
Řídící a monitorovací jednotka pro hlavici optického spoje / Control and monitoring unit for optical link station

Podzimek, David January 2010
The aim of the Master's thesis "Control and monitoring unit for optical link station" is a web server enabling communication between the microcontroller and the user. The communication is based on the TCP/IP model. The work gives an overview of the various parts of the TCP/IP model. The main part of this work is devoted to the software created. The core of the unit is the microcontroller C8051F120 and the Ethernet controller CP2200 made by Silicon Laboratories.

Řízení toku dat na úrovni transportní vrstvy / Data-flow Control on Transport Layer

Pánek, Michal January 2015
In order to easily send data between two end elements without congestion, methods that suitably control the flow of data and evaluate a possible overload state are necessary. One such method is to control the data flow directly on the transport layer. This layer offers a range of mechanisms dedicated to dealing with this issue. The aim of this paper is divided into three parts. The first part describes the integration of the transport layer in the TCP/IP model, and the ability to process a TCP data stream. The second part describes methods to manage congestion and their integration by usage environment. It mainly focuses on the TCP Reno and TCP Vegas methods, their simulation, and their analysis on the transmission of a data stream. The third part deals with a detailed analysis of TCP Vegas. It analyses possible values of the alpha and beta parameters within TCP Vegas, and a combination of TCP Vegas and TCP Reno.

A Peer-to-Peer Networking Framework for Scalable Massively Multiplayer Online Game Development in Unity

Forsbacka, Jakob, Sollenius, Gustav January 2023
This thesis investigates designing and implementing a peer-to-peer (P2P) networking framework for Unity, a popular game engine, intending to offer a scalable and efficient solution for constructing networked multiplayer games. The research covers an analysis of a P2P network architecture, transport layer protocols, challenges in NAT traversal, and peer list management. A framework is proposed, incorporating NAT traversal, remote procedure calls (RPC), synchronization variables (SyncVar), interest management (IM), and a lobby system. The framework's performance is evaluated through integration, network, and game performance tests. Results demonstrate the framework's capacity to accommodate up to 50 players, with a theoretical maximum of 200 players, but further optimization techniques could increase this limit. IM solutions are suggested to improve scalability, rendering the framework a more viable option for MMOGs. Additionally, this thesis seeks to contribute to comprehending P2P networking framework design and implementation for Unity while emphasizing potential directions for future research and how they should be optimized.

Alternative Uses of CZTS Thin Films for Energy Harvesting

Mustaffa, Muhammad Ubaidah Syafiq 07 September 2021
The search for renewable energy resources and ways to harvest them has become a global mainstream topic among researchers nowadays, with solar cells and thermoelectric generators among the energy harvesting technologies currently being researched extensively. CZTS (Cu2ZnSnS4), a p-type semiconducting material initially researched to replace copper indium gallium selenide (CIGS) as the light-absorbing layer in thin film solar cells, was studied in this doctoral work for alternative uses in energy harvesting. This work aims to systematically investigate the prospects of CZTS for use as hole transport layers and in thermoelectric generators. CZTS thin films were successfully fabricated using a versatile approach involving hot-injection synthesis of a CZTS nanoparticle ink followed by spin coating and thermal treatment. The results obtained revealed the possibility of finely controlling CZTS thin film fabrication through ink concentration and spin coating parameters. Besides that, the thermal treatment temperature was found to affect the film's overall properties, where an increase in thermal treatment temperature improved the degree of crystallinity and the electrical properties. In addition, a phase change from less stable cubic and wurtzite structures to a more stable tetragonal structure was also observed. Furthermore, CZTS was found to be a good candidate to replace the commonly used organic hole transport layer in perovskite solar cells, with potential to improve performance and stability. In addition, CZTS also possessed good transport properties to be a potential p-type material in a thermoelectric generator, with the preliminary performance of the fabricated CZTS/AZO thermoelectric generator showing a maximum power output of ~350 nW at a ΔT of ~170 K. These findings provide new perspectives for CZTS in energy harvesting applications, despite the struggle in its development as the absorber layer in thin film solar cells. Besides providing a deeper understanding of CZTS and its vast possibilities in energy harvesting applications, this work also opens up promising future research, reinventing ways of studying materials in search of alternative applications which may be of benefit.

Testing TLS 1.3 Implementations Against Common Criteria for Information Technology Security Evaluation : Using TLS-Attacker to automate collaborative Protection Profile tests

Tacchi Mondaca, Antonello January 2024
In today's digital society, where all daily actions are performed over the internet, there is an ever increasing need to ensure security when dealing with sensitive information. The default standard for securing communications over the internet, the Transport Layer Security (TLS) protocol, was used for over 90 % of all traffic communication in 2020. TLS has also in recent years received an upgrade, with the new version being 1.3, which introduced substantial changes in its communication protocol. As such, it is of vital importance to ensure that its current standard manages to ensure continued security when using encrypted communications over the internet in accordance with international standards, such as the Common Criteria (CC) standard. This leads us to the problem of how to ensure that evaluations of TLS implementations are done efficiently while ensuring the quality of the evaluation. More specifically, we aim to see how we can automate parts of the evaluation process by creating tests according to the requirements of the Supporting Document (SD) of the CC standard. In this paper we create various tests according to the CC standard for TLS 1.3 implementations that can be automatically run in order. We then use the OpenSSL command line tool as an implementation and run it against our created tests. This was done by using the TLS-Attacker testing framework to not only establish TLS handshakes as either server or client, but also to edit which parameters are accepted and the created data packets themselves, to test how the implementation handles specific changes in the handshake. The result of the experiment is a series of tests which evaluate whether or not a TLS 1.3 implementation fulfills the requirements set by the CC standard. Our subset of tests covers client and server tests and evaluates an implementation's use of ciphersuites, named groups, curves, and session resumption. Our results provide a base for creating the remaining tests for TLS 1.3, which is readily extendable through the use of the testing framework, TLS-Attacker. Remaining tests include the use of certificates, as well as Datagram Transport Layer Security (DTLS) for server and client, which could be the focus for future work.

To Determine Networked Telemetry Resynchronization Time

Laird, Daniel T. 10 1900
ITC/USA 2011 Conference Proceedings / The Forty-Seventh Annual International Telemetering Conference and Technical Exhibition / October 24-27, 2011 / Bally's Las Vegas, Las Vegas, Nevada
The Central Test and Evaluation Investment Program (CTEIP) Integrated Network Enhanced Telemetry (iNET) program is currently testing networked telemetry transceivers (IP.TM-Tx/Rx) using the Internet Protocol (IP), for use in telemetry (TM) channels. A unique characteristic of a networked telemetry channel is packet drops due to radio frequency (RF) signal dynamics, i.e., terrain, weather, aircraft attitude, manmade objects, etc. One of the key measures of IP.TM-Tx/Rx reliability is link availability (LA), and a key element of LA is the time to resynchronize after RF link loss.

Implementace ethernetového komunikačního rozhraní do obvodu FPGA / Implementation of Ethernet communication interface into FPGA chip

Skibik, Petr January 2011
The thesis deals with the implementation of an Ethernet-based network communication interface into an FPGA chip. The VHDL programming language is used for the description of the hardware. The interface includes the implementation of the link-layer Ethernet protocol and network protocols such as IPv4, ARP, ICMP and UDP. The final design allows bi-directional communication at the transport-layer level of the TCP/IP model. The designed interface was implemented in a Virtex5 FPGA chip on the ML506 development board by Xilinx.

The Security Layer

O'Neill, Mark Thomas 01 January 2019
Transport Layer Security (TLS) is a vital component of the security ecosystem and the most popular security protocol used on the Internet today. Despite the strengths of the protocol, numerous vulnerabilities result from its improper use in practice. Some of these vulnerabilities arise from weaknesses in authentication, from the rigidity of the trusted authority system to the complexities of client certificates. Others result from the misuse of TLS by developers, who misuse complicated TLS libraries, improperly validate server certificates, employ outdated cipher suites, or deploy other features insecurely. To make matters worse, system administrators and users are powerless to fix these issues, and lack the ability to properly control how their own machines communicate securely online. In this dissertation we argue that the problems described are the result of an improper placement of security responsibilities. We show that by placing TLS services in the operating system, both new and existing applications can be automatically secured, developers can easily use TLS without intimate knowledge of security, and security settings can be controlled by administrators. This is demonstrated through three explorations that provide TLS features through the operating system. First, we describe and assess TrustBase, a service that repairs and strengthens certificate-based authentication for TLS connections. TrustBase uses traffic interception and a policy engine to provide administrators fine-tuned control over the trust decisions made by all applications on their systems. Second, we introduce and evaluate the Secure Socket API (SSA), which provides TLS as an operating system service through the native POSIX socket API. The SSA enables developers to use modern TLS securely, with as little as one line of code, and also allows custom tailoring of security settings by administrators. Finally, we further explore a modern approach to TLS client authentication, leveraging the operating system to provide a generic platform for strong authentication that supports easy deployment of client authentication features and protects user privacy. We conclude with a discussion of the reasons for the success of our efforts, and note avenues for future work that leverage the principles exhibited in this work, both in and beyond TLS.

Which News Articles are You Reading? : Using Fingerprinting to Attack Internal Pages of News Websites / Fingeravtrycksattack mot nyhetsartiklar

Lindblom, Martin January 2021
When performing fingerprinting attacks against websites in a controlled environment, a study may achieve very promising results. However, these can be misleading, as the closed-world setting may not accurately represent the real world. This is a problem many prior works have been critiqued for: the inability to transfer their results from the closed-world setting to the real world. Being able to do so is of great importance to establish what the real-world consequences of fingerprinting attacks would be. If unable to apply one's findings outside of a tightly controlled environment, it is difficult to gauge if these attack types pose a real threat or not. Thereby, this thesis has, contrary to previous work, based its setting on a real-world scenario to provide tangible insights into vulnerabilities of news websites. Furthermore, it targeted internal pages of websites, something understudied by previous literature. All of this while presenting a novel classifier that is lightweight and requires little training, and a framework for automatically collecting and labelling encrypted TCP traffic without the use of a proxy.

An Extension Of Multi Layer IPSec For Supporting Dynamic QoS And Security Requirements

Kundu, Arnab 02 1900
Governments, military, corporations, financial institutions and others exchange a great deal of confidential information using Internet these days. Protecting such confidential information and ensuring their integrity and origin authenticity are of paramount importance. There exist protocols and solutions at different layers of the TCP/IP protocol stack to address these security requirements. Application level encryption viz. PGP for secure mail transfer, TLS based secure TCP communication, IPSec for providing IP layer security are among these security solutions. Due to scalability, wide acceptance of the IP protocol, and its application independent character, the IPSec protocol has become a standard for providing Internet security. The IPSec provides two protocols namely the Authentication header (AH) and the Encapsulating Security Payload (ESP). Each protocol can operate in two modes, viz. transport and tunnel mode. The AH provides data origin authentication, connectionless integrity and anti replay protection. The ESP provides all the security functionalities of AH along with confidentiality. The IPSec protocols provide end-to-end security for an entire IP datagram or the upper layer protocols of IP payload depending on the mode of operation. However, this end-to-end model of security restricts performance enhancement and security related operations of intermediate networking and security devices, as they can not access or modify transport and upper layer headers and original IP headers in case of tunnel mode. These intermediate devices include routers providing Quality of Service (QoS), TCP Performance Enhancement Proxies (PEP), Application level Proxy devices and packet filtering firewalls. The interoperability problem between IPSec and intermediate devices has been addressed in literature. 
Transport friendly ESP (TF-ESP), Transport Layer Security (TLS), splitting of single IPSec tunnel into multiple tunnels, Multi Layer IPSec (ML-IPSec) are a few of the proposed solutions. The ML-IPSec protocol solves this interoperability problem without violating the end-to-end security for the data or exposing some important header fields unlike the other solutions. The ML-IPSec uses a multilayer protection model in place of the single end-to-end model. Unlike IPSec where the scope of encryption and authentication applies to the entire IP datagram, this scheme divides the IP datagram into zones. It applies different protection schemes to different zones. When ML-IPSec protects a traffic stream from its source to its destination, it first partitions the IP datagram into zones and applies zone-specific cryptographic protections. During the flow of the ML-IPSec protected datagram through an authorized intermediate gateway, certain type I zones of the datagram may be decrypted and re-encrypted, but the other zones will remain untouched. When the datagram reaches its destination, the ML-IPSec will reconstruct the entire datagram. The ML-IPSec protocol, however suffers from the problem of static configuration of zones and zone specific cryptographic parameters before the commencement of the communication. Static configuration requires a priori knowledge of routing infrastructure and manual configuration of all intermediate nodes. While this may not be an issue in a geo-stationary satellite environment using TCP-PEP, it could pose problems in a mobile or distributed environment, where many stations may be in concurrent use. The ML-IPSec endpoints may not be trusted by all intermediate nodes in a mobile environment for manual configuration without any prior arrangement providing the mutual trust. The static zone boundary of the protocol forces one to ignore the presence of TCP/IP datagrams with variable header lengths (in case of TCP or IP headers with OPTION fields). 
Thus ML-IPSec will not function correctly if the endpoints change the use of IP or TCP options, especially in case of tunnel mode. The zone mapping proposed in ML-IPSec is static in nature. This forces one to configure the zone mapping before the commencement of the communication. It restricts the protocol from dynamically changing the zone mapping for providing access to intermediate nodes without terminating the existing ML-IPSec communication. The ML-IPSec endpoints can off course, configure the zone mapping with maximum number of zones. This will lead to unnecessary overheads that increase with the number of zones. Again, static zone mapping could pose problems in a mobile or distributed environment, where communication paths may change. Our extension to the ML-IPSec protocol, called Dynamic Multi Layer IPSec (DML-IPSec) proposes a multi layer variant with the capabilities of dynamic zone configuration and sharing of cryptographic parameters between IPSec endpoints and intermediate nodes. It also accommodates IP datagrams with variable length headers. The DML-IPSec protocol redefines some of the IPSec and ML-IPSec fundamentals. It proposes significant modifications to the datagram processing stage of ML-IPSec and proposes a new key sharing protocol to provide the above-mentioned capabilities. The DML-IPSec supports the AH and ESP protocols of the conventional IPSec with some modifications required for providing separate cryptographic protection to different zones of an IP datagram. This extended protocol defines zone as a set of non-overlapping and contiguous partitions of an IP datagram, unlike the case of ML-IPSec where a zone may consist of non-contiguous portions. Every zone is provided with cryptographic protection independent of other zones. The DML-IPSec categorizes zones into two separate types depending on the accessibility requirements at the intermediate nodes. 
The first type of zone, called type I zone, is defined on headers of IP datagram and is required for examination and modification by intermediate nodes. One type I zone may span over a single header or over a series of contiguous headers of an IP datagram. The second type of zone, called type II zone, is meant for the payload portion and is kept secure between endpoints of IPSec communications. The single type II zone starts immediately after the last type I zone and spans till the end of the IP datagram. If no intermediate processing is required during the entire IPSec session, the single type II zone may cover the whole IP datagram; otherwise the single type II zone follows one or more type I zones of the IP datagram. The DML-IPSec protocol uses a mapping from the octets of the IP datagram to different zones, called zone map for partitioning an IP datagram into zones. The zone map contains logical boundaries for the zones, unlike physical byte specific boundaries of ML-IPSec. The physical boundaries are derived on-the-fly, using either the implicit header lengths or explicit header length fields of the protocol headers. This property of the DML-IPSec zones, enables it to accommodate datagrams with variable header lengths. Another important feature of DML-IPSec zone is that the zone maps need not remain constant through out the entire lifespan of IPSec communication. The key sharing protocol may modify any existing zone map for providing service to some intermediate node. The DML-IPSec also redefines Security Association (SA), a relationship between two endpoints of IPSec communication that describes how the entities will use security services to communicate securely. In the case of DML-IPSec, several intermediate nodes may participate in defining these security protections to the IP datagrams. Moreover, the scope of one particular set of security protection is valid on a single zone only. So a single SA is defined for each zone of an IP datagram. 
Finally all these individual zonal SA’s are combined to represent the security relationship of the entire IP datagram. The intermediate nodes can have the cryptographic information of the relevant type I zones. The cryptographic information related to the type II zone is, however, hidden from any intermediate node. The key sharing protocol is responsible for selectively sharing this zone information with the intermediate nodes. The DML-IPSec protocol has two basic components. The first one is for processing of datagrams at the endpoints as well as intermediate nodes. The second component is the key sharing protocol. The endpoints of a DML-IPSec communication involves two types of processing. The first one, called Outbound processing, is responsible for generating a DML-IPSec datagram from an IP datagram. It first derives the zone boundaries using the zone map and individual header field lengths. After this partitioning of IP datagram, zone wise encryption is applied (in case of ESP). Finally zone specific authentication trailers are calculated and appended after each zone. The other one, Inbound processing, is responsible for generating the original IP datagram from a DML-IPSec datagram. The first step in the inbound processing, the derivation of zone boundary, is significantly different from that of outbound processing as the length fields of zones remain encrypted. After receiving a DML-IPSec datagram, the receiver starts decrypting type I zones till it decrypts the header length field of the header/s. This is followed by zone-wise authentication verification and zone-wise decryption. The intermediate nodes processes an incoming DML-IPSec datagram depending on the presence of the security parameters for that particular DML-IPSec communication. 
In the absence of the security parameters, the key sharing protocol gets executed; otherwise, all the incoming DML-IPSec datagrams get partially decrypted according to the security association and zone mapping at the inbound processing module. After the inbound processing, the partially decrypted IP datagram traverses through the networking stack of the intermediate node . Before the IP datagram leaves the intermediate node, it is processed by the outbound module to reconstruct the DML-IPSec datagram. The key sharing protocol for sharing zone related cryptographic information among the intermediate nodes is the other important component of the DML-IPSec protocol. This component is responsible for dynamically enabling intermediate nodes to access zonal information as required for performing specific services relating to quality or security. Whenever a DML-IPSec datagram traverses through an intermediate node, that requires access to some of the type I zones, the inbound security database is searched for cryptographic parameters. If no entry is present in the database, the key sharing protocol is invoked. The very first step in this protocol is a header inaccessible message from the intermediate node to the source of the DML-IPSec datagram. The intermediate node also mentions the protocol headers that it requires to access in the body portion of this message. This first phase of the protocol, called the Zone reorganization phase, is responsible for deciding the zone mapping to provide access to intermediate nodes. If the current zone map can not serve the header request, the DML-IPSec endpoint reorganizes the existing zone map in this phase. The next phase of the protocol, called the Authentication Phase is responsible for verifying the identity of the intermediate node to the source of DML-IPSec session. Upon successful authentication, the third phase, called the Shared secret establishment phase commences. 
This phase is responsible for the establishment of a temporary shared secret between the source and intermediate nodes. This shared secret is to be used as key for encrypting the actual message transfer of the DML-IPSec security parameters at the next phase of the protocol. The final phase of the protocol, called the Security parameter sharing phase, is solely responsible for actual transfer of the security parameters from the source to the intermediate nodes. This phase is also responsible for updation of security and policy databases of the intermediate nodes. The successful execution of the four phases of the key sharing protocol enables the DML-IPSec protocol to dynamically modify the zone map for providing access to some header portions for intermediate nodes and also to share the necessary cryptographic parameters required for accessing relevant type I zones without disturbing an existing DML-IPSec communication. We have implemented the DML-IPSec for ESP protocol according to the definition of zones along with the key sharing algorithm. RHEL version 4 and Linux kernel version 2.6.23.14 was used for the implementation. We implemented the multi-layer IPSec functionalities inside the native Linux implementation of IPSec protocol. The SA structure was updated to hold necessary SA information for multiple zones instead of single SA of the normal IPSec. The zone mapping for different zones was implemented along with the kernel implementation of SA. The inbound and outbound processing modules of the IPSec endpoints were re-implemented to incorporate multi-layer IPSec capability. We also implemented necessary modules for providing partial IPSec processing capabilities at the intermediate nodes. The key sharing protocol consists of some user space utilities and corresponding kernel space components. We use ICMP protocol for the communications required for the execution of the protocol. 
At the kernel level, pseudo character device driver was implemented to update the kernel space data structures and necessary modifications were made to relevant kernel space functions. User space utilities and corresponding kernel space interface were provided for updating the security databases. As DML-IPSec ESP uses same Security Policy mechanism as IPSec ESP, existing utilities (viz. setkey) are used for the updation of security policy. However, the configuration of the SA is significantly different as it depends on the DML-IPSec zones. The DML-IPSec ESP implementation uses the existing utilities (setkey and racoon) for configuration of the sole type II zone. The type I zones are configured using the DML-IPSec application. The key sharing protocol also uses this application to reorganize the zone mapping and zone-wise cryptographic parameters. The above feature enables one to use default IPSec mechanism for the configuration of the sole type II zone. For experimental validation of DML-IPSec, we used the testbed as shown in the above figure. An ESP tunnel is configured between the two gateways GW1 and GW2. IN acts as an intermediate node and is installed with several intermediate applications. Clients C11 and C21 are connected to GW1 and GW2 respectively. We carried out detailed experiments for validating our solution w.r.t firewalling service. We used stateful packet filtering using iptables along with string match extension at IN. First, we configured the firewall to allow only FTP communication (using port information of TCP header and IP addresses of Inner IP header ) between C11 and C21. In the second experiment, we configured the firewall to allow only Web connection between C11 and C21 using the Web address of C11 (using HTTP header, port information of TCP header and IP addresses of Inner IP header ). In both experiments, we initiated the FTP and WEB sessions before the execution of the key sharing protocol. 
The sessions could not be established, as access to the upper layer headers was denied. After the key sharing protocol had been executed, the sessions could be established, showing that the protocol headers were available to the iptables firewall at IN once key sharing had succeeded. To validate the claim of handling datagrams with variable header lengths, we used the record route option of the ping program. This option records the IP addresses of all nodes traversed on the round trip path in the IP OPTION field; since ESP is used in tunnel mode between GW1 and GW2, the addresses are recorded inside the encrypted inner IP header. We executed ping between C11 and C21 and observed the record route output. Before the key sharing protocol was executed, the IP addresses of IN were absent from the record route output; after its successful execution, they were present. DML-IPSec introduces some processing overhead compared to IPSec and ML-IPSec, and increases the datagram size compared to standard IPSec; this increase in size is present in ML-IPSec as well, depends on the number of zones, and grows as the number of zones increases. We obtained experimental results on the processing delay introduced by DML-IPSec by executing the ping program from C11 to C21 in the testbed for two cases: (1) ML-IPSec with one type I and one type II zone, and (2) DML-IPSec with one type I and one type II zone. We observe an increase of around 10% in RTT for DML-IPSec with two dynamic zones over ML-IPSec with two static zones. This overhead is due to the on-the-fly derivation of the zone length and the related processing. The above experiment measures the processing delay at the endpoints without intermediate processing.
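The following is an added example, not code from the thesis or from the Linux IPsec stack. It is a user-space Python model of the two ideas described above: zones protected under separate keys, with the type I boundary derived on the fly from the inner IP and TCP headers (the variable-header-length case exercised with ping's record route), and the last two phases of the key sharing protocol followed by the firewall experiment at IN (no session before key sharing, sessions after). Everything not stated on the page is an assumption: a single type I zone covering the inner IP and TCP headers and a single type II zone covering the TCP payload, HMAC-SHA256 in counter mode standing in for the ESP cipher and HMAC-SHA256 for the ICV, and a temporary shared secret that is simply taken as given, since the phases that establish it are not shown here. Addresses and packets are constructed.

```python
# Added example (not from the thesis): toy model of DML-IPSec ESP zones and of
# the security parameter sharing phase, followed by an iptables-like filter at
# the intermediate node IN. Assumptions: zone I = inner IP + TCP headers,
# zone II = TCP payload; HMAC-SHA256 counter mode stands in for the ESP cipher;
# the temporary shared secret is taken as given (its establishment is not shown).
import hashlib
import hmac
import os
import struct

TYPE_I, TYPE_II = 1, 2                                      # zone types as in ML-IPSec
C11, C21 = bytes([10, 1, 0, 11]), bytes([10, 2, 0, 21])     # constructed client addresses
# IP record route option with four empty slots, padded to 20 bytes (IHL 5 -> 10)
RR_OPTION = bytes([7, 19, 4]) + bytes(16) + b"\x00"

def prf(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def xor_keystream(key, nonce, data):
    """Toy stream cipher: HMAC-SHA256 keystream in counter mode (stand-in for AES)."""
    ks = b"".join(prf(key, nonce, struct.pack(">I", i))
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def build_inner(src, dst, dport, payload, options=b""):
    """Constructed inner IPv4+TCP datagram; IP options make the IHL vary."""
    ihl = 5 + len(options) // 4
    ip = struct.pack(">BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20 + len(payload),
                     0, 0, 64, 6, 0, src, dst) + options
    tcp = struct.pack(">HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp + payload

def zone_cut(inner):
    """Zone I length derived on the fly from IHL and the TCP data offset."""
    ihl = (inner[0] & 0x0F) * 4
    return ihl + (inner[ihl + 12] >> 4) * 4

def protect(inner, sad):
    """ESP-like protection: one (zone type, IV, ciphertext, ICV) record per zone."""
    cut = zone_cut(inner)
    records = []
    for ztype, chunk in ((TYPE_I, inner[:cut]), (TYPE_II, inner[cut:])):
        iv = os.urandom(8)
        ct = xor_keystream(sad[ztype], iv, chunk)
        records.append((ztype, iv, ct, prf(sad[ztype], b"icv", iv, ct)))
    return records

def open_zone(record, sad):
    """Verify and decrypt one zone; None if this node holds no key for it."""
    ztype, iv, ct, icv = record
    key = sad.get(ztype)
    if key is None or not hmac.compare_digest(icv, prf(key, b"icv", iv, ct)):
        return None
    return xor_keystream(key, iv, ct)

def share_zone_key(temp_secret, sad_src, ztype):
    """Security parameter sharing phase, source side: zone key under the temp secret."""
    iv = os.urandom(8)
    ct = xor_keystream(temp_secret, iv, bytes([ztype]) + sad_src[ztype])
    return iv, ct, prf(temp_secret, b"ksp", iv, ct)

def install_zone_key(temp_secret, sad_in, share):
    """Intermediate node side: authenticate, decrypt, and update its SAD in place."""
    iv, ct, tag = share
    if not hmac.compare_digest(tag, prf(temp_secret, b"ksp", iv, ct)):
        raise ValueError("key sharing message rejected")
    params = xor_keystream(temp_secret, iv, ct)
    sad_in[params[0]] = params[1:]

def firewall(records, sad_in, allowed_port):
    """IN's filter: allow only TCP to allowed_port between C11 and C21, else drop."""
    hdr = open_zone(records[0], sad_in)
    if hdr is None:
        return "drop: zone I not readable"
    ihl = (hdr[0] & 0x0F) * 4
    src, dst = hdr[12:16], hdr[16:20]
    dport = struct.unpack(">H", hdr[ihl + 2:ihl + 4])[0]
    if {src, dst} == {C11, C21} and dport == allowed_port:
        return "accept"
    return "drop: policy"

def demo():
    sad_gw = {TYPE_I: os.urandom(32), TYPE_II: os.urandom(32)}   # gateway SAD, both zones
    sad_in = {}                                                    # IN holds no keys yet
    pkt = protect(build_inner(C11, C21, 21, b"USER anonymous\r\n", RR_OPTION), sad_gw)
    before = firewall(pkt, sad_in, 21)                    # FTP cannot be set up yet
    temp_secret = os.urandom(32)                          # assumed output of earlier phases
    install_zone_key(temp_secret, sad_in, share_zone_key(temp_secret, sad_gw, TYPE_I))
    after_ftp = firewall(pkt, sad_in, 21)                 # headers now visible at IN
    after_web = firewall(pkt, sad_in, 80)                 # policy still enforced
    payload_at_in = open_zone(pkt[1], sad_in)             # type II stays closed to IN
    return before, after_ftp, after_web, payload_at_in

if __name__ == "__main__":
    print(demo())
```

The zone boundary is never stored in a static zone map: `zone_cut` recomputes it from the IHL and TCP data offset of each datagram, so the same code handles a 40-byte and a 60-byte header (the record route option in `demo`). Only the type I key is ever shared with IN, so after key sharing it can filter on inner addresses and ports but still cannot read the payload.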
We also analyzed the effect of intermediate processing due to the dynamic zones of DML-IPSec, using the iptables firewall of the experiment described above. The RTT for DML-IPSec with dynamic zones increases by less than 10% over that of ML-IPSec with static zones.

To summarize, we have proposed an extension to the multilayer IPSec protocol, called Dynamic Multilayer IPSec (DML-IPSec). It is capable of dynamically modifying zones and of sharing cryptographic parameters between the endpoints and intermediate nodes using a key sharing protocol. DML-IPSec also accommodates datagrams with variable header lengths. These features enable any intermediate node to dynamically access the required header portions of any DML-IPSec protected datagram, and consequently make DML-IPSec suited to providing IPSec over mobile and distributed networks. We also provide a complete implementation of the ESP protocol and an experimental validation of our work. We find that our work provides dynamic support for QoS and security services without significant extra overhead compared to ML-IPSec.

The thesis begins with an introduction to communication security requirements in TCP/IP networks. Chapter 2 provides an overview of communication security protocols at different layers and describes the IPSec protocol suite in detail. Chapter 3 studies the interoperability issues between IPSec and intermediate devices and discusses the different solutions. Our proposed extension to the ML-IPSec protocol, called Dynamic ML-IPSec (DML-IPSec), is presented in Chapter 4. The design and implementation details of DML-IPSec in the Linux environment are presented in Chapter 5, together with the experimental validation of the protocol. In Chapter 6, we summarize the research work, highlight its contributions and discuss directions for further research.
