Cooperative Firewall Signaling over SCION

School of Electrical Engineering | Master's thesis
Communications Engineering
Degree programme
CCIS - Master’s Programme in Computer, Communication and Information Sciences (TS2013)
80 + 12
5th Generation (5G) and the Internet of Things (IoT) have contributed to the rise in connected devices, which in turn has exhausted the available set of IP addresses. NAT is a popular solution to the IP exhaustion problem but suffers from a reachability issue. Customer Edge Switching (CES) is a firewall solution intended to replace traditional NAT by enforcing cooperative behavior. While CES solves the reachability issue, it is still troubled by some of the typical attacks present on the current Internet. Scalability, Control, and Isolation on Next-Generation Networks (SCION) is a new Internet architecture designed to provide effective point-to-point packet delivery. Realizing the SCION network would require changes to infrastructure and the protocol stack. However, SCION provides an application, the SCION-IP-Gateway (SIG), that lets end-hosts in an IP network connect to SCION. SCION does not provide any defensive mechanism against application-layer DoS attacks, while CES does. Running an end-system-focused trust solution over SCION would provide defense against trivial attacks and application-layer DoS attacks. End-domains can benefit from the integration of CES and SCION, where CES provides host-level authenticity through its cooperative behavior concept and SCION provides network-level security by design. In this thesis, the control plane/signaling traffic between the two CES nodes is switched from routed IP to SCION, using SIG, whenever SCION is available. The implementation is carried out in three phases (Proactive, Reactive, and Monitor) and verified with a range of tests such as design verification, delay calculation of CETP optimization, and SIG performance. The evidence suggests that the solution introduces no change from an end-user perspective. SCION's SIG is stable and provides good performance. The solution is the first prototype of an end-to-end, client-to-server trustworthy communication and service solution over the wide-area network.
Kantola, Raimo
Thesis advisor
Riaz, Maria
NAT, customer edge switching, SCION, CES signaling over SCION