
Security, Mobility, and Multihoming in the

Future 3GPP Evolved Packet Core (EPC)

WIRELESS COMMUNICATIONS RESEARCH SEMINAR 2012

CWC’s participation in the Celtic MEVICO Project

© Centre for Wireless Communications, University of Oulu

Outline

• The Celtic MEVICO project
• Introduction to Host Identity Protocol (HIP)
• HIP in EPC and related research problems
• HIP-based User Access Authorization
• Secure and Multihomed Femtocells
• Fast Initial Authentication (FAP) in WLANs
• HIP-based VPN/VPLS Networks

2 16.2.2012


Celtic MEVICO Project

MEVICO – Mobile Networks Evolution for Individual Communications Experience

“MEVICO will research the network aspects of the 3GPP LTE-mobile broadband network for its evolution in the mid-term in 2011-2014. The goal is to contribute to the technical drive and leadership of the EPC network (3GPP), and thus support the European industry to maintain and extend its strong technical and market position in the mobile networks market. The results can be used as contributions for further development of the 3GPP standard on EPC in Rel11-Rel13.”

http://www.celtic-initiative.org/


MEVICO Project Partners

• Nokia Siemens Networks Oy
• University of Vienna
• AALTO University / School of Science and Technology (AALTO)
• EXFO NetHawk
• University of Oulu, Centre for Wireless Communications
• VTT Technical Research Centre of Finland
• Alcatel-Lucent Bell Labs France
• CEA Centre
• France Telecom
• Montimage
• Artelys
• Technische Universität Berlin
• Nokia Siemens Networks GmbH
• O2 Germany
• Deutsche Telekom
• Chemnitz University of Technology
• Budapest University of Technology, Mobile Innovation Centre
• Nokia Siemens Networks Hungary
• RAD Data Communications
• Ericsson
• Ericsson Turkey
• Turk Telecom
• Avea


MEVICO Objectives

Ensure user plane and control plane scalability for high bit rate data services in 3GPP:
– filter out unwanted traffic
– offload traffic to broadband access networks
– increase backhaul and core transport network capacity
– better and adaptive load distribution on transport and service level (distribution of core network functions, multipath communication)
– access technology agnostic
– reduce signaling overhead (attachment, session establishment, handover)
– better QoS support for applications, smart traffic management (application-level traffic identification, E2E QoS for application classes, improved resource selection and caching, multiaccess, access GW selection)
– reduce OPEX of network management (self-organizing network functions)


Host Identity Protocol (HIP)

– Security, IP mobility, and multihoming through an ID/locator split scheme
– New namespace: Host Identity (HI)
  – Replaces the identifier role of the IP address
  – Public/private key pair as the identifier for a host
  – Host Identity Tag (HIT) used by applications
  – IPv4 and IPv6 run underneath the HIP protocol
– HIP is a signaling and key-exchange protocol
  – Separate control and payload channels
  – Mutual authentication of end-hosts via Host Identities
  – Negotiation of Security Associations (SAs) and keying material
  – Use with security services, e.g. Encapsulated Security Payload (ESP)
– Benefits of the HIP-based ID/locator split scheme
  – Applications use a stable identity instead of a changing locator
  – Routing is still based on the locator; no changes to the core infrastructure
  – End-hosts are able to prove their identities (i.e. cryptographic HIs)
  – Security: key negotiation for data confidentiality and integrity protection
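The HI/HIT bullets above are easier to grasp with the actual derivation in front of you. The following is an added illustration, not code from the MEVICO project or the CWC testbed: it implements the ORCHIDv2 construction from RFC 7343 that HIPv2 (RFC 7401) uses to turn a public key into a 128-bit Host Identity Tag that looks like an IPv6 address, so unmodified applications can bind to the HIT while the real IP address changes. The prefix, context ID and HIT Suite IDs are the values from those RFCs; the sample host identities are constructed byte strings standing in for encoded public keys.

```python
"""Host Identity Tag (HIT) derivation per RFC 7343 (ORCHIDv2) and RFC 7401.

Added example, not project code. Sample host identities below are constructed.
"""
import hashlib
import ipaddress

# ORCHIDv2 prefix 2001:20::/28 (RFC 7343), written as a 28-bit integer.
ORCHID_PREFIX = 0x2001002
# Context ID that HIP mixes into every HIT (RFC 7401, section 3.2).
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
# HIT Suite IDs (RFC 7401, section 5.2.10); the 4-bit OGA ID field carries one.
HIT_SUITE_RSA_DSA_SHA256 = 1
HIT_SUITE_ECDSA_SHA384 = 2
HASH_FOR_SUITE = {
    HIT_SUITE_RSA_DSA_SHA256: hashlib.sha256,
    HIT_SUITE_ECDSA_SHA384: hashlib.sha384,
}


def encode_96(digest: bytes) -> int:
    """Encode_96 from RFC 7343: the middle 96 bits of the hash output."""
    total_bits = len(digest) * 8
    drop = (total_bits - 96) // 2          # bits discarded on each side
    return (int.from_bytes(digest, "big") >> drop) & ((1 << 96) - 1)


def host_identity_tag(host_identity: bytes,
                      suite: int = HIT_SUITE_RSA_DSA_SHA256) -> ipaddress.IPv6Address:
    """HIT = Prefix(28) | OGA ID(4) | Encode_96(Hash(Context ID | HI)).

    `host_identity` is the encoded public key (the HOST_ID parameter body in
    HIP); any byte string works for illustration.
    """
    digest = HASH_FOR_SUITE[suite](HIP_CONTEXT_ID + host_identity).digest()
    hit_int = (ORCHID_PREFIX << 100) | (suite << 96) | encode_96(digest)
    return ipaddress.IPv6Address(hit_int)


def is_hit(addr) -> bool:
    """True if the address falls in the ORCHIDv2 range reserved for HITs."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("2001:20::/28")


def hit_suite(addr) -> int:
    """Read the OGA ID / HIT Suite ID nibble back out of a HIT."""
    return (int(ipaddress.IPv6Address(addr)) >> 96) & 0xF


def hit_matches_hi(addr, host_identity: bytes) -> bool:
    """What a peer does with a received HOST_ID: recompute the HIT and compare.

    Combined with a signature check, this is how an end-host proves its
    identity: the HIT is bound to the public key by the hash, and only the
    holder of the private key can sign.
    """
    hit = ipaddress.IPv6Address(addr)
    suite = hit_suite(hit)
    if suite not in HASH_FOR_SUITE:
        return False
    return host_identity_tag(host_identity, suite) == hit


if __name__ == "__main__":
    # Constructed sample "public keys" (in HIP these would be RSA/DSA/ECDSA keys).
    for name, hi in (("alice", b"constructed-sample-host-identity-alice"),
                     ("bob", b"constructed-sample-host-identity-bob")):
        print(name, host_identity_tag(hi))
```

Because the HIT is derived from the key rather than assigned by the network, a peer can verify it offline; the OGA ID nibble tells the verifier which hash to recompute with.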


[Figure: HIP protocol stack. The HI layer sits between TCP/UDP and IP, with separate control and payload channels.]


Host Identity Protocol (HIP)

– Applications and the transport layer are bound to stable HIs, namely HITs
  – New points of network attachment have no effect on this binding
  – Transparent handling of mobility events from the transport layer's point of view
– The HIP layer maps HITs to routable IP addresses
  – On mobility, this mapping requires an update at the peer host
  – Updates to the HIT–IP mapping are achieved through the HIP UPDATE mechanism
– Support for multihoming (i.e. a host connected through two or more interfaces)
  – Handling of multihoming corresponds to HIP mobility signaling (HIP UPDATE used)
  – ID/locator separation into HIT and IP address enables simultaneous multihoming also between the IPv4 and IPv6 protocols
– Host authentication is essential when supporting mobility and multihoming!
– Additional infrastructure to aid host tracking as well as reachability is needed, e.g. DNS, a Rendezvous Server (SRV) park and/or a fully distributed DHT-based Hi3 system
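The last two bullets make a security argument: the HIT-to-IP mapping at the peer can only be updated safely if the UPDATE is authenticated and the new address is verified, otherwise anyone could redirect a session. The following is an added, simplified model of that readdressing flow (LOCATOR_SET in an UPDATE, then echo-based address verification, in the spirit of RFC 8046); it is not code from the MEVICO project or the testbeds. Two simplifications are assumptions of this example: an HMAC keyed with the base-exchange key stands in for HIP_MAC + HIP_SIGNATURE, and the echo response is handed back as a plain nonce instead of inside a signed UPDATE. HITs and addresses in the walkthrough are constructed.

```python
"""Simplified model of HIP mobility/multihoming signalling. Added example, not project code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Update:
    src_hit: str          # the sender's HIT: the stable identity, not an address
    locators: tuple       # LOCATOR_SET: addresses the sender claims to be reachable at
    seq: int              # SEQ parameter, protects against replayed UPDATEs
    mac: bytes = b""      # stands in for HIP_MAC / HIP_SIGNATURE (assumption)


def _auth_bytes(u: Update) -> bytes:
    return f"{u.src_hit}|{','.join(u.locators)}|{u.seq}".encode()


def sign_update(u: Update, key: bytes) -> Update:
    """Authenticate the UPDATE with the association's keying material."""
    u.mac = hmac.new(key, _auth_bytes(u), hashlib.sha256).digest()
    return u


@dataclass
class Association:
    key: bytes                                   # from the HIP base exchange
    active: set = field(default_factory=set)     # verified locators, usable for ESP
    pending: dict = field(default_factory=dict)  # locator -> echo nonce awaiting reply
    last_seq: int = 0


class HipHost:
    """Holds the HIT -> IP mapping for each peer and processes mobility UPDATEs."""

    def __init__(self):
        self.assocs = {}   # peer HIT -> Association

    def add_association(self, peer_hit: str, key: bytes, initial_locator: str):
        a = Association(key)
        a.active.add(initial_locator)  # locator learned and verified in the base exchange
        self.assocs[peer_hit] = a

    def locators_for(self, peer_hit: str):
        return sorted(self.assocs[peer_hit].active)

    def handle_update(self, u: Update):
        """Return the (locator, nonce) echo requests to send, or None if rejected."""
        a = self.assocs.get(u.src_hit)
        if a is None:
            return None
        # Authentication first: an unauthenticated LOCATOR_SET would let anyone point
        # this peer's mapping at an address of their choosing. That is why the slide
        # calls host authentication essential for mobility and multihoming.
        expected = hmac.new(a.key, _auth_bytes(u), hashlib.sha256).digest()
        if not hmac.compare_digest(u.mac, expected):
            return None
        if u.seq <= a.last_seq:             # stale or replayed UPDATE
            return None
        a.last_seq = u.seq
        echo_requests = []
        for loc in u.locators:
            if loc in a.active:             # already verified (multihoming: keep it)
                continue
            nonce = os.urandom(8)
            a.pending[loc] = nonce          # ECHO_REQUEST goes to the new address
            echo_requests.append((loc, nonce))
        # Addresses no longer announced are withdrawn; new ones stay inactive until
        # return routability is proven, so an unreachable address attracts no traffic.
        a.active &= set(u.locators)
        return echo_requests

    def handle_echo_response(self, peer_hit: str, locator: str, nonce: bytes) -> bool:
        """The peer echoed our nonce from the new address: it is reachable there."""
        a = self.assocs[peer_hit]
        expected = a.pending.get(locator)
        if expected is None or not hmac.compare_digest(expected, nonce):
            return False
        del a.pending[locator]
        a.active.add(locator)
        return True


if __name__ == "__main__":
    # Constructed walkthrough: the peer moves from 192.0.2.10 to 198.51.100.7.
    host = HipHost()
    key = os.urandom(32)
    host.add_association("2001:21::1", key, "192.0.2.10")
    upd = sign_update(Update("2001:21::1", ("198.51.100.7",), seq=1), key)
    for loc, nonce in host.handle_update(upd):
        host.handle_echo_response("2001:21::1", loc, nonce)  # peer echoes nonce back
    print(host.locators_for("2001:21::1"))  # ['198.51.100.7']
```

Note the ordering inside handle_update: authenticity and freshness are checked before any state changes, and a new locator is not used until the echo round trip proves the peer is really reachable there; the same code path serves a multihomed peer announcing several locators at once.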


Possible roles for HIP in EPC

HIP roles:
– user access authorization
– IP mobility management for any legacy application
– network security (e.g., from femtocells to security gateways)
– enforcement of security policies (filters out unwanted traffic)
– load distribution (HIP provides opportunities for smart traffic steering in the HIP peers)
– access technology agnostic, IPv4 and IPv6 coverage

Research questions:
– Support resource-constrained devices / a high re-authentication rate
– Support frequent inter-GW mobility without requiring frequent HIP base exchanges (BEXs) when HIP is used between the UE and the GW
– Bind the HIP transport protocol (e.g. IPsec ESP BEET mode) to EPC bearers to provide appropriate QoS for different application classes
– Issues with introducing HIP on 3GPP access networks


HIP-based User Authentication Protocol

• HIP Diet Exchange (DEX) with AKA authentication
• HIP DEX AKA provides similar functionality to the Internet Key Exchange protocol v2 (IKEv2) with EAP-AKA: it could control user access authentication and authorization of USIM-based UEs in non-managed non-3GPP access networks.
• Both services provide mutual authentication and establish an IPsec security association pair to protect the path between the UE and the ePDG at the network layer.
• HIP DEX AKA is intended as a uniform L3 authentication service on top of disparate access networks.


HIP-based User Authentication Protocol

Real-life implementation
– HIP-DEX base protocol implemented in C++ for GNU/Linux
– Two versions of HIP-AKA implemented in C++ for GNU/Linux
  • One is running in a testbed at CWC premises
  • The other in a testbed at BME-MIK premises

Testbed validation in cooperation with Budapest University of Technology and Economics, Mobile Innovation Centre (BME-MIK)
– Validations will use both BME-MIK’s testbed and CWC’s testbed
  – In the beginning, validations are carried out using only BME-MIK’s more extensive testbed (Wi-Fi and UTRAN accesses supported), though some measurements and development work are done using CWC’s testbed
– Testbed configurations emulate the flat (long-term) MEVICO LTE architecture
– Later, bootstrapping and femtocell (possibly DEX used on L2) studies will be performed in CWC’s testbed
– We also intend to run our protocol on resource-constrained mobile devices such as Android smartphones


HIP-based Vehicular Femtocells

Femtocells are not meant to be mobile. Nevertheless, they can be deployed in mobile vehicles, e.g. trains and buses.

Challenges:
1. Good security is required when nodes are mobile and perform frequent handovers
2. Seamless mobility for sensitive applications needs good care in handover
3. Service continuity for fast-moving vehicles with femtocell BSs


Fast Initial Authentication in WLAN

Why it is important:
1. WLAN can also provide a high data rate for mobile users who move at high speed
2. When thousands of users enter at the same time, authentication should not drop any of them
3. A trend towards small cells and home-based cellular networks is emerging


HIP-based VPN/VPLS Networks

• HIP is used to create a secure VPLS/VPN overlaid on top of an untrusted network.
• Host identity (instead of IP) is used for access control.
• The HIP protocol authenticates the hosts and builds secure tunnels between them.
• The payloads of the ESP-encrypted datagrams are L2 frames / L3 packets.
• Learning the network structure:
  1. Centralized: e.g. an IF-MAP server (Boeing is using it)
  2. Distributed learning: STP, L3 routing protocols, etc.


Example of a HIP-based VPN Network


Thank you!
