the switch. This can be
mitigated by having the switch process a received R1 only when it has itself
sent an I1 and is still waiting for the reply.
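The two mechanics in this paragraph, the R1 puzzle that protects the controller and the “only after our own I1” rule that protects the switch, are shown together in the following added example, which is not code from the thesis or from an OFHIP implementation. The puzzle has the shape given in RFC 9374: a keyed MAC over HIT-I | HIT-R | J, keyed with the 8-octet cookie I, whose lowest K bits must be zero. AES-CMAC is not in the Python standard library, so HMAC-SHA256 is assumed here in its place; the puzzle mechanics do not depend on which keyed function is used. The class names, the HIT values and the difficulty K are constructed for the example.

```python
"""Added example, not from the thesis: HIP-DEX puzzle plus the switch-side R1 rule.

Responder (controller) issues a fresh cookie I in R1 and verifies the solution J
in I2.  MobileSwitch (initiator) solves puzzles only for responders it has sent
an I1 to and is still waiting on, so an unsolicited R1 flood costs it no work.
Assumption: HMAC-SHA256 stands in for the CMAC of RFC 9374.  HITs are constructed.
"""
import hashlib
import hmac
import os


def puzzle_mac(cookie_i, hit_i, hit_r, j):
    # Assumed stand-in for CMAC(I, HIT-I | HIT-R | J); the cookie I is the MAC key.
    return hmac.new(cookie_i, hit_i + hit_r + j, hashlib.sha256).digest()


def puzzle_ok(cookie_i, hit_i, hit_r, j, k):
    """True if the lowest K bits of the MAC are zero (Ltrunc(MAC, K) == 0)."""
    val = int.from_bytes(puzzle_mac(cookie_i, hit_i, hit_r, j), "big")
    return val & ((1 << k) - 1) == 0


def solve_puzzle(cookie_i, hit_i, hit_r, k, max_tries=1 << 24):
    """Brute-force a solution J; expected cost is about 2**K MAC evaluations."""
    for n in range(max_tries):
        j = n.to_bytes(8, "big")           # J is 8 octets in RFC 9374
        if puzzle_ok(cookie_i, hit_i, hit_r, j, k):
            return j
    raise RuntimeError("puzzle difficulty too high for max_tries")


class Responder:
    """Controller side: hands out a fresh cookie I in R1 and checks I2."""

    def __init__(self, hit, k):
        self.hit, self.k = hit, k
        self.outstanding = set()           # cookies issued and not yet consumed

    def r1(self):
        cookie_i = os.urandom(8)           # I is 8 octets in RFC 9374
        self.outstanding.add(cookie_i)
        return {"type": "R1", "hit_r": self.hit, "I": cookie_i, "K": self.k}

    def on_i2(self, i2):
        ok = (i2["I"] in self.outstanding
              and puzzle_ok(i2["I"], i2["hit_i"], self.hit, i2["J"], self.k))
        if ok:
            self.outstanding.discard(i2["I"])   # one solution per cookie: no replay
        return ok


class MobileSwitch:
    """Initiator side with the rule: process R1 only after our own I1."""

    def __init__(self, hit):
        self.hit = hit
        self.pending_i1 = set()            # HITs of responders we are waiting on
        self.puzzles_solved = 0

    def i1(self, hit_r):
        self.pending_i1.add(hit_r)
        return {"type": "I1", "hit_i": self.hit, "hit_r": hit_r}

    def on_r1(self, r1):
        if r1["hit_r"] not in self.pending_i1:
            return None                    # unsolicited R1: drop before doing any work
        j = solve_puzzle(r1["I"], self.hit, r1["hit_r"], r1["K"])
        self.puzzles_solved += 1
        self.pending_i1.discard(r1["hit_r"])
        return {"type": "I2", "hit_i": self.hit, "hit_r": r1["hit_r"],
                "I": r1["I"], "J": j}


def demo(k=10):
    """One legitimate I1/R1/I2 exchange, then 100 unsolicited R1s at the switch."""
    controller = Responder(hit=b"\x20\x01\x00\x30" + b"\xc1" * 12, k=k)   # constructed HIT
    switch = MobileSwitch(hit=b"\x20\x01\x00\x30" + b"\x5e" * 12)          # constructed HIT
    switch.i1(controller.hit)
    i2 = switch.on_r1(controller.r1())
    legit = controller.on_i2(i2)
    ignored = sum(switch.on_r1(controller.r1()) is None for _ in range(100))
    return {"legit_accepted": legit, "puzzles_solved": switch.puzzles_solved,
            "unsolicited_r1_ignored": ignored}


if __name__ == "__main__":
    print(demo())
```

Two details matter for a real deployment: the responder must remember which cookies it issued (otherwise a solution for a stale or invented I is accepted), and the initiator must key its pending state on the responder's HIT, since that is the only field of an unprotected R1 it can check before spending CPU on the puzzle.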
On the other hand, the IPsec encryption between the switch and the controller
protects the control information. The use of ESP can provide confidentiality,
data origin authentication, connectionless integrity, an anti-replay service,
and (limited) traffic flow confidentiality [160, 161]. However, the set of
security services actually provided depends on the options selected at the time
of SA establishment and on the location in the network.
3.3.5 Evaluation of results
Our solution replaces the SSL/TLS-based mutual authentication in OpenFlow
version 1.0.0 with the HIP Diet Exchange. This allows OpenFlow mobility to be
extended to moving networks with enhanced security. In a nutshell, our solution,
“OFHIP”, encrypts the switch-to-controller channel using keys securely
established with the HIP Diet Exchange. It is implemented as a separate
module on top of the OpenFlow implementation.
In our test bed, we compare OFHIP and SSL-based channel establishment.
In order to use SSL with OpenFlow, it is necessary to set up a public-key
infrastructure, which includes a pair of Certificate Authorities (CAs), one for
the controller and one for the switches. We used a script to generate the Public
Key Infrastructure (PKI): it creates the private keys and certificates for the
switch and the controller, and the root certificates of their CAs.
The experimental results reveal that SSL/TLS-based channel establishment takes
more than twice the time of insecure TCP-based connection establishment. SSL
secure channel establishment between the switch and the controller took
around 46 ms, whereas OFHIP reduced this to around 26 ms. On the same
network, we evaluate the throughput characteristics when the switch is on the
move. In this case, the control channel during handover was managed with the
HIP UPDATE exchange, which renews the locators. Thereby, mobility does not
affect the sessions that are built on top of the HIP-layer identities.
3.4 SDN core for secure mobility
The future of the telecommunications industry is an unstoppable path towards
a more open ecosystem; one that was previously closed and proprietary, where
innovation was bogged down by a glacial standards process. Beyond WLAN,
enabling other wireless networking methods helps multi-band users to roam
seamlessly and communicate with different systems. When there are different
systems or backhauling mechanisms on the same network, a successful
integration must always be built on a flexible core.
Rapidly implementing a new mobility management protocol in the current
network is a major challenge. Network operators need to find more flexible
and easier ways to manage and control their networks. Many SDN-based
architectures are being proposed to improve existing manageability, such as
SDN-based cellular core networks and SDN-based radio access networks empowered
by the Access Network Discovery and Selection Function (ANDSF), which assists
users in discovering non-3GPP access networks such as Wi-Fi or WiMAX [162].
The main idea of SDN is to decouple the data and control planes. In SDN,
switches (data-plane) are simple data forwarding devices which are controlled
and managed by the SDN controller (control plane) via programmatic interfaces.
Acting between mobile users and service providers are the wireless operators,
which could include anyone managing a Wi-Fi network, such as a university,
local coffee shop, hotel chain, airport, shopping mall, private enterprise or venue.
Wireless operators must be prepared to:
– Authenticate and authorise a disparate set of users requesting access
– Meet security, QoS, policy control, and other needs of groups of users
– Handle massive growth in mobile traffic, connections, speeds and video, as
well as increasing data offloading from cellular networks
– Support multiple network service providers, both public and private, sharing
the operator’s WLAN
– Easily add new network service providers to the wireless network
– Support any type of wireless device that comes through the door
– Make end-user analytic data available to the core providers.
To date, wireless operators have been forced to build their wireless networks
by choosing from a plethora of end-to-end proprietary solutions provided by
incumbent vendors. While such solutions exist, operators become locked into a
proprietary platform, often end up paying for capabilities they do not need,
and must wait for vendor-provided upgrades to enhance or add new features.
This approach has defined a generation of business models that burdened wire-
less operators with capital equipment costs, while failing to provide the agility
required to meet the rapidly changing demands of mobile users and applications.
Industry adoption of SDN is already underway, but without solutions for
WLAN, SDN’s true promise is lost. We believe that it is crucial to integrate
Wi-Fi networks within the SDN strategy to simplify the management and to
enhance the capacity of the whole network. With SDN, wired and wireless
network components can be viewed as peer elements and managed as such. Thus,
applications can be seamlessly integrated, and value can be equally added to both
wired and wireless networks. Below, we summarise the benefits of SDN enabled
Wi-Fi:
– Single-pane-of-glass management of the unified wired and wireless network
with policy automation
– The ability to mix and match best-of-breed solutions from different vendors
– Open standards-based APIs to make it easy to create SDN applications
– Simplified network provisioning and lower total cost of ownership
– Ability to manage entire Wi-Fi network from a single dashboard
– Controlled multi-tenant Wi-Fi networks, applications and devices
– Application-based virtual networks
– Cost effective third-party hardware
– OpenFlow-enabled APIs.
Meeting the exploding mobility demand requires a more agile wireless LAN.
As the network edge transitions to all-wireless, SDN and OpenFlow are emerging
as a way to bring new levels of agility. With the rapid growth of mobility and
cloud services, the wireless LAN is becoming the primary access method. With
next-generation 802.11ac technology delivering gigabit throughput today, the
transition to an all-wireless access network will only accelerate [163].
In order to achieve the full promise of mobility, wired and wireless LANs must
be provisioned faster and managed more easily. Today, applications and services
depend on these two physically separated network infrastructure platforms. The
user experience differs when using applications over a wired or wireless LAN.
Network administrators must manage and secure wired and wireless access net-
works separately, with discrete tools and consoles. The difficulty of provisioning
and managing these infrastructures independently is a barrier to achieving the
scale required. Software defined networking is an optimal approach to overcome
this problem by separating the control and forwarding layers, and by centralising
the knowledge of the networks.
3.4.1 SDN for Wi-Fi networks
The promise of SDN is that the networks are no longer closed, proprietary and
difficult to program. But the extent of that openness and flexibility ultimately de-
pends on each vendor’s implementation and adherence to the standards. Limited
implementations or proprietary twists will serve only to hamstring the progress
of SDN with customers. To deliver on the promise, SDN must work for all users
and across all networks, with true interoperability among network components
via OpenFlow [60, 164]. With open programmable access to the wireless infras-
tructure, network-aware applications can communicate directly with the wireless
controller and the network can change dynamically in response.
There are different standardised approaches for offloading, mobility, service
discovery, and so on. On the one hand, Media Independent Handover (MIH) [165] is a
standard developed by IEEE 802.21 to enable the handover of IP sessions
from one Layer 2 access technology to another, in order to achieve mobility on
end-user devices. On the other hand, Distributed Mobility Management (DMM) [166],
a new architectural paradigm for evolving mobile IP networks, aims at transparency
above the IP layer, including maintenance of active transport-level sessions as
mobile hosts or entire mobile networks change their point of attachment to the
Internet. The SDN architecture, however, provides a more flexible framework for
implementing the same functionality in a different style.
3.4.2 Cloudification and wireless device virtualisation
Network Functions Virtualisation (NFV) aims to address the problems of shorter
hardware lifecycles, increasing energy costs, capital investment challenges, and
other collateral issues of hardware based appliances by leveraging standard IT
virtualisation technology to consolidate many network equipment types onto
industry standard high-volume servers, switches and storage, which could be
located in data-centres, network nodes and end user premises [167, 168].
Wi-Fi mobile cloud virtualisation is a new dimension of SDN-based mobility.
Emerging SDN technologies complement data-centre switches by automating
network policies and provisioning within a broader integrated cloud infrastructure
ecosystem. Cloud controllers, as resource managers of the underlying
infrastructure, drive provisioning decisions on workload placement and mobility [169].
Every time a mobility event occurs, the network must be updated to ensure the
proper provisioning of the required resources. Switches must interface with these
controllers in real time, as the nodes are highly mobile.
There have been several research efforts around virtualisation of the 802.11
protocol. In MultiNet [170], clients use a special device driver that exploits
802.11’s power-saving mode in order to continuously switch between multiple
networks. Spider [171] introduced a driver that allows clients to be connected
to multiple APs at the same time. The authors of Spider also conclude that
using multiple APs gives better throughput when the APs are on the same
channel. Wireless virtualisation is an attractive option for testbeds
and experimental facilities. Virtualising the Wi-Fi APs is the first step towards
virtualising the wireless network infrastructure [172]. A virtual AP emulates a
physical access point and is configured on a per-radio basis. Virtual APs allow
the wireless LAN to be segmented into multiple broadcast domains or slices
that are the wireless equivalent of Ethernet VLANs. Furthermore, this allows
different security mechanisms for different clients on the same access point.
Virtualised APs also provide better control over broadcast and multicast traffic,
which helps to avoid a negative performance impact on the wireless network.
Each virtual AP is identified by a configured SSID and a unique Basic Service Set
IDentifier (BSSID). In this approach, each virtual AP can be independently
enabled or disabled and individually supported with different security
mechanisms. In this thesis, we use virtual APs for the experiments related to
seamless mobility.
3.4.3 Motivation
In IEEE 802.11 settings, clients in “managed mode” perform a probe scan in order
to find APs. For this, they generate probe request messages. APs responding
with probe response messages become candidates for the client to
associate with. The client then initiates a series of handshakes with the chosen
AP that culminates in a successful connection between the two entities.
The client can now transmit data frames that will be forwarded by the AP.
At this juncture, the infrastructure has no signaling mechanism to instruct the
client to hand over to another AP without explicitly disconnecting it (by
sending the client a disassociation frame and forcing it to repeat the
association handshake). This is inconvenient for the clients, especially when they
are in an environment managed by a root entity, i.e. the SDN controller.
Inter-system communication has been a critical problem so far due to the
technologically different or proprietary platforms on which the equipment
is developed. An SDN core is a solid platform for managing traffic from
different network systems irrespective of their nature. This particularly applies
to mobile traffic offloading and roaming, content adaptation (such as adaptive
streaming), and mobile traffic optimisation, all of which would benefit greatly
from leveraging OpenFlow in a WLAN-SDN. Offloading, Wi-Fi roaming, and
network heterogeneity are highly demanded services in future 5G networks.
With SDN, these services can be easily monitored, and flows can be modified
and set dynamically to fit the needs. By introducing this manageability in the
radio environment, the networks can be automated by sensing contextual changes
in the network, adapting to them, and applying control-loop systems to learn
and update themselves for future actions without human intervention.
3.4.4 Implementation and experimental approach
In this section, we tackle the problems of wireless SDN with virtual APs and a
high-level abstraction that enables the controller or AP to take over control of a
client’s association decision, leading to a logical isolation of clients with respect
to the IEEE 802.11 MAC layer. Fig. 23 presents the high-level abstraction of APs
that virtualise their physical resources. The WLAN clustering service enabled
on the APs handles seamless client mobility by synchronising the client sessions
across the APs in the same Layer 2 domain. Next, we describe the virtual AP
abstraction and how clustering is used to achieve the said logical isolation and
client mobility. In this approach, each client is connected to a unique SSID, i.e.
the clients are given the illusion of owning a network slice over which they can
freely move around. From the client’s perspective, the virtual AP is the regular
IEEE 802.11 AP to which it first associated.
Fig 23. OpenFlow based WLAN access points.
Cluster abstraction among APs enables seamless handover without the client
performing a re-association, without generating additional Layer 2 or Layer 3
messages, and, most importantly, without requiring any special software or
hardware at the client. This is because, once a client is associated with an AP,
the only protocol-level requirement is that the client receives acknowledgment
frames for the data frames it generates from the AP it is associated with, and
periodically receives beacons from that AP. At the client’s MAC layer, it does
not matter if the actual radio generating these ACK frames changes.
By abstracting the association state of a client’s connection away from
individual physical APs, virtual SSIDs thus achieve a form of wireless network
virtualisation with OpenFlow, where each client in a slice sees a logical SSID
unique to it regardless of the actual physical AP it is communicating with.
Intuitively, a virtual AP handover is equivalent to physically moving an AP whilst
retaining all its state. The end-point of a link always corresponds to the client’s
IP and MAC addresses, along with the unique SSID assigned to it.
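The invariant behind this abstraction is that the client's BSSID, addresses and association state never change, that exactly one physical radio answers frames sent to that BSSID at any moment, and that the controller re-points the downstream flow rule when the hosting radio changes. The following is an added example, not code from the thesis or its test bed, that models just that: a controller holding per-client virtual APs, two physical APs, and a handover that moves the state without the client seeing a disassociation. The class names, the constructed MAC/IP addresses and the port numbers are assumptions of the example.

```python
"""Added example, not from the thesis: per-client virtual AP state moved by a controller.

Each client owns one VirtualAP (its own SSID/BSSID).  The PhysicalAP that
currently hosts it is the only radio that ACKs the client's data frames.  A
handover moves the VirtualAP between radios and re-points the client's flow
rule; the client's BSSID, MAC and IP are untouched.  All values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class VirtualAP:
    client_mac: str
    client_ip: str
    ssid: str              # unique per client: the slice the client sees
    bssid: str             # constant across physical APs
    aid: int               # association ID handed out at the first association


@dataclass
class PhysicalAP:
    name: str
    dpid_port: int                                  # switch port this radio hangs off
    lvaps: dict = field(default_factory=dict)       # bssid -> VirtualAP hosted here

    def handles(self, bssid):
        return bssid in self.lvaps

    def on_data_frame(self, frame):
        """ACK only frames to a BSSID this radio hosts, from that BSSID's own client."""
        lvap = self.lvaps.get(frame["bssid"])
        if lvap is None or frame["src"] != lvap.client_mac:
            return None                             # not ours: stay silent
        return {"type": "ACK", "to": frame["src"], "from": frame["bssid"]}


class Controller:
    def __init__(self):
        self.aps = {}
        self.flow_table = {}      # client MAC -> output port (downstream flow rule)

    def add_ap(self, ap):
        self.aps[ap.name] = ap

    def associate(self, ap_name, client_mac, client_ip):
        """The one real 802.11 association: create the client's own virtual AP."""
        ap = self.aps[ap_name]
        n = len(self.flow_table) + 1
        lvap = VirtualAP(client_mac, client_ip, ssid=f"slice-{n}",
                         bssid=f"02:00:00:00:00:{n:02x}", aid=n)
        ap.lvaps[lvap.bssid] = lvap
        self.flow_table[client_mac] = ap.dpid_port
        return lvap

    def handover(self, bssid, to_ap_name):
        """Move association state; the client is neither disassociated nor re-associated."""
        src = next(ap for ap in self.aps.values() if ap.handles(bssid))
        dst = self.aps[to_ap_name]
        if src is dst:
            return
        lvap = src.lvaps[bssid]
        dst.lvaps[bssid] = lvap                     # new radio starts answering first
        del src.lvaps[bssid]                        # then the old one goes quiet
        self.flow_table[lvap.client_mac] = dst.dpid_port

    def radios_answering(self, frame):
        """Names of the radios that would ACK this frame (must be exactly one)."""
        return [ap.name for ap in self.aps.values() if ap.on_data_frame(frame)]


def demo():
    ctl = Controller()
    ctl.add_ap(PhysicalAP("ap1", dpid_port=1))
    ctl.add_ap(PhysicalAP("ap2", dpid_port=2))
    lvap = ctl.associate("ap1", client_mac="3c:a9:f4:00:00:01", client_ip="10.0.0.11")
    frame = {"src": lvap.client_mac, "bssid": lvap.bssid, "payload": b"data"}
    before = ctl.radios_answering(frame)
    ctl.handover(lvap.bssid, "ap2")
    after = ctl.radios_answering(frame)
    return {"bssid": lvap.bssid, "before": before, "after": after,
            "port": ctl.flow_table[lvap.client_mac]}


if __name__ == "__main__":
    print(demo())
```

The ordering inside handover (install on the new radio, then remove from the old) is the make-before-break the text relies on; the source check in on_data_frame is the per-slice isolation, since a station spoofing another client's BSSID without its MAC gets no ACK from any radio.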
3.4.5 SDN and software-defined radio
Cognitive networking aims to automate networks by sensing contextual changes
in the network, adapting to those and applying control loop systems to learn and
update itself for future actions without human intervention. Cognitive Radio
System (CRS) technology responds to the growing demand for mobile data
traffic with mechanisms for access to shared spectrum and resources.
In mobile broadband networks, CRS technology is expected to balance traffic
growth against the network resources through load balancing and efficient
spectrum access mechanisms. Extending the cognitive
concept beyond the radio domain, a network can be cognitive if it has knowl-
edge about itself, its components, and their interconnection, and it should be
able to share this knowledge and reason about it. Cognitive networks have
the potential to provide high-bandwidth, adaptive and robust communication
through their ability to observe the current state of the network, analyse it, and
adapt to available resources in the most efficient manner possible.
However, legacy network architectures are tightly coupled with the underlying
hardware, where a change requires complex manual configuration and human
intervention. For example, the core network cannot be adjusted dynamically at
run-time to the changing environment, spectral fluctuations and varying
traffic patterns. Therefore, it is difficult to benefit from cognitive concepts
in legacy network architectures. SDN puts forward the idea of an
infrastructure/architecture split, separating the intelligence from the datapath
and programming the substrate through an open programming environment [173–175].
In other words, SDN disaggregates traditional vertically integrated network-
ing stacks to improve network feature velocity or to customise the operation
for specialised environments. On one hand, cognitive networks are highly adap-
tive by sensing the environment, reasoning through concurrent computation and
dynamically adjusting to the environment or available network resources accord-
ingly. On the other hand, by centralising the cognitive network’s intelligence at
the SDN controller, a programmatic approach to improving and automating this
dynamism through the global visibility of the network state and computational
reasoning in a logically centralised manner can be introduced [175]. Therefore,
in Publication V, we propose an SDN core to address the challenges related to the
integration of different network systems and the realisation of secure mobility
and access control on top of it.
Fig 24. Integration of Cognitive network and WLAN via SDN core.
3.4.6 Implementation and evaluation
In Publication V, we present a performance evaluation of seamless mobility with
SDN core. As already mentioned in this dissertation, SDN core is a promising
solution for traffic management in mobile networks. In this study, we set up
the test bed in Fig. 24, which consists of different vendor platforms that enable
both 802.11 and Cognitive access. The network consists of OpenFlow-enabled
APs, Wireless Open-access Research Platform (WARP) based cognitive network
components, and SDN core with NetFPGA platform and OpenFlow-based hard-
ware/software switches [69, 148].
WARP [176] is a programmable FPGA-based platform, shown in Fig. 25. The
heart of this board is a Xilinx Virtex-II Pro FPGA. This FPGA is well suited
to the DSP-intensive operations required by PHY-layer algorithms. It also
includes two embedded IBM PowerPC 405 (PPC405) processor cores, providing a
resource for implementing higher-layer algorithms that are better suited to
general-purpose processors than to programmable FPGA logic, e.g. MAC protocols.
The FPGA board also provides flexible and fast interconnection options for
interfacing with peripherals [177].
While the FPGA itself provides significant processing power, its connections
to other devices on the platform allow a variety of applications that can be
targeted at the platform. The FPGA board offers a 10/100 Mbit/s Ethernet
interface for connecting to standard wired networks. This connection allows
real-time communication between existing wired networks and custom wireless
networks implemented on WARP [178]. The FPGA board has four daughter
card slots, each wired to dedicated FPGA I/O pins. The custom peripheral
boards, like radio daughter boards, can be connected to these slots.
Fig 25. WARP FPGA Board v1.2.
The radio daughter board generates an analogue RF signal from digital I/Q
information and transforms the received analogue RF signal back into digital I/Q
form. It also controls the RX/TX gains used in the RF amplifiers on the radio
daughter board. The Linux Enriched Design for Wireless Open-access Research
Platform (LE-WARP) design [177], with its improved performance and added
features, has enabled us to achieve our goal of realising a self-configurable, self-
aware, and deployable wireless network demonstrator concept.
This design has thus been very beneficial to us and shows that there is a need
for this type of system design for integration. In the end, the greater purpose
of the LE-WARP design, i.e. the flexibility to set up a wireless test network to
verify complex theoretical algorithms at different layers of the OSI model, helps
in our solution. We enable traffic forwarding between the WLAN and the Cognitive
network by configuring flows that make the two reachable from each other.
Fig 26. Time-sequence diagram of traffic between WLAN and Cognitive clients.
Fig 27. Round trip time between WLAN and Cognitive clients.
The implementation of cognitive WARP is rate-limited, owing to the clock
speed and radio capacity. We have also computed the expected theoretical limit
to confirm the bandwidth limitation, and it agrees with the test bed results.
WARP uses a 10 MHz bandwidth with a Fast Fourier Transform (FFT) size of 64
and a cyclic prefix of 16 samples. This means that one OFDM symbol takes
64+16=80 samples and, with 10 MHz sampling, the OFDM symbol duration is 8 µs.
Not all sub-carriers are used for data transmission: 48 of the 64 sub-carriers
carry data. We use Quadrature Phase Shift Keying (QPSK) modulation (2
bits/sub-carrier) and a coding rate of 1 (no coding). Thus transmitting
48x2=96 bits takes 8 µs, and the maximum theoretical throughput is
96 bits/8 µs = 12 Mbit/s. Since the resources are shared equally, the maximum
one-way throughput is 6 Mbit/s.
This is roughly in line with our TCP throughput results. Performing the same
calculation for our WLAN with a 22 MHz bandwidth and the highest modulation and
coding scheme, 64-Quadrature Amplitude Modulation (QAM) with 3/4 coding, gives
a throughput of 59.4 Mbit/s, which is in line with the 54 Mbit/s maximum of
802.11a or 802.11g (the same formula with the 20 MHz sampling rate that the
802.11a/g OFDM PHY actually uses gives exactly 54 Mbit/s). Thus, integrating
different systems has been a quest in traditional networks and in the EPC, which
is expected to emerge by satisfying the high-level requirements of packet delivery.
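The bound above is a function of five PHY parameters, so it is worth writing it once and checking every figure quoted. The following is an added example, not from the thesis: it carries the derivation through for the WARP and WLAN parameters given in the text and, going beyond the text, reproduces the full 802.11a/g rate set from the same formula with the 20 MHz sampling rate that PHY uses. Only standard library arithmetic is involved; the parameter values are those of the text and of the 802.11a/g OFDM PHY.

```python
"""Added example, not from the thesis: OFDM peak-rate bound with the text's parameters.

rate = (data_subcarriers * bits_per_subcarrier * code_rate) / symbol_duration,
symbol_duration = (FFT size + cyclic prefix samples) / sampling rate.
"""

MODULATION_BITS = {"BPSK": 1, "QPSK": 2, "16-QAM": 4, "64-QAM": 6}

# The eight 802.11a/g OFDM modulation-and-coding pairs, lowest rate first.
IEEE80211A_MCS = [("BPSK", 1/2), ("BPSK", 3/4), ("QPSK", 1/2), ("QPSK", 3/4),
                  ("16-QAM", 1/2), ("16-QAM", 3/4), ("64-QAM", 2/3), ("64-QAM", 3/4)]


def ofdm_symbol_duration_us(sample_rate_mhz, fft_size, cyclic_prefix):
    """One OFDM symbol is FFT size + cyclic prefix samples at the sampling rate."""
    return (fft_size + cyclic_prefix) / sample_rate_mhz      # samples / (samples per µs)


def max_throughput_mbps(sample_rate_mhz, fft_size, cyclic_prefix,
                        data_subcarriers, bits_per_subcarrier, code_rate):
    """Peak PHY rate in Mbit/s: data bits per symbol divided by the symbol duration."""
    bits_per_symbol = data_subcarriers * bits_per_subcarrier * code_rate
    return bits_per_symbol / ofdm_symbol_duration_us(sample_rate_mhz, fft_size, cyclic_prefix)


def warp_bound():
    """WARP as described in the text: 10 MHz, 64-pt FFT, CP 16, 48 data carriers, QPSK, rate 1."""
    return max_throughput_mbps(10, 64, 16, 48, MODULATION_BITS["QPSK"], 1.0)


def wlan_bound(sample_rate_mhz):
    """64-QAM rate 3/4 on the same OFDM frame; 22 MHz reproduces the text, 20 MHz is 802.11a/g."""
    return max_throughput_mbps(sample_rate_mhz, 64, 16, 48, MODULATION_BITS["64-QAM"], 3/4)


def ieee80211a_rates(sample_rate_mhz=20):
    """All eight 802.11a/g rates from the same formula (rounded to kbit/s)."""
    return [round(max_throughput_mbps(sample_rate_mhz, 64, 16, 48, MODULATION_BITS[m], r), 3)
            for m, r in IEEE80211A_MCS]


if __name__ == "__main__":
    print("WARP  :", warp_bound(), "Mbit/s, one-way", warp_bound() / 2)
    print("WLAN  :", round(wlan_bound(22), 3), "Mbit/s at 22 MHz,", wlan_bound(20), "at 20 MHz")
    print("802.11a/g rate set:", ieee80211a_rates())
```

Running it gives 12 Mbit/s for WARP (6 Mbit/s one-way), 59.4 Mbit/s for the 22 MHz WLAN figure, and the familiar 6, 9, 12, 18, 24, 36, 48 and 54 Mbit/s once the 20 MHz rate is used, which shows that the gap between 59.4 and 54 is entirely the sampling-rate assumption.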
This problem is still under discussion in the SDN community, and only a few
implementation results with network heterogeneity and mobility can be found in
the recent literature. In Figs. 26 and 27, we present our test bed results. The
“outlying” packets in Fig. 26 indicate problems with window size and buffering;
in fact, the WARP has a very limited buffer that limits the data rates. The RTT
in Fig. 27 varies over a wide range due to scheduling at the radio level caused
by the cognitive algorithms and by wireless propagation.
4 Conclusion and future work
This chapter summarises the conclusion of this thesis, highlighting our contribu-
tions and main results. In the next section, existing problems in this area are
described and future research directions are highlighted.
4.1 Conclusion
It is evident that the Internet is growing rapidly, and with it the demand
for mobile Internet is steadily increasing. Security and mobility are the most
critical challenges that network operators face today with the growing use of
the Internet. Therefore, the concepts and results presented in this thesis
are timely and important for network operators innovating new solutions. Small
cell networks are identified as a key to improved network capacity, i.e. high
availability of bandwidth. Bringing the network closer to the users by adding
small cells is instrumental in meeting the anticipated increase in data demand.
These facts motivated the research work presented in Publications I and II.
User mobility is a well-investigated research area for which operators already
have several standard solutions. However, these publications elaborate more
complex mobility scenarios by studying network mobility, which is more effective
in reducing the signaling load and enhancing the quality of experience.
Publication I proposes a vehicular femtocell architecture that enables seamless
mobility for users following a mobile cell (i.e. cells in metros, trams and
buses). The mobile backhaul still needs research because of the changing channel
conditions, although high-level approaches help to smooth over the discontinuity
caused by mobility. However, many of them do not retain IP connectivity to the
peers during handover.
With this, we can argue that multihoming is the foreseeable future of mobile
communication. The solution presented in Publication I illustrates the impact
of handover with both singlehomed and multihomed approaches. There is a clear
improvement in user experience according to the results presented. This
evaluation was performed for VoIP traffic, a widely used commercial application
over IP networks. It offers significant benefits compared to legacy phone systems
in terms of cost and rich media services, which reflects a certain shift from
Time Division Multiplexing (TDM) to IP networks.
Wireless networks are susceptible to changing channel conditions, so simulating them requires specific tools. OMNeT++ is a widely used and freely available tool for developing networking solutions, with a modular 802.11 implementation. The research above was simulated in OMNeT++ by implementing new modules for mobile cells and wireless relays.
Publication II extends this concept to urban areas. Easy deployability, cost-effectiveness and flexibility are the concerns of the mobile backhaul architectures presented in this dissertation. From the operators' point of view, deployment and maintenance costs are the primary concerns when adopting a backhaul solution. An evaluation of the fixed cost is presented in Subsection 3.1.1, where the deployment cost is calculated to be less than 500 USD per km2. According to the cost model proposed in [109], the network management cost is estimated at 25% of the equipment and transmission cost, i.e. around 125 USD/km2, which is low compared with 3G or 4G systems.
Context-awareness is an emerging research topic in 4G and 5G systems, since it allows devices, systems and applications to adapt automatically to a changing user context. Location update is a prerequisite of context-awareness, and it is expected to be both accurate and fast. The solution in Publication II therefore has high industrial value, since fast location update and verification are essential to 5G systems.
This fulfils the basic requirement of femtocell communication recommended in the 3GPP specifications, and it allows a femtocell to move freely while backhauling traffic via its wireless uplink. Along with mobility, security problems are always present, especially because of the wireless nature of the communication. Therefore, proper authentication, configuration management and tunnel encryption must be in place alongside mobility. Overall, the results presented in Publication II have a high industrial value that grows with the next generation of communication services.
WLAN complements next-generation networks, since it can communicate without interfering with cellular networks. As applications become more delay-sensitive, the initial authentication delay limits the usability of 802.11 in future networks. Several proposals for fast initial authentication (FIA) exist in the literature. However, the problem many standardisation bodies face today is backward compatibility (millions of devices are already in use and on the market). Thus, scalable solutions should always be backward compatible and minimise changes to the tightly constructed user authentication and association procedures of the original 802.11 design.
With this in mind, the work presented in Publication III minimises changes to the 802.11 state machine. The solution does not modify the 802.11 association procedure, since standard parameters are set during that phase. Thus, the authentication scheme proposed in Publication III is naturally followed by association. This scheme (HIP-WPA) is intended to enable seamless inter-AP mobility while reducing control traffic and delay.
HIP-WPA uses an architecture comparable to WPA or WPA2, preserves backward compatibility to some degree, and still uses the association frames to exchange low-level information. The ECC-based key exchange proposed in this scheme is well suited to next-generation mobile applications, since its shorter keys consume less memory and time for an equivalent security level. Although ECC was first proposed in the mid-1980s [55, 56], it has only recently started to gain wide acceptance in commercial applications. However, significant growth of ECC adoption in mobile applications is expected in the near future.
Although the literature describes WLAN and cellular interoperable systems, commercial deployment has not yet been successful. Centralised control over all heterogeneous systems is best suited to managing the underlying network infrastructure and aggregating the control functions into a separate control layer. However, the current OpenFlow implementation lacks mobility support, which is an essential requirement for commercialisation.
The work presented in Publication IV is motivated by the need to enhance mobility support by implementing secure mobile cells that can be deployed in trains, buses and other vehicles. On one hand, this brings the network closer to its clients; on the other, it reduces the response time to new packet arrivals. Since the backhaul is at least partly wireless, our solution (OFHIP) implements encryption to meet commercial requirements.
OFHIP can also be extended to migrate the SDN controller, as a counterpart to network function virtualisation. According to the available literature, OFHIP is the first conceptual design of OpenFlow-based mobile cells with robust multipath connectivity to the controller. From the operator's perspective, management flexibility and scalability are greatly improved by the separation of the control and forwarding planes. OFHIP thus allows network managers to easily impose new rules, accept or deny traffic, and control quality parameters.
This in turn reduces the complexity of network management, one of the challenges operators face today owing to the wide span of their networks and the integration of different management systems and technologies. The work presented in Publication V implements a heterogeneous software-defined network with both WLAN and Cognitive networking support, enabling seamless mobility via the SDN core. The OpenFlow-enabled APs on the testbed run a distributed protocol that synchronises user session state across the APs in the cluster, which allows fast roaming of users between APs.
To configure clustering, the APs were connected to the same Layer 2 broadcast domain. The Cognitive network implemented on top of the WARP platform was also connected to the same Layer 2 domain. We claim that this is the first integration of 802.11 and Cognitive networks via an OpenFlow core. The results help in understanding the channel characteristics across different wireless systems. The tcpdump captures reveal the impact of scheduling on the Cognitive network side, which is directly associated with network performance. Thus, network operators who plan to deploy Cognitive networks on the current EPC must consider the performance of the scheduling algorithms. The results presented here help them make decisions when designing their network architectures and identifying bottlenecks.
4.2 Discussion and future work
Many open questions remain for future work, including a comprehensive evaluation of the proposed solutions, their robustness in more realistic dynamic network scenarios, and the resolution of deployment issues. The simulation results in Publications I and II show that multihoming uses the available wireless connectivity to increase throughput and reduce the drop rate while enabling seamless mobility. Nevertheless, the proposal is not optimal in terms of mobility, since the handover is not seamless at the link layer.
We shall continue our efforts to enhance handover in IEEE 802.11. One route would be to propose modifications to the 802.11 state machine, but such a solution would not be scalable, as millions of Wi-Fi devices are already in use and on the market. Thus, we are left with two options: 1) extending handover with an overlay mechanism without modifying the current state machine; 2) changing the state machine, removing the standard authentication and then optimising.
We believe that the first option is more scalable because of its backward compatibility with existing devices. Our solution for fast initial authentication has the potential to lower handover latency for delay-constrained mobile applications. However, it requires further investigation, since optimising re-authentication and inter-AP handover is outside the scope of this research. Thus, future work will focus on the design and development of fast re-authentication and forward secrecy schemes.
The SDN-related research in this dissertation describes the implementation of OpenFlow-based mobility. Solutions for user mobility with OpenFlow are already on the market and have captured the attention of the SDN community and industry. This thesis proposes enhancements to the mobile user experience by deploying OpenFlow-enabled mobile cells, and studies the control channel behaviour between the mobile cell and the controller. Studying the data plane characteristics would also help in understanding the feasibility of deploying similar solutions.
From a security perspective, the control and data planes are of similar importance. As Internet-based commercial applications demand a high level of security, users expect end-to-end encryption. Thus, my future interest lies in SDN user-plane encryption with IPsec ESP in BEET mode. This will allow enterprise-level applications to evolve with OpenFlow. The designers of the future Internet aim at efficient and flexible distribution platforms that scale to rising demands. The architecture and techniques described in this dissertation take a step in this direction.
In legacy networks, heterogeneity increases network complexity as new technologies and systems are integrated. SDN brings different systems under a single management umbrella by isolating the control functions from the infrastructure. Still, inter-system communication, seamless mobility, QoS management and security support in OpenFlow must be improved to meet commercial requirements. The work carried out in the university ELAB will be extended to develop solutions for seamless mobility and security. At the time of writing, we have implemented OpenFlow-enabled Cognitive base stations, which are currently under validation. They will provide the initial footprints for new research directions.
References
1. Andrews JG, Claussen H, Dohler M, Rangan S & Reed MC (2012) Femtocells: past, present, and future. IEEE Journal on Selected Areas in Communications 30(3): 497–508.
2. Sankaran C (2012) Data offloading techniques in 3GPP Rel-10 networks: A tutorial. IEEE Communications Magazine 50(6): 46–53.
3. Brickhouse RA & Rappaport T (1996) Urban in-building cellular frequency reuse. In: Proceedings of Global Telecommunications Conference (GLOBECOM), volume 2, pp. 1192–1196. IEEE.
4. Stocker A (1984) Small-cell mobile phone systems. IEEE Transactions on Vehicular Technology 33(4): 269–275.
5. Quinn E (1986) The cell enhancer. In: Proceedings of 36th Vehicular Technology Conference, volume 36, pp. 77–83. IEEE.
6. Drucker EH (1988) Development and application of a cellular repeater. In: Proceedings of 38th Vehicular Technology Conference, pp. 321–325. IEEE.
7. Iyer R, Parker J & Sood P (1990) Intelligent networking for digital cellular systems and the wireless world. In: Proceedings of IEEE Global Telecommunications Conference and Exhibition 'Communications: Connecting the Future' (GLOBECOM), pp. 475–479. IEEE.
8. Brickhouse R & Rappaport T (1996) Urban in-building cellular frequency reuse. In: Proceedings of IEEE Global Telecommunications Conference (GLOBECOM): Communications: The Key to Global Prosperity, volume 2, pp. 1192–1196.
9. Saunders S, Carlaw S, Giustina A, Bhat RR, Rao VS & Siegberg R (2009) Femtocells: opportunities and challenges for business and technology. Wiley.
10. Zhang Y (2010) Resource sharing of completely closed access in femtocell networks. In: Proceedings of Wireless Communications and Networking Conference (WCNC), pp. 1–5. IEEE.
11. Zhang J, De la Roche G et al. (2010) Femtocells: technologies and deployment. Wiley Online Library.
12. Gozalvez J (2010) First commercial LTE network [Mobile Radio]. IEEE Vehicular Technology Magazine 5(2): 8–16.
13. Fuxjager P, Fischer HR, Gojmerac I & Reichl P (2010) Radio resource allocation in urban femto-WiFi convergence scenarios. In: Proceedings of 6th EURO-NF Conference on Next Generation Internet (NGI), pp. 1–8. IEEE.
14. Chandrasekhar V, Andrews J & Gatherer A (2008) Femtocell networks: a survey. IEEE Communications Magazine 46(9): 59–67.
15. Knisely D, Yoshizawa T & Favichia F (2009) Standardization of femtocells in 3GPP. IEEE Communications Magazine 47(9): 68–75.
16. Knisely D & Favichia F (2009) Standardization of femtocells in 3GPP2. IEEE Communications Magazine 47(9): 76–82.
17. Vezin JB, Giupponi L, Tyrrell A, Mino E & Miroslaw B (2011) A femtocell business model: The BeFEMTO view. In: Proceedings of Future Network & Mobile Summit (FutureNetw), pp. 1–8.
18. Bennis M, Giupponi L, Diaz E, Lalam M, Maqbool M, Strinati E, De Domenico A & Latva-aho M (2011) Interference management in self-organized femtocell networks: The BeFEMTO approach. In: Proceedings of 2nd International Conference on Wireless Communication, Vehicular Technology, Information Theory and Aerospace & Electronic Systems Technology (Wireless VITAE), pp. 1–6.
19. Serrano A, Giupponi L & Dohler M (2010) BeFEMTO's self-organized and docitive femtocells. In: Future Network and Mobile Summit, pp. 1–8.
20. Claussen H (2007) Performance of macro- and co-channel femtocells in a hierarchical cell structure. In: Proceedings of IEEE 18th International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC), pp. 1–5.
21. Ho LTW & Claussen H (2007) Effects of user-deployed, co-channel femtocells on the call drop probability in a residential scenario. In: Proceedings of IEEE 18th International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC).
22. Claussen H, Ho LTW & Samuel L (2008) Self-optimization of coverage for femtocell deployments. In: Proceedings of Wireless Telecommunications Symposium (WTS), pp. 278–285.
23. Claussen H & Pivit F (2009) Femtocell coverage optimization using switched multi-element antennas. In: Proceedings of IEEE International Conference on Communications (ICC), pp. 1–6.
24. Chandrasekhar V & Andrews J (2009) Uplink capacity and interference avoidance for two-tier femtocell networks. IEEE Transactions on Wireless Communications 8(7): 3498–3509.
25. Chandrasekhar V & Andrews J (2009) Spectrum allocation in tiered cellular networks. IEEE Transactions on Communications 57(10): 3059–3068.
26. Chandrasekhar V, Andrews J, Muharemovic T, Shen Z & Gatherer A (2009) Power control in two-tier femtocell networks. IEEE Transactions on Wireless Communications 8(8): 4316–4328.
27. Jo HS, Mun C, Moon J & Yook JG (2009) Interference mitigation using uplink power control for two-tier femtocell networks. IEEE Transactions on Wireless Communications 8(10): 4906–4910.
28. Namal S, Ghaboosi K, Bennis M, MacKenzie A & Latva-aho M (2010) Joint admission control & interference avoidance in self-organized femtocells. In: Proceedings of 44th Asilomar Conference on Signals, Systems and Computers (ASILOMAR), pp. 1067–1071.
29. Namal S, Gurtov A & Bennis M (2011) Securing the backhaul for mobile and multi-homed femtocells. In: Proceedings of Future Network & Mobile Summit (FutureNetw), pp. 1–15.
30. Zhang H, Wen X, Wang B, Zheng W & Sun Y (2010) A novel handover mechanism between femtocell and macrocell for LTE based networks. In: Proceedings of 2nd International Conference on Communication Software and Networks (ICCSN), pp. 228–231.
31. Zhang H, Ma W, Li W, Zheng W, Wen X & Jiang C (2011) Signalling cost evaluation of handover management schemes in LTE-advanced femtocell. In: Proceedings of 73rd IEEE Vehicular Technology Conference (VTC Spring), pp. 1–5.
32. Tesla N (1898) Method of and apparatus for controlling mechanism of moving vessels or vehicles. US Patent 613,809.
33. Vernam GS (1926) Cipher printing telegraph systems for secret wire and radio telegraphic communications. Transactions of the American Institute of Electrical Engineers 45: 295–301.
34. Boone J & Patterson P (2000) The start of the digital revolution. SIGSALY: secure digital voice communications in World War II, 13.
35. Shannon CE (1949) Communication theory of secrecy systems. Bell System Technical Journal 28(4): 656–715.
36. NIST (1977) Data Encryption Standard. FIPS PUB 46, Federal Information Processing Standards Publication, Appendix A.
37. Rivest RL, Shamir A & Adleman L (1978) A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2): 120–126.
38. Smith JL (1971) The design of Lucifer, a cryptographic device for data communications. Technical report, IBM Research Report RC3326.
39. Diffie W & Hellman M (1976) New directions in cryptography. IEEE Transactions on Information Theory 22(6): 644–654.
40. ElGamal T (1985) A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 31(4): 469–472.
41. Knudsen LR, Rijmen V, Rivest RL & Robshaw MJ (1998) On the design and security of RC2. In: Proceedings of Fast Software Encryption, pp. 206–221. Springer.
42. Rivest R (1992) The RC4 encryption algorithm. RSA Data Security Inc. This document has not been made public.
43. Kaliski B (1993) A survey of encryption standards. IEEE Micro 13(6): 74–81.
44. Rivest R (1992) The MD2 message-digest algorithm. RFC 1319.
45. Rivest R (1992) The MD4 message-digest algorithm. RFC 1320.
46. Den Boer B & Bosselaers A (1992) An attack on the last two rounds of MD4. In: Proceedings of Advances in Cryptology - CRYPTO '91, pp. 194–203. Springer.
47. Kaliski B & Robshaw M (1995) Message authentication with MD5. CryptoBytes (RSA Labs Technical Newsletter) 1(1).
48. Wang X & Yu H (2005) How to break MD5 and other hash functions. In: Advances in Cryptology - EUROCRYPT 2005, pp. 19–35. Springer.
49. Krawczyk H, Bellare M & Canetti R (1997) HMAC: Keyed-hashing for message authentication. RFC 2104.
50. Bellare M, Canetti R & Krawczyk H (1996) Keying hash functions for message authentication. In: Proceedings of Advances in Cryptology - CRYPTO '96, pp. 1–15. Springer.
51. Kelsey J, Schneier B & Wagner D (1996) Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In: Proceedings of Advances in Cryptology - CRYPTO '96, pp. 237–251. Springer.
52. Westlund HB (2002) NIST reports measurable success of Advanced Encryption Standard. Journal of Research of the National Institute of Standards and Technology.
53. Koblitz N, Menezes A & Vanstone S (2000) The state of elliptic curve cryptography. In: Towards a Quarter-Century of Public Key Cryptography, pp. 103–123. Springer.
54. Lenstra Jr HW (1987) Factoring integers with elliptic curves. Annals of Mathematics, pp. 649–673.
55. Koblitz N (1987) Elliptic curve cryptosystems. Mathematics of Computation 48(177): 203–209.
56. Miller VS (1986) Use of elliptic curves in cryptography. In: Proceedings of Advances in Cryptology - CRYPTO '85, pp. 417–426. Springer.
57. Weaver AC (2006) Secure sockets layer. Computer 39(4): 88–90.
58. Hickman K & Elgamal T (1995) The SSL protocol. Netscape Communications Corp 501.
59. Feamster N, Rexford J & Zegura E (2013) The road to SDN: an intellectual history of programmable networks. Queue 11(12): 20.
60. Li LE, Mao ZM & Rexford J (2012) Toward software-defined cellular networks. In: Proceedings of European Workshop on Software Defined Networking (EWSDN), pp. 7–12. IEEE.
61. Chen T & Jackson A (1998) Active and programmable networks [Guest Editorial]. IEEE Network: The Magazine of Global Internetworking 12(3): 10–11.
62. Tennenhouse DL, Smith JM, Sincoskie WD, Wetherall DJ & Minden GJ (1997) A survey of active network research. IEEE Communications Magazine 35(1): 80–86.
63. Tennenhouse DL & Wetherall DJ (2002) Towards an active network architecture. In: Proceedings of DARPA Active Networks Conference and Exposition (ANECE), pp. 2–15. IEEE.
64. Caesar M, Caldwell D, Feamster N, Rexford J, Shaikh A & van der Merwe J (2005) Design and implementation of a routing control platform. In: Proceedings of the 2nd Symposium on Networked Systems Design & Implementation (NSDI), volume 2, pp. 15–28. USENIX Association.
65. Greenberg A, Hjalmtysson G, Maltz DA, Myers A, Rexford J, Xie G, Yan H, Zhan J & Zhang H (2005) A clean slate 4D approach to network control and management. ACM SIGCOMM Computer Communication Review 35(5): 41–54.
66. Rexford J, Greenberg A, Hjalmtysson G, Maltz DA, Myers A, Xie G, Zhan J & Zhang H (2004) Network-wide decision making: toward a wafer-thin control plane. In: Proceedings of HotNets III, pp. 59–64.
67. Enns R, Bjorklund M & Schoenwaelder J (2011) Network configuration protocol. RFC 4741, Network Research Group, IETF.
68. Casado M, Freedman MJ, Pettit J, Luo J, McKeown N & Shenker S (2007) Ethane: Taking control of the enterprise. ACM SIGCOMM Computer Communication Review 37(4): 1–12.
69. McKeown N, Anderson T, Balakrishnan H, Parulkar G, Peterson L, Rexford J, Shenker S & Turner J (2008) OpenFlow: enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review 38(2): 69–74.
70. Koponen T et al. (2010) Onix: a distributed control platform for large-scale production networks. In: Proceedings of OSDI, volume 10, pp. 1–6.
71. Heller B, Sherwood R & McKeown N (2012) The controller placement problem. In: Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks, pp. 7–12. ACM.
72. Dixit A, Hao F, Mukherjee S, Lakshman T & Kompella R (2013) Towards an elastic distributed SDN controller. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, pp. 7–12. ACM.
73. Tootoonchian A & Ganjali Y (2010) HyperFlow: a distributed control plane for OpenFlow. In: Proceedings of the 2010 Internet Network Management Conference on Research on Enterprise Networking, pp. 3–3. USENIX Association.
74. Drutskoy D, Keller E & Rexford J (2013) Scalable network virtualization in software-defined networks. IEEE Internet Computing 17(2): 20–27.
75. Bari M, Boutaba R, Esteves R, Granville L, Podlesny M, Rabbani M, Zhang Q & Zhani M (2013) Data center network virtualization: A survey. IEEE Communications Surveys & Tutorials 15(2): 909–928.
76. Steinder M, Whalley I, Carrera D, Gaweda I & Chess D (2007) Server virtualization in autonomic management of heterogeneous workloads. In: Proceedings of 10th IFIP/IEEE International Symposium on Integrated Network Management (IM'07), pp. 139–148. IEEE.
77. Daniels J (2009) Server virtualization architecture and implementation. Crossroads 16(1): 8–12.
78. Hoelzle U (2012) OpenFlow at Google. Open Networking Summit 17.
79. Gurtov A (2008) Host Identity Protocol (HIP): towards the secure mobile internet, volume 21. John Wiley & Sons.
80. Nikander P, Gurtov A & Henderson TR (2010) Host Identity Protocol (HIP): Connectivity, mobility, multi-homing, security, and privacy over IPv4 and IPv6 networks. IEEE Communications Surveys & Tutorials 12(2): 186–204.
81. Moskowitz R, Heer T, Jokela P & Henderson T (2012) Host Identity Protocol version 2 (HIPv2). Network Working Group, IETF.
82. Varjonen S, Komu M & Gurtov A (2009) Secure and efficient IPv4/IPv6 handovers using host-based identifier-locator split. In: Proceedings of Software, Telecommunications & Computer Networks (SoftCOM 2009), pp. 111–115. IEEE.
83. Nováczki S, Bokor L & Imre S (2007) A HIP based network mobility protocol. In: Proceedings of International Symposium on Applications and the Internet Workshops (SAINT Workshops 2007), pp. 48–48. IEEE.
84. Moskowitz R, Nikander P, Jokela P & Henderson T (2008) Host Identity Protocol. RFC 5201, Network Working Group, IETF.
85. Gurtov A, Komu M & Moskowitz R (2009) Host Identity Protocol: identifier/locator split for host mobility and multihoming. Internet Protocol Journal 12(1): 27–32.
86. Nikander P, Henderson T, Vogt C & Arkko J (2006) End-host mobility and multihoming with the Host Identity Protocol. Network Working Group, IETF.
87. Nikander P & Laganier J (2008) Host Identity Protocol (HIP) Domain Name System (DNS) extensions. RFC 5205, Network Working Group, IETF.
88. Jokela P (2008) Using the Encapsulating Security Payload (ESP) transport format with the Host Identity Protocol (HIP). RFC 5202, Network Working Group, IETF.
89. Nie P, Vähä-Herttua J, Aura T & Gurtov A (2011) Performance analysis of HIP diet exchange for WSN security establishment. In: Proceedings of the 7th ACM Symposium on QoS and Security for Wireless and Mobile Networks, pp. 51–56. ACM.
90. Stiemerling M, Quittek J & Eggert L (2008) NAT and firewall traversal issues of Host Identity Protocol (HIP) communication.
91. Tschofenig H, Gurtov A, Ylitalo J, Nagarajan A & Shanmugam M (2005) Traversing middleboxes with the Host Identity Protocol. In: Proceedings of Information Security and Privacy, pp. 17–28. Springer.
92. Bilogrevic I, Jadliwala M & Hubaux JP (2010) Security issues in next generation mobile networks: LTE and femtocells. In: Proceedings of 2nd International Femtocell Workshop.
93. Laganier J (2008) Host Identity Protocol (HIP) registration extension. RFC 5203, Network Working Group, IETF.
94. Perkins C et al. (2002) IP mobility support for IPv4. RFC 3344, Network Working Group, IETF.
95. Johnson D, Perkins C & Arkko J (2004) Mobility support in IPv6. RFC 3775, Network Working Group, IETF.
96. Quoitin B, Iannone L, De Launois C & Bonaventure O (2007) Evaluating the benefits of the locator/identifier separation. In: Proceedings of 2nd ACM/IEEE International Workshop on Mobility in the Evolving Internet Architecture, p. 5. ACM.
97. Nordmark E & Bagnulo M (2009) Site multi-homing by IPv6 intermediation (SHIM6). RFC 5533.
98. Sousa BM, Pentikousis K & Curado M (2011) Multihoming management for future networks. Mobile Networks and Applications 16(4): 505–517.
99. Savola P & Chown T (2005) A survey of IPv6 site multihoming proposals. In: Proceedings of the 8th International Conference on Telecommunications (ConTEL 2005), pp. 41–48.
100. Sultan F, Srinivasan K, Iyer D & Iftode L (2002) Migratory TCP: connection migration for service continuity in the Internet. In: Proceedings of 22nd International Conference on Distributed Computing Systems, pp. 469–470. IEEE.
101. Chen LW, Cabrera-Mercader C & Fallik B (2006) Wireless backhaul. US Patent Application 11/534,407.
102. Varga A et al. (2001) The OMNeT++ discrete event simulation system. In: Proceedings of the European Simulation Multiconference (ESM'2001), volume 9, p. 185.
103. Varga A & Hornig R (2008) An overview of the OMNeT++ simulation environment. In: Proceedings of the 1st International Conference on Simulation Tools and Techniques for Communications, Networks and Systems & Workshops, p. 60. ICST.
104. Steinbach T, Kenfack HD, Korf F & Schmidt TC (2011) An extension of the OMNeT++ INET framework for simulating real-time Ethernet with high accuracy. In: Proceedings of the 4th International ICST Conference on Simulation Tools and Techniques, pp. 375–382. ICST.
105. Maureira JC, Dalle O & Dujovne D (2009) Generation of realistic 802.11 interferences in the OMNeT++ INET framework based on real traffic measurements. In: Proceedings of the 2nd International Conference on Simulation Tools and Techniques, p. 74. ICST.
106. Bokor L, Zeke LT, Nováczki S & Jeney G (2009) Protocol design and analysis of a HIP-based per-application mobility management platform. In: Proceedings of the 7th ACM International Symposium on Mobility Management and Wireless Access, pp. 7–16. ACM.
107. Bokor L, Nováczki S, Zeke LT & Jeney G (2009) Design and evaluation of Host Identity Protocol (HIP) simulation framework for INET/OMNeT++. In: Proceedings of the 12th ACM International Conference on Modeling, Analysis and Simulation of Wireless and Mobile Systems, pp. 124–133. ACM.
108. Hu B, Chen S, Yuan T, Zhan X & Li W (2012) Design of a failure detection and recovery method for multi-homing in HIP. In: Proceedings of 2nd International Conference on Computer Science and Network Technology (ICCSNT), pp. 864–870. IEEE.
109. Garbin DA (1998) Toward a national data network: architectural issues and the role of government. In: The Unpredictable Certainty: White Papers, p. 217.
110. Kent S & Atkinson R (1998) Security architecture for the Internet Protocol. RFC 2401.
111. Oppliger R (1998) Security at the Internet layer. Computer 31(9): 43–47.
112. Borgaonkar R, Redon K & Seifert JP (2011) Security analysis of a femtocell device. In: Proceedings of the 4th International Conference on Security of Information and Networks, pp. 95–102. ACM.
113. Knisely D, Yoshizawa T & Favichia F (2009) Standardization of femtocells in 3GPP. IEEE Communications Magazine 47(9): 68–75.
114. Henderson T (2003) Host mobility for IP networks: a comparison. IEEE Network 17(6): 18–26.
115. Kivinen T & Tschofenig H (2006) Design of the IKEv2 mobility and multihoming (MOBIKE) protocol. RFC 4621.
116. Atkinson R (2005) An overview of the Identifier-Locator Network Protocol (ILNP). RN 5(22): 1.
117. Stewart RR & Xie Q (2001) Stream Control Transmission Protocol (SCTP).
118. Komu M, Tarkoma S, Kangasharju J & Gurtov A (2005) Applying a cryptographic namespace to applications. In: Proceedings of the 1st ACM Workshop on Dynamic Interconnection of Networks, pp. 23–27. ACM.
119. Gurtov A & Korhonen J (2004) Measurement and analysis of TCP-friendly rate control for vertical handovers. ACM Mobile Computing and Communications Review 8(3): 73–87.
120. Gurtov A (2000) TCP performance in the presence of congestion and corruption losses. Master's thesis, University of Helsinki, Department of Computer Science.
121. Huang PJ, Tseng YC & Tsai KC (2006) A fast handoff mechanism for IEEE 802.11 and IAPP networks. In: Proceedings of IEEE 63rd Vehicular Technology Conference (VTC), volume 2, pp. 966–970. IEEE.
122. Shin S, Forte AG, Rawat AS & Schulzrinne H (2004) Reducing MAC layer handoff latency in IEEE 802.11 wireless LANs. In: Proceedings of the 2nd International Workshop on Mobility Management & Wireless Access Protocols, pp. 19–26. ACM.
123. Brik V, Mishra A & Banerjee S (2005) Eliminating handoff latencies in 802.11 WLANs using multiple radios: applications, experience, and evaluation. In: Proceedings of the 5th ACM SIGCOMM Conference on Internet Measurement, pp. 27–27. USENIX Association.
124. Nie J, Wen J, Dong Q & Zhou Z (2005) A seamless handoff in IEEE 802.16a and IEEE 802.11n hybrid networks. In: Proceedings of International Conference on Communications, Circuits and Systems, volume 1, pp. 383–387. IEEE.
125. Amir Y, Danilov C, Hilsdale M, Musaloiu-Elefteri R & Rivera N (2006) Fast handoff for seamless wireless mesh networks. In: Proceedings of the 4th International Conference on Mobile Systems, Applications and Services, pp. 83–95. ACM.
126. Chandrasekhar V, Andrews JG & Gatherer A (2008) Femtocell networks: a survey. IEEE Communications Magazine 46(9): 59–67.
127. Boncella RJ (2002) Wireless security: an overview. Communications of the Association for Information Systems 9(15): 269–282.
128. Mishra A & Arbaugh WA (2002) An initial security analysis of the IEEE 802.1X standard.
129. Congdon P, Aboba B, Smith A, Zorn G & Roese J (2003) IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) usage guidelines. RFC 3580, Network Working Group, IETF.
130. Chen JC & Wang YP (2005) Extensible Authentication Protocol (EAP) and IEEE 802.1X: tutorial and empirical experience. IEEE Communications Magazine 43(12): 26–32.
131. Pack S & Choi Y (2003) Pre-authenticated fast handoff in a public wireless LAN based on IEEE 802.1X model. In: Mobile and Wireless Communications, pp. 175–182. Springer.
132. Craiger JP et al. (2002) 802.11, 802.1X, and wireless security. GIAC Security Essentials Certification Practical Assignment.
133. Mun H, Han K & Kim K (2009) 3G-WLAN interworking: security analysis and new authentication and key agreement based on EAP-AKA. In: Proceedings of Wireless Telecommunications Symposium (WTS), pp. 1–8.
134. Georgantas K (2011) Fast initial authentication, a new mechanism to enable fast WLAN mobility. Master of Science thesis, School of ICT, Royal Institute of Technology, Sweden, pp. 1–65.
135. Housley R & Arbaugh W (2003) Security problems in 802.11-based networks. Communications of the ACM 46(5): 31–34.
136. Lashkari AH, Mansoor M & Danesh AS (2009) Wired Equivalent Privacy (WEP) versus Wi-Fi Protected Access (WPA). In: Proceedings of International Conference on Signal Processing Systems, pp. 445–449. IEEE.
137. Lashkari AH, Towhidi F & Hosseini RS (2009) Wired Equivalent Privacy (WEP). In: Proceedings of International Conference on Future Computer and Communication (ICFCC 2009), pp. 492–495. IEEE.
138. Stubblefield A, Ioannidis J & Rubin AD (2004) A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP). ACM Transactions on Information and System Security (TISSEC) 7(2): 319–332.
139. Cox GW, Fu Z & Smith AM (2008) Method and apparatus for mutual authentication at handoff in a mobile wireless communication network. US Patent 7,421,582.
140. Yang G, Wong DS & Deng X (2007) Anonymous and authenticated key exchange for roaming networks. IEEE Transactions on Wireless Communications 6(9): 3461–3472.
141. Korhonen J, Mäkelä A & Rinta-Aho T (2007) HIP based network access protocolin operator network deployments. In: Proceedings of 1st Ambient NetworksWorkshop on Mobility, Multiaccess, and Network Management (M2NM’07).
142. Paakkonen P, Salmela P, Aguero R & Choque J (2008) Performance analysis ofHIP-based mobility and triggering. In: Proceedings of International Symposiumon World of Wireless, Mobile and Multimedia Networks (WoWMoM), pp. 1–9.IEEE.
143. Khurri A, Vorobyeva E & Gurtov A (2007) Performance of Host Identity Proto-col on lightweight hardware. In: Proceedings of 2nd ACM/IEEE internationalworkshop on Mobility in the Evolving Internet Architecture, p. 4. ACM.
144. Jokela P, Rinta-aho T, Jokikyyny T, Wall J, Kuparinen M, Mahkonen H, Melén J,Kauppinen T & Korhonen J (2004) Handover performance with HIP and MIPv6.In: Proceedings of 1st International Symposium on Wireless Communication Sys-tems, pp. 324–328. IEEE.
145. Lashkari AH, Danesh MMS & Samadi B (2009) A survey on wireless securityprotocols (WEP, WPA and WPA2/802.11i). In: Proceedings of 2nd IEEE Inter-national Conference on Computer Science and Information Technology (ICCSIT2009), pp. 48–52. IEEE.
146. Käsper E (2012) Fast elliptic curve cryptography in OpenSSL. In: FinancialCryptography and Data Security, pp. 27–39. Springer.
147. Rotsos C, Sarrar N, Uhlig S, Sherwood R & Moore AW (2012) Oflops: An openframework for openflow switch evaluation. In: Proceedings of Passive and ActiveMeasurement, pp. 85–95. Springer.
148. Naous J, Erickson D, Covington GA, Appenzeller G & McKeown N (2008) Im-plementing an OpenFlow switch on the NetFPGA platform. In: Proceedings ofthe 4th ACM/IEEE Symposium on Architectures for Networking and Communi-cations Systems, pp. 1–9. ACM.
149. Open Network Foundation (2012) OpenFlow Switch Specification Version 1.3.0( Wire Protocol 0x04 ). (ONF) .
150. Barré S, Paasch C & Bonaventure O (2011) Multipath TCP: from theory topractice. In: Proceedings of the 10th International IFIP TC 6 Conference onNetworking (NETWORKING), pp. 444–457. Springer.
151. Gurtov A & Polishchuk T (2009) Secure multipath transport for legacy Internetapplications. In: Proceedings of the 6th International Conference on BroadbandCommunications, Networks, and Systems (BROADNETS), pp. 1–8. IEEE.
152. Devarapalli V, Wakikawa R, Petrescu A & Thubert P (2005) RFC 3963: Networkmobility (NEMO) basic support protocol. Network Working Group,IETF .
153. Lach HY, Janneteau C & Petrescu A (2003) Network mobility in beyond-3Gsystems. Communications Magazine, IEEE 41(7): 52–57.
154. Leung K, Dommety G, Narayanan V & Petrescu A (2008) RFC 5177: NetworkMobility (NEMO) Extensions for Mobile IPv4. Network Working Group,IETF .
101
155. Benton K, Camp LJ & Small C (2013) Openflow vulnerability assessment. In:Proceedings of the 2nd ACM SIGCOMM workshop on Hot Topics in SoftwareDefined Networking, pp. 151–152. ACM.
156. Chu YH, Chen YT, Chou YC & Tseng MC (2011) A simplified cloud computingnetwork architecture using future internet technologies. In: Proceedings of 13thAsia-Pacific Network Operations and Management Symposium (APNOMS), pp.1–4. IEEE.
157. Gurtov A, Nikolaevsky I & Lukyanenko A (2012) Using HIP DEX for key man-agement and access control in smart objects .
158. Pellikka J, Gurtov A & Faigl Z (2012) Lightweight host and user authenticationprotocol for All-IP telecom networks. In: Proceedings of IEEE International Sym-posium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM),pp. 1–7. IEEE.
159. Meca FV, Ziegeldorf JH, Sanchez PM, Morchon OG, Kumar SS & Keoh SL (2013)HIP security architecture for the IP-based Internet of Things. In: Proceedings of27th International Conference on Advanced Information Networking and Appli-cations Workshops (WAINA), pp. 1331–1336. IEEE.
160. Kuptsov D, Nechaev B & Gurtov A (2012) Securing medical sensor network withhip. In: Wireless Mobile Communication and Healthcare, pp. 150–157. Springer.
161. Henderson T & Gurtov A (2012) RFC6538: The Host Identity Protocol (HIP)experiment report. Network Working Group,IETF .
162. Taaghol P, Salkintzis AK & Iyer J (2008) Seamless integration of mobile WiMAXin 3GPP networks. IEEE Communications Magazine 46(10): 74–85.
163. Ong EH, Kneckt J, Alanen O, Chang Z, Huovinen T & Nihtila T (2011) IEEE802.11ac: Enhancements for very high throughput WLANs. In: Proceedingsof IEEE 22nd International Symposium on Personal Indoor and Mobile RadioCommunications (PIMRC), pp. 849–853. IEEE.
164. Yap KK, Kobayashi M, Sherwood R, Huang TY, Chan M, Handigol N & McK-eown N (2010) OpenRoads: Empowering research in mobile networks. ACMSIGCOMM Computer Communication Review 40(1): 125–126.
165. Lampropoulos G, Salkintzis AK & Passas N (2008) Media-independent handoverfor seamless service provision in heterogeneous networks. IEEE CommunicationsMagazine 46(1): 64–71.
166. Zuniga J, Bernardos C, de la Oliva A, Melia T, Costa R & Reznik A (2013) Dis-tributed mobility management: A standards landscape. IEEE CommunicationsMagazine 51(3): 80–87.
167. Derakhshan F, Grob-Lipski H, Roessler H, Schefczik P & Soellner M (2013) En-abling Cloud Connectivity Using SDN and NFV Technologies. In: Mobile Net-works and Management, pp. 245–258. Springer.
168. Basta A, Kellerer W, Hoffmann M, Hoffmann K & Schmidt ED (2013) A VirtualSDN-enabled LTE EPC Architecture: a case study for S/P-Gateways functions.In: Proceedings of IEEE SDN for Future Networks and Services (SDN4FNS), pp.1–7. IEEE.
169. Paul S & Jain R (2012) OpenADN: Mobile apps on global clouds using OpenFlowand Software Defined Networking. In: Proceedings of IEEE Globecom Workshops(GC Wkshps), pp. 719–723. IEEE.
102
170. Chandra R & Bahl P (2004) MultiNet: Connecting to multiple IEEE 802.11networks using a single wireless card. In: Proceedings of 23rd Annual JointConference of the IEEE Computer and Communications Societies (INFOCOM),volume 2, pp. 882–893. IEEE.
171. Soroush H, Gilbert P, Banerjee N, Corner MD, Levine BN & Cox L (2011) Spider:improving mobile networking with concurrent Wi-Fi connections. In: Proceedingsof ACM SIGCOMM Computer Communication Review, volume 41, pp. 402–403.ACM.
172. Suresh L, Schulz-Zander J, Merz R, Feldmann A & Vazao T (2012) Towardsprogrammable enterprise WLANs with odin. In: Proceedings of the 1st workshopon Hot Topics in Software Defined Networks, pp. 115–120. ACM.
173. Dutta A, Saha D, Grunwald D & Sicker D (2010) An architecture for softwaredefined cognitive radio. In: Proceedings of Architectures for Networking andCommunications Systems (ANCS), pp. 1–12. IEEE.
174. Kim S, Kang JM, Seo S & Hong JWK (2013) A cognitive model-based approachfor autonomic fault management in OpenFlow networks. International Journal ofNetwork Management 23(6): 383–401.
175. Nakauchi K, Ishizu K, Murakami H, Nakao A & Harada H (2011) AMPHIBIA: acognitive virtualization platform for end-to-end slicing. In: Proceedings of IEEEInternational Conference on Communications (ICC), pp. 1–5. IEEE.
176. Amiri K, Sun Y, Murphy P, Hunter C, Cavallaro JR & Sabharwal A (2007) WARP,a unified wireless network testbed for education and research. In: Proceedings ofIEEE International Conference on Microelectronic Systems Education (MSE’07),pp. 53–54. IEEE.
177. Jokinen M & Tuomivaara H (2011) LE-WARP: Linux enriched design for wirelessopen-access research platform. In: Proceedings of the 4th International Confer-ence on Cognitive Radio and Advanced Spectrum Management, p. 16. ACM.
178. Tuomivaara H, Raustia M & Jokinen M (2009) Demonstration of distributedTDMA MAC protocol implementation with OLSR on Linux enriched WARP. In:Proceedings of the 4th ACM international workshop on Experimental Evaluationand Characterization, pp. 85–86. ACM.
103
Original articles

I Namal S., Pellikka J., & Gurtov A. (2012) Secure and Multihomed Vehicular Femtocells. In proceedings of 75th IEEE Vehicular Technology Conference (VTC Spring), Yokohama, Japan, pp. 1–5, IEEE, DOI: 10.1109/VETECS.2012.6240063, ISSN: 1550-2252.
II Namal S., Liyanage M., & Gurtov A. (2013) Realization of Mobile Femtocells: Operational and Protocol Requirements. Wireless Personal Communications, Volume 71, Number 1, pp. 339–364, Springer US, DOI: 10.1007/s11277-012-0818-9, ISSN: 0929-6212.
III Namal S., Georgantas K., & Gurtov A. (2013) Lightweight Authentication and Key Management on 802.11 with Elliptic Curve Cryptography. In proceedings of Wireless Communications and Networking Conference (WCNC), Shanghai, China, pp. 1830–1835, IEEE, DOI: 10.1109/WCNC.2013.6554842, ISSN: 1525-3511.
IV Namal S., Ahmad I., Gurtov A., & Ylianttila M. (2013) Enabling Secure Mobility with OpenFlow. In proceedings of IEEE Software Defined Networking for Future Networks and Services (SDN4FNS), Trento, Italy, pp. 1–5, IEEE, DOI: 10.1109/SDN4FNS.2013.6702540.
V Namal S., Ahmad I., Jokinen M., Gurtov A., & Ylianttila M. (2014) SDN Core for Mobility Between Cognitive Radio and 802.11 Networks. In proceedings of 8th International Conference on Next Generation Mobile Apps, Services and Technologies (NGMAST'14), in press, 2014.

Reprinted with permission from IEEE (I, III, IV) and Springer US (II).

Original publications are not included in the electronic version of the dissertation.
ACTA UNIVERSITATIS OULUENSIS
SERIES C TECHNICA
Book orders: Granum: Virtual book store, http://granum.uta.fi/granum/

493. Juntunen, Jouni (2014) Enhancing organizational ambidexterity of the Finnish Defence Forces' supply chain management
494. Hänninen, Kai (2014) Rapid productisation process: managing an unexpected product increment
495. Mehtonen, Saara (2014) The behavior of stabilized high-chromium ferritic stainless steels in hot deformation
496. Majava, Jukka (2014) Product development: drivers, stakeholders, and customer representation during early development
497. Myllylä, Teemu (2014) Multimodal biomedical measurement methods to study brain functions simultaneously with functional magnetic resonance imaging
498. Tamminen, Satu (2014) Modelling the rejection probability of a quality test consisting of multiple measurements
499. Tuovinen, Lauri (2014) From machine learning to learning with machines: remodeling the knowledge discovery process
500. Hosio, Simo (2014) Leveraging Social Networking Services on Multipurpose Public Displays
501. Ohenoja, Katja (2014) Particle size distribution and suspension stability in aqueous submicron grinding of CaCO3 and TiO2
502. Puustinen, Jarkko (2014) Phase structure and surface morphology effects on the optical properties of nanocrystalline PZT thin films
503. Tuhkala, Marko (2014) Dielectric characterization of powdery substances using an indirectly coupled open-ended coaxial cavity resonator
504. Rezazadegan Tavakoli, Hamed (2014) Visual saliency and eye movement: modeling and applications
505. Tuovinen, Tommi (2014) Operation of IR-UWB WBAN antennas close to human tissues
506. Vasikainen, Soili (2014) Performance management of the university education process
507. Jurmu, Marko (2014) Towards engaging multipurpose public displays: design space and case studies
508. Namal, Suneth (2014) Enhanced communication security and mobility management in small-cell networks