
International Journal of Computer Networking, Wireless and Mobile Communications (IJCNWMC), ISSN 2250-1568, Vol. 3, Issue 4, Oct 2013, 17-26. TJPRC Pvt. Ltd.

TRAFFIC ENGINEERING BASED VPN SECURITY IN WIRELESS MESH NETWORK


NARENDER SINGH & KRISHAN KUMAR, Department of Computer Science and Engineering, SBSCTC, Firozpur, Punjab, India

ABSTRACT
A wireless mesh network (WMN) is a broad network of heterogeneous structure: different types of clients are connected through mesh routers and gateways. Because of its wide area, heterogeneous nature and auto-configuration, a WMN is exposed to vulnerabilities at every layer. Many security solutions have been deployed in telecommunication networks, but each of them remains vulnerable to some class of threat. This paper reviews the virtual private network (VPN), its defending mechanism against attacks and its impact on performance. The different types of VPN are described, together with their effect on the functioning of the network.

KEYWORDS: WMN, MPLS, VPN, BGP, VRF, IPSec

INTRODUCTION


A wireless mesh network (WMN) is a wide, multi-hop, auto-configurable network built from heterogeneous components: mesh clients, mesh routers and mesh gateways. Clients are connected over wireless media, routers connect clients to one another, and routers reach the outside world through a backbone that ends at the gateways. A WMN can be built from many kinds of wireless media, from short-range Wi-Fi to long-range, high-capacity WiMAX. It is heterogeneous in that the destination host may be of a different type than the source node, and the WMN has to maintain compatibility between them. Because of this heterogeneity, security lapses are more severe in a WMN than in a homogeneous network. Many attacks affect the data and the operation of the network [1]: false authentication at the application layer; traffic analysis and snooping at the transport layer; black hole and wormhole attacks at the network layer; packet flooding at the data link layer; and signal jamming, collisions and battery exhaustion at the physical layer. These attacks may alter data contents, which compromises the integrity of sensitive data, or they may delay or deny real-time data, which makes the data useless. Their effects are delay, bandwidth consumption, denial of data processing and corruption of data. Many solutions exist for mobile ad hoc networks (MANETs), but they cannot be applied directly to a WMN: as described above, a WMN is a wide and heterogeneous network, and it is not practical to add every MANET security mechanism to such a network [2]. Over time, many security mechanisms have been developed specifically for WMNs, and they provide security to some extent at each layer. Two of them are the subject of this paper. Multiprotocol Label Switching (MPLS) helps to restore a path or route when a node fails due to an attack.
A virtual private network (VPN) is a mechanism in which secure tunnels are created between nodes to provide secure communication.

Figure 1: High Speed Wireless Mesh Network with Heterogeneous Nodes and Mesh Router & Gateway

Used together with MPLS, a VPN provides more secure communication and also quality of service (QoS). A VPN over the Internet Protocol (IP) also helps to protect the integrity of data. Access control mechanisms such as authentication, authorization and accounting (AAA) are used to provide secure communication over the network. These security mechanisms are deployed according to the transmission media, provide adequate security and make the WMN a safe network for data transmission [2,3].

SECURITY REQUIREMENTS OF WMN


Availability- Availability is the main security requirement of communication: data must be available to the receiver, and on time. Availability of data is tied to its integrity and confidentiality. This requirement is challenged mainly by denial-of-service (DoS) attacks, in which any node in the network can be the target, and by selfish nodes that make some network services unavailable. Availability is therefore the primary requirement [5].

Confidentiality- Data should be confidential and should be received and seen only by the intended receiver. Confidentiality is a major concern because some data is very sensitive and time-constrained and must remain confidential inside the WMN. As a WMN is an open, multi-hop network, it is exposed to threats such as eavesdropping. Link-level protection between mesh clients (MCs) and mesh routers (MRs) prevents eavesdropping on the access link, but it does not give confidentiality between MRs or between an MR and a mesh gateway (MG). For sensitive information, confidentiality must therefore be achieved across the whole path [6,5,8].

Integrity- The integrity principle ensures that the data received is correct: either all data arrives intact, or any change made by an intruder is detected. Integrity can be violated by an intruder who modifies data in transit, or by a transmission error such as a collision [5,8].

Routing Security- A WMN is an open, multi-hop network, and the routers are its least secure part, because a WMN provides no protection at the routers. An intruder can extract valuable information such as sensitive data and routing table contents, then alter routing table entries and redirect traffic flows, interrupting the smooth flow of information. Unsecured routers enable attacks such as DoS and eavesdropping, which cause availability and integrity lapses.

Privacy- Privacy guarantees that data is accessible only to the intended sender and receiver and that no one else can access private information. In a WMN, privacy is at issue because the network is vast and has many points at which traffic can be observed. A bank transaction, for example, contains information that is private to the bank's customer, so privacy must be maintained against unauthorized recipients. Privacy can be provided by encryption techniques and by transport-layer security such as SSL [2].

Access Control- A WMN inherits access control mechanisms from older wireless networks such as IEEE 802.11 and ad hoc networks. The problem is that a WMN is a multi-hop network, which makes it difficult to apply secure access control uniformly over different transmission media. A mechanism such as AAA (Authentication, Authorization, Accounting) can nevertheless be implemented in a WMN. In the AAA mechanism, a central server provides a secure means for parties to communicate: it prevents an unauthorized node from accessing the data of a trusted node and manages the secure means of communication between trusted nodes [2,8].

Authentication- Authentication guarantees that the sender or receiver is the party it claims to be. It prevents an unauthorized person from using information that is not meant for them. A WMN requires that sender and receiver authenticate each other, because an unauthorized party can present itself as legitimate through a forgery attack. Security of sensitive data is the main issue in a WMN, as there are many points inside the mesh at which an attacker can insert itself.

Non-Repudiation- Non-repudiation guarantees that neither the sender nor the receiver can deny an action it has committed. A WMN has many users performing transactions; if one user behaves abnormally, that user can be held responsible for the behaviour.

Fairness- Fairness ensures that bandwidth is shared fairly among multiple nodes. There are multiple kinds of links, MR to MR, MR to MG and MR to MC and vice versa, on which different strategies are applied to provide fair bandwidth. Some threats can prevent nodes from making proper use of the channel bandwidth [6].

VIRTUAL PRIVATE NETWORK (VPN)


A VPN is a security mechanism used to transfer data securely between user sites anywhere in the world. Tunnels are created for secure data transfer: a virtual connection is made between the tunnel endpoints and used to carry the data of multiple users over different virtual lines. Before data is sent over a public network it is encapsulated (wrapped) in new packets, which are encrypted with an encryption algorithm; at the other endpoint the packets are decapsulated and delivered to the intended receiver [7]. Encapsulation is done by protocols such as IPsec, L2TP and PPTP (PPTP's authentication has known weaknesses and should not be used for new deployments). A VPN uses encryption to provide data confidentiality. Once the connection between the two endpoints has been established, the VPN uses the tunneling mechanism to encapsulate the encrypted data in a tunnel whose outer headers are readable, so that the packets can cross a public network. Packets passed over the public network are unreadable without the proper decryption keys [7,8]. Note that encryption alone does not prevent modification in transit; detecting changes requires an integrity check such as the IPsec integrity check value (ICV) described later. A VPN does not provide QoS on its own, and its security depends on the protocols it is combined with; technologies such as MPLS and IPsec are used together with the VPN, and together they provide QoS with secure data transfer in a WMN.

VPN Architecture

A VPN provides secure data communication between user networks or sites. It consists of clients and gateways, which transfer data, create tunnels and encapsulate data. A VPN has two types of gateway or router: the provider edge (PE) and the customer edge (CE). In a customer-provisioned VPN, the CE router encapsulates and decapsulates data and creates the tunnels, and the VPN devices are implemented at the CE; the PE routes the VPN traffic across the provider network [9]. In the provider-provisioned MPLS VPNs described later, this role moves to the PE.

Figure 2: Hierarchical VPN Architecture

Gateway-to-Gateway (G-G)
Gateway-to-gateway VPNs provide secure communication between two autonomous networks, which may be local or remote. The VPN is deployed by establishing a VPN connection between the two endpoint gateways, each connected directly to its network, and traffic moves through the tunnel established between them. The gateway performs the VPN functions, such as adding the tunnel header, and may also act as a normal router that forwards traffic or as a firewall. After the VPN tunnel has been created between the gateways, routing protocols are used to create and distribute routing information [2,10,18].

Host-to-Gateway (H-G)
This is a common model in which a host or client inside a network establishes a VPN connection to the gateway that is dedicated to the network and connects it to the Internet or outside world. The host may also be a router within a private network that establishes a VPN tunnel with the gateway; this secures the communication within the network. There may be other VPNs between gateways, implemented and maintained by the service providers and distinguished by their VPN IDs. A large network may have multiple VPNs providing secure communication between clients [2,10,18].

Host-to-Host (H-H)
This is the least common model: a VPN connection is created directly between clients within a network, and each client acts as a VPN endpoint. Direct client-to-client VPNs provide secure communication between the clients. A VPN tunnel may also be created between a server and a host; the organization configures the server with VPN services. This model protects the data throughout its transmission. Its drawback is that network security mechanisms such as network-based firewalls, intrusion detection systems and similar devices cannot inspect the traffic, so they cannot add a further layer of security [2,10].

MPLS
MPLS with traffic engineering (MPLS-TE) moves traffic across the network faster than traditional IP routing. MPLS operates between the data link and network layers (it is often described as "layer 2.5") and supports traffic engineering (TE) by label switching. An MPLS label is attached to each packet at the label switching routers (LSRs), and forwarding on the label is quicker than traditional IP forwarding, which is more prone to packet drop and delay [2,3]. At the edge of the network, label edge routers (LERs) push labels onto packets and pop them off again. MPLS-TE helps to solve congestion: when one path is congested it routes packets over a less congested path [2,3]. According to [3,11,12,2], the label encapsulation used by MPLS helps to defeat a number of active attacks in a WMN: DNS spoofing is discouraged by the labelling technique, signal jamming and message distortion are mitigated by the encapsulation of packets with a label, and data integrity remains consistent because the label is removed only at an MPLS-enabled edge router. One caveat applies to all of these claims: MPLS labels carry no cryptographic protection, so the isolation they give depends on the provider core being trusted and on customers not being able to inject labelled packets, which is why MPLS VPN is later combined with IPsec. MPLS-TE provides protection against DDoS attacks such as flooding: during a flooding attack it reroutes packets onto a new, less congested path, and it sets up the new tunnel automatically when flooding makes the network less available on some routes [3]. The WMN backbone resources become less available during a flooding attack [3]. MPLS uses several label distribution protocols: the Label Distribution Protocol (LDP), the Border Gateway Protocol (BGP) and the Resource Reservation Protocol (RSVP-TE) [2].

VPN in Conjunction with MPLS


MPLS-VPN
MPLS-VPN is an advancement of the existing VPN that combines MPLS packet forwarding with the traditional VPN. MPLS helps to provide security against threats such as denial of service (DoS) and data breaches and gives fast recovery from flooding attacks [3,13]. It provides multi-path routing using a layer-2 style switching technique, inserting a label between the layer-2 header and the IP header to route the packets. In a WMN the demand varies over time, so routes may become congested; real-time applications need fast delivery without delay, and MPLS fulfils this requirement [2,3]. In MPLS-VPN, VPN data is transferred over an MPLS-enabled backbone that consists mainly of provider (P) routers and provider edge (PE) routers. Each packet passing through the MPLS-VPN network carries two labels: an outer label that identifies the LSP to the egress PE, and an inner label that identifies the VPN (the VRF at the egress PE). The egress PE peels the inner label off the packet, and the original packet is sent to the corresponding customer network based on its routing header. An MPLS-VPN may be tunnel-based or network-based. Network-based MPLS-VPNs are characterized by the OSI layer at which they operate, mainly layer 2 and layer 3.

Layer-2 MPLS-VPN (L2VPN)
MPLS-VPN works at multiple layers. In a Layer-2 MPLS-VPN the data link layer is used: data is carried through tunnels transported by MPLS. The layer-2 VPN does not depend on layer 3, so any kind of layer-2 frame, such as ATM, SONET or Ethernet, can be transported over MPLS; it is not restricted to one technology. It uses the same infrastructure as a layer-3 MPLS-VPN. A Layer-2 MPLS-VPN is made up of customer edge (CE), provider edge (PE) and provider (P) devices.

Customer Edge Device (CE): A CE is placed at a customer site and has one or more interfaces connected directly to the provider network. It can be a router, a switch or a host. It is unaware of the existence of any VPN and does not need to support MPLS.

Provider Edge Router (PE): A PE is deployed in the service provider network and connects one or more CEs to the network. In an MPLS network, all VPN processing occurs on the PEs.

Provider (P) Router: A P router is a backbone or core router in the service provider network. It is not connected directly to any CE; CEs reach the P routers through the PE routers. It only needs basic MPLS forwarding capability, and no VPN processing is done on it. MPLS L2VPN uses label stacks to transmit user packets transparently across the MPLS network.

The outer label, also called the tunnel label, is used to transfer packets from one PE to another. The inner label, also called the VC label, identifies the individual connection (virtual circuit) within the VPN. On receiving a packet, the egress PE determines from the VC label to which CE the packet is to be forwarded [2, 17].

Figure 3: MPLS VPN Enabled Network of Layer-2 Type

Layer-2 VPN Types
The IETF L2VPN working group lists the following layer-2 services [16]:
Virtual Private LAN Service (VPLS): a layer-2 service that emulates a switched Ethernet (V)LAN across a packet switched network (PSN).
Virtual Private Wire Service (VPWS): a layer-2 service that provides point-to-point connectivity for a variety of link layers, including Frame Relay, ATM and Ethernet, across a PSN.
Virtual Private Multicast Service (VPMS): a layer-2 service that provides point-to-multipoint connectivity for a variety of link layers across a PSN.
IP-only L2VPN: an IP-only service over a PSN, of two specific types: a point-to-point layer-2 VPN, similar to VPWS but also supporting heterogeneous attachment circuits at the two ends of a single point-to-point service; and a multipoint-to-multipoint layer-2 VPN, similar to VPLS but learning IP and MAC address bindings from ARP and broadcast/multicast IP packets.
Ethernet VPN (E-VPN): an enhanced layer-2 service that emulates an Ethernet VLAN across a PSN. E-VPN supports load sharing across multiple connections from a layer-2 site to the L2VPN service and is primarily targeted at large-scale L2VPNs with resiliency requirements that other L2VPN solutions do not satisfy.
E-Tree: a layer-2 service that provides connectivity between one or more root nodes and one or more leaf nodes, with the constraint that leaf nodes may communicate only with root nodes and not with each other.

Implementation of L2VPN
Reference [17] states that there was no single official standard for MPLS L2VPN; the Provider-Provisioned VPN (PPVPN) working group of the IETF drafted several framework protocols, two of the most important being the Martini draft (draft-martini-l2circuit-trans-mpls) and the Kompella draft (draft-kompella-ppvpn-l2vpn). Both approaches have since been published as RFCs: LDP-signalled pseudowires in RFC 4447, VPLS in RFC 4761 (BGP) and RFC 4762 (LDP), and BGP-signalled L2VPN in RFC 6624.

The Martini draft defines a method for establishing point-to-point pseudowires to implement MPLS L2VPN for service providers in a WMN. It uses the Label Distribution Protocol (LDP) as the signalling protocol to exchange VC labels between PE routers. The Kompella draft defines a CE-to-CE mode for implementing MPLS L2VPN on the MPLS network in a WMN. It uses extended BGP (interior BGP with multiprotocol extensions) as the signalling protocol to advertise layer-2 reachability information and VC labels [17].

Layer-3 MPLS-VPN
An MPLS-VPN at the network layer is based on IP: VPN data is forwarded according to network layer addresses. The most important implementation of MPLS-VPN is the BGP/MPLS IP VPN, which uses multiprotocol BGP (MP-BGP) and is described by Cisco and Juniper. BGP is used as the route distribution protocol: it distributes VPN routes among the service provider's PE routers and between autonomous systems as VPN-IPv4 network layer reachability information (NLRI). The MPLS-enabled VPN network is made of the three types of routers described above for the layer-2 MPLS-VPN. The P router is the core router; it is not VPN-aware and interconnects the PE routers of the MPLS VPN-enabled core. PE routers are MPLS VPN-enabled routers that connect to CE routers. There can be multiple VPNs within a network, each distinguished from the others by a VPN identifier; in BGP/MPLS VPNs this is the route distinguisher (RD) prepended to each IPv4 prefix to form a VPN-IPv4 address, which lets different customers use overlapping private address space without their traffic being confused. Each layer-3 MPLS-VPN has a VPN routing and forwarding table (VRF). A VRF records the membership of a customer site in a VPN, and the PE router maintains a separate VRF for each attached site. The VRF prevents the routes of one VPN from interfering with those of another [2, 13].

Figure 4: Layer-3 MPLS-VPN with Two VPN and their VRF Table

OPERATIONAL MODEL
MPLS-VPN has the following fundamental operations to create a VPN-enabled network:

A Control Flow for Route Distribution- Route distribution is done by BGP. When a customer site sends data to a remote host, the CE sends it through its routing table to the PE router; using the VRF for that site, the PE sends it across the MPLS-enabled network to the PE at the other site, which delivers it to the host via its own VRF.

Creation of Label Switched Paths (LSPs)- A control flow is responsible for establishing LSPs among the PE routers across the provider backbone. LSPs are used to forward MPLS traffic over the mesh network. They are established and maintained by the Label Distribution Protocol (LDP) or the Resource Reservation Protocol (RSVP-TE).

Data Flow to Forward Data Traffic- Data traffic is forwarded through LSPs over the provider network. When a host sends data to a host at another site, the customer's data is received by the CE router, which looks up its routing table and sends the packet to the corresponding PE router. For each VPN route, the ingress PE maintains a forwarding entry that holds: the VPN label that was advertised by the egress PE; the BGP next hop for the route (the loopback address of the egress PE); the outgoing sub-interface of the LSP towards the egress PE; and the initial MPLS label for the LSP from the ingress PE to the egress PE [2,22].

MPLS-VPN-IPSEC
In a traditional MPLS-VPN, data is simply routed at the network layer by plain IP, and VPN routes are distributed by BGP; the customer's packets are not encrypted. Additional security can be added using IPsec, in which the MPLS-VPN data is transferred over a secure IPsec connection. The IPsec connection is first created between the two endpoints; data with the added features of MPLS-VPN is then transferred until the connection is torn down by one of the endpoints. IPsec provides security through authentication, authorization, privacy and data protection between clients in a WMN [2,3,13].
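To make the two-label stack (outer tunnel label, inner VPN or VC label) and the VRF and route distinguisher discussion above concrete, the following Python is an added example written for this review; it is not code from the paper, from RFC 2547bis or from any router vendor. The label-entry encoding follows RFC 3032 (20-bit label, 3-bit TC, 1-bit bottom-of-stack, 8-bit TTL); every VRF name, RD, prefix, label value and interface name is a constructed assumption, and the P router is reduced to a single penultimate-hop pop.

```python
"""Toy model of BGP/MPLS L3VPN forwarding: label stack entries (RFC 3032),
per-site VRFs with overlapping customer prefixes, and the ingress PE /
P router / egress PE steps.  Added example; all tables are constructed."""
import ipaddress
import struct

# Label stack entry: 20-bit label | 3-bit TC | 1-bit S (bottom of stack) | 8-bit TTL
def build_label_stack(labels):
    """labels: list of (label, ttl), outermost first; the last entry gets S=1."""
    out = b""
    for i, (label, ttl) in enumerate(labels):
        if not 0 <= label < (1 << 20):
            raise ValueError("label out of range")
        bos = 1 if i == len(labels) - 1 else 0
        out += struct.pack("!I", (label << 12) | (bos << 8) | (ttl & 0xFF))
    return out

def parse_label_stack(data):
    """Return ([(label, tc, bos, ttl), ...], payload); stops at the S=1 entry."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack("!I", data[off:off + 4])
        entries.append((word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF))
        off += 4
        if entries[-1][2]:
            return entries, data[off:]

# Constructed provider state (assumptions, not from the paper).  Customers A and B
# both use 10.1.0.0/16; the route distinguisher keeps their VPN-IPv4 routes apart
# in MP-BGP even though the plain IPv4 prefixes collide.
VRFS = {
    "VRF_A": {"rd": "65000:1", "routes": {ipaddress.ip_network("10.1.0.0/16"): ("PE2", 2001)}},
    "VRF_B": {"rd": "65000:2", "routes": {ipaddress.ip_network("10.1.0.0/16"): ("PE2", 2002)}},
}
ATTACHMENT_CIRCUITS = {"ce-a1": "VRF_A", "ce-b1": "VRF_B"}   # ingress PE1 interface -> VRF
TRANSPORT_LABELS = {"PE2": 300}                              # LDP label for the LSP to PE2
EGRESS_VPN_LABELS = {2001: "VRF_A", 2002: "VRF_B"}           # labels PE2 advertised in MP-BGP

def vpnv4_nlri(vrf_name, prefix):
    """VPN-IPv4 NLRI as carried by MP-BGP: RD:prefix (the attached label is omitted)."""
    return f"{VRFS[vrf_name]['rd']}:{prefix}"

def ingress_pe_forward(iface, dst_ip, payload):
    """PE1: choose the VRF from the attachment circuit, longest-prefix match, push two labels."""
    vrf = ATTACHMENT_CIRCUITS[iface]
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, (egress_pe, vpn_label) in VRFS[vrf]["routes"].items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress_pe, vpn_label)
    if best is None:
        raise LookupError(f"no route to {dst_ip} in {vrf}")
    _, egress_pe, vpn_label = best
    # outer = transport (tunnel) label towards the egress PE, inner = VPN label
    return build_label_stack([(TRANSPORT_LABELS[egress_pe], 255), (vpn_label, 255)]) + payload

def p_router_forward(packet):
    """Core P router: acts only on the outer label (penultimate-hop pop here); never reads the VPN label."""
    entries, payload = parse_label_stack(packet)
    inner = entries[1:]
    if not inner:
        raise ValueError("no VPN label under the transport label")
    return build_label_stack([(lbl, ttl - 1) for (lbl, _, _, ttl) in inner]) + payload

def egress_pe_forward(packet):
    """PE2: the remaining bottom-of-stack label selects the VRF, i.e. the customer, for delivery."""
    entries, payload = parse_label_stack(packet)
    if len(entries) != 1:
        raise ValueError("expected exactly the VPN label at the egress PE")
    vrf = EGRESS_VPN_LABELS.get(entries[0][0])
    if vrf is None:
        raise LookupError("unknown VPN label: drop, never forward into a guessed VRF")
    return vrf, payload

def deliver(iface, dst_ip, payload):
    """Full path PE1 -> P -> PE2 for a packet arriving on one attachment circuit."""
    return egress_pe_forward(p_router_forward(ingress_pe_forward(iface, dst_ip, payload)))

if __name__ == "__main__":
    # Same destination address, two different customers: the label stack keeps them apart.
    for iface in ("ce-a1", "ce-b1"):
        vrf, data = deliver(iface, "10.1.5.5", b"hello")
        print(iface, "->", vrf, data, vpnv4_nlri(vrf, "10.1.0.0/16"))
```

The point to notice is where isolation comes from: the P router never consults the VPN label, the egress PE trusts the VPN label to pick a VRF, and an unknown label is dropped rather than mapped to a default table. Nothing in this path is cryptographic, which is why the VPN label must only ever be learned from the provider's own MP-BGP sessions and why customer-facing interfaces must not accept labelled packets.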

Figure 5: MPLS-VPN-IPSEC Security Mechanism

IPsec operates at the network layer, directly above IP, and protects both IPv4 and IPv6; KAME is one well-known implementation. MPLS-VPN-IPSEC thus provides quality of service (QoS) together with security services such as authentication and authorization [18]. IPsec has two sub-protocols.

Encapsulating Security Payload (ESP) provides data origin authentication, data integrity and confidentiality. ESP can also be used for a single service, integrity-only or encryption-only, but encryption without an integrity check is not secure: an active attacker can modify ciphertext undetected, so both services should be enabled together, or an authenticated encryption mode such as AES-GCM used.

Authentication Header (AH) provides connectionless integrity and data origin authentication of IP packets. It also protects against replay attacks using a sliding window, discarding packets that are older than the window or that have already been seen [13]. AH operates directly above IP, using IP protocol number 51 [19,20]; it provides integrity and data origin authentication but no confidentiality, and because its integrity check also covers the IP header it cannot pass through NAT [21]. Confidentiality and limited traffic-flow confidentiality are services of ESP, which uses IP protocol number 50.

IPsec can be applied in two modes. In transport mode only the payload of the IP packet is protected and the original IP header is sent in the clear, so the endpoints' addresses are exposed; this mode suits host-to-host protection and is less secure for a VPN. In tunnel mode the entire original IP packet is encapsulated in a new IP packet whose header carries the gateway addresses, and the protected data travels through a VPN tunnel between the endpoints. Tunnel mode therefore provides more protection than transport mode and is the mode used for gateway-to-gateway VPNs. MPLS is used together with VPN-IPsec to speed up the forwarding of the data. This combination provides protection against the most common attack, DDoS, but it is still not fully secure. Weak encryption algorithms can allow the protection to be broken by an attacker who decrypts the traffic, so obsolete ciphers and hash functions such as DES and MD5 should be avoided. Key distribution is also a problem: if a key is disclosed to an intruder, it becomes easy for the attacker to breach the security, so keys should be negotiated with IKE and rotated rather than configured by hand and left in place. The security framework depends on confidentiality, integrity and availability of data. The VPN provides confidentiality and integrity, but it does not provide availability, because it adds more components and services to the WMN infrastructure [2,3,11].
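The integrity check value and the sliding anti-replay window described for AH above, as an added example written for this review; it is not code from the paper or from any IPsec implementation. The packet layout (sequence number, length, payload, 16-byte truncated HMAC), the key and the sample traffic are constructed assumptions chosen to keep the example self-contained; the real AH header format is defined in RFC 4302, but the order of checks (window first, then ICV, then window update) follows that document.

```python
"""Simplified AH-style receiver: integrity check value (HMAC) plus the RFC 4302
sliding anti-replay window.  Added example with a made-up packet layout
(seq | len | payload | 16-byte ICV); it is not the real AH wire format."""
import hashlib
import hmac
import struct

ICV_LEN = 16          # truncated HMAC-SHA-256, as AH truncates its ICV
WINDOW = 64           # RFC 4302 minimum anti-replay window size

def _icv(key, seq, payload):
    # The sequence number is covered by the MAC so it cannot be rewritten.
    return hmac.new(key, struct.pack("!I", seq) + payload, hashlib.sha256).digest()[:ICV_LEN]

def build_packet(key, seq, payload):
    """Sender side: seq is monotonic per SA and starts at 1 (0 is never transmitted)."""
    if seq == 0:
        raise ValueError("sequence number 0 is reserved")
    return struct.pack("!IH", seq, len(payload)) + payload + _icv(key, seq, payload)

class AntiReplayReceiver:
    def __init__(self, key, window=WINDOW):
        self.key = key
        self.window = window
        self.highest = 0     # right edge of the window (highest seq accepted so far)
        self.bitmap = 0      # bit i set <=> seq (highest - i) has already been accepted

    def receive(self, packet):
        """Return ('accept', payload) or ('reject', reason); the window moves only on acceptance."""
        if len(packet) < 6 + ICV_LEN:
            return "reject", "truncated"
        seq, length = struct.unpack("!IH", packet[:6])
        payload, icv = packet[6:6 + length], packet[6 + length:6 + length + ICV_LEN]
        if len(payload) != length or len(icv) != ICV_LEN:
            return "reject", "malformed"
        if seq == 0:
            return "reject", "seq 0"
        # 1. Cheap window check first: drop duplicates and stale packets
        #    before spending a MAC verification on them.
        if seq <= self.highest:
            diff = self.highest - seq
            if diff >= self.window:
                return "reject", "too old"
            if (self.bitmap >> diff) & 1:
                return "reject", "replay"
        # 2. Verify the ICV in constant time; a forged packet must not move the window.
        if not hmac.compare_digest(_icv(self.key, seq, payload), icv):
            return "reject", "bad icv"
        # 3. Only now update the window.
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "accept", payload

def demo():
    """Constructed traffic: in-order packets, a replay, a forgery, a jump and a stale packet."""
    key = b"constructed-shared-key-for-demo"
    rx = AntiReplayReceiver(key)
    p1, p2, p3 = (build_packet(key, s, b"data%d" % s) for s in (1, 2, 3))
    results = [rx.receive(p)[0] for p in (p1, p2, p3)]
    results.append(rx.receive(p2)[1])                                  # replay of seq 2
    forged = struct.pack("!IH", 4, 5) + b"EVIL5" + p3[-ICV_LEN:]        # new seq, old ICV
    results.append(rx.receive(forged)[1])                              # window stays at 3
    results.append(rx.receive(build_packet(key, 70, b"jump"))[0])      # window slides to 70
    results.append(rx.receive(build_packet(key, 3, b"late"))[1])       # 70-3 >= 64: too old
    results.append(rx.receive(build_packet(key, 60, b"ok"))[0])        # inside window, unseen
    return results

if __name__ == "__main__":
    print(demo())
```

Two details matter in practice. The forged packet carries a sequence number the receiver has not seen, so it passes the window test and is only caught by the ICV; because the window is updated after the ICV check, the attacker cannot use unauthenticated packets to advance the window and starve legitimate traffic. The same discipline applies to ESP, where the replay check must run before decryption and the integrity check before the window update.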

CONCLUSIONS
A wireless mesh network is a vast, multi-hop combination of heterogeneous networks. Because of these features it is more exposed to attacks. A VPN is a security mechanism that copes with such threats. A WMN also supports many real-time applications, such as video conferencing and real-time data transfer. Traditional VPNs have been deployed, but they have their shortcomings: a traditional VPN adds delay, which makes it insufficient for real-time data transmission. A traffic engineering approach, MPLS, is therefore employed together with the VPN, which gives faster data transfer while keeping the VPN's security features. The MPLS approach combined with VPN thus improves the overall performance of the mesh network.

ACKNOWLEDGEMENTS
The authors are grateful to Saheed Bhagat Singh State Technical Campus, Punjab (India) for providing continuous support throughout the research work.

REFERENCES
1. I. F. Akyildiz, X. Wang, W. Wang, "Wireless mesh networks: a survey," Computer Networks, vol. 47, no. 4, pp. 445-487, 2005.
2. K. Vats, N. Singh, Jasvinder, L. Jaiswal, "Different security mechanisms for different types of security lapses in wireless mesh network: a review," IJCSE, 2012, ISSN 0976-5166.
3. O. E. Muogilim, K.-K. Loo, R. Comley, "Wireless mesh network security: a traffic engineering management approach," Journal of Network and Computer Applications, vol. 34, pp. 478-491, 2011.
4. A. Egners, "Evaluating IEEE 802.11s against security requirements of wireless mesh networks," UMIC Research Center, RWTH Aachen University.
5. H. Redwan, K. Kim, "Survey of security requirements, attacks and network integration in wireless mesh networks," Japan-China Joint Workshop on Frontier of Computer Science and Technology, 2008.
6. M. S. Siddiqui, C. S. Hong, "Security issues in wireless mesh networks," International Conference on Multimedia and Ubiquitous Engineering (MUE'07), 2007.
7. "VPN Security," available at: www.infosec.gov.hk/english/technical/files/vpn.pdf.
8. M. Rossberg, G. Schaefer, "A survey on automatic configuration of virtual private networks," Computer Networks, vol. 55, pp. 1684-1699, 2011.
9. W. Yu, J. Wang, "Scalable network resource management for large scale virtual private networks," Simulation Modelling Practice and Theory, vol. 12, pp. 263-285, 2004.
10. NIST Special Publication 800-77, "Guide to IPsec VPNs: Recommendations of the National Institute of Standards and Technology," available at: csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf.
11. D. Grayson, D. Guernsey, J. Butts, M. Spainhower, S. Shenoi, "Analysis of security threats to MPLS virtual private networks," International Journal of Critical Infrastructure Protection, vol. 2, pp. 146-153, 2009.
12. S. P. Carrasco, Carrasco & Associates, "MPLS VPN Services: PW, VPLS and BGP MPLS/IP VPNs," technology white paper, 2003-2006.
13. F. Palmieri, "VPN scalability over high performance backbones: evaluating MPLS VPN against traditional approaches," Proceedings of the Eighth IEEE International Symposium on Computers and Communications (ISCC'03).
14. R. Ren, D. G. Feng, K. Ma, "A detailed implementation and analysis of MPLS VPN based on IPsec," Proceedings of the Third International Conference on Machine Learning and Cybernetics, Shanghai, 26-29 August 2004.
15. R. Cotter, D. Medhi, "Survivable design of reconfigurable MPLS VPN networks," IEEE, 2009, 978-1-4244-5048-0/09.
16. Cisco IP Solution Center L2VPN User Guide, Cisco Systems, Inc., 2005.
17. "An MPLS L2VPN Introduction," available at http://www.h3c.com.
18. VPN Consortium, "Scenario 1: Gateway-to-Gateway with Preshared Secrets," available at: www.vpnc.org/InteropProfiles/FVS336G-profile.pdf.
19. "Protocol Numbers," IANA, 2010-05-27, archived from the original on 2010-07-27.
20. "IPsec," available at: en.wikipedia.org/wiki/ipsec.
21. S. Kent, "IP Authentication Header," IETF RFC 4302, December 2005.
22. C. Semeria, "RFC 2547bis: BGP/MPLS VPN Fundamentals," Juniper Networks, 200012-001, 03/01.
