Title: Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-00.txt)
1. Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-00.txt)
Ashutosh Dutta, Telcordia Technologies
Yoshihiro Ohba (Ed.), Kenichi Taniuchi, Toshiba America Research Inc.
Henning Schulzrinne, Columbia University
Prepared for IRTF MOBOPTS WG, March 8th, 62nd IETF, Minneapolis
2. Outline
- Motivation
- Handoff Delay during Wireless Internet Roaming
- Fast Handoff Related Work
- Proposed Method: Media-independent Pre-Authentication
- Demonstration and Results
- Conclusions/Future Work
3. Motivation
- It is desirable to limit the jitter, delay and packet loss for real-time and non-real-time traffic
  - e.g., 150 ms end-to-end delay for interactive traffic such as VoIP, 2 packet loss is allowed
- Delay due to handoff takes place at several layers
  - Layer 2 (handoff between APs)
  - Layer 3 (IP address acquisition, configuration, authentication, authorization)
  - Binding update, media redirection
- Rapid handoff will contribute to overall delay and packet loss
- Thus it is essential to reduce the handoff delay introduced at different layers
- We propose a fast-handoff mechanism to reduce the handoff delay and packet loss
4. Handoff Latency
[Figure: handoff latency timeline. The MN binds to AP1 and later to AP2; the other entities are the next access router, DHCP server/PPP/FA, HA/SIP server, AA server and CN. Steps shown on the timeline: 802.11i, ICMP Router Discovery/Router Advertisement, DHCP/MIP CoA/PPP or stateless auto-configuration, DAD/ARP, AAA, MIP BU/SIP Re-Invite, IGMP, new media.]
- Δ1: L2 hand-over latency delay
- Δ2: delay due to IP address acquisition and configuration, authentication, authorization
- Δ3: binding update and media redirection delay
5. Problem in Mobility Management Protocols
- Problem 1 (performance): Operations for updating higher-layer context (i.e., IP address acquisition, mobility binding update, authentication etc.) occur after link-layer handover
  - Processing and/or signaling delay for each operation accumulates
  - Longer packet loss period due to handoff delay
  - No solutions exist for single-interface host
- Problem 2 (security): Existing mobility optimization mechanisms do not provide secure handover signaling, especially for roaming cases
  - A secure mobility optimization mechanism that is tied with AAA (Authentication, Authorization and Accounting) and can deal with inter-subnet and inter-domain handover is needed
- Problem 3 (applicability): Existing mobility optimization mechanisms are tightly coupled with particular mobility management protocols
  - FMIPv6 and HMIP are defined for Mobile IPv6 only
  - A mobility optimization mechanism that is applicable to any mobility management protocol is needed
6. Mobility Optimization - Related Work
- Cellular IP, HAWAII - Micro Mobility
- MIP-Regional Registration, Mobile-IP low latency, IDMP
- HMIPv6, FMIPv6 (IPv6)
- Yokota et al. - Link Layer Assisted handoff
- Shin et al., Velayos et al. - Layer 2 delay reduction
- Gwon et al. - Tunneling between FAs, Enhanced Forwarding PAR
- SIP-Fast Handoff - Application layer mobility optimization
- DHCP Rapid-Commit, Optimized DAD - Faster IP address acquisition
7. Media-independent Pre-Authentication (MPA)
- MPA is a mobile-assisted higher-layer authentication, authorization and handover scheme that is performed prior to establishing L2 connectivity to a network to which the mobile may move in the near future
- MPA provides a secure and seamless mobility optimization that works for
  - Inter-subnet handoff
  - Inter-domain handoff
  - Inter-technology handoff
  - Use of multiple interfaces
- MPA works with any mobility management protocol
  - MIP (v4, v6), SIPMM etc.
8. Functional Components of MPA
- (1) Pre-authentication/authorization
  - Used for establishing a security association (SA) between the mobile and a network to which the mobile may move
  - L2 pre-authentication can also be enabled based on the established SA
- (2) Pre-configuration
  - Used for establishing contexts specific to the network to which the mobile may move (e.g., nCoA)
  - The SA created in (1) is used to perform the secured configuration procedure
- (3) Secured Proactive Handover
  - Used for sending/receiving IP packets based on the pre-authorized contexts by using the contexts of the current network
9. Expected Result during handoff
[Figure: two timelines, one per method; the critical period, during which communication interruption can occur, is marked on each.]
- Conventional method: discover new AP in the neighboring subnet; L2 handoff starts; L2 auth/authz starts; L2 handoff completes; L3 handoff starts; L3 auth/config starts; L3 auth/authz completes; L3 handoff completes
- MPA: discover new AP in the neighboring subnet; pre-auth/pre-config starts; pre-auth/pre-config completes (L2 SAs can be completed here); L2 handoff starts; L2 handoff completes; L3 handoff starts; L3 handoff completes
10. Pre-Authentication
SIP mobility is just an example mobility protocol. MPA works for any mobility management protocol.
[Figure: MN in subnet X exchanges DATA CN<->A(X) with CN; pre-authentication runs between MN and the AA of subnet Y, which also hosts the CA and AR.]
Legend: CN Correspondent Node; MN Mobile Node; AA Authentication Agent; CA Configuration Agent; AR Access Router
11. Pre-configuration
[Figure: DATA CN<->A(X) continues; pre-configuration runs between MN and the CA of subnet Y, protected with the MN-CA key.]
MN state: IP address A(X); current subnet X; status: pre-authentication done; action: pre-configuration
12. Pre-Configuration (Cont.)
[Figure: DATA CN<->A(X) continues; the Secure Proactive Handover tunnel establishment procedure runs between MN and the AR of subnet Y, protected with the MN-AR key.]
MN state: IP address A(X), A(Y); current subnet X; status: pre-configuration done; action: SPH initiation
13. Secured Proactive Handover Main Phase
[Figure: DATA CN<->A(X) continues; the SIP Re-Invite CN<->A(Y) is carried over the proactive handover tunnel AR<->A(X), protected with the MN-AR key.]
MN state: IP address A(X), A(Y); current subnet X; status: PH tunnel established; action: SIP Re-Invite
14. Secured Proactive Handover Completion
[Figure: DATA CN<->A(Y) is delivered over the proactive handover tunnel AR<->A(X); then the proactive handover stop procedure, the L2 handoff procedure, and data in the new domain.]
MN state: IP address A(X), A(Y); current subnet X; status: SIP Re-Invite done; action: PH completion
15. Mobile-assisted Seamless Handoff (a scenario)
[Figure: the mobile is attached through AP0 to its current network; Networks 1, 2 and 3, each with its own AR (Network 3 via AP3), are candidate target networks (CTN), one of which becomes the target network (TN); CN is also shown.]
Legend: CTN Candidate Target Networks; TN Target Network
Information Service (e.g., 802.21) mechanism can help locate the neighboring network elements in the candidate target networks (CTN)
16. MPA Communication Flow
[Figure: message sequence between MN (attached to oPoA, existing session using oCoA) and the AA, CA, AR and nPoA of the candidate target network, plus CN.]
1. Found CTN: pre-authentication (authentication protocol between MN and AA) yields the MN-CA key and the MN-AR key
2. High probability to switch to the CTN: pre-configuration (configuration protocol with CA to get nCoA; tunnel management protocol with AR to establish the PHT)
3. Determined to switch to the CTN: secure proactive update phase (binding update; data transmission over PHT using nCoA)
4. BU completion and ready to switch: secure proactive handover pre-switching phase (tunnel management protocol to delete the PHT)
5. Switching: post-switching phase (reassignment of nCoA to its physical interface; new data using nCoA)
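An added example, not from the draft or its prototype, that walks the five phases of this flow and the three components of slide 8 in Python. The key derivation (HMAC-SHA256 from a pre-authentication key), message formats and message authentication are assumptions; the draft leaves them to PANA and the tunnel management protocol. The point shown is that the SA from phase 1 gates pre-configuration and tunnel management: an unauthenticated request gets no nCoA and no PHT.

```python
# Added example; not the draft's or prototype's code. KDF and MAC are assumed.
import hmac
import hashlib

def derive_key(msk: bytes, label: bytes) -> bytes:
    """Assumed KDF: MN-CA and MN-AR keys derived from the pre-authentication key."""
    return hmac.new(msk, label, hashlib.sha256).digest()

def tag(key: bytes, msg: bytes) -> bytes:
    """Assumed message authentication: HMAC-SHA256 over the message."""
    return hmac.new(key, msg, hashlib.sha256).digest()

class CandidateTargetNetwork:
    """CA and AR of the CTN; the AA has handed them the keys after phase 1."""
    def __init__(self, msk: bytes, ncoa: str):
        self.mn_ca_key = derive_key(msk, b"MN-CA")
        self.mn_ar_key = derive_key(msk, b"MN-AR")
        self.ncoa, self.pht = ncoa, None   # pht: (oCoA, nCoA) while established

    def configure(self, req: bytes, t: bytes):
        """CA, phase 2: hand out nCoA only to a request tagged with the MN-CA key."""
        if not hmac.compare_digest(tag(self.mn_ca_key, req), t):
            raise PermissionError("pre-configuration request not authenticated")
        return self.ncoa, tag(self.mn_ca_key, self.ncoa.encode())

    def tunnel(self, op: bytes, ocoa: str, t: bytes):
        """AR, phases 2 and 4: establish or delete the PHT under the MN-AR key."""
        if not hmac.compare_digest(tag(self.mn_ar_key, op + ocoa.encode()), t):
            raise PermissionError("tunnel management request not authenticated")
        self.pht = (ocoa, self.ncoa) if op == b"establish" else None
        return self.pht

def run_mpa(msk: bytes, ocoa: str, ncoa: str):
    """MN side: walk phases 1-5 of the flow; returns (phase log, final PHT)."""
    ctn = CandidateTargetNetwork(msk, ncoa)
    k_ca, k_ar = derive_key(msk, b"MN-CA"), derive_key(msk, b"MN-AR")
    log = ["1 pre-authentication: MN-CA and MN-AR keys established"]
    got, t = ctn.configure(b"request nCoA", tag(k_ca, b"request nCoA"))
    if not hmac.compare_digest(tag(k_ca, got.encode()), t):
        raise PermissionError("nCoA reply not authenticated")   # MN checks the CA too
    log.append("2 pre-configuration: nCoA " + got)
    pht = ctn.tunnel(b"establish", ocoa, tag(k_ar, b"establish" + ocoa.encode()))
    log.append("3 binding update and data over PHT %s using nCoA" % (pht,))
    ctn.tunnel(b"delete", ocoa, tag(k_ar, b"delete" + ocoa.encode()))
    log.append("4 PHT deleted, ready to switch")
    log.append("5 switched: nCoA " + got + " on physical interface")
    return log, ctn.pht
```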
17. MPA Optimization Issues
- Network Discovery
  - Discover the neighboring network elements (e.g., routers, APs, authentication agents)
  - 802.21 (Information Service), 802.11u, WIEN SG, CARD, DNS/SLP
- Proactive IP Address Acquisition
- Proactive Duplicate IP Address Detection
- Proactive Address Resolution
- Proactive Tunnel Management
- Proactive Mobility Binding Update
- Bootstrap Link-layer Security in CTN using L3 Pre-authentication
18. Protocol Set for the MPA demonstration
- Pre-authentication protocol: PANA
- Pre-configuration protocol: PANA, DHCP Relay
- Proactive handover tunneling protocol: IP-in-IP
- Proactive handover tunnel management protocol: PANA
- Mobility management protocol: SIP Mobility
- Link-layer security: None
19. Experimental Network in the Lab
[Figure: lab testbed with AP1, AP2 (Access Points), R1, R2 (Access Routers), MN (Mobile Node) and CN (Correspondent Node). IP0 10.10.40.20 and IP1 10.10.10.223 are the IP addresses of the MN.]
20. Protocol flow for MPA
[Figure: message sequence among MN, AP1/R1 (Network 1, 802.11), AP2/R2 (Network 2, 802.11), DHCP (Network 3) and CN.]
- MN obtains IP0 via DHCP in Network 1 and assigns IP0 to its physical I/F; data flows with CN
- PANA (pre-authentication and pre-configuration to obtain IP1); address acquisition using DHCP relay
- MN assigns IP1 to its tunnel I/F; tunnel (IP0-IP1) set up with R2
- SIP Re-Invite with IP1; data continues over the tunnel
- MN deletes the tunnel with a PANA update
- L2 handover to AP2 (packet loss period)
- MN assigns IP1 to its physical I/F; data resumes
21. Protocol Flow for Non-MPA
22. Performance (MPA vs. Non-MPA)
- MPA
  - No packet loss during pre-authentication, pre-configuration and proactive handoff before L2 handoff
  - Only 1 packet lost, 14 ms delay during handoff, mostly transient data
  - Includes delay due to layer 2 and the update to delete the tunnel on the router
  - We also reduced the layer 2 delay in the hostap driver
  - L2 delay depends upon driver and chipset
- Non-MPA
  - About 200 packets lost, 4 s during handover
  - Includes standard delay due to layer 2, IP address acquisition, Re-Invite, authentication/authorization
  - Could be more if we have firewalls also set up
[Figure: packet traces of the MPA approach and the non-MPA approach across the 802.11 handoff; the non-MPA trace shows the 4 s handoff gap.]
23. Conclusions/Future Work
- MPA framework provides an optimized mobility management solution independent of the mobility protocol used
- We demonstrated an initial prototype implementation and results
- MPA works over a single interface and multiple interfaces (e.g., 802.11, CDMA)
- Define a more integrated architecture that works in conjunction with an information discovery scheme (e.g., 802.21, 802.11u)
- Comments/Suggestions/Questions
- Next steps?
24. Thank you!
25. Comments from the group
- This framework is dependent upon a good network discovery scheme
  - We may need to set up temporary tunnels with more than one network temporarily
  - Need a smarter algorithm to decide the exact network the mobile may move
- Binding Update (is it necessary to do it beforehand?)
  - In MIPv6 we may need to do next-hop care-of address check
  - What do we gain by doing binding update ahead of time?
- Need for pre-configuration?
  - How much time it takes to do the pre-configuration
  - Pre-configuration usually does not affect the handoff delay or packet loss
- Layer 2 delay reduction
- How can it work with other mobility management techniques (e.g., MIPv6)
26. Backup Slides
27. MPA Experimental Flow (proactive handoff) (possible backup)
[Figure: packet trace among CN, DHCP, R2 and MN across Networks 1, 2 and 3; RTP packets are spaced 16 ms; times are capture timestamps in seconds.]
- RTP flows to IP0; DHCP and PANA (BIND) in Network 1, DHCP (IP1) via R2, tunnel setup; RTP continues, tunneled packets marked
- 8.913 SIP Re-INVITE (IP1), the BU; OK (tunneled), OK; no packets lost during BU
- 9.030 RTP
- 9.136 ACK; RTP (39835) as tunneled data
- 9.267 RTP (40335)
- 19.283 Handoff decision; PANA trigger to delete tunnel
- 19.285 PANA response
- 19.291 RTP (40336)
- 19.298 RTP (40337)
- 19.315 Tunnel deleted; RTP (40340)
- 19.379 RTP (40341): lost packet (non-tunnel)
- 19.393 IWCONFIG (IOCTL): L2 handoff, local L3 configuration
- 19.394 JOIN (auth/assoc, ifconfig, route); 19.395 marked X in the figure
- 19.408 JOIN (ACK)
- 19.411 RTP (40342): first packet in new network (non-tunneled), to IP1
28. Bootstrapping Link-layer security using L3-Preauth
[Figure: MN attached to AP1 in the current network; AP2 and AP3 in the CTN are served by its AA.]
1. Pre-authentication between MN and the AA of the CTN
2. Keys (TSK) delivered to the CTN's APs
3./4. Secure association between MN and each CTN AP (AP2, AP3)
29. Mobile Wireless Internet: A Scenario (possible backup)
[Figure: a roaming user moving across Domain1 and Domain2 over the Internet, with 802.11a/b/g LANs, a hotspot, a UMTS/CDMA network, an IPv6 network, a Bluetooth PAN, an ad hoc network, WAN links, a PSTN gateway to the PSTN, and CH.]
30. Single Radio Interface Roaming Scenario (possible backup)
31. Multiple Radio Interface Roaming Scenario (possible backup)