مشخصات مقاله | |
ترجمه عنوان مقاله | راه اندازی پویا شبکه های خصوصی مجازی و امنیت پروتکل اینترنت در زنجیره عملکردی خدمات |
عنوان انگلیسی مقاله | Dynamic setup of IPsec VPNs in service function chaining |
انتشار | مقاله سال 2019 |
تعداد صفحات مقاله انگلیسی | 15 صفحه |
هزینه | دانلود مقاله انگلیسی رایگان میباشد. |
پایگاه داده | نشریه الزویر |
نوع نگارش مقاله |
مقاله پژوهشی (Research Article) |
مقاله بیس | این مقاله بیس نمیباشد |
نمایه (index) | Scopus – Master Journals List – JCR |
نوع مقاله | ISI |
فرمت مقاله انگلیسی | |
ایمپکت فاکتور(IF) |
4.205 در سال 2018 |
شاخص H_index | 119 در سال 2019 |
شاخص SJR | 0.592 در سال 2018 |
شناسه ISSN | 1389-1286 |
شاخص Quartile (چارک) | Q1 در سال 2018 |
مدل مفهومی | ندارد |
پرسشنامه | ندارد |
متغیر | ندارد |
رفرنس | دارد |
رشته های مرتبط | مهندسی فناوری اطلاعات |
گرایش های مرتبط | شبکه های کامپیوتری، اینترنت و شبکه های گسترده |
نوع ارائه مقاله |
ژورنال |
مجله / کنفرانس | شبکه های کامپیوتری – Computer Networks |
دانشگاه | Department of Information Security and Communication Technology, Norwegian University of Science and Technology (NTNU), Gjøvik 2802, Norway |
کلمات کلیدی | مجازی سازی عملکرد شبکه، زنجیره عملکردی خدمات، هدر سرویس شبکه، امنیت پروتکل اینترنت، تبادل کلیدی اینترنتی، تبادل کلیدی اینترنتی نرم افزار محور، RESTconf |
کلمات کلیدی انگلیسی | NFV، SFC، NSH، IPsec، IKE، SD-IKE، RESTconf |
شناسه دیجیتال – doi |
https://doi.org/10.1016/j.comnet.2019.05.015 |
کد محصول | E13673 |
وضعیت ترجمه مقاله | ترجمه آماده این مقاله موجود نمیباشد. میتوانید از طریق دکمه پایین سفارش دهید. |
دانلود رایگان مقاله | دانلود رایگان مقاله انگلیسی |
سفارش ترجمه این مقاله | سفارش ترجمه این مقاله |
فهرست مطالب مقاله: |
Abstract 1. Introduction 2. Extraction and discussion of requirements 3. Architecture 4. Implementation 5. Verification by experiments 6. Discussion and evaluation 7. Conclusion Funding Conflicts of Interest CRediT authorship contribution statement Appendix A. Supplementary materials Research Data References |
بخشی از متن مقاله: |
Abstract
This article describes a novel mechanism for the automated establishment of dynamic Virtual Private Networks (VPN) in the application domain of Network Function Virtualization (NFV). Each hop in an NFV Service Function Chain (SFC) lacks the capability of per-flow encryption, that makes the traffic flow in federated NFV environments vulnerable for eavesdropping. Due to the possible lack of bidirectional data plane communication channels between VNFs in an SFC, the Internet Security Key Exchange protocol (IPsec-IKE) is not applicable inside a VNF. Hence, this article introduces an alternative to IPsec-IKE that is specifically designed for NFV environments. This component is named Software Defined Security Associations (SD-SA), which is shown through a proof of concept evaluation to perform better than IPsec-IKE with respect to bandwidth and resource consumption. Introduction The security mechanisms in Software Defined Networks (SDN) and NFV lack the capability to encrypt and isolate the end-user traffic between VNFs. Fig. 1 exemplifies the problem by describing a typical VNF Service Function Chain (SFC), where the network traffic traverses multiple VNFs located at multiple service providers, while earlier work [1–3] shows that the current NFV standardization attempts from ETSI [4] and IETF [5] do not take VNF isolation into account in the SFC design. Accordingly, an end-user who subscribes to VNF services from multiple services providers: • Cannot end-to-end encrypt traffic, since the VNFs require to have access in order to manipulate this traffic. • Is not aware and in control of which service providers having access to the data traffic, can potentially eavesdrop traffic and manipulate the route tables. • Does not know if the VNFs are shared network services with other users, who can as such access private data. Earlier work [1,2], showed that these problems could be resolved by introducing hop-by-hop encryption per IP flow or per group of IP flows. This is enabled by deploying an encryption application in front of every VNF within an SFC (Fig. 1). We showed that this encryption application is typically a Virtual Machine attached to the Virtual Link [6], particularly assigned for this function. These underlying encryption functions [1] can also be perceived as regular VNFs. Furthermore, earlier work also showed an additional problem with such an architecture. A service chain, following the NSH and SFC specification [6], can have a different service path than the reverse service path. Consequently, a pair of encrypting and decrypting VNFs in a service chain, do not necessarily have a bidirectional communication channel on the data plane, where they can exchange keys. |