Media-Independent Pre-Authentication(draft-ohba-mobopts-mpa-framework-00.txt)

Ashutosh Dutta, Telcordia Technologies

Yoshihiro Ohba (Ed.), Kenichi Taniuchi

Toshiba America Research Inc.

Henning Schulzrinne, Columbia University

Prepared for IRTF MOBOPTS WGMarch 8th, 62nd IETF, Minneapolis

IRTF – 2

Outline

Motivation Handoff Delay during Wireless Internet Roaming Fast Handoff Related Work Proposed Method: Media-independent Pre-Authentication Demonstration and Results Conclusions/Future Work

IRTF – 3

Motivation

It is desirable to limit the jitter, delay and packet loss for real-time and non-real-time traffic– e.g.,150 ms end-to-end delay for interactive traffic such as VoIP, 2%

packet loss is allowed Delay due to handoff takes place at several layers

– Layer 2 (handoff between AP) – Layer 3 (IP address acquisition, Configuration, Authentication, Authorization)

– Binding Update, Media Redirection Rapid handoff will contribute to overall delay and packet loss Thus it is essential to reduce the handoff delay introduced at

different layers We propose a fast-handoff mechanism to reduce the handoff-

delay and packet loss

IRTF – 4

1- L2 Hand-over Latency Delay

2 – Delay due toIP Address Acquisition and Configuration, authentication, authorization

3 – Binding update and Media Redirection delay

Handoff Latency

AP1 AP2NextAccessRouter

ICMP Router Discovery/Router Advertisement

DHCP server/PPP/FA

DHCP/ MIP CoA/PPP

HA/SIP Server

MIP BU/SIP Re-Invite

CN

Media

New Media

Binds to AP1

Binds to AP2

MN

1

2

3

Stateless Auto-configuration

AAA

IGMP

DAD/ARP

1

2

3AAServer

802.11i

IRTF – 5

Problem in Mobility Management Protocols

Problem 1 (performance): Operations for updating higher-layer context (i.e., IP address acquisition, mobility binding update, authentication etc.) occur after link-layer handover

– Processing and/or signaling delay for each operation accumulates– Longer packet loss period due to handoff delay– No solutions exist for single-interface host

Problem 2 (security): Existing mobility optimization mechanisms do not provide secure handover signaling especially for roaming cases

– A secure mobility optimization mechanism that is tied with AAA (Authentication, Authorization and Accounting) and can deal with inter-subnet and inter-domain handover is needed

Problem 3 (applicability): Existing mobility optimization mechanisms are tightly coupled with particular mobility management protocols

– FMIPv6 and HMIP are defined for Mobile IPv6 only– A mobility optimization mechanism that is applicable to any mobility

management protocol is needed

IRTF – 6

Mobility Optimization - Related Work Cellular IP, HAWAII - Micro Mobility

MIP-Regional Registration, Mobile-IP low latency, IDMP

HMIPv6, FMIPv6 (IPv6)

Yokota et al - Link Layer Assisted handoff

Shin et al, Velayos et al - Layer 2 delay reduction

Gwon et al, - Tunneling between FAs, Enhanced Forwarding PAR

SIP-Fast Handoff - Application layer mobility optimization

DHCP Rapid-Commit, Optimized DAD - Faster IP address acquisition

IRTF – 7

Media-independent Pre-Authentication (MPA)

MPA is:– a mobile-assisted higher-layer authentication, authorization and

handover scheme that is performed prior to establishing L2 connectivity to a network where mobile may move in near future

MPA provides a secure and seamless mobility optimization that works for – Inter-subnet handoff

– Inter-domain handoff

– Inter-technology handoff Use of multiple interfaces

MPA works with any mobility management protocol– MIP(v4,v6), SIPMM etc.

IRTF – 8

Functional Components of MPA

1) Pre-authentication/authorization– Used for establishing a security association (SA) between the

mobile and a network to which the mobile may move– L2 pre-authentication can also be enabled based on the

established SA

2) Pre-configuration– Used for establishing contexts specific to the network to which the

mobile may move (e.g., nCoA)– The SA created in (1) are used to perform secured configuration

procedure

3) Secured Proactive Handover – Used for sending/receiving IP packets based on the pre-authorized

contexts by using the contexts of the current network

IRTF – 9

Expected Result during handoff

TimeConventionalMethod

Discovernew AP in the neighboringsubnet L2 handoff

starts

L3 handoffstarts

MPA

DiscoverNew APIn the neighboring subnet

Pre-auth/Pre-configCompletes(L2 SAs can be ,completed here.)

L2 handoffstarts

L3 handoffcompletes

L2 handoffcompletes

L3 handoffstarts

L2 handoffcompletes

Critical period (communication interruption can occur)

L3auth/configstarts

L3 auth/authzcompletes

Time

Pre-auth/Pre-configstarts

L2 auth/authz,starts

L3 handoffcompletes

IRTF – 10

Pre-Authentication

Subnet X Subnet Y

CN: Correspondent NodeMN: Mobile NodeAA: Authentication AgentCA: Configuration AgentAR: Access Router

AA CA AR

MN

pre-authentication

CNDATA[CN<->A(X)]

SIP mobility is just an example mobility protocol. MPA works for any mobility management protocol

IRTF – 11

Pre-configuration

CN

AA CA AR

MN

IP address: A(X)Current subnet: XStatus: Pre-authentication doneAction: pre-configuration

DATA[CN<->A(X)]

MN-CA key

pre-configuration

Subnet X Subnet Y

CN: Correspondent NodeMN: Mobile NodeAA: Authentication AgentCA: Configuration AgentAR: Access Router

IRTF – 12

Pre-Configuration (Cont.)

CN: Correspondent NodeMN: Mobile NodeAA: Authentication AgentCA: Configuration AgentAR: Access Router

AA CA AR

MN

IP address: A(X), A(Y)Current subnet: XStatus: Pre-configuration doneAction: SPH Initiation

MN-AR key

Secure Proactive Handover tunnel

establishmentprocedure

CNDATA[CN<->A(X)]

Subnet X Subnet Y

IRTF – 13

Secured Proactive Handover: Main Phase

CN: Correspondent NodeMN: Mobile NodeAA: Authentication AgentCA: Configuration AgentAR: Access Router

AA CA

MN

IP address: A(X), A(Y)Current subnet: XStatus: PH tunnel establishedAction: SIP Re-Invite

MN-AR key

SIP Re-Invite over proactive hanodvertunnel [AR<->A(X)]

CNDATA[CN<->A(X)]

AR

Subnet X Subnet Y

Re-Invite[CN<->A(Y)]

IRTF – 14

Secured Proactive Handover: Completion

CN: Correspondent NodeMN: Mobile NodeAA: Authentication AgentCA: Configuration AgentAR: Access Router

AA CA

IP address: A(X), A(Y)Current subnet: XStatus: SIP Re-Invite doneAction: PH Completion

DATA [CN<->A(Y)] over proactive hanovertunnel [AR<->A(X)]

AR

Proactive handoverstop procedure

MN

L2 handoff procedure

Subnet X Subnet Y

CN

Data in new domain

IRTF – 15

Mobile-assisted Seamless Handoff (a scenario)

AR

AP1

Mobile

AP2

AP3

AP0

AA CA

MN-CA keyAA CA

MN-CA key

AA CA

MN-CA key

CN

AR

AR

Network 1

Network 2

Network 3

CurrentNetwork TN

Information Service (e.g.,802.21) mechanism can help locate the neighboring network elements in the candidate target networks (CTN)

CTNCTN

CTN – Candidate Target NetworksTN – Target Network

IRTF – 16

MPA Communication Flow

MN oPoA nPoA AA CA AR

1. Found CTN

Candidate Target Network

Pre-authentication[Authentication Protocol]

MN-CA Key

MN-AR Key2. High probability to switch to the CTN

Pre-configuration [Configuration Protocol to get nCoA]

Pre-configuration [tunnel management protocol to establish PHT

3. Determined to switch toThe CTN Secure Proactive Update Phase

Binding Update + data Transmission over PHT using nCoA

4. BU completion andReady to switch

Secure proactive handover pre-switching phase [tunnel management protocol to delete PHT]

CN

5. Switching Post Switching Phase: Reassignment of nCoA to its physical Interface

Existing session using oCoA

New Data using nCoA

IRTF – 17

MPA Optimization Issues Network Discovery

– Discover the neighboring network elements (e.g., Routers, APs, Authentication Agents)

– 802.21 (Information Service), 802.11u, WIEN SG, CARD, DNS/SLP

Proactive IP Address Acquisition

Proactive Duplicate IP address Detection

Proactive Address Resolution

Proactive Tunnel Management

Proactive Mobility Binding Update

Bootstrap Link-layer Security in CTN using L3 Pre-authentication

IRTF – 18

Protocol Set for the MPA demonstration

Pre-authentication protocol PANA

Pre-configuration protocol PANA, DHCP Relay

Proactive handover tunneling protocol IP-in-IP

Proactive handover tunnel management protocol PANA

Mobility management protocol SIP Mobility

Link-layer security None

IRTF – 19

Experimental Network in the Lab.

IP0: 10.10.40.20 IP1: 10.10.10.223

AP1, AP2: Access PointR1, R2: Access RouterMN: Mobile NodeCN: Correspondent NodeIP0, IP1: IP address of MN

R2R1

10.10.20.52/2410.10.20.52/24

10.10.40.52/24

10.10.10/24

10.10.10.51

eth0

eth0

eth2

SIP with VIC/RATApplication

DHCPServer

Relay/Client Proxy

PANAAgent

10.10.30.25

Network 1 Network 2

IP2

AP1(Channel 6)

AP2(Channel 9)ITSUMO network

DHCPServer

Move

AA

CA

AR

CNMN MN

10.10.30/24

Network 3

AR

IRTF – 20

Protocol flow for MPA

MN AP1 AP2 R2 DHCP

MN

Network 1 (802.11) Network 2 (802.11)

Assign IP0 to PhysicalI/F

PANA (Pre-Authentication and pre-configuration to obtain IP1)

CN

Data

Data

Tunnel (IP0-IP1) -

-SIP Re-invite with IP1

Data

AddressacquisitionUsing DHCPrelay

R1

Network 3

-

-

Deletes Tunnel with PANA Update

Assign IP1 to PhysicalI/F

Assign IP1 to TunnelI/F

L2 handover

Packet loss period

DHCP

IRTF – 21

Protocol Flow for Non-MPA

MN AP1 AP2 R2 DHCP

Network 1 (802.11) Network 2 (802.11)

Assign IP0 to PhysicalI/F

CN

Data

-

SIP Re-invite with IP1

Data

R1

Network 3

-

PANAAssign IP1 to PhysicalI/F

DHCP

MNL2 handover

Packet loss period

IRTF – 22

Performance (MPA-Non-MPA)

MPA – No packet loss during pre-authentication,

pre-configuration and pro-active handoff before L2 handoff

– Only 1 packet loss, 14 ms delay during handoff mostly transient data

Includes delay due to layer 2, update to delete the tunnel on the router

We also reduced the layer 2 delay in hostapDriver L2 delay depends upon driver and chipset

non-MPA – About 200 packets loss, ~ 4 s during

handover Includes standard delay due to layer 2, IP

address acquisition, Re-Invite, Authentication/Authorization

– Could be more if we have firewalls also set up

MPA Approach

Non-MPA Approach

handoff

802.11 802.114 s

IRTF – 23

Conclusions/Future Work

MPA framework provides an optimized mobility management solution independent of mobility protocol used

We demonstrated an initial prototype implementation and results

MPA works over single interface and multiple interfaces (e.g., 802.11, CDMA)

Define a more integrated architecture that works in conjunction information discovery scheme (e.g.,802.21, 802.11u)

Comments/Suggestions/Questions

Next steps?

IRTF – 24

Thank you!

IRTF – 25

Comments from the group This framework is dependent upon a good network discovery scheme

– We may need to set up temporary tunnels with more than one network temporarily

– Need a smarter algorithm to decide the exact network the mobile may move Binding Update ( Is it necessary to do it beforehand)

– In MIPv6 we may need to do next-hop care of address check– What do we gain by doing binding update ahead of time

Need for pre-configuration ? How much time it takes to do the pre-configuration Pre-configuration usually does not affect the handoff delay or packet

loss Layer 2 delay reduction How can it work with other mobility management techniques (e.g..

MIPv6)

IRTF – 26

Backup Slides

IRTF – 27

MPA Experimental Flow (proactive handoff) (possible backup)

R2MNCNDHCP

RTP

PANA DHCP

PANA (BIND)

SIP Re_INVITE (IP1)8.913

9.030

9.136

RTP (39835)

OK

ACK

9.267

19.283

19.285

19.291

HandoffDecision

PANA Trigger to delete tunnel

RTP (40335)

RTP (40336)19.29819.31519.379

RTP (40340)

IWCONFIG (IOCTL) RTP (40341)19.39319.394 JOIN19.408 JOIN (ACK)

(Auth/Assoc, ifconfig, route,)

L2 handoff+ local L3Configuration

PANA Response

RTP (40342)

BU

19.411

MNNetwork 1

Network 2 Network 3

First packet in new network (non-tunneled)

19.395 Lost packet (non-tunnel)

DHCP(IP1)

RTP

RTP

Tunnel deleted

RTP

X

Tunneled Data

NoPackets lostDuring BU

Tunnel Setup

Signal

RTP Data

Lost RTP Data

Tunneled packet

RTP (40337)

OK (tunneled)

RTP packetsSpaced ~16 ms

IP0

IP1

IRTF – 28

Bootstrapping Link-layer security using L3-Preauth

Current Network

CTN

MN

AP2 AP3

AA

AP1

MN MN

1. Pre-authentication

2 . Keys (TSK)

3. Secure Association

4. Secure Association

IRTF – 29

Mobile Wireless Internet: A Scenario (possible backup)

802.11a/b/g

Bluetooth

IPv6Network

UMTS/CDMA Network

InternetDomain1

Domain2

UMTS/CDMA

PSTN gateway

Hotspot

CHRoaming User Ad Hoc

Network

PAN

LAN

WAN

WAN

LAN

PSTN

802.11 a/b/g

IRTF – 30

Single Radio Interface Roaming Scenario (possible backup)

Provider B

Provider A

IEEE 802.11 LAN

Subnet A1(or ESS A1) Subnet A2(or ESS A2) Subnet B1 (or ESS B1)

IEEE 802.11LAN IEEE 802.11LAN

Intra-domainInter-subnet MIH

Inter-domainInter-subnet MIH

IRTF – 31

Multiple Radio Interface Roaming Scenario (possible backup)

IEEE 802.11 LAN IEEE 802.11LAN

3GPP Cellular Network

WLAN: deactivatedCellular: activated

The mobile finds WLAN AP through information discovery over the activated I/F

The mobile quickly activates the WLAN I/F and switch to it.The mobile may deactivate the cellular I/F