Secure Universal Mobility for Wireless Internet

Authors: A. Dutta, T. Zhang, S. Madhani (Telcordia Technologies); K. Taniuchi, K. Fujimoto, Y. Katsube, Y. Ohba (Toshiba America Research Inc.); H. Schulzrinne (Columbia University)

Presented by: Ashutosh Dutta [email protected]



Outline

  • Motivation

  • Related Work

  • SUM Architecture

  • Experimental Test-bed

  • Results

  • SIP and MOBIKE approach

  • Conclusion and Future Work


Mobile Wireless Internet: A Scenario

[Figure: two domains (Domain1, Domain2) connected over the Internet, each with Access Networks 1-3 built from 802.11a/b/g access points, Bluetooth (BT) access points and UMTS/CDMA access points; labels S1-S4 and AN; terminals shown are a multimedia terminal, a webphone and a Pocket PC moving between the 802.11a/b/g, Bluetooth and UMTS/CDMA networks.]


Motivation

Objective: to give mobile enterprise users the same working environment they have at the office, regardless of where they are (e.g., Intranet, Extranet), and in particular to:

  • provide persistent and seamless application session continuity

  • provide the same level of security as currently deployed in the enterprise network environment

  • provide persistent and seamless reachability (or traceability) from the internal network to mobile users

  • provide a VPN-agnostic roaming model independent of the subscribed carrier

  • have no impact on the existing IT infrastructure

  • optimize the solution as needed


SUM Scenario

[Figure: an enterprise network with an internal (protected) side holding the CN, a DMZ, and an external (unprotected) side; MNs attach over internal WLAN and LAN, external WLAN hot spots and cellular.]

  • provide reachability from the internal network to mobile nodes

  • secure the communication while the MN is on an external network

  • provide session continuity while moving from one network to the other

CN: Correspondent Node

MN: Mobile Node


Issues to be Resolved

  • An IPsec VPN, deployed to secure the communication, cannot currently maintain session continuity while the node moves

  • Mobile IP, deployed to provide session continuity, does not secure the communication contents itself

    (1) A combination of IPsec VPN and Mobile IP is therefore necessary

  • Seamlessness is sometimes unsatisfactory because of hand-off delay (e.g., internal WLAN to cellular data network), mainly the VPN establishment delay (more than 5 sec)

    (2) A way for the Mobile Node to reduce hand-off delay is therefore preferable


Related Work

  • Miu and Bahl et al. - movement between similar kinds of networks

  • Rodriguez et al. - MAR to support heterogeneous access

  • Snoeren et al. - fine-grained TCP Migrate approach

  • Barton et al. - integration of Mobile IP and IPsec

  • Cheng et al. (ICNSC) - foreign-agent-based, client-driven approach

  • Adrangi et al. (IETF) - Mobile IP traversal for VPN gateways

  • Luo et al. - integration of wireless LAN and cellular

  • Birdstep Technologies (www.birdstep.com) - smooth handoff, dynamic tunnel management, integration with SIP


SUM Architecture (1)

[Figure: internal (protected) side with the CN, the i-HA, an Internal Home Network and an Internal Visited Network; a DMZ with the VPN GW; external (unprotected) networks 1..N with the x-HA. The MN's traffic is carried over nested i-MIP, VPN and x-MIP tunnels.]

  • Based on its current location, the MN dynamically establishes, changes and terminates tunnels without changing the current IPsec VPN or Mobile IP standards.

  • The triple-encapsulation tunnel is constructed by:

    • i-HA (Internal Home Agent): forwards IP packets to the MN's current internal location

    • VPN GW: protects (encrypts and authenticates) IP packets transmitted over external networks

    • x-HA (External Home Agent): forwards IP packets to the MN's current external location
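To make the per-packet cost of the three nested tunnels concrete, here is an added Python example (not code from the presentation or the SUM project) that computes the size of one downstream RTP voice packet at each encapsulation step: IP-in-IP (RFC 2003) for the i-MIP and x-MIP tunnels and ESP tunnel mode (RFC 4303) for the VPN. The cipher suite (AES-CBC-128 with HMAC-SHA1-96), the voice payload sizes and the helper names ipip_encap, esp_tunnel_encap and triple_encap are assumptions; the slides do not state which IPsec transforms or tunnel encapsulations the testbed used.

```python
"""Per-packet cost of the SUM triple-encapsulation tunnel (added illustration).

Models one downstream packet from the CN to the MN: the i-HA wraps it in an
IP-in-IP tunnel (i-MIP), the VPN GW wraps that in ESP tunnel mode, and the
x-HA wraps the result in a second IP-in-IP tunnel (x-MIP).  Header sizes
follow RFC 2003 (IP-in-IP), RFC 4303 (ESP) and RFC 3602 (AES-CBC); the choice
of AES-CBC-128 + HMAC-SHA1-96 and plain IP-in-IP tunnels is an assumption.
"""
from typing import Dict

IPV4_HDR = 20
UDP_HDR = 8
RTP_HDR = 12


def ipip_encap(pkt_len: int) -> int:
    """Mobile IP tunnel (RFC 2003): one extra outer IPv4 header."""
    return pkt_len + IPV4_HDR


def esp_tunnel_encap(pkt_len: int, iv_len: int = 16, block: int = 16,
                     icv_len: int = 12) -> int:
    """ESP tunnel mode (RFC 4303) around a whole IP packet.

    outer IPv4 | SPI(4) | seq(4) | IV | {inner packet, padding, pad len(1),
    next header(1)} rounded up to the cipher block size | ICV.
    Defaults: AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV).
    """
    trailer = 2  # pad length + next header
    padded = -(-(pkt_len + trailer) // block) * block  # round up to a block
    return IPV4_HDR + 4 + 4 + iv_len + padded + icv_len


def triple_encap(payload_len: int) -> Dict[str, int]:
    """Size of one RTP/UDP/IPv4 packet at each hop of the triple tunnel."""
    inner = IPV4_HDR + UDP_HDR + RTP_HDR + payload_len   # as sent by the CN
    after_i_mip = ipip_encap(inner)           # i-HA -> MN's internal (VPN) address
    after_vpn = esp_tunnel_encap(after_i_mip)  # VPN GW -> MN's external home address
    on_air = ipip_encap(after_vpn)            # x-HA -> MN's current external care-of address
    return {
        "inner": inner,
        "after_i_mip": after_i_mip,
        "after_vpn": after_vpn,
        "on_air": on_air,
        "overhead": on_air - inner,
    }


def overhead_ratio(payload_len: int) -> float:
    """Bytes on the cellular link per byte the CN actually sent."""
    sizes = triple_encap(payload_len)
    return sizes["on_air"] / sizes["inner"]


if __name__ == "__main__":
    # Constructed sample: 20 ms of G.729 (20-byte) and G.711 (160-byte) voice
    for codec, payload in (("G.729", 20), ("G.711", 160)):
        s = triple_encap(payload)
        print(f"{codec}: {s['inner']} B from CN -> {s['on_air']} B on the air "
              f"({s['overhead']} B overhead, x{overhead_ratio(payload):.2f})")
```

For a 60-byte G.729 packet the three tunnels add 112 bytes, nearly tripling what crosses the cellular link; this is the overhead that the robust header compression item in the conclusion targets, and it is also why a capture on the external side shows only the outer x-MIP and ESP headers, with the i-MIP tunnel and the application payload hidden inside the VPN.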


SUM Architecture Protocol Flow: Message flow for triple-encapsulation tunnel establishment

[Figure: sequence diagram. Internal (protected) side: i-HA, VPN GW, CN; external (unprotected) side: MN, x-HA.]

  • MN -> x-HA: x-MIP Registration Request; x-HA -> MN: x-MIP Registration Reply (x-MIP tunnel established)

  • MN <-> VPN GW: IKE + VPN address assignment (VPN tunnel established)

  • MN -> i-HA: i-MIP Registration Request; i-HA -> MN: i-MIP Registration Reply (i-MIP tunnel established)


Make-before-Break for Hand-off Delay Reduction

  • Prepare a better alternative path before ceasing to use the current path

    • The MN watches the WLAN signal strength level (or applies any other policy)

    • Before the internal WLAN signal goes away (falls below a threshold A), the MN starts using the cellular network and establishes the x-HA tunnel and the VPN tunnel as a stand-by path

    • When the WLAN signal level falls below threshold B (A > B), the MN stops using WLAN, switches to the cellular network, establishes the i-MIP tunnel, and then carries its traffic over the x-MIP/VPN/i-MIP tunnel on the cellular link

  • This removes the major factor of hand-off delay, since the VPN (which takes more than 5 sec to establish) is already set up before the switch-over
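The following added Python model (not code from the presentation) ties the tunnel-establishment order of the message-flow slide to the two thresholds above: it feeds a WLAN signal-strength trace to a simulated MN and reports how long the session is left without a usable path. The threshold values, the 0.2 s Mobile IP registration time, the RSSI traces and the names MobileNode and handoff_gap are assumptions; the "more than 5 sec" VPN setup time is the figure given on the slides.

```python
"""Make-before-break hand-off timing for the SUM mobile node (added illustration).

The MN keeps using WLAN while it prepares the x-MIP and VPN tunnels over
cellular once the WLAN signal drops below threshold A, and only switches
(establishing the i-MIP tunnel) when the signal drops below threshold B,
with A > B.  The >5 s VPN setup time is from the slides; the threshold
values, the MIP registration time and the RSSI traces are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

THRESHOLD_A = -70.0  # dBm: below this, prepare the stand-by cellular path (assumed)
THRESHOLD_B = -80.0  # dBm: below this, leave WLAN; A > B gives hysteresis (assumed)
assert THRESHOLD_A > THRESHOLD_B

VPN_SETUP_S = 5.5  # IKE + VPN address assignment (slides: "more than 5 sec")
MIP_REG_S = 0.2    # one Mobile IP registration request/reply (assumed)


@dataclass
class MobileNode:
    path: str = "wlan"                        # path currently carrying the session
    standby_ready_at: Optional[float] = None  # when x-MIP + VPN over cellular are usable
    session_gap_s: float = 0.0                # time with no usable path at all
    log: List[Tuple[float, str]] = field(default_factory=list)

    def on_rssi(self, t: float, rssi: float) -> None:
        """Feed one WLAN signal-strength sample taken at time t (seconds)."""
        if self.path != "wlan":
            return
        if rssi < THRESHOLD_A and self.standby_ready_at is None:
            # Same order as the tunnel-establishment flow: x-MIP first, then IKE/VPN
            self.standby_ready_at = t + MIP_REG_S + VPN_SETUP_S
            self.log.append((t, "below A: x-MIP registration + IKE started over cellular"))
        if rssi < THRESHOLD_B:
            # rssi < B implies rssi < A, so standby_ready_at is set by now.  The i-MIP
            # registration runs through the VPN, so it can only start once the
            # stand-by path is ready; until then the session has no path.
            switched_at = max(self.standby_ready_at, t) + MIP_REG_S
            self.session_gap_s = switched_at - t
            self.path = "cellular"
            self.log.append((t, "below B: WLAN dropped"))
            self.log.append((switched_at, "i-MIP tunnel up, session continues over cellular"))


def handoff_gap(trace: List[Tuple[float, float]]) -> float:
    """Seconds during which the session had no usable path, for one RSSI trace."""
    mn = MobileNode()
    for t, rssi in trace:
        mn.on_rssi(t, rssi)
    return mn.session_gap_s


# Constructed traces: (time in s, WLAN RSSI in dBm)
GRADUAL_FADE = [(0.0, -60.0), (2.0, -72.0), (4.0, -75.0), (8.0, -78.0), (10.0, -82.0)]
ABRUPT_LOSS = [(0.0, -60.0), (1.0, -85.0)]

if __name__ == "__main__":
    print(f"gradual fade: {handoff_gap(GRADUAL_FADE):.1f} s without a path")  # just the i-MIP registration
    print(f"abrupt loss:  {handoff_gap(ABRUPT_LOSS):.1f} s without a path")   # VPN setup back on the critical path
```

The gradual trace gives a gap of only one i-MIP registration, which is the effect the slide describes. The abrupt trace shows the failure mode: when thresholds A and B are crossed in the same sample, the VPN setup lands back on the critical path and the gap grows to the full setup time, so the spacing between A and B has to cover the VPN setup time at the fade rate the WLAN actually exhibits.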


Demonstration Scenario

Step 1: The MN (at its home network over WLAN) and the CN start an application session, then the MN starts moving

[Figure: internal (protected) side with the i-HA, the CN and the Internal Home Network (WLAN); DMZ with the VPN GW; external (unprotected) side with the x-HA and the External Network (Cellular); no tunnels shown yet.]

Step 2: The MN starts preparing the alternate path by establishing the x-MIP and VPN tunnels over the cellular link, while keeping communication via the home network over WLAN

[Figure: same layout; the x-MIP tunnel and the VPN tunnel are shown over the cellular link.]

Step 3: The MN stops using its home WLAN, starts using cellular and establishes the i-MIP tunnel, then continues communication with the CN

[Figure: same layout; the x-MIP, VPN and i-MIP tunnels are shown over the cellular link.]

Secure Universal Mobility Testbed

[Figure: testbed topology with labels: Earth Link DSL, Internet, MN on external cellular (Verizon CDMA 1xRTT), MN on an external hotspot, Enterprise Firewall, VPN GW, Internal Home (SSID=ITSUMO home, demo.tari.toshiba.com), i-HA, x-HA (Linux), R, SIP, AP, Monitor, CH, DHCP, DNS, DMZ Network 10.1.10.0/24, Internal Visited 10.1.20.0/24, 205.132.6.64/27 (.66 - .94), TIA = 111-120, HoA = 70-75, HoA = 210-215, and host numbers 1-4, 65, 66, 67, 98, 100, (99).]


Protocol Sequence Flow

[Figure only; no transcript text.]

CBR Voice Traffic

[Figure: (a) packet transmission delay; (b) inter-packet departure and arrival delay variation for CBR (voice).]

VBR Video Traffic

[Figure: (a) packet transmission delay; (b) inter-packet departure and arrival delay variation for VBR (video).]

RTP Packet Sequence

[Figure only; no transcript text.]

Dynamic Tunnel Management

[Figure only; no transcript text.]

Dynamic Tunnel Management Flow

[Figure only; no transcript text.]

SIP with MOBIKE

[Figure only; no transcript text.]


Conclusion and Future Work

  • Active area of research within the IETF's Mobile IP working group

  • Triple encapsulation mandates an "always-on VPN"

    • Provides persistent reachability from the internal network to mobile users

    • May not be practical with currently deployed VPNs

  • Capability of a dual MIP (i-MIP and x-MIP) tunnel without VPN

    • Dynamic Tunnel Management will allow VPN setup on an on-demand basis

    • Adds value to the base triple-encapsulation architecture

    • Provides light-weight persistent reachability without consuming VPN resources

  • Dual MIP is enabled by the SMG (Secure Mobility Gateway), which provides:

    • strong authentication of MIP messages to securely manage the dual MIP tunnels

    • packet filtering to restrict the packets transmitted over the dual MIP tunnels

    • interaction with AAA domains

  • Robust header compression to handle the associated overhead

  • The SIP and MOBIKE approach will provide an optimized solution


Backup Slides


Multimedia Test-bed Architecture

[Figure: two domains, Domain 1 (tari.toshiba.com) and Domain 2 (research.telcordia.com), joined over the Internet behind a firewall (FW) and a backbone with border routers (3600); elements include MAS, dynamic DNS, a SmartBits generator, IPv6, SIP servers/call agents, a multicast proxy, routers R1-R3, AAA servers, DRCP servers, PANA, IPsec, ERC1-ERC4, an external omni antenna, an HA/DRCP server, QoS, VLAN switches, BT, a GPS client, 802.11b micro and macro coverage, CDMA/GPRS coverage and an MH.]


Future / On-going Work (cont'd)

  • The MN is in "Incoming Call Waiting Mode" when it maintains the dual MIP tunnel

  • The SMG authenticates MIP registration messages and filters packets going through the established dual MIP tunnel

[Figure: internal (protected) side with the CN, the i-HA, an Internal Home Network and Internal Visited Networks; DMZ with the VPN GW and the SMG; External Networks 1, 2, ..., N; the MN is reached over x-MIP and i-MIP tunnels only (no VPN tunnel).]


Step-by-step protocol flow

[Figure only: PPP setup over CDMA at SNR (S1); make-before-break scenario at SNR = S2; mobile coming back home.]