UPMT – Universal Per-application Mobility management using Tunnels
Stefano Salsano - stefano.salsano@uniroma2.it
Marco Bonola - marco.bonola@uniroma2.it
Always best connected (ABC)
• ABC service concept: automatic selection of the “best” interface in the mobile device
• Dates back to the early 2000s, but turning ABC services into reality is still a challenge: do we need to change networking equipment, existing applications, networking stacks?
• True ABC services require “per-application” mobility; typical solutions offer “per-device” mobility
• 3G offload renews interest in the ABC concept
UPMT: Universal Per-application Mobility management using Tunnels
Per-application (even per-flow) independent management of connectivity
Key features
• works on existing networks
• supports private IP networks / NAT
• works with ALL existing applications
• no changes in the correspondent hosts
• implemented on Linux and Android platforms
The problem space for ABC services
[Figure: mind map centred on Always Best Connected (ABC) services. Labels in the figure: Decision policies (IP level measurements, link level measurements, cost, security, reputation, location based); OS related aspects (legacy applications, mobility-aware applications); Mobility Management (per-application mobility vs. per-device mobility; choice of mobility layer: Layer 2 / Network / Shim / Transport / Application); Business scenarios (operator centric, user centric, corporate net. centric, aggregator centric, over-the-top prov. centric).]
Other solutions
• None of the existing solutions fully satisfies the ABC requirements:
  • Mobile IPv4
  • Mobile IPv6
  • Proxy Mobile IP v4|v6
  • SIP based mobility
  • Host Identity Protocol
Basic principles of UPMT (see figure in next slide)
• IP in UDP tunnels from the Mobile Host to the Anchor Node, one tunnel per interface
• The Anchor Node provides a “second level” NAT; the Correspondent Hosts are unaware of UPMT
• Each application can be independently sent over one of the tunnels
• The applications see a Virtual Interface: they are shielded from any mobility/handover issue and from loss of connectivity on the physical interfaces
• The SIP protocol is used for mobility management signaling between Mobile Host and Anchor Node
Basic principles of UPMT
[Figure: the Mobile Host (MH) exposes a Virtual Interface to its applications. Two IP/UDP tunnels (Tunnel 1, Tunnel 2) leave the MH over two access networks, each through its own “first level” NAT (NAT 1, NAT 2), cross the public Internet and terminate at the Anchor Node (AN), which applies the “second level” NAT before forwarding to the Correspondent Host (CH).]
UPMT scalability
[Figures: five variants of the same deployment, all with the Mobile Host (MH) attached to three access networks (labelled AN1, AN2 with public IPs, and AN3 in the figure; AN2 and AN3 sit behind a local NAT) and reaching the public Internet through them.]
• The basic scenario foresees a “centralized” Anchor Node: the MH tunnels to the Anchor Node (AN), whose anchor NAT forwards to the Correspondent Host.
• Multiple Anchor Nodes can be supported: a second Anchor Node (AN 2) serves a second Correspondent Host.
• A “fixed” host with UPMT modules can play the role of the Anchor Node, e.g. for over-the-top providers.
• Direct Mobile Host to Mobile Host communication: a second MH, behind its own NAT (MH NAT), terminates the tunnel.
• All together: Anchor Nodes, fixed host and MH-to-MH paths coexist.
IP in UDP tunneling
[Figure: packet layout. Tunnel header: IP (src: real_iface_addr, dst: AN_addr) + UDP. Original header: IP (src: virtual iface, dst: CH_addr) + UDP or TCP + application payload.]
• Protocol independent native NAT traversal
• Overhead and tunnel multiplexing (with respect to GRE, IP-in-IP)
• A simple user-space implementation is possible
UPMT Virtual interface
[Figure: the virtual interface upmt0 sits above the physical interfaces ppp0, eth0 and wifi0; the figure labels the addresses involved IP x, IP y and IP z.]
• The virtual interface hides IP reconfiguration and connectivity loss of the underlying NICs
• Legacy applications see a standard interface; the encapsulation and the mobility management are completely hidden
Virtual IP addresses
[Figure: the virtual interface upmt0 carries the “local” Virtual IP address (local-VIPA); the Anchor Node assigns a Per Association Unique Virtual IP address (pau-VIPA). Below it are the physical interfaces ppp0, eth0 and wifi0 with their physical IP addresses (IP x, IP y, IP z).]
• The packet undergoes one internal NAT from the local-VIPA to the pau-VIPA assigned by the Anchor Node
Security: S-UPMT
• Signaling protection MANDATORY: PKI, TLS
• Data protection OPTIONAL: IPsec
• Optional IPsec, otherwise like HIP… but what about IPsec NAT traversal?
• What happens after an unpredictable handover (break-before-make)?
  • Need for a complete TLS channel re-establishment? Can’t do otherwise: the IP has changed, the socket has been closed…
  • Need for IPsec SA re-establishment? Complete re-negotiation? MOBIKE (IKEv2 mobility)?
S-UPMT: Signaling protection
• PHASE 1
  • TLS authentication
  • VIPA exchange
  • IPsec indication
• PHASE 2 (IPsec supported)
  • IPsec SA negotiation inside the TLS channel
  • SAs bound to VIPAs (see later on)
  • Signaling protected by IPsec
  • Data protection by IPsec
• PHASE 2 (no IPsec)
  • New (tunneled) TLS channel
  • Signaling protected by TLS
  • No data protection
S-UPMT: IPsec data protection
• IPsec is applied independently of the UDP encapsulation
• IPsec SAs are bound to VIPAs, which never change
• NO need for SA re-establishment (like HIP, but without requiring a new stack)
S-UPMT: Data protection
[Figure: packet layouts. IPsec tunnel mode between MH and AN, with a UPMT compressed header; IPsec transport mode for end-to-end protection.]
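The three slides above ("IP in UDP tunneling", "Virtual IP addresses" and "IPsec SAs are bound to VIPAs") describe one mechanism from three angles; the following is an added example, written for this page and not code from the UPMT project, that models it in user space: the Mobile Host rewrites local-VIPA to pau-VIPA, wraps the packet in IP/UDP towards the Anchor Node, and the Anchor Node unwraps it. It then sends the same application packet over a second tunnel, as after a break-before-make handover, to show what changes (the outer tunnel endpoint) and what does not (the inner packet, hence anything keyed on the VIPAs). All addresses, the tunnel UDP port 50000 and the payload are constructed for the example; the kernel module, the AN's second-level NAT and the SIP signaling are not modelled.

```python
"""Added example, not code from the UPMT project: a user-space model of the
IP-in-UDP tunnel from the slides. All addresses, the tunnel UDP port (50000)
and the payload are constructed; the kernel module, the AN's second-level NAT
and the SIP signaling that tells the AN about a new endpoint are not modelled."""
import socket
import struct

UDP_PROTO = 17


def ipv4_checksum(data):
    """RFC 1071 one's-complement sum; a header that includes its checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def udp_header(sport, dport, payload_len):
    # Checksum 0 = "not computed" (legal for IPv4); it keeps the inner packet independent
    # of the VIPA rewrite. A TCP inner packet would need its pseudo-header checksum
    # patched incrementally (RFC 1624) as well.
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def parse_ipv4(pkt):
    """Check the header checksum and return proto, src, dst and the payload."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"proto": f[6], "src": socket.inet_ntoa(f[8]),
            "dst": socket.inet_ntoa(f[9]), "payload": pkt[ihl:f[2]]}


def mh_encapsulate(app_pkt, local_vipa, pau_vipa, iface_addr, an_addr, port):
    """Mobile Host output path: internal NAT local-VIPA -> pau-VIPA, then an
    IP/UDP tunnel header from the chosen physical interface to the AN."""
    if parse_ipv4(app_pkt)["src"] != local_vipa:
        raise ValueError("packet did not come from the virtual interface")
    ihl = (app_pkt[0] & 0x0F) * 4
    hdr = bytearray(app_pkt[:ihl])
    hdr[12:16] = socket.inet_aton(pau_vipa)  # rewrite the source address ...
    hdr[10:12] = b"\x00\x00"                   # ... and refresh the header checksum
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    inner = bytes(hdr) + app_pkt[ihl:]
    outer = ipv4_header(iface_addr, an_addr, UDP_PROTO, 8 + len(inner))
    return outer + udp_header(port, port, len(inner)) + inner


def an_decapsulate(tunnel_pkt, an_addr, port):
    """Anchor Node input path: return the tunnel endpoint (outer src, UDP sport),
    i.e. what the AN sees after the first-level NAT, and the inner packet."""
    outer = parse_ipv4(tunnel_pkt)
    if outer["dst"] != an_addr or outer["proto"] != UDP_PROTO:
        raise ValueError("not a UPMT tunnel packet for this AN")
    sport, dport, ulen, _ = struct.unpack("!HHHH", outer["payload"][:8])
    if dport != port:
        raise ValueError("wrong tunnel port")
    return (outer["src"], sport), outer["payload"][8:ulen]


def handover_demo():
    """Same application packet over tunnel 1 (wifi) and, after a handover,
    tunnel 2 (3G); compare what the AN sees in the two cases."""
    local_vipa, pau_vipa, ch = "10.0.0.1", "10.100.0.7", "198.51.100.10"
    an, port = "203.0.113.5", 50000
    payload = udp_header(40000, 5060, 5) + b"hello"
    app_pkt = ipv4_header(local_vipa, ch, UDP_PROTO, len(payload)) + payload
    via_wifi = mh_encapsulate(app_pkt, local_vipa, pau_vipa, "192.168.1.20", an, port)
    via_3g = mh_encapsulate(app_pkt, local_vipa, pau_vipa, "10.20.30.40", an, port)
    ep_before, inner_before = an_decapsulate(via_wifi, an, port)
    ep_after, inner_after = an_decapsulate(via_3g, an, port)
    inner = parse_ipv4(inner_before)
    return {
        # the outer endpoint changes, so the AN must learn it (UPMT: SIP signaling) ...
        "endpoint_before": ep_before[0],
        "endpoint_after": ep_after[0],
        # ... while the inner packet, and thus anything bound to the VIPAs such as
        # an IPsec SA, is byte-for-byte the same on both tunnels
        "inner_unchanged": inner_before == inner_after,
        "inner_src": inner["src"],
        "inner_dst": inner["dst"],
        "overhead_bytes": len(via_wifi) - len(app_pkt),  # 20 (IP) + 8 (UDP)
    }


if __name__ == "__main__":
    print(handover_demo())
```

The 28-byte overhead is the price paid for the NAT traversal the slides mention; the AN identifies the tunnel by the (outer source address, UDP source port) pair it observes after the first-level NAT, so a handover is invisible to the Correspondent Host only once that pair has been updated on the AN, which is the job of the signaling channel and the reason the signaling, not the data, is the part that must be re-established.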
UPMT modules in a Mobile Host
[Figure: block diagram of the MH modules: Graphical User Interface, Policies, Classification of flows and applications, Mobility management mechanisms, Decision engine, Interfaces/networks manager, QoS/QoE measurements.]
Classification of flows/applications
• A flow is identified by the 5-tuple: (protocol, IP src, IP dst, Layer 4 source port, Layer 4 destination port)
• The complete 5-tuple is generally known only after a flow has started, but we need to intercept the flow from its very first packet
• We enhanced the Linux kernel so that process IDs are (internally) carried together with the packets
Implementation architecture (MH side)
[Figure: User space: the GUI, the Network Manager and the UPMT Configuration Tool talk to the UCE (UPMT Control Entity) via DBUS, JNI and function calls; the UCE contains the Signaling Agent, the Application Monitor, the Conn-Tracker Proxy and an interface for external modules; the UPMT module and an exception filter reach the kernel through a local socket and a NETLINK socket. Kernel space: UPMT Connection Tracker, UPMT Tunneling, PAFT.]
UPMT packet flow (OUTPUT)
[Figure: output path, distinguishing packets from applications NOT under UPMT control, packets from applications under UPMT control, and internal signaling and function calls. Slide footer: 18/09/2014.]
UPMT packet flow (INPUT)
[Figure: input path.]
Policies: some examples
• Never run “bulk transfer” applications on expensive and/or resource-limited access networks.
• When connected as a guest to a wifi that only provides web access, use the wifi only for the browser.
• For a voice call, use wifi if the quality is OK; move to 3G if the quality on wifi is bad AND the quality on 3G is better.
Policies: configuration language
  ***IP BASED POLICIES***
  160.80.54.34/32 static wifi0
  160.81.0.0/16 noUPMT
  160.80.80.150 -AN=160.80.80.150 default
  ***APPLICATION POLICIES***
  application1 noUPMT
  application2 default
  firefox priorityList eth0 wifi0 ppp0 any
  skype static wifi0
  ssh priorityList eth+ wifi0 ppp0
  application3 priorityList wifi0:ssid=wifi-campus ppp0:apn=ibox.tim.it
  application4 priorityList eth1 wifi+:ssid=!wifi-campus ppp0:apn!=ibox.tim.it
  application5 myPolicy
  application6 myPolicy
  application7 myPolicy
  ***DEFINITION OF USER POLICIES***
  myPolicy priorityList eth+ wifi+
  ***DEFINITION OF SYSTEM POLICIES***
  default static any
  upmtSignalling default
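The configuration above and the "Classification of flows/applications" slide together describe the decision path: a packet is intercepted on its first appearance, tied to the sending process, and matched against the policy file. The following is an added example, written for this page and not the UPMT project's code, that parses the slide's policy language and applies it to constructed flows. The keyword semantics are my reading of the slide and are marked as assumptions in the code: `priorityList` and `static` take the first available interface in list order, `eth+` is a name prefix, `:ssid=x`, `:ssid=!x` and `:apn!=x` test interface attributes, `-AN=` selects the Anchor Node for a destination, a matching IP rule (longest prefix) takes precedence over the application rule, and a process with no rule follows the system `default`. A pid-to-application table stands in for the PID the UPMT kernel carries with each packet; the interface state (eth0 down, wifi0 on `wifi-campus`, ppp0 on `ibox.tim.it`) is constructed.

```python
"""Added example, not the UPMT project's code: parser and resolver for the policy
language on the 'Policies: configuration language' slide, driven by a first-packet
flow classifier keyed on the 5-tuple plus the sending process."""
import ipaddress
from collections import namedtuple

# Subset of the slide's configuration (section-title typos fixed).
POLICY_TEXT = """
***IP BASED POLICIES***
160.80.54.34/32 static wifi0
160.81.0.0/16 noUPMT
160.80.80.150 -AN=160.80.80.150 default
***APPLICATION POLICIES***
firefox priorityList eth0 wifi0 ppp0 any
application3 priorityList wifi0:ssid=wifi-campus ppp0:apn=ibox.tim.it
application4 priorityList eth1 wifi+:ssid=!wifi-campus ppp0:apn!=ibox.tim.it
application5 myPolicy
***DEFINITION OF USER POLICIES***
myPolicy priorityList eth+ wifi+
***DEFINITION OF SYSTEM POLICIES***
default static any
"""

Iface = namedtuple("Iface", "name up attrs")            # attrs e.g. {"ssid": "wifi-campus"}
Flow = namedtuple("Flow", "proto src dst sport dport")  # the 5-tuple


def parse_policies(text):
    """Four sections; an IP rule keeps (network, -AN=<anchor> or None, action tokens)."""
    sections, current = {"ip": [], "app": {}, "user": {}, "system": {}}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("***"):
            title = line.strip("*").upper()
            current = ("ip" if "IP BASED" in title else "app" if "APPLICATION" in title
                       else "user" if "USER" in title else "system")
            continue
        tokens = line.split()
        if current != "ip":
            sections[current][tokens[0]] = tokens[1:]
            continue
        anchor = next((t[4:] for t in tokens if t.startswith("-AN=")), None)  # assumption
        sections["ip"].append((ipaddress.ip_network(tokens[0], strict=False), anchor,
                               [t for t in tokens[1:] if not t.startswith("-")]))
    return sections


def iface_matches(spec, iface):
    """'any' | 'wifi0' | 'eth+' (prefix), with optional ':key=v', ':key=!v' or ':key!=v'."""
    name, _, cond = spec.partition(":")
    if name != "any" and not (iface.name.startswith(name[:-1]) if name.endswith("+")
                              else iface.name == name):
        return False
    if not cond:
        return True
    key, value = cond.replace("!=", "=!").split("=", 1)  # both negation spellings
    if value.startswith("!"):
        return iface.attrs.get(key) != value[1:]
    return iface.attrs.get(key) == value


def resolve(action, sections, ifaces, depth=0):
    """('noUPMT', None) or ('tunnel', iface_name or None). Assumptions: 'static' and
    'priorityList' take the first *available* interface in list order (None if none
    is up, so the flow waits); other keywords name a user, then a system policy."""
    if depth > 8:
        raise ValueError("policy reference loop")
    kw, args = action[0], action[1:]
    if kw == "noUPMT":
        return ("noUPMT", None)
    if kw in ("static", "priorityList"):
        return next((("tunnel", i.name) for spec in args for i in ifaces
                     if i.up and iface_matches(spec, i)), ("tunnel", None))
    ref = sections["user"].get(kw) or sections["system"].get(kw)
    if ref is None:
        raise ValueError("unknown policy %r" % kw)
    return resolve(ref, sections, ifaces, depth + 1)


def classify(flow, pid, sections, ifaces, pid_to_app, conntrack):
    """First packet of a flow decides; later packets of the same 5-tuple hit the cache."""
    if flow not in conntrack:
        dst = ipaddress.ip_address(flow.dst)
        hits = [r for r in sections["ip"] if dst in r[0]]
        if hits:  # assumption: a matching IP rule (longest prefix) beats the application rule
            _, anchor, action = max(hits, key=lambda r: r[0].prefixlen)
            conntrack[flow] = (*resolve(action, sections, ifaces), anchor)
        else:     # processes without a rule follow the system 'default' policy
            action = sections["app"].get(pid_to_app.get(pid), ["default"])
            conntrack[flow] = (*resolve(action, sections, ifaces), None)
    return conntrack[flow]


def demo():
    """Constructed state: eth0 down, wifi0 on 'wifi-campus', ppp0 on 'ibox.tim.it'."""
    ifaces = [Iface("eth0", False, {}), Iface("wifi0", True, {"ssid": "wifi-campus"}),
              Iface("ppp0", True, {"apn": "ibox.tim.it"})]
    pids = {1001: "firefox", 1003: "application4", 1004: "application5"}
    sections, ct, v = parse_policies(POLICY_TEXT), {}, "10.0.0.1"

    def go(proto, dst, sport, dport, pid):
        return classify(Flow(proto, v, dst, sport, dport), pid, sections, ifaces, pids, ct)

    return {
        "firefox": go("tcp", "93.184.216.34", 40001, 443, 1001),
        "application4": go("tcp", "93.184.216.36", 40003, 80, 1003),
        "application5": go("tcp", "93.184.216.37", 40004, 22, 1004),
        "intranet": go("tcp", "160.81.4.4", 40005, 80, 1001),
        "pinned_an": go("tcp", "160.80.80.150", 40006, 80, 1001),
        "unknown_app": go("tcp", "93.184.216.38", 40007, 80, 9999),
        "firefox_cached": go("tcp", "93.184.216.34", 40001, 443, 0),  # cache hit, pid ignored
    }
```

Two points worth noticing when running it: `application4` resolves to no interface at all, because both its conditional entries are negated attributes that happen to match the current networks, which is the kind of outcome an availability-based policy (the only kind the slides say is currently supported) cannot repair without a fallback entry such as `any`; and the cached decision for the second firefox packet shows why the slides insist on intercepting the first packet, since the process identity is only consulted once per 5-tuple.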
Two types of Policies
• Interface Availability based policies: only need to know the up/down status of the interfaces and the IP configuration parameters. Currently supported.
• Measurement based policies: link level measurements, IP level measurements / QoE measurements. Currently NOT supported (work in progress!)
Business scenarios UPMT can be used in different business scenarios: • Operator centric • User centric • Corporate Net. centric • Aggregator centric • Over-the-top Prov. centric
System level performances
[Figure: two throughput plots, in packets/s, one for the Mobile Host (MH) and one for the Anchor Node (AN).]
Linux and Android implementation
• The UPMT implementation is open source: http://netgroup.uniroma2.it/UPMT
• Tunneling and flow classification are implemented in kernel space for performance/scalability
• A UPMT Live distribution for Linux is available; it can be configured to be a Mobile Host or an Anchor Node
• Porting on Android (2.2 platform), Nexus One terminal
• Kernel modules ported, patch for multiple interfaces
Work in progress…
• QoS/QoE measurement based handover
• Estimation of available bandwidth and delay
• MUPPET: Multi Parameter IP Performance Evaluation Tool
• End-to-end mobility management (from mobile host to mobile host, without relaying through the Anchor Node when possible)
• Control GUI on Android
• APIs for UPMT aware applications
• Header compression mechanisms
Take home message • To the best of our knowledge, UPMT is the only implemented solution that provides: • per-application handover • support of all legacy applications • overlay approach with no support from routers and access network • support of NAT • support of legacy correspondent host moreover, it is open source…
References • M. Bonola, S. Salsano, A. Polidoro, “UPMT: Universal Per-Application Mobility Management using Tunnels”, IEEE GLOBECOM 2009 • M. Bonola, S. Salsano, “Achieving Scalability in the UPMT Mobility Management Solution”, Future Network & Mobile Summit 2010, 16 – 18 June 2010, Florence, Italy. • M. Bonola, S. Salsano, “Per-application Mobility Management: Performance Evaluation of the UPMT Solution”, IWCMC 2011, Istanbul, Turkey, July 2011 • S. Salsano, M. Bonola, “The UPMT solution”, technical report, http://netgroup.uniroma2.it/TR/UPMT.pdf
Work in progress
• S. Salsano, M. Bonola, A. Gambitta, A. Bianchi, “UPMT: Per-Application Mobility Management in Mobile Broadband Networks”, submitted to the IEEE Communications Magazine special issue on Traffic Management for Mobile Broadband Networks
• M. Bonola, S. Salsano, “S-UPMT: a secure Vertical Handover solution based on IP in UDP tunneling and IPsec”, to be submitted to the Wiley WCMC journal
The UPMT team • Marco Bonola (marco.bonola@uniroma2.it) • Stefano Salsano (stefano.salsano@uniroma2.it) • Alessio Bianchi, Andrea Gambitta, Fabio Patriarca, Fabio Ludovici, Enrico Gagliano, Andrea Capitani, Belen Ibanez, Daniele Dedda, Alessandro Tramontozzi, Pier Luigi Ventre, Aurelio Franconeri