
Comparing the mobile data networks of Europe in OpenSignal’s newest report

18 Aug

Today, OpenSignal released its new Global State of Mobile Networks report, our first worldwide report that looks beyond 4G technology to examine the overall mobile data prowess of nearly 100 different countries. While you can see the overall conclusions and analysis in the report itself, we’re also drilling down to specific regions in a short series of blog posts. Today we’re starting with Europe.

The chart below shows how 33 European countries stack up in mobile data performance, plotting combined 3G and 4G availability on the vertical axis and average 3G/4G speed on the horizontal axis.

3G/4G speed vs. 3G/4G availability


Europe does quite well in general in both speed and availability, reflecting not only its countries’ investments in LTE but the mature state of their LTE infrastructures. Most of them are clustered in the upper central portion of the chart with speeds between 10 and 20 Mbps and high levels of mobile data signal availability. The vast majority of European users can latch onto a 3G or better signal more than 80% of the time, according to our data.

Outside of that main cluster, we do see clumps of countries in similar stages of development. We find several Eastern European countries that haven’t quite caught up with the rest of the region in either speed or availability (sometimes both), though Germany falls in the underperforming category as well. Being a former member of the eastern bloc isn’t always indicative of poorer mobile data performance, though. Both Lithuania and Hungary are well to the right of Europe’s main cluster, joining the Nordic states and the Netherlands in an exclusive club of outperformers. These are the rare countries that are able to offer a consistent mobile data connection greater than 20 Mbps.

3G signals are plentiful around the world

3G has definitely taken hold in most countries. Of the 95 countries in our sample, 93 had 3G or better signal availability more than half the time, while the vast majority had availability greater than 75%, according to our data.

Big differences remain in average consumer data speeds

Though 3G or 4G connections may be the norm, there are some sizable gaps country-to-country in our overall speed metric, which measures the average download performance across all networks. South Korea had the fastest overall speed of 41.3 Mbps, while the slowest average we measured was 2.2 Mbps in Afghanistan.

The dominant connection type is (surprise!) Wifi

We found high levels of mobile Wifi connections both in countries where mobile broadband is ubiquitous and in countries where mobile data infrastructure is more limited. The most mobile-Wifi-hungry country in the world was the Netherlands, where Wifi accounted for 70% of all of the smartphone connections we measured.

LTE development patterns are clearly emerging

When we correlated overall speeds with 3G/4G availability, we found distinct clusters of countries in similar stages of mobile development. Examining 3G and 4G together paints a much clearer picture of a country’s network progress than measuring 4G alone.


The End of the Private Enterprise Network

16 Aug

The network is the last thing that IT fully controls within the enterprise and consumes 12-15% of the enterprise technology budget. Compute, storage and applications are moving to the cloud with its elastic, pay-for-what-is-used model. Users are going mobile, working from anywhere. Networking will be the last thing that is moved to the cloud, but this too will happen.

Users get frustrated with the enterprise network because it is slower to work in the office than when they work from home. CIOs wonder why they pay 20x more for enterprise bandwidth than what they pay as a consumer. Business leaders are also frustrated with the enterprise network because it is slowing down their digital transformation projects.

Enterprise networks are inherently slower, less agile, less secure, and more expensive because of:

  1. Backhauling – Sending all Internet destined traffic back to a data center before going out to the Internet. 80% of enterprise branch office traffic is Internet destined and the backhauling is both expensive and slows down cloud based applications. Mobile device managers also backhaul cellular data traffic, causing the same problem.
  2. Legacy business models – Buying upfront tons of equipment (routers, firewalls, load balancers, network optimizers, intrusion detection) and signing multi-year contracts with 1-2 network service providers.
  3. ACL hell – Access Control Lists are used by network equipment to define on every interface where packets can and cannot go. This manual process can lead to thousands of rules and spirals out of control with no one understanding why a rule put in 3 years ago still applies. Also, routers are not able to report on which ACLs are used. Every network change requires new ACLs, which can break existing applications, making networks very complex and fragile.
  4. Perimeter Security – The assumption that a private network is more secure has not proven true, as shown by the many hacks that have been published and the increasing frequency with which they occur. A zero trust model is required to provide end-to-end security.
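
One way to audit the rule sprawl described in item 3, as an added example that is not part of the original post: the code reports ACL entries that an earlier entry already covers under first-match evaluation, so they can never take effect. The rule syntax, the sample ACL and the names `parse_acl`, `covers` and `audit` are assumptions made for this example, not a vendor's grammar or tooling.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional, Tuple

# Constructed sample in a simplified syntax (an assumption, not a vendor grammar):
#   <permit|deny> <ip|tcp|udp> <src CIDR|any> <dst CIDR|any> [dst-port]
SAMPLE_ACL = """\
permit tcp 10.0.0.0/8 any 443
permit udp 192.168.10.0/24 10.20.0.5/32 53
deny udp 192.168.10.16/28 10.20.0.5/32 53
permit tcp 10.1.2.0/24 any 443
deny ip any any
permit tcp 172.16.0.0/12 10.20.0.9/32 22
"""

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    line: int                # line number in the ACL text, for reporting
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]      # None = any destination port


def _net(token: str) -> IPv4Network:
    return ANY if token == "any" else IPv4Network(token)


def parse_acl(text: str) -> List[Rule]:
    """Parse the simplified syntax; '#' starts a comment, blank lines are skipped."""
    rules = []
    for n, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) not in (4, 5):
            raise ValueError(f"line {n}: expected 4 or 5 fields")
        action, proto, src, dst = fields[:4]
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
            raise ValueError(f"line {n}: unknown action or protocol")
        port = int(fields[4]) if len(fields) == 5 else None
        if port is not None and (proto == "ip" or not 0 < port < 65536):
            raise ValueError(f"line {n}: invalid port for protocol {proto}")
        rules.append(Rule(n, action, proto, _net(src), _net(dst), port))
    return rules


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches b also matches a."""
    return (
        (a.proto == "ip" or a.proto == b.proto)
        and b.src.subnet_of(a.src)
        and b.dst.subnet_of(a.dst)
        and (a.port is None or a.port == b.port)
    )


def audit(rules: List[Rule]) -> List[Tuple[int, str, int]]:
    """Return (line, kind, covering_line) for entries that can never match.

    kind is "shadowed" when the earlier entry has the opposite action (the
    later entry's intent is silently ignored) and "redundant" when the action
    is the same. Only coverage by a single earlier entry is checked; an entry
    covered by the union of several earlier entries is not reported.
    """
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.line, kind, earlier.line))
                break  # first match wins, so the first covering entry is the cause
    return findings


if __name__ == "__main__":
    for line, kind, by in audit(parse_acl(SAMPLE_ACL)):
        print(f"line {line}: {kind} by line {by}")
```

The entry on line 6 of the sample shows the common failure: a permit appended after a terminal deny looks like a change was made, yet no packet ever reaches it.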

Software Defined Wide Area Networks (SD-WANs) are a step towards making networks faster, more agile, and lower cost. SD-WANs bring broadband Internet to the branch office and place a security stack at the edge of the network, which minimizes backhauling and provides cheaper bandwidth than MPLS. SD-WANs use centralized controllers and IPsec or GRE tunnels to create an overlay network that masks the underlying network complexity. This is why the SD-WAN market is going to grow from 500M this year to 6B by 2020.

But, SD-WANs are just a step towards the Next Generation WAN (NG-WAN) which will be managed by cloud providers through Network as a Service (NaaS). Microsoft, Google, and other large Cloud Service Providers (CSPs) are becoming network operators. Gartner reports that 50% of cloud implementations have business impacting problems due to the network. CSPs realize that if they are going to provide a Quality of Experience (QoE) for their applications, that they need to have greater control of connecting their users.

To achieve complete end-to-end control of business IT computing and incent migration to cloud services, CSPs will offer secure seamless networking solutions to connect from customer on-premises servers to in-cloud-based resources. The next generation networks will leverage broadband Internet connectivity and high speed optical and Ethernet networks that are inter-connected at the carrier neutral collocations where the CSPs reside. On the premises will be white box switches and wireless local area networks connected to a very intelligent router and security stack that can dynamically establish direct, secure sessions between application services and users.

This can be done at a fraction of the cost because the CSPs already possess significant technical resources in networking and they have different business models than the traditional Network Service Providers (NSPs). CSPs over time will marginalize existing NSPs and shed the complexity that inhibits broader migration to cloud-based services.

The market for enterprise networking will go through a radical shakeout and will become commoditized. White box/brite box providers that develop the appropriate partnerships will see new opportunities. Winners will include low cost access and transport service providers along with existing and new network equipment providers bold enough to morph into a volume player for a low margin business.

The best lens into the IT future is to watch what start-up companies are doing. These companies do not have any legacy baggage and adopt the latest and greatest technology and solutions. Few start-ups are creating their own private networks. AirBnB and Uber are examples of companies without a private MPLS WAN.

This is a paradigm shift for the enterprise to go to the 1,000 plus fiber networks and Internet Service Providers (ISPs) that the cloud providers use, versus bringing 1-2 NSPs & ISPs into the enterprise.



5G Network Architecture – A High-Level Perspective

27 Jul



  • A Cloud-Native 5G Architecture is Key to Enabling Diversified Service Requirements
  • 5G Will Enrich the Telecommunication Ecosystem
    • The Driving Force Behind Network Architecture Transformation
    • The Service-Driven 5G Architecture
  • End-to-End Network Slicing for Multiple Industries Based on One Physical Infrastructure
  • Reconstructing the RAN with Cloud
    • Multi-Connectivity Is Key to High Speed and Reliability
    • MCE
  • Cloud-Native New Core Architecture
    • Control and User Plane Separation Simplifies the Core Network
    • Flexible Network Components Satisfy Various Service Requirements
    • Unified Database Management
  • Self-Service Agile Operation
  • Conclusion: Cloud-Native Architecture is the Foundation of 5G Innovation

Download: 5G-Nework-Architecture-Whitepaper-en

LTE Network Architecture

3 Mar

The high-level network architecture of LTE comprises the following three main components:

  • The User Equipment (UE).
  • The Evolved UMTS Terrestrial Radio Access Network (E-UTRAN).
  • The Evolved Packet Core (EPC).

The evolved packet core communicates with packet data networks in the outside world such as the internet, private corporate networks or the IP multimedia subsystem. The interfaces between the different parts of the system are denoted Uu, S1 and SGi as shown below:
LTE Architecture

The User Equipment (UE)

The internal architecture of the user equipment for LTE is identical to the one used by UMTS and GSM, which is actually a Mobile Equipment (ME). The mobile equipment comprises the following important modules:

  • Mobile Termination (MT) : This handles all the communication functions.
  • Terminal Equipment (TE) : This terminates the data streams.
  • Universal Integrated Circuit Card (UICC) : This is also known as the SIM card for LTE equipment. It runs an application known as the Universal Subscriber Identity Module (USIM).

A USIM stores user-specific data, much like a 3G SIM card. It keeps information about the user’s phone number, home network identity, security keys and so on.

The E-UTRAN (The access network)

The architecture of the evolved UMTS Terrestrial Radio Access Network (E-UTRAN) is illustrated below.
LTE E-UTRAN

The E-UTRAN handles the radio communications between the mobile and the evolved packet core and has just one component, the evolved base stations, called eNodeB or eNB. Each eNB is a base station that controls the mobiles in one or more cells. The base station that is communicating with a mobile is known as its serving eNB.
An LTE mobile communicates with just one base station and one cell at a time, and the eNB supports the following two main functions:

  • The eNB sends and receives radio transmissions to all the mobiles using the analogue and digital signal processing functions of the LTE air interface.
  • The eNB controls the low-level operation of all its mobiles, by sending them signalling messages such as handover commands.

Each eNB connects with the EPC by means of the S1 interface and it can also be connected to nearby base stations by the X2 interface, which is mainly used for signalling and packet forwarding during handover.
A home eNB (HeNB) is a base station that has been purchased by a user to provide femtocell coverage within the home. A home eNB belongs to a closed subscriber group (CSG) and can only be accessed by mobiles with a USIM that also belongs to the closed subscriber group.

The Evolved Packet Core (EPC) (The core network)

The architecture of the Evolved Packet Core (EPC) is illustrated below. A few more components are not shown in the diagram to keep it simple, such as the Earthquake and Tsunami Warning System (ETWS), the Equipment Identity Register (EIR) and the Policy Control and Charging Rules Function (PCRF).
LTE EPC

Below is a brief description of each of the components shown in the above architecture:

  • The Home Subscriber Server (HSS) component has been carried forward from UMTS and GSM and is a central database that contains information about all the network operator’s subscribers.
  • The Packet Data Network (PDN) Gateway (P-GW) communicates with the outside world, i.e. packet data networks (PDN), using the SGi interface. Each packet data network is identified by an access point name (APN). The PDN gateway has the same role as the gateway GPRS support node (GGSN) and the serving GPRS support node (SGSN) with UMTS and GSM.
  • The serving gateway (S-GW) acts as a router, and forwards data between the base station and the PDN gateway.
  • The mobility management entity (MME) controls the high-level operation of the mobile by means of signalling messages and Home Subscriber Server (HSS).
  • The Policy Control and Charging Rules Function (PCRF) is a component which is not shown in the above diagram but it is responsible for policy control decision-making, as well as for controlling the flow-based charging functionalities in the Policy Control Enforcement Function (PCEF), which resides in the P-GW.

The interface between the serving and PDN gateways is known as S5/S8. This has two slightly different implementations, namely S5 if the two devices are in the same network, and S8 if they are in different networks.

Functional split between the E-UTRAN and the EPC

The following diagram shows the functional split between the E-UTRAN and the EPC for an LTE network:

2G/3G Versus LTE

The following table compares various important Network Elements & Signaling protocols used in 2G/3G and LTE.

DiameterGTPc-v0 and v1 GTPc-v2


Cisco Sets Digital Network Architecture as its Platform of the Future

3 Mar

Cisco unveiled its Digital Network Architecture (DNA) for transforming business with the power of analytics driven by programmable networks, cloud applications, open APIs, and virtualization.  The Cisco DNA aims to extend the company’s data center-based, policy-driven Application Centric Infrastructure (ACI) technology throughout the entire network: from campus to branch, wired to wireless, core to edge.

Cisco DNA is built on five guiding principles:

  • Virtualize everything to give organizations freedom of choice to run any service anywhere, independent of the underlying platform – physical or virtual, on premise or in the cloud.
  • Designed for automation to make networks and services on those networks easy to deploy, manage and maintain – fundamentally changing the approach to network management.
  • Pervasive analytics to provide insights on the operation of the network, IT infrastructure and the business – information that only the network can provide.
  • Service management delivered from the cloud to unify policy and orchestration across the network – enabling the agility of cloud with the security and control of on premises solutions.
  • Open, extensible and programmable at every layer – Integrating Cisco and 3rd party technology, open APIs and a developer platform, to support a rich ecosystem of network-enabled applications.

“The digital network is the platform for digital business,” said Rob Soderbery, SVP for Enterprise Products and Solutions, Cisco.  “Cisco DNA brings together virtualization, automation, analytics, cloud and programmability to build that platform.  The acronym for the Digital Networking Architecture – DNA – isn’t an accident. We’re fundamentally changing the DNA of networking technology.”

The first deliverables of Cisco DNA include:

DNA Automation:  APIC-Enterprise Module (APIC EM) Platform

  • APIC-EM Platform:  A new version of Cisco’s enterprise controller has been released. Cisco claims 100+ customer deployments running up to 4000 devices from a single instance.  The company is adding automation software that removes the need for staging for pre-configuration or truck roll-outs to remote locations. The Plug and Play agent sits on Cisco routers and switches and talks directly to the network controller. A new EasyQoS service enables the network to dynamically update network wide QoS settings based on application policy.
  • Cisco Intelligent WAN Automation Services: This service automates IWAN deployment and management, providing greater WAN deployment flexibility and allowing IT to quickly configure and deploy a full-service branch office with just 10 clicks.  IWAN automation eliminates configuration tasks for advanced networking features, and automatically enables Cisco best practices, application prioritization, path selection and caching to improve the user experience.
  • DNA Virtualization:  Evolved IOS-XE is a network operating system optimized for programmability, controller-based automation, and serviceability. The new OS provides open model-driven APIs for third party application development, software-defined management, application hosting, edge computing and abstraction from the physical infrastructure to enable virtualization.   It supports the Cisco Catalyst 3850/3650, ASR 1000 and ISR 4000 today, and will continue to be expanded across the Enterprise Network portfolio.

    Evolved Cisco IOS XE includes Enterprise Network Function Virtualization (Enterprise NFV) that decouples hardware from software and gives enterprises the freedom of choice to run any feature anywhere. This solution includes the full software stack – virtualization infrastructure software; virtualized network functions (VNFs) like routing, firewall, WAN Optimization, and WLAN Controller; and orchestration services – to enable branch office service virtualization.

  • DNA Cloud Service Management:  CMX Cloud provides business insights and personalized engagement using location and presence information from Cisco wireless infrastructure.  With CMX Cloud enterprises can provide easy Wi-Fi onboarding, gain access to aggregate customer behavior data, and improve customer engagement.

Things that use Curve25519

14 Feb

Here’s a list of protocols and software that use or support the superfast, super secure Curve25519 ECDH function from Dan Bernstein. Note that Curve25519 ECDH should be referred to as X25519.

You may also be interested in this list of Ed25519 deployment.

This page is divided by Protocols, Networks, Operating Systems, Software, TLS Libraries, Libraries, Miscellaneous, Timeline notes, and Support coming soon.


Protocols

  • DNS
    • DNSCurve — encrypted DNS between a resolver and authoritative server
    • DNSCrypt — encrypted DNS between a client and a resolver
  • Transport
    • CurveCP — a secure transport protocol
    • QUIC — a secure transport protocol
    • ZeroMQ — a secure transport protocol
    • Nitro — a library for painlessly writing scalable, fast, and secure message-passing network applications
    • lodp — Lightweight Obfuscated Datagram Protocol
    • RAET — (Reliable Asynchronous Event Transport) Protocol
    • SSH, thanks to the non-standard key exchange from the libssh team, adopted by OpenSSH and tinyssh
  • TLS
    • Nettle is the crypto library underneath GnuTLS
    • BoringSSL from Google
    • Other libraries are coming!
  • IPsec
    • OpenIKED — IKEv2 daemon which supports non-standard Curve25519
  • ZRTP
  • Other
    • TextSecure — encrypted messaging protocol derivative of OTR Messaging
    • Pond — forward secure, asynchronous messaging for the discerning
    • ZeroTier — Create flat virtual Ethernet networks of almost unlimited size
    • telehash — encrypted mesh protocol
    • bubblestorm — P2P group organization protocol
    • Apple AirPlay — stream content to HDTV/speakers


Networks

  • Tor — The Onion Router anonymity network
  • GNUnet — a framework for secure peer-to-peer networking that does not use any centralized or otherwise trusted services
  • URC — an IRC style, private, security aware, open source project
  • Serval — Mesh telecommunications
  • cjdns — encrypted ipv6 mesh networking
    • Plus the Enigmabox — a Hardware cjdns router

Operating Systems

  • OpenBSD — used in OpenSSH, OpenIKED, and in CVS over SSH
  • Apple iOS — the operating system used in the iPhone, iPad, and iPod Touch
  • Android — ships with Chrome, which uses Curve25519 in QUIC
  • Cyanogenmod — version 11+ ships with TextSecure
  • All operating systems that ship with OpenSSH 6.5+ from the OpenBSD Project


Software

  • DNS
  • Web browsers
  • CurveCP related
    • CurveProtect — securing major protocols with CurveCP. Also supports DNSCurve.
    • qremote — an experimental drop-in replacement for qmail’s qmail-remote with CurveCP support
    • curvetun — a lightweight curve25519-based IP tunnel
    • spiral-swarm — easy local file transfer with curvecp [ author recommends another project ]
    • QuickTun — “probably the simplest VPN tunnel software ever”
    • jeremywohl-curvecp — “A Go CurveCP implementation I was sandboxing; non-functional.”
    • curvecp.go — Go implementation of the CurveCP protocol
    • curvecp — Automatically exported from
    • urcd — the most private, secure, open source, “Internet Relay Chat” style chat network
  • MinimaLT related (all Pre-Alpha, not production ready, please contribute!)
    • The MinimaLT authors will soon release beta code. But some people are so excited about the protocol that they’ve written approximations based on published descriptions of it. Since I’m excited about MinimaLT as well, and since it shows serious public interest, I’m listing the following here.
    • mltpipepy — spiped style tunnel for the MinimaLT protocol implemented in Python 3
    • nimbus-network-minimalt — C implementation of MinimaLT
    • MinimaLT-experimental — an approximation of the MinimaLT protocol, in javascript
    • safeweb — Proposition of a faster and more secure Web (MinimaLT + DNSNMC)
    • Github lists something called “minimalt-go” by nimbus-network. It’s not MinimaLT! At a glance it uses the NSA/NIST curve P-256, and AES. Not X25519 and Salsa20 like MinimaLT.
  • Tox Software
    • Tox — Free, secure, Skype alternative
    • toxcore — an easy to use, all-in-one communication platform
    • uTox — Lightweight Tox client
    • qTox — Powerful Tox client that follows the Tox design guidelines
    • Toxy — Metro-style tox client for Windows
    • CzeTox — School project: Tox client in Qt (alpha code)
    • OneTox — Tox client for the Universal Windows Platform
    • toxcore-vs — All necessary libs to build static toxcore using Visual Studio 2013
    • toxic — CLI Tox client
  • SSH Software
    • OpenSSH — Secure Shell from the OpenBSD project
    • TinySSH — a small SSH server with state-of-the-art cryptography
    • Win32-OpenSSH — Win32 port of OpenSSH
    • asyncssh — an asynchronous SSH2 client and server atop asyncio
    • pssht — SSH server written in PHP
    • SmartFTP — an FTP, SSH, SFTP client
    • Dropbear — an SSH server and client
    • Tera Term — SSH client for Windows
  • Other Software
    • Tor — The Onion Router
    • TextSecure — secure text messaging
    • OpenIKED — IKEv2 daemon for IPsec, from the OpenBSD project
    • WhatsApp — not all platforms implement X25519! To be safe, use TextSecure
    • Signal Desktop — Signal Private Messenger for the Desktop
    • Signal — Free, world-wide, private messaging and phone calls for iPhone
    • textsecure-go — TextSecure client package for Go
    • tweetnacl-tools — Tools for using TweetNaCl
    • haskell-tor — A Haskell implementation of the Tor protocol
    • Secrete — ECIES implementation with Curve25519
    • Tinfoil Chat NaCl — a high assurance encryption plugin for Pidgin IM
    • vcrypt — Toolkit for multi-factor, multi-role encryption
    • KinomaJS — A JavaScript runtime optimized for the applications that power IoT devices
    • srlog2 — Secure Remote Log Transmission System
    • encryptify — encryptify encrypts files
    • gobox — Trivial CLI wrapper around go.crypto/nacl/box
    • zkm — Zero Knowledge Messaging
    • qabel-core — Implementation of Qabel-Core in Java
    • Rubinius Language Platform — a modern language platform that supports a number of programming languages
    • servertail — quickly and easily see real time output of log files on your servers
    • cryptomirror — explores ways to make crypto user-friendly in non-crypto friendly environments
    • couch-box — Asymmetric encrypted CouchDB documents, powered by NaCl’s curve25519-xsalsa20-poly1305
    • saltcellar — libsodium based file encryption
    • SQRL — Secure Quick Reliable Login
    • curve-keygen — a utility to generate Curve25519 keypairs
    • confidential-publishing — Code for “A decentralized approach to publish confidential data”
    • cryptutils — Various crypto utilities based on a common NaCl/Ed25519 core
    • SMSSecure — fork of TextSecure which adds encrypted SMS support
    • gr-nacl — GNU Radio module for data encryption using NaCl library
    • up — sending a file from one computer to another using the nacl library
    • quicbench — HTTP/QUIC load test and benchmark tool
    • session25519 — Derive curve25519 key pair from email/password via scrypt
    • Bleep — Private instant messaging via secure, distributed technology
    • pcp — Pretty Curved Privacy
    • opake — Messaging with in-browser encryption using curve25519
    • CurvedSalsa — encrypt/decrypt files with Salsa20 & Curve25519
    • asignify — Yet another signify tool
    • nymphemeral — an ephemeral nymserver GUI client
    • hs-noise — encrypted networking in Haskell
    • CPGB — Curve Privacy Guard B, a secure replacement for GPG using ECC
    • SigmaVPN — simple, light-weight and modular VPN software for UNIX systems
    • fastd — Fast and Secure Tunneling Daemon
    • Simply Good Privacy — PGP-like system without web of trust
    • PoSH-Sodium — Powershell module to wrap libsodium-net methods
    • midgetpack — a multiplatform secure ELF packer
    • dhbitty — a small public key encryption program written in C
    • Threema — encrypted messaging app (closed source)
    • tappet — a tiny encrypted UDP tunnel using TweetNaCl
    • Osteria — secure point-to-point messenger
    • mcrypt — Message Crypto – Encrypt and sign individual messages
    • chdkripto — CHDK firmware – crypto modules (work in progress)
    • CurveLock — message and file encryption for Windows
    • Securecom Text — a messaging app for easy private communication with friends
    • srndv2 — some random news daemon (version 2)
    • GoVPN — simple high-performance secure VPN using DH-EKE
    • Core Secret — Secure secret sharing between Bluetooth Low Energy peers on iOS
    • AxolotlKit — a free implementation of the Axolotl protocol
    • pyaxo — A python implementation of the Axolotl ratchet protocol
    • reop — reasonable expectation of privacy
    • SUPERCOP — a cryptographic benchmarking suite

TLS Libraries

  • BoringSSL
  • Others coming soon, which is next?!



  • Dan Bernstein: “An attacker who spends a billion dollars on special-purpose chips to attack Curve25519, using the best attacks available today, has about 1 chance in 1000000000000000000000000000 of breaking Curve25519 after a year of computation.”
  • Dmitry Chestnykh: “You can write a program to generate Curve25519 private key faster than PGP generates its private key.”
  • Adam Langley: “Of the concrete implementations of Diffie-Hellman, curve25519 is the fastest, common one. There are some faster primitives in eBACS, but the ones that are significantly faster are also significantly weaker.”
  • Matthew Green: “Any potential ‘up my sleeve’ number should be looked at with derision and thoroughly examined (Schneier thinks that the suggested NIST ECC curves are probably compromised by NSA using ‘up my sleeve’ constants). This is why I think we all should embrace DJB’s curve25519.”
  • Frederic Jacobs: “It’s incredible to realize that the TextSecure protocol enabled the largest end-to-end encrypted messaging deployment in history.”
  • GnuPG: “For many people the NIST and also the Brainpool curves have a doubtful origin and thus the plan for GnuPG is to use Bernstein’s Curve 25519 as default. GnuPG 2.1.0 already comes with support for signing keys using the Ed25519 variant of this curve. This has not yet been standardized by the IETF (i.e. there is no RFC) but we won’t wait any longer and go ahead using the proposed format for this signing algorithm.”
  • Ian Grigg: “In the past, things like TLS, PGP, IPSec and others encouraged you to slice and dice the various algorithms as a sort of alphabet soup mix. Disaster. What we got for that favour was code bloat, insecurity at the edges, continual arguments as to what is good & bad, focus on numbers & acronyms, distraction from user security, entire projects that rate your skills in cryptoscrabble, committeeitus, upgrade nightmares, pontification … Cryptoplumbing shouldn’t be like eating spaghetti soup with a toothpick. There should be One Cipher Suite and that should do for everyone, everytime. There should be no way for users to stuff things up by tweaking a dial they read about in some slashdot tweakabit article while on the train to work… Picking curve25519xsalsa20poly1305 is good enough for that One True CipherSuite motive alone… It’s an innovation! Adopt it.”
  • wolfSSL: “Curve25519 so far is destroying the key agreement and generation benchmarks of previous curves, putting up numbers for both key agreement and generation that are on average 86 percent faster than those of NIST curves.”
  • Adam Langley: “Current ECDSA deployments involve an ECDSA key in an X.509 certificate and ephemeral, ECDHE keys being generated by the server as needed. These ephemeral keys are signed by the ECDSA key. A similar design would have an Ed25519 key in the X.509 certificate and curve25519 used for ECDHE. I don’t believe there’s anything needed to get that working save for switching out the algorithms.”

Timeline notes

X25519 support coming soon!

  • MinimaLT — A super fast, super secure transport protocol
  • TLS — Transport Layer Security
  • Ethos — An operating system to make it far easier to write applications that withstand attack
  • wolfSSL — for use in TLS
  • Microsoft TLS
  • dnsdist — a highly DNS-, DoS- and abuse-aware loadbalancer (adding DNSCrypt support)
  • curvecp-javascript — CurveCP protocol implementation in pure Javascript
  • php71_crypto — Pluggable Cryptography Interface for PHP 7.1
  • jc_curve25519 — Javacard implementation of Curve25519 (prototype, work-in-progress)
  • ConnectBot — the first SSH client for Android
  • sshlib — ConnectBot’s SSH library
  • Cyberduck — Libre FTP, SFTP, WebDAV, S3, Azure & OpenStack Swift browser for Mac and Windows
  • djbdnscurve6 — dnscache with DNSCurve & IPv6 support
  • JackPair — secure your voice phone calls against wiretapping
  • PuTTY — A Free Telnet/SSH Client
  • cjdrs — cjdns implementation in Rust
  • freepass — “TODO SQRL”
  • molch — An implementation of the axolotl ratchet based on libsodium
  • libsodium-laravel — Laravel integration for lib sodium
  • mute — secure messaging (currently in alpha release)
  • Tahoe-LAFS — Free and Open cloud storage system
  • Cloudflare — “once QUIC makes the move from experimental to beta we’ll be sure to make it available for our customers.”
  • gospdyquic — SPDY/QUIC support for Go
  • Tox.NET — WIP reimplementation of Tox in C#
  • opt-cryptobox — Optimized cryptobox self-contained library
  • goquic — QUIC support for Go
  • SC4 — Strong Crypto for Mere Mortals
  • End-To-End — a Chrome extension that helps you encrypt, decrypt, digital sign, and verify signed messages within the browser using OpenPGP
  • Yahoo End-To-End — Use OpenPGP encryption in Yahoo mail.
  • TextSecure-Browser — TextSecure as a Chrome Extension
  • curve_tun — TCP tunnels secured by Curve25519
  • Dust — A Blocking-Resistant Internet Transport Protocol
  • Twisted Python SSH — event-driven Python
  • pouch-box — Asymmetric encrypted PouchDB, powered by NaCl’s curve25519-xsalsa20-poly1305
  • Blight — a Tox client written in Racket that utilizes libtoxcore-racket
  • GnuPG — end-to-end encrypted email. Note: Alternatives like reop support Curve25519 now.
  • Noise — a secure transport protocol.
  • BitTorrent Live — uses crypto_box from NaCl
  • strongSwan — IPsec for Linux
  • TextSecureKit — a boilerplate for Mac & iOS apps
  • libopenssh — turn OpenSSH into a library


Software-Defined Storage: The 2016 Outlook

1 Feb

Interest in SDS is growing as companies look for alternatives to high-priced storage drives.

Software-defined networking is beginning to take off, but what’s happening with software-defined storage? We are well into the hype phase, with everything from backup managers to disk drives being described as “software-defined” and we are perhaps just beginning to see the first real SDS products emerge. That’s a long way from mainstream — or is it?

Despite all of the hype, startups have been developing new solutions and SDS may be closer to becoming a reality than you think. Let’s look at why that is. Mr. Gillette would recognize today’s storage business in an instant. Razors and razor-blades or appliances and drives — they’re essentially the same business model. The major vendors have built a business where commodity drives are marked up enormously, while ensuring that cheap drives can’t be used in their arrays by getting unique identifiers added to the drive firmware.

But the cloud and other trends are bursting the bubble and paving the way for software-defined storage. Cloud providers like Google don’t buy specialized drives; everything is COTS, with the result that the mega-CSPs enjoy $30 per terabyte hard drives while many businesses are locked into $300+ drives.

Looking at some numbers, we see a $190 list price 3 TB SAS drive marked up to $4,215 by EMC, $1,856 by NetApp and “only” $532 by Dell. But that’s only part of the story. Google uses many cheap SATA drives, with solid-state drives for fast work; a fast terabyte SSD/flash card likely costs Google around $500. List price for an 800 GB SAS SSD is $739. EMC sells that for $14,435 — a 20X markup!

So what does all of this have to do with software-defined storage? We now realize that there are cheaper alternatives that will allow cost containment of the expected explosion in capacity requirements. The problem has been getting to them. Hardware isn’t enough on its own; we need good software, and this is where SDS becomes important.

To get commodity prices on drives, the appliance has to be free of any proprietary lock-in. That precludes the traditional vendors and means that alternative sources for appliances are needed. These can be COTS units from the same companies that supply AWS, Google and Azure: the Chinese ODMs, such as Supermicro, Lenovo, and Quanta. Such units are high quality — the CSPs assure that by buying in millions of units — and very inexpensive compared with the traditional storage array or appliance.

The next, and maybe most important issue, is finding software to run the appliances. Some software vendors such as Caringo and DataCore sell software that runs on COTS servers. Even better, open-source efforts such as Ceph and OpenStack Swift and Cinder are creating viable strong solutions for point appliances.

These software tools make deployment of a low-cost, COTS-based storage farm feasible and attractive, but are they SDS? The concept behind SDS is deceptively simple: Take the complicated data services that sit on top of storage and move them from the appliances to virtual machines sitting in servers. This allows right-sizing of the storage services for workload variation and also, incidentally, makes services compete with each other for market share, bringing prices down.

That’s the theory. Ceph is on the edge of SDS-compatibility. It is Lego-like and could be reconstructed to allow service abstraction. This would benefit the object/file/block universal storage software tremendously since missing features such as encryption, compression and deduplication could be integrated into the dataflow. With rewrites planned for the OSD storage node software in Ceph, this would be a great time to consider its SDS credentials more closely.

DataCore and FalconStor have software products that meet the definition of SDS and provide an inexpensive way to feature up boxes. These still move data through the service instance, which is a weakness shared with the current Ceph approach. Primary Data’s DataSphere attempts code that is more like asynchronous pooling, where the producer of data talks to the service and organizes metadata and chunk addressing and then communicates directly with a set of storage devices to read or write data. In another development, Nutanix is considering selling its software as a subscription service without a hardware appliance, while partnering with Dell, Lenovo and SuperMicro to put that code on their platforms.

We can expect the major storage vendors to react to the threat of SDS by introducing their own software products. Whether these are really SDS and whether they free the buyer from vendor lock-in on drives remains to be seen.

SDS is still in its early stages, but the signs of aggressive growth seem evident. Interest is high and some estimate that more than 70% of companies will try the approach, if not deploy it, in 2016. With intense pressure on IT budgets and a need to grow capacity dramatically looming, SDS may be the answer.


Interference Management

11 Jan

A. Interference Management with Delayed and Distributed CSIT

Channel state information at the transmitter (CSIT) plays an important role in interference management in wireless systems. Interference networks with global and instantaneous CSIT provide a great improvement in performance. In practice, however, obtaining global and instantaneous CSIT for transmitter cooperation is especially challenging when the transmitters are distributed and the mobility of wireless nodes increases. In an extreme case where the channel coherence time is shorter than the CSI feedback delay, it is infeasible to acquire instantaneous CSIT in wireless systems. Obtaining global knowledge of CSIT is another obstacle to realizing transmitter cooperation when the backhaul or feedback link capacity is very limited for CSIT sharing between the distributed transmitters. Therefore, one of the fundamental questions is: is it still possible to obtain benefits in increasing the scaling law of the rate, i.e., the degrees of freedom (DoF), for interference networks under these two practical constraints?

Motivated by this question, I have proposed interference alignment algorithms exploiting local and moderately-delayed CSIT. The proposed method is a structured space-time repetition transmission technique that exploits both current and outdated CSIT jointly to align interference signals at unintended receivers in a distributed way. With this algorithm, they characterize trade-off regions between the sum of degrees of freedom (sum-DoF) and feedback delay in vector broadcast channels, the X channels, and a three-user interference channel to reveal how the CSI feedback delay affects the sum-DoF of the interference networks.

The key finding from this work is that distributed and moderately-delayed CSIT is useful for obtaining a strictly better sum-DoF than the case of no CSI at the transmitter in a certain class of interference networks. For some classes of vector broadcast channels and X channels, I have illustrated how to optimally use distributed and moderately-delayed CSIT to yield the same sum-DoF as instantaneous and global CSIT.

[Related Papers]
a. Namyoon Lee and Robert W. Heath Jr., “Space-Time Interference Alignment and Degrees of Freedom Regions for the MISO Broadcast Channel with Periodic CSI Feedback,” IEEE Transaction on Information Theory, vol. 60, no. 1, pp. 515-528, Jan. 2014.
b. Namyoon Lee, Ravi Tandon, and Robert W. Heath Jr., “Distributed Space-Time Interference Alignment,” Submitted to IEEE Transactions on Wireless Communications, April 2014.
c. Namyoon Lee and Robert W. Heath, “Not Too Delayed CSIT Achieves the Optimal Degrees of Freedom,” IEEE Allerton’12, Oct. 2012.
d. Namyoon Lee and Robert W. Heath, “CSI Feedback Delay and Degrees of Freedom Gain Trade-Off for the MISO Interference Channel,” IEEE Asilomar conference, Nov. 2012.

B. Interference Management for Multi-Way Communication Networks
   Due to the superposition and broadcast nature of the wireless medium, unmanaged interference results in diminishing data rates in wireless networks. With a recently developed network coding strategy, however, it was demonstrated that interference is no longer adverse in communication networks, provided that it can sagaciously be harnessed. This approach of exploiting interference has opened the possibility of better performance in the interference-limited communication regime than traditionally thought possible. For example, in wireless networks, the concept of physical layer (analog) network coding has shown that this strategy can attain higher rates over routing-based strategies under a certain network topology.
   To advance the idea of interference exploitation, I have proposed new physical-layer network coding strategies termed signal space alignment for network coding and space-time physical-layer network coding (ST-PNC) for general multi-way communication network topologies. With these strategies, I characterized the sum-DoF of general multi-way relay networks in terms of relevant system parameters, chiefly the number of users, the number of relays, and the number of antennas at relays. A major implication of the derived results is that efficiently harnessing both transmitted and overheard signals as side-information brings significant performance improvements to multi-way relay networks.
[Related Papers]
a. Namyoon Lee and Robert W. Heath Jr., “Space-Time Physical-Layer Network Coding,” Submitted to IEEE Journal of Selected Area on Communications, March 2014.
b. Namyoon Lee, Jong-Bu Lim, and Joohwan Chun, “Degrees of Freedom on the MIMO Y Channel : Signal Space Alignment for Network Coding,” IEEE Transaction on Information Theory, vol. 56, no. 7, pp. 3332-3342, July 2010.
c. Namyoon Lee and Joowhan Chun, “Degrees of Freedom for the MIMO Gaussian K-way Relay Channel: Successive Network Code Encoding and Decoding,” IEEE Transaction on Information Theory, vol. 60, no. 3, pp. 1814-1821, March 2014.
d. Kwang-Won Lee, Namyoon Lee, and Inkyu Lee, “Achievable Degrees of Freedom on MIMO Two-way Relay Interference Channels,” IEEE Transaction on Wireless Communications, vol. 12, no. 4, pp. 1472-1480, April 2013.
e. Kwang-Won Lee, Namyoon Lee, and Inkyu Lee, “Achievable Degrees of Freedom on K-user Y Channels,” IEEE Transaction on Wireless Communications, vol. 11, pp. 1210-1219, Mar. 2012.
f. Hyun-Jong Yang, Young-Chul Kim, Namyoon Lee, and Arogyaswami Paulraj, “Achievable Sum-Rate of the Multiuser MIMO Two-Way Relay Channel in Cellular Systems: Lattice Coding-Aided Linear Precoding,” IEEE Journal of Selected Area on Communications, vol. 30, no. 8, pp. 1304-1318, Sep. 2012.

C. Interference Management for Multi-Hop Networks

   Interference management is complicated in multi-hop networks because relay nodes between the source-destination pairs propagate the mixture of interference signals as well as desired signals on the network. This complicates the selection and design of relay strategies, as the extent to which a relay should forward, cancel, align, or otherwise manage interference is not clear. In this research direction, I have proposed interference-aware relay transmission techniques exploiting the concept of aligned interference neutralization for the multiple-input-multiple-output (MIMO) two-hop interference channels to characterize the scaling law of network sum-capacity.

[Related Papers]
a. Namyoon Lee and Chenwei Wang “Aligned Interference Neutralization and the Degrees of Freedom of the Two-User Wireless Networks with an Instantaneous Relay,” IEEE Transaction on Communications, vol. 61, no. 9, pp. 3611 – 3619, Sept. 2013.
b. Namyoon Lee and Robert W. Heath Jr., “Degrees of Freedom for the Two-Cell Two-Hop MIMO Interference Channel: Interference-Free Relay Transmission and Spectrally Efficient Relaying Protocol,” IEEE Transaction on Information Theory, vol. 59, no. 5 pp. 2882-2896, May 2013.

D. Interference Management with Limited Feedback
  Limited feedback is an essential technique for realizing advanced multi-antenna transmission techniques in multi-antenna wireless networks. With random vector quantization (RVQ) techniques, I have analyzed the impact of the limited channel state information feedback in various wireless networks.
[Related Papers]
a. Namyoon Lee and Wonjae Shin, “Adaptive Feedback Scheme on K-cell MISO Interfering Broadcast Channel with Limited Feedback,” IEEE Transaction on Wireless Communications, vol. 10, pp. 401-406, Feb. 2011.
b. Junil Choi, Bruno Clerckx, Namyoon Lee, and Gil Kim, “A New Design of Polar-Cap Differential Codebook for Temporally/Spatially Correlated MISO Channels,” IEEE Transaction on Wireless Communications, vol. 11, pp. 703-711, Feb. 2012.
c. Namyoon Lee, Wonjae Shin, Robert W. Heath and Bruno Clerckx, “Interference Alignment with Limited Feedback on Two-cell Interfering MIMO-MAC,” IEEE International Symposium on Wireless Communication Systems (ISWCS), Aug. 2012. (Invited)


Telecommunications: Insights for 2015

11 Nov

Throughout the past few years, we’ve personally witnessed significant changes in the global telecoms marketplace. According to several studies, mobile technology and smart devices are expected to continue leading the way for the telecoms industry well into 2015, especially considering the fact that the number of mobile subscribers is estimated to outnumber the global population. What else can we expect for the future of global business telecommunications?




#1 – Rise of the Cloud: Usage of offsite data storage continues to climb and more businesses will gain internal space by stowing their information in the cloud. This will also increase global connectivity, efficiency, reliability and speed.

#2 – Same Thing, Different Place: Mobile icons are just as recognizable as numbers and letters nowadays, but you will start to see them in different locations. Smartphone apps are appearing in cars and on new wearable devices making them more mobile than ever before.

#3 – More Connectivity: Aside from the 550,000 miles of undersea cabling that connects the internet globally, the 4G networks will continue to be embraced by even more overseas countries. This will increase the number of “hot-spots” all over the world.

#4 – Traffic Forecasts: With more wireless connectivity will come more online traffic. Luckily, Wi-Fi speed has increased keeping pace with the releases of new mobile devices.


#5 – Rise of the Machine to Machine (M2M): Along with our hand-held devices increasing their speed and connectivity, the machines are also keeping pace. Global M2M numbers in 2014 were estimated at 45 billion dollars and expected to reach almost 200 billion by 2020.

#6 – The Global Telecom Consumer in 2020: One example of the wireless, global customer in 2020, will be interaction with their “smart home” being more commonplace and connectable from almost anyplace on the planet. With the greater affordability of ICT (Information and Communications Technology) low-income families shouldn’t be left out in the cold.

#7 – The Exploding App Market: Another global communication technology set for record growth is the online App marketplace. The number of downloads in 2015 is expected to reach almost 180 million and continue to explode to over 260 million by 2017.

#8 – Communication Integration: Expect to see more integration with different forms of communication technologies such as VoIP and ISP. Much of this will be used to support the expanding BYOD (Bring Your Own Device) concept.

#9 – Big Data: This technological infrastructure is also set to expand exponentially in the next few years and have a positive impact on everything from cloud storage to the M2M market. For example, in 2013, executives in the US were most commonly using M2M to communicate more effectively with their customers.

#10 – Even Bigger Future Beyond 2015: While in 2013 there were 2.7 billion people using the internet, by 2020 that number is forecasted to reach 24 billion.

We never know what the future truly has in store for us, but one thing is for certain, there will be a greater global reach for businesses through this kind of technology.



PIM Requirements Must Increase to Support

26 Sep

Several years ago passive intermodulation (PIM) was a virtually unknown performance metric in distributed antenna systems (DAS). Today it is recognized as one of the most critical requirements for optimum system performance. Hypersensitive antennas and radios, multiple frequency overlays, and more components in the RF path create an environment in which the margin for error regarding PIM continues to shrink [1]. Given the high susceptibility of current DAS systems, even small levels of PIM distortion can significantly impact network performance, as measured by upload speed.

Outdoor macro sites were the first deployment scenarios where the PIM issues had to be tackled. High power levels from the base transceiver station (BTS) ports and a more complex RF path to the antennas—including jumpers, filters and tower mounted amplifiers (TMAs)—contribute to generating PIM that can be very detrimental to the quality of wireless service. Due to the limited uplink (UL) transmit power of mobile terminals, the uplink receive sensitivity is a critical parameter to optimize in outdoor scenarios to allow a balanced downlink/uplink maximum path-loss. Best practices for macro site deployments have been defined over the past few years.

High and reliable data throughput values are even more important in DAS environments, such as stadiums, where there are many components in the RF path that can contribute to PIM generation. The minimum PIM specification for each and every component is improving continually. PIM specifications for RF components (splitters, couplers, etc.) and antennas have transitioned from –140 dBc to –150 dBc and now are moving to –153 dBc and –160 dBc [1]. With the passive components—such as splitters, hybrid couplers, and directional couplers—being placed closer to the signal sources in these systems, it is critical that the PIM specification for these devices is at the highest levels.

It should be noted that, at the DAS point of interface (POI), the PIM requirements are actually less stringent than at DAS remote unit ports coupled to a passive network. This is because DAS POIs typically feature filters that limit the frequency range of the generated PIM products. Moreover, BTS output ports are typically band-specific, so multiband carriers cannot mix together and generate PIM products falling in multiple UL bands. In this case, a –153 dBc PIM specification for POIs is typically sufficient to handle the input signals from macro BTS ports.

On the other hand, passive components used in RF signal distribution networks have wideband frequency support. Therefore, multiband and multicarrier signals from DAS remote unit output ports can mix together at every passive stage and generate a large variety of detrimental PIM products falling in multiple uplink bands. As such, PIM requirements for these passive components must be more stringent.

CommScope has introduced –160 dBc (i.e., –117 dBm IM power) passive components in the product portfolio to provide a solution for demanding DAS applications where PIM performance is critical. The following CommScope passive device families are offered with a PIM specification of –160 dBc:

  • Power splitter
  • Hybrid coupler
  • Directional coupler


More detailed information – Source:
