Overlay and Tunneled Proxies
- Overlay and Tunneled Proxies are specialized intermediaries that manage protocol translation and secure data flows between resource-constrained IoT devices and robust, high-capacity networks.
- They integrate functionalities like stateless filtering, adaptive load balancing, and dynamic code offload to achieve optimal latency, throughput, and energy efficiency.
- Practical implementations leverage modular designs and virtualization to enforce security policies, reduce network overhead, and enhance service continuity across diverse IoT environments.
An IoT Edge Proxy is a protocol- and function-specific intermediary deployed at the boundary between resource-constrained IoT domains and higher-capacity networks, clouds, or service processing backends. Its principal roles are to mediate, process, filter, secure, and aggregate data and control plane flows at or near the network edge, acting as a locus for efficient, scalable, and adaptive orchestration of both communications and computations. Recent instantiations span from stateless caching proxies in constrained CoAP networks to security-anchored edge gateways for Wi-Fi IoT, edge-processing modules in LPWANs (e.g., LoRaWAN), Kubernetes-integrated load-balancers for service continua, and reconfigurable cryptographic agents for heterogeneous multi-radio environments. These systems optimize for varied metrics: latency, throughput, energy, bandwidth savings, security, privacy, compatibility, and seamless service continuity.
1. Architectural Principles and Taxonomy
IoT Edge Proxy architectures are highly heterogeneous, structurally adapted to underlying network and device constraints:
- Modular bridging architectures: As in Wi-Fi-enabled IoT, edge proxies operate as Ethernet bridges equipped with traffic monitors, L2/L3 policy enforcement engines, and isolation mechanisms. All wireless traffic is forced through the proxy using a dual-port bridge, with processing modules for capturing, monitoring, filtering, and quarantining packets or flows (Ganiuly et al., 15 Dec 2025).
- Protocol translation proxies: In CoAP domains, edge proxies mediate between 6LoWPAN+DTLS+UDP sensor subnets and HTTP/TLS+TCP upstreams. They transparently convert, cache, and schedule traffic, preserving RESTful semantics while optimizing energy and latency (Misic et al., 2018).
- Edge-enabled functional augmentation: Over LPWANs such as LoRaWAN, edge proxies at the gateway layer selectively aggregate, filter, and process IoT sensor streams before forwarding, using group key mechanisms for selective decryption and aggregation while maintaining strict confidentiality (Milani et al., 2024).
- Virtualization-based proxies: Proxy VMs, typically instantiated in edge cloudlets, act as per-user intermediaries for data ingestion, access control, semantic structuring, and federated query, supporting migration across cloudlets for both latency and energy optimization (Ansari et al., 2017).
- Service-focused proxies and security agents: In mobile and cross-standard environments, security agents act as "edge proxies," centralizing key management, authentication, and advanced cryptographic policy enforcement, enabling lightweight ("thin client") operation on IoT devices (Hsu et al., 2017).
- Adaptive process orchestrators: IoT edge proxies may further include DCE-capable hosts and resource-aware process migration (REM) schemes to dynamically split, offload, and execute computation across the cloud-fog-edge continuum (Chang et al., 2018).
- QoS-aware service routers: Load-balancing proxies embedded as DaemonSets within Kubernetes clusters enforce service-level objectives by dynamically routing requests based on observed and predicted QoS metrics (Čilić et al., 2024).
The following table summarizes characteristic architectures:
| Approach | Deployment Site | Core Functions / Modules |
|---|---|---|
| Transparent Wi-Fi Gateway | Inline (Bridge) | Traffic Monitor, Policy Enforcer, Isolation |
| CoAP–HTTP Proxy | Edge node/gateway | Cache, Protocol Conversion, Freshness Control |
| LPWAN Edge-Enabled GW | Gateway (LoRa/E2GW) | Aggregation, Filtering, Secure Key Handling |
| Proxy VM (Cloudlet) | Edge Cloudlet | Data Structuring, AC, Federation, Migration |
| Security Agent (ReSIoT) | Near-user (router) | KeyMgmt, Auth, Crypto Offload, Unified API |
| EPIoT Host (REM) | Edge device | DCE, Resource Monitor, Dynamic Partitioning |
| QEdgeProxy (K3s) | K8s Node | QoS-Pool, Adaptive Routing, Feedback Loop |
2. Data Plane Functions and Processing Models
Edge proxies optimize the data plane using stateless and constrained-state algorithms targeted to their deployment contexts:
- Stateless/Bounded-State Filtering: Wi-Fi edge proxies eschew DPI in favor of statistical or rule-based L2/L3 checks such as MAC-spoofing and deauth detection. Decisions derive from predicates over {MAC, channel, frame-type} tuples and moving window counters:
- Protocol Bridging and Resource Caching: CoAP proxies modularize protocol translation, maintain per-resource caches, and implement workload-responsive proactive or reactive fetching (MGET, Observe). Data freshness is managed by autonomously selecting per-resource refresh thresholds , balancing cache hit probability with network cost (Misic et al., 2018).
- Stream Aggregation and Operator Graphs: Edge2LoRa proxies apply programmable operator graphs where vertices are window, map, or aggregation primitives executed on encrypted data streams, filtering or aggregating into a reduced, privacy-respecting uplink (Milani et al., 2024).
- Dynamic Code Offload and Scheduling: Using the REM scheme, proxies at the edge measure local/peer resource state and network latency, partition incoming processable workloads ( objects) across cloud/fog/edge nodes to minimize makespan:
with estimated using explicit models of per-chunk packing, transfer, unpack, compute, and return costs (Chang et al., 2018).
- QoS-Pool and Adaptive Load-Balancing: QEdgeProxy proxies estimate per-service instance response latencies via exponential moving average, maintain "QoS pools" with instances satisfying SLO , and apply feedback-driven routing:
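The QoS-pool routing just described, as an added illustration rather than QEdgeProxy's own code: each instance's response latency is tracked with an exponential moving average, the pool holds the instances whose EMA currently meets the SLO, and every routed request feeds its observed latency back in. The smoothing factor, the probing of unsampled instances and the degraded-mode fallback are assumptions of this example.

```python
import random


class QoSPoolRouter:
    """Feedback-driven router: EMA latency per instance, QoS pool = instances within SLO."""

    def __init__(self, instances, slo_ms, alpha=0.2, seed=0):
        self.slo_ms = slo_ms                      # service-level objective on response latency
        self.alpha = alpha                        # EMA smoothing factor (assumed value)
        self.ema = {i: None for i in instances}   # None = no latency sample yet
        self._rng = random.Random(seed)

    def observe(self, instance, latency_ms):
        """Feedback step: fold one observed latency into the instance's EMA."""
        prev = self.ema[instance]
        self.ema[instance] = latency_ms if prev is None else (
            self.alpha * latency_ms + (1 - self.alpha) * prev)

    def qos_pool(self):
        """Instances currently meeting the SLO; unsampled ones are admitted so they get probed."""
        return [i for i, e in self.ema.items() if e is None or e <= self.slo_ms]

    def pick(self):
        """Random member of the QoS pool; if the pool is empty, fall back to the lowest EMA."""
        pool = self.qos_pool()
        if pool:
            return self._rng.choice(pool)
        # Degraded mode: every instance is known and over the SLO, so pick the least bad one.
        return min(self.ema, key=lambda i: self.ema[i])

    def route(self, serve):
        """Forward one request via serve(instance) -> latency_ms and close the feedback loop."""
        target = self.pick()
        latency = serve(target)
        self.observe(target, latency)
        return target, latency


def simulate(router, serve, n):
    """Route n requests through the router; return the fraction that met the SLO."""
    met = sum(1 for _ in range(n) if router.route(serve)[1] <= router.slo_ms)
    return met / n
```

With a constructed backend where one instance is persistently slow, the router probes it once and then keeps it out of the pool until its EMA recovers, which is why SLO adherence stays near 100% after the first sample.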
3. Security, Privacy, and Access Control
Edge proxies frequently serve as trust anchors and security brokers:
- L2/L3 Policy Enforcement and Quarantine: Wi-Fi proxies enforce real-time quarantine by modifying network policies (iptables drop, VLAN reassign) and initiating tunnel-based isolation or deeper analysis for anomalous devices (Ganiuly et al., 15 Dec 2025).
- End-to-End and Group Key Management: In Edge2LoRa, proxies deploy ECDH-based group key agreement to access payloads while maintaining end-to-end security semantics; keys E2E-EncKey and E2E-IntKey are derived from ECDH secrets (Milani et al., 2024).
- Reconfigurable Security Function (RSF): As in ReSIoT, edge Security Agents execute group signatures (BBS) for anonymous authentication and attribute-based encryption (ABE) for secure access control, shifting heavy crypto from constrained endpoints to the proxy, thereby reducing energy and time by ≈80% in witness benchmarks (Hsu et al., 2017).
- Semantic and Social-Based Access Control: Proxy VMs leverage RDF ontologies for federated access control policies (social, co-location, ownership relationships), implementing token-based AC with social context queries (Ansari et al., 2017).
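The bounded-state L2 checks of section 2 and the quarantine decisions of this section, as an added example that is not the Ganiuly et al. prototype's code: frames are reduced to (MAC, channel, frame-type) tuples, a moving-window counter per (MAC, channel) flags deauth floods, and a second window-based predicate flags a MAC seen on several channels at once as a spoofing suspect. The thresholds, the spoofing heuristic and the sample frame stream are assumptions; the returned decision record is what a policy enforcer would translate into an iptables drop or VLAN reassignment.

```python
from collections import deque, defaultdict

# Illustrative thresholds (assumed); the page stresses that these are best tuned in-situ.
DEAUTH_THRESHOLD = 10   # deauth frames from one (mac, channel) within the window
WINDOW_SECONDS = 5.0    # moving-window length in seconds


class EdgeL2Monitor:
    """Bounded-state checks over (mac, channel, frame_type) tuples with moving-window counters."""

    def __init__(self, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.deauth = defaultdict(deque)   # (mac, channel) -> (ts, channel) of deauths in window
        self.seen = defaultdict(deque)     # mac -> (ts, channel) of any frame in window
        self.quarantined = {}              # mac -> reason

    def _trim(self, q, now):
        """Drop samples older than the window so state stays bounded."""
        while q and now - q[0][0] > self.window:
            q.popleft()

    def observe(self, frame):
        """Return (action, mac, reason) for a flagged frame, or None for a benign one."""
        now, mac, ch, ft = frame["ts"], frame["mac"], frame["channel"], frame["frame_type"]
        if mac in self.quarantined:
            return ("drop", mac, self.quarantined[mac])
        # Predicate 1: deauth flood, counted per (mac, channel) over the moving window
        if ft == "deauth":
            q = self.deauth[(mac, ch)]
            q.append((now, ch))
            self._trim(q, now)
            if len(q) >= self.threshold:
                self.quarantined[mac] = "deauth-flood"
                return ("quarantine", mac, "deauth-flood")
        # Predicate 2 (heuristic): the same MAC active on more than one channel within a window
        q = self.seen[mac]
        q.append((now, ch))
        self._trim(q, now)
        if len({c for _, c in q}) > 1:
            self.quarantined[mac] = "mac-spoof"
            return ("quarantine", mac, "mac-spoof")
        return None


def run(monitor, frames):
    """Feed a frame stream through the monitor and collect the non-None decisions."""
    return [d for d in (monitor.observe(f) for f in frames) if d]


# Constructed sample stream: 12 deauths from one MAC within 3 s, then a MAC seen on two channels.
SAMPLE_FRAMES = (
    [{"ts": 0.25 * i, "mac": "aa:aa:aa:aa:aa:01", "channel": 6, "frame_type": "deauth"} for i in range(12)]
    + [{"ts": 10.0, "mac": "bb:bb:bb:bb:bb:02", "channel": 1, "frame_type": "data"},
       {"ts": 11.0, "mac": "bb:bb:bb:bb:bb:02", "channel": 11, "frame_type": "data"},
       {"ts": 12.0, "mac": "cc:cc:cc:cc:cc:03", "channel": 1, "frame_type": "data"}])
```

Because only timestamps inside the window are retained, a slow trickle of deauth frames never reaches the threshold, which keeps the false-positive rate of the counter down at the cost of missing very low-rate floods.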
4. Performance, Scalability, and Overhead Analysis
IoT edge proxies are assessed on several axes:
- Latency and Throughput Overhead: Wi-Fi edge gateway prototypes introduce ≈3.1% additional network latency and <4% reduction in throughput at 70-node scale, while delivering an 87% reduction in successful spoofing incidents and a 42% acceleration in recovery from deauth attacks (Ganiuly et al., 15 Dec 2025).
- Bandwidth and Latency Savings: Edge aggregation in Edge2LoRa gives ≈80% reduction in traffic and ≈22% reduction in end-to-end latency, with near-linear scaling for increasing device density (Milani et al., 2024).
- Resource-Aware Migration Gains: REM-enabled proxies reduce job makespan by 30–50% over naïve/equal-split migration, adaptively excluding cloud when latency increases, and balancing resource utilization to avoid hotspots (Chang et al., 2018).
- Cloudlet Proxy VM Migration: LAM and EAM migration strategies in MEIoT offer tradeoffs: LAM achieves minimum average delay (~17 ms), while EAM reduces on-grid energy by ≈39% with 0% SLA violation (at modest cost in latency) (Ansari et al., 2017).
- Cache, RTT, and Energy Metrics: CoAP proxies in MGET/Observe mode retain transmission success and maintain lower per-node energy burden compared to POST/GET, with sublinear growth in RTT even at (Misic et al., 2018).
- QoS Adherence Under Dynamics: QEdgeProxy maintains ≥98% SLO-adherent routing under both static and eventful (adds, failures, network impairment) workloads, with under 15 MB/node memory and <5% CPU at 1 000 req/s (Čilić et al., 2024).
5. Deployment, Compatibility, and Design Best Practices
Practical deployment of IoT edge proxies incorporates multiple guidelines:
- Incremental Deployment and Backward Compatibility: Edge2LoRa (LPWAN) and Wi-Fi proxy designs support coexistence with legacy devices and gateways, requiring no modification to underlying PHY/MAC or activation flows, and allowing fall-back to non-edge paths as needed (Milani et al., 2024, Ganiuly et al., 15 Dec 2025).
- Hardware and Resource Considerations: Prototypical deployments have used commodity hardware (e.g., Raspberry Pi 5 for Wi-Fi proxies) or commodity VMs/cloudlets for virtualization, with resource monitoring for scalability triggers (e.g., DPDK offload, smart NICs for >60 clients) (Ganiuly et al., 15 Dec 2025).
- Policy Simplicity and Field Tuning: Simpler deterministic rule sets at the edge result in lower latency, higher reliability, and reduced false positives (<3%). Thresholds for deauth, spoofing, and aggregation are best tuned in-situ (Ganiuly et al., 15 Dec 2025).
- Autonomous Resource Management: REM-based proxies and Kubernetes-centric QEdgeProxy rely on continuous profiling, dynamic feedback, and automated adaptation to workload and network/environmental shifts (Chang et al., 2018, Čilić et al., 2024).
- Control and Security Domains: Security agents should rely on authenticated, privileged credential storage (e.g., HSM or remote enclave), and reserve resource quotas per inflow to ensure >90% RSF success under peak load (Hsu et al., 2017).
- Semantic and Access Token Layering: Edge proxy VMs should cache common ontologies locally, employ RDF-based AC engines, and periodically reassess user-device mappings and access policies to maintain interoperability and minimize traffic overhead (Ansari et al., 2017).
6. Impact, Lessons Learned, and Technical Directions
Research has demonstrated that IoT edge proxies are key enablers for:
- Security and Resilience: Edge enforcement blocks wireless attacks before core infiltration, improving IoT network resilience without specialized endpoints or infrastructural modifications (Ganiuly et al., 15 Dec 2025).
- Latency, Bandwidth, and Energy Efficiency: Edge aggregation and adaptive process offloading minimize both backbone bandwidth and end-to-end latency, while dynamically tuning compute placements for both latency and green energy constraints (Milani et al., 2024, Ansari et al., 2017, Chang et al., 2018).
- Heterogeneity Bridging and Interoperability: Unified API and protocol bridges support diverse stack integration with minimal per-stack overhead, e.g., ReSIoT's group signature/ABE layering across ZigBee, BLE, Wi-Fi, LTE D2D (Hsu et al., 2017).
- Seamless Service Continuity and SLO Enforcement: Fast feedback loops for QoS and instance pool management, exemplified in QEdgeProxy, allow robust service under network dynamics and instance churn (Čilić et al., 2024).
- Cognitive and Social Context Integration: Edge-resident semantic and SIoT access control bootstraps interoperability and supports private/resource-constrained IoT deployments, with AC enforced at the edge preserving core network scalability (Ansari et al., 2017).
- Scalable, Resource-Balanced IoT Domains: Proper design choices (multicast, layered event-driven handling, autonomous cache updates) result in improved scaling, energy utilization, and data reliability for large peer clusters (Misic et al., 2018).
Empirically, research converges on the criticality of architectural modularity, on-device lightweight mechanisms, robust deployment configurability, and tight feedback-driven metrics in sustaining secure, performant, and scalable IoT infrastructures at the edge.