MobiVPN: Towards a Reliable and Efficient Mobile VPN

January 2017

abstract: A Virtual Private Network (VPN) is the traditional approach for an end-to-end secure connection between two endpoints. Most existing VPN solutions are intended for wired networks with reliable connections. In a mobile environment, network connections are less reliable and devices experience intermittent network disconnections due to either switching from one network to another or experiencing a gap in coverage during roaming. These disruptive events affects traditional VPN performance, resulting in possible termination of applications, data loss, and reduced productivity. Mobile VPNs bridge the gap between what users and applications expect from a wired network and the realities of mobile computing. In this dissertation, MobiVPN, which was built by modifying the widely-used OpenVPN so that the requirements of a mobile VPN were met, was designed and developed. The aim in MobiVPN was for it to be a reliable and efficient VPN for mobile environments. In order to achieve these objectives, MobiVPN introduces the following features: 1) Fast and lightweight VPN session resumption, where MobiVPN is able decrease the time it takes to resume a VPN tunnel after a mobility event by an average of 97.19\% compared to that of OpenVPN. 2) Persistence of TCP sessions of the tunneled applications allowing them to survive VPN tunnel disruptions due to a gap in network coverage no matter how long the coverage gap is. MobiVPN also has mechanisms to suspend and resume TCP flows during and after a network disconnection with a packet buffering option to maintain the TCP sending rate. MobiVPN was able to provide fast resumption of TCP flows after reconnection with improved TCP performance when multiple disconnections occur with an average of 30.08\% increase in throughput in the experiments where buffering was used, and an average of 20.93\% of increased throughput for flows that were not buffered. 3) A fine-grained, flow-based adaptive compression which allows MobiVPN to treat each tunneled flow independently so that compression can be turned on for compressible flows, and turned off for incompressible ones. The experiments showed that the flow-based adaptive compression outperformed OpenVPN's compression options in terms of effective throughput, data reduction, and lesser compression operations. / Dissertation/Thesis / Doctoral Dissertation Computer Science 2017

Computer science

Adaptive Compression

Mobile VPN

Mobility

Persistent TCP

Session Resumption

VPN

Définition d'une infrastructure de sécurité et de mobilité pour les réseaux pair-à-pair recouvrants / Definition of a security and mobility infrastructure for peer-to-peer overlay networks

Daouda, Ahmat mahamat

29 September 2014

La sécurisation inhérente aux échanges dans les environnements dynamiques et distribués, dépourvus d’une coordination centrale et dont la topologie change perpétuellement, est un défi majeur. Dans le cadre de cette thèse, on se propose en effet de définir une infrastructure de sécurité adaptée aux contraintes des systèmes P2P actuels. Le premier volet de nos travaux consiste à proposer un intergiciel, appelé SEMOS, qui gère des sessions sécurisées et mobiles. SEMOS permet en effet de maintenir les sessions sécurisées actives et ce, même lorsque la configuration réseau change ou un dysfonctionnement se produit. Cette faculté d’itinérance est rendue possible par la définition d’un nouveau mécanisme de découplage afin de cloisonner l’espace d’adressage de l’espace de nommage ; le nouvel espace de nommage repose alors sur les tables de hachage distribuées (DHT). Le deuxième volet définit un mécanisme distribué et générique d’échange de clés adapté à l’architecture P2P. Basé sur les chemins disjoints et l’échange de bout en bout, le procédé de gestion des clés proposé est constitué d’une combinaison du protocole Diffie-Hellman et du schéma à seuil(k, n) de Shamir. D’une part, l’utilisation des chemins disjoints dans le routage des sous-clés compense l’absence de l’authentification certifiée, par une tierce partie, consubstantielle au protocole Diffie-Hellman et réduit, dans la foulée, sa vulnérabilité aux attaques par interception. D’autre part, l’extension de l’algorithme Diffie-Hellman par ajout du schéma à seuil (k, n) renforce substantiellement sa robustesse notamment dans la segmentation des clés et/ou en cas de défaillances accidentelles ou délibérées dans le routage des sous-clés. Enfin, les sessions sécurisées mobiles sont évaluées dans un réseau virtuel et mobile et la gestion des clés est simulée dans un environnement générant des topologies P2P aléatoires. / Securing communications in distributed dynamic environments, that lack a central coordination point and whose topology changes constantly, is a major challenge.We tackle this challenge of today’s P2P systems. In this thesis, we propose to define a security infrastructure that is suitable to the constraints and issues of P2P systems. The first part of this document presents the design of SEMOS, our middleware solution for managing and securing mobile sessions. SEMOS ensures that communication sessions are secure and remain active despite the possible disconnections that can occur when network configurations change or a malfunction arises. This roaming capability is implemented via the definition of a new addressing space in order to split up addresses for network entities with their names ; the new naming space is then based on distributed hash tables(DHT). The second part of the document presents a generic and distributed mechanism for a key exchange method befitting to P2P architectures. Building on disjoint paths andend-to-end exchange, the proposed key management protocol consists of a combination of the Diffie-Hellman algorithm and the Shamir’s (k, n) threshold scheme. On the onehand, the use of disjoint paths to route subkeys offsets the absence of the third party’s certified consubstantial to Diffie-Hellman and reduces, at the same time, its vulnerability to interception attacks. On the other hand, the extension of the Diffie-Hellman algorithm by adding the threshold (k, n) scheme substantially increases its robustness, in particular in key splitting and / or in the case of accidental or intentional subkeys routing failures. Finally, we rely on a virtual mobile network to assess the setup of secure mobile sessions.The key management mechanism is then evaluated in an environment with randomly generated P2P topologies.

P2P

DHT

VPN mobile

Chemins disjoints

Diffie-Hellman

Schéma à seuil (k, n)

P2P

(k, n) threshold scheme

Diffie-Hellman

Disjoint paths

Mobile VPN

DHT

Low cost secure network connectivity for a municipal organization

Gutti, Krishna

January 2005

Wireless Local Area Networks (WLANs) based on 802.11 technology were initially conceived with the aim of providing wireless connectivity to client devices in limited areas, such as office buildings, homes, etc. or in places where wires are too expensive to be placed. This ‘anywhere’ connectivity is said to have improved worker’s productivity by allowing one to work flexibly from various places besides one’s desk. Currently we are witnessing the growth of both public and private networks based on WLAN technology. Such hotspots are usually limited to the network owner’s premises such as her office, campus, etc. This limits the total coverage area of this network. It is often not economically feasible for a network access provider to install Access Points at all places that a network user might go. This has become a problem for many network access providers; a sensible solution would be to collectively address the problem by entering into roaming agreements as is already done by most Wide Area Wireless Network providers. Such operator specific roaming agreements can provide nearly continuous coverage over a much wider area such as an entire city. One of the goals of this project was to study potential cost effective technical solutions that provide WLAN access to City of Stockholm’s network based on 802.11 technologies; including evaluation from different technical aspects (e.g., capacity enhancements, improvements in handover latency, etc). Proper deployment and management strategies were also evaluated. Technologies permitting differentiated services for users, enabling provisioning of Voice over Wireless Local Area Network (VoWLAN) services and other interactive services were studied. Technologies for authentication, authorization and accounting were studied. Additionally technical means of providing secure access to the wireless network were investigated. Evaluation of architectures that allow inter-operator roaming were made. Today’s corporate users are increasingly mobile and there is a need to provide secure access to corporate data to these mobile users. The coverage offered by WLAN networks even with large roaming agreements would still have coverage gaps which can be reduced by relying on the 3G networks which are being widely deployed. Virtual Private Network technologies are successfully used for providing secure remote access to data and Mobile IP technology provides application persistence to mobile users even while switching between networks (e.g., WLAN to 3G). There is a need for them to co-exist in order to provide secure, mobile access to data. Such secure mobile access could also be provided without relying on the above, standardised solutions. A goal of this master’s thesis was to evaluate the technical solutions to enable such secure, mobile access to data. Current products were evaluated and a suggestion of suitable products for the City of Stockholm was given. The above solutions together would provide the City of Stockholm with secure wireless network connectivity[.] / Trådlös Lokal Areal Nätverken (WLANs) baserat på 802.11 teknologien var i början uppfattade med det sikta med av skaffande trådlös anslutning till klienten anordningen i inlemmat områdena , sådan som kontor byggnad , hemmen etc. eller på platsen var tråden är alltför dyr till vara placerat. Den här ‘var som helst’ anslutning är sa till har förbättrat arbetaren produktiv vid tillåt en till verk böjlig från olika ställen for resten en’s skrivbord. Just nu vi er vittne växten av båda allmänhet och privat nätverken baserat på WLAN teknologien. Sådan hotspots är vanligtvis inlemmat till nätverken ägare lokalerna sådan som henne kontor, läger etc. Den här gränsen den räkna samman täckningen areal av de här nätverken. Den er ofta inte ekonomisk genomförbar till installera Tillträde Meningen i det hel tåt ställen så pass nätverken förbrukaren makt gå. Den här har bli ett problem för många nätverk skaffa; en förståndig lösande skulle bli till samlad adress problemet vid inlåtande in i att ströva avtalen så är redan gjort vid mest Vid Areal Trådlös Nätverken skaffa. Sådan operatör bestämd ströva avtalen kanna skaffa nästan kontinuerlig täckningen över en mycket vid areal sådan som en hel stor stad. En om målarna av det här projektet var till att studera potential kostnad effektiv teknisk lösandet så pass skaffa WLAN tillträde till Stor stad av Stockholm nätverken baserat på 802.11 teknologerna inklusive bedömningen från olik teknisk aspekterna (e.g., utrymme förstärkningarna , förbättringarna i handover latent tillstånd etc). Rätt spridandeen och företagsledning strategisk var också värderat ut. Teknologerna tillåt skilj tjänsten för förbrukaren, sättande i stånd till tillhandahållande av Röst över Trådlös Lokal Areal Nätverken (VoWLAN) tjänsten och annan interaktiv tjänsten var studier. Teknologerna för authentication, bemyndigandena och räkenskapen var studier. Ytterligare tekniskt medel av skaffande befästa tillträde till trådlös nätverken var undersöka. Bedömningen av arkitekturen så pass tillåta begrava - operatör ströva var gjord. Idag gemensam förbrukaren är alltmer rörlig och där er en behov till skaffa befästa tillträde till gemensam datan till de här rörlig förbrukaren. Täckningen erbjudande vid WLAN nätverken evn med stor ströva avtalen skulle stilla har täckningen öppning vilken kanna bli nedsatte vid användande den 3G nätverken vilken er vida spridde. Verklig Privat nätverk teknologerna ni är lyckosam använd för skaffande befästa avlägsen tillträde till datan och Rörlig IP teknologien skaffar applicering hårdnackenheten till rörlig förbrukaren jämn fördriva tiden kopplande emellan nätverken WLAN till 3G). Där er ett behov för dem till tillpass - finnas for att skaffa befästa, rörlig tillträde till datan. Sådan befästa rörlig tillträde kunde också bli försynt utan tillit till den över, standardiserat lösandet. En målet av den här övervinna teorin var till att bedöma den teknisk lösandet till möjliggöra sådan befästa, rörlig tillträde till daton. Ström produkten var värderat ut och en förslagen av passande produkten för staden av Stockholm var givit. Den över lösandet tillsammans skulle skaffa staden av Stockholm med befästa trådlös nätverken anslutning[.]

Wireless LAN

Wireless LAN operator networks

WLAN operator roaming

Mobile VPN

Trådlös LAN

Trådlös LAN operatör nätverken

WLAN operatör ströva

Rörlig VPN

Communication Systems

Kommunikationssystem