Similar literature
Found 20 similar documents; search took 31 ms
1.
The new generation network or the future Internet should treat mobile hosts as first-class objects and allow them to move freely across different networks that use heterogeneous protocols. For this purpose, this paper presents a mobility scheme, designed on the basis of the ID/locator split concept. The scheme provides mobility support from the identity layer, a shim layer inserted between the transport and network layers in the new generation network architecture. Mobility functions are independent of network layer protocols, thus they support mobility across heterogeneous network protocols. These functions are distributed in both end hosts and edge routers so that the scheme provides seamless mobility by reducing handover delay and consequent interruption in communication sessions.

2.
A variety of wireless communication technologies have been developed to provide services to a large number of users. The future integrated 5G-WLAN wireless networks will support seamless and secure roaming, and various types of real-time applications and services, which will be the trend of next-generation computing paradigm. In this paper, we discuss the privacy and security problems in 5G-WLAN heterogeneous networks and present a logical 5G-WLAN integrated architecture. We also propose a novel USIM and ECC based design of handover authentication for next-generation 5G-WLAN heterogeneous networks that can provide secure and seamless Internet connectivity. Our scheme has the features of strong security and better performance in terms of computation cost, energy cost, and storage cost as compared with the state-of-the-art schemes.

3.
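The route optimization problem in Mobile IPv6-based nested mobile networks is essentially caused by the architecture of the traditional Internet. In the traditional Internet architecture, an IP address represents both the identity and the location of a node, and this dual role hinders node mobility. To address this problem, this paper proposes an architecture that separates identity from location: the IP address serves only as the node's locator, and an endpoint identifier is introduced as the identity of the communicating parties, so that the connection between them is not interrupted when a node's address changes. On the basis of this identity/location separation architecture, a route optimization mechanism for nested mobile networks is proposed, which performs route optimization using a route update option, a route acknowledgement option and a route delete option carried in the IPv6 Hop-by-Hop Options header. Performance analysis shows that the mechanism has low packet overhead and low route update delay.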

4.
The locator/ID separation paradigm has been widely discussed to resolve the serious scalability issue that today's Internet is facing. Much research has been carried out on this issue to alleviate the routing burden of the Default Free Zone (DFZ), improve the traffic engineering capabilities and support efficient mobility and multi-homing. However, in the locator/ID split networks, a third party is needed to store the identifier-to-locator pairs. How to map identifiers onto locators in a scalable and se...

5.
The combination of wired and wireless technologies is spreading rapidly with the advance of Internet and networks, since it enables the creation of new services, and provides new features to both users and service providers. In such wired and wireless integrated services, network integration is very important, because such systems involve linking heterogeneous networks; and they involve integrating transmission technologies across networks. In this situation, existing security and communication technologies are unsuitable, since network integration involves heterogeneous networks. The network may have several security vulnerabilities. Also, the available services are for roaming users. In these services, we must provide fast authentication and security for roaming. Therefore, in this paper we proposed authentication and ID-based key management in pervasive environments. Our system provides efficient, secure communication.

6.
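Wu Qiang, Chen Lin. Telecommunications Science (《电信科学》), 2011, 27(11): 99-104
As a smart pipe, the underlying network should build a complete security assurance system on top of its technical strengths of openness, simplicity and sharing, guarantee the true origin of network information at the level of the network architecture, and achieve reliable integrated management of networks, services and users. While analyzing Internet security problems, this paper proposes an Internet security model based on an identity/location separation system; by establishing a unified Internet identifier management system, it gradually forms a trusted ecosystem with a logical structure of cause-and-effect relationships among Internet events.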

7.
The fast Internet evolution and rapid development of wireless technologies have made it possible for users to communicate while on the move. Mobile IPv6 (MIPv6) is a candidate solution for next generation mobile Internet. Despite its popularity, MIPv6 still suffers from various limitations, for example, lack of business model and management of enormous and discrete home agents, preventing it from being deployed in large‐scale commercial environments. Recently, the ID/Locator split architecture has demonstrated its significant predominance in next generation mobile networks. With the aim of pushing the global deployment of mobility support over IPv6, this study makes an effort to design and evaluate an operational mobility model over IPv6 (OMIPv6) based on the ID/Locator split architecture to tackle the problems raised by the current form of MIPv6. In particular, a distributed cloud mobility management system is employed to be responsible for maintaining the identification and locations of mobile hosts, and providing the name resolution services to the mobile hosts. Furthermore, this paper develops an analytical model considering all possible costs required for the operation of OMIPv6, and adopts it as a cost‐effective tool to evaluate various costs and operation overheads on the performance of the OMIPv6 protocol. Copyright © 2012 John Wiley & Sons, Ltd.

8.
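Basic research on the smart collaborative network architecture   Cited by: 12 (self-citations: 0, citations by others: 12)
Zhang Hongke, Luo Hongbin. Acta Electronica Sinica (《电子学报》), 2013, 41(7): 1249-1254
The current Internet is characterized by a "triple binding": the "binding of resource and location" for services, the "binding of control and data" in the network, and the "binding of identity and location". Such a network architecture and its mechanisms are relatively "static" and "rigid"; evolution and development on this basis cannot fundamentally satisfy the communication needs of information networks such as "high speed", "high efficiency", "massive scale" and "ubiquity", can hardly solve problems of network scalability, mobility and security, and is even less able to achieve efficient use of network resources, energy saving and so on. This paper creatively proposes a smart collaborative network architecture model whose typical features are "three layers" and "two domains". The "three layers" are the smart service layer, the resource adaptation layer and the network component layer; the "two domains" are the entity domain and the behavior domain. On the basis of the "three layers, two domains" model, basic theories of the smart service layer, the resource adaptation layer and the network component layer are established respectively, so that, while effectively solving problems such as network scalability, mobility and security, network resource utilization is greatly improved, network energy consumption is reduced, and the user experience is significantly enhanced.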

9.
With the fast progress of the Internet and communication technologies, the digital communication is increasingly based on the architecture of TCP/IP. Nevertheless, in TCP/IP's architecture, there are limitations such as data uncertainty and flow overloading. In response to this, a novel architecture has been proposed, which is known as the named data network (NDN). Named data network is an alternative network architecture based on the data each user accesses. Users gain accesses to the data by using an adjacent router (node) that verifies the correctness of the data. In NDN, the router has the capability to store and search for the data. Hence, this architecture largely improves the disadvantages in TCP/IP's architecture. Named data network is a new proposal and relatively under‐researched now. Thus far, an adequate secure file transfer protocol is still unavailable for NDN. In some cases, files are broken or the source fails to authenticate, which results in the need to discover the owner of the file. Furthermore, we believe that NDN should involve an authentication mechanism in the secure file transfer protocol. In view of the above, this paper presents an authenticated re‐encryption scheme for NDN, which offers sender authentication, data confidentiality, and support for potential receivers. Finally, we also propose a security model for sender authentication and prove that the proposed scheme is secure.

10.
Secure cellular data services have become more popular in the Japanese market. These services are based on 2G/3G cellular networks and are expected to move into the next-generation wireless networks, called Beyond 3G. In the Beyond 3G, wireless communication available at a user's location is selected based on the type of the service. The user downloads an application from one wireless network and executes it on another. Beyond 3G expects core and wireless operators and allows to plug-in new wireless access. A security model that can accommodate these requirements needs to be sufficiently flexible for end users to utilize with ease. In this paper, we explain the Mobile Ethernet architecture for all IP networks in terms of the Beyond 3G. We discuss usage scenario/operator models and identify entities for the security model. We separate a mobile device into a personal identity card (PIC) containing cryptographic information and a wireless communications device that offers security and flexibility. We propose a self-delegation protocol for device authentication and use a delegated credential for unified network- and service-level authentication. We also propose proactive handover authentication using the security context between different types of wireless access, such as Third Generation Partnership Project (3GPP) and WLAN, so that the secure end-to-end communication channels established by service software on the TCP/IP are not terminated. Lastly, we raise security issues regarding the next-generation platform.

11.
Traditionally, wireless cellular communication systems have been engineered for voice. With the explosive growth of Internet applications and users, there is an increasing demand on providing Internet services to mobile users based on the voice-oriented cellular networks. However, Internet services add a set of radically different requirements on to the cellular wireless networks, because the nature of communication is very different from voice. It is a challenge to develop an adequate network architecture and necessary systems components to meet those requirements. This paper describes our experience on developing Internet services, in particular, mobile and multicast IP services, in PACS (Personal Access Communication Systems). Our major contributions are five-fold: (i) PACS system architecture that provides wireless Internet and Intranet access by augmenting the voice network with IP routers and backbone links to connect to the Internet; (ii) simplified design of RPCU (Radio Port Controller Unit) for easy service maintenance and migration to future IP standards such as IPv6; (iii) native PACS multicast to efficiently support dynamic IP multicast and MBone connectivity; (iv) optimization and incorporation of Mobile IP into PACS handoff mechanism to efficiently support roaming within a PACS network as well as global mobility between PACS networks and the Internet; (v) successful prototype design of the new architecture and services verified by extensive performance measurements of IP applications. Our design experience and measurement results demonstrate that it is highly feasible to seamlessly integrate the PACS networks into the Internet with global IP mobility and IP multicast services.

12.
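Yang Qiong, Hu Jing, Xia Weiwei. Telecommunications Science (《电信科学》), 2015, 31(9): 60-65
Abstract: In view of the characteristics of the Internet of Vehicles (IoV) in heterogeneous network convergence scenarios, mobility management and resource management techniques for the IoV are studied. After introducing the basic concepts of the Internet of Things and the IoV, application scenarios of heterogeneous network convergence in the IoV are analyzed, and a network architecture for the IoV is proposed by studying its communication devices, forms of communication and networking modes. Compared with ordinary heterogeneous networks, vehicles in the IoV move at high speed, which causes frequent handovers when vehicles access public networks; mobility management techniques for the IoV are studied to address this. The diversity of communication devices and forms of communication in the IoV brings diverse service requirements; for services of different priorities, a priority-based resource management technique for the IoV is proposed, namely that resource management in heterogeneous networks must ensure that high-priority services always take precedence in resource allocation, access control, network selection and other respects.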

13.
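Huang Haixu. Communications Technology (《通信技术》), 2020, (2): 487-490
Internet of Vehicles (IoV) applications depend on real-time, accurate traffic information. RSUs broadcast in real time, and vehicles must also communicate with one another in real time, exchanging information that includes vehicle identity, driving state and location. An attacker can exploit the openness of the IoV to capture the air-interface data transmitted in real time, obtain vehicle identity and location information by cracking that data, and then attack vehicles through impersonation, tampering or implanting malicious programs. Information security in IoV communication must therefore be effectively protected. With blockchain-based anonymous authentication, a vehicle uses its public key as a pseudonym for authentication in V2V and V2I communication, which ensures the authenticity of the message source and the integrity of messages while avoiding disclosure of the vehicle's identity information.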

14.
The expansion of the Internet of Moving Things (IoMT) leads to limitless and continuous working playgrounds exploited by highly dynamic end devices. This requires the adoption of multi-Radio Access Technologies (RATs)-based strategies to provide IoMT units with ubiquitous connectivity. To this end, the development of secure bootstrapping and authentication mechanisms is necessary to permit the secure operation of end devices. Given the transmission and power limitations of these elements, current cryptographic solutions do not address these stringent requirements. For that reason, in the study we present a Multi-Access Edge Computing (MEC)-based end-to-end architecture that enables an efficient and secure authentication and key agreement between end devices and network servers over heterogeneous resource-limited networks such as the Low Power Wide Area Networks (LPWANs). Our proposal is based on the Authentication, Authorization, and Accounting (AAA) architecture and the recent Internet Engineering Task Force initiatives Static Context Header Compression and Low-Overhead CoAP-EAP. The results obtained from experimental tests reveal the validity of the proposal as it enables constrained IoMT devices to gain IPv6 connectivity as well as performs end-to-end secure authentication with notable reliability and controlled latency.

15.
To avoid a message being tampered with and forged in vehicular ad hoc network (VANET), the digital signature method is adopted by IEEE1609.2. However, the costs of the method are excessively high for large-scale networks. The paper efficiently copes with the issue with a secure communication framework by introducing some lightweight cryptography primitives. In our framework, point-to-point and broadcast communications for vehicle-to-infrastructure (V2I) and vehicle-to-vehicle (V2V) are studied, mainly based on symmetric cryptography. A new issue incurred is symmetric key management. Thus, we develop key distribution and agreement protocols for two-party key and group key under different environments, whether a road side unit (RSU) is deployed or not. The analysis shows that our protocols provide confidentiality, authentication, perfect forward secrecy, forward secrecy and backward secrecy. The proposed group key agreement protocol especially solves the key leak problem caused by members joining or leaving in existing key agreement protocols. Due to aggregated signature and substitution of XOR for point addition, the average computation and communication costs do not significantly increase with the increase in the number of vehicles; hence, our framework provides good scalability.

16.
As the current Internet architecture is suffering from scalability issues, the network research community has proposed alternative designs for the Internet architecture. Among those solutions that adopt the idea of locator/identifier split paradigm, the locator/identifier separation protocol (LISP) has been considered as the most promising solution because of its incrementally deployable feature. Despite various advantages provided by LISP, many ISPs are still conservative to adopt LISP into their production network because the standard LISP does not fully satisfy ISP's requirements on LISP‐enabled services. In this paper, we define ISP's requirements on LISP‐enabled commercial services and describe limitations of the standard LISP from an ISP's perspective. Also, we propose LISP controller, a centralized LISP management system. By using LISP controller, we evaluate three ISP's representative LISP use cases: traffic engineering, virtual machine live migration, and vertical handover. The results show that the proposed LISP controller provides centralized management, controllability, and fast map entry update, without any modifications on the standard LISP. LISP controller allows an ISP to control and manage its LISP‐enabled services while satisfying ISP's requirements. Copyright © 2015 John Wiley & Sons, Ltd.

17.
We have designed the heterogeneity inclusion and mobility adaptation through locator ID separation (HIMALIS) architecture to support mobility natively in the New Generation Network. This paper proposes a new distributed mobility scheme in the HIMALIS architecture for supporting seamless mobility for the host moving across access networks of different network-layer protocols. The proposed scheme also supports mobility of an access network. It includes a signaling procedure to redirect downstream traffic from the previous gateway (or previous access router) to the new gateway (or new access router) to minimize the service disruption or packet losses during a handover. The performance results obtained from a testbed implementation in Linux validate the effectiveness of the proposal. The results demonstrate that it can achieve seamless (no packet loss) handovers if overlapped wireless access networks are available.

18.
In the traditional Internet Protocol (IP) architecture, there is an overload of IP semantic problems. Existing solutions focused mainly on the infrastructure for the fixed network, and there is a lack of support for Mobile Ad Hoc Networks (MANETs). To improve scalability, a routing protocol for MANETs is presented based on a locator named Tree-structure Locator Distance Vector (TLDV). The hard core of this routing method is the identifier/locator split by the Distributed Hash Table (DHT) method, which provides a scalable routing service. The node locator indicates its relative location in the network and should be updated whenever topology changes. Locator space is organized as a tree-structure, and the basic routing operation of the TLDV protocol is presented. TLDV protocol is compared to some classical routing protocols for MANETs on the NS2 platform. Results show that TLDV has better scalability.

19.
Service-oriented vehicular networks support diverse infrastructure-based commercial services including Internet access, real-time traffic concerns, video streaming, and content distribution. The success of service delivery in vehicular networks depends on the underlying communication system to enable the user devices to connect to a large number of communicating peers and even to the Internet. This poses many new research challenges, especially in the aspects of security, user privacy, and billing. In this article we first identify the key requirements of authentication, privacy preservation, and billing for service delivery in vehicular networks. We then review the existing industrial and academic efforts on service-oriented vehicular networks. We also point out two security challenges, minimizing vehicle-to-infrastructure authentication latency and distributed public key revocation, which are considered among the most challenging design objectives in service-oriented vehicular networks. A novel fast vehicle-to-infrastructure authentication based on a vehicle mobility prediction scheme and an infrastructure-based short-time certificate management scheme are then proposed to address these two challenges.

20.
To provide ubiquitous terrestrial Internet coverage mobility and Internet-based access to data generated by satellites, there is a strong desire to integrate the terrestrial Internet and satellite networks. This requires satellites that are based on IP for communications. Rotation of low Earth orbit satellites around the Earth results in communicating with different ground stations over time, and requires mobility management protocols for seamless communication between the Internet and satellite networks. In this article we provide a comprehensive summary and comparison of state-of-the-art research on mobility management schemes for satellite networks. The schemes are based on network and transport layers for managing host and network mobility. This article clearly indicates the aspects that need further research and which mobility management schemes are the best candidates for satellite networks.
