Fast Transmission Mechanism for Secure VPLS Architectures
Madhusanka Liyanage1, Mika Ylianttila2, Andrei Gurtov3
1,2Centre for Wireless Communications (CWC), University of Oulu, Finland
3Department of Computer and Information Science, Linköping University, Sweden
Email: 1madhusanka.liyanage@oulu.fi, 2mika.ylianttila@oulu.fi, 3gurtov@acm.org
Abstract—Ethernet based secure VPLS (Virtual Private LAN Services) networks require a full mesh of VPLS tunnels to be established between the customer sites. However, the tunnel establishment between geographically distant customer sites introduces a significant delay to user traffic transport. In this article, we propose a novel fast transmission mechanism for secure VPLS architectures to reduce the waiting time before transmitting the data and the average data transmission delay between geographically distant customer sites. The performance of the proposed mechanism is analyzed by using a simulation model and a testbed implementation.
Index Terms—VPLS, Delay, SDN, Security, IPsec, HIP
I. INTRODUCTION
Ethernet based VPLS networks were initially designed for industrial networks to interconnect premises-wide SCADA (Supervisory Control and Data Acquisition) and process control devices. VPLS provides transparent, protocol independent, multipoint-to-multipoint Ethernet connectivity over IP (Internet Protocol) or MPLS (Multiprotocol Label Switching) based provider networks. Due to their simple, protocol-independent and cost efficient operation, VPLS networks are now becoming attractive in many enterprise applications such as telecommunication networks, Industrial Internet, DCI (data center interconnect), voice over IP (VoIP) and videoconferencing services. Thus, VPLS networks now interconnect customer sites across countries and even across the globe.
Existing secure VPLS architectures establish a full mesh of IPsec tunnels between the customer sites. Each tunnel establishment requires several rounds of message exchange. As a result, the tunnel establishment delay depends heavily on the communication link quality and the distance between the sites. For instance, the tunnel establishment delay between geographically distant sites is very high, which affects the performance of delay sensitive applications. However, legacy secure VPLS networks do not consider communication link characteristics and follow the same procedure for all tunnel establishment instances. Thus, some tunnel establishment instances suffer from significantly high tunnel establishment delays (e.g. tunnels with satellite hops) and cannot provide the required level of service quality.
Our Contribution
In this article, we propose a novel Fast Transmission Mechanism (FTM) to reduce the waiting time before user data transmission. It ultimately reduces the average data transmission delay between geographically distant customer sites and increases the Quality of Service (QoS). We analyze the performance of the proposed architecture by using a simulation model. Finally, the feasibility of the proposed mechanism is verified by using a testbed implementation.
The rest of the paper is organized as follows. Section II contains the background of existing secure VPLS architectures and their limitations. Related work is presented in Section III. The proposed FTM is described in Section IV. The simulation and testbed experiment results are presented in Section V. Section VI contains the conclusion of the paper.
II. BACKGROUND
A. Virtual Private LAN Service (VPLS)
VPLS provides multipoint-to-multipoint Ethernet communication over IP/MPLS (Multiprotocol Label Switching) based provider networks. It expands the Ethernet broadcast domain to multiple sites which are geographically dispersed across a country or even the globe. Figure 1 illustrates a simple VPLS architecture.
Fig. 1: The network topology of a VPLS network
A VPLS network consists of different components such as Customer Edge equipment (CE), Provider Edge equipment (PE), Provider (P) routers, PWs (Pseudo Wires)/tunnels and a provider network. CEs are the middleboxes between the customer sites and the provider network. PEs belong to the service provider and they have all the VPLS intelligence. A full mesh of PWs/tunnels is established over the provider network to interconnect these PEs. The provider network can be operated on the basis of several network protocols, such as IPv4, IPv6, and MPLS. Different kinds of tunnels such as IPsec, L2TPv3 (Layer 2 Tunneling Protocol Version 3) and MPLS are used to establish these links. However, the existing secure VPLS architectures [?], [1]–[3] and commercial products [4], [5] utilize IPsec tunnels. The provider network contains other P routers to provide the connectivity between PEs. The existence of the overlay VPLS network is hidden from the P routers.
B. Limitations in Legacy Secure VPLS Architectures
In [6], the authors listed most of the limitations (i.e. the N-square scalability problem, static tunnel parameters, long tunnel establishment delay and lack of traffic engineering features) related to the secure VPLS tunnel establishment mechanism. In addition to the list above, legacy secure VPLS architectures suffer from further limitations when they are used to interconnect distant sites.
1) Long Waiting Time: When distant customer sites communicate, they face a waiting time due to the long tunnel establishment delays. The tunnel establishment delay depends heavily on the communication link quality and the distance between PEs. Legacy secure VPLS networks do not consider these physical layer constraints, and all tunnel establishments follow the same procedure. As a result, some tunnel establishment instances suffer from significantly high tunnel establishment delays (e.g. tunnels with satellite hops).
In [6], the authors proposed a tunnel resumption mechanism to reduce the tunnel establishment delay of subsequent tunnel establishments between previously authorized PEs. However, it does not reduce the tunnel establishment delay which occurs during the initial tunnel establishment phase. Moreover, this tunnel resumption mechanism can be supported only for a limited number of sites due to the network resource limitations of PEs.
2) Reduced Quality of Service (QoS): The tunnel establishment delay between geographically distant sites is very high. For instance, the tunnel establishment of legacy secure VPLS architectures [1]–[3] can take at least 2000 ms between VPLS sites which have a 500 ms transmission delay. However, communication sessions between sites are very short (e.g. less than 50 ms [7]) in many cases. If the session between sites lasts only a short duration (e.g. 50 ms), then VPLS users have to wait a long time (e.g. 2000 ms) just to communicate for a very short duration (e.g. 50 ms). This reduces the QoS of short sessions.
III. RELATED WORK
The Internet Engineering Task Force (IETF) has standardized two basic frameworks for VPLS networks, using Border Gateway Protocol (BGP) [8] and Label Distribution Protocol (LDP) [9]. Thereafter, several VPLS architectures were proposed to improve the performance of these frameworks [1], [3], [10], [11]. The very first secure VPLS architecture was proposed as Host Identity Protocol (HIP)-enabled Virtual Private LAN Service (HIPLS) [1]. Later, two advanced HIP based VPLS architectures were proposed: Session key based HIP VPLS architecture (S-HIPLS) [2] and Hierarchical HIP VPLS architecture (H-HIPLS) [3]. S-HIPLS is a flat VPLS architecture which proposes to use a session key based security mechanism to achieve forwarding and security plane scalability. A hierarchical architecture of S-HIPLS is proposed as H-HIPLS to increase the control plane scalability as well.
Secure VPLS architectures are used in many industrial applications as well. For instance, Boeing is using a HIPLS based VPLS network in the assembly line of Boeing 777 airplanes [12]. Moreover, two major SCADA network appliance developing companies [4], [5] have already started to develop HIPLS based security solutions. The performance of secure VPLS architectures and the commercial products is analyzed in [13].
However, all the above secure VPLS architectures use static tunnel establishment procedures and suffer from limitations such as underutilized network resources, high tunnel management overhead and lack of flexibility. Except for the H-HIPLS architecture, all other secure VPLS architectures suffer from the N-square scalability problem as well. Recently, the utilization of SDN to improve the tunnel management performance of legacy secure VPLS architectures was presented in [6].
All these secure VPLS architectures require IPsec tunnels to be established between PEs. However, none of these architectures proposes a mechanism to overcome the high tunnel establishment delay caused by link level limitations.
IV. FAST TRANSMISSION MECHANISM (FTM)
We propose a novel Fast Transmission Mechanism (FTM) to reduce the waiting time before user data transmission and the average data transmission delay between geographically distant customer sites. The proposed FTM can be used with existing secure VPLS architectures. However, some modifications are required in the tunnel establishment mechanism of secure VPLS architectures. Here, we use the tunnel establishment procedure presented in [1]–[3], [6] as the reference model. The proposed FTM is illustrated in Figure 2.
Fig. 2: Fast Transmission Mechanism (FTM)
Similar to legacy secure VPLS architectures, PE1, the initiator, triggers the registration procedure by sending an I1 message. Then, PE2, the responder, sends a pre-generated R1 message which contains a cryptographic puzzle, a security token and a signature. This security token is available only to the registered PEs in the VPLS network. During the PE registration phase, either the Authentication Server [1]–[3] or the centralized controller [6] securely distributes the security token to each PE. The security token is mandatory to establish tunnels with other registered PEs in the VPLS network.
Upon the arrival of the R1 message, the initiator (PE1) checks the signature and the security token. After verifying these fields, the initiator sends an I2 message which contains the solution of the puzzle, a security token and a signature. Upon the arrival of the I2 message, the responder (PE2) subsequently checks the signature, the solution of the puzzle and the security token. Now the responder (PE2) has received all the information necessary to establish the tunnel, and it initiates the tunnel from its side. Moreover, it sends the R2 message to complete the tunnel establishment procedure.
The existing VPLS architectures wait until the completion of all four steps of the tunnel establishment mechanism before transmitting user data. However, the tunnel establishment is already complete for the responder (PE2) once it receives the I2 message. Our FTM proposes to transmit the user data from the initiator's (PE1's) end right after it sends the I2 message. Therefore, the tunnel establishment delay will be reduced by 1 RTT (Round Trip Time). However, the initiator (PE1) is still expecting the R2 message. If it does not receive the R2 message before the timeout, it stops any further transmission of user data and aborts the tunnel establishment with the responder (PE2).
A. Selective FTM (SFTM) for SDN enabled VPLS networks
It is not necessary to support fast transmission for every tunnel in a VPLS network. For instance, not all tunnels transport delay critical user data, and not all tunnels face a long transport delay. For SDN enabled VPLS networks [6], we propose a Selective FTM (SFTM) mechanism. Here, the SDN controller has the opportunity to select which tunnels are allowed to use FTM by considering the following factors.
1) Traffic Transport Delay between end PEs (D): By measuring the transport delay, we can eliminate the short tunnels. In SDN networks, the transport delay can be calculated by using flow information from PEs.
2) QoS requirement of the traffic flow (P): Priority is given to delay sensitive traffic flows. Priorities and QoS levels can be set by using SLAs (Service Level Agreements) between customer and provider networks.
However, SFTM cannot be used with the other legacy secure VPLS architectures [1]–[3], since there is no mechanism available to get real-time network and traffic information. Such information is available only for SDN enabled VPLS networks.
B. Fast Transmission Mechanism (FTM) with Tunnel Resumption Procedure (TRP)
In [6], the authors proposed a Tunnel Resumption Procedure (TRP) to reduce the tunnel establishment delay of subsequent tunnel establishments between PEs that have already been authorized and have communicated before. For already registered PEs, the proposed FTM mechanism can be used with TRP as well. The proposed FTM with TRP is illustrated in Figure 3.
Fig. 3: Fast Transmission Mechanism (FTM) with Tunnel Resumption Procedure (TRP)
Here, user data are transmitted right after sending the I1 message. In this case, the PEs do not experience any tunnel establishment delay; user data are transmitted as they would be in a tunnel-free environment. However, both PEs must satisfy both the FTM and the TRP criteria to use FTM with TRP.
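The following is an added example, not code from the paper or its authors: a small discrete-event model of the I1/R1/I2/R2 exchange between initiator PE1 and responder PE2 that reports when user data may start under the legacy procedure, under FTM (Section IV), and under FTM with TRP (Section IV-B), together with the SFTM controller rule from Section IV-A. The R2 timeout, the verification processing time, the lost-R2 fault and the 100 ms transport-delay threshold are constructed values; TRP is reduced to "data starts at I1" rather than modelled in detail.

```python
"""Event-driven model of secure VPLS tunnel establishment with FTM (added example)."""
import heapq
from dataclasses import dataclass, field


@dataclass(order=True)
class Event:
    time: float
    seq: int                            # tie-breaker keeps ordering deterministic
    name: str = field(compare=False)


class HandshakeSim:
    """Two PEs joined by a link with the given RTT; one-way delay is RTT/2.

    mode: "legacy"  - PE1 waits for R2 (all four steps) before sending user data
          "ftm"     - PE1 sends user data right after I2 (saves one RTT)
          "ftm_trp" - FTM with tunnel resumption: data right after I1 (simplified)
    proc_ms models signature/token/puzzle verification at each PE (constructed).
    """

    def __init__(self, rtt_ms, mode="legacy", proc_ms=0.0,
                 r2_timeout_ms=1000.0, drop_r2=False):
        assert mode in ("legacy", "ftm", "ftm_trp")
        self.owd = rtt_ms / 2.0
        self.mode = mode
        self.proc = proc_ms
        self.r2_timeout = r2_timeout_ms   # constructed timeout PE1 applies to R2
        self.drop_r2 = drop_r2            # constructed fault: responder's R2 is lost
        self.queue, self.seq = [], 0
        self.data_started_at = None       # when PE1 first transmits user data
        self.pe2_tunnel_up_at = None      # responder side complete (after I2)
        self.pe1_tunnel_up_at = None      # initiator side complete (after R2)
        self.aborted_at = None            # PE1 gave up waiting for R2

    def _schedule(self, at, name):
        self.seq += 1
        heapq.heappush(self.queue, Event(at, self.seq, name))

    def run(self):
        # t = 0: PE1 (initiator) sends I1 to trigger the registration procedure.
        self._schedule(self.owd, "I1@PE2")
        if self.mode == "ftm_trp":
            self.data_started_at = 0.0    # TRP: no tunnel establishment wait at all
        while self.queue:
            ev = heapq.heappop(self.queue)
            t = ev.time
            if ev.name == "I1@PE2":
                # R1 is pre-generated (puzzle, security token, signature): no delay.
                self._schedule(t + self.owd, "R1@PE1")
            elif ev.name == "R1@PE1":
                # PE1 verifies signature and token, then answers with I2.
                t_send = t + self.proc
                self._schedule(t_send + self.owd, "I2@PE2")
                self._schedule(t_send + self.r2_timeout, "R2-timeout@PE1")
                if self.mode == "ftm":
                    self.data_started_at = t_send   # transmit without waiting for R2
            elif ev.name == "I2@PE2":
                # PE2 checks signature, puzzle solution and token: tunnel ready on its side.
                t_done = t + self.proc
                self.pe2_tunnel_up_at = t_done
                if not self.drop_r2:
                    self._schedule(t_done + self.owd, "R2@PE1")
            elif ev.name == "R2@PE1":
                self.pe1_tunnel_up_at = t
                if self.mode == "legacy":
                    self.data_started_at = t        # all four steps complete
            elif ev.name == "R2-timeout@PE1":
                if self.pe1_tunnel_up_at is None:
                    # No R2 before the timeout: stop user data, abort this tunnel.
                    self.aborted_at = t
        return {
            "waiting_time_ms": None if self.aborted_at is not None else self.data_started_at,
            "aborted_at_ms": self.aborted_at,
            "pe2_tunnel_up_ms": self.pe2_tunnel_up_at,
        }


def sftm_allows(transport_delay_ms, delay_sensitive, min_delay_ms=100.0):
    """SFTM policy at the SDN controller: enable FTM only for long tunnels (factor D)
    that carry delay-sensitive flows (factor P). The threshold is a constructed value."""
    return transport_delay_ms >= min_delay_ms and delay_sensitive


def waiting_times(rtt_ms):
    """Waiting time before user data for each mode, for one RTT value."""
    return {m: HandshakeSim(rtt_ms, m).run()["waiting_time_ms"]
            for m in ("legacy", "ftm", "ftm_trp")}


if __name__ == "__main__":
    for rtt in (50, 250, 500):
        print(f"RTT {rtt} ms:", waiting_times(rtt))
    print("FTM with lost R2:", HandshakeSim(500, "ftm", drop_r2=True).run())
```

With a 500 ms RTT the model gives 1000 ms (legacy), 500 ms (FTM) and 0 ms (FTM with TRP), matching the one-RTT saving described above; with R2 lost, PE1 has already sent data after I2 but aborts at the timeout, which is the failure mode the text requires the initiator to handle.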
V. PERFORMANCE EVALUATION
The performance of the proposed FTM is analyzed with simulation and testbed experiments.
A. Simulation Results
A network with 100 PEs is used as our reference network. The model network is generated by using stochastic Kronecker graphs [14]. We compared the performance of FTM by integrating it into existing secure VPLS architectures, namely the HIPLS [1], S-HIPLS [11] and SDN VPLS [6] architectures.
In this experiment, we measured the average waiting time before starting the user traffic transmission. We selected two PEs and gradually increased the RTT (Round Trip Time) between them. We measured the waiting time at the session initiating PE before it transmits the user data. Figure 4 illustrates the simulation results.
The simulation results (Figure 4) verify that the proposed FTM reduces the waiting time for all VPLS architectures. The reduction of the waiting time by one RTT yields at least a 50% performance advantage in all scenarios. As expected, PEs do not experience any tunnel establishment delay for FTM with TRP in the SDN VPLS scenario (Figure 3).
[Figure 4 plot: four panels, (a) HIPLS vs. HIPLS with FTM, (b) SHIPLS vs. SHIPLS with FTM, (c) SDN VPLS vs. SDN with FTM, (d) SDN VPLS with TRP vs. SDN with TRP and FTM; x-axis Round Trip Time (ms), 0 to 500; y-axis Waiting Time (ms).]
Fig. 4: The average waiting time before starting the file transmission
B. Testbed Implementation
The proposed solution was implemented in a testbed to analyze its real world performance and verify the feasibility of the proposed mechanism. The experiment testbed is illustrated in Figure 5.
Fig. 5: The experiment testbed
We use three laptops and two Ethernet hubs in the testbed. On the first two laptops, Open vSwitch (OVS) version 1.10.0 [15] is installed. These OpenFlow switches act as PEs, and each laptop has an Intel i5-3210M CPU at 2.5 GHz. Moreover, we implement two CEs on each of these laptops, so each OVS represents the PE for two customer sites. We use the OpenHIP implementation [16] to establish IPsec tunnels between PEs.
TABLE I: The Performance Comparison

Architecture                    | Average waiting time (ms) | Performance advantage of FTM
HIPLS [1]                       | 80.6578                   |
HIPLS [1] with FTM              | 42.6752                   | 47.0910%
SHIPLS [11]                     | 81.3541                   |
SHIPLS [11] with FTM            | 43.1254                   | 46.9905%
SDN VPLS [6]                    | 80.5457                   |
SDN VPLS [6] with FTM           | 41.9552                   | 47.9113%
SDN VPLS [6] with TRP           | 44.5646                   |
SDN VPLS [6] with TRP and FTM   | 1.8545                    | 95.8386%
The third laptop, with an L2400 CPU at 1.66 GHz, works as the SDN controller; the latest POX controller [17] runs on this laptop. The POX controller uses OpenFlow version 1.1.0 [18] to control the SDN enabled PEs. A network with 100 Mbps bandwidth was established by using two D-LINK DSR-250N routers.
In the testbed experiment, we established communication sessions between CE1 and CE3 via the VPLS network and measured the waiting time before transmitting the data. We compared the performance with other secure VPLS architectures, namely HIPLS [1], S-HIPLS [11] and SDN VPLS [6]. We ran the experiment 100 times and calculated the average values. The experiment results are presented in Table I.
The experiment results verify that the proposed FTM reduces the waiting time of existing VPLS architectures by 46%–47%. Moreover, FTM with TRP has almost zero waiting time, a waiting time reduction of about 96%. Here, user data transmission can start right after the transmission of the first tunnel establishment message (i.e. I1 in Figure 3).
VI. CONCLUSION AND FUTURE WORKS
Ethernet based secure VPLS (Virtual Private LAN Services) networks require a full mesh of VPLS tunnels to be established between customer sites. However, the tunnel establishment between geographically distant customer sites introduces a significantly high waiting time to user traffic transport. Such long waiting times increase the traffic transport delay and reduce the QoS of short communication sessions. In this article, we proposed a novel Fast Transmission Mechanism (FTM) for secure VPLS architectures to reduce the waiting time before user data transmission. It ultimately reduces the average data transmission delay between geographically distant customer sites.
The performance of the proposed mechanism is analyzed with existing VPLS architectures by using a simulation model. Simulation results verified that the proposed FTM reduced the waiting time of all the secure VPLS architectures. The reduction of the waiting time by one RTT yields at least a 50% performance advantage in all scenarios. Moreover, the proposed FTM was implemented in a testbed to analyze its real world performance and verify the feasibility of the proposed mechanism. The experiment results verified that the proposed FTM reduced the waiting time of existing VPLS architectures by 46%–47%. Moreover, FTM with the Tunnel Resumption Procedure (TRP) has almost zero waiting time for SDN enabled VPLS networks.
ACKNOWLEDGMENT
This work has been performed in the framework of the SECUREConnect (Secure Connectivity of Future Cyber-Physical Systems), Naked Approach, Towards Digital Paradise and CENIIT 17.01 projects. This research is funded by the Academy of Finland and TEKES, Finland.
REFERENCES
[1] T. Henderson, S. Venema, and D. Mattes, “HIP-based Virtual Private LAN Service (HIPLS),” Internet Draft, IETF, December 2013.
[2] M. Liyanage and A. Gurtov, “A Scalable and Secure VPLS Architecture for Provider Provisioned Networks,” in Proc. of IEEE Wireless Communication and Networking Conference: WCNC, Shanghai, China, 2013.
[3] M. Liyanage, M. Ylianttila, and A. Gurtov, “Secure Hierarchical Virtual Private LAN Services for Provider Provisioned Networks,” in Proc. of IEEE Conference on Communications and Network Security: CNS, Washington D.C., USA, 2013.
[4] Tempered Networks. [Online]. Available: http://www.temperednetworks.com/
[5] Tofino Security Appliance. [Online]. Available: http://www.tofinosecurity.com/products/tofino-security-appliance
[6] M. Liyanage, A. Gurtov, and M. Ylianttila, “Improving the Tunnel Management Performance of Secure VPLS Architectures with SDN,” in Proc. of IEEE Consumer Communications and Networking Conference (CCNC), Las Vegas, USA, 2016.
[7] G. Keller and A. Beylot, “Improving flow level fairness and interactivity in WLANs using size-based scheduling policies,” in Proc. of the 11th International Symposium on Modeling, Analysis and Simulation of Wireless and Mobile Systems, 2008.
[8] K. Kompella and Y. Rekhter, “Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling,” RFC 4761, IETF, January 2007.
[9] M. Lasserre and V. Kompella, “Virtual Private LAN Service (VPLS) Using Label Distribution Protocol (LDP) Signaling,” RFC 4762, IETF, January 2007.
[10] A. Sodder, K. Ramakrishnan, C. DelRegno, and J. Wils, “Virtual Hierarchical LAN Services,” Internet Draft, IETF, April 2003.
[11] M. Liyanage and A. Gurtov, “Securing Virtual Private LAN Service by Efficient Key Management,” Security and Communication Networks, 2013.
[12] T. Henderson. Boeing HIP Secure Mobile Architecture. [Online]. Available: http://www.ietf.org/proceedings/73/slides/HIPRG-0.pdf
[13] M. Liyanage, J. Okwuibe, M. Ylianttila, and A. Gurtov, “Secure Virtual Private LAN Services: An Overview with Performance Evaluation,” in IEEE ICC 2015 - Workshop on Advanced PHY and MAC Techniques for Super Dense Wireless Networks. IEEE, 2015, pp. 1–7.
[14] J. Leskovec, D. Chakrabarti, J. Kleinberg, C. Faloutsos, and Z. Ghahramani, “Kronecker graphs: An approach to modeling networks,” The Journal of Machine Learning Research, vol. 11, pp. 985–1042, 2010.
[15] Open vSwitch: An Open Virtual Switch. [Online]. Available: http://openvswitch.org/
[16] The OpenHIP project. [Online]. Available: http://www.openhip.org/
[17] About POX. [Online]. Available: http://www.noxrepo.org/pox/about-pox/
[18] OpenFlow Switch Specification Version 1.1.0. [Online]. Available: http://archive.openflow.org/documents/openflow-spec-v1.1.0.pdf
... To address this issue, Multi-Protocol Label Switching (MPLS) was developed. Providing private network over MPLS usually falls into two categories: MPLS Layer 3 VPN and MPLS Layer 2 VPN [3][4][5][6]. Virtual Private LAN Services (VPLS) combine the advantages of ethernet and MPLS to connect geographically dispersed LANs through IP/MPLS networks [7][8][9][10]. As a result, all network LANs can cooperate as a single LAN. ...
... Several studies, including references [44,49], have investigated and compared the scalability of different VPLS implementations. Additionally, reference [50] proposed a scalable virtual Layer 2 implementation, and reference [6] suggested various methods to enhance the scalability of VPLS. Each of these studies is discussed below. ...
Article
Full-text available
Virtual Private LAN Services (VPLS) is an ethernet-based Virtual Private Network (VPN) service that provides multipoint-to-multipoint Layer 2 VPN service, where each site is geographically dispersed across a Wide Area Network (WAN). The adaptability and scalability of VPLS are limited despite the fact that they provide a flexible solution for connecting geographically dispersed sites. Furthermore, the construction of tunnels connecting customer locations that are separated by great distances adds a substantial amount of latency to the user traffic transportation. To address these issues, a novel Hierarchical VPLS (H-VPLS) architecture has been developed using 802.1Q tunneling (also known as Q-in-Q) on high-speed and commodity routers to satisfy the additional requirements of new VPLS applications. The Vector Packet Processing (VPP) performs as the router’s data plane, and FRRouting (FRR), an open-source network routing software suite, acts as the router’s control plane. The router is designed to seamlessly forward VPLS packets using the Request For Comments (RFCs) 4762, 4446, 4447, 4448, and 4385 from The Internet Engineering Task Force (IETF) integrated with VPP. In addition, the Label Distribution Protocol (LDP) is used for Multi-Protocol Label Switching (MPLS) Pseudo-Wire (PW) signaling in FRR. The proposed mechanism has been implemented on a software-based router in the Linux environment and tested for its functionality, signaling, and control plane processes. The router is also implemented on commodity hardware for testing the functionality of VPLS in the real world. Finally, the analysis of the results verifies the efficiency of the proposed mechanism in terms of throughput, latency, and packet loss ratio.
... Related Work on VPLS Scalability: Broadly, [122] and [74] present comparisons of different VPLS implementations with respect to scalability, [123] describes a scalable L2 implementation and [124]- [127] proposed various solutions to improve scalability of VPLS. We discuss each of them as follows. ...
... In [126], a scalable solution for BGP route information handling in VXLAN using the EVPN control plane is presented. In [127], a solution using S-HIPLS to improve both control plane and data plane scalability is proposed. ...
Article
Full-text available
Virtual Private LAN services (VPLS) is a Layer 2 Virtual Private Network (L2VPN) service that has gained immense popularity due to a number of its features, such as protocol independence, multipoint-to-multipoint mesh connectivity, robust security, low operational cost (in terms of optimal resource utilization), and high scalability. In addition to the traditional VPLS architectures, novel VPLS solutions have been designed leveraging new emerging paradigms, such as Software Defined Networking (SDN) and Network Function Virtualization (NFV), to keep up with the increasing demand. These emerging solutions help in enhancing scalability, strengthening security, and optimizing resource utilization. This paper aims to conduct an in-depth survey of various VPLS architectures and highlight different characteristics through insightful comparisons. Moreover, the article discusses numerous technical aspects such as security, scalability, compatibility, tunnel management, operational issues, and complexity, along with the lessons learned. Finally, the paper outlines future research directions related to VPLS. To the best of our knowledge, this paper is the first to furnish a detailed survey of VPLS.
... Several research works have been proposed to improve the features of HIPLS such as efficient key management [16], [17], scalability [16]- [19] and tunnel establishment procedure [20], [21]. In [16], [17], the authors propose a Session keybased HIPLS (S-HIPLS) architecture which has been used as the basis for other improved HIPLS versions, i.e. [18]- [21]. ...
Article
Full-text available
Virtual Private LAN Service (VPLS) is a VPN technology that connects remote client sites with provider networks in a transparent manner. Session key-based HIPLS (S-HIPLS) is a VPLS architecture based on the Host Identity Protocol (HIP) that provides a secure VPLS architecture using a Key Distribution Center (KDC) to implement security mechanisms such as authentication, encryption etc. It exhibits limited scalability though. Using multiple distributed KDCs would offer numerous advantages including reduced workload per KDC, distributed key storage, and improved scalability, while simultaneously eliminating the single point of failure of S-HIPLS. It would also come with the need for optimally placing KDCs in the provider network. In this work, we formulate the KDC placement (KDCP) problem for a secure VPLS network as an Integer Linear Programming (ILP) problem. The latter is NP-hard, thereby suggesting a high computational cost for obtaining exact solutions especially for large deployments. Therefore, we motivate the use of a primal-dual algorithm to efficiently produce near-optimal solutions. Extensive evaluations on large-scale network topologies, such as the random Internet graph, demonstrate our method's time-efficiency as well as its improved scalability and usefulness compared to both HIPLS and S-HIPLS.
... VPLS is a technology that was developed for interconnecting industrial sites with a Multi-Protocol Label Switching (MPLS) provider network [43]. The tunneling nature of VPLS is guaranteeing the security and integrity of transmitted information. ...
Conference Paper
Full-text available
Internet of Things (IoT) and 5G are emerging technologies that envisage a mobile service platform capable of provisioning billions of communication devices which enable ubiquitous computing and ambient intelligence. These novel approaches are guaranteeing gigabit-level bandwidth, ultra-low latency and ultra-high storage capacity for their subscribers. To achieve these limitations, ETSI has introduced the paradigm of Multi-Access Edge Computing (MEC) for creating efficient data processing architecture extending the cloud computing capabilities in the Radio Access Network (RAN). Despite the gained enhancements to the mobile network, MEC is subjected to security challenges raised from the heterogeneity of IoT services, intricacies in integrating virtualization technologies, and maintaining the performance guarantees of the mobile networks (i.e. 5G). In this paper, we are identifying the probable threat vectors in a typical MEC deployment scenario that comply with the ETSI standards. We analyse the identified threat vectors and propose solutions to mitigate them.
... The paper [16] submits that the message may arrive in a queue as unexpected if its data is received by the process-receiver before making the library call in order to receive such message to the memory buffer at the user program level. It is well known [7,17] that unexpected data is first copied to a temporary library buffer. Such recopying operations are costly for the overall exchange process and reduce its performance. ...
Article
Full-text available
The direct search mechanism is implemented with the expansion of the traditional socket TCP interface for receiving messages while bypassing the traditional order of the established queue. This mechanism can be used for high-performance and clustered computer systems in order to intensify data exchange and continuous support of a maximum load on computing machines. The interface for direct message search is implemented on the base of the Linux kernel. The experimental test results are obtained by using a set of simple microbenchmarks. During the test, the sender sends the required number of fixed-size messages via an established connection, and the receiver skips unexpected messages and reads the expected one into the user's space. The approach to finding the expected messages is realized with multiple searches for a case where the socket application treats the TCP socket as a list of messages with the ability to receive and delete the data not only from the buffer top but from any place in it. All expected messages are recognized and processed by the developed seek_recv() call. Each test contains ~80 repetitions, which include such operations as socket opening, sending 800–1000 messages according to the acceptance politics, and socket closure. The system only uses one active socket at the same time. The received results confirm a noticeable decrease in message processing CPU time by 36–40 % and overall productivity growth. However, when the volume of messages is approaching 1000 bytes, i.e. close to the typical size of the TCP packet useful load, there is a productivity decrease in the message exchange process.
The European Telecommunications Standards Institute (ETSI) has introduced the paradigm of Multi-Access Edge Computing (MEC) to enable efficient and fast data processing in mobile networks. Among other technological requirements, security and privacy are significant factors in the realization of MEC deployments. In this paper, we analyse the security and privacy of the MEC system. We introduce a thorough investigation of the identification and the analysis of threat vectors in the ETSI standardized MEC architecture. Furthermore, we analyse the vulnerabilities leading to the identified threat vectors and propose potential security solutions to overcome these vulnerabilities. The privacy issues of MEC are also highlighted, and clear objectives for preserving privacy are defined. Finally, we present future directives to enhance the security and privacy of MEC services.
Virtual Private LAN Services (VPLS) is a widely utilized Layer 2 (L2) Virtual Private Network (VPN) architecture in industrial networks. In the last few years, VPLS networks have gained immense popularity as an ideal network architecture to interconnect legacy industrial SCADA (Supervisory Control and Data Acquisition) and process control devices over a shared network. However, legacy VPLS architectures are highly vulnerable to security threats that are initiated at the insecure shared network segment. Thus, secure VPLS architectures are becoming popular among industrial enterprises. In this article, we provide an overview of existing secure VPLS architectures with a performance evaluation. We evaluate the performance penalty of security on throughput, latency and jitter in a real-world testbed. From these experiments, we seek to highlight the drawbacks of existing secure VPLS architectures after implementing them in a real networking environment. Moreover, we underscore future research questions that will help to improve the performance of secure VPLS networks.
Virtual Private LAN Service (VPLS) is a widely used Layer 2 (L2) Virtual Private Network (VPN) service. Initially, VPLS architectures were proposed as flat architectures. They were used only for small and medium scale networks due to their lack of scalability. Hierarchical VPLS architectures were proposed to overcome these scalability issues. On the other hand, security is an indispensable factor of a VPLS since it delivers private user frames via an untrusted public network. However, the existing hierarchical architectures are unable to provide a sufficient level of security for a VPLS network. In this paper, we propose a novel hierarchical VPLS architecture based on Host Identity Protocol (HIP). It provides a secure VPLS network by delivering vital security features such as authentication, confidentiality, integrity, availability, a secure control protocol and robustness to known attacks. The simulations verify that our proposal provides control, forwarding and security plane scalability by reducing the number of tunnels in the network as well as the number of keys stored at a node and in the network. Finally, the simulation results confirm that the control protocol of the proposed architecture is protected from IP based attacks.
Virtual Private LAN Service (VPLS) is a Layer 2 Virtual Private Network (VPN) service. The Internet Engineering Task Force (IETF) defined the essential system requirements of a VPLS network. Among them, security is a key requirement, as a VPLS delivers customer data frames via untrusted public networks. However, the existing secure VPLS architectures suffer from scalability issues and are infeasible to implement in large scale networks. In this paper, we propose a novel VPLS architecture based on Host Identity Protocol (HIP). It includes a new session key based security mechanism which provides scalability in both the forwarding and security planes. Initial simulations verify that the proposed architecture reduces the key storage in a VPLS node, the total key storage in the network and the number of encryptions per broadcast frame compared with other secure VPLS architectures. Additionally, our proposal provides an efficient broadcast mechanism and a comparably higher degree of security features than other existing VPLS proposals.
Virtual Private LAN Service (VPLS), also known as Transparent LAN Service and Virtual Private Switched Network service, is a useful Service Provider offering. The service offers a Layer 2 Virtual Private Network (VPN); however, in the case of VPLS, the customers in the VPN are connected by a multipoint Ethernet LAN, in contrast to the usual Layer 2 VPNs, which are point-to-point in nature. This document describes the functions required to offer VPLS, a mechanism for signaling a VPLS, and rules for forwarding VPLS frames across a packet switched network.
Virtual private local area network service (VPLS) is a layer 2 service provider-provisioned virtual private network service. Security is one of the key system requirements of a VPLS because it delivers frames via an untrusted network. Several VPLS architectures have been proposed in recent years. However, many of them do not provide a sufficient level of security. On the other hand, the existing secure VPLS architectures also suffer from scalability issues, and they are infeasible to implement in large scale networks. Hence, we present a scalable secure VPLS architecture based on host identity protocol (HIP). It includes a new session key-based security mechanism that provides scalability in both the forwarding and security planes. Initial simulations verify that our proposal comparatively reduces the complexity of the key storage at a node, the total key storage of the network, and the number of encryptions per broadcast frame. Additionally, it offers an efficient broadcast mechanism and a comparably higher degree of security features than other existing VPLS proposals. The simulation results further confirm that our proposal is able to protect the control protocol of the VPLS from Internet Protocol (IP)/Transmission Control Protocol (TCP) based attacks.
How can we model networks with a mathematically tractable model that allows for rigorous analysis of network properties? Networks exhibit a long list of surprising properties: heavy tails for the degree distribution; small diameters; and densification and shrinking diameters over time. Most present network models either fail to match several of the above properties, are complicated to analyze mathematically, or both. In this paper we propose a generative model for networks that is both mathematically tractable and can generate networks that have the above mentioned properties. Our main idea is to use the Kronecker product to generate graphs that we refer to as "Kronecker graphs". First, we prove that Kronecker graphs naturally obey common network properties. We also provide empirical evidence showing that Kronecker graphs can effectively model the structure of real networks. We then present KronFit, a fast and scalable algorithm for fitting the Kronecker graph generation model to large real networks. A naive approach to fitting would take super-exponential time. In contrast, KronFit takes linear time, by exploiting the structure of Kronecker matrix multiplication and by using statistical simulation techniques. Experiments on large real and synthetic networks show that KronFit finds accurate parameters that indeed very well mimic the properties of target networks. Once fitted, the model parameters can be used to gain insights about the network structure, and the resulting synthetic graphs can be used for null models, anonymization, extrapolations, and graph summarization.
In this paper, we investigate the use of a size-based scheduling policy, LAS-TOTAL, in WLANs. A size-based scheduling policy is a priority policy where the priority of a flow is based on its size. LAS-TOTAL replaces the legacy IP level FIFO scheduler at the access point. The lower protocol layers, and especially the MAC 802.11 layer, are left unchanged. We demonstrate using realistic synthetic workloads that LAS-TOTAL solves the unfairness issue due to DCF in 802.11 WLANs and ensures small response times to the majority of the flows under any load conditions. The latter property is desirable as short flows correspond to interactive applications, and maintaining low response times for those flows despite load variations significantly improves user experience. We also introduce and validate Markovian queuing models to assess the response time of the access point for both FIFO and LAS-TOTAL.
T. Henderson, S. Venema, and D. Mattes, "HIP-based Virtual Private LAN Service (HIPLS)," Internet Draft, IETF, December 2013.
M. Lasserre and V. Kompella, "Virtual private LAN service (VPLS) using label distribution protocol (LDP) signaling," RFC 4762, IETF, January 2007.