VPN Solution Benchmarking for Endpoints Under Fast Network Mobility

Faculdade de Engenharia da Universidade do Porto

VPN solution benchmarking for endpoints under fast network mobility

João Francisco
Mestrado Integrado em Engenharia Eletrotécnica e de Computadores (Integrated Master's in Electrical and Computer Engineering)
Supervisor: Ana Aguiar
Second Supervisor: António Damião Rodrigues
July 25, 2018
© João Francisco, 2018

Resumo (Portuguese abstract, translated)

This dissertation was proposed by Veniam, a start-up focused on the development of vehicular networks. Providing connectivity in motion over different technologies (DSRC, Wi-Fi, or 4G LTE) while maintaining a good quality of experience for users is a challenging task. The use of VPNs eases network management by logically placing clients in the same local network. This can be used for simplified remote control, and to hide changes in the physical network (new access point, new IP address) from services and applications. They can also add security, in the form of encryption and authentication.

VPN solutions are generally appropriate for solving the connectivity problem for stationary clients equipped with reasonably high computing capacity. However, VPNs fail in mobile scenarios, breaking end-to-end connections when clients switch network access points. Additionally, advanced cryptography and the extra protocol overhead result in VPN solutions that are demanding in terms of computing power on the client side. Applying these solutions on the low-resource, moving devices of Veniam's smart fleets results in a strongly degraded service.

In this dissertation, different VPN solutions will be studied and compared, with the aim of selecting a solution suited to Veniam's use case. For each implementation, throughput degradation, latency increase, and CPU usage will be measured. The ability to adapt to fast switching between heterogeneous networks will also be evaluated. The benchmark results will allow the minimization of the service degradation caused by the use of VPN tunnels in Veniam's mobile network environment.

Abstract

This dissertation was proposed by Veniam, a start-up working on vehicular networks. Offering connectivity to moving things over different technologies (DSRC, Wi-Fi, or 4G LTE) while maintaining a good quality of experience for users is a challenging endeavour. The use of VPNs facilitates network management, by logically placing clients inside the same local network. This can be used for simplified remote control, and to hide physical network changes (new access point, new IP address) from other services or applications. They can also provide security features, in the form of encryption and authentication.

VPNs are commonly well-suited to solve the connectivity problem for stationary clients, equipped with reasonably high processing power. However, VPNs fail in mobile scenarios, breaking end-to-end connections when clients switch between network access points. Moreover, advanced cryptography and protocol overhead means several VPN solutions demand high computational power at the client side. Applying these solutions to the fast-moving, performance-constrained devices deployed in Veniam connected fleets results in a severely degraded service.

In this dissertation, different VPNs will be researched and compared, with the goal of selecting a suitable solution for Veniam's use case. For each implementation, throughput degradation, latency increase, and CPU usage will be measured. Their ability to adapt to rapid switching between heterogeneous networks will also be evaluated. The benchmark results will allow for the minimization of service degradation caused by the use of VPN tunnels in Veniam's constrained mobile environment.

Acknowledgements

There are several people I would like to thank for their help in the making of this dissertation. Firstly, my supervisor Prof. Ana Aguiar, whose ideas, feedback and suggestions were fundamental to correctly tackle the problem I was given to solve. Also, as a lecturer, Prof. Ana Aguiar was a great contributor to the growth of my interest in the telecommunications and computer network fields and is someone any person would be lucky to have as a mentor.

My gratitude also goes to my second supervisor, Eng. António Damião Rodrigues, whose support was invaluable, and without whom this dissertation would look much different and unpolished. I cannot thank him enough for the time spent reviewing my work, providing very detailed and clear feedback, and for always being available to answer my questions. I trust his input made this dissertation richer, and I am glad for all his help.

I would also like to thank Eng. Diogo Lopes, my supervisor at Veniam, for his guidance and explanation of the Veniam network architecture. This has helped make sure the test scenarios were appropriate, and the results relevant to the Veniam use case. Of course, a big thank you to the incredible Veniam team for receiving me so well at their office. It was a pleasure to work alongside you and to witness such innovative ideas being born and developed in the heart of Porto.

Finally, I am eternally grateful to my family, and specifically to my parents, Natércia Magalhães and Rogério Francisco, for their belief in the importance of education and their unconditional support. I can always count on them, and for that, I am extremely lucky. I would also like to thank my friends, and specifically Jessica Rodrigues, for being such an important source of moral support, and for always having my best interests at heart.

João Francisco

"They do not know, nor do they dream, that the dream commands life, that whenever a man dreams the world leaps and advances like a coloured ball between the hands of a child."
António Gedeão

Contents

1 Introduction
1.1 Context
1.2 Motivation
1.3 Objectives
1.4 Dissertation Structure
2 Problem Characterization
2.1 Current State of Vehicular Networks
2.2 Future Vision
2.3 Problem Definition
3 Literature Review
3.1 Different VPN solutions
3.2 Mobility in VPN connections
3.3 Conclusions
4 Methodology
4.1 Proposed Solution
4.2 Experimental Set-up
4.3 Network and Component Set-up
4.3.1 Mobility Overhead
4.3.2 Computational Overhead
4.4 Testing procedure
4.4.1 General Configurations
4.4.2 Mobility Overhead
4.4.3 Computational Overhead
5 Results
5.1 Computational Overhead
5.1.1 CPU Usage
5.1.2 Throughput
5.1.3 Latency
5.2 Mobility Overhead
5.2.1 Conclusions
6 Conclusions and Future Work
6.1 Objective Satisfaction
6.2 Future Work
References

List of Figures

1.1 Initial VPN connection
1.2 Endpoint address updating, fixed VPN interface address
4.1 Handshake procedure comparison
4.2 Scheme of network and device set-up used for mobility overhead experiments
4.3 Scheme of network and device set-up used for computational overhead experiments
5.1 CPU usage comparison
5.2 Throughput comparison
5.3 Latency comparison

List of Tables

3.1 Results of basic functionality from Berger [1]
3.2 Performance measurement results from Berger [1]
4.1 Comparison of OpenVPN and WireGuard
4.2 Raspberry Pi key specifications
4.3 Encryption and authentication algorithms used in each security configuration
4.4 OpenVPN security features
4.5 Summary of endpoint configurations, according to security and test categories
5.1 Number of pings sent or received by a demoted interface in the different test scenarios
6.1 Average penalty per metric compared to plain Ethernet (lower is better)

Abbreviations and Symbols

3DES Triple Data Encryption Standard
ACK Acknowledgment
AES Advanced Encryption Standard
AP Access Point
API Application Programming Interface
Auth Authentication
AWS Amazon Web Services
Cert Certificate
CPU Central Processing Unit
DHCP Dynamic Host Configuration Protocol
DSRC Dedicated Short-range Communications
EC2 Elastic Compute Cloud
GB Gigabyte
GCM Galois/Counter Mode
GPLv2 GNU General Public License version 2
HIP Host Identity Protocol
HMAC Hash-based Message Authentication Code
IoT Internet of Things
IP Internet Protocol
IPSec Internet Protocol Security
IPv4 Internet Protocol version 4
ISP Internet Service Provider
L2TP Layer 2 Tunnelling Protocol
LAN Local Area Network
LTE Long Term Evolution
NAT Network Address Translation
Mbits/s Megabits per second
MHz Megahertz
MOBIKE IKEv2 Mobility and Multihoming Protocol
ms milliseconds
MTU Maximum Transmission Unit
MUSeS Mobile User Secured Session
P2P Peer-to-peer
pp Percentage points
PPTP Point-to-Point Tunneling Protocol
RC4 Rivest Cipher 4
RPi Raspberry Pi
RSU Roadside Unit
RTT Round-trip Time
SHA Secure Hash Algorithms
SSTP Secure Socket Tunneling Protocol
STCP Sociedade de Transportes Colectivos do Porto
TCP Transmission Control Protocol
TLS Transport Layer Security
UDP User Datagram Protocol
USB Universal Serial Bus
V2V Vehicle-to-Vehicle
V2I Vehicle-to-Infrastructure
VLAN Virtual Local Area Network
VoIP Voice over Internet Protocol
VPN Virtual Private Network

Chapter 1 Introduction

1.1 Context

VPN (Virtual Private Network) solutions are widely used for many purposes. Although initially developed to allow remote access to private networks from an external point (for example, to read work documents stored in the company's local network while at home), new uses have come up.

More recently, the general public has found this technology helpful in encrypting and protecting their data, obfuscating their communications to hide them from trackers or mass surveillance agents. This use case has led to the appearance of many VPN providers, offering the service on a subscription basis, with a focus on its security aspects or end node locations, allowing access to geo-locked content. By establishing a VPN session with a VPN server, it is also possible to traverse NAT (Network Address Translation) devices.
