Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-00.txt) Ashutosh Dutta,...
-
Upload
eileen-lewis -
Category
Documents
-
view
215 -
download
0
Transcript of Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-00.txt) Ashutosh Dutta,...
Media-Independent Pre-Authentication(draft-ohba-mobopts-mpa-framework-00.txt)
Ashutosh Dutta, Telcordia Technologies
Yoshihiro Ohba (Ed.), Kenichi Taniuchi
Toshiba America Research Inc.
Henning Schulzrinne, Columbia University
Prepared for IRTF MOBOPTS WGMarch 8th, 62nd IETF, Minneapolis
IRTF – 2
Outline
Motivation Handoff Delay during Wireless Internet Roaming Fast Handoff Related Work Proposed Method: Media-independent Pre-Authentication Demonstration and Results Conclusions/Future Work
IRTF – 3
Motivation
It is desirable to limit the jitter, delay and packet loss for real-time and non-real-time traffic– e.g.,150 ms end-to-end delay for interactive traffic such as VoIP, 2%
packet loss is allowed Delay due to handoff takes place at several layers
– Layer 2 (handoff between AP) – Layer 3 (IP address acquisition, Configuration, Authentication, Authorization)
– Binding Update, Media Redirection Rapid handoff will contribute to overall delay and packet loss Thus it is essential to reduce the handoff delay introduced at
different layers We propose a fast-handoff mechanism to reduce the handoff-
delay and packet loss
IRTF – 4
1- L2 Hand-over Latency Delay
2 – Delay due toIP Address Acquisition and Configuration, authentication, authorization
3 – Binding update and Media Redirection delay
Handoff Latency
AP1 AP2NextAccessRouter
ICMP Router Discovery/Router Advertisement
DHCP server/PPP/FA
DHCP/ MIP CoA/PPP
HA/SIP Server
MIP BU/SIP Re-Invite
CN
Media
New Media
Binds to AP1
Binds to AP2
MN
1
2
3
Stateless Auto-configuration
AAA
IGMP
DAD/ARP
1
2
3AAServer
802.11i
IRTF – 5
Problem in Mobility Management Protocols
Problem 1 (performance): Operations for updating higher-layer context (i.e., IP address acquisition, mobility binding update, authentication etc.) occur after link-layer handover
– Processing and/or signaling delay for each operation accumulates– Longer packet loss period due to handoff delay– No solutions exist for single-interface host
Problem 2 (security): Existing mobility optimization mechanisms do not provide secure handover signaling especially for roaming cases
– A secure mobility optimization mechanism that is tied with AAA (Authentication, Authorization and Accounting) and can deal with inter-subnet and inter-domain handover is needed
Problem 3 (applicability): Existing mobility optimization mechanisms are tightly coupled with particular mobility management protocols
– FMIPv6 and HMIP are defined for Mobile IPv6 only– A mobility optimization mechanism that is applicable to any mobility
management protocol is needed
IRTF – 6
Mobility Optimization - Related Work Cellular IP, HAWAII - Micro Mobility
MIP-Regional Registration, Mobile-IP low latency, IDMP
HMIPv6, FMIPv6 (IPv6)
Yokota et al - Link Layer Assisted handoff
Shin et al, Velayos et al - Layer 2 delay reduction
Gwon et al, - Tunneling between FAs, Enhanced Forwarding PAR
SIP-Fast Handoff - Application layer mobility optimization
DHCP Rapid-Commit, Optimized DAD - Faster IP address acquisition
IRTF – 7
Media-independent Pre-Authentication (MPA)
MPA is:– a mobile-assisted higher-layer authentication, authorization and
handover scheme that is performed prior to establishing L2 connectivity to a network where mobile may move in near future
MPA provides a secure and seamless mobility optimization that works for – Inter-subnet handoff
– Inter-domain handoff
– Inter-technology handoff Use of multiple interfaces
MPA works with any mobility management protocol– MIP(v4,v6), SIPMM etc.
IRTF – 8
Functional Components of MPA
1) Pre-authentication/authorization– Used for establishing a security association (SA) between the
mobile and a network to which the mobile may move– L2 pre-authentication can also be enabled based on the
established SA
2) Pre-configuration– Used for establishing contexts specific to the network to which the
mobile may move (e.g., nCoA)– The SA created in (1) are used to perform secured configuration
procedure
3) Secured Proactive Handover – Used for sending/receiving IP packets based on the pre-authorized
contexts by using the contexts of the current network
IRTF – 9
Expected Result during handoff
TimeConventionalMethod
Discovernew AP in the neighboringsubnet L2 handoff
starts
L3 handoffstarts
MPA
DiscoverNew APIn the neighboring subnet
Pre-auth/Pre-configCompletes(L2 SAs can be ,completed here.)
L2 handoffstarts
L3 handoffcompletes
L2 handoffcompletes
L3 handoffstarts
L2 handoffcompletes
Critical period (communication interruption can occur)
L3auth/configstarts
L3 auth/authzcompletes
Time
Pre-auth/Pre-configstarts
L2 auth/authz,starts
L3 handoffcompletes
IRTF – 10
Pre-Authentication
Subnet X Subnet Y
CN: Correspondent NodeMN: Mobile NodeAA: Authentication AgentCA: Configuration AgentAR: Access Router
AA CA AR
MN
pre-authentication
CNDATA[CN<->A(X)]
SIP mobility is just an example mobility protocol. MPA works for any mobility management protocol
IRTF – 11
Pre-configuration
CN
AA CA AR
MN
IP address: A(X)Current subnet: XStatus: Pre-authentication doneAction: pre-configuration
DATA[CN<->A(X)]
MN-CA key
pre-configuration
Subnet X Subnet Y
CN: Correspondent NodeMN: Mobile NodeAA: Authentication AgentCA: Configuration AgentAR: Access Router
IRTF – 12
Pre-Configuration (Cont.)
CN: Correspondent NodeMN: Mobile NodeAA: Authentication AgentCA: Configuration AgentAR: Access Router
AA CA AR
MN
IP address: A(X), A(Y)Current subnet: XStatus: Pre-configuration doneAction: SPH Initiation
MN-AR key
Secure Proactive Handover tunnel
establishmentprocedure
CNDATA[CN<->A(X)]
Subnet X Subnet Y
IRTF – 13
Secured Proactive Handover: Main Phase
CN: Correspondent NodeMN: Mobile NodeAA: Authentication AgentCA: Configuration AgentAR: Access Router
AA CA
MN
IP address: A(X), A(Y)Current subnet: XStatus: PH tunnel establishedAction: SIP Re-Invite
MN-AR key
SIP Re-Invite over proactive hanodvertunnel [AR<->A(X)]
CNDATA[CN<->A(X)]
AR
Subnet X Subnet Y
Re-Invite[CN<->A(Y)]
IRTF – 14
Secured Proactive Handover: Completion
CN: Correspondent NodeMN: Mobile NodeAA: Authentication AgentCA: Configuration AgentAR: Access Router
AA CA
IP address: A(X), A(Y)Current subnet: XStatus: SIP Re-Invite doneAction: PH Completion
DATA [CN<->A(Y)] over proactive hanovertunnel [AR<->A(X)]
AR
Proactive handoverstop procedure
MN
L2 handoff procedure
Subnet X Subnet Y
CN
Data in new domain
IRTF – 15
Mobile-assisted Seamless Handoff (a scenario)
AR
AP1
Mobile
AP2
AP3
AP0
AA CA
MN-CA keyAA CA
MN-CA key
AA CA
MN-CA key
CN
AR
AR
Network 1
Network 2
Network 3
CurrentNetwork TN
Information Service (e.g.,802.21) mechanism can help locate the neighboring network elements in the candidate target networks (CTN)
CTNCTN
CTN – Candidate Target NetworksTN – Target Network
IRTF – 16
MPA Communication Flow
MN oPoA nPoA AA CA AR
1. Found CTN
Candidate Target Network
Pre-authentication[Authentication Protocol]
MN-CA Key
MN-AR Key2. High probability to switch to the CTN
Pre-configuration [Configuration Protocol to get nCoA]
Pre-configuration [tunnel management protocol to establish PHT
3. Determined to switch toThe CTN Secure Proactive Update Phase
Binding Update + data Transmission over PHT using nCoA
4. BU completion andReady to switch
Secure proactive handover pre-switching phase [tunnel management protocol to delete PHT]
CN
5. Switching Post Switching Phase: Reassignment of nCoA to its physical Interface
Existing session using oCoA
New Data using nCoA
IRTF – 17
MPA Optimization Issues Network Discovery
– Discover the neighboring network elements (e.g., Routers, APs, Authentication Agents)
– 802.21 (Information Service), 802.11u, WIEN SG, CARD, DNS/SLP
Proactive IP Address Acquisition
Proactive Duplicate IP address Detection
Proactive Address Resolution
Proactive Tunnel Management
Proactive Mobility Binding Update
Bootstrap Link-layer Security in CTN using L3 Pre-authentication
IRTF – 18
Protocol Set for the MPA demonstration
Pre-authentication protocol PANA
Pre-configuration protocol PANA, DHCP Relay
Proactive handover tunneling protocol IP-in-IP
Proactive handover tunnel management protocol PANA
Mobility management protocol SIP Mobility
Link-layer security None
IRTF – 19
Experimental Network in the Lab.
IP0: 10.10.40.20 IP1: 10.10.10.223
AP1, AP2: Access PointR1, R2: Access RouterMN: Mobile NodeCN: Correspondent NodeIP0, IP1: IP address of MN
R2R1
10.10.20.52/2410.10.20.52/24
10.10.40.52/24
10.10.10/24
10.10.10.51
eth0
eth0
eth2
SIP with VIC/RATApplication
DHCPServer
Relay/Client Proxy
PANAAgent
10.10.30.25
Network 1 Network 2
IP2
AP1(Channel 6)
AP2(Channel 9)ITSUMO network
DHCPServer
Move
AA
CA
AR
CNMN MN
10.10.30/24
Network 3
AR
IRTF – 20
Protocol flow for MPA
MN AP1 AP2 R2 DHCP
MN
Network 1 (802.11) Network 2 (802.11)
Assign IP0 to PhysicalI/F
PANA (Pre-Authentication and pre-configuration to obtain IP1)
CN
Data
Data
Tunnel (IP0-IP1) -
-SIP Re-invite with IP1
Data
AddressacquisitionUsing DHCPrelay
R1
Network 3
-
-
Deletes Tunnel with PANA Update
Assign IP1 to PhysicalI/F
Assign IP1 to TunnelI/F
L2 handover
Packet loss period
DHCP
IRTF – 21
Protocol Flow for Non-MPA
MN AP1 AP2 R2 DHCP
Network 1 (802.11) Network 2 (802.11)
Assign IP0 to PhysicalI/F
CN
Data
-
SIP Re-invite with IP1
Data
R1
Network 3
-
PANAAssign IP1 to PhysicalI/F
DHCP
MNL2 handover
Packet loss period
IRTF – 22
Performance (MPA-Non-MPA)
MPA – No packet loss during pre-authentication,
pre-configuration and pro-active handoff before L2 handoff
– Only 1 packet loss, 14 ms delay during handoff mostly transient data
Includes delay due to layer 2, update to delete the tunnel on the router
We also reduced the layer 2 delay in hostapDriver L2 delay depends upon driver and chipset
non-MPA – About 200 packets loss, ~ 4 s during
handover Includes standard delay due to layer 2, IP
address acquisition, Re-Invite, Authentication/Authorization
– Could be more if we have firewalls also set up
MPA Approach
Non-MPA Approach
handoff
802.11 802.114 s
IRTF – 23
Conclusions/Future Work
MPA framework provides an optimized mobility management solution independent of mobility protocol used
We demonstrated an initial prototype implementation and results
MPA works over single interface and multiple interfaces (e.g., 802.11, CDMA)
Define a more integrated architecture that works in conjunction information discovery scheme (e.g.,802.21, 802.11u)
Comments/Suggestions/Questions
Next steps?
IRTF – 25
Comments from the group This framework is dependent upon a good network discovery scheme
– We may need to set up temporary tunnels with more than one network temporarily
– Need a smarter algorithm to decide the exact network the mobile may move Binding Update ( Is it necessary to do it beforehand)
– In MIPv6 we may need to do next-hop care of address check– What do we gain by doing binding update ahead of time
Need for pre-configuration ? How much time it takes to do the pre-configuration Pre-configuration usually does not affect the handoff delay or packet
loss Layer 2 delay reduction How can it work with other mobility management techniques (e.g..
MIPv6)
IRTF – 27
MPA Experimental Flow (proactive handoff) (possible backup)
R2MNCNDHCP
RTP
PANA DHCP
PANA (BIND)
SIP Re_INVITE (IP1)8.913
9.030
9.136
RTP (39835)
OK
ACK
9.267
19.283
19.285
19.291
HandoffDecision
PANA Trigger to delete tunnel
RTP (40335)
RTP (40336)19.29819.31519.379
RTP (40340)
IWCONFIG (IOCTL) RTP (40341)19.39319.394 JOIN19.408 JOIN (ACK)
(Auth/Assoc, ifconfig, route,)
L2 handoff+ local L3Configuration
PANA Response
RTP (40342)
BU
19.411
MNNetwork 1
Network 2 Network 3
First packet in new network (non-tunneled)
19.395 Lost packet (non-tunnel)
DHCP(IP1)
RTP
RTP
Tunnel deleted
RTP
X
Tunneled Data
NoPackets lostDuring BU
Tunnel Setup
Signal
RTP Data
Lost RTP Data
Tunneled packet
RTP (40337)
OK (tunneled)
RTP packetsSpaced ~16 ms
IP0
IP1
IRTF – 28
Bootstrapping Link-layer security using L3-Preauth
Current Network
CTN
MN
AP2 AP3
AA
AP1
MN MN
1. Pre-authentication
2 . Keys (TSK)
3. Secure Association
4. Secure Association
IRTF – 29
Mobile Wireless Internet: A Scenario (possible backup)
802.11a/b/g
Bluetooth
IPv6Network
UMTS/CDMA Network
InternetDomain1
Domain2
UMTS/CDMA
PSTN gateway
Hotspot
CHRoaming User Ad Hoc
Network
PAN
LAN
WAN
WAN
LAN
PSTN
802.11 a/b/g
IRTF – 30
Single Radio Interface Roaming Scenario (possible backup)
Provider B
Provider A
IEEE 802.11 LAN
Subnet A1(or ESS A1) Subnet A2(or ESS A2) Subnet B1 (or ESS B1)
IEEE 802.11LAN IEEE 802.11LAN
Intra-domainInter-subnet MIH
Inter-domainInter-subnet MIH
IRTF – 31
Multiple Radio Interface Roaming Scenario (possible backup)
IEEE 802.11 LAN IEEE 802.11LAN
3GPP Cellular Network
WLAN: deactivatedCellular: activated
The mobile finds WLAN AP through information discovery over the activated I/F
The mobile quickly activates the WLAN I/F and switch to it.The mobile may deactivate the cellular I/F