media independent pre authentication draft ohba mobopts mpa framework 00 txt n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-00.txt) PowerPoint Presentation
Download Presentation
Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-00.txt)

Loading in 2 Seconds...

play fullscreen
1 / 31

Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-00.txt) - PowerPoint PPT Presentation


  • 111 Views
  • Uploaded on

Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-00.txt). Ashutosh Dutta, Telcordia Technologies Yoshihiro Ohba (Ed.), Kenichi Taniuchi Toshiba America Research Inc. Henning Schulzrinne, Columbia University. Prepared for IRTF MOBOPTS WG

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-00.txt)' - thais


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
media independent pre authentication draft ohba mobopts mpa framework 00 txt

Media-Independent Pre-Authentication(draft-ohba-mobopts-mpa-framework-00.txt)

Ashutosh Dutta, Telcordia Technologies

Yoshihiro Ohba (Ed.), Kenichi Taniuchi

Toshiba America Research Inc.

Henning Schulzrinne, Columbia University

Prepared for IRTF MOBOPTS WG

March 8th, 62nd IETF, Minneapolis

outline
Outline
  • Motivation
  • Handoff Delay during Wireless Internet Roaming
  • Fast Handoff Related Work
  • Proposed Method: Media-independent Pre-Authentication
  • Demonstration and Results
  • Conclusions/Future Work
motivation
Motivation
  • It is desirable to limit the jitter, delay and packet loss for real-time and non-real-time traffic
    • e.g.,150 ms end-to-end delay for interactive traffic such as VoIP, 2% packet loss is allowed
  • Delay due to handoff takes place at several layers
    • Layer 2 (handoff between AP)
    • Layer 3 (IP address acquisition, Configuration, Authentication, Authorization)
    • Binding Update, Media Redirection
  • Rapid handoff will contribute to overall delay and packet loss
  • Thus it is essential to reduce the handoff delay introduced at different layers
  • We propose a fast-handoff mechanism to reduce the handoff-delay and packet loss
handoff latency

3

2

1

DHCP server/

PPP

/FA

Handoff Latency

Next

Access

Router

MN

AP1

AP2

HA/SIP Server

CN

AA

Server

Binds to AP1

Media

802.11i

1

Binds to AP2

ICMP Router Discovery/Router Advertisement

1- L2 Hand-over Latency Delay

2 – Delay due to

IP Address Acquisition and

Configuration, authentication, authorization

3 – Binding update and

Media Redirection delay

DHCP/ MIP CoA/PPP

Stateless Auto-configuration

2

DAD/ARP

AAA

MIP BU/SIP Re-Invite

3

IGMP

New Media

problem in mobility management protocols
Problem in Mobility Management Protocols
  • Problem 1 (performance): Operations for updating higher-layer context (i.e., IP address acquisition, mobility binding update, authentication etc.) occur after link-layer handover
    • Processing and/or signaling delay for each operation accumulates
    • Longer packet loss period due to handoff delay
    • No solutions exist for single-interface host
  • Problem 2 (security): Existing mobility optimization mechanisms do not provide secure handover signaling especially for roaming cases
    • A secure mobility optimization mechanism that is tied with AAA (Authentication, Authorization and Accounting) and can deal with inter-subnet and inter-domain handover is needed
  • Problem 3 (applicability): Existing mobility optimization mechanisms are tightly coupled with particular mobility management protocols
    • FMIPv6 and HMIP are defined for Mobile IPv6 only
    • A mobility optimization mechanism that is applicable to any mobility management protocol is needed
mobility optimization related work
Mobility Optimization - Related Work
  • Cellular IP, HAWAII - Micro Mobility
  • MIP-Regional Registration, Mobile-IP low latency, IDMP
  • HMIPv6, FMIPv6 (IPv6)
  • Yokota et al - Link Layer Assisted handoff
  • Shin et al, Velayos et al - Layer 2 delay reduction
  • Gwon et al, - Tunneling between FAs, Enhanced Forwarding PAR
  • SIP-Fast Handoff - Application layer mobility optimization
  • DHCP Rapid-Commit, Optimized DAD - Faster IP address acquisition
media independent pre authentication mpa
Media-independent Pre-Authentication (MPA)
  • MPA is:
    • a mobile-assisted higher-layer authentication, authorization and handover scheme that is performed prior to establishing L2 connectivity to a network where mobile may move in near future
  • MPA provides a secure and seamless mobility optimization that works for
    • Inter-subnet handoff
    • Inter-domain handoff
    • Inter-technology handoff
      • Use of multiple interfaces
  • MPA works with any mobility management protocol
    • MIP(v4,v6), SIPMM etc.
functional components of mpa
Functional Components of MPA
  • Pre-authentication/authorization
    • Used for establishing a security association (SA) between the mobile and a network to which the mobile may move
    • L2 pre-authentication can also be enabled based on the established SA
  • Pre-configuration
    • Used for establishing contexts specific to the network to which the mobile may move (e.g., nCoA)
    • The SA created in (1) are used to perform secured configuration procedure
  • Secured Proactive Handover
    • Used for sending/receiving IP packets based on the pre-authorized contexts by using the contexts of the current network
expected result during handoff
Expected Result during handoff

Discover

new AP

in the neighboring

subnet

L3

auth/config

starts

L3 handoff

starts

L2 handoff

starts

Conventional

Method

Time

L3 handoff

completes

L2 auth/authz,

starts

L2 handoff

completes

L3 auth/authz

completes

Discover

New AP

In the

neighboring

subnet

Pre-auth/

Pre-config

starts

L2 handoff

starts

L3 handoff

starts

MPA

Time

Pre-auth/

Pre-config

Completes

(L2 SAs can be ,

completed here.)

L2 handoff

completes

L3 handoff

completes

Critical period (communication interruption can occur)

pre authentication

MN

Pre-Authentication

SIP mobility is just an example mobility protocol. MPA works for any mobility management protocol

CN

DATA[CN<->A(X)]

AA

CA

AR

Subnet X

Subnet Y

pre-authentication

CN: Correspondent Node

MN: Mobile Node

AA: Authentication Agent

CA: Configuration Agent

AR: Access Router

pre configuration

MN

Pre-configuration

CN

DATA[CN<->A(X)]

MN-CA key

AA

CA

AR

Subnet X

Subnet Y

pre-configuration

CN: Correspondent Node

MN: Mobile Node

AA: Authentication Agent

CA: Configuration Agent

AR: Access Router

IP address: A(X)

Current subnet: X

Status: Pre-authentication done

Action: pre-configuration

pre configuration cont

MN

Pre-Configuration (Cont.)

CN

DATA[CN<->A(X)]

MN-AR key

AA

CA

AR

Subnet X

Subnet Y

Secure Proactive Handover tunnel establishment

procedure

CN: Correspondent Node

MN: Mobile Node

AA: Authentication Agent

CA: Configuration Agent

AR: Access Router

IP address: A(X), A(Y)

Current subnet: X

Status: Pre-configuration done

Action: SPH Initiation

secured proactive handover main phase

MN

Secured Proactive Handover: Main Phase

CN

DATA[CN<->A(X)]

MN-AR key

Re-Invite[CN<->A(Y)]

AA

CA

AR

Subnet X

Subnet Y

SIP Re-Invite over

proactive hanodver

tunnel [AR<->A(X)]

CN: Correspondent Node

MN: Mobile Node

AA: Authentication Agent

CA: Configuration Agent

AR: Access Router

IP address: A(X), A(Y)

Current subnet: X

Status: PH tunnel established

Action: SIP Re-Invite

secured proactive handover completion

MN

Secured Proactive Handover: Completion

CN

DATA [CN<->A(Y)]

over proactive hanover

tunnel [AR<->A(X)]

AA

CA

AR

Subnet X

Subnet Y

Proactive handover

stop procedure

L2 handoff procedure

Data in new

domain

CN: Correspondent Node

MN: Mobile Node

AA: Authentication Agent

CA: Configuration Agent

AR: Access Router

IP address: A(X), A(Y)

Current subnet: X

Status: SIP Re-Invite done

Action: PH Completion

mobile assisted seamless handoff a scenario

AP2

AP1

MN-CA key

MN-CA key

MN-CA key

AA

AA

AA

CA

CA

CA

Mobile-assisted Seamless Handoff (a scenario)

AR

Network 1

CTN

Network 2

AR

CTN

Mobile

Current

Network

TN

CTN – Candidate Target Networks

TN – Target Network

AR

AP0

Network 3

AP3

CN

Information Service (e.g.,802.21) mechanism can help locate the

neighboring network elements in the candidate target networks (CTN)

mpa communication flow
MPA Communication Flow

Candidate Target Network

CN

CA

AR

nPoA

AA

MN

oPoA

Existing session using oCoA

1. Found CTN

Pre-authentication

[Authentication Protocol]

MN-CA Key

2. High probability to

switch to the CTN

MN-AR Key

Pre-configuration

[Configuration Protocol to get nCoA]

Pre-configuration [tunnel management protocol to establish PHT

3. Determined to switch to

The CTN

Secure Proactive Update Phase

Binding Update + data Transmission over PHT using nCoA

4. BU completion and

Ready to switch

Secure proactive handover pre-switching phase

[tunnel management protocol to delete PHT]

5. Switching

Post Switching Phase: Reassignment of nCoA to its physical Interface

New Data using nCoA

mpa optimization issues
MPA Optimization Issues
  • Network Discovery
    • Discover the neighboring network elements (e.g., Routers, APs, Authentication Agents)
    • 802.21 (Information Service), 802.11u, WIEN SG, CARD, DNS/SLP
  • Proactive IP Address Acquisition
  • Proactive Duplicate IP address Detection
  • Proactive Address Resolution
  • Proactive Tunnel Management
  • Proactive Mobility Binding Update
  • Bootstrap Link-layer Security in CTN using L3 Pre-authentication
slide19

Network 2

Network 3

Network 1

AA

10.10.30/24

10.10.20.52/24

PANA

Agent

10.10.20.52/24

10.10.40.52/24

Relay/

Client

Proxy

R1

eth2

eth0

R2

eth0

AR

AR

IP2

10.10.10/24

DHCP

Server

DHCP

Server

CA

AP1(Channel 6)

SIP with VIC/RAT

Application

10.10.10.51

AP2(Channel 9)

ITSUMO network

CN

MN

MN

Move

10.10.30.25

Experimental Network in the Lab.

IP1: 10.10.10.223

IP0: 10.10.40.20

AP1, AP2: Access Point

R1, R2: Access Router

MN: Mobile Node

CN: Correspondent Node

IP0, IP1: IP address of MN

protocol flow for mpa
Protocol flow for MPA

Network 2 (802.11)

Network 3

Network 1 (802.11)

CN

R2

R1

AP2

MN

DHCP

AP1

Assign

IP0 to

Physical

I/F

DHCP

Data

Assign

IP1 to

Tunnel

I/F

PANA (Pre-Authentication and pre-configuration to obtain IP1)

Address

acquisition

Using DHCP

relay

Tunnel (IP0-IP1)

-

-

SIP Re-invite with IP1

-

-

Data

Deletes Tunnel with PANA Update

L2 handover

MN

Assign

IP1 to

Physical

I/F

Packet

loss period

Data

protocol flow for non mpa

Network 2 (802.11)

Network 3

Network 1 (802.11)

CN

R2

R1

AP2

MN

DHCP

AP1

Assign

IP0 to

Physical

I/F

Data

MN

L2 handover

-

-

DHCP

PANA

Assign

IP1 to

Physical

I/F

SIP Re-invite with IP1

Packet

loss period

Data

Protocol Flow for Non-MPA
performance mpa non mpa
Performance (MPA-Non-MPA)
  • MPA
    • No packet loss during pre-authentication, pre-configuration and pro-active handoff before L2 handoff
    • Only 1 packet loss, 14 ms delay during handoff mostly transient data
      • Includes delay due to layer 2, update to delete the tunnel on the router
      • We also reduced the layer 2 delay in hostap

Driver

      • L2 delay depends upon driver and chipset
  • non-MPA
    • About 200 packets loss, ~ 4 s during handover
      • Includes standard delay due to layer 2, IP address acquisition, Re-Invite, Authentication/Authorization
    • Could be more if we have firewalls also set up

MPA Approach

802.11

802.11

4 s

handoff

Non-MPA Approach

conclusions future work
Conclusions/Future Work
  • MPA framework provides an optimized mobility management solution independent of mobility protocol used
  • We demonstrated an initial prototype implementation and results
  • MPA works over single interface and multiple interfaces (e.g., 802.11, CDMA)
  • Define a more integrated architecture that works in conjunction information discovery scheme (e.g.,802.21, 802.11u)
  • Comments/Suggestions/Questions
  • Next steps?
comments from the group
Comments from the group
  • This framework is dependent upon a good network discovery scheme
    • We may need to set up temporary tunnels with more than one network temporarily
    • Need a smarter algorithm to decide the exact network the mobile may move
  • Binding Update ( Is it necessary to do it beforehand)
    • In MIPv6 we may need to do next-hop care of address check
    • What do we gain by doing binding update ahead of time
  • Need for pre-configuration ?
  • How much time it takes to do the pre-configuration
  • Pre-configuration usually does not affect the handoff delay or packet loss
  • Layer 2 delay reduction
  • How can it work with other mobility management techniques (e.g.. MIPv6)
mpa experimental flow proactive handoff possible backup

Signal

RTP Data

Lost RTP Data

MPA Experimental Flow (proactive handoff) (possible backup)

Tunneled packet

DHCP

CN

R2

MN

MN

Network 1

Network 3

Network 2

RTP

IP0

DHCP

PANA

PANA (BIND)

DHCP(IP1)

Tunnel

Setup

RTP

RTP

SIP Re_INVITE (IP1)

8.913

BU

OK (tunneled)

OK

No

Packets

lost

During BU

RTP packets

Spaced ~16 ms

9.030

RTP

9.136

ACK

Tunneled Data

RTP (39835)

9.267

RTP (40335)

19.283

Handoff

Decision

PANA Trigger to delete tunnel

19.285

PANA Response

19.291

RTP (40336)

19.298

RTP (40337)

19.315

Tunnel

deleted

RTP (40340)

19.379

Lost packet (non-tunnel)

RTP (40341)

L2 handoff

+ local L3

Configuration

19.393

IWCONFIG (IOCTL)

19.395

X

19.394

JOIN

(Auth/Assoc, ifconfig, route,)

19.408

JOIN (ACK)

First packet in new network (non-tunneled)

RTP (40342)

19.411

IP1

bootstrapping link layer security using l3 preauth
Bootstrapping Link-layer security using L3-Preauth

Current

Network

CTN

1. Pre-authentication

AA

2 . Keys (TSK)

AP1

AP2

AP3

3. Secure

Association

4. Secure

Association

MN

MN

MN

slide29

Mobile Wireless Internet: A Scenario (possible backup)

Domain1

Internet

Domain2

PSTN gateway

WAN

802.11a/b/g

WAN

UMTS/

CDMA

IPv6

Network

Bluetooth

802.11 a/b/g

LAN

PSTN

Hotspot

LAN

PAN

CH

Roaming

User

UMTS/CDMA

Network

Ad Hoc

Network

single radio interface roaming scenario possible backup

Provider A

Subnet A2(or ESS A2)

Subnet B1 (or ESS B1)

Subnet A1(or ESS A1)

Provider B

IEEE 802.11 LAN

IEEE 802.11LAN

IEEE 802.11LAN

Intra-domain

Inter-subnet MIH

Inter-domain

Inter-subnet MIH

Single Radio Interface Roaming Scenario (possible backup)
multiple radio interface roaming scenario possible backup

3GPP Cellular Network

IEEE 802.11LAN

IEEE 802.11 LAN

WLAN: deactivated

Cellular: activated

The mobile finds WLAN AP through information discovery over the activated I/F

The mobile quickly activates the WLAN I/F and switch to it.

The mobile may deactivate the cellular I/F

Multiple Radio Interface Roaming Scenario (possible backup)