
Public Access Mobility LAN: Extending The Wireless Internet into The LAN Environment. Jun Li, Stephen B. Weinstein, Junbiao Zhang, and Nan Tu, NEC USA Inc. Presented by 林煥銘, part-time first-year graduate student, Graduate Institute of Computer Science and Information Engineering, Fu Jen Catholic University.



  1. Public Access Mobility LAN: Extending The Wireless Internet into The LAN Environment
     Jun Li, Stephen B. Weinstein, Junbiao Zhang, and Nan Tu, NEC USA Inc.
     Fu Jen Catholic University, Graduate Institute of Computer Science and Information Engineering, part-time first-year graduate student. Presenter: 林煥銘, Student ID: 492515241

  2. Outline
     • Introduction
     • Architecture & Protocol Components
     • Security Issues
     • Mobility Management
     • Conclusion

  3. Introduction
     • PamLAN: Public Access Mobility LAN
     • Aims to meet
       • Ubiquitous access
       • High data rate
       • Local services demands
     • Architectural guidelines for WLAN environments
       • Large-scale
       • IP-based
       • Supporting mobile/portable appliances (simultaneously supporting different air interfaces)

  4. Introduction (cont’d)
     • Based on a wired LAN environment
     • Wireless access points are embedded
     • Multi-segment LAN
     • Supporting handoffs

  5. Introduction (cont’d)
     • Supports Internet access via WLANs
     • Multiple air interfaces
     • Multiple virtual operators
     • Location-dependent services
     • Local IP mobility
     • QoS (within the wired network)

  6. Introduction (cont’d)
     • The main disadvantages of current WLANs
       • Lack of public access
       • Being tied down to a single access point (i.e., restriction to subscribers of the WLAN operator)
       • Single air interface (reducing the range of appliances)
     • Not a breakthrough in technological capacities
       • Combination of available technologies

  7. Architecture
     • Table 1. PamLAN/VOLAN/VLAN hierarchy.

  8. Architecture (cont’d)
     • Switched Ethernet LAN
     • Access points
       • Supporting IEEE, Bluetooth, Cellular, ...
     • IP-based access router with proxies
     • Gateway routers
       • Internet access through IP tunneling

  9. Architecture (cont’d)

  10. Architecture (cont’d)
      • Integration of Cellular IP & Mobile IP for supporting mobility
      • MPLS (Multi-Protocol Label Switching)
        • Brings QoS across multiple LAN segments
      • IEEE VLAN standard 802.1Q
      • IEEE 802.1p header for QoS

  11. Large Scale PamLAN
      • For a single VLAN, QoS can be easily supported
      • For large-scale WLANs?
        • Intermediate routers work at layer 3
        • Source & destination addresses must be used for VOLAN membership
        • Intermediate routers must know all IP addresses for VLAN mapping
      • VLAN for grouping traffic per VOLAN
      • MPLS for the whole PamLAN

  12. MPLS (Multi-Protocol Label Switching)
      • Tunnels traffic between gateways & access points
      • Intermediate routers only examine MPLS labels, which impose a path
      • Forwarding Equivalence Class (FEC)
        • Formed based on VOLAN membership & QoS
        • FEC is inserted in the MPLS label
        • Used for 802.1p priority within a VLAN

  13. MPLS (cont’d)

  14. MPLS (cont’d)
      • Traffic-engineered paths can be set up among access points and Internet gateways according to service contracts between PamLAN & virtual operators
      • DiffServ QoS service:
        • IEEE 802.1p & MPLS traffic engineering

  15. Protocol Stack

  16. Security Issues
      Four major components:
      • Mutual authentication
      • Secure channel establishment
      • Per-packet encryption
      • Filtering function

  17. Security Issues (diagram)
      • User’s profile: public key, subscription status
      • RADIUS client, DHCP, filter

  18. Mutual Authentication
      • RADIUS (Remote Authentication Dial-In User Service)
      • IP-based authentication (~802.11 proposal)
      • Basic steps:
        • Obtaining an IP address (DHCP)
        • Login session
          • Access point acts as relay agent to the virtual operator
        • Challenge-response protocol for authentication
        • Send the user’s profile

  19. Secure Channel Establishment
      • After authentication
        • The user’s profile, including his/her public key, is transferred to the access point
        • The access point sends a session key encrypted under the corresponding public key
      • IPSec together with ESP can be used for security at the IP layer, depending on user requests

  20. Authorization Control
      • Based on user credentials, packets can be filtered at the access point
        • Passed through (authenticated with the session key)
        • Sent to the authentication engine (logging in)
        • Blocked (unauthorized traffic)

  21. Mobility Issues
      • Mobility should be supported at layer 3
      • Multiple subnetworks within PamLAN
      • Micromobility
        • Roaming within PamLAN

  22. Mobility Issues (cont’d)
      • Possible approaches
        • Cellular IP:
          • A routing update message is sent from the mobile device
          • The new AP, each router along the way, and the gateway update their routing tables
          • The mobile device periodically sends paging packets
          • The process is a burden when a large number of mobile devices are being served
        • MPLS based: only the end points have to update location
          • The old and new access points and the Internet gateway need to be informed

  23. Cellular IP

  24. Cellular IP (diagram: routing update)
      • Routing entries are refreshed periodically

  25. Mobility Issues (cont’d)
      • Fast AAA handoff
        • No repetitive authentication
        • Move the user profile from the old access point to the new one (contains public key, old session key, mobile device IP, old session’s access policy)
        • The old AP signals the RADIUS server to terminate the current accounting session
        • The new AP generates a new session key
        • The new AP sends the old session key and the new session key encrypted under the user’s public key
        • The user uses the new session key to establish a secure connection with the new AP

  26. Fast AAA handoff (diagram: old AP → new AP, “Fetch the profile”)
      • The profile contains: user’s public key, old session key, mobile device’s IP, access policy…

  27. Fast AAA handoff (diagram: old AP, new AP)
      • The old AP signals to the RADIUS server the termination of the current accounting session.

  28. Fast AAA handoff (diagram: new AP → user, “New session key + Old session key”)
      • The new AP encrypts the new session key and the old session key using the user’s public key and sends the result to the user in a UDP packet

  29. Fast AAA handoff (diagram: “New session key”, “Establish a secure connection”)
      • The mobile device decrypts these keys and compares the old session key with the one it holds
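The session-key delivery of slide 19 and the fast AAA handoff of slides 25 to 29, as an added example (not code from the paper or the presentation): the new AP encrypts the new session key together with the old one under the user's public key, and the mobile accepts the handoff only if the echoed old key equals the one it already holds. RSA-OAEP, the 16-byte session key, the OAEP label, the function names and the constructed old key are assumptions of this example; the slides name neither the public-key scheme nor the UDP packet layout.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
)

const keyLen = 16                             // session key length (assumption)
var label = []byte("pamlan-fast-aaa-handoff") // OAEP label (assumption)

// NewAPHandoff is the new AP's side (slides 25 and 28): using the public key and old
// session key from the fetched profile, return newKey||oldKey encrypted under the public key.
func NewAPHandoff(userPub *rsa.PublicKey, oldSession []byte) (newKey, ct []byte, err error) {
	newKey = make([]byte, keyLen)
	if _, err = rand.Read(newKey); err != nil {
		return nil, nil, err
	}
	msg := append(append([]byte{}, newKey...), oldSession...)
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, msg, label)
	return newKey, ct, err
}

// MobileAccept is the mobile's side (slide 29): decrypt and take the new key only if the
// echoed old key matches the one it holds; a sender without the genuine profile is refused.
func MobileAccept(priv *rsa.PrivateKey, ownOld, ct []byte) (newKey []byte, ok bool) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, label)
	if err != nil || len(msg) != 2*keyLen || subtle.ConstantTimeCompare(msg[keyLen:], ownOld) != 1 {
		return nil, false
	}
	return msg[:keyLen], true
}

// SimulateHandoff shows both outcomes: the genuine exchange is accepted, while the same
// ciphertext offered to a mobile holding a different old key is refused.
func SimulateHandoff() (genuineOK, mismatchRefused bool) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	oldKey := []byte("0123456789abcdef") // constructed: the key agreed with the old AP (slide 19)
	newKey, ct, err := NewAPHandoff(&priv.PublicKey, oldKey)
	if err != nil {
		panic(err)
	}
	got, ok := MobileAccept(priv, oldKey, ct)
	genuineOK = ok && subtle.ConstantTimeCompare(got, newKey) == 1
	_, ok = MobileAccept(priv, make([]byte, keyLen), ct)
	return genuineOK, !ok
}
```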

  30. Conclusion
      • Secure
      • Economical
      • Extensible
        • Multiple service providers
        • Multiple air interfaces
        • Variety of services appropriate for coming generations of Internet appliances

  31. Reference
