This draft proposes a framework for Media-Independent Pre-Authentication (MPA) that provides secure and seamless mobility optimization for inter-subnet, inter-domain, and inter-technology handoffs. It also includes case studies, deployment issues, and performance results.
A Framework of Media-Independent Pre-authentication (MPA) for Inter-domain Handover Optimization, draft-ohba-mobopts-mpa-framework-05.txt
Ashutosh Dutta, Victor Fajardo, Yoshihiro Ohba, Kenichi Taniuchi, Henning Schulzrinne
(See also draft-ohba-mobopts-mpa-implementation-04.txt for performance results.)
Media-independent Pre-Authentication (MPA)
• MPA is a mobile-assisted higher-layer authentication, authorization and handover scheme that is performed before establishing L2 connectivity to a network where the mobile may move in the near future
• MPA provides a secure and seamless mobility optimization that works for inter-subnet handoff, inter-domain handoff and inter-technology handoff
• MPA works with any mobility management protocol
[Figure: handover timeline, conventional method vs. MPA. Steps shown: AP discovery, client authentication, AP switching, IP address configuration & IP handover; pre-authentication in the MPA case; the packet loss period is marked on each timeline]
MPA Phases
• Pre-authentication: EAP pre-authentication to the CTN (Candidate Target Network)
• Pre-configuration: proactive IP address acquisition from the CTN
• Pre-switching: L3 handover execution over the MN-nAR tunnel
• Switching: L2 handover
• Post-switching: tunnel deletion
• Not all MPA phases have to be executed; a phase can be replaced with another mechanism
• MPA operation can stop at phase 1 (pre-auth only) or at phase 2 (pre-auth + pre-authorization)
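The phase ordering, the early-stop rule and the tunnel lifetime from this slide as a small Python model; this is an added example, not code from the draft or its implementation. The `external` set (a phase replaced by another mechanism), the `tunnel_up` flag and the outage-step computation are assumptions about how to represent the slide's rules.

```python
from enum import Enum

class Phase(Enum):
    """MPA phases in the order the slide lists them."""
    PRE_AUTH = 1      # EAP pre-authentication to the candidate target network (CTN)
    PRE_CONFIG = 2    # proactive IP address acquisition from the CTN
    PRE_SWITCH = 3    # L3 handover executed over the MN-nAR tunnel
    SWITCH = 4        # L2 handover
    POST_SWITCH = 5   # tunnel deletion

class MPAHandover:
    """State of one mobile node (MN) toward one CTN.

    `external` (an assumption of this model) lists phases that, as the slide
    says, are replaced by another mechanism; they count as satisfied.
    """

    def __init__(self, ctn, external=()):
        self.ctn = ctn
        self.done = []                  # completed phases, in execution order
        self.external = set(external)   # phases satisfied by another mechanism
        self.tunnel_up = False          # MN-nAR tunnel state (assumed flag)

    def _missing(self, phase):
        return [p.name for p in Phase if p.value < phase.value
                and p not in self.done and p not in self.external]

    def can_run(self, phase):
        """A phase runs once, after every earlier phase is done or replaced."""
        return phase not in self.done and not self._missing(phase)

    def run(self, phase):
        if not self.can_run(phase):
            raise ValueError(f"{phase.name}: missing {self._missing(phase)}")
        if phase is Phase.PRE_SWITCH:
            self.tunnel_up = True       # proactive L3 HO runs over the tunnel
        if phase is Phase.POST_SWITCH:
            self.tunnel_up = False      # tunnel deleted after the L2 switch
        self.done.append(phase)
        return self

    def may_stop_here(self):
        """Slide rule: MPA may stop at phase 1 (pre-auth only) or phase 2."""
        return [p.value for p in self.done] in ([1], [1, 2])

    def outage_steps(self):
        """Steps up to the L2 switch not yet done or replaced: everything left
        here must happen after the link break, i.e. inside the packet-loss
        period of the timeline slide. With all pre-phases done only SWITCH
        remains."""
        return [p.name for p in Phase if p.value <= Phase.SWITCH.value
                and p not in self.done and p not in self.external]
```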
[Figure: proactive handover tunnel in the pre-switching phase. Elements shown: MN, AR in the serving network, target network, HA in the home network, CN; BU and tunneled data over the tunnel]
Agreement in IETF68
• Revise the MPA framework draft to focus on the inter-domain handover problem
• Specific changes are explained in the next slides
“Inter-domain Handover” Section Added
• Definition of an administrative domain (or a domain): networks that are managed by a single administrative entity
• An administrative entity may be a service provider, an enterprise or any other organization
• An inter-domain handover is by default also an inter-subnet handover, and in addition it may be either an inter-technology or an intra-technology handover
• An inter-domain handover goes through all the transition steps of a subnet handover and is in addition subject to the authentication and authorization process
• It is also likely that the type of mobility support in each administrative domain will be different; for example, administrative domain A may have MIPv6 support, while administrative domain B may use Proxy MIPv6
Inter-domain Handover between CMIPv6 & PMIPv6 domains
[Figure: CMIPv6 domain (HA, ARs) and PMIPv6 domain (LMA, PMAs, ARs); an MPA-capable MN moving between them]
“Detailed Issues” Section split
• MPA Operations (Section 7)
  • 7.1 Discovery
  • 7.2 Pre-authentication in multiple CTN environment
  • 7.3 Proactive IP address acquisition
  • 7.4 Address resolution
  • 7.5 Tunnel management
  • 7.6 Binding Update
  • 7.7 Preventing packet loss
  • 7.8 Link-layer security and mobility
  • 7.9 IP layer security and mobility
  • 7.10 Authentication in initial network attachment
• MPA Deployment Issues (Section 8)
  • 8.1 Considerations for failed switching and switch-back
  • 8.2 Pre-allocation of QoS resources
  • 8.3 Resource allocation issue during pre-authentication
• MPA Case Studies for Inter-Domain Handoff (Section 9)
  • 9.1 Homogeneous mobility protocol in each domain (MIPv6, SIP Mobility, MIPv4 FA-CoA, PMIPv6)
    • MPA for PMIPv6: http://www.ietf.org/internet-drafts/draft-taniuchi-netlmm-mpa-proxymipv6-00.txt
  • 9.2 Diverse mobility protocols in each domain
  • 9.3 Multicast mobility
  • 9.4 Coexistence of MPA with other optimization techniques
“Applicability Statement” Section moved to an earlier section (Section 4)
• MPA is categorized as a proactive handover optimization mechanism; in other words, MPA is more applicable where an accurate prediction of movement can easily be made
• Even if accurate prediction of movement is easily made, the effectiveness of MPA may be relatively reduced if the network employs network-controlled localized mobility management, in which the MN does not need to change its IP address while moving within the network
• The effectiveness of MPA may also be relatively reduced if signaling for network access authentication is already optimized for movements within the network, e.g., when simultaneous use of multiple interfaces during handover is allowed
• In other words, MPA is the most viable solution for inter-administrative-domain predictive handover without simultaneous use of multiple interfaces
Performance result: MPA with L2sec bootstrapping
• Use of MPA to bootstrap the L2 security (e.g., IEEE 802.11i) required by candidate networks, before handover
• Handover performance of network-layer assisted pre-authentication and of 802.11i pre-authentication is similar
• Network-layer assisted pre-authentication works across multiple subnets/domains/media, whereas 802.11i pre-authentication works only within 802.11 and within the same ESS
Performance result: MPA with multiple Mobility Management Protocols
Summary
• The MPA framework draft has been presented 5 times since IETF62
• The draft has been revised to focus on inter-domain handover and is in good shape
• The draft is fully ready to be an RG draft