NORTEL NETWORKS CONFIDENTIAL

IP Mobility“Always on, Everywhere”

Sprint Research Symposium

March 8-9, 2000

Emad Qaddoura, IPMobility Group

2

Wireless InternetNetwork Vision

Internet

Router

HubRtr

Device Independence:User Addressability

user@realm

Device Independence:RF access provided

by wireless NIC

Access Independence:2G, 3G, 802.11,xDSL, cable, ...

Network Independence:intranet, extranet,

mobile, SOHO

• Leveraging IP and the Internetto provide services acrossdevices, access technologiesand networks

3

A “Box” View

���

������������

���������������������������

�!��

"#$%&

"#$%�������'

�������������� ���� ���������������

Rtr

4

“Future” Mobile Terminals

• Commercially availableNOW

• 233MHz Pentium II MMXon your belt

• 1” screen = 17” monitor

5

Functional ArchitectureMobility Services Layer

PolicyMgmt

ServiceProvision

DirectoryServer

DHCP DNS

CertificateAuth

AAA Server

ServingMobilityManager

DHCP DNSAAA

Client

PolicyEnforce

AccessAccting

PayloadMediation

LocalServiceLayer

NetworkServiceLayer

Access Network Layer

Internetworking Layer

Firewall

SecureMsg

Gateway

Servers

MediaGateway

OA&M

VPNProxy /Firewall

Mo

bili

ty S

ervi

ces

Lay

er

ServiceBroker

SignallingGateway

MGCCall

Server

AccessMedia

Gateway

Internet PSTN

Router

Router

Vis

ited

Sys

tem

Ho

me

Sys

tem

HomeMobilityManager

AcctingServiceBureau

ServiceAgreement

Broker

UnifiedDirectory

SecureMsg

Gateway

Servers

MGC

Mobile Client

6

NSF

Functional ArchitectureAccess Independence

LSF

IPRAN

UMTS3GPP

NAC3GPP2

802.112G

RANWireline

LSFLSFLSFLSF

Acc

ess

Net

wo

rks

Co

reN

etw

ork

Ter

min

als

NSF

UMTSCore

Network

UMTSRAN

GGSN

SGSN

HLRVLR

MSC• The Core Network can support any accessnetwork capable of presenting an IP interface,either directly (e.g. 802.11) or via intermediatenetworks (e.g. GPRS)

• Access gateways can be used when theaccess network does not natively support IP

G/W G/W G/W G/W

7

IP MobilityDefinitions

• The Wireless Internet is an IP-centric, mobility-enablednetwork— IP addresses are used for all routing within the core network

— IP protocols and technologies are used in the control plane

— The network is functionally equivalent to a traditional cellular network(especially with respect to mobility and roaming)

• IP Mobility focuses on Layer 3 of the core network— Mobility functions are independent of the access technology (2G, 3G,

wireline, etc.) and the underlying network transport technology (ATM,Ethernet, etc.)

• The IP Mobility framework is a functional architecture— There are many alternative implementations

8

IP MobilityKey Principles

• Mobility is based on the user, not the terminal— Users will have a single subscription in a home network

• Security is essential within and between networks— Networks will employ a single network security framework

— Service Level Agreements (SLAs) must exist between all networksusers will roam in

• IP protocols will be used wherever practical— Terminals will support the IP stack (end-to-end packet data)

• The network architecture should be simple— The architecture will employ a single control plane protocol

— The architecture should avoid having anchor points

9

User / Mobile Node / Server Addressing

• Identity of all components based on the IETF NetworkAccess Identifier (NAI)— User, Mobile Node, Serving & Home Domains

— The NAI grammar based on IETF RFC 2486

— The general format is “user@realm” (rccoffin@nortelnetworks.com)

972 684 7737 rccoffin@nortelnetworks.com972 684 -> nortelnetworks.com

972 684 7737 -> rccoffin

NAI/E.164 Interworking

10

In the LSF:• The DHCP server is used to assign local

COAs to the terminals that access thenetwork

• The DNS server in the LSF is used by theterminal for address resolution functions

In the NSF:• The DHCP server is used to assign

temporary IP addresses to roaming mobilenodes that do not have configured(permanent) IP address

• The DNS server is updated with theterminal’s allocated IP address by the DHCPserver and with the terminal’s COA by theMobility Manager

• The Mobility Manager updates the locationof the terminal in the UDS

IP MobilityDNS, DHCP and UDS

Internet

DHCP

SMG

Router

MobilityManager

DNS

LSF NSF

DynamicDNS Update

AddressAllocation

DynamicDNS Update

DHCP

SMG

Router

MobilityManager

DNS

UDS

Location Update

11

IP MobilitySecurity Associations

SMG

AAA

Router

MobilityManager

LSF

NSF

Internet

AAA

SMG

Router

MobilityManager

SA 3

SA 2

SA 1

Visited Network

Home Network

User

CorrespondentNode

Private Network

SA 3SMG

Router

MobilityManager

SA 1

12

IP MobilitySingle SecureControl Channel

AAA

SMG

Router

SMM

AAA

SMG

Router

HMM

CorrespondentNode

Internet

AAA SMG

Router

Service Broker

xAN

• Single protocol for Mobility and AAA functions— AAA functions (Diameter based) are extended to include mobility functions

— NAI based routing relaxes the usage of IPv4 address space

• Single tunnel between LSF and NSF entities through SMG— Service providers maintain only one secure tunnel

— All entities (AAA, UDS, SMM, HMM etc.) can communicate securely

UDS

LSF NSF

13

IP MobilityAddress ManagementEvent Triggering

DHCP

SMG

Router

MobilityManager

DNS

LSFNSF

DynamicDNS Update

AddressAllocation

DynamicDNS Update

DHCP

SMG

Router

MobilityManager

DNS

UDS

Location Update

• User based mobility— Dynamic allocation of IP addresses using NAI— Integrated with DNS/DHCP— Terminal based mobility supported— Trigger for location based services

Internet

Servers

LocationEvent Triggers

14

LocationServers

IP MobilityMessage Flows - Initial Registration

SMG

MobilityManager

LSF

xAN2

xAN1

SMG

Router

MobilityManager

DNS

NSFInternet

Visited Network

Home NetworkRouter

Router

AuthServer

1

2

DHCP

2a

2b

3

3a

3b

4a

5

UDS

4b

4c

Router

15

NAS

PPP followed byCHAP/PAP

Registration with Other Access Networks

TCP/IP

PPP

Apps

IPM

MN Software

Drivers

AccessHMMHA

Home Network

CA

Router

IPM Registration[MIP orDiameter]

SMMFA

Visited Network

Router

MIP SMMFA

Visited Network

Router

Rout

er

PSTN

ISDN

GPRS

802.3

802.11

TCP/IP

PPP

Apps

IPM

MN Software

Drivers

Bluetooth, 802.3, 802.11

Bluetooth, 802.3, 802.11

16

GPRS (and others) Wireless LANInterworking

TCP/IP

PPP

Apps

IPM

MN Software

Drivers

Mobile Node Arbitrator• Transparency between driver and IP layer

• Tunneling and encapsulation

• IP Address manipulation

• Network point of attachment selection

• Network selection on

• Default

• Bandwidth

• Cost

• Signal Strength

• BER

• TOD

• …

GPRS

802.11

Bluetooth

802.3

802.11

17

IP MobilityMessage Flows - Handoff (Same COA)

SMG

Router

MobilityManager

LSF

xAN2

xAN1

SMG

Router

MobilityManager

DNS

NSF

Internet

Serving Network

Home Network

Router

Router

AuthServer

1

2

DHCP

CorrespondentNode

43

6 5

18

IP MobilityMessage Flows - Handoff (New COA)

SMG

MobilityManager

LSF

xAN2

xAN1

SMG

Router

MobilityManager

DNS

NSF

Internet

Serving Network

Home Network

Router

Router

AuthServer

1

2

DHCP

9a

9b

CorrespondentNode

43

5

6

789

10a

11

UDS

10b

Router

LocationServers 10c

19

IP MobilityMessage Flows - Handoff (Inter LSF)

SMG

MobilityManager

LSF

xAN4

xAN3

SMG

Router

MobilityManager

DNS

NSF

Serving Network

Home Network

Router

Router

AuthServer

1

DHCP

9b

CorrespondentNode

43

10aSMG

Router

MobilityManager

LSF

xAN2

xAN1

Visited Network

Router

Router7

2

9

2a

7a11

5

6

8

UDS

10b

Router

Internet

9a

LocationServers

10c

20

.

Subnet1 Subnet2

Home

IKE

KENA

• Fast security setup between two administrative domains— one step and one process vs. two steps and four messages

• Real time sensitive and proactive key distribution— Secure path is setup prior to need, I.e, during handoff

• Multitude of nodes in a sub-network share single security relationship— Distributed vs. point-to-point

• Security on per user (per communication channel) basis— Also supports per session basis

• Centralized key generation and distribution

• Complements IKE and ISAKMP

• Use IKE/ISAKMP for Primary [Home -Subnetwork] security

• Use KENA for Secondary [Sessionbased] security

IP MobilityKey Enabled Network Architecture (KENA)

21

.

Registration Request

• Home IP address is blank• HMM/HA’s IP address is in the clear• User NAI is encrypted• MN’s Layer 2 address is sent in the clear

We achieve PRIVACY and Authentication

Link not Secure Link Secure

Assumptions• Shared Secret or Asymmetric Keys between MN and Home• Secure path between the SMM/FA and Home

IP MobilityKENA over Mobile IP

MN SMM/FA HA

22

MNRegistration Reply

• User NAI is sent in the clear • MN’s IP address is sent in the clear• MN’s Layer 2 address is sent in the clear• K2 and K3 in the clear• K1 and K3 encrypted using Shared Secret

Link not Secure Link Secure

Registration Reply

• MN has K1 for MN-HA path• MN has K3 for MN-FA path

Link Secure K3 Link Secure K2

• SMM/FA now knows the MN’s identity• SMM/FA obtains the MN’s IP address• SMM/FA can map MN’IP address to MN’s

layer 2 address• SMM/FA has key K2 for FA-HA path• SMM/FA has key K3 for FA-MN path

Link Secure K1

IP MobilityKENA over Mobile IP Continued

SMM/FA HMM/HA

23

.• Mobile IP AAA Key Distribution Requirements

• MN and FA authentication

• Protection of user privacy until FA is authorized

• Distribution of keys per MN’s registration session

• Facilitation of Layer 3 encryption

• Central authority for key generation and distribution

• Enhances smooth handoff through proactive keygeneration and distribution

IP MobilityKENA Accomplishes

24

Unified Directory ServicesKey Architectural Principles• Carrier-focused, directory schema for profile

management (end-users and served networks)

• Virtual grouping/context management across all NEs

• Open and extensible directory schema enabling third-party integration

• Integration with leading customer care and billingsystems

• Support carrier-grade requirements for scaleability andavailability

• Allow functionality to be deployed as required bynetwork operator (modularity)

25

ServiceModules

ServiceCore

ServiceManagement

Unified Directory ServicesArchitecture Framework

NetworkElement

NetworkElement

NetworkElement

NetworkElement

NetworkElement

NetworkElement

RADIUS DNS DHCPVirtual

NetworkController

Class ofServiceManager

UnifiedMobilityManager

(HLR)

CertificateAuthority

Network NetworkElement

LDAP APIServerManager

Appl’nServer

ServiceActivation

ServiceAssurance &

CustomerCare

ServiceAccounting/

Billing

UnifiedDirectory

26

topThese auxiliary objectclasses may be

used to modify the “subscription”structural objectclass.

-ipmIpMobileNodeAddress : ipAddress-ipmIpmobileNodeAddressIsPermanent : boolean-ipmIpDhcpServerAddress : ipAddress-ipmMobileNodeIsRegistered : boolean-ipmIpCareOfAddr : ipAddress-ipmNaiLocalServingFunction : string

ipMobilityData

<< Auxiliary >>

* could the subscriptionID in the TBDsubscriptionentry be the NAI for the subscription?

If there are really multiple terminals under eachTBDsubscription, then it’s possible this andother auxiliary object classes must modify thestructural terminal entry as opposed to theTBDsubscription entry.

-is41HlrId : string (HLR serving the Mobile Node)-is41LocationAreaId : integer-is41MscId : string (MSC serving the Mobile Node)-is41Pcssn : string-is41QualInfoCode : integer-is41SysAccessType : integer-is41SysMyType : integer

is41InterworkingData

<< Auxiliary >>

-mapHlrNumber : string-mapMscNumber : string-mapVlrNumber :string

mapInterworkingData

<< Auxiliary >>

Common Schema/DIT Definition

27

Call and Session ManagementMessage Flows - Mobile Initiated Session

SMG

MobilityManager

LSF

xAN2

xAN1

SMG

Router

MobilityManager

DNS

NSF

Internet

Visited Network

Home Network

Router

Router

DHCP

CorrespondentNode

DNS

1

2

AuthServerUDS

Router

28

InternetRouter

Call and Session ManagementMessage Flows - Mobile Terminated Session

SMG

MobilityManager

LSF

xAN2

xAN1

SMG

MobilityManager

DNS

NSF

Visited Network

Home Network

Router

Router

DHCP

CorrespondentNode

1

24

4a

DNS

7

7a

6

AuthServerUDS

1.1

Router

35

3a

5a

29

Call and Session ManagementMessage Flows - Mobile Initiated Call

xAN2

xAN1

AAA+

SecurityGateway

Router

MobilityManager

DNS

NSF

Internet

Visited Network

Home Network

Router

Router

DHCP

AAA+

SecurityGateway

Router

MobilityManager

LSF

DNSCallServer

VoiceGateway

G/WController

PSTN

1 2

4

35 677a

88a8b

99a

9b

9c8c

AuthServerUDS

30

Call and Session ManagementMessage Flows - Mobile Terminated Call

AAA+

SecurityGateway

Router

MobilityManager

LSF

xAN2

xAN1

AAA+

SecurityGateway

Router

MobilityManager

DNS

NSF

Internet

Visited Network

Home Network

Router

Router

DHCP

DNSCallServer

PSTNVoice

Gateway

G/WController

1

23 8c

8a

99a

9b

9c8

4

56

6a

7 7a

8b

AuthServerUDS

31

Conclusions

• System approach makes the Internet fully mobile— Security, Trusted Relationships, Business Relationships

— Directories, Address Management, Address Resolution

— Heterogeneous Access, MAC layer independence

• New “Mobile Client” Paradigm— Not just a phone – rather an information appliance

— Small, Cheap, Very Powerful, …, Soon!

• Mobile Applications already exist— Heterogeneous Applications, TCP/IP layer independence

— Network Aware applications next step