Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-00.txt) - PowerPoint PPT Presentation

1
Media-Independent Pre-Authentication
(draft-ohba-mobopts-mpa-framework-00.txt)
Ashutosh Dutta, Telcordia Technologies; Yoshihiro
Ohba (Ed.), Kenichi Taniuchi, Toshiba America
Research Inc.; Henning Schulzrinne, Columbia
University
Prepared for IRTF MOBOPTS WG, March 8th, 62nd
IETF, Minneapolis
2
Outline
  • Motivation
  • Handoff Delay during Wireless Internet Roaming
  • Fast Handoff Related Work
  • Proposed Method: Media-independent
    Pre-Authentication
  • Demonstration and Results
  • Conclusions/Future Work

3
Motivation
  • It is desirable to limit the jitter, delay and
    packet loss for real-time and non-real-time
    traffic
    • e.g., 150 ms end-to-end delay for interactive
      traffic such as VoIP; 2% packet loss is allowed
  • Delay due to handoff takes place at several
    layers
    • Layer 2 (handoff between APs)
    • Layer 3 (IP address acquisition, configuration,
      authentication, authorization)
    • Binding update, media redirection
  • Rapid handoff will contribute to overall delay
    and packet loss
  • Thus it is essential to reduce the handoff delay
    introduced at different layers
  • We propose a fast-handoff mechanism to reduce the
    handoff delay and packet loss

4
Handoff Latency
[Figure: message sequence among MN, AP1, AP2, DHCP
server/PPP/FA, Next Access Router, HA/SIP Server,
AA Server and CN. The MN binds to AP1 (media
flowing, 802.11i), then binds to AP2, followed by
ICMP Router Discovery/Router Advertisement,
DHCP/MIP CoA/PPP or stateless auto-configuration,
DAD/ARP, AAA, MIP BU/SIP Re-Invite and IGMP,
after which new media flows.]
  Δ1: L2 hand-over latency delay
  Δ2: Delay due to IP address acquisition and
      configuration, authentication, authorization
  Δ3: Binding update and media redirection delay
5
Problem in Mobility Management Protocols
  • Problem 1 (performance): Operations for updating
    higher-layer context (i.e., IP address
    acquisition, mobility binding update,
    authentication etc.) occur after link-layer
    handover
    • Processing and/or signaling delay for each
      operation accumulates
    • Longer packet loss period due to handoff delay
    • No solutions exist for single-interface hosts
  • Problem 2 (security): Existing mobility
    optimization mechanisms do not provide secure
    handover signaling, especially for roaming cases
    • A secure mobility optimization mechanism that is
      tied with AAA (Authentication, Authorization and
      Accounting) and can deal with inter-subnet and
      inter-domain handover is needed
  • Problem 3 (applicability): Existing mobility
    optimization mechanisms are tightly coupled with
    particular mobility management protocols
    • FMIPv6 and HMIP are defined for Mobile IPv6 only
    • A mobility optimization mechanism that is
      applicable to any mobility management protocol is
      needed

6
Mobility Optimization - Related Work
  • Cellular IP, HAWAII - Micro Mobility
  • MIP-Regional Registration, Mobile-IP low latency,
    IDMP
  • HMIPv6, FMIPv6 (IPv6)
  • Yokota et al - Link Layer Assisted handoff
  • Shin et al, Velayos et al - Layer 2 delay
    reduction
  • Gwon et al, - Tunneling between FAs, Enhanced
    Forwarding PAR
  • SIP-Fast Handoff - Application layer mobility
    optimization
  • DHCP Rapid-Commit, Optimized DAD - Faster IP
    address acquisition

7
Media-independent Pre-Authentication (MPA)
  • MPA is a mobile-assisted higher-layer
    authentication, authorization and handover scheme
    that is performed prior to establishing L2
    connectivity to a network to which the mobile may
    move in the near future
  • MPA provides a secure and seamless mobility
    optimization that works for
    • Inter-subnet handoff
    • Inter-domain handoff
    • Inter-technology handoff
    • Use of multiple interfaces
  • MPA works with any mobility management protocol
    • MIP (v4, v6), SIPMM etc.

8
Functional Components of MPA
  • Pre-authentication/authorization
    • Used for establishing a security association (SA)
      between the mobile and a network to which the
      mobile may move
    • L2 pre-authentication can also be enabled based
      on the established SA
  • Pre-configuration
    • Used for establishing contexts specific to the
      network to which the mobile may move (e.g., nCoA)
    • The SA created in (1) is used to perform a
      secured configuration procedure
  • Secured Proactive Handover
    • Used for sending/receiving IP packets based on
      the pre-authorized contexts by using the contexts
      of the current network

9
Expected Result during handoff
[Figure: two timelines, conventional method versus
MPA, from discovery of a new AP in the neighboring
subnet to completion of the L3 handoff.]
Conventional method: discover new AP in the
neighboring subnet; L2 handoff starts; L2
auth/authz starts; L2 handoff completes; L3 handoff
starts; L3 auth/config starts; L3 auth/authz
completes; L3 handoff completes.
MPA: discover new AP in the neighboring subnet;
pre-auth/pre-config starts; pre-auth/pre-config
completes (L2 SAs can be completed here); L2
handoff starts; L2 handoff completes; L3 handoff
starts; L3 handoff completes.
Critical period (communication interruption can
occur) is marked on both timelines; with MPA it
covers only the L2/L3 handoff itself.
10
Pre-Authentication
SIP mobility is just an example mobility
protocol; MPA works for any mobility management
protocol.
[Figure: MN in subnet X exchanging DATA with CN
(CN<->A(X)); the MN performs pre-authentication
with the AA of subnet Y, which also has a CA and
an AR.]
CN Correspondent Node, MN Mobile Node, AA
Authentication Agent, CA Configuration Agent, AR
Access Router
11
Pre-configuration
[Figure: MN in subnet X exchanging DATA with CN
(CN<->A(X)); the MN-CA key is in place and the MN
performs pre-configuration with the CA of subnet
Y.]
CN Correspondent Node, MN Mobile Node, AA
Authentication Agent, CA Configuration Agent, AR
Access Router
IP address: A(X). Current subnet: X. Status:
pre-authentication done. Action: pre-configuration.
12
Pre-Configuration (Cont.)
[Figure: MN in subnet X exchanging DATA with CN
(CN<->A(X)); the MN-AR key is in place and the MN
runs the Secure Proactive Handover tunnel
establishment procedure with the AR of subnet Y.]
CN Correspondent Node, MN Mobile Node, AA
Authentication Agent, CA Configuration Agent, AR
Access Router
IP address: A(X), A(Y). Current subnet: X. Status:
pre-configuration done. Action: SPH initiation.
13
Secured Proactive Handover Main Phase
[Figure: MN in subnet X exchanging DATA with CN
(CN<->A(X)); using the MN-AR key, the MN sends a
SIP Re-Invite (CN<->A(Y)) over the proactive
handover tunnel (AR<->A(X)) to the AR of subnet
Y.]
CN Correspondent Node, MN Mobile Node, AA
Authentication Agent, CA Configuration Agent, AR
Access Router
IP address: A(X), A(Y). Current subnet: X. Status:
PH tunnel established. Action: SIP Re-Invite.
14
Secured Proactive Handover Completion
[Figure: DATA CN<->A(Y) now flows over the
proactive handover tunnel (AR<->A(X)); the MN runs
the proactive handover stop procedure, performs the
L2 handoff procedure and receives data in the new
domain.]
CN Correspondent Node, MN Mobile Node, AA
Authentication Agent, CA Configuration Agent, AR
Access Router
IP address: A(X), A(Y). Current subnet: X. Status:
SIP Re-Invite done. Action: PH completion.
15
Mobile-assisted Seamless Handoff (a scenario)

[Figure: the Mobile is attached to AP0/AR in its
Current Network and talks to CN; Network 1 and
Network 2 (each with an AR) are candidate target
networks (CTN); Network 3 (AP3, AR) is the target
network (TN).]
CTN Candidate Target Networks, TN Target Network
Information Service (e.g., 802.21) mechanism can
help locate the neighboring network elements in
the candidate target networks (CTN)
16
MPA Communication Flow
[Figure: MN attached at oPoA with an existing
session using oCoA; the Candidate Target Network
contains nPoA, AA, CA and AR; CN is the peer.]
  1. Found CTN: pre-authentication (authentication
     protocol); MN-CA key established
  2. High probability to switch to the CTN: MN-AR key
     established; pre-configuration (configuration
     protocol to get nCoA; tunnel management protocol
     to establish PHT)
  3. Determined to switch to the CTN: secure proactive
     update phase (binding update and data
     transmission over PHT using nCoA)
  4. BU completion and ready to switch: secure
     proactive handover pre-switching phase (tunnel
     management protocol to delete PHT)
  5. Switching: post-switching phase (reassignment of
     nCoA to its physical interface; new data using
     nCoA)
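The ordering constraint that slides 8 and 16 describe (pre-configuration needs the SA from pre-authentication, the tunnel needs the MN-AR key, the binding update needs the tunnel, and switching needs the tunnel torn down) can be written down as a small state machine. The following is an added example, not code from the draft or the presenters; the phase names follow the slides, while the key strings, the shape of the AA reply and the identifiers (`MobileNode`, `run_full_handover`, `pre_configure_without_preauth`) are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, List, Optional, Tuple


class Phase(Enum):
    IDLE = auto()
    CTN_FOUND = auto()          # 1. candidate target network discovered
    PRE_AUTHENTICATED = auto()  # MN-CA and MN-AR keys obtained via the AA
    PRE_CONFIGURED = auto()     # 2. nCoA obtained, PHT established
    BU_DONE = auto()            # 3. binding update sent over the PHT
    PHT_DELETED = auto()        # 4. pre-switching phase done
    SWITCHED = auto()           # 5. nCoA on the physical interface


class MpaOrderError(Exception):
    """A phase was attempted before the context it depends on exists."""


@dataclass
class MobileNode:
    ocoa: str                               # address in the current network
    phase: Phase = Phase.IDLE
    ctn: Optional[str] = None
    keys: Dict[str, str] = field(default_factory=dict)
    ncoa: Optional[str] = None
    pht: Optional[Tuple[str, str, str]] = None   # (outer src, outer dst, key)
    log: List[str] = field(default_factory=list)

    def _require(self, expected: Phase, step: str) -> None:
        if self.phase is not expected:
            raise MpaOrderError(
                f"{step} requires phase {expected.name}, MN is in {self.phase.name}")

    def find_ctn(self, ctn: str) -> None:
        self._require(Phase.IDLE, "CTN discovery")
        self.ctn, self.phase = ctn, Phase.CTN_FOUND
        self.log.append(f"1. found CTN {ctn}")

    def pre_authenticate(self, aa_reply: Dict[str, str]) -> None:
        """Step 1 continued: the AA of the CTN hands back the keys (assumed shape)."""
        self._require(Phase.CTN_FOUND, "pre-authentication")
        if not {"MN-CA", "MN-AR"} <= set(aa_reply):
            raise MpaOrderError("pre-authentication did not yield MN-CA and MN-AR keys")
        self.keys, self.phase = dict(aa_reply), Phase.PRE_AUTHENTICATED
        self.log.append(f"   pre-authenticated with the AA of {self.ctn}")

    def pre_configure(self, ncoa: str) -> None:
        """Step 2: configuration protected by the MN-CA key, PHT keyed by the MN-AR key."""
        self._require(Phase.PRE_AUTHENTICATED, "pre-configuration")
        self.ncoa = ncoa
        self.pht = (self.ocoa, ncoa, self.keys["MN-AR"])
        self.phase = Phase.PRE_CONFIGURED
        self.log.append(f"2. got nCoA {ncoa}, PHT {self.ocoa}->{ncoa} established")

    def binding_update(self) -> str:
        """Step 3: BU and data go over the PHT using nCoA; returns the address bound."""
        self._require(Phase.PRE_CONFIGURED, "binding update")
        self.phase = Phase.BU_DONE
        self.log.append(f"3. BU sent over PHT using nCoA {self.ncoa}")
        return self.ncoa

    def delete_pht(self) -> None:
        self._require(Phase.BU_DONE, "PHT deletion")
        self.pht, self.phase = None, Phase.PHT_DELETED
        self.log.append("4. PHT deleted, ready to switch")

    def switch(self) -> str:
        self._require(Phase.PHT_DELETED, "switching")
        self.phase = Phase.SWITCHED
        self.log.append(f"5. switched, nCoA {self.ncoa} on the physical interface")
        return self.ncoa


def run_full_handover(ocoa: str = "A(X)", ncoa: str = "A(Y)", ctn: str = "subnet Y") -> MobileNode:
    """Drive one MN through the five steps of slide 16 in order."""
    mn = MobileNode(ocoa=ocoa)
    mn.find_ctn(ctn)
    mn.pre_authenticate({"MN-CA": "k_ca", "MN-AR": "k_ar"})  # constructed key values
    mn.pre_configure(ncoa)
    mn.binding_update()
    mn.delete_pht()
    mn.switch()
    return mn


def pre_configure_without_preauth() -> str:
    """Pre-configuration with no SA from pre-authentication must be refused."""
    mn = MobileNode(ocoa="A(X)")
    mn.find_ctn("subnet Y")
    try:
        mn.pre_configure("A(Y)")
    except MpaOrderError as err:
        return str(err)
    return "accepted"


if __name__ == "__main__":
    print("\n".join(run_full_handover().log))
    print(pre_configure_without_preauth())
```

The point of `_require` is that every phase checks for the exact context the previous phase produced, so a configuration or tunnel request that arrives without the SA from pre-authentication is refused rather than silently processed with whatever keys happen to be present.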
17
MPA Optimization Issues
  • Network Discovery
    • Discover the neighboring network elements (e.g.,
      routers, APs, Authentication Agents)
    • 802.21 (Information Service), 802.11u, WIEN SG,
      CARD, DNS/SLP
  • Proactive IP Address Acquisition
  • Proactive Duplicate IP Address Detection
  • Proactive Address Resolution
  • Proactive Tunnel Management
  • Proactive Mobility Binding Update
  • Bootstrap Link-layer Security in CTN using L3
    Pre-authentication

18
Protocol Set for the MPA demonstration
  • Pre-authentication protocol: PANA
  • Pre-configuration protocol: PANA, DHCP Relay
  • Proactive handover tunneling protocol: IP-in-IP
  • Proactive handover tunnel management protocol: PANA
  • Mobility management protocol: SIP Mobility
  • Link-layer security: None
19
Experimental Network in the Lab.
[Figure: lab network with MN, AP1, AP2, R1, R2 and
CN; IP0 10.10.40.20, IP1 10.10.10.223.]
AP1, AP2 Access Point; R1, R2 Access Router; MN
Mobile Node; CN Correspondent Node; IP0, IP1 IP
address of MN
20
Protocol flow for MPA
[Figure: message sequence among CN, R2 and AP2
(Network 2, 802.11), R1 and AP1 (Network 1,
802.11), MN and the DHCP server (Network 3). Steps
as annotated on the slide:]
  • MN obtains IP0 via DHCP and assigns it to the
    physical I/F; data flows
  • PANA (pre-authentication and pre-configuration to
    obtain IP1); address acquisition using DHCP relay
  • MN assigns IP1 to the tunnel I/F; tunnel
    (IP0-IP1) established
  • SIP Re-invite with IP1; data
  • MN deletes the tunnel with a PANA update
  • L2 handover; MN assigns IP1 to the physical I/F
    (packet loss period)
  • Data
21
Protocol Flow for Non-MPA
22
Performance (MPA vs. Non-MPA)
  • MPA
    • No packet loss during pre-authentication,
      pre-configuration and proactive handoff before
      L2 handoff
    • Only 1 packet lost, 14 ms delay during handoff,
      mostly transient data
    • Includes delay due to layer 2 and the update to
      delete the tunnel on the router
    • We also reduced the layer 2 delay in the hostap
      driver
    • L2 delay depends upon driver and chipset
  • Non-MPA
    • About 200 packets lost, 4 s delay during
      handover
    • Includes standard delay due to layer 2, IP
      address acquisition, Re-Invite,
      Authentication/Authorization
    • Could be more if firewalls are also set up

[Figure: packet traces for the MPA approach and the
non-MPA approach, both over 802.11; the non-MPA
trace shows a 4 s handoff gap.]
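The two figures on this slide (1 packet lost and a short gap with MPA, about 200 packets and 4 s without it) are the kind of numbers one reads off a receiver-side RTP capture: sequence-number gaps give the loss count, the largest inter-arrival gap gives the interruption. The following is an added example, not the presenters' measurement code; the two traces are constructed inside the block, and the 16 ms packet spacing is the only figure taken from the deck (slide 27). The names `RtpPacket`, `summarize`, `constructed_trace` and `compare` are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SPACING_MS = 16.0  # RTP packets spaced 16 ms apart, as on slide 27


@dataclass(frozen=True)
class RtpPacket:
    seq: int      # RTP sequence number (no 16-bit wrap in these traces)
    t_ms: float   # receive time in milliseconds


def missing_sequence_numbers(trace: List[RtpPacket]) -> List[int]:
    """Sequence numbers never received, from the gaps between consecutive packets."""
    missing: List[int] = []
    for prev, cur in zip(trace, trace[1:]):
        missing.extend(range(prev.seq + 1, cur.seq))
    return missing


def longest_gap(trace: List[RtpPacket]) -> Tuple[float, int]:
    """Largest inter-arrival gap (ms) and the last sequence number seen before it."""
    best_gap, before = 0.0, trace[0].seq
    for prev, cur in zip(trace, trace[1:]):
        gap = cur.t_ms - prev.t_ms
        if gap > best_gap:
            best_gap, before = gap, prev.seq
    return best_gap, before


def summarize(trace: List[RtpPacket]) -> Dict[str, float]:
    """Loss count and observable interruption for one receiver-side trace."""
    lost = missing_sequence_numbers(trace)
    gap_ms, before = longest_gap(trace)
    return {
        "packets_received": len(trace),
        "packets_lost": len(lost),
        "longest_gap_ms": gap_ms,
        "interruption_ms": gap_ms - SPACING_MS,  # delay beyond the normal spacing
        "gap_after_seq": before,
    }


def constructed_trace(first_seq: int, count: int,
                      blackout: Tuple[float, float]) -> List[RtpPacket]:
    """Constructed receiver trace: packets are sent every SPACING_MS from t=0 and a
    packet sent inside the blackout window [start, end) never arrives. A real
    trace would come from a capture, not from this generator."""
    start, end = blackout
    return [RtpPacket(first_seq + i, i * SPACING_MS)
            for i in range(count) if not (start <= i * SPACING_MS < end)]


# Constructed inputs modelled on the slide-22 comparison: MPA loses one packet
# (blackout of one spacing interval); non-MPA suffers a 4 s outage.
MPA_TRACE = constructed_trace(40300, 100, (640.0, 656.0))
NON_MPA_TRACE = constructed_trace(40300, 400, (1000.0, 5000.0))


def compare() -> Dict[str, Dict[str, float]]:
    return {"mpa": summarize(MPA_TRACE), "non_mpa": summarize(NON_MPA_TRACE)}


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

`interruption_ms` subtracts the normal spacing so that a single dropped packet shows up as one interval of interruption rather than two; on the constructed non-MPA trace the same function reports 250 lost packets and a 4000 ms interruption, i.e. the 4 s gap the slide's figure shows.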
23
Conclusions/Future Work
  • MPA framework provides an optimized mobility
    management solution independent of the mobility
    protocol used
  • We demonstrated an initial prototype
    implementation and results
  • MPA works over single interface and multiple
    interfaces (e.g., 802.11, CDMA)
  • Define a more integrated architecture that works
    in conjunction with an information discovery
    scheme (e.g., 802.21, 802.11u)
  • Comments/Suggestions/Questions
  • Next steps?

24
Thank you!
25
Comments from the group
  • This framework is dependent upon a good network
    discovery scheme
    • We may need to set up temporary tunnels with more
      than one network
    • Need a smarter algorithm to decide the exact
      network the mobile may move to
  • Binding Update (is it necessary to do it
    beforehand?)
    • In MIPv6 we may need to do a next-hop care-of
      address check
    • What do we gain by doing the binding update ahead
      of time?
  • Need for pre-configuration?
    • How much time does it take to do the
      pre-configuration?
    • Pre-configuration usually does not affect the
      handoff delay or packet loss
  • Layer 2 delay reduction
  • How can it work with other mobility management
    techniques (e.g., MIPv6)?

26
Backup Slides
27
MPA Experimental Flow (proactive handoff)
(possible backup)
[Figure: timestamped trace (seconds) among CN, R2,
DHCP and MN across Network 1, Network 2 and Network
3; RTP packets spaced 16 ms. Events in the order
the slide lists them; timestamps are paired with
the adjacent label as laid out on the slide:]
  • RTP on IP0; DHCP; PANA; PANA (BIND); DHCP (IP1);
    tunnel setup; RTP (tunneled packets)
  • 8.913: SIP Re-INVITE (IP1) as BU; OK (tunneled);
    OK; no packets lost during BU
  • 9.030: RTP
  • 9.136: ACK; RTP (39835), tunneled data
  • 9.267: RTP (40335)
  • 19.283: handoff decision, PANA trigger to delete
    tunnel
  • 19.285: PANA response
  • 19.291: RTP (40336)
  • 19.298: RTP (40337)
  • 19.315: tunnel deleted; RTP (40340)
  • 19.379: RTP (40341), lost packet (non-tunnel)
  • 19.393: IWCONFIG (IOCTL), L2 handoff and local L3
    configuration
  • 19.395: X; 19.394: JOIN (Auth/Assoc, ifconfig,
    route)
  • 19.408: JOIN (ACK)
  • 19.411: RTP (40342), first packet in new network
    (non-tunneled), on IP1
28
Bootstrapping Link-layer security using L3-Preauth
[Figure: the MN, attached to AP1 in the Current
Network, (1) pre-authenticates with the AA of the
CTN; (2) the AA delivers keys (TSK) to AP2 and
AP3 in the CTN; (3, 4) the MN forms a secure
association with AP2 and AP3 using those keys.]
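Slide 28 only says that the AA delivers keys (TSK) to the APs of the candidate target network after pre-authentication and that the MN then forms secure associations with them. The following added example models that key distribution and the association check; it is not the draft's or the presenters' code. The derivation (HMAC-SHA256 over a label, the MN identity and the AP identity under the key material that resulted from L3 pre-authentication), the class and function names (`AuthenticationAgent`, `derive_tsk`, `secure_association`, `demo`) and all key and nonce values are assumptions made for the illustration.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List


def derive_tsk(root_key: bytes, mn_id: str, ap_id: str) -> bytes:
    """Per-(MN, AP) transient session key. Assumed construction: HMAC-SHA256 of a
    label, the MN identity and the AP identity under the key that resulted from
    L3 pre-authentication. The MN and the AA compute it independently, so each
    AP in the CTN ends up with a key bound to its own identity."""
    info = b"MPA-TSK|" + mn_id.encode() + b"|" + ap_id.encode()
    return hmac.new(root_key, info, hashlib.sha256).digest()


class AuthenticationAgent:
    """AA of the candidate target network. `ap_keys` models the key tables of the
    APs it serves after the step-2 key delivery."""

    def __init__(self, ap_ids: Iterable[str]) -> None:
        self.ap_ids: List[str] = list(ap_ids)
        self.ap_keys: Dict[str, Dict[str, bytes]] = {ap: {} for ap in self.ap_ids}

    def on_pre_authenticated(self, mn_id: str, root_key: bytes) -> List[str]:
        """Step 1 has succeeded (the pre-auth run itself is not modelled); step 2:
        push a distinct TSK for this MN to every AP in the CTN."""
        for ap in self.ap_ids:
            self.ap_keys[ap][mn_id] = derive_tsk(root_key, mn_id, ap)
        return self.ap_ids


def secure_association(aa: AuthenticationAgent, ap_id: str, mn_id: str,
                       mn_root_key: bytes, nonce: bytes) -> bool:
    """Steps 3/4: the MN proves possession of the TSK the AP holds for it.
    Returns True only when both sides derived the same key."""
    mn_proof = hmac.new(derive_tsk(mn_root_key, mn_id, ap_id),
                        b"assoc|" + nonce, hashlib.sha256).digest()
    ap_tsk = aa.ap_keys.get(ap_id, {}).get(mn_id)
    if ap_tsk is None:            # this AP never received a key for this MN
        return False
    expected = hmac.new(ap_tsk, b"assoc|" + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(mn_proof, expected)


def demo() -> Dict[str, bool]:
    root = bytes(32)                              # constructed pre-auth key material
    aa = AuthenticationAgent(["AP2", "AP3"])      # APs of the CTN, as on slide 28
    aa.on_pre_authenticated("mn-1", root)
    nonce = b"constructed-nonce"
    return {
        "AP2": secure_association(aa, "AP2", "mn-1", root, nonce),
        "AP3": secure_association(aa, "AP3", "mn-1", root, nonce),
        # AP1 belongs to the current network: the CTN's AA pushed it nothing
        "AP1": secure_association(aa, "AP1", "mn-1", root, nonce),
        # an MN holding different key material cannot associate
        "wrong_key": secure_association(aa, "AP2", "mn-1", bytes([1]) * 32, nonce),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the AP identity into the derivation is the design choice worth noting: a key handed to AP2 is of no use at AP3, so compromising one AP in the CTN does not yield the keys the MN will use at the others.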
29
Mobile Wireless Internet A Scenario (possible
backup)
[Figure: Domain1 and Domain2 connected over the
Internet, each with a WAN; access via 802.11a/b/g
LANs and hotspots, a UMTS/CDMA network, an IPv6
network, a Bluetooth PAN and an ad hoc network; a
PSTN gateway to the PSTN; a roaming user and a CH.]
30
Single Radio Interface Roaming Scenario (possible
backup)
31
Multiple Radio Interface Roaming Scenario
(possible backup)