
Whitepaper | Advanced Networking for the Cloud World

February 3, 2024

Summary

The Internet protocol suite, more commonly referred to as TCP/IP, is the computer networking model and set of communications protocols at the center of the Internet. The main design goal of the TCP/IP protocols was to allow the build-out of the interconnection of networks; shortcomings present themselves when you consider its use for the forthcoming Internet of Things market, where hundreds of billions of devices are expected to be connected.

This technical paper addresses these shortcomings of TCP/IP networking for the Cloud Connected World.

The Cloud Connected World represents an opportunity, in both market size and the sheer number of devices, unlike any market preceding it. Networking technology must evolve to address the emerging challenges of security, scale, and ease of implementation that will follow.

TCP/IP ≠ End to End

A fundamental challenge for the IoT is that TCP/IP based Internet connectivity provides little ability to ensure an end-to-end chain of trust; the most significant limitation is that each independent network on the chain represents an independent, unpredictable point of vulnerability.

An Internet Protocol (IP) address is much like a street address, in that it provides a unique way to identify a network interface. Although IP addresses are often thought to represent physical devices, it is essential to note that the explicit intent of the specification is that an IP address represents a network interface, which in turn can be associated with a separate network, where some method of routing is used to manage end-to-end connectivity.

The Cloud Connected World requires a secure direct connection technology capable of ensuring an end-to-end chain of trust.

Remote.It secure connections are made using a small piece of portable C code that connects to any TCP/IP stack using the standard localhost interface. The software runs as a daemon in user space on a Linux platform or can be ported to any TCP/IP stack, such as those based on LwIP or uIP [1]. As an example of use, the localhost interface on a PC allows a user to connect to a web server on the same PC securely. A user would type a localhost address such as 127.0.0.1 into a browser. A connection using a 127.0.0.1 address is secure because the information passed between the web server and browser never leaves the PC. Remote.It allows a user to connect to the web server from a remote device, but still connect using a 127.0.0.1 localhost address. Data may then be securely and directly passed between the web server and the remote user device using a Remote.It connection and the localhost interface. The direct Remote.It connection uses a TLS secured tunnel to extend the localhost interface and thus enable host-to-host communication in the same way, for example, that a protected bus might be used for inter-process communication between CPUs. A Remote.It connection may be made between any type of PC, mobile device, sensor, or any type of IoT (Internet of Things) device.

Remote.It software and secure connections provide first-line protection against cybersecurity attacks. The NSA advocates that users of Industrial Control Systems (ICS) perform scans to discover network devices and determine network topology [2]. Unfortunately, it is easy for an attacker to perform the same types of scans. Shodan (for the Internet) and Fing (for the local area network) are examples of such simple-to-use but sophisticated network scanner tools that can be used to aid an attack. Remote.It allows any service, such as an HTTP connection, to be connected or bound to a Remote.It service using a 127.0.0.0/8 class address. The TCP/IP stack will now only respond to incoming connections from a 127.0.0.0/8 or localhost class of addresses. Since localhost addresses may never appear on an external network according to RFC1060, the TCP/IP stack is now secure from outside penetration. In addition, all ports may be closed to outside requests. Restricting connections from any external IP address and closing all external ports eliminates the TCP/IP stack fingerprints that a network scanner detects and effectively hides or cloaks any device that is using Remote.It software. Remote.It device cloaking may be selectively turned off or disabled to perform legitimate scans for inventory, testing, etc., but enabled for normal use in order to defend against port scanning and other network penetration exploits.
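The cloaking argument above rests on one checkable property: a service bound to a loopback address is unreachable from off-host, while one bound to 0.0.0.0, *, or an interface address is exposed. The following audit script is an added example (not Remote.It's code); it parses a constructed sample of `ss -tlnH` output and reports which listeners are loopback-only and which remain exposed, so the "all ports closed to outside requests" state can be verified on a host rather than assumed.

```python
import ipaddress
from typing import List, NamedTuple

# Constructed sample in the column layout of `ss -tlnH` (State Recv-Q Send-Q
# Local:Port Peer:Port); not captured from a real host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 [::1]:5900 [::]:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 192.168.1.10:3306 0.0.0.0:*
"""


class Listener(NamedTuple):
    address: str
    port: int
    exposed: bool  # True when the socket is reachable from outside the host


def parse_local(field: str):
    """Split an ss Local:Port field into (address, port); handles [v6] and '*'."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]")
    if host in ("*", ""):          # ss prints '*' for a wildcard bind
        host = "0.0.0.0"
    return host, int(port)


def is_loopback_only(host: str) -> bool:
    """127.0.0.0/8 and ::1 never leave the host, so such binds are not exposed."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_listeners(ss_text: str) -> List[Listener]:
    """Classify every LISTEN line as loopback-only or exposed."""
    listeners = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        host, port = parse_local(parts[3])
        listeners.append(Listener(host, port, not is_loopback_only(host)))
    return listeners


def exposed_ports(ss_text: str) -> List[int]:
    return sorted(l.port for l in audit_listeners(ss_text) if l.exposed)


def is_cloaked(ss_text: str) -> bool:
    """A host is 'cloaked' in the sense used above only if nothing is exposed."""
    return not exposed_ports(ss_text)
```

Run it on the live output of `ss -tlnH` (or the equivalent netstat listing) to confirm that only the 127.0.0.0/8 or ::1 binds remain once a service has been moved behind the tunnel.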

Remote.It technology allows any authenticated user to connect to any resource (in the cloud or IoT) using the Remote.It application on a mobile device or using any browser. The Remote.It SaaS (Software as a Service) server authenticates the user and initiates and then brokers a connection between the IoT device and the user. Per-session keys are sent to the IoT device and the user and then the server hands the connection off to both endpoints thus establishing a secure direct connection between user and resource. 

Remote.It connection technology is simple yet flexible and powerful, and may be extended in several ways. As an example, a sensor node could execute trusted code that communicates with another trusted host in the cloud via a Remote.It connection. Since a Remote.It connection operates at the TCP/IP level as a service it eliminates the need for any secondary level of authentication.

Example

Another extension is service-level virtualization: independent Remote.It secure connections can be made for HTTP/HTTPS, SSH, and VNC on a single device. Services may also be bundled or joined within a single Remote.It connection. In one production deployment of the Remote.It technology (with more than 100k devices in the field), an IP camera video stream is bundled with a control channel. The bundled connection, handled above the TCP/IP layer, enables QoS for live streaming video by varying the video stream bit rate according to the TCP buffer fill rate. Such a use of Remote.It technology represents a powerful extension to TCP/IP. For example, Winstein (Stanford) and Balakrishnan (MIT) have recently shown that a similar control layer can provide a several-fold improvement in either bandwidth or latency over 4G LTE connections without any alteration to the 4G data channel itself [4].

Remote.It connection technology provides direct connections between devices and eliminates the need for paid and complex cloud services such as STUN, TURN, and ICE. A direct Remote.It connection also provides lower latency than cloud-based connections. Remote.It can take advantage of the low latency of the connections from users and IoT devices to the cloud.

Easy Provisioning

Remote.It technology is engineered to allow cloud resources to be easily registered, provisioned, and deployed. For example, a new server instance in Amazon AWS, Microsoft Azure, or Google Cloud Platform (GCP) can be programmed to be provisioned or re-provisioned based on the fact that the instance is using the same external IP address as a user. Remote.It connections are originated by the endpoints, allowing direct connections to be made without port forwarding or firewall configuration. The connection technology allows cloud resources, IoT devices, and users to migrate between different network configurations, or to operate on or behind different cellular or satellite networks. Deployment of Remote.It simply requires a small stand-alone binary with minimal engineering effort. Remote.It allows the extension of a LAN or proximal network to the Internet in a secure fashion.

Remote.It connections can be made directly and securely between two devices that include Remote.It software, or by using a relay server between a device that includes Remote.It software and one that does not. The Remote.It-enabled relay server could be part of a gateway and thus allow cloud resources in a VPC or IoT devices on a LAN to communicate even when the Internet connection to the gateway is down. Ease of use extends to the sharing of services and devices, including controls on access and ownership. Remote.It also provides the SaaS infrastructure to support the Remote.It connection technology, including registration, provisioning, network monitoring, geo-located servers, and kits to allow integration with any platform [5] [6].

References

[1] http://en.wikipedia.org/wiki/LwIP and http://en.wikipedia.org/wiki/UIP_(micro_IP) describe LwIP and uIP that are two common low footprint TCP/IP stacks used in embedded systems.

[2] https://www.nsa.gov/ia/_files/ics/ics_fact_sheet.pdf A Framework for Assessing and Improving the Security Posture of Industrial Control Systems (ICS), Systems and Network Analysis Center, NSA, Released: August 20, 2010 Version: 1.1. Describes NSA recommendations for IoT and ICS devices.

[3] http://www.icri-sc.org/fileadmin/user_upload/Group_TRUST/PubsPDF/trustlite.pdf Koeberl, Patrick, Steffen Schulz, Ahmad-Reza Sadeghi, and Vijay Varadharajan. "TrustLite: a security architecture for tiny embedded devices." In Proceedings of the Ninth European Conference on Computer Systems, p. 10. ACM, 2014. Describes Intel’s Trustlite trust and attestation technology.

[4] Winstein, Keith. "Transport architectures for an evolving Internet." PhD diss., Massachusetts Institute of Technology, 2014. Advised by Hari Balakrishnan. Describes the use of channel models above the TCP/IP layer to improve bandwidth and latency of a cellular connection.

[5] US Patent US8447843, priority date September 2006, describes how the Weaved technology can identify, configure, and access an IoT device connected to a network.

[6] US Patent Application US20150052253
