IoT IP Overlay Network Security Performance Analysis with Open Source Infrastructure Deployment
Abstract
1. Introduction
- Architecture: ONs are built on top of existing networks with added abstraction, allowing for flexibility in hardware and software. VPNs are implemented on existing IP networks, using specific protocols for secure connections.
- Data Flow Management: ONs manage data flow in a distributed manner, with each node responsible for its data transmission, allowing multiple paths based on network topology. VPNs manage data flow centrally, routing data through a secure tunnel between clients and a central server.
- Approach to Security: Overlay Networks (ONs) use end-to-end encryption, ensuring data security even over untrusted networks. VPNs use tunneling, encapsulating data in encrypted packets to create a secure pathway through public networks.
- Scalability: ONs are often more scalable, adapting to network changes and supporting more nodes without performance loss. VPNs may have scalability issues due to centralized tunnel management and device capacity limitations for encrypted traffic.
2. Related Works
3. Components of Overlay Architecture
- IPIP: The IPIP tunnel is a method of tunneling that allows IP packets to be transmitted within another IP packet. This type of tunnel is primarily used to connect two internal IPv4 subnets across the public IPv4 Internet. Due to its minimal overhead, it is optimal for this application, although it only supports IPv4 unicast traffic and not multicast. Furthermore, the IPIP tunnel supports both IP over IP and MPLS over IP.
- VTI: The Virtual Tunnel Interface (VTI) on Linux resembles Cisco’s VTI and Juniper’s secure tunnel implementation (st. xx). This tunneling driver facilitates IP encapsulations, compatible with XFRMi, to establish secure tunnels, enabling kernel routing atop. VTI tunnels function similarly to IPIP or SIT tunnels, with the addition of fwmark and IPsec encapsulation/decapsulation capabilities.
- GRE and GREtap: Generic Routing Encapsulation (GRE), defined in RFC 2784, involves inserting a GRE header between the inner and outer IP headers. Unlike IPIP, which is limited to encapsulating IP, GRE theoretically supports encapsulating any Layer 3 protocol with a valid Ethernet type. GRE tunnels can transport multicast traffic and IPv6. While GRE operates at OSI Layer 3, GREtap functions at OSI Layer 2, meaning there is an Ethernet header in the inner header.
- FOU: Tunneling operates across different layers of the networking stack, with IPIP or GRE working at the IP level, and FOU (Foo Over UDP) functioning at the UDP level. Leveraging UDP tunneling offers numerous advantages, tapping into existing hardware infrastructure like RSS in NICs, ECMP in switches, and checksum offload. Performance boosts have been evidenced for IPIP protocols through developer patch sets. Currently, the FOU tunnel accommodates encapsulation protocols such as IPIP and GRE, with an example FOU header provided. Configuring an FOU receive port for IPIP entails setting it to port 5555, while for GRE, setting IP proto to 47 is required. Another command establishes a new IPIP virtual interface (FOU1) configured for FOU encapsulation, with the destination port set to 5555.
- GUE: Generic UDP Encapsulation (GUE) is a form of UDP tunneling distinct from FOU. Unlike FOU, GUE features its encapsulation header, which includes protocol information and additional data. Setting up a GUE receive port for IPIP bound to 5555 involves configuring an IPIP tunnel for GUE encapsulation. Currently, the GUE tunnel supports inner IPIP and GRE encapsulation. An example GUE header is provided.
- GENEVE: Generic Network Virtualization Encapsulation (GENEVE) consolidates the functionalities of VXLAN, NVGRE, and STT, aiming to address their perceived limitations. Many anticipate that GENEVE could ultimately supplant these earlier formats entirely. The GENEVE tunnel header closely resembles VXLAN, with the key distinction lying in its flexibility. The GENEVE header allows for easy integration of new features through extension with a new Type-Length-Value (TLV) field.
- VXLAN: VXLAN (virtual extensible local area network) is a tunneling protocol designed to address the limitation of VLAN IDs (4096) in IEEE 802.1q. As described in IETF RFC 7348, VXLAN introduces a 24-bit segment ID, known as VXLAN Network Identifier (VNI), allowing for up to (16,777,216) virtual LANs. This capacity is 4096 times that of traditional VLANs. VXLAN finds common deployment in data centers across virtualized hosts, often spanning multiple racks. It encapsulates Layer 2 frames with a VXLAN header into a UDP-IP packet.
- IP/MACVLAN: MACVLAN enables multiple MAC and IP addresses on a single physical interface through MACVLAN sub-interfaces, unlike VLANs where sub-interfaces share the same MAC address. Each MACVLAN sub-interface has a unique MAC and IP address, directly integrated into the underlay network. Typically employed in virtualization, MACVLAN interfaces allow containers or VMs to obtain DHCP addresses directly, easing integration into existing networks. MACVLAN offers four types, with MACVLAN bridge being common, enabling local communication without external routing. External connectivity utilizes the underlay network, as illustrated by two containers communicating via the MACVLAN bridge. IPvlan is akin to MACVLAN but with a key distinction: the endpoints share the same MAC address. Supporting both L2 and L3 modes, IPvlan offers flexibility in networking configurations. In L2 mode, each endpoint retains the same MAC address but receives a different IP address. Conversely, L3 mode facilitates packet routing between endpoints, enhancing scalability.
- MACsec: MACsec operates at Layer 2, ensuring protection (integrity and/or encryption) transparently within the network. Unlike IPsec, which can pose performance challenges, MACsec is designed to run at line rate, typically in the hardware's ASIC, though not universally supported across hardware. The protected MACsec frame utilizes an Ethertype of 0x88e5. While the Ethernet header and SecTag are sent in plaintext, they are always integrity-protected by the ICV. The default cryptographic algorithm is AES-GCM-128. Additionally, MACsec supports optional replay protection with a configurable replay window.
3.1. IPsec
3.2. The Noise Protocol Framework
3.3. Linux Daemons
3.4. LibreSwan
OpenWrt
4. Description of Possible Deployment for Overlay Topologies
- A site to site scenario (where two remote offices communicate securely).
- A site to multi-site scenario (where multiple remote offices communicate securely).
- A road warriors scenario (in which multiple users from remote offices communicate securely with a particular local office).
5. Implemented Scenarios and Experimental Results
Listing 1. Bash script for a FOU interface.
Listing 2. Bash script for an FOU interface iptables rule.
Listing 3. Bash script for an FOU interface nftables rule.
- Installing the packages needed to support the network tunnels (for example OpenVPN or IPsec) or, as in this case, using the scripts to deploy the required configuration;
- Configuring the specific tunnel configuration files, such as OpenVPN (‘*.conf’) or LibreSwan (‘*.conf’) configuration files;
- Enabling and starting the necessary services to manage the network tunnels;
- Configuring firewall rules, if necessary, to allow traffic through the network tunnels;
- Verifying the status of network tunnels to ensure they are active and functioning correctly.
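The FOU and GUE set-up described in Section 3 (receive port 5555, an IPIP interface with UDP encapsulation) together with the configure, firewall and verify steps above, as an added example; this is not one of the paper's Listings 1 to 3. It generates the iproute2 and firewall commands and only executes them when APPLY=1 is set. The underlay and overlay addresses, the inner MTU default and the assumption that an `inet filter` table with an `input` chain already exists for the nftables rule are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not one of the paper's listings): generate, and optionally
# apply, the iproute2 and firewall commands that bring up a site-to-site
# IPIP tunnel encapsulated in FOU or GUE on the UDP receive port 5555 the
# paper uses. Underlay/overlay addresses below are constructed placeholders.
# Commands are printed by default; APPLY=1 executes them (requires root).

LOCAL_UNDERLAY="${LOCAL_UNDERLAY:-198.51.100.1}"   # this site's public address (constructed)
REMOTE_UNDERLAY="${REMOTE_UNDERLAY:-203.0.113.1}"  # peer site's public address (constructed)
TUN_ADDR="${TUN_ADDR:-10.99.0.1/30}"               # overlay address on this end (constructed)
FOU_PORT="${FOU_PORT:-5555}"                       # UDP receive port, as in the paper
IFNAME="${IFNAME:-fou1}"                           # interface name used in the paper

# 1. Receive side: register the UDP port so the kernel decapsulates what arrives on it.
#    Plain FOU needs the inner protocol number (4 = IPIP; the paper notes 47 for GRE);
#    GUE carries the protocol in its own header, so only the port is given.
receive_port_cmd() {   # $1 = fou | gue
    case "$1" in
        fou) echo "ip fou add port $FOU_PORT ipproto 4" ;;
        gue) echo "ip fou add port $FOU_PORT gue" ;;
        *)   echo "encap must be fou or gue, got: $1" >&2; return 1 ;;
    esac
}

# 2. Transmit side: an IPIP virtual interface whose packets are wrapped in UDP
#    towards the peer's port. The MTU is set below the 1500-byte underlay so the
#    added outer headers (28 bytes for FOU, 46 for GUE in the paper's header
#    table) never force fragmentation; 1400 is the value the paper recommends.
tunnel_cmds() {        # $1 = fou | gue, $2 = inner MTU (default 1400)
    mtu=${2:-1400}
    echo "ip link add name $IFNAME type ipip remote $REMOTE_UNDERLAY local $LOCAL_UNDERLAY encap $1 encap-sport auto encap-dport $FOU_PORT"
    echo "ip link set $IFNAME mtu $mtu up"
    echo "ip addr add $TUN_ADDR dev $IFNAME"
}

# 3. Firewall: accept the encapsulation port only from the known peer, so the
#    decapsulation port is not reachable from arbitrary Internet hosts.
#    The nftables form assumes the 'inet filter' table and 'input' chain exist
#    (assumption of this example); the iptables form is the equivalent rule.
firewall_cmds() {      # $1 = nft | iptables
    case "$1" in
        nft)      echo "nft add rule inet filter input ip saddr $REMOTE_UNDERLAY udp dport $FOU_PORT accept" ;;
        iptables) echo "iptables -A INPUT -s $REMOTE_UNDERLAY -p udp --dport $FOU_PORT -j ACCEPT" ;;
        *)        echo "firewall must be nft or iptables, got: $1" >&2; return 1 ;;
    esac
}

# 4. Verification: list the registered receive port and the interface's
#    encapsulation details (type, remote/local, encap mode and ports).
verify_cmds() {
    echo "ip fou show"
    echo "ip -d link show $IFNAME"
}

all_cmds() {           # $1 = fou | gue, $2 = nft | iptables
    receive_port_cmd "$1" && tunnel_cmds "$1" && firewall_cmds "$2" && verify_cmds
}

if [ "${APPLY:-0}" = 1 ]; then
    all_cmds "${ENCAP:-fou}" "${FW:-nft}" | sh -e
else
    all_cmds "${ENCAP:-fou}" "${FW:-nft}"
fi
```

Run it once on each site with LOCAL_UNDERLAY and REMOTE_UNDERLAY swapped and a different TUN_ADDR; ENCAP=gue switches both the receive port and the interface to GUE, and FW=iptables emits the iptables rule instead of the nftables one.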
5.1. Considered Overlay Network Deployed Topology
5.2. System Tools for Performance Analysis: Iperf and Netperf
- An MTU that is too high or too low can cause packet fragmentation or inefficiency in packet transfer. A value of 1400 can improve performance.
- If compression is enabled, it can cause extra CPU load.
- Suboptimal TCP/IP parameters can affect performance.
- Using outdated versions of Tinc can lead to performance issues, and Tinc has not been updated since 2021.
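To make the MTU point above concrete, the following is an added example (not code from the paper) that takes the Max Header Size column of the paper's tunnel header table and derives, for any underlay MTU, the largest inner MTU that still avoids fragmentation, then checks whether a configured value such as the recommended 1400 fits. It also generalizes to a stacked encapsulation: summing the FOU row (outer IP + UDP) and the GRE row for GRE carried inside FOU, which Section 3 says FOU supports; treating the rows as independent additive layers is this example's assumption.

```shell
#!/bin/sh
# Added example, not from the paper: derive the largest inner MTU that fits a
# given underlay MTU for the tunnel types in the paper's header-size table.
# Header sizes are the "Max Header Size" column of that table.

# Maximum header size in bytes per tunnel type (values from the paper's table).
max_header() {
    case "$1" in
        IPIP)    echo 20 ;;
        VTI)     echo 24 ;;
        GRE)     echo 38 ;;
        GREtap)  echo 18 ;;
        FOU)     echo 28 ;;
        GUE)     echo 46 ;;
        GENEVE)  echo 38 ;;
        VXLAN)   echo 52 ;;
        MACVLAN) echo 18 ;;
        MACsec)  echo 44 ;;
        *) echo "unknown tunnel type: $1" >&2; return 1 ;;
    esac
}

# Total overhead of a stack of encapsulations, outermost first, e.g. "FOU GRE".
# Assumption of this example: each row is an independent additive layer.
stack_overhead() {
    total=0
    for proto in $1; do
        h=$(max_header "$proto") || return 1
        total=$((total + h))
    done
    echo "$total"
}

# Largest inner MTU that still fits the underlay without fragmentation.
max_inner_mtu() {   # $1 = underlay MTU, $2 = encapsulation stack
    overhead=$(stack_overhead "$2") || return 1
    echo $(($1 - overhead))
}

# Exit 0 when a configured inner MTU is safe for the stack on that underlay,
# 1 when it would trigger fragmentation (or a PMTU black hole if DF is set).
mtu_fits() {        # $1 = inner MTU, $2 = underlay MTU, $3 = stack
    limit=$(max_inner_mtu "$2" "$3") || return 1
    [ "$1" -le "$limit" ]
}

# Report for one underlay MTU (default: classic Ethernet, 1500) and one
# configured inner MTU (default: the paper's recommended 1400).
report() {
    underlay=${1:-1500}
    inner=${2:-1400}
    for stack in IPIP VTI GRE GREtap FOU GUE GENEVE VXLAN MACsec "FOU GRE"; do
        limit=$(max_inner_mtu "$underlay" "$stack")
        if mtu_fits "$inner" "$underlay" "$stack"; then verdict=ok; else verdict=FRAGMENTS; fi
        printf '%-10s overhead=%3d max_inner=%4d inner=%d %s\n' \
            "$stack" "$(stack_overhead "$stack")" "$limit" "$inner" "$verdict"
    done
}

report 1500 1400
```

Calling `report 9000 8900` shows the same check against the jumbo-frame underlay from the MTU table; any inner MTU at or below `max_inner_mtu` keeps every tunnelled packet within a single underlay frame, which is why 1400 is a safe choice for all of the listed encapsulations on classic Ethernet.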
5.3. KVM Vs Containers, Strengths and Weaknesses
6. Conclusions and Future Works
- FOU (Foo Over UDP): Efficient encapsulation of IP in UDP, reducing overhead.
- GUE (Generic UDP Encapsulation): This offers flexibility for different protocols with minimal latency.
- GRE (Generic Routing Encapsulation) and GREtap: This ensures robust tunneling of various network protocols and Ethernet frames, respectively, optimizing traffic flow.
- IPIP (IP-in-IP): This simplifies tunneling with minimal processing overhead.
- GENEVE and VXLAN: These provide scalable solutions for network virtualization, enhancing performance in Overlay Networks.
- MACsec: This secures data link layer communications, maintaining high throughput with encryption.
- OpenVPN and WireGuard: These deliver secure and efficient VPN solutions, with WireGuard specifically known for its minimal CPU usage and high performance.
- IPsec (VTI, XFRMi, Classic): This ensures secure communications with optimized encryption and tunneling techniques.
- Tinc and Nebula: These offer mesh networking solutions that scale efficiently while maintaining security.
- KVM (Kernel-based Virtual Machine): This utilizes hardware virtualization extensions (Intel VT-x and AMD-V) to ensure near-native performance for VMs.
- CPU Pinning: This allows binding of VMs to specific CPU cores, reducing context switching and optimizing performance.
- NUMA (Non-Uniform Memory Access) Awareness: Proxmox can optimize memory and CPU allocation across NUMA nodes, improving access times and overall VM performance.
- Resource Limits and Quotas: This enables setting limits and quotas for CPU usage, ensuring fair distribution of resources and preventing any single VM from monopolizing CPU resources.
- Dynamic Resource Allocation: Proxmox dynamically adjusts resources based on current workload demands, optimizing CPU and memory usage.
- CPU Hotplug: This allows one to add CPUs to running VMs without downtime, providing flexibility and scalability.
- Integration with cgroups and namespaces: This ensures fine-grained control over resource allocation and isolation in containers, optimizing CPU usage.
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
Abbreviations
AES | Advanced Encryption Standard |
AH | Authentication Header |
EAP | Extensible Authentication Protocol |
ESP | Encapsulating Security Payload |
GDPR | General Data Protection Regulation |
HW | Hardware |
IETF | Internet Engineering Task Force |
IKE | Internet Key Exchange |
IoT | Internet of Things |
IPsec | IP Security |
ISAKMP | Internet Security Association and Key Management Protocol |
MQTT | Message Queue Telemetry Transport |
NAT | Network Address Translation |
OTP | One-Time Password |
PSK | Pre-Shared Key |
PSTN | Public Switched Telephone Network |
RTT | Round Trip Time |
RW | Road Warriors |
SAD | Security Association Database |
SPD | Security Policy Database |
SSL | Secure Sockets Layer |
SW | Software |
TLS | Transport Layer Security |
UTP | Unshielded Twisted Pair |
VPN | Virtual Private Network |
References
- Troia, S.; Mazzara, M.; Moreira Zorello, L.M.; Maier, G. Performance Evaluation of Overlay Networking for delay-sensitive services in SD-WAN. In Proceedings of the 2021 IEEE International Mediterranean Conference on Communications and Networking (MeditCom), Athens, Greece, 7–10 September 2021; pp. 150–155. [Google Scholar] [CrossRef]
- Farinacci, E.A. Generic Routing Encapsulation. In Proceedings of the RFC 2784, March 2000; Network Working Group: Herndon, VA USA, 2000. [Google Scholar]
- Lammle, T. Virtual Private Networks (VPNs); Wiley: Hoboken, NJ, USA, 2020; pp. 433–450. [Google Scholar] [CrossRef]
- Zhang, L.; Wang, Y.; Liang, S.; Jin, R. Container network architecture and performance analysis of Macvlan and IPvlan. In Proceedings of the 2022 International Conference on Education Innovation and Modern Management (EIMM 2022), Sanya, China, 22–23 December 2022; Volume 166. [Google Scholar] [CrossRef]
- Mao, H.; Zhu, L.; Qin, H. A Comparative Research on SSL VPN and IPSec VPN. In Proceedings of the 2012 8th International Conference on Wireless Communications, Networking and Mobile Computing, Shanghai, China, 21–23 September 2012; pp. 1–4. [Google Scholar] [CrossRef]
- Thomson, M.; Turner, S. Using TLS to Secure QUIC. Internet-Draft draft-ietf-quic-tls-31, Internet Engineering Task Force. 2019. Available online: https://datatracker.ietf.org/ (accessed on 21 August 2024).
- Wood, C.A.; Enghardt, R.; Pauly, T.; Perkins, C.; Rose, K. A Survey of Transport Security Protocols. Internet-Draft draft-ietf-taps-transport-security-05, Internet Engineering Task Force. 2019. Available online: https://datatracker.ietf.org/ (accessed on 21 August 2024).
- Pereira, R.; Beaulieu, S. Extended Authentication Within ISAKMP/Oakley (XAUTH). Internet-Draft draft-ietf-ipsec-isakmp-xauth-06, Internet Engineering Task Force. 1999. Available online: https://datatracker.ietf.org/ (accessed on 21 August 2024).
- Smyslov, V.; Weis, B. Group Key Management using IKEv2. Internet-Draft draft-ietf-ipsecme-g-ikev2-06, Internet Engineering Task Force. 2022. Available online: https://datatracker.ietf.org/ (accessed on 21 August 2024).
- Cicirelli, F.; Gentile, A.F.; Greco, E.; Guerrieri, A.; Spezzano, G.; Vinci, A. An Energy Management System at the Edge based on Reinforcement Learning. In Proceedings of the 2020 IEEE/ACM 24th International Symposium on Distributed Simulation and Real Time Applications (DS-RT), Prague, Czech Republic, 14–16 September 2020; pp. 1–8. [Google Scholar] [CrossRef]
- Ezra, P.; Misra, S.; Agrawal, A.; Jonathan, O.; Maskeliunas, R.; Damaševičius, R. Secured Communication Using Virtual Private Network (VPN); Springer: Berlin/Heidelberg, Germany, 2022; pp. 309–319. [Google Scholar] [CrossRef]
- Ajiya, A.; Idriss, U. Performance Evaluation of IPSEC-VPN on Debian Linux Environment General Terms. Int. J. Comput. Appl. 2019, 975, 8887. [Google Scholar]
- Mahmmod, K.F.; Azeez, M.M.; Ahmed, M.A. IPsec Cryptography for Data Packets Security within VPN Tunneling Networks Communications. In Proceedings of the 2020 International Conference on Electrical Engineering and Informatics (ICELTICs), Aceh, Indonesia, 27–28 October 2020; pp. 1–8. [Google Scholar] [CrossRef]
- Wouters, P. Deprecation of IKEv1 and obsoleted algorithms. Internet-Draft draft-ietf-ipsecme-ikev1-algo-to-historic-06, Internet Engineering Task Force. 2022. Available online: https://datatracker.ietf.org/ (accessed on 21 August 2024).
- Aung, S.T.; Thein, T. Comparative Analysis of Site-to-Site Layer 2 Virtual Private Networks. In Proceedings of the 2020 IEEE Conference on Computer Applications (ICCA), Yangon, Myanmar, 27–28 February 2020; pp. 1–5. [Google Scholar] [CrossRef]
- Gont, F. Layer 3 Virtual Private Network (VPN) Tunnel Traffic Leakages in Dual-Stack Hosts/Networks. RFC 7359, 2014. Available online: https://www.rfc-editor.org/info/rfc7359 (accessed on 21 August 2024).
- Sanchez, D.; García, M.A. A Simple SCCP Tunneling Protocol (SSTP). Internet-Draft draft-sanchez-garcia-SSTP-v1r0-00, Internet Engineering Task Force. 1999. Available online: https://datatracker.ietf.org/ (accessed on 21 August 2024).
- Patel, D.B.V.; Aboba, D.B.D.; Dixon, W.; Zorn, G. Securing L2TP using IPSEC. Internet-Draft draft-ietf-pppext-l2tp-security-05, Internet Engineering Task Force. 1999. Available online: https://datatracker.ietf.org/ (accessed on 21 August 2024).
- Haga, S.; Esmaeily, A.; Kralevska, K.; Gligoroski, D. 5G Network Slice Isolation with WireGuard and Open Source MANO: A VPNaaS Proof-of-Concept. arXiv 2020, arXiv:2010.03849. [Google Scholar]
- Gamess, E. Network Performance Evaluation Between Virtual/Native Nodes Running on ARM-based SBCs Using KVM as Hypervisor. In Proceedings of the 2023 ACM Southeast Conference, ACMSE 2023, Virtual Event, 12–14 April 2023; Chang, K., Gamess, E., Shen, C., Eds.; ACM: New York, NY, USA, 2023; pp. 128–138. [Google Scholar] [CrossRef]
- Botta, A.; Canonico, R.; Navarro, A.; Stanco, G.; Ventre, G. Adaptive overlay selection at the SD-WAN edges: A reinforcement learning approach with networked agents. Comput. Netw. 2024, 243, 110310. [Google Scholar] [CrossRef]
- Godugu, K.K.; Vappangi, S. Investigations on Secrecy Performance of Downlink Overlay CR-NOMA System With SIC Imperfections. IEEE Access 2024, 12, 18051–18072. [Google Scholar] [CrossRef]
- Hema, P.P.; Babu, A.V. Physical Layer Secrecy Performance Analysis of Jamming-Assisted Overlay Cognitive NOMA Networks With Hardware Impairments and Multiple Non-Colluding Eavesdroppers. IEEE Access 2024, 12, 19459–19481. [Google Scholar] [CrossRef]
- Salatino, F.; Spina, M.G.; Tropea, M.; Rango, F.D. Detecting DDoS Attacks Through AI driven SDN Intrusion Detection System. In Proceedings of the 21st IEEE Consumer Communications & Networking Conference, CCNC 2024, Las Vegas, NV, USA, 6–9 January 2024; pp. 990–993. [Google Scholar] [CrossRef]
- Spina, M.G.; Tropea, M.; Rango, F.D. Securing MQTT-M2M Communications in a Food Retail Distribution. In Proceedings of the 21st IEEE Consumer Communications & Networking Conference, CCNC 2024, Las Vegas, NV, USA, 6–9 January 2024; pp. 554–557. [Google Scholar] [CrossRef]
- Schwarzmann, S.; Civelek, T.E.; Iera, A.; Corujo, D.; Karetsos, G.T.; Guerzoni, R.; Abboud, O.; Valenzuela, A.M.; Trivisonno, R.; Spina, M.G.; et al. Native Support of AI Applications in 6G Mobile Networks Via an Intelligent User Plane. In Proceedings of the IEEE Wireless Communications and Networking Conference, WCNC 2024, Dubai, United Arab Emirates, 21–24 April 2024; pp. 1–6. [Google Scholar] [CrossRef]
- Tropea, M.; Spina, M.G.; Rango, F.D. SDN-driven Dynamic Deployment of IDS with Load Balancing for Drones in Emergency Scenarios. In Proceedings of the International Conference on Information and Communication Technologies for Disaster Management, ICT-DM 2023, Cosenza, Italy, 13–15 September 2023; pp. 1–6. [Google Scholar] [CrossRef]
- LibreSwan. Available online: https://LibreSwan.org/ (accessed on 20 June 2022).
- StrongSwan. Available online: https://www.StrongSwan.org/ (accessed on 20 June 2022).
- OpenWrt. Available online: https://OpenWrt.org/ (accessed on 20 June 2022).
- Mazon-Olivo, B.; Pan, A. Internet of Things: State-of-the-art, Computing Paradigms and Reference Architectures. IEEE Lat. Am. Trans. 2022, 20, 49–63. [Google Scholar] [CrossRef]
- Kubernetes. Available online: https://kubernetes.io/it/docs/concepts/overview/what-is-kubernetes/ (accessed on 20 June 2022).
- Gentile, A.F.; Macrì, D.; Rango, F.D.; Tropea, M.; Greco, E. A VPN Performances Analysis of Constrained Hardware Open Source Infrastructure Deploy in IoT Environment. Future Internet 2022, 14, 264. [Google Scholar] [CrossRef]
Feature | LibreSwan |
---|---|
Pre-shared key authentication | Yes |
Public-key authentication | Yes |
IKEv1 key exchange | Yes |
IKEv2 key exchange | Yes |
AH support | Yes |
NSS compatibility | Yes |
DnsSec/XAUTH | Yes |
Network Manager compatibility | Yes |
VIP (Virtual IP Pools) | Yes |
NAT Traversal | Yes |
MOBIKE | Yes |
Route-based VPN | Yes |
Policy-based VPN | Yes |
Native {Policy/Route}–based VPN | Yes |
HA (High Availability) | Yes |
Legacy cipher suites backwards compatibility | No |
Overlay Network Managed | Overlay Deploy | Overlay Implemented | Operative Systems | Platforms |
---|---|---|---|---|
IPsec LibreSwan 4.15 | Site to Site | IKEv2 PSK TUNNEL IKEv2 PSK TRANSPORT | Linux DEBIAN 12 WINDOWS 10/11 (client) DEBIAN 11/12 (client) ANDROID 11 (client) iOS 16 (client) MAC OS X 14 (client) RASPBERRY Pi 2/3/4 OpenWrt 23.x | armv7 x86 x86-64 ARM64 ARM MIPSBE MMIPS SMIPS PPC |
IPsec LibreSwan 4.15 | Site to Site | IKEv2 XFRMi/VTI ROUTE BASED | Same as above | Same as above |
FOU | Site to Site | | Same as above | armv7 x86 x86-64 |
GUE | Site to Site | | Same as above | armv7 x86 x86-64 |
GRE | Site to Site | | Same as above | armv7 x86 x86-64 |
GRETAP | Site to Site | | Same as above | armv7 x86 x86-64 |
IPIP | Site to Site | | Same as above | armv7 x86 x86-64 |
GENEVE | Site to Site | | Same as above | armv7 x86 x86-64 |
VXLAN | Site to Site | | Same as above | armv7 x86 x86-64 |
MACSEC | Site to Site | | Same as above | armv7 x86 x86-64 |
Nebula Overlay VPN 1.6.1 | Site to Site, Host to Host | | Same as above | armv7 x86 x86-64 ARM64 ARM MIPSBE MMIPS SMIPS PPC |
Hardware | Quantity |
---|---|
Workstation with 12th Gen Intel(R) Core(TM) i7-1280P-2.00 GHz, 32GB RAM | 1 |
VMWare VM Debian 12 x86-64 virtualized | 2 |
VMWare VM Alpine Linux Latest x86-64 virtualized | 1 |
VMWare VM OpenWrt 23.x x86-64 virtualized | 1 |
MTU Type | MTU Size (bytes) |
---|---|
IP over SONET | 4470 |
Ethernet Jumbo Frames | 9000 |
IP over ATM Ethernet Jumbo Frames | 9180 |
Classic Ethernet | 1500 |
Tunneling Protocol | Header Type | Header Size (bytes) | Max Header Size (bytes) |
---|---|---|---|
IPIP | IP | 20 | 20 |
VTI | IP + VTI | 20 + 4 | 24 |
GRE | GRE | 4 + [0…34] | 38 |
GREtap | Ethernet Frame + GRE | 14 + 4 | 18 |
FOU | UDP + IP | 8 + 20 | 28 |
GUE | UDP + GRE | 8 + 4 + [0…34] | 46 |
GENEVE | UDP + IP + GENEVE | 8 + 20 + 10 | 38 |
VXLAN | UDP + IP + VXLAN | 8 + 20 + 8 + [0…16] | 52 |
MACVLAN | Ethernet Frame + MACVLAN | 14 + 4 | 18 |
MACsec | Ethernet Frame + MACsec | 14 + [8…30] | 44 |
KVM vs. Docker Strengths and Weaknesses
KVM Strengths | KVM Weaknesses | Docker Strengths | Docker Weaknesses |
---|---|---|---|
Isolation and Security | Higher Overhead | Resource Efficiency | Limited Isolation |
Full Operating System Support | Startup Speed | Startup Speed | Host Kernel Dependency |
Resource Flexibility | Resource Management | Portability | Security Management |
Compatibility and Stability | | | Process-level Isolation |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Gentile, A.F.; Macrì, D.; Greco, E.; Fazio, P. IoT IP Overlay Network Security Performance Analysis with Open Source Infrastructure Deployment. J. Cybersecur. Priv. 2024, 4, 629-649. https://doi.org/10.3390/jcp4030030