
Emanuele Faranda - Creating network overlays with IoT devices using N2N


When building a network of communicating IoT devices, it is compulsory to ensure that all the devices are reachable regardless of their IP address and location. This talk is about an open source software named n2n that enables secure communication over a lightweight and secure p2p network overlay.

When building a network of IoT devices, the communication topology can be a problem: some devices might be behind a NAT, and others might be reachable only from certain network nodes. Furthermore, the advent of mobile and automotive computing with non-persistent addressing will make all this even more challenging. To address this, people usually adopt a centralised, cloud-based topology that makes the network weak and suboptimal, as all the devices have to communicate through this central point instead of talking directly when possible. However, the cloud does not address privacy and security, in particular when IoT devices are used and developers are not fully aware of security issues: this can be addressed by a network overlay that tackles the problem at the network level instead of the application level. This talk is about an open source, lightweight network overlay software named n2n ( https://github.com/ntop/n2n ) [available for Linux, BSD, MacOS, Windows] developed by the authors, that enables the creation of a persistent network that promotes secure communications even in environments where security is optional, or where some communications are prevented by NATs or firewall devices.

Published in: Software


  1. Creating Network Overlays with IoT Devices using N2N
     Emanuele Faranda <faranda@ntop.org>
  2. Emanuele Faranda – LinuxLab 2018
     IoT Challenges [1/2]
     • Constrained resources (CPU, memory)
     • Connect to the device for configuration/troubleshooting
     • Remotely export data and metrics
     • Remotely install security updates
  3. IoT Challenges [2/2]
     • Interconnect different IoT devices in a secure way
     • Monitor the devices' traffic for anomaly/malware detection
     • Implement policies to block unknown threats
  4. Internet Today
     • The IP address of the devices is dynamic
     • IoT devices are often located behind NAT
     • IPv6 can improve the situation, but we still need a way to define our own networks
  5. NAT and Home [1/2]
  6. NAT and Home [2/2]
     How to reach the device from anywhere?
     • Set up IP forwarding in the home router
     • Use dedicated vendor software to access the device from the cloud
     • The vendor must implement security into the application
  7. Other Problems
     • Existing VPN solutions are complex and heavyweight
     • Most IoT protocols are not encrypted by design (MQTT, HTTP, ...) and would require modifications
  8. Our Vision
     • The internet should be a “transparent” IP-based transport for users, not a geographical/ISP constraint
     • Users should control/create their community networks (today network administrators do)
     • Move encryption and network reachability from the application to the network layer
  9. Introducing N2N [1/2]
     • Is an encrypted Layer 2 VPN
     • It can cross NAT and firewalls
     • It’s decentralized, no single point of failure (unlike a traditional VPN)
     • Makes it simple to join multiple virtual networks (communities)
  10. Introducing N2N [2/2]
     • Open source project, driven by the community
     • Easy setup: CLI tool or service
     • Easy integration: just a single function call
     • Cross platform: Android, Linux, *BSD, MacOS, Windows
  11. N2N Architecture [1/2]
     (diagram: edge nodes attached to super nodes)
  12. N2N Architecture [2/2]
     • Meshed, semi-centralized architecture (like P2P) with super-nodes that build the basic network infrastructure
     • Multiple supernodes to announce hosts
     • Edge nodes belonging to the same community can talk together
     • Each edge node has a virtual network interface for each network it joined
  13. Don’t Reinvent The Wheel
     • TUN/TAP adapters to run across OSes
     • L2/L3 encrypted tunnels are used by peers to communicate
     • P2P protocols will be used for finding and registering hosts, as well as announcing new networks (communities)
     • DHCP and DNS
  14. Why P2P
     • P2P has overcome all the limitations of the “closed” internet (firewalls, dynamic IP and NAT)
     • P2P can be seen as a “new/modern” IP routing protocol
     • P2P allows decentralized application design and works even with non-permanent connections, contrary to IP
  15. Install N2N
     Prebuilt binaries:
     • Set up the repo http://packages.ntop.org
     • $ apt-get install n2n
     From GitHub:
     • $ git clone https://github.com/ntop/n2n
     • $ ./autogen.sh && make
  16. Run N2N
     • edge1$ edge -d n2n0 -c mycommunity -k mykey -a 192.168.9.1 -l supernode.ntop.org:7777
     • edge2$ edge -d n2n0 -c mycommunity -k mykey -a 192.168.9.2 -l supernode.ntop.org:7777
     • edge2$ ping 192.168.9.1
  17. N2N Today
     • Users can set up their own supernodes
     • Users can join different communities at once
     • Edge nodes can talk directly (in a LAN via multicast advertisements, or in a WAN if not NATed)
     • N2N can be integrated into other software
  18. Embedding N2N
  19. Remote Assistance (ntopng)
  20. Performance (scp)
     • Line rate: 1 Gbit/s
     • Direct transfer: 900 Mbit/s
     • N2N, no encryption: 850 Mbit/s
     • N2N with encryption: 114 Mbit/s
     Note: encryption currently requires high computational resources and provides low throughput. This will be addressed in the next release.
  21. Going Beyond
     • Use asymmetric keys for end-to-end encryption between nodes
     • Leverage hardware encryption
     • Apply traffic policies at the edge (nDPI)
     • Make N2N traffic stealthy to DPI software
  22. Credits and Links
     • Luca Deri <deri@ntop.org>
     • https://www.ntop.org/products/n2n
     • https://github.com/ntop/n2n
     • https://www.ntop.org/guides/ntopng/remote_assistance.html
     • https://github.com/gregnietsky/simpletun
  23. Thank You
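The two-edge setup from the "Run N2N" slide, as an added example that is not part of the talk: a POSIX shell wrapper that reads the community key from a root-only file and hands it to edge through the N2N_KEY environment variable (which edge accepts as an alternative to -k), so the key does not appear in `ps` output or shell history on a shared IoT box, then waits for the tap interface and runs the ping check from the slide. The key file path and the `up` sub-command are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): start an n2n edge with the slide's
# parameters, but take the community key from a root-only file instead of -k.
# Assumptions: the edge binary is installed, honours N2N_KEY, and goes to the
# background by default; the key file path below is this example's own.
set -eu

KEY_FILE="${KEY_FILE:-/etc/n2n/mycommunity.key}"   # assumed location

# Accept the key file only if it is a regular, non-empty file readable by
# its owner alone (mode 600 or 400). Returns 0 when acceptable.
check_key_file() {
    f="$1"
    [ -f "$f" ] && [ -s "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Build the edge argument list from the slide, deliberately without -k.
# $1 = tap device, $2 = community, $3 = virtual IP, $4 = supernode host:port
build_edge_args() {
    printf -- '-d %s -c %s -a %s -l %s' "$1" "$2" "$3" "$4"
}

# Poll until the tap interface exists (edge creates it); give up after $2 seconds.
wait_for_iface() {
    i=0
    while [ "$i" -lt "$2" ]; do
        [ -d "/sys/class/net/$1" ] && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

main() {
    check_key_file "$KEY_FILE" || {
        echo "refusing: $KEY_FILE missing, empty or readable by others" >&2; exit 1; }
    N2N_KEY=$(cat "$KEY_FILE"); export N2N_KEY
    # Word splitting of the argument string is intended here.
    edge $(build_edge_args n2n0 mycommunity 192.168.9.1 supernode.ntop.org:7777)
    wait_for_iface n2n0 10 || { echo "n2n0 did not come up" >&2; exit 1; }
    ping -c 3 192.168.9.2    # the second edge from the slide
}

case "${1:-}" in up) main ;; esac
```

Run it as root with `./edge-up.sh up` on edge1 (swap the two addresses for edge2); anything other than `up` only defines the functions, which keeps the helpers testable without touching the network.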
