Highly Available and Secure Fault-tolerant Mobile Computing Sanjay K. Madria Department of Computer Science University of Missouri-Rolla madrias@ieee.edu
Mobile Constraints
• Low bandwidth.
• Frequent disconnections, but predictable.
• High bandwidth variability.
• Monetarily expensive.
• Broadcast is physically supported within a cell.
• Limited battery power and storage.
• Fast changing locations.
Mobile Architecture (figure): Mobile Hosts (MH) in cells attach over unreliable wireless connections to Mobile Support Stations (MSS); MSSs and Fixed Hosts communicate over a reliable, dedicated fixed network (Mbps to Gbps). The MSSs and the fixed network form the trusted part.
Objectives
• To improve data availability in mobile computing: transaction models for mobile computing (journal paper appeared in DPDB'01)
• To provide secure fault-tolerant mobile systems: uninterrupted secure service to the mobile hosts when a base station moves or fails (paper in IC Internet Computing'00 and research grants of 80K)
How are Mobile Transactions different?
• Long-lived transactions, due to mobility and frequent disconnection.
• Computations are split: some parts execute on the mobile host, others on the MSS.
• Partial results are shared with others.
• Computations and communications are supported by the MSS.
• Mobile hosts move from one cell to another, but execution must continue.
• Mutual consistency of data objects must be maintained.
Prewrite Mobile Transaction Model
• Introduce a prewrite operation before a write operation; it makes visible (exactly or abstractly) the value that the data object will have after the transaction commits.
• Pre-committed: the MT has announced all its prewrite values and read all the data objects it requires, but has not finally committed (the updates on the database are not yet performed).
• A pre-committed MT's results are made visible at the MH and the MSSs before the final commit.
• Shifts the resource-consuming part of the MT's execution (updating the database on disk) to the MSS.
• Pre-commit avoids costly undo or compensating actions.
• A pre-read returns a prewrite value, whereas a read returns a write value.
• MTs are serialized based on their pre-commit order.
Example 1: Long-duration Transaction Application
• "House-construction" and "House-buying" transactions
• "Model House" as the prewrite
Example 2: Data Structure Application
• Record delete operation in hashing
• Storage allocator and deallocator working concurrently
Mobile Transaction Processing with Prewrites
• Case: MH has limited server capability
  Start -> Reads/Prewrite -> Pre-commit (this part of the transaction is executed at the MH) -> Writes -> Commit (this part is executed at the MSS)
  Example: news-reporter transaction
• Case: MH has a very slow CPU and small memory (I/O device only)
  Example: image retrieval transaction
Concurrent Operations (time runs left to right)
Case 1: A pre-read is being executed at the MH while the transaction that announced the prewrite values finally commits at the MSS.
  T1 (at MSS): r(x), pw(x) ---- pc ---- w(x) ---- c
  T2 (at MH):  pr(x) ------------------------- c
Case 2: A read transaction commits at the MH after the transaction that announced the prewrite operation has been pre-committed.
  T1 (at MSS): r(x), pw(x) ---- pc ---- w(x) ---- c
  T2 (at MH):  r(x) -------------------------- c
Operation Compatibility Matrix (row: requested operation; column: operation already in progress on the same data object; Yes = compatible)

            Pre-read  Read  Pre-write  Write
Pre-read    Yes       Yes   No         Yes
Read        Yes       Yes   Yes        No
Pre-write   No        Yes   No         Yes
Write       Yes       No    Yes        No
Serializable Schedules in the Mobile Transaction Model
• Case 1: For simple data objects, a history with a prewrite is equivalent to the history without the prewrite.
• Case 2: Once a transaction's prewrite-lock has been upgraded to a write-lock, the transaction cannot acquire any other lock.
• Case 3: A prewrite-lock cannot be upgraded to a write-lock while some other transaction holds a conflicting lock.
• Case 4: A transaction that returns an old value can still be serialized in the history.
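The compatibility matrix and the lock-upgrade rules above are enough to build a small lock table, shown here as an added example written for this page (it is not code from the paper). It assumes that pre-commit is the point where a transaction's prewrite-locks are upgraded to write-locks, so Case 2 (no further locks after the upgrade) and Case 3 (upgrade refused while a conflicting lock is held) both attach to the pre-commit step; the two schedules replayed at the bottom are the Case 1 and Case 2 timelines from the slides.

```python
# Added example: a lock table for the prewrite model, written for this page;
# it is not code from the paper.  Modes PR (pre-read), R (read), PW (prewrite)
# and W (write) follow the compatibility matrix on the slide; pre-commit is
# modelled as upgrading every PW lock of the transaction to W (assumption).
from collections import defaultdict

PR, R, PW, W = "PR", "R", "PW", "W"

# COMPAT[requested][held] is True when the requested mode may be granted
# while another transaction holds `held` on the same data object.
COMPAT = {
    PR: {PR: True,  R: True,  PW: False, W: True},
    R:  {PR: True,  R: True,  PW: True,  W: False},
    PW: {PR: False, R: True,  PW: False, W: True},
    W:  {PR: True,  R: False, PW: True,  W: False},
}


class LockManager:
    def __init__(self):
        self.held = defaultdict(dict)   # item -> {txn: set of modes}
        self.upgraded = set()           # txns whose PW locks became W (Case 2)

    def _conflicts(self, item, txn, mode):
        """Other transactions holding a lock on item incompatible with mode."""
        return [t for t, modes in self.held[item].items()
                if t != txn and any(not COMPAT[mode][m] for m in modes)]

    def lock(self, item, txn, mode):
        if txn in self.upgraded:
            return False      # Case 2: no new locks after the PW -> W upgrade
        if self._conflicts(item, txn, mode):
            return False
        self.held[item].setdefault(txn, set()).add(mode)
        return True

    def precommit(self, txn):
        """Upgrade all PW locks of txn to W; refused on any conflict (Case 3)."""
        items = [i for i, h in self.held.items() if PW in h.get(txn, ())]
        if any(self._conflicts(i, txn, W) for i in items):
            return False      # Case 3: someone else holds a conflicting lock
        for i in items:
            self.held[i][txn].discard(PW)
            self.held[i][txn].add(W)
        self.upgraded.add(txn)
        return True

    def release(self, txn):
        """Commit (or abort): drop every lock txn holds."""
        for item in list(self.held):
            self.held[item].pop(txn, None)
            if not self.held[item]:
                del self.held[item]
        self.upgraded.discard(txn)


ACTION_MODE = {"pr": PR, "r": R, "pw": PW}


def run_schedule(ops):
    """Replay ops = [(txn, action, item)], action in pr/r/pw/pc/c, and return
    one True (granted) / False (refused) per step."""
    lm, out = LockManager(), []
    for txn, action, item in ops:
        if action == "pc":
            out.append(lm.precommit(txn))
        elif action == "c":
            lm.release(txn)
            out.append(True)
        else:
            out.append(lm.lock(item, txn, ACTION_MODE[action]))
    return out


# Case 1 from the slides: T2's pre-read overlaps T1's final write.
CASE1 = [("T1", "r", "x"), ("T1", "pw", "x"), ("T1", "pc", None),
         ("T2", "pr", "x"), ("T1", "c", None), ("T2", "c", None)]

# Case 2: T2 reads the old value while T1 holds only a prewrite lock; under
# Case 3 T1's pre-commit (the PW -> W upgrade) must wait for T2 to release.
CASE2 = [("T1", "r", "x"), ("T1", "pw", "x"), ("T2", "r", "x"),
         ("T1", "pc", None), ("T2", "c", None), ("T1", "pc", None),
         ("T1", "c", None)]

if __name__ == "__main__":
    print(run_schedule(CASE1))   # [True, True, True, True, True, True]
    print(run_schedule(CASE2))   # [True, True, True, False, True, True, True]
```

The refused step in CASE2 is the one the matrix predicts: Read is compatible with Pre-write, so T2 gets its read lock, but Write is not compatible with Read, so the upgrade waits until T2 commits; after that T1's w(x) runs under a lock that still admits pre-reads.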
Multi-version Model to Exploit Availability in Mobile Computing
• Transaction states: Start, Commit, Termination
• The MH processes the operations, but transactions terminate at the MSS
• One terminated version, but possibly many committed versions
• The MSS terminates them in order of commitment
Read-Write Availability (figure): committed and terminated versions of data objects X and Z (Xi0, Xjts(j), Xkts(k), Zi0, Zkts(k)) at the MH and the MSS for transactions Tj and Tk.
Write-Write Availability (figure): two committed versions of X (Xjts(j), Xkts(k)) coexist at the MH while the MSS holds the terminated version Xi0.
Objective
• To provide uninterrupted secure service to the mobile hosts when a base station moves or fails.
• Example: battlefield
Mobile IP Entities
• Mobile Host (MH): changes its point of attachment to the Internet from one link to another.
• Home Agent (HA): router on the MH's home network which tunnels datagrams (packets of data) to the MH when it is away from home.
• Foreign Agent (FA): router on the MH's visited network which provides routing services to the MH while it is registered.
Mobile Node Authentication and Forwarding Services
• To ensure security and prevent theft of resources (like bandwidth), all packets originating inside the network should be authenticated.
• The MH sends a packet to its HA along with the authentication information.
• If authentication succeeds, the HA forwards the packet; otherwise it is dropped.
(figure: MH on an arbitrary-topology Internet sends through its Home Agent)
Disadvantages of the Typical Setup
• The Home Agent becomes a single point of failure.
• The Home Agent becomes an attractive target for attackers.
• Not scalable: a large number of hosts overloads the Home Agent.
Research Goals
• Eliminate the single point of failure.
• Distribute the load and enhance scalability and survivability of the system.
• Failures transparent to applications.
• Easy to implement.
Traditional Approaches
• Using a proxy server that takes up the responsibilities of the base station.
• Using a second base station that forwards the packets, using Mobile IP, to the actual Home Agent, which is now on a foreign network.
Proxy-based solution (figure): packets from the source network cross arbitrary networks to BS1 on the destination network, which forwards them to the base station (BS) now located on a foreign network.
Traditional Approaches: Disadvantages
• Manual updating of the routing tables.
• Not transparent to applications.
• Communication delays.
• Additional security threats, as the packets now traverse long paths through the Internet.
Proposed Schemes
• We propose two schemes: Virtual Home Agent and Hierarchical Authentication.
• They differ in their architecture and in the responsibilities that the Mobile Hosts and Base Stations hold.
Authentication Using Virtual Home Agent: Entities in the proposed scheme
• Virtual Home Agent (VHA): an abstract entity identified by a network address.
• Master Home Agent (MHA): the physical entity that carries out the responsibilities of the VHA.
• Backup Home Agent (BHA): an entity that backs up a VHA. When the MHA fails, the BHA with the highest priority becomes the MHA.
• Shared Secrets Database Server: the entity that manages and processes the queries on the secret database.
Virtual Home Agent Set-up (figure): VHA ID = IP ADDR1; the Master Home Agent (MHA), the Backup Home Agents, the Shared Secrets Database Server and the other hosts share one network.
Protocol Description
• All MHAs and BHAs join a pre-configured multicast group.
• The MHA and each BHA is assigned a priority that indicates its preference to become MHA when the current MHA fails.
• The MHA has the highest priority at any given point in time.
• Periodically, the MHA sends an advertisement packet to the configured multicast group; its purpose is to let the BHAs know that the MHA is still alive.
• Time-to-live is set to 1 in each advertisement, as advertisements never have to leave the network.
• Advertisement packet format: VHA's ID | MHA's priority | Authentication Information
  - VHA's ID identifies the VHA for which this agent is the Master.
  - MHA's priority is the priority of this MHA.
  - Authentication Information is needed to defeat masquerading attacks (anyone posing as the Master).
Protocol Description
• BHAs only listen for advertisements; they never send them.
• Each BHA runs a Down Interval Timer that is restarted by every advertisement it receives. If no advertisement arrives before the timer expires, the BHA concludes that the MHA is down. The interval is computed as:
  Down Time Interval = 5 * Advertisement Interval + (MHA's priority - BHA's priority) / MHA's priority
• The Down Interval takes care of packet losses (it is at least 5 advertisement intervals).
• The Down Interval is a function of the BHA's configured priority: the higher the priority, the shorter the interval.
• The Down Interval Timer of the highest-priority BHA therefore expires first, which guarantees that this BHA is the one that transitions from BHA to MHA. The new MHA sends advertisements from then on.
Advantages of this Election Protocol
• No communication between the BHAs is required.
• There is no confusion about which BHA becomes MHA (only the one whose timer expires first).
• No additional security threats (such as manipulating the priorities of BHAs).
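The election protocol above, as an added in-memory simulation written for this page (it is not the authors' implementation). The slides do not say what the "authentication information" is, so the example assumes an HMAC-SHA256 tag over (VHA's ID, MHA's priority) under a key shared by the MHA and its BHAs; note that with such a group key any agent holding it could forge an advertisement, so the tag stops outsiders, not a compromised agent. The advertisement interval (one second) and the packet layout are also assumptions, and time is passed in explicitly instead of read from a clock.

```python
# Added example: an in-memory simulation of the VHA election, written for this
# page; it is not the authors' implementation.  Assumptions: the advertisement's
# "authentication information" is an HMAC-SHA256 tag over (VHA id, priority)
# under a key shared by the MHA and its BHAs, the advertisement interval is
# one second, and time is passed in explicitly instead of read from a clock.
import hashlib
import hmac
import struct

ADV_INTERVAL = 1.0   # seconds between MHA advertisements (assumed)
TAG_LEN = 32         # HMAC-SHA256 output


def build_advertisement(vha_id, priority, key):
    """Packet layout (assumed): VHA id as 4 IPv4 octets | priority (1 byte) | tag."""
    body = bytes(int(o) for o in vha_id.split(".")) + struct.pack("!B", priority)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def parse_advertisement(packet, key):
    """Return (vha_id, priority) for an authentic packet, else None."""
    body, tag = packet[:5], packet[5:]
    if len(body) != 5 or len(tag) != TAG_LEN:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None      # forged or tampered: a masquerading MHA is ignored
    return ".".join(str(b) for b in body[:4]), body[4]


def down_interval(mha_priority, bha_priority):
    """Slide formula: 5 * Advertisement Interval + (MHA prio - BHA prio) / MHA prio.
    A higher-priority BHA gets a shorter timer, so its timer expires first."""
    return 5 * ADV_INTERVAL + (mha_priority - bha_priority) / mha_priority


class BackupHomeAgent:
    """One BHA: listens, never sends; becomes MASTER when its timer expires."""

    def __init__(self, vha_id, priority, key):
        self.vha_id, self.priority, self.key = vha_id, priority, key
        self.state = "BACKUP"
        self.last_seen = None       # time of the last authentic advertisement
        self.mha_priority = None

    def on_packet(self, packet, now):
        parsed = parse_advertisement(packet, self.key)
        if parsed is None or parsed[0] != self.vha_id:
            return False            # not for our VHA, or failed authentication
        self.last_seen, self.mha_priority = now, parsed[1]   # restart the timer
        return True

    def tick(self, now):
        """Called periodically; returns the agent's state after the check."""
        if (self.state == "BACKUP" and self.last_seen is not None
                and now - self.last_seen >= down_interval(self.mha_priority, self.priority)):
            self.state = "MASTER"   # Down Interval Timer expired: take over
        return self.state


def first_to_take_over(mha_priority, bha_priorities):
    """Which BHA priority wins the election, and after how many seconds."""
    timers = {p: down_interval(mha_priority, p) for p in bha_priorities}
    winner = min(timers, key=timers.get)
    return winner, timers[winner]


if __name__ == "__main__":
    key = b"shared-vha-secret"          # constructed for the example
    adv = build_advertisement("10.0.0.1", 100, key)
    bha = BackupHomeAgent("10.0.0.1", 80, key)
    bha.on_packet(adv, 0.0)
    print(bha.tick(5.0), bha.tick(5.3))             # BACKUP MASTER
    print(first_to_take_over(100, [50, 80, 20]))    # (80, 5.2)
```

A forged or tampered advertisement never updates `last_seen`, so an attacker who cannot produce the tag can neither keep a BHA in BACKUP by faking liveness nor trigger a takeover early; with MHA priority 100, the BHAs with priorities 80, 50 and 20 get timers of 5.2, 5.5 and 5.8 seconds, so the highest-priority BHA takes over first without any BHA-to-BHA messages.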
State Transitions (figure): Start State -> Backup State -> Master State
Advantages of the proposed scheme
• Only 3 states, so the overhead of state maintenance is negligible.
• Very few tasks need to be performed in each state.
• Flexible: there can be multiple VHAs in the same LAN; an MHA can be a BHA for another VHA, and a BHA can be a BHA for more than one VHA at the same time.
Hierarchical Authentication Scheme
• Multiple Home Agents in a LAN are organized in a hierarchy (a tree).
• A Mobile Host shares a key with each of the Agents above it in the tree (multiple keys).
• At any time, the highest-priority key is used for sending packets or obtaining any other kind of service.
(figure: agent A at the root with the K2 database; B and C below A, with C holding the K1 database; D, E, F, G at the leaves; a host below C holds the key/priority pairs (K1, P1) and (K2, P2))
• Key priority depends on several factors and is computed as the cumulative sum of the weighted priorities of each factor. Example factors:
  - Communication delays
  - Processing speed of the agents
  - Secret key usage
  - Lifetime of the key
  - Configurable priorities
  - Availability of secret key information to an agent
• Hosts detect a Home Agent's failure or mobility when the Home Agent does not send an acknowledgement for a request.
• When a failure is detected, the host reduces the priority of the current key and from then on uses the key that now has the highest priority.
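The key selection and failover rule above, as an added example written for this page (not the authors' code). It models a host below agent C, which sits below root A, holding one key per agent above it. The factor weights, the factor values, the demotion amount applied on a missing acknowledgement and the HMAC-SHA256 request tag are all assumptions; the slides only say that priority is a weighted cumulative sum of the listed factors and that a failed key is demoted.

```python
# Added example: key selection for the hierarchical scheme, written for this
# page; it is not the authors' code.  A host under agent C, under root A, holds
# one key per agent above it.  The factor weights, factor values, the demotion
# amount and the HMAC-SHA256 request tag are all assumptions; the slide only
# says that priority is a weighted cumulative sum of the listed factors.
import hashlib
import hmac

# Factors from the slide (weights assumed; negative weight = cost).
WEIGHTS = {
    "delay": -1.0,       # communication delay to the agent
    "speed": 1.0,        # processing speed of the agent
    "usage": -0.5,       # how much the secret key has already been used
    "lifetime": 0.5,     # remaining lifetime of the key
    "configured": 2.0,   # administratively configured preference
    "available": 3.0,    # agent has the secret key information at hand
}
DEMOTION = 4.0   # priority subtracted from a key whose agent failed to ack (assumed)


class AgentKey:
    def __init__(self, agent, key, **factors):
        self.agent, self.key, self.factors = agent, key, factors
        self.penalty = 0.0

    def priority(self):
        """Cumulative sum of weighted factors, minus demotions from failures."""
        return sum(w * self.factors.get(f, 0.0) for f, w in WEIGHTS.items()) - self.penalty


class HostKeyring:
    """The keys a mobile host shares with the agents above it in the tree."""

    def __init__(self, keys):
        self.keys = list(keys)

    def ranked(self):
        return sorted(self.keys, key=lambda k: k.priority(), reverse=True)

    def send(self, payload, reachable):
        """Authenticate payload with the highest-priority key.  A missing ack
        (agent not in `reachable`) demotes that key and the next one is tried.
        Returns (agent used or None, tag or None, agents tried in order)."""
        tried = []
        for k in self.ranked():
            tried.append(k.agent)
            if k.agent in reachable:        # ack received: key stays preferred
                tag = hmac.new(k.key, payload, hashlib.sha256).hexdigest()
                return k.agent, tag, tried
            k.penalty += DEMOTION           # slide: reduce the current key's priority
        return None, None, tried


def build_keyring():
    """Host below C (near, slower) and root A (further away, faster); constructed values."""
    return HostKeyring([
        AgentKey("C", b"k1-shared-with-C", delay=1, speed=1, configured=1, available=1),
        AgentKey("A", b"k2-shared-with-A", delay=3, speed=2, configured=1, available=1),
    ])


if __name__ == "__main__":
    ring = build_keyring()
    print(ring.send(b"request-1", reachable={"A", "C"})[::2])  # ('C', ['C'])
    print(ring.send(b"request-2", reachable={"A"})[::2])       # ('A', ['C', 'A'])
    print(ring.send(b"request-3", reachable={"A", "C"})[::2])  # ('A', ['A'])
```

With the assumed weights C's key starts at priority 5 and A's at 4, so requests go to C; once C stops acknowledging, C's key is demoted to 1 and the host switches to A's key, and it keeps using A even after C is reachable again, which is the behaviour the slide describes (the demotion is not undone by a later success).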
Cluster for scalability (figure): clients send requests to a front end with one IP address, which distributes them across the back-end servers.