Repositorio Institucional de la Universidad de Murcia

Browsing by Subject "SDN"

Now showing 1 - 6 of 6
  • Publication
    Open Access
    A Framework for Dynamic Configuration of TLS Connections Based on Standards
    (Springer, 2022-01-20) Pastor-Galindo, Javier; López-Millán, Gabriel; Marín-López, Rafael; Cánovas, Óscar; Pereñíguez García, Fernando; Ingeniería y Tecnología de Computadores
    The Transport Layer Security (TLS) protocol is widely used for protecting end-to-end communications between network peers (applications or nodes). However, the administrators usually have to configure parameters (e.g., cryptography algorithms or authentication credentials) to establish TLS connections manually. However, this way of managing security connections becomes infeasible when the number of network peers is high. This paper proposes a TLS management framework that configures and manages TLS connections in a dynamic and autonomous manner. The solution is based on well-known standardized protocols and models that allow providing the necessary configuration parameters to establish a TLS connection between two network nodes. Nowadays, this is required in several application scenarios such as virtual private networks, virtualized network functions, or service function chains. Our framework is based on standard elements of the Software Defined Networking paradigm, widely adopted to provide flexibility to network management, such as for the scenarios aforementioned. The proposed framework has been implemented in a proof of concept to validate the suitability of the proposed solution to manage the dynamic configuration of TLS connections. The experimental results confirm that the implementation of this framework enables an operable and flexible procedure to manage TLS connections between network nodes in different scenarios.
  • Publication
    Open Access
    Analysis and practical validation of a standard SDN-based framework for IPsec management
    (Elsevier, 2023-01) Marín-López, Rafael; Cánovas, Óscar; Parra-Espín, José Antonio; López Millán, Gabriel; Pereñíguez García, Fernando; Ingeniería y Tecnología de Computadores
    The Internet Engineering Task Force (IETF), the international standardization organism for the Internet, has recently approved a standard, RFC 9061, which defines an interface and framework with which to manage IPsec SAs autonomously by using the Software Defined Networking (SDN) paradigm. In this framework, a centralized entity, the controller, sends configuration information to IPsec-enabled nodes in the network in order to create IPsec SAs. Two cases are presented: IKE-case, in which the nodes ship an IKE implementation that is configured by the controller or IKE-less, in which the controller sends the IPsec SAs directly to the nodes, among other relevant security information. This paper analyzes both cases in depth, provides a design for the controller’s operation based on Mealy state machines and obtains experimental results from a virtualized testbed so as to compare these cases, which are missing parts in the standard.
  • Publication
    Restricted
    CORECONF implementation as SDN southbound Interface for IoT: an OSCORE/EDHOC use case
    (Institute of Electrical and Electronics Engineers Inc., 2025) Fernández, Javier A.; Marín López, Rafael; López Millán, Gabriel; Toutain, Laurent; Ingeniería de la Información y las Comunicaciones; Facultades de la UMU::Facultad de Informática
    The Internet of Things (IoT) aims to gather valuable data from our surroundings through resource-constrained networks and devices. For this reason, efficient and lightweight communication protocols are required to be developed and adopted. CORECONF, a network management protocol designed for constrained environments, provides a promising solution for IoT device configuration. This work introduces pycoreconf, an open-source implementation of CORECONF, with the goal of testing the protocol and making it more accessible to researchers and developers by enabling its use in real-world scenarios and experimental setups. In this paper, we evaluate its performance and applicability as a southbound interface in an SDN-based architecture, demonstrating its potential for configuring security contexts between IoT devices. Potential for other use cases remains to be explored in future work. Our results suggest that pycoreconf is a viable tool for those interested in exploring and adopting CORECONF in IoT scenarios.
  • Publication
    Restricted
    Establishment of IPsec security associations with Diffie–Hellman following a SDN-based framework: analysis and practical validation
    (Elsevier, 2024-08-17) Parra Espín, José Antonio; Marín López, Rafael; López Millán, Gabriel; Ingeniería de la Información y las Comunicaciones; Facultades de la UMU::Facultad de Informática
    The centralized management of IPsec Security Associations (SAs) by using the Software Defined Network (SDN) paradigm has already been explored and standardized. Datacenters are some of the scenarios where the dynamic establishment of IPsec security associations among network nodes has been deemed relevant. In these scenarios, where nodes do not support protocols like IKEv2, solutions are applied in which the generation and distribution of keys for IPsec are delegated to the SDN controller. However, these scenarios have the issue that the controller itself generates the IPsec keys for the nodes, posing a higher risk to the system’s security in case the controller is compromised. For these scenarios, it would be necessary to define solutions that allow the distribution of this cryptographic material securely, while maintaining the capacity restrictions established by the nodes. To solve this risk, we propose the generation of the IPsec keys using key distribution through the Diffie–Hellman algorithm in such a manner that the controller will never have access to the IPsec SAs session keys used by the network nodes, mitigating the aforementioned problem. Concretely, our approach makes the nodes responsible for generating their own Diffie–Hellman public and private keypair, while the controller is only in charge of distributing the public keys to the rest of the nodes, as well as other parameters needed to install the IPsec SAs. As we will analyze, the distribution of the public keys will be enough to allow the network nodes to generate the session keys. This work presents the design, implementation and validation of this IPsec management solution based on Diffie–Hellman in SDN environments using asymmetric key distribution for negotiating encryption and integrity keys, focusing on the performance in key generation and installation of IPsec SAs.
  • Publication
    Open Access
    SDN-AAA: towards the standard management of AAA infrastructures
    (Elsevier, 2025-01-26) López Gómez, Francisco; Marín López, Rafael; Cánovas Reverte, Óscar; López Millán, Gabriel; Pereñíguez García, Fernando; Ingeniería de la Información y las Comunicaciones; Facultades de la UMU::Facultad de Informática
    Software Defined Networking (SDN) is a widely adopted technology that enables agile and flexible management of networks and services. This paradigm is a strong candidate for addressing the dynamic and secure management of large and complex Authentication, Authorization and Accounting (AAA) infrastructures. In those infrastructures, multiple nodes must securely exchange information to interconnect different realms, and the manual configuration of these nodes represents a significant point of failure and a challenge for administrators. This paper presents a novel SDN-based framework, named SDN-AAA, that follows a data model-driven approach using the YANG standard. This framework enables the dynamic management of routing and security configurations in AAA scenarios. Additionally, empirical results demonstrate that the proposed framework can handle increasing numbers of nodes without significant performance degradation in mesh and star topologies, with configuration and routing times that linearly or exponentially scale depending on the topology used. This validates the feasibility of the solution in real-world scenarios.
  • Publication
    Restricted
    SDN-based automated rekey of IPsec security associations: design and practical validations
    (Elsevier, 2023-09) Parra-Espín, José Antonio; Marín-López, Rafael; Cánovas, Óscar; López Millán, Gabriel; Pereñíguez García, Fernando; Ingeniería y Tecnología de Computadores
    The standard Request for Comments (RFC) 9061 defines a framework to autonomously manage IPsec security associations (SAs) in SDN environments. The standard describes two cases: the IKE case, in which the nodes use the Internet Key Exchange (IKEv2) protocol to negotiate IPsec SAs, and the IKE-less case, in which IKEv2 is not shipped in the network devices, and the SDN controller is in charge of distributing the IPsec SAs with all the information needed to secure the communications (cryptographic material, traffic selectors, algorithms, etc.). In both cases, for security reasons, the IPsec protocol requires the periodic renovation of the keys used by the IPsec SAs in a process named rekey. The IKE case already has an automatic rekey mechanism, the IKEv2 protocol; however, the IKE-less case requires the definition of a rekey method, which is implemented by the controller. The use of the IKE-less case has been recognized as useful in scenarios such as datacenters, with thousands of nodes requiring the management of SAs, or Internet of Things, with constrained devices that may not have enough resources to use IKEv2. Therefore, the definition of a suitable rekey process is a keystone for the IKE-less case. This work presents the design, implementation and validation of four different algorithms to perform a rekey process in the IKE-less case from the IPsec standard, taking into account performance, security and packet loss. We have also analyzed each algorithm’s behavior in representative network scenarios based on mesh or star topologies.
