ScienceDirect
Available online at www.sciencedirect.com
www.elsevier.com/locate/procedia
Procedia Computer Science 160 (2019) 831–836

International Workshop on Emerging Networks And Communications (IWENC 2019)
November 4-7, 2019, Coimbra, Portugal

A novel approach for improving MPLS VPN security by adopting the software defined network paradigm

Faycal Bensalah a*, Najib EL Kamoun a, Youssef Baddi b

a Laboratory STIC, Faculty of Sciences, University Chouaib DOUKKALI, BD Jabran Khalil Jabran, El Jadida 24000, Morocco
b Laboratory STIC, ESTSB, University Chouaib DOUKKALI, BD Jabran Khalil Jabran, El Jadida 24000, Morocco

Abstract

The security of network infrastructures is one of the tedious tasks in modern networks. Indeed, the security demanded nowadays must be dynamic and able to adapt to the context of the exchanges; in other words, security must not influence network performance. To meet this need, network automation through a software-defined network (SDN) controller can be used. SDN is a new paradigm that allows a controller to orchestrate the entire network architecture. In this paper we propose a new solution for the dynamic generation of security policies between different MPLS VPN sites by adopting the SDN approach.

© 2019 The Authors. Published by Elsevier B.V.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)
Peer-review under responsibility of the Conference Program Chairs.

Keywords: SDN; Security; VPN; MPLS; Automation; QoS; controller.


1. Introduction

Security is one of the major concerns of businesses, because security is not just about privacy, integrity, or authentication, but also includes high availability. High availability depends on several factors, namely the equipment used and the strategies and plans provided by the company in case of malfunction of the system.

* Corresponding author. Tel.: +212-0661-068-001; fax: +212-0523-344-449.
E-mail address: f.bensalah@ucd.ac.ma

1877-0509 © 2019 The Authors. Published by Elsevier B.V.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)
Peer-review under responsibility of the Conference Program Chairs.
10.1016/j.procs.2019.11.003
832 Faycal Bensalah et al. / Procedia Computer Science 160 (2019) 831–836

All four fundamentals of security can sometimes be required by the company at once, so finding a compromise and a solution that guarantees them requires a lot of processing. For example, encryption protocols or traffic security policies in general can influence the performance of equipment and thus compromise the availability of resources.

Multi-Protocol Label Switching (MPLS) [1] is considered the main protocol deployed in the core layer of the operator's network. MPLS has been successful with the emergence of new associated services, primarily the Virtual Private Network (VPN) service [2]. MPLS VPN makes it possible to obtain a secure connection at a lower cost. To create client VPNs, it is therefore necessary to isolate the flows of each client.

It is true that MPLS VPN provides a higher level of security than a traditional VPN because the traffic passes through the operator's private network, but some customers prefer to add an encryption layer through the IPsec protocol [3]. IPsec relies on two protocols: 1) the Authentication Header (AH) [4], guaranteeing authentication, integrity and anti-replay of data; 2) the Encapsulating Security Payload (ESP) [5], which additionally ensures confidentiality.

The rest of the paper is organized as follows. In Section 2 we discuss the interest of automating IPsec policy deployment for the MPLS VPN solution. In Section 3 we clearly position our contribution. In Section 4 we present our solution. In Section 5 we evaluate the performance of our solution, and Section 6 concludes.

2. SDN for MPLS VPN

With the advent of the cloud, we are seeing an extra step in process automation with the Software Defined Network (SDN) [6]. This brings a real simplification, with automated operations in standard and reproducible environments. Thanks to this new mode of operation, the test and deployment phases are shortened, thus saving substantial time and money. Through the orchestration principle, SDN allows the network resources of the company to be managed from a central point called the controller [7]. In our situation the SDN paradigm can be adopted to implement new rules that improve the security policies of IPsec protected MPLS VPN tunnels, in order to meet the needs of the company in terms of security, integrity, authentication, and especially availability.

Figure 1 illustrates the operating principle of our SDN approach to solve the problem of adapting an IPsec security
policy to achieve better MPLS VPN performance.

Fig. 1. The operation of the proposed SDN approach to automate the deployment of IPsec

Our approach consists of three steps: measuring network performance (applications and equipment), calculating
the appropriate IPsec policy, and deploying this policy on routers and devices. These steps revolve around the four
elements: availability, confidentiality, integrity, and authentication.

3. Positioning of the contribution

Although MPLS VPN technology provides security services at the core network level, some users require an additional level of security, whether between CE and PE or even between CE and CE. This security need can be met by implementing a security layer through the IPsec protocol. The problem with this protocol lies in the static nature of its security policies: in other words, the predefined policy is applied between the sites to any type of traffic, without taking into account the criticality of the exchanges. Our contribution makes it possible to generate IPsec policies automatically with different levels of security, taking into consideration:

1. Availability: The security policy should not be very demanding in terms of CPU and RAM resources if the output interface experiences periodic failures due to congestion or insufficient buffer memory.
2. Confidentiality and Integrity: The security policy must consider the need for encryption and integrity, providing strong algorithms in the contexts that require them and low-cost algorithms for tunnels carrying non-priority traffic.
3. Authentication: IPsec must generate policies supporting different Diffie-Hellman groups and RSA signatures; the choice of DH group or signature depends on the communicating sites and the transported traffic.
4. Scalability: The security policy must take into consideration the total number of IPsec tunnels deployed on an output interface. If this number can affect the operability of the other tunnels, the approach can close the non-priority tunnels or suggest a lighter security policy.

4. Proposed Approach

The proposed approach, based on three logical layers (application, control and data), allows:

1. Generating different levels of security policies.
2. Upon the establishment of an IPsec protected MPLS VPN tunnel between sites S1 and S2, a security policy is automatically developed at the controller.
3. Configuration files are generated and automatically delivered to the routers according to their manufacturer.

The architecture of the proposed approach is illustrated in Figure 2.

Fig. 2. The architecture of the proposed approach



The application layer is the layer responsible for performing SLA measurement and active flow detection operations on each gateway. The operations are performed according to attributes; for example, in the SLA measurement operation the attributes can be the loss rate, the latency, the jitter, the MOS score, or the loading duration of a file. These attributes vary from one application to another. Through the application layer, new attributes can be customized for a specific type of application. Figure 3 illustrates an example of defining new attributes for a predefined application.

Fig. 3. Example of assigning new QoS attributes

The control layer, consisting of three modules, provides the intelligence to determine a policy automatically according to the desired performance. The Security Associations module contains the different security levels of a policy and their IPsec settings. The generic policies defined by default in our approach are: highly secured, secured, unsecured. The first policy guarantees confidentiality, integrity and data authentication. The second assures only the integrity and the authentication of the data. The last policy provides no security to the transported traffic; it is based on IP-in-IP encapsulation. Each of the policies mentioned above is characterized by a preconfigured list of IPsec SAs. Table 1 illustrates this association between attributes and policy.

Table 1. Different default security levels.

Policy Level     Encryption   Integrity   Mode     IPsec   Key length
Highly Secured   AES          SHA         Tunnel   ESP     256 to 521 BEC
Secured          x            MD5         Tunnel   AH      2048 bit modulus
Unsecured        x            x           x        x       x

The tunnel endpoints module lists the endpoints of IPsec tunnels established or being established. This module can measure the performance of each interface through which a tunnel can be deployed; this operation ensures that the security policy to be deployed between two sites will not saturate the gateways or affect the performance of tunnels already established. The Policy Enforcement module checks whether the delivered security policy is optimal and, if not, adapts the security policy to comply with the SLA. The adaptation can be performed by using encryption protocols that are less expensive in terms of processing, or smaller key lengths. The effectiveness of the delivered policy is verified by collecting SLA statistics from the application layer. Interoperability between the control and application layers is achieved by communication protocols: OpenFlow in a fully SDN network, or Python sockets in our case of a hybrid SDN.

The equipment concerned by the configuration is located at the data layer, which consists of two modules. Manufacturer Detection: this module contains a list of manufacturers and their command line syntax for configuring IPsec MPLS VPN tunnels. Detection of the equipment model can be performed by reading the following object identifiers (OIDs): ".1.3.6.1.2.1.1.2", ".1.3.6.1.2.1.1.1". Configuration files that reflect the deployed IPsec policies are generated and delivered to the gateways through SSH tunnels.
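The following is an added illustration, not the authors' code, of how the Security Associations and Policy Enforcement modules described above could pick and adapt a level. The policy levels are those of Table 1; the SLA thresholds (apart from the 150 ms VoIP latency bound the paper cites), the CPU limit, the tunnel capacity and the traffic classes are assumed values chosen for the example.

```python
# Added example (not the paper's code): a minimal model of the control layer.
# Policy levels follow Table 1; the SLA limits, the 80% CPU limit, the
# 12-tunnel capacity and the traffic classes are assumed values.
from dataclasses import dataclass
from typing import Optional

# Security levels from Table 1, ordered from strongest to weakest.
POLICIES = [
    {"name": "Highly Secured", "encryption": "AES", "integrity": "SHA",
     "mode": "Tunnel", "ipsec": "ESP"},
    {"name": "Secured", "encryption": None, "integrity": "MD5",
     "mode": "Tunnel", "ipsec": "AH"},
    {"name": "Unsecured", "encryption": None, "integrity": None,
     "mode": "IP-in-IP", "ipsec": None},
]

# Assumed SLA limits per traffic class (150 ms for VoIP is the bound the paper uses).
SLA_LIMITS = {"voip": {"loss_pct": 2.0, "latency_ms": 150.0},
              "ftp": {"loss_pct": 5.0, "latency_ms": 500.0}}

@dataclass
class Endpoint:
    cpu_pct: float          # gateway CPU load reported by the tunnel endpoints module
    tunnels: int            # IPsec tunnels already deployed on the output interface
    max_tunnels: int = 12   # assumed capacity before other tunnels are affected

def initial_policy(priority: bool, ep: Endpoint) -> Optional[dict]:
    """Security Associations module: strongest level the gateway can afford.
    Returns None when a non-priority tunnel should be closed (scalability rule)."""
    if not priority and ep.tunnels >= ep.max_tunnels:
        return None
    level = 0 if priority else 1        # non-priority traffic never starts at AES/ESP
    if ep.cpu_pct > 80.0 or ep.tunnels >= ep.max_tunnels:
        level += 1                      # availability: do not saturate the gateway
    return POLICIES[min(level, len(POLICIES) - 1)]

def sla_violated(cls: str, stats: dict) -> bool:
    """Compare SLA statistics collected by the application layer with the limits."""
    lim = SLA_LIMITS[cls]
    return stats["loss_pct"] > lim["loss_pct"] or stats["latency_ms"] > lim["latency_ms"]

def enforce(policy: dict, cls: str, stats: dict, priority: bool) -> dict:
    """Policy Enforcement module: step down one level while the SLA is not met.
    Priority traffic is never downgraded below 'Secured' (keeps integrity/auth)."""
    idx = POLICIES.index(policy)
    floor = 1 if priority else 2
    if sla_violated(cls, stats) and idx < floor:
        return POLICIES[idx + 1]
    return policy
```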

5. Performance Evaluation

In order to evaluate the performance of our approach, we realized on GNS3 the network architecture illustrated in
figure 4.

Fig. 4. Evaluation Network Architecture

The evaluation network consists of 7 Provider (P) routers and 3 Provider Edge (PE) routers; each PE directly connects two Customer Edge (CE) routers. The evaluation policy is to compare the performance of the applications transported through IPsec MPLS VPN tunnels using the classical approach and our proposed approach. The experimentation process consists of increasing the number of CEs and measuring VoIP, FTP, and equipment performance.

Fig. 5. VoIP loss rate (percent).
Fig. 6. VoIP latency (ms).

Figure 5 illustrates the VoIP loss rate in both the traditional and the proposed approach. We find that our approach is much more scalable than the traditional solution: the loss rate does not reach 2% even in the case of 40 CEs, whereas the rate becomes unacceptable in the traditional IPsec case from the 30 CE scenario onwards.

Figure 6 illustrates the VoIP latency. The obtained results show that our approach does not exceed the 150 ms recommended for VoIP traffic, whereas this threshold was exceeded in the case of the traditional IPsec implementation. In fact, latency depends on the processing performed by the encryption algorithms for a given traffic; our approach uses low-cost algorithms in case of network overload, which explains the better results compared to the traditional method.

Fig. 7. FTP download time.
Fig. 8. Average CE CPU performance.

Figure 7 illustrates the download delay of an FTP file. The same finding as for VoIP was observed in this case: our approach performs better even for elastic flows.

The proposed approach also has a positive impact on equipment performance. Figure 8 illustrates the average CE performance in terms of CPU using the traditional and the proposed approach. The performance is quite similar for both approaches with 4 tunnels, but a noticeable difference appears from the case of 12 tunnels onwards.

6. Conclusions

In this paper we have dealt with a recent problem: offering a good level of security based on the performance of the network, namely of the transported applications and even of the gateways. This paper addresses the case of IPsec security in MPLS VPN tunnels, which is increasingly being rolled out in most businesses. Our approach is based on the SDN paradigm, in which a controller is used to measure network performance, define an appropriate IPsec policy, and apply this policy at the gateway level. The evaluation of the performance of our model showed that this kind of solution brings a gain in terms of QoS indicators and thus a longer lifetime for the company's network.

References

[1] Bensalah, F., & El Kamoun, N. (2019). Novel software-defined network approach of flexible network adaptive for VPN MPLS
traffic engineering. International Journal of Advanced Computer Science and Applications, 10(4), 280-284.
[2] Bensalah, F., El Kamoun, N., & Bahnasse, A. (2017). Evaluation of tunnel layer impact on VOIP performances (IP-MPLS-MPLS
VPN-MPLS VPN IPsec). International Journal of Computer Science and Network Security (IJCSNS), 17(3), 87.
[3] Bensalah, F., El Kamoun, N., & Bahnasse, A. (2017). Analytical performance and evaluation of the scalability of layer 3 tunneling
protocols: case of voice traffic over IP. IJCNS International Journal of Computer Science and Network Security, 17(4), 361-369.
[4] Kent, S., "IP Authentication Header", RFC 4302, DOI 10.17487/RFC4302, December 2005, <https://www.rfc-editor.org/info/rfc4302>.
[5] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, DOI 10.17487/RFC4303, December 2005, <https://www.rfc-editor.org/info/rfc4303>.
[6] Bahnasse, A., Louhab, F. E., Ait Oulahyane, H., Talea, M., & Bakali, A. (2018). Novel SDN architecture for smart MPLS traffic
engineering-DiffServ aware management. Future Generation Computer Systems, 87, 115-126. doi:10.1016/j.future.2018.04.066
[7] Bahnasse, A., Louhab, F. E., Oulahyane, H. A., Talea, M., & Bakali, A. (2018). Smart bandwidth allocation for next generation
networks adopting software-defined network approach. Data in Brief, 20, 840-845. doi:10.1016/j.dib.2018.08.091
