راه اندازی شبکه های خصوصی مجازی
ترجمه نشده

راه اندازی شبکه های خصوصی مجازی

عنوان فارسی مقاله: راه اندازی پویا شبکه های خصوصی مجازی و امنیت پروتکل اینترنت در زنجیره عملکردی خدمات
عنوان انگلیسی مقاله: Dynamic setup of IPsec VPNs in service function chaining
مجله/کنفرانس: شبکه های کامپیوتری – Computer Networks
رشته های تحصیلی مرتبط: مهندسی فناوری اطلاعات
گرایش های تحصیلی مرتبط: شبکه های کامپیوتری، اینترنت و شبکه های گسترده
کلمات کلیدی فارسی: مجازی سازی عملکرد شبکه، زنجیره عملکردی خدمات، هدر سرویس شبکه، امنیت پروتکل اینترنت، تبادل کلیدی اینترنتی، تبادل کلیدی اینترنتی نرم افزار محور، RESTconf
کلمات کلیدی انگلیسی: NFV، SFC، NSH، IPsec، IKE، SD-IKE، RESTconf
نوع نگارش مقاله: مقاله پژوهشی (Research Article)
شناسه دیجیتال (DOI): https://doi.org/10.1016/j.comnet.2019.05.015
دانشگاه: Department of Information Security and Communication Technology, Norwegian University of Science and Technology (NTNU), Gjøvik 2802, Norway
صفحات مقاله انگلیسی: 15
ناشر: الزویر - Elsevier
نوع ارائه مقاله: ژورنال
نوع مقاله: ISI
سال انتشار مقاله: 2019
ایمپکت فاکتور: 4.205 در سال 2018
شاخص H_index: 119 در سال 2019
شاخص SJR: 0.592 در سال 2018
شناسه ISSN: 1389-1286
شاخص Quartile (چارک): Q1 در سال 2018
فرمت مقاله انگلیسی: PDF
وضعیت ترجمه: ترجمه نشده است
قیمت مقاله انگلیسی: رایگان
آیا این مقاله بیس است: خیر
آیا این مقاله مدل مفهومی دارد: ندارد
آیا این مقاله پرسشنامه دارد: ندارد
آیا این مقاله متغیر دارد: ندارد
کد محصول: E13673
رفرنس: دارای رفرنس در داخل متن و انتهای مقاله
فهرست مطالب (انگلیسی)

Abstract

1. Introduction

2. Extraction and discussion of requirements

3. Architecture

4. Implementation

5. Verification by experiments

6. Discussion and evaluation

7. Conclusion

Funding

Conflicts of Interest

CRediT authorship contribution statement

Appendix A. Supplementary materials

Research Data

References

بخشی از مقاله (انگلیسی)

Abstract

This article describes a novel mechanism for the automated establishment of dynamic Virtual Private Networks (VPN) in the application domain of Network Function Virtualization (NFV). Each hop in an NFV Service Function Chain (SFC) lacks the capability of per-flow encryption, that makes the traffic flow in federated NFV environments vulnerable for eavesdropping. Due to the possible lack of bidirectional data plane communication channels between VNFs in an SFC, the Internet Security Key Exchange protocol (IPsec-IKE) is not applicable inside a VNF. Hence, this article introduces an alternative to IPsec-IKE that is specifically designed for NFV environments. This component is named Software Defined Security Associations (SD-SA), which is shown through a proof of concept evaluation to perform better than IPsec-IKE with respect to bandwidth and resource consumption.

Introduction

The security mechanisms in Software Defined Networks (SDN) and NFV lack the capability to encrypt and isolate the end-user traffic between VNFs. Fig. 1 exemplifies the problem by describing a typical VNF Service Function Chain (SFC), where the network traffic traverses multiple VNFs located at multiple service providers, while earlier work [1–۳] shows that the current NFV standardization attempts from ETSI [4] and IETF [5] do not take VNF isolation into account in the SFC design. Accordingly, an end-user who subscribes to VNF services from multiple services providers: • Cannot end-to-end encrypt traffic, since the VNFs require to have access in order to manipulate this traffic. • Is not aware and in control of which service providers having access to the data traffic, can potentially eavesdrop traffic and manipulate the route tables. • Does not know if the VNFs are shared network services with other users, who can as such access private data. Earlier work [1,2], showed that these problems could be resolved by introducing hop-by-hop encryption per IP flow or per group of IP flows. This is enabled by deploying an encryption application in front of every VNF within an SFC (Fig. 1). We showed that this encryption application is typically a Virtual Machine attached to the Virtual Link [6], particularly assigned for this function. These underlying encryption functions [1] can also be perceived as regular VNFs. Furthermore, earlier work also showed an additional problem with such an architecture. A service chain, following the NSH and SFC specification [6], can have a different service path than the reverse service path. Consequently, a pair of encrypting and decrypting VNFs in a service chain, do not necessarily have a bidirectional communication channel on the data plane, where they can exchange keys.