310 likes | 449 Views
Media-Independent Pre-Authentication (draft-ohba-mobopts-mpa-framework-00.txt). Ashutosh Dutta, Telcordia Technologies Yoshihiro Ohba (Ed.), Kenichi Taniuchi Toshiba America Research Inc. Henning Schulzrinne, Columbia University. Prepared for IRTF MOBOPTS WG
E N D
Media-Independent Pre-Authentication(draft-ohba-mobopts-mpa-framework-00.txt) Ashutosh Dutta, Telcordia Technologies Yoshihiro Ohba (Ed.), Kenichi Taniuchi Toshiba America Research Inc. Henning Schulzrinne, Columbia University Prepared for IRTF MOBOPTS WG March 8th, 62nd IETF, Minneapolis
Outline • Motivation • Handoff Delay during Wireless Internet Roaming • Fast Handoff Related Work • Proposed Method: Media-independent Pre-Authentication • Demonstration and Results • Conclusions/Future Work
Motivation • It is desirable to limit the jitter, delay and packet loss for real-time and non-real-time traffic • e.g.,150 ms end-to-end delay for interactive traffic such as VoIP, 2% packet loss is allowed • Delay due to handoff takes place at several layers • Layer 2 (handoff between AP) • Layer 3 (IP address acquisition, Configuration, Authentication, Authorization) • Binding Update, Media Redirection • Rapid handoff will contribute to overall delay and packet loss • Thus it is essential to reduce the handoff delay introduced at different layers • We propose a fast-handoff mechanism to reduce the handoff-delay and packet loss
3 2 1 DHCP server/ PPP /FA Handoff Latency Next Access Router MN AP1 AP2 HA/SIP Server CN AA Server Binds to AP1 Media 802.11i 1 Binds to AP2 ICMP Router Discovery/Router Advertisement 1- L2 Hand-over Latency Delay 2 – Delay due to IP Address Acquisition and Configuration, authentication, authorization 3 – Binding update and Media Redirection delay DHCP/ MIP CoA/PPP Stateless Auto-configuration 2 DAD/ARP AAA MIP BU/SIP Re-Invite 3 IGMP New Media
Problem in Mobility Management Protocols • Problem 1 (performance): Operations for updating higher-layer context (i.e., IP address acquisition, mobility binding update, authentication etc.) occur after link-layer handover • Processing and/or signaling delay for each operation accumulates • Longer packet loss period due to handoff delay • No solutions exist for single-interface host • Problem 2 (security): Existing mobility optimization mechanisms do not provide secure handover signaling especially for roaming cases • A secure mobility optimization mechanism that is tied with AAA (Authentication, Authorization and Accounting) and can deal with inter-subnet and inter-domain handover is needed • Problem 3 (applicability): Existing mobility optimization mechanisms are tightly coupled with particular mobility management protocols • FMIPv6 and HMIP are defined for Mobile IPv6 only • A mobility optimization mechanism that is applicable to any mobility management protocol is needed
Mobility Optimization - Related Work • Cellular IP, HAWAII - Micro Mobility • MIP-Regional Registration, Mobile-IP low latency, IDMP • HMIPv6, FMIPv6 (IPv6) • Yokota et al - Link Layer Assisted handoff • Shin et al, Velayos et al - Layer 2 delay reduction • Gwon et al, - Tunneling between FAs, Enhanced Forwarding PAR • SIP-Fast Handoff - Application layer mobility optimization • DHCP Rapid-Commit, Optimized DAD - Faster IP address acquisition
Media-independent Pre-Authentication (MPA) • MPA is: • a mobile-assisted higher-layer authentication, authorization and handover scheme that is performed prior to establishing L2 connectivity to a network where mobile may move in near future • MPA provides a secure and seamless mobility optimization that works for • Inter-subnet handoff • Inter-domain handoff • Inter-technology handoff • Use of multiple interfaces • MPA works with any mobility management protocol • MIP(v4,v6), SIPMM etc.
Functional Components of MPA • Pre-authentication/authorization • Used for establishing a security association (SA) between the mobile and a network to which the mobile may move • L2 pre-authentication can also be enabled based on the established SA • Pre-configuration • Used for establishing contexts specific to the network to which the mobile may move (e.g., nCoA) • The SA created in (1) are used to perform secured configuration procedure • Secured Proactive Handover • Used for sending/receiving IP packets based on the pre-authorized contexts by using the contexts of the current network
Expected Result during handoff Discover new AP in the neighboring subnet L3 auth/config starts L3 handoff starts L2 handoff starts Conventional Method Time L3 handoff completes L2 auth/authz, starts L2 handoff completes L3 auth/authz completes Discover New AP In the neighboring subnet Pre-auth/ Pre-config starts L2 handoff starts L3 handoff starts MPA Time Pre-auth/ Pre-config Completes (L2 SAs can be , completed here.) L2 handoff completes L3 handoff completes Critical period (communication interruption can occur)
MN Pre-Authentication SIP mobility is just an example mobility protocol. MPA works for any mobility management protocol CN DATA[CN<->A(X)] AA CA AR Subnet X Subnet Y pre-authentication CN: Correspondent Node MN: Mobile Node AA: Authentication Agent CA: Configuration Agent AR: Access Router
MN Pre-configuration CN DATA[CN<->A(X)] MN-CA key AA CA AR Subnet X Subnet Y pre-configuration CN: Correspondent Node MN: Mobile Node AA: Authentication Agent CA: Configuration Agent AR: Access Router IP address: A(X) Current subnet: X Status: Pre-authentication done Action: pre-configuration
MN Pre-Configuration (Cont.) CN DATA[CN<->A(X)] MN-AR key AA CA AR Subnet X Subnet Y Secure Proactive Handover tunnel establishment procedure CN: Correspondent Node MN: Mobile Node AA: Authentication Agent CA: Configuration Agent AR: Access Router IP address: A(X), A(Y) Current subnet: X Status: Pre-configuration done Action: SPH Initiation
MN Secured Proactive Handover: Main Phase CN DATA[CN<->A(X)] MN-AR key Re-Invite[CN<->A(Y)] AA CA AR Subnet X Subnet Y SIP Re-Invite over proactive hanodver tunnel [AR<->A(X)] CN: Correspondent Node MN: Mobile Node AA: Authentication Agent CA: Configuration Agent AR: Access Router IP address: A(X), A(Y) Current subnet: X Status: PH tunnel established Action: SIP Re-Invite
MN Secured Proactive Handover: Completion CN DATA [CN<->A(Y)] over proactive hanover tunnel [AR<->A(X)] AA CA AR Subnet X Subnet Y Proactive handover stop procedure L2 handoff procedure Data in new domain CN: Correspondent Node MN: Mobile Node AA: Authentication Agent CA: Configuration Agent AR: Access Router IP address: A(X), A(Y) Current subnet: X Status: SIP Re-Invite done Action: PH Completion
AP2 AP1 MN-CA key MN-CA key MN-CA key AA AA AA CA CA CA Mobile-assisted Seamless Handoff (a scenario) AR Network 1 CTN Network 2 AR CTN Mobile Current Network TN CTN – Candidate Target Networks TN – Target Network AR AP0 Network 3 AP3 CN Information Service (e.g.,802.21) mechanism can help locate the neighboring network elements in the candidate target networks (CTN)
MPA Communication Flow Candidate Target Network CN CA AR nPoA AA MN oPoA Existing session using oCoA 1. Found CTN Pre-authentication [Authentication Protocol] MN-CA Key 2. High probability to switch to the CTN MN-AR Key Pre-configuration [Configuration Protocol to get nCoA] Pre-configuration [tunnel management protocol to establish PHT 3. Determined to switch to The CTN Secure Proactive Update Phase Binding Update + data Transmission over PHT using nCoA 4. BU completion and Ready to switch Secure proactive handover pre-switching phase [tunnel management protocol to delete PHT] 5. Switching Post Switching Phase: Reassignment of nCoA to its physical Interface New Data using nCoA
MPA Optimization Issues • Network Discovery • Discover the neighboring network elements (e.g., Routers, APs, Authentication Agents) • 802.21 (Information Service), 802.11u, WIEN SG, CARD, DNS/SLP • Proactive IP Address Acquisition • Proactive Duplicate IP address Detection • Proactive Address Resolution • Proactive Tunnel Management • Proactive Mobility Binding Update • Bootstrap Link-layer Security in CTN using L3 Pre-authentication
Network 2 Network 3 Network 1 AA 10.10.30/24 10.10.20.52/24 PANA Agent 10.10.20.52/24 10.10.40.52/24 Relay/ Client Proxy R1 eth2 eth0 R2 eth0 AR AR IP2 10.10.10/24 DHCP Server DHCP Server CA AP1(Channel 6) SIP with VIC/RAT Application 10.10.10.51 AP2(Channel 9) ITSUMO network CN MN MN Move 10.10.30.25 Experimental Network in the Lab. IP1: 10.10.10.223 IP0: 10.10.40.20 AP1, AP2: Access Point R1, R2: Access Router MN: Mobile Node CN: Correspondent Node IP0, IP1: IP address of MN
Protocol flow for MPA Network 2 (802.11) Network 3 Network 1 (802.11) CN R2 R1 AP2 MN DHCP AP1 Assign IP0 to Physical I/F DHCP Data Assign IP1 to Tunnel I/F PANA (Pre-Authentication and pre-configuration to obtain IP1) Address acquisition Using DHCP relay Tunnel (IP0-IP1) - - SIP Re-invite with IP1 - - Data Deletes Tunnel with PANA Update L2 handover MN Assign IP1 to Physical I/F Packet loss period Data
Network 2 (802.11) Network 3 Network 1 (802.11) CN R2 R1 AP2 MN DHCP AP1 Assign IP0 to Physical I/F Data MN L2 handover - - DHCP PANA Assign IP1 to Physical I/F SIP Re-invite with IP1 Packet loss period Data Protocol Flow for Non-MPA
Performance (MPA-Non-MPA) • MPA • No packet loss during pre-authentication, pre-configuration and pro-active handoff before L2 handoff • Only 1 packet loss, 14 ms delay during handoff mostly transient data • Includes delay due to layer 2, update to delete the tunnel on the router • We also reduced the layer 2 delay in hostap Driver • L2 delay depends upon driver and chipset • non-MPA • About 200 packets loss, ~ 4 s during handover • Includes standard delay due to layer 2, IP address acquisition, Re-Invite, Authentication/Authorization • Could be more if we have firewalls also set up MPA Approach 802.11 802.11 4 s handoff Non-MPA Approach
Conclusions/Future Work • MPA framework provides an optimized mobility management solution independent of mobility protocol used • We demonstrated an initial prototype implementation and results • MPA works over single interface and multiple interfaces (e.g., 802.11, CDMA) • Define a more integrated architecture that works in conjunction information discovery scheme (e.g.,802.21, 802.11u) • Comments/Suggestions/Questions • Next steps?
Comments from the group • This framework is dependent upon a good network discovery scheme • We may need to set up temporary tunnels with more than one network temporarily • Need a smarter algorithm to decide the exact network the mobile may move • Binding Update ( Is it necessary to do it beforehand) • In MIPv6 we may need to do next-hop care of address check • What do we gain by doing binding update ahead of time • Need for pre-configuration ? • How much time it takes to do the pre-configuration • Pre-configuration usually does not affect the handoff delay or packet loss • Layer 2 delay reduction • How can it work with other mobility management techniques (e.g.. MIPv6)
Signal RTP Data Lost RTP Data MPA Experimental Flow (proactive handoff) (possible backup) Tunneled packet DHCP CN R2 MN MN Network 1 Network 3 Network 2 RTP IP0 DHCP PANA PANA (BIND) DHCP(IP1) Tunnel Setup RTP RTP SIP Re_INVITE (IP1) 8.913 BU OK (tunneled) OK No Packets lost During BU RTP packets Spaced ~16 ms 9.030 RTP 9.136 ACK Tunneled Data RTP (39835) 9.267 RTP (40335) 19.283 Handoff Decision PANA Trigger to delete tunnel 19.285 PANA Response 19.291 RTP (40336) 19.298 RTP (40337) 19.315 Tunnel deleted RTP (40340) 19.379 Lost packet (non-tunnel) RTP (40341) L2 handoff + local L3 Configuration 19.393 IWCONFIG (IOCTL) 19.395 X 19.394 JOIN (Auth/Assoc, ifconfig, route,) 19.408 JOIN (ACK) First packet in new network (non-tunneled) RTP (40342) 19.411 IP1
Bootstrapping Link-layer security using L3-Preauth Current Network CTN 1. Pre-authentication AA 2 . Keys (TSK) AP1 AP2 AP3 3. Secure Association 4. Secure Association MN MN MN
Mobile Wireless Internet: A Scenario (possible backup) Domain1 Internet Domain2 PSTN gateway WAN 802.11a/b/g WAN UMTS/ CDMA IPv6 Network Bluetooth 802.11 a/b/g LAN PSTN Hotspot LAN PAN CH Roaming User UMTS/CDMA Network Ad Hoc Network
Provider A Subnet A2(or ESS A2) Subnet B1 (or ESS B1) Subnet A1(or ESS A1) Provider B IEEE 802.11 LAN IEEE 802.11LAN IEEE 802.11LAN Intra-domain Inter-subnet MIH Inter-domain Inter-subnet MIH Single Radio Interface Roaming Scenario (possible backup)
3GPP Cellular Network IEEE 802.11LAN IEEE 802.11 LAN WLAN: deactivated Cellular: activated The mobile finds WLAN AP through information discovery over the activated I/F The mobile quickly activates the WLAN I/F and switch to it. The mobile may deactivate the cellular I/F Multiple Radio Interface Roaming Scenario (possible backup)