International Journal of Computer Science and Information Security (IJCSIS),
Vol. 15, No. 1, January 2017

Study, Evaluation and Measurement of IEEE 802.16e Secured by Dynamic and Multipoint VPN IPsec

Azeddine KHIAT, Ayoub BAHNASSE, Jamila BAKKOURY, Mohamed EL KHAILI

Abstract— Nowadays universities and companies increasingly tend to deploy wireless infrastructures such as WiMAX, Wi-Fi, etc., on the one hand to increase mobility and collaboration, on the other hand to grow the network cost-effectively. Therefore the upcoming challenge is to offer a high security level that such infrastructures do not implicitly guarantee. In order to secure communication between wireless infrastructures, a Virtual Private Network can be deployed; this solution appears to be the best choice, but it is limited in terms of scalability, i.e. it does not support the extension of the number of sites. Dynamic and Multipoint Virtual Private Network (DMVPN) is the best choice to achieve a good level of security, guarantee the scalability and support the modularity of the whole network. It also allows the dynamic creation of virtual private IP tunnels between multiple sites automatically, quickly and with the least configuration. In this paper, we evaluate the performance of IEEE 802.16e networks secured by DMVPN IPsec. HTTP with heavy load is used as the transported application.

Index Terms—IPsec; DMVPN; VPN; WiMAX; IEEE 802.16e; Performances; OPNET Modeler.

I. INTRODUCTION

The need to deploy wireless access with a high bandwidth has become global and primordial, especially for Moroccan universities. Thanks to such networks, users can work together more effectively, roam without losing connection, add users quickly and grow the network scale without restrictions.

A. WiMAX technology

Worldwide Interoperability for Microwave Access (WiMAX) refers to IEEE 802.16 [1] [2]. It has been implemented for this purpose and is considered a scalable wireless platform for building alternative or complementary broadband networks. WiMAX technology can offer a bandwidth of 70 Mbps per wireless channel; depending on the particular technical configuration chosen, the WiMAX coverage area can reach 50 km.

Fig. 1 [3] illustrates the component equipment of an IP-based WiMAX network.

Fig. 1. IP-based WiMAX network architecture

• Mobile Stations (MS) are used by the end user to access the network.
• Base Station (BS) is responsible for providing the air interface to the mobile stations; this node is also responsible for managing mobility functions, such as tunnel establishment, radio resource management and Quality of Service policy enforcement.
• Access Service Network (ASN) is responsible for connection management and mobility across cell sites and inter-service-provider network boundaries. The ASN also allows radio resource management, admission control, establishment and management of mobility tunnels with base stations, Quality of Service and policy enforcement, foreign agent functionality for Mobile IP, and routing to the selected CSN.
• Connectivity Service Network (CSN) is defined as a set of network functions that provide IP connectivity services

Submitted on 27 January 2017.
Azeddine KHIAT, Jamila BAKKOURY and Mohamed EL KHAILI, SSDIA Laboratory, ENSET, HASSAN 2nd University of Casablanca, Mohammedia, Morocco (azeddine.khiat@univh2m.ma).
Ayoub BAHNASSE, LAB STIC, Dept Physics, Faculty of Sciences, University Chouaib Doukali, El Jadida, Morocco (bahnasse.a@ucd.ac.ma).

276
https://sites.google.com/site/ijcsis/
ISSN 1947-5500

to the WiMAX subscribers. It may also provide Internet access, AAA server, Policy and Admission Control, and Inter-ASN mobility.

B. WiMAX handover procedure

Handover refers to all the operations carried out to allow an MS to change radio cells without interrupting the conversation or the transfer of data. In general, the handover occurs due to weak signal, cell capacity and radio channel condition, in addition to environment constraints. In the horizontal handover, the most important component before the handover process occurs is the received signal strength. The MS will be connected to the neighbour BS if a loss rate was detected. Fig. 2 shows the 802.16e handover procedure [4-5]:
• Cell reselection.
• Handover decision.
• Handover initiation.
• Synchronization with new Down Link (DL).
• Acquisition of Up Link (UL) parameters.
• Ranging.

Fig. 2. IEEE 802.16e Handover Procedure

C. DMVPN for WiMAX

Despite the good intentions for the WiMAX security level, we notice security issues: there are several potential attacks [6-9], including DoS attacks, Man-in-the-Middle attacks, rogue base stations, replay attacks, etc. These vulnerabilities, the main issues of WiMAX and other wireless technologies, can compromise the availability, integrity and authentication of data. For these reasons medium and large companies currently tend toward the Dynamic Multipoint VPN network [10] as a solution to connect remote sites securely, due to its ability to deploy a very high number of secure tunnels with a minimum of cost and especially of configuration. The DMVPN technology is based on NHRP, mGRE, IPsec and routing protocols:
• The mGRE protocol is a tunneling protocol that can encapsulate a variety of network layer protocols inside the IP protocol. GRE tunnels forward unicast, multicast and broadcast traffic, but they are static, which means that a configuration of each tunnel is required. mGRE allows establishing multiple tunnels across a single physical interface with multiple dynamic destinations.
• The NHRP [11] protocol is a resolution protocol used by a Spoke connected to a Non Broadcast Multi-Access (NBMA) network to determine the NBMA Next-Hop physical address (public address). NHRP allows mGRE tunnel endpoints to discover each other's physical IP address. Spokes, called Next-Hop Clients (NHC), register their physical addresses mapped to logical addresses (tunnel addresses) into the HUB, called Next-Hop Server (NHS). The NHS stores all registered mappings and replies to NHRP requests from clients.
• The IPsec [12] protocol is an extension of IP that provides integrity and authentication of data. IPsec operates in two modes, the tunnel mode and the transport mode: tunnel mode replaces the original IP header and encapsulates the entire packet; transport mode does not modify the initial header, it is inserted between the network layer and the transport layer of the OSI model. IPsec uses the Encapsulation Security Payload (ESP) [13] and Authentication Header (AH) [14] protocols. AH provides integrity and authentication of data; ESP also provides the confidentiality of data. But with the presence of NAT, integrity issues cause packet rejection [15]. Fig. 3 shows the encapsulation of AH in both modes, tunnel and transport, and Fig. 4 shows the encapsulation of ESP in both modes.

Fig. 3. AH Encapsulation on tunnel and transport mode
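The NHRP registration and resolution exchange and the on-demand spoke-to-spoke tunnels described above, replayed over the client/server pairs of Table II (Section III), as an added example in Python that is not the paper's code: it shows why the full-mesh scenario pays more tunnel negotiations than the partial mesh. It assumes BS 1 plays the UHC hub role (the paper does not say which site is the hub); tunnel and NBMA addresses are constructed.

```python
"""DMVPN control plane as described above: spokes (NHCs) register their tunnel->NBMA
mapping with the hub (NHS), resolve peers through it and negotiate a dynamic
spoke-to-spoke tunnel on first use. Added example (not the paper's code); BS 1 is
assumed to be the UHC hub and all addresses are constructed."""

# Table II client/server pairs, MS-<site>-<index>, as the paper lists them (MS-4-3 twice in scenario 1).
SCENARIO_1 = [("MS-1-1", "MS-2-1"), ("MS-2-2", "MS-1-2"), ("MS-3-3", "MS-1-3"),
              ("MS-1-4", "MS-3-4"), ("MS-4-3", "MS-1-5"), ("MS-1-6", "MS-4-6"),
              ("MS-4-3", "MS-2-3"), ("MS-2-4", "MS-4-4"), ("MS-3-5", "MS-2-5"),
              ("MS-2-6", "MS-3-6"), ("MS-3-1", "MS-4-1"), ("MS-4-2", "MS-3-2")]
SCENARIO_2 = [("MS-1-1", "MS-2-1"), ("MS-2-2", "MS-1-2"), ("MS-4-3", "MS-1-3"),
              ("MS-1-4", "MS-2-3"), ("MS-4-5", "MS-1-5"), ("MS-1-6", "MS-4-6"),
              ("MS-2-4", "MS-3-4"), ("MS-3-5", "MS-2-5"), ("MS-2-6", "MS-3-6"),
              ("MS-3-1", "MS-4-1"), ("MS-4-2", "MS-3-2"), ("MS-3-3", "MS-4-4")]
HUB = 1  # assumption: the paper does not say which BS is the UHC hub

def site(ms):
    """'MS-3-5' -> 3: the BS (site) serving that mobile station."""
    return int(ms.split("-")[1])

class Router:
    def __init__(self, sid):
        self.sid, self.tunnel_ip, self.nbma_ip = sid, f"10.0.0.{sid}", f"203.0.113.{sid}"  # constructed
        self.sas = set()   # peers with an established mGRE+IPsec tunnel
        self.used = set()  # peers this BS actually exchanged traffic with

class Hub(Router):
    def __init__(self, sid):
        super().__init__(sid)
        self.nhrp_cache = {}  # NHS: tunnel address -> NBMA (public) address
    def register(self, spoke):  # NHRP Registration Request from an NHC
        self.nhrp_cache[spoke.tunnel_ip] = spoke.nbma_ip
        self.sas.add(spoke.sid); spoke.sas.add(self.sid)  # static tunnel to the hub
    def resolve(self, tunnel_ip):  # NHRP Resolution Request -> Reply (None: unknown)
        return self.nhrp_cache.get(tunnel_ip)

def deliver(src, dst, hub):
    """Carry one client->server flow; return 1 if a new spoke-to-spoke tunnel had
    to be negotiated (NHRP resolution + IKE), 0 if an existing tunnel was reused."""
    src.used.add(dst.sid); dst.used.add(src.sid)
    if dst.sid in src.sas:
        return 0
    if hub.resolve(dst.tunnel_ip) != dst.nbma_ip:  # learn dst's public address
        raise LookupError(f"BS {dst.sid} is unknown to the NHS")
    src.sas.add(dst.sid); dst.sas.add(src.sid)  # IPsec SA is bidirectional
    return 1

def run(pairs):
    """Return ({site: tunnels carrying traffic}, spoke-to-spoke tunnels negotiated)."""
    hub = Hub(HUB)
    bss = {HUB: hub}
    for sid in (2, 3, 4):
        bss[sid] = Router(sid)
        hub.register(bss[sid])
    new = sum(deliver(bss[site(c)], bss[site(s)], hub) for c, s in pairs)
    return {sid: len(r.used) for sid, r in sorted(bss.items())}, new

if __name__ == "__main__":
    for name, pairs in (("full mesh", SCENARIO_1), ("partial mesh", SCENARIO_2)):
        print(name, *run(pairs))  # 3 tunnels/site, 3 negotiations; 2/site, 2
```

Scenario 1 touches every site pair, so all three spoke-to-spoke tunnels must be negotiated on top of the static hub tunnels; scenario 2 only needs two, and every later flow reuses an existing tunnel.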

• Interior gateway routing protocols ensure optimal routing of data between the routers of the same cloud [16, 17].

Fig. 4. ESP Encapsulation on tunnel and transport mode

Fig. 5 illustrates an example of a DMVPN network consisting of 3 SPOKEs and 1 HUB. In order to guarantee the establishment of tunnels, gateways must be connected to the same cloud and provide a correct ID and password. Spokes have a static permanent mGRE tunnel to the HUB, and dynamic temporary tunnels between them.

Fig. 5. DMVPN network architecture

II. RELATED WORKS

Several works have been conducted assessing the performance of IP-based WiMAX using VPN technology. The paper [20] deals with the importance of IPsec tunneling for securing communications between different BSs. This work discusses the architecture of the IPsec protocol and describes how to deploy a site-to-site tunnel between two BSs. This work seems very interesting, but it does not show the impact of the tunnel on the performance of the network and the transported applications. The work [21] discusses the deployment of a secure WiMAX network, including both MAC and IPsec security. Through the studies carried out, the author evaluates the efficiency of the various encryption and integrity protocols in the IEEE 802.16 network. The author has shown that the IPsec protocol is the most recommended in terms of security and mobility. The article [22] also addresses the concept of IPsec and site-to-site tunneling in a WiMAX network. The results obtained are similar to those of the other works. As a remark about these two works, we can say that they could be much more interesting if scalability were taken into consideration, by visualizing the impact of the increase of the number of tunnels. The work [23] performs the same studies as the previous ones but under the Qualnet simulator. The simulators offer the same qualitative results; the results obtained from the previous work are expected. While none of these works addressed the issue of DMVPN in the WiMAX network, much research has been done to study the impact of its protocols on DMVPN networks or on Non Broadcast Multi-Access networks in general [18], [19]. This was a motivation for us to complement the above works by: (i) including the new VPN technology DMVPN in the WiMAX network, which, by default, provides scalability, highly recommended in wireless networks; (ii) simulating the impact of the number of tunnels on network performance and Web-based applications. In our study we used HTTP traffic; the evaluation criteria fixed are HTTP object response delay, TCP delay and TCP retransmission count.

The rest of the paper is organized as follows. Section 3 is reserved for the discussion of the evaluation scenarios, in Section 4 we discuss the obtained results and we conclude in the fifth section.

III. SIMULATION SCENARIOS

This section presents the scenarios created using the OPNET Modeler tool [24].

The simulated network [Fig. 6] consists of four hexagonal cells of IEEE 802.16e networks. Each cell contains six mobile stations which move in parallel from one BS to another. All BSs are connected to an Access Service Network Gateway (ASN-GW). Each BS is connected to the ASN-GW by using a PPP E1 link, which has a 2.048 Mbps capacity. In the real environment, the ASN-GW represents the network known as "MARWAN" (Moroccan Academic and Research Wide Area Network), the national, non-profit computer network dedicated to education, training and research. Its objective is to establish a communication infrastructure between Moroccan training and education institutions.

Fig. 6. Simulation network

One BS acts as the HUB of the topology, called UHC "University Hassan II Casablanca"; the other BSs play the role of SPOKEs (MANFALOUTI, FSAC "Faculty of Science Aïn Chock Casablanca", LFSS "Letter Faculty And Social Sciences Casablanca"). Based on research assessing the performance of DMVPN [25-28], the EIGRP routing protocol was the most recommended and best suited for fast and reliable delivery of applications; this was an incentive for us to use it in the routing process. The following table [Table 1] illustrates the configuration parameters of BSs and mobile stations.

TABLE I. BSS AND MOBILE NODE CONFIGURATION PARAMETERS
BSS and MS Maximum Transmission Power: 0.5 W
BSS and MS PHY Profile: Wireless OFDMA 20 MHz
BSS and MS number of transmitters: SISO
BSS Antenna Gain: 15 dBi
MS Antenna Gain: -1 dBi
MS Application: HTTP Heavy Load

In order to evaluate the impact of tunnels, we set the destination preference for each client to ensure that transversal tunnels are built. For this purpose we created two scenarios based on the network simulation shown in figure 6. In the first scenario, full-meshed tunnels are created between mobile stations, 3 tunnels per site; in the second scenario, partial-meshed tunnels are performed, 2 tunnels per site. Communications are controlled as follows [Table 2].

TABLE II. DESTINATION PREFERENCE OF COMMUNICATIONS (Client → Server)
Scenario 1: MS-1-1 → MS-2-1; MS-2-2 → MS-1-2; MS-3-3 → MS-1-3; MS-1-4 → MS-3-4; MS-4-3 → MS-1-5; MS-1-6 → MS-4-6; MS-4-3 → MS-2-3; MS-2-4 → MS-4-4; MS-3-5 → MS-2-5; MS-2-6 → MS-3-6; MS-3-1 → MS-4-1; MS-4-2 → MS-3-2
Scenario 2: MS-1-1 → MS-2-1; MS-2-2 → MS-1-2; MS-4-3 → MS-1-3; MS-1-4 → MS-2-3; MS-4-5 → MS-1-5; MS-1-6 → MS-4-6; MS-2-4 → MS-3-4; MS-3-5 → MS-2-5; MS-2-6 → MS-3-6; MS-3-1 → MS-4-1; MS-4-2 → MS-3-2; MS-3-3 → MS-4-4

A brief description of the IPsec attributes used in both scenarios is shown in table 3.

TABLE III. IPSEC ATTRIBUTES USED
IKE Phase 1 and 2 encryption and hash: DES, MD5
IKE Phase 1 authentication: Pre-share
DH Group: 5
Tunnel mode: Transport

IV. OBTAINED RESULTS AND DISCUSSIONS

A. Object Response Time

This statistic specifies the response time for each inlined object from the HTML page. As shown in figure 7, partial-mesh tunnels offer a smaller delay compared to full-mesh tunnels by a factor of 15%; this improvement is justified by the number of tunnels established in the first scenario compared to the second scenario.

Fig. 7. Object response time in seconds

B. TCP Delay

TCP delay represents the delay of packets received by the TCP layers in the complete network, for all connections. This parameter is measured from the time an application data packet is sent from the source TCP layer to the time it is completely received by the TCP layer in the destination node. Given that a dynamic DMVPN tunnel requires additional resources for the negotiation of policies (Routing + NHRP + IPsec) and then the establishment of the connection, the full-meshed scenario requires additional delay to transmit a TCP segment compared to the second scenario, with a factor of 64.54%. The partial-meshed scenario exploits the already established tunnel to directly open a TCP session between peers; this justifies the result obtained in figure 8.

Fig. 8. TCP Delay in seconds

C. TCP Retransmission Count

This parameter represents the total number of TCP retransmissions in the network, written when data is retransmitted from the TCP unacknowledged buffer. Fig. 9 shows the TCP retransmission count.

Fig. 9. TCP retransmission count

V. CONCLUSION

In this paper we performed a performance evaluation of IEEE 802.16e secured by DMVPN IPsec. According to our research, almost all scientific works deal with the implementation of site-to-site VPN networks to secure such networks. This was an incentive for us to study the behavior of IEEE 802.16e secured by dynamic and multipoint VPN technology. We simulated an example of the Moroccan Hassan II university network, and we increased the number of tunnels to show their impact on the network and on the transported application. The obtained results confirmed that the more we increase the number of tunnels, the worse the performance of the transported applications will be.

REFERENCES

[1] IEEE 802.16 Working Group. IEEE Standard for Local and Metropolitan Area Networks. "Part 16: Air Interface for Fixed Broadband Wireless Access Systems". IEEE Std. 802.16-2004, October 2004.
[2] IEEE 802.16 Working Group. Amendment to IEEE Standard for Local and Metropolitan Area Networks. "Part 16: Air Interface for Fixed Broadband Wireless Access Systems – Physical and Medium Access Control Layer for Combined Fixed and Mobile Operation in Licensed Bands". IEEE Std. 802.16e, December 2005.
[3] Teo, K. H., Tao, Z., & Zhang, J. (2007). The mobile broadband WiMAX standard [standards in a nutshell]. IEEE Signal Processing Magazine, 24(5), 144-148.
[4] Mohd Pardi, Mohd Baba, et al. "Analysis of handover performance in mobile WiMAX networks". IEEE Conference on Control and System Graduate Research Colloquium (ICSGRC), 27-28 June 2011, pp. 143-149.
[5] Shahab Hussain and Muhammad Ibrahim. "Handoff in mobile WiMAX: Forced handoff scheme with load balancing in mobile WiMAX networks". 8th IEEE International Workshop on Performance and Management of Wireless and Mobile Networks, 2012.

[6] Derrick Boom. Denial of Service Vulnerabilities in IEEE 802.16 Wireless Networks. Naval Postgraduate School, Monterey, Ca 93943.
[7] Hasan, J. (2006, December). Security Issues of IEEE 802.16 (WiMAX). In Australian Information Security Management Conference (p. 71).
[8] Bogdanoski, M., Latkoski, P., Risteski, A., & Popovski, B. (2008). IEEE 802.16 Security Issues: A Survey.
[9] Nguyen, T. (2009). A survey of WiMAX security threats. Washington University, Computer Science Department.
[10] Dynamic Multipoint VPN (DMVPN) Design Guide. Corporate Headquarters, Cisco Systems, Inc., 10th May 2004, 104 p.
[11] Luciani, J., Katz, D., Piscitello, D., Cole, B., & Doraswamy, N. (1998). NBMA next hop resolution protocol (NHRP).
[12] Kent, S., & Atkinson, R. (1998). RFC 2401: Security architecture for the Internet Protocol. November 1998. Status: PROPOSED STANDARD. Obsoletes RFC1825 [Atk95a].
[13] Kent, S., & Atkinson, R. (1998). Encapsulating Security Protocol. RFC 2406.
[14] Kent, S., & Atkinson, R. (1997). IP Authentication Header. RFC 2402. Work in Progress.
[15] Aboba, B., & Dixon, W. (2004). RFC 3715–IPsec-network address translation (NAT) compatibility requirements.
[16] Asati, R., Khalid, M., Retana, A. E., Van Savage, D., & Sethi, P. P. (2013, January). U.S. Patent No. 8,346,961. Washington, DC: U.S. Patent and Trademark Office.
[17] Chen, H. (2011, May). Design and implementation of secure enterprise network based on DMVPN. In Business Management and Electronic Information (BMEI), 2011 International Conference on (Vol. 1, pp. 506-511). IEEE.
[18] Jankuniene, R., & Jankunaite, I. (2009, June). Route creation influence on DMVPN QoS. In Information Technology Interfaces, 2009. ITI'09. Proceedings of the ITI 2009 31st International Conference on (pp. 609-614). IEEE.
[19] Thorenoor, S. G. (2010, April). Dynamic routing protocol implementation decision between EIGRP, OSPF and RIP based on technical background using OPNET modeler. In Computer and Network Technology (ICCNT), 2010 Second International Conference on (pp. 191-195). IEEE.
[20] Dogaru, I., & Petrescu (2009). WIMAX 802.16 Network–Secure Communications. UPB Sci. Bull., Series C, 71(2).
[21] Balu & Senthil (2014). Secure data transmission over WiMAX networks using VPN technology in realtime environments. International Journal of Computer Science and Mobile Computing, Vol. 3, Issue 1, February 2014, pg. 202-211.
[22] Nazaryan, L., Panaousis, E. A., & Politis, C. (2010). IPSec provisioning in WiMAX networks. IEEE Vehicular Tech. Mag., 5(1), 85-90.
[23] BARKA, E., SHUAIB, K., & CHAMAS, H. (2008). Impact of IPSec on the Performance of the IEEE 802.16 Wireless Networks. In: New Technologies, Mobility and Security, 2008. NTMS'08. IEEE, p. 1-6.
[24] Lu, Z., & Yang, H. (2012). Unlocking the power of OPNET modeler. Cambridge University Press.
[25] BAHNASSE, A., & ELKAMOUN, N. (2015). Study and Analysis of a Dynamic Routing Protocols' Scalability over a Dynamic Multi-point Virtual Private Network. International Journal of Computer Applications, 123(2).
[26] Bahnasse, A., & El Kamoun, N. (2015). Study and evaluation of the high availability of a Dynamic Multipoint Virtual Private Network. Revue Méditerranéenne des Télécommunications, 5(2).
[27] Fitigau, I., & Toderean, G. (2013, June). Network performance evaluation for RIP, OSPF and EIGRP routing protocols. In Electronics, Computers and Artificial Intelligence (ECAI), 2013 International Conference on (pp. 1-4). IEEE.
[28] Iqbal, A., & Khan, S. L. (2015). Performance Evaluation of Real Time Applications for RIP, OSPF and EIGRP for flapping links using OPNET Modeler. International Journal of Computer Networks and Communications Security (IJCNCS), 3(1), 16-26.