Secure Universal Mobility for Wireless Internet
Authors: A. Dutta, T. Zhang, S. Madhani (Telcordia Technologies); K. Taniuchi, K. Fujimoto, Y. Katsube, Y. Ohba (Toshiba America Research Inc.); H. Schulzrinne (Columbia University)
Presented by: Ashutosh Dutta, adutta@research.telcordia.com
Outline
• Motivation
• Related Work
• SUM Architecture
• Experimental Test-bed
• Results
• SIP and MOBIKE approach
• Conclusion and Future Work
Mobile Wireless Internet: A Scenario (figure: two administrative domains, Domain1 and Domain2, joined over the Internet; each contains heterogeneous access networks (UMTS/CDMA, 802.11a/b/g, Bluetooth) behind nodes S1 to S4, serving multimedia terminals, webphones and Pocket PCs through UMTS/CDMA, BT and 802.11a/b/g access points)
Motivation
Objective: to give mobile enterprise users the same working environment they have at the office, wherever they are (e.g., Intranet, Extranet), and in particular to:
• provide persistent and seamless application session continuity
• provide the same level of security as is currently deployed in the enterprise network
• provide persistent and seamless reachability (traceability) from the internal network to mobile users
• provide a VPN-agnostic roaming model, independent of the subscribed carrier
• have no impact on the existing IT infrastructure
• optimize the solution as needed
SUM Scenario (figure: CN on the internal, protected LAN; a DMZ; MNs on the internal WLAN and on external, unprotected networks such as WLAN hot spots and cellular)
• provide reachability from the internal network to mobile nodes
• secure the communication while the MN is on an external network
• provide session continuity while moving from one network to another
CN: Correspondent Node, MN: Mobile Node
Issues to be Resolved
• “IPsec VPN”, deployed to secure the communication, cannot currently maintain session continuity while the node moves
• “Mobile IP”, deployed to provide session continuity, cannot secure the communication contents itself
(1) A combination of IPsec VPN and Mobile IP is necessary
• Seamlessness is sometimes unsatisfactory because of hand-off delay (e.g., internal WLAN to cellular data network), and especially because of VPN establishment delay (more than 5 s)
(2) A way for the Mobile Node to reduce hand-off delay is preferable
Related Work
• Miu and Bahl et al.: movement between similar kinds of networks
• Rodriguez et al.: MAR to support heterogeneous access
• Snoeren et al.: fine-grained TCP Migrate approach
• Barton et al.: integration of Mobile IP and IPsec
• Cheng et al. (ICNSC): foreign-agent-based, client-driven
• Adrangi et al. (IETF): Mobile IP traversal for VPN gateways
• Luo et al.: integration of wireless LAN and cellular
• Birdstep Technologies (www.birdstep.com): smooth handoff, dynamic tunnel management, integration with SIP
SUM Architecture (1) (figure: CN and internal home/visited networks with the i-HA on the internal, protected side; VPN GW in the DMZ; x-HA and MNs on external, unprotected networks 1..N; nested i-MIP, VPN and x-MIP tunnels between them)
• Based on its current location, the MN dynamically establishes, changes and terminates tunnels, without changing the current IPsec VPN or Mobile IP standards.
• The triple-encapsulation tunnel is constructed by:
  • i-HA (Internal Home Agent): forwards IP packets to the MN’s current internal location
  • VPN GW: protects (encrypts and authenticates) IP packets transmitted over external networks
  • x-HA (External Home Agent): forwards IP packets to the MN’s current external location
SUM Architecture Protocol Flow
Message flow for triple-encapsulation tunnel establishment (MN on an external, unprotected network; x-HA and VPN GW in the DMZ; i-HA and CN on the internal, protected network):
• MN → x-HA: x-MIP Registration Request
• x-HA → MN: x-MIP Registration Reply (x-MIP tunnel established)
• MN ↔ VPN GW: IKE + VPN address assignment (VPN tunnel established, inside the x-MIP tunnel)
• MN → i-HA: i-MIP Registration Request (inside the VPN tunnel)
• i-HA → MN: i-MIP Registration Reply (i-MIP tunnel established)
Make-before-Break for Hand-off Delay Reduction
• Prepare a better path before the current path is given up
• The MN monitors the WLAN signal strength (or applies any other policy)
• Before the internal WLAN signal goes away (when it drops below threshold A), the MN brings up the cellular network and establishes the x-HA tunnel and the VPN tunnel as a stand-by path
• When the WLAN signal drops below threshold B (A > B), the MN stops using the WLAN, switches to the cellular network, establishes the i-MIP tunnel, and then sends traffic over the x-MIP/VPN/i-MIP tunnel on the cellular link
• This removes the major component of hand-off delay, since the VPN (which takes more than 5 s to establish) is already set up before the switch-over
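The make-before-break policy above, together with the tunnel ordering of the protocol-flow slide, as an added example that is not the authors' code: a small Python simulation of one WLAN-to-cellular hand-off. The threshold values, the per-tunnel setup delays and the signal traces are assumptions chosen for illustration (the slides state only that A > B and that VPN establishment takes more than 5 s). The simulation reports how long the MN is left without a usable path with and without make-before-break, and covers the edge case where the WLAN collapses before the stand-by path is ready.

```python
"""Make-before-break hand-off simulation.

Added example; not code from the paper.  Threshold values, setup delays
and the signal traces are assumptions chosen for illustration.
"""

# Illustrative tunnel setup times in seconds.  The slides only state that
# VPN establishment takes more than 5 s; the MIP registration times are assumed.
SETUP_DELAY = {"x-MIP": 0.5, "VPN": 5.5, "i-MIP": 0.5}

# WLAN signal thresholds in dBm, with A > B as in the slides (values assumed).
THRESHOLD_A = -70   # below this: build x-MIP + VPN over cellular as a stand-by path
THRESHOLD_B = -80   # below this: leave WLAN, switch to cellular, register i-MIP


def simulate_handoff(samples, make_before_break=True):
    """Run the MN policy over (time_s, rssi_dbm) samples.

    Returns (outage_s, events): outage_s is how long the MN has no usable
    path to the CN during the hand-off; events records what the MN did.
    """
    standby_ready_at = None   # time at which x-MIP + VPN over cellular are usable
    events = []
    for t, rssi in samples:
        if make_before_break:
            if standby_ready_at is None and rssi < THRESHOLD_A:
                # The stand-by path is built while the WLAN still carries traffic.
                standby_ready_at = t + SETUP_DELAY["x-MIP"] + SETUP_DELAY["VPN"]
                events.append((t, "prepare x-MIP + VPN over cellular"))
            elif standby_ready_at is not None and rssi >= THRESHOLD_A:
                # Signal recovered above A: release the stand-by tunnels (hysteresis).
                standby_ready_at = None
                events.append((t, "tear down stand-by path"))
        if rssi < THRESHOLD_B:
            if standby_ready_at is None:
                # Break-before-make: all three tunnels are built after the WLAN is gone.
                outage = sum(SETUP_DELAY.values())
            else:
                # Only i-MIP registration, plus whatever part of the stand-by
                # setup has not finished yet, lies between the MN and the CN.
                outage = max(0.0, standby_ready_at - t) + SETUP_DELAY["i-MIP"]
            events.append((t, "switch to cellular, register i-MIP"))
            return outage, events
    return 0.0, events   # the MN never left the WLAN


# Constructed signal trace: slow fade away from the home WLAN (t in s, RSSI in dBm).
SLOW_FADE = [(0, -60), (1, -65), (2, -72), (5, -75), (8, -78), (10, -82)]
# Constructed trace in which the WLAN disappears almost at once.
SUDDEN_LOSS = [(0, -60), (1, -85)]

if __name__ == "__main__":
    for name, trace in (("slow fade", SLOW_FADE), ("sudden loss", SUDDEN_LOSS)):
        for mbb in (False, True):
            outage, _ = simulate_handoff(trace, make_before_break=mbb)
            print(f"{name:12s} make-before-break={mbb!s:5s} outage={outage:.1f} s")
```

With the slow fade, make-before-break cuts the outage from the full x-MIP + VPN + i-MIP setup to the i-MIP registration alone, because the VPN was already up before the WLAN was abandoned. With the sudden loss, threshold A and threshold B are crossed in the same sample, so the stand-by path is not ready and the outage is the same as break-before-make: the gain depends on the gap between A and B being wide enough to cover the VPN setup time.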
i-HA Demonstration Scenario (figure: CN and i-HA on the internal home network over WLAN; VPN GW and x-HA in the DMZ; external cellular network, unprotected)
Step 1: The MN (at its home network, over WLAN) and the CN start an application session, then the MN starts moving
Step 2: The MN starts preparing an alternate path by establishing the x-MIP and VPN tunnels over the cellular link, while continuing to communicate via the home network over WLAN (figure: x-MIP tunnel to the x-HA and VPN tunnel to the VPN GW, both over cellular)
Step 3: The MN stops using its home WLAN, switches to cellular, establishes the i-MIP tunnel, and continues communication with the CN (figure: i-MIP tunnel to the i-HA added inside the VPN and x-MIP tunnels)
Secure Universal Mobility Testbed (figure: network diagram). Recoverable labels: Internet reached over EarthLink DSL; external cellular access via Verizon CDMA 1xRTT; an external hotspot; enterprise firewall in front of the DMZ network (205.132.6.64/27, hosts .66 to .94) holding the VPN GW, the x-HA (Linux, HoA = 210-215), a SIP server and DNS; internal home network 10.1.10.0/24 (SSID = ITSUMO home, demo.tari.toshiba.com) with AP, DHCP and the i-HA (TIA = 111-120, HoA = 70-75); internal visited network 10.1.20.0/24; a monitor on channel 3; the MN moving between them
Results: CBR Voice Traffic (figure: (a) packet transmission delay; (b) inter-packet departure and arrival delay variation for CBR voice)
Results: VBR Video Traffic (figure: (a) packet transmission delay; (b) inter-packet departure and arrival delay variation for VBR video)
Conclusion and Future Work
• Active area of research within the IETF’s Mobile IP working group
• Triple encapsulation mandates an “always-on VPN”
  • provides persistent reachability from the internal network to mobile users
  • may not be practical with currently deployed VPNs
• Capability of a dual MIP (i-MIP and x-MIP) tunnel without VPN
  • dynamic tunnel management will allow VPN setup on demand
  • adds value to the base triple-encapsulation architecture
  • provides light-weight persistent reachability without consuming VPN resources
• Dual MIP is enabled by the SMG (Secure Mobility Gateway), which provides:
  • strong authentication of MIP messages, to securely manage the dual MIP tunnels
  • packet filtering to restrict the packets transmitted over the dual MIP tunnels
• Interaction with AAA domains
• Robust header compression to take care of the associated overhead
• SIP and MOBIKE approach will provide an optimized solution
Multimedia Test-bed Architecture (figure: two domains, Domain 1 tari.toshiba.com and Domain 2 research.telcordia.com, joined through border routers (3600) over the Internet backbone behind a FW; per-domain SIP server/call agent, AAA server, DRCP server, PANA and IPsec, dynamic DNS, multicast proxy, MAS, IPv6, HA/DRCP server, SmartBits traffic generator; edge routers ERC1 to ERC4 and R1 to R3 with QoS, behind VLAN switches; 802.11b micro/macro coverage, an external omni antenna, BT, GPS client and CDMA/GPRS coverage for the MH)
Future / On-going Work (cont’d) (figure: SMG and VPN GW in the DMZ; x-MIP and i-MIP tunnels forming the dual MIP tunnel; i-HA and CN on the internal home network; internal visited networks; external networks 1..N)
• The MN is in “Incoming Call Waiting Mode” while it maintains the dual MIP tunnel
• The SMG authenticates MIP registration messages and filters packets going through the established dual MIP tunnel
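The SMG's authentication of MIP registration messages, as an added example that is not the authors' SMG code: the slides do not say which message format the SMG checks, so this assumes the standard Mobile IPv4 Registration Request carrying the Mobile-Home Authentication Extension of RFC 3344 (HMAC-MD5 over the request, any earlier extensions, and the extension's own Type, Length and SPI). The key, SPI, addresses and the replay rule (the Identification must increase per home address, a simplification of the RFC's timestamp check) are constructed for the example. A request with a wrong key, a modified care-of address or a replayed Identification is rejected before any tunnel state would be touched.

```python
"""Mobile IPv4 Registration Request + Mobile-Home Authentication Extension.

Added example, not the paper's SMG code.  Message layout follows RFC 3344
sections 3.3 and 3.5; keys, SPI, addresses and the replay rule are
assumptions constructed for the example.
"""
import hashlib
import hmac
import ipaddress
import struct

REG_REQUEST_TYPE = 1        # Registration Request (RFC 3344 section 3.3)
MH_AUTH_EXT_TYPE = 32       # Mobile-Home Authentication Extension (section 3.5.2)
AUTH_LEN = 16               # HMAC-MD5 digest length, the RFC 3344 default algorithm
FIXED_LEN = 24              # type, flags, lifetime(2), 3 x IPv4 address, identification(8)
EXT_LEN = 6 + AUTH_LEN      # ext type, ext length, SPI(4), authenticator


def build_registration_request(home_addr, home_agent, care_of, lifetime, identification, flags=0):
    """Fixed part of a Registration Request, without extensions."""
    return struct.pack(
        "!BBH4s4s4sQ", REG_REQUEST_TYPE, flags, lifetime,
        ipaddress.IPv4Address(home_addr).packed,
        ipaddress.IPv4Address(home_agent).packed,
        ipaddress.IPv4Address(care_of).packed,
        identification)


def add_mh_auth_extension(message, spi, key):
    """Append the Mobile-Home Authentication Extension to a request or reply.

    Per RFC 3344 section 3.5.1 the authenticator covers the message (including
    any extensions already present) plus the Type, Length and SPI of this
    extension; Length is 4 (SPI) + the authenticator length.
    """
    header = struct.pack("!BBI", MH_AUTH_EXT_TYPE, 4 + AUTH_LEN, spi)
    authenticator = hmac.new(key, message + header, hashlib.md5).digest()
    return message + header + authenticator


class RegistrationVerifier:
    """Gateway-side check of an incoming Registration Request (SMG or HA role).

    Assumes the packet ends with the Mobile-Home Authentication Extension and
    that each mobile's Identification values increase monotonically.
    """

    def __init__(self, keys_by_spi):
        self.keys = keys_by_spi
        self.last_id = {}   # home address -> highest Identification accepted so far

    def verify(self, packet):
        if len(packet) < FIXED_LEN + EXT_LEN or packet[0] != REG_REQUEST_TYPE:
            return False, "not a well-formed Registration Request"
        covered, ext = packet[:-EXT_LEN], packet[-EXT_LEN:]
        etype, elen, spi = struct.unpack("!BBI", ext[:6])
        if etype != MH_AUTH_EXT_TYPE or elen != 4 + AUTH_LEN:
            return False, "Mobile-Home auth extension missing"
        key = self.keys.get(spi)
        if key is None:
            return False, "unknown SPI"
        expected = hmac.new(key, covered + ext[:6], hashlib.md5).digest()
        if not hmac.compare_digest(expected, ext[6:]):      # constant-time compare
            return False, "authenticator mismatch"
        home = str(ipaddress.IPv4Address(covered[4:8]))
        identification = struct.unpack("!Q", covered[16:24])[0]
        if identification <= self.last_id.get(home, -1):
            return False, "replayed identification"
        self.last_id[home] = identification
        return True, "ok"


if __name__ == "__main__":
    # Constructed key, SPI and documentation-range addresses (RFC 5737).
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    gateway = RegistrationVerifier({0x100: key})
    req = build_registration_request("192.0.2.70", "192.0.2.67", "198.51.100.66", 300, 1)
    signed = add_mh_auth_extension(req, 0x100, key)
    print("fresh   :", gateway.verify(signed))
    print("replayed:", gateway.verify(signed))
    forged = bytearray(signed)
    forged[12] ^= 0x01                        # flip a bit of the care-of address
    print("forged  :", gateway.verify(bytes(forged)))
```

The care-of address is the field an attacker would most want to change, since it decides where the tunnel endpoint is moved; because it is inside the authenticated region, any modification fails the HMAC check. Checking the authenticator before consulting per-mobile state also keeps unauthenticated packets from disturbing the replay window.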
Step-by-step protocol flow (figure: PPP setup over CDMA at SNR S1; make-before-break scenario at SNR = S2; mobile coming back home)