Security, Mobility, and Multihoming in the
Future 3GPP Evolved Packet Core (EPC)
WIRELESS COMMUNICATIONS RESEARCH SEMINAR 2012
CWC’s participation in the Celtic MEVICO Project
© Centre for Wireless Communications, University of Oulu
Outline
• The Celtic MEVICO project
• Introduction to Host Identity Protocol (HIP)
• HIP in EPC and related research problems
• HIP-based User Access Authorization
• Secure and Multihomed Femtocells
• Fast Initial Authentication (FAP) in WLANs
• HIP-based VPN/VPLS Networks
2 16.2.2012
Celtic MEVICO Project
MEVICO – Mobile Networks Evolution for Individual Communications Experience
“MEVICO will research the network aspects of the 3GPP LTE-mobile
broadband network for its evolution in the mid-term in 2011-2014.
The goal is to contribute to the technical drive and leadership of the EPC
network (3GPP), and thus support the European industry to maintain
and extend its strong technical and market position in the mobile
networks market. The results can be used as contributions for further
development of the 3GPP standard on EPC in Rel11-Rel13.”
http://www.celtic-initiative.org/
MEVICO Project Partners
• Nokia Siemens Networks Oy
• University of Vienna
• AALTO University/ School of Science and Technology (AALTO)
• EXFO NetHawk
• University of Oulu, Centre for Wireless Communications
• VTT Technical Research Centre of Finland
• Alcatel-Lucent Bell Labs France
• CEA Centre
• France Telecom
• Montimage
• Artelys
• Technische Universität Berlin
• Nokia Siemens Networks GmbH
• O2 Germany
• Deutsche Telekom
• Chemnitz University of Technology
• Budapest University of Technology, Mobile Innovation Centre
• Nokia Siemens Networks Hungary
• RAD Data Communications
• Ericsson
• Ericsson Turkey
• Türk Telekom
• Avea
MEVICO Objectives
Ensure user plane and control plane scalability for high bit rate data services in 3GPP
– filter out unwanted traffic
– offload traffic to broadband access networks
– increase backhaul and core transport network capacity
– better and adaptive load distribution on transport and service level (distribution of core network functions, multipath communication)
– access technology agnostic
– reduce signaling overhead (attachment, session establishment, handover)
– better QoS support for applications, smart traffic management (application-level traffic identification, E2E QoS for application classes, improved resource selection and caching, multiaccess, access GW selection)
– reduce OPEX of network management (self-organizing network functions)
Host Identity Protocol (HIP)
– Security, IP mobility, and multihoming through ID/locator split scheme
– New namespace: Host Identity (HI)
– Replaces the identifier role of IP address
– Public/private key pair as identifier for host
– Host Identity Tag (HIT) used by applications
– IPv4 and IPv6 run underneath the HIP protocol
– HIP is a signaling and key-exchange protocol
– Separate control and payload channel
– Mutual authentication of end-hosts via Host Identities
– Negotiation of Security Associations (SAs) and keying material
– Use with security services, e.g. Encapsulating Security Payload (ESP)
– Benefits of HIP-based ID/locator split scheme
– Applications use a stable identity instead of a changing locator
– Routing still based on locator; no changes to core infrastructure
– End-hosts are able to prove their identities (i.e. cryptographic HIs)
– Security: key negotiation for data confidentiality and integrity protection
[Figure: HIP protocol stack. Applications and TCP/UDP bind to the Host Identity (HI); the HIP layer, with separate Control and Payload channels, sits between the transport layer and IP (IPv4/IPv6).]
Host Identity Protocol (HIP)
– Applications and the transport layer are bound to stable HIs, namely HITs
– New points of network attachment have no effect on this binding
– Transparent handling of mobility events from the transport layer
– The HIP layer maps HITs to routable IP addresses
– On mobility this mapping information requires an update at the peer host
– Updates to HIT-IP mapping are achieved through HIP UPDATE mechanism
– Support for multihoming (i.e. host connected through 2 or more interfaces)
– Handling of multihoming corresponds to HIP mobility signaling (HIP UPDATE used)
– ID/locator separation into HIT and IP address enables simultaneous multihoming also between the IPv4 and IPv6 protocols
– Host authentication is essential when supporting mobility and multihoming!
– Additional infrastructure to aid host tracking as well as reachability is needed, e.g. DNS, a Rendezvous Server (SRV) park and/or a fully distributed DHT-based Hi3 system
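The two HIP slides above describe the mechanism in words: the application is bound to a HIT, the HIP layer keeps a HIT-to-locator mapping, and on mobility the host sends a HIP UPDATE that the peer must authenticate before it rewrites the mapping. The following is an added illustration, not code from the MEVICO project or from CWC. It assumes a simplified ORCHID-style HIT layout (the 2001:10::/28 prefix plus 100 hash bits, not bit-exact RFC 4843), stands in for the base exchange by handing both ends a shared integrity key directly, and protects the UPDATE with an HMAC only (a real UPDATE also carries a HIP_SIGNATURE). All key bytes and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Simplified HIT construction (assumption: ORCHID-style layout, not bit-exact RFC 4843):
# a 28-bit prefix 2001:10::/28 followed by 100 bits of SHA-1 over the Host Identity.
HIT_PREFIX = 0x2001001 << 100          # top 28 bits of a 128-bit address


def make_hit(host_identity: bytes) -> str:
    """Derive a Host Identity Tag (HIT) from the public-key bytes of a Host Identity."""
    digest = int.from_bytes(hashlib.sha1(host_identity).digest(), "big")
    return str(ipaddress.IPv6Address(HIT_PREFIX | (digest & ((1 << 100) - 1))))


def in_hit_prefix(hit: str) -> bool:
    return ipaddress.IPv6Address(hit) in ipaddress.IPv6Network("2001:10::/28")


def _update_mac(key: bytes, sender_hit: str, locator: str, seq: int) -> bytes:
    # HMAC over the UPDATE fields with the integrity key derived in the base exchange;
    # the HIP_SIGNATURE that a real UPDATE also carries is omitted here (assumption).
    return hmac.new(key, f"UPDATE|{sender_hit}|{locator}|{seq}".encode(), hashlib.sha256).digest()


class HipAssociation:
    """Per-peer state left behind by a (not modelled) HIP base exchange."""
    def __init__(self, peer_hit, peer_locator, integrity_key):
        self.peer_hit = peer_hit
        self.peer_locator = peer_locator      # current routable IP of the peer
        self.integrity_key = integrity_key    # stands in for BEX keying material
        self.send_seq = 0                     # our own UPDATE sequence numbers
        self.recv_seq = 0                     # highest UPDATE sequence accepted from the peer


class HipLayer:
    """The HIP layer: maps stable HITs to changing locators and authenticates UPDATEs."""
    def __init__(self, local_hit):
        self.local_hit = local_hit
        self.assocs = {}                      # peer HIT -> HipAssociation

    def add_association(self, peer_hit, peer_locator, integrity_key):
        self.assocs[peer_hit] = HipAssociation(peer_hit, peer_locator, integrity_key)

    def send(self, peer_hit, payload):
        """Transport hands down a payload addressed by HIT; HIP resolves the locator."""
        return self.assocs[peer_hit].peer_locator, payload

    def build_update(self, peer_hit, new_locator):
        """Called by the host that moved: announce its new locator to `peer_hit`."""
        assoc = self.assocs[peer_hit]
        assoc.send_seq += 1
        return {"sender_hit": self.local_hit, "locator": new_locator, "seq": assoc.send_seq,
                "mac": _update_mac(assoc.integrity_key, self.local_hit, new_locator, assoc.send_seq)}

    def handle_update(self, upd):
        """Accept an UPDATE only from a known peer, with a valid MAC and a fresh sequence number."""
        assoc = self.assocs.get(upd["sender_hit"])
        if assoc is None:
            return False
        expected = _update_mac(assoc.integrity_key, upd["sender_hit"], upd["locator"], upd["seq"])
        if not hmac.compare_digest(expected, upd["mac"]) or upd["seq"] <= assoc.recv_seq:
            return False
        assoc.recv_seq = upd["seq"]
        assoc.peer_locator = upd["locator"]   # the HIT the application uses is untouched
        return True


def demo():
    """UE moves to a new access network; its peer keeps talking to the same HIT."""
    ue_hit = make_hit(b"constructed UE public key bytes")
    gw_hit = make_hit(b"constructed GW public key bytes")
    key = secrets.token_bytes(32)             # constructed stand-in for BEX keying material
    ue, gw = HipLayer(ue_hit), HipLayer(gw_hit)
    ue.add_association(gw_hit, "203.0.113.10", key)
    gw.add_association(ue_hit, "192.0.2.20", key)
    before = gw.send(ue_hit, b"data")[0]
    upd = ue.build_update(gw_hit, "198.51.100.7")     # UE attached via a new interface
    accepted = gw.handle_update(upd)
    after = gw.send(ue_hit, b"data")[0]
    replayed = gw.handle_update(upd)                   # same UPDATE again: stale sequence number
    forged = gw.handle_update(dict(upd, locator="10.0.0.66", seq=2))  # fresh seq, wrong MAC
    return {"before": before, "accepted": accepted, "after": after,
            "replayed": replayed, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The point the slides make about host authentication being essential for mobility is visible in `handle_update`: without the MAC and sequence checks, anyone who learns a peer's HIT could redirect its traffic to an arbitrary locator.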
Possible roles for HIP in EPC
HIP roles
– user access authorization
– IP mobility management for any legacy application
– network security (e.g., from femtocells to security gateways)
– enforcement of security policies (filters out unwanted traffic)
– load distribution (HIP provides opportunities for smart traffic steering in the HIP peers)
– access technology agnostic, IPv4 and IPv6 coverage
Research questions:
– Support resource-constrained devices / high re-authentication rate
– Support frequent inter-GW mobility without requiring frequent HIP BEXs when HIP is used between the UE and the GW
– Bind the HIP transport protocol (e.g. IPsec ESP BEET mode) with EPC bearers to provide appropriate QoS for different application classes.
– Issues with introducing HIP on 3GPP-access networks
HIP-based User Authentication Protocol
• HIP Diet Exchange (DEX) with AKA authentication
• HIP DEX AKA provides similar functionality as the Internet Key Exchange protocol v2 (IKEv2) with EAP-AKA: it could control user access authentication and authorization of USIM-based UEs in non-managed non-3GPP access networks.
• Both services provide mutual authentication and establish an IPsec security association pair to protect the path between the UE and the ePDG in the network layer.
• HIP DEX AKA is intended as a uniform L3 authentication service on top of disparate access networks.
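The slide states that HIP DEX AKA, like IKEv2 with EAP-AKA, provides mutual authentication of a USIM-based UE and then keys an IPsec SA pair. What AKA itself contributes is the challenge/response below, given here as an added example rather than CWC's HIP-AKA implementation. It assumes the 3GPP f1..f5 functions (MILENAGE on a real USIM) can be replaced by truncated HMAC-SHA256 outputs keyed with the subscriber key K, uses a strictly monotonic sequence number instead of the TS 33.102 window scheme, and leaves out how the resulting CK/IK are carried into HIP or IKEv2 key derivation. The AMF value and the subscriber key in the test are constructed.

```python
import hashlib
import hmac
import secrets

# Assumption: the 3GPP f1..f5 functions (MILENAGE in real USIMs) are replaced here by
# truncated HMAC-SHA256 outputs keyed with the subscriber key K. Field lengths follow
# TS 33.102: SQN 6 bytes, AMF 2 bytes, MAC-A 8 bytes, AK 6 bytes, CK/IK 16 bytes.


def _f(k, label, data, n):
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]


def f1(k, rand, sqn, amf): return _f(k, b"f1", rand + sqn + amf, 8)  # MAC-A
def f2(k, rand): return _f(k, b"f2", rand, 8)                        # RES / XRES
def f3(k, rand): return _f(k, b"f3", rand, 16)                       # CK
def f4(k, rand): return _f(k, b"f4", rand, 16)                       # IK
def f5(k, rand): return _f(k, b"f5", rand, 6)                        # AK


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """HSS/AuC side: holds K and the per-subscriber sequence number."""
    def __init__(self, k):
        self.k, self.sqn = k, 0

    def auth_vector(self):
        self.sqn += 1
        sqn, amf = self.sqn.to_bytes(6, "big"), b"\x80\x00"   # AMF value is constructed
        rand = secrets.token_bytes(16)
        autn = xor(sqn, f5(self.k, rand)) + amf + f1(self.k, rand, sqn, amf)
        return rand, autn, f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


class Usim:
    """UE/USIM side: verifies the network before answering."""
    def __init__(self, k):
        self.k, self.sqn = k, 0

    def respond(self, rand, autn):
        conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn_bytes = xor(conc_sqn, f5(self.k, rand))          # recover SQN from SQN xor AK
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn_bytes, amf)):
            raise ValueError("MAC failure")                   # network not authenticated
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.sqn:                                   # assumption: strictly monotonic SQN,
            raise ValueError("synchronisation failure")       # no IND-based windows as in TS 33.102
        self.sqn = sqn
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


def run_aka(network, usim, tamper_autn=False):
    """One challenge/response; reports whether both sides authenticated."""
    rand, autn, xres, ck, ik = network.auth_vector()
    if tamper_autn:
        autn = autn[:-1] + bytes([autn[-1] ^ 0x01])           # flip one bit of MAC-A
    try:
        res, ck_ue, ik_ue = usim.respond(rand, autn)
    except ValueError as err:
        return {"ok": False, "reason": str(err)}
    # Serving side (AAA / ePDG) authenticates the UE by comparing RES with XRES;
    # only then are CK/IK used to key the IPsec SA pair between UE and ePDG.
    ok = hmac.compare_digest(res, xres) and (ck, ik) == (ck_ue, ik_ue)
    return {"ok": ok, "reason": "" if ok else "RES mismatch"}


def replay_demo(k):
    """A captured RAND/AUTN replayed to the USIM fails the freshness check."""
    network, usim = HomeNetwork(k), Usim(k)
    rand, autn, *_ = network.auth_vector()
    usim.respond(rand, autn)                                  # first use succeeds
    try:
        usim.respond(rand, autn)
    except ValueError as err:
        return str(err)
    return "accepted"
```

The two failure paths are the ones that matter for the access-network case on the slide: a bit flipped in AUTN (or a network that does not hold K) fails at the MAC check before the UE discloses RES, and a replayed vector fails at the SQN check.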
HIP-based User Authentication Protocol
Real-life implementation
– HIP-DEX base protocol implemented in the C++ language for GNU/Linux
– Two versions of HIP-AKA implemented in the C++ language for GNU/Linux
• One is running in a testbed at CWC premises
• And the other in a testbed at BME-MIK premises
Testbed validation in cooperation with Budapest University of Technology and Economics, Mobile Innovation Centre (BME-MIK)
Validations will use both BME-MIK’s testbed and CWC’s testbed
– In the beginning, validations are carried out using only BME-MIK’s more extensive testbed (Wi-Fi and UTRAN accesses supported), though some measurements and development work are done using CWC’s testbed
– Testbed configurations emulate the flat (long-term) MEVICO LTE architecture
– Later, bootstrapping and Femtocell (possibly DEX used on L2) studies will be performed in CWC’s testbed
– We also intend to run our protocol on resource-constrained mobile devices such as Android smartphones
HIP-based Vehicular Femtocells
Femtocells are not meant to be mobile. Nevertheless, they can be deployed in mobile vehicles, e.g. trains and buses.
Challenges:
1. Good security is required when nodes are mobile and perform frequent handovers
2. Seamless mobility for sensitive applications needs good care in handover
3. Service continuity for fast-moving vehicles with Femtocell BSs
Fast Initial Authentication in WLAN
Why it is important:
1. WLAN can also provide a high data rate for mobile users who move at high speed
2. When thousands of users enter at the same time, authentication should not drop any of them
3. A trend towards small cells and home-based cellular networks is emerging
HIP-based VPN/VPLS Networks
• HIP used to create a secure VPLS/VPN overlaid on top of an untrusted network.
• Host identity (instead of IP) used for access control
• HIP protocol authenticates the hosts and builds secure tunnels between them
• The payloads of the ESP-encrypted datagrams are L2 frames / L3 packets.
• Learning the network structure
  – 1. Centralized: e.g. IF-MAP server (Boeing is using it)
  – 2. Distributed learning: STP, L3 routing protocols, etc.
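The VPLS slide combines three things: tunnels admitted by Host Identity rather than IP, L2 frames carried as ESP payload, and distributed learning of where MAC addresses live. The bridge below is an added example, not code from the project, showing the per-site logic after HIP has authenticated the peers. It assumes a full mesh of tunnels with split horizon standing in for STP, models the centralized IF-MAP alternative not at all, and identifies each tunnel by a constructed HIT string; ESP encryption and decryption are assumed to happen before `ingress` is called.

```python
import struct

BROADCAST = b"\xff" * 6
LOCAL = "local"   # pseudo-port for frames arriving from the site's own LAN


def make_frame(dst: bytes, src: bytes, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Build a minimal Ethernet II frame (no FCS); this is the ESP payload in L2 mode."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def parse_ethernet(frame: bytes):
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


class VplsBridge:
    """One site's bridge in a HIP-based VPLS.

    Tunnels are identified by the peer's HIT (the identity HIP authenticated),
    never by its IP address, so a peer can move without changing the ACL.
    """
    def __init__(self, local_hit: str, allowed_hits: set):
        self.local_hit = local_hit
        self.allowed = set(allowed_hits)   # access control by Host Identity
        self.tunnels = set()               # peer HITs with an established HIP/ESP tunnel
        self.fdb = {}                      # MAC -> pseudo-port it was learned on (HIT or LOCAL)

    def add_tunnel(self, peer_hit: str) -> bool:
        """Admit an ESP tunnel only if the authenticated HIT is on the allow list."""
        if peer_hit not in self.allowed:
            return False
        self.tunnels.add(peer_hit)
        return True

    def ingress(self, frame: bytes, port: str):
        """Handle a frame from `port` (LOCAL, or the HIT of the tunnel it was decrypted from).

        Returns (action, output ports). Learning is distributed: each site learns
        MAC locations from traffic alone, with split horizon in place of STP.
        """
        if port != LOCAL and port not in self.tunnels:
            return "drop", []                       # frame from an unauthenticated source
        dst, src, _, _ = parse_ethernet(frame)
        self.fdb[src] = port                        # learn where src lives
        if dst == BROADCAST or dst not in self.fdb:
            # Split horizon over a full mesh (assumption): frames from a tunnel go to the
            # local LAN only, frames from the local LAN go to every tunnel.
            return "flood", ([LOCAL] if port != LOCAL else sorted(self.tunnels))
        out = self.fdb[dst]
        if out == port or (port != LOCAL and out != LOCAL):
            return "filter", []                     # same segment, or tunnel-to-tunnel
        return "forward", [out]


def demo():
    """Two hosts at different sites; constructed MACs and HITs throughout."""
    a_mac, b_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    site1 = VplsBridge("2001:10::1", {"2001:10::1", "2001:10::2", "2001:10::3"})
    admitted = site1.add_tunnel("2001:10::2")
    rejected = site1.add_tunnel("2001:10::bad1")   # authenticated, but not on the allow list
    arp = site1.ingress(make_frame(BROADCAST, a_mac, b"who-has", 0x0806), LOCAL)
    reply = site1.ingress(make_frame(a_mac, b_mac, b"is-at", 0x0806), "2001:10::2")
    data = site1.ingress(make_frame(b_mac, a_mac, b"payload"), LOCAL)
    rogue = site1.ingress(make_frame(b_mac, a_mac, b"payload"), "2001:10::bad1")
    return {"admitted": admitted, "rejected": rejected, "arp": arp,
            "reply": reply, "data": data, "rogue": rogue}


if __name__ == "__main__":
    print(demo())
```

Because the forwarding database is keyed by HIT, a peer whose locator changes (the mobility case earlier in the deck) keeps its learned MAC entries; only the HIP layer's HIT-to-locator mapping moves.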
Example of a HIP-based VPN Network