
Next generation overlay networks: security, trust, and deployment challenges

  • Authors: Jordi Paillissé Vilanova
  • Thesis advisors: Albert Cabellos Aparicio (advisor), Fabio Marino (co-advisor)
  • Defense: At the Universitat Politècnica de Catalunya (UPC) (Spain) in 2021
  • Language: Spanish
  • Subjects:
  • Full text not available
  • Abstract
    • Overlay networks are a technique to build a new network on top of an existing one. They are a key tool to add functionality to existing networks, and are used in different layers of the Internet stack for a wide variety of purposes, like confidentiality, Quality of Service, virtual networking, etc. Specifically, network overlays in the IP networking layer are widely used in some of these use cases. However, these kinds of overlay networks do not have as many functionalities as overlays in other layers. For example, thanks to the Zero Trust Networking paradigm it is possible to build secure overlay networks at L7 using HTTPS.

      Taking this into account, this thesis strives to add new features to IP overlay networks and improve existing ones, in order to support emerging challenges. This thesis focuses on three axes: security, trust, and deployment in enterprise scenarios. First, regarding security, we explore how to simplify the setup of secure tunnels over the Internet, without relying on external Public Key Infrastructure or proprietary solutions. To this end, we leverage WireGuard, a state-of-the-art VPN protocol, and add a control plane on top of it to distribute encryption keys. In addition, we present the implementation of a prototype and a performance evaluation.

      Second, with respect to trust, we investigate how emerging blockchain technology can be used in distributed mapping systems. A mapping system is a database used in some overlay network deployments to assist in the creation of tunnels, by storing overlay-to-underlay pairs of addresses. Mapping systems are not commonly used in scenarios with multiple administrative domains, due to configuration complexity and centralized control. We explore how some of the properties of blockchains, such as distributed control or auditability, can help in building this type of mapping system. We take into account both the policy aspects, that is, the advantages of a distributed trust scheme, and the technical ones, like simplified management. In addition, we present two deployment scenarios: one to increase the security of BGP-based inter-domain routing, and a set of cooperating companies that want to establish communications among themselves.

      Finally, we focus on the deployment of enterprise networks leveraging overlay networks. First, we discuss the challenges present in current enterprise networks, such as segmentation, mobility, or simplified operations. Then, we present a design based on overlay networks and SDN principles to address them, along with an evaluation of two real-life deployments. We conclude with a design tailored for future enterprise networks, based also on overlay networks and a layered approach. This solution aims to provide mobility, multi-homing, confidentiality, user and application identity, and access control policies for enterprise endpoints connected from any network, either in the campus or outside.

