67th IRTF MOBOPTS – 1
Media Independent Pre-Authentication and Implementation
(draft-ohba-mobopts-mpa-framework-03.txt)
(draft-ohba-mobopts-mpa-implementation-03.txt)
Yoshihiro Ohba,
Ashutosh Dutta (Ed.),
Victor Fajardo,
Kenichi Taniuchi,
Rafa Lopez,
Henning Schulzrinne
Presented by: Ashutosh Dutta
67th IETF, San Diego
67th IRTF MOBOPTS – 2
Outline
Motivation
Related Work
MPA Framework Overview
Optimization Features
Implementation Results
– Intra-technology, Inter-domain
– Inter-technology, Inter-domain
– Bootstrapping Layer 2
Deployment Considerations
Conclusion & Future Work
67th IRTF MOBOPTS – 3
Motivation
Secured seamless convergence requires that jitter, delay and packet loss are limited for real-time applications without compromising security
– ITU G.114 defines 150 ms end-to-end delay and 3% packet loss for VoIP
Handoff delays exist at several layers
– Layer 2 (handoff between AP/BS), Layer 3 (IP address acquisition and other configuration parameters), Binding Update, Authentication, Authorization
The challenge is even greater when moving between heterogeneous networks
– Multiple access characteristics (802.11, CDMA, 802.16, GSM)
– Multiple AAA domains
– Diverse QoS requirements
– Different configuration mechanisms (e.g., DHCP, PPP)
– Different mobility requirements (802.11, GPRS, 802.16)
67th IRTF MOBOPTS – 4
Mobility Optimization - Related Work
Cellular IP, HAWAII - Micro Mobility
MIP-Regional Registration, Mobile-IP low latency, IDMP
FMIPv6, HMIPv6 (IPv6)
Yokota et al - Link Layer Assisted handoff
Shin et al, Velayos et al - Layer 2 delay reduction
Gwon et al - Tunneling between FAs, Enhanced Forwarding PAR
SIP-Fast Handoff - Application layer mobility optimization
DHCP Rapid-Commit, Optimized DAD - Faster IP address acquisition
67th IRTF MOBOPTS – 5
Media-independent Pre-Authentication (MPA)
MPA is a mobile-assisted higher-layer authentication, authorization and handover scheme that is performed a priori, before L2 connectivity is established to a network the mobile may move to in the near future
Primarily three phases
1) Pre-authentication
2) Pre-configuration
3) Proactive Handover
MPA provides a secure and seamless mobility optimization that works for Inter-subnet handoff, Inter-domain handoff and Inter-technology handoff
MPA works with any mobility management protocol
Works with any network discovery scheme (IEEE 802.21, 802.11u, CARD etc.)
Figure: handover timeline comparing the conventional method (AP discovery, AP switching, client authentication, IP address configuration & IP handover, with a packet loss period across these steps) against MPA, where pre-authentication is completed before AP switching.
67th IRTF MOBOPTS – 6
MPA Overview (Inter-domain, Intra-Tech)
CN: Correspondent Node, MN: Mobile Node, AA: Authentication Agent, CA: Configuration Agent, AR: Access Router, BA: Buffering Agent
Figure: the MN in Domain X (address A(X)) communicates with the CN via the Home Network HA; before the L2 handoff procedure it pre-authenticates with the AA of Domain Y and pre-configures with its CA, establishing the MN-CA key and MN-AR key.
1. DATA [CN<->A(X)]: data in old domain
2. DATA [CN<->A(Y)] over proactive handover tunnel [AR<->A(X)]: tunneled data, with the BA buffering during the L2 handoff procedure
3. DATA [CN<->A(Y)]: data in new domain, after the BU and the proactive handover tunneling end procedure
67th IRTF MOBOPTS – 7
MPA-assisted Seamless Handoff (a deployment scenario)
Figure: the Mobile in Current Network 1 (AP1 coverage area) talks to the CN across the INTERNET; an Information Server advertises neighboring networks. Networks 2 and 3 (AP 2 & 3 coverage area) each have an AR, AA and CA and a pre-established MN-CA key; Network 4 has an AR. AP2 and AP3 are marked as candidate target network and target network.
CTN – Candidate Target Networks, TN – Target Network
67th IRTF MOBOPTS – 8
Key Optimization Features for MPA
Pre-authentication
– L3, L2 layer pre-authentication
Pre-Configuration
– Proactive IP Address Acquisition (Stateful, Stateless)
– Proactive Duplicate IP Address Detection
– Proactive Address Resolution
Proactive Mobility Binding Update
Security bootstrapping
– Link Layer
– IP Layer
Layer 2 optimization
Dynamic Buffering Scheme
– Buffering and Copy-Forwarding
Tunnel Management
67th IRTF MOBOPTS – 9
Protocol Set for current MPA prototype

Component                                       MIPv6             SIPM
Mobility Management Protocol                    MIPv6             SIPM
Information Service Scheme (802.21)             XML/RDF           XML/RDF
Pre-authentication protocol                     PANA              PANA
Pre-configuration protocol                      Stateless, PANA   DHCP Relay, PANA
Proactive handover tunneling protocol           IPsec             IP-in-IP
Proactive handover tunnel management protocol   PANA              PANA
Buffer Management Protocol                      PANA              PANA
Link-layer security                             None              None
67th IRTF MOBOPTS – 10
Comparison - Intra-Technology, Inter-domain Handover (Case- I)
Figure: audio output comparison of non-802.21 assisted SIP-based mobility (handoff 4 s) against 802.21 assisted SIP-based mobility (optimized handoff).
Delay and packet loss statistics

Mobility Type                                        SIP Mobility                MIPv6
Handoff Parameters                                   Buffering   Buffering       Buffering Enabled   Buffering Disabled   Buffering Enabled   Buffering Disabled
                                                     Enabled     Disabled        + RO Enabled        + RO Enabled         + RO Disabled       + RO Disabled
Avg. Buffered Packets                                3.00        n/a             3.00                n/a                  2.00                n/a
Buffering period (ms)                                20.00       n/a             50.00               n/a                  50.00               n/a
Avg. packet jitter (ms)                              13.00       n/a             50.60               n/a                  29.33               n/a
Avg. inter-packet arrival time during handover (ms)  29.00       n/a             66.60               n/a                  45.33               n/a
Avg. inter-packet interval (ms)                      16.00       16.00           16.00               16.00                16.00               16.00
Avg. packet loss                                     0           1.50            0                   0.66                 0                   1.33
L2 handoff (ms)                                      5.00        4.00            4.00                4.00                 4.33                4.00
67th IRTF MOBOPTS – 11
Inter Technology, Inter-domain
Scenario 1: If multiple interfaces can be simultaneously used during handover
Scenario 2: If multiple interfaces cannot be simultaneously used during handover, then it is not easy to support seamless handover from one interface to another
– This can happen when the old interface suddenly becomes unavailable (this can happen over a Wi-Fi link)
Figure (Scenario 2: Multiple Interfaces cannot be used simultaneously): an MN with Wi-Fi and EV-DO interfaces and a CN. During handover the Wi-Fi link goes suddenly down while handover signaling runs over EV-DO, and packet loss is incurred; after handover, application traffic flows over EV-DO.
MN: Mobile Node, CN: Correspondent Node
67th IRTF MOBOPTS – 12
MPA Framework - Inter-domain, Inter-Tech Demonstration Scenario
– Sudden Disconnection from WiFi Network
The handover tunnel server is placed outside the EV-DO network, instead of placing it at the access router of EV-DO
MN: Linux PC
CN: Linux PC or Windows CE cell-phone
Handover tunnel server: Linux PC
Wireless LAN: 802.11b
Handover tunnel encapsulation method: IP-in-IP
Handover tunnel management protocol: PANA
Application: Skype
Figure: the MN (Linux PC) reaches the CN (Linux PC or WinCE cell-phone) over Wi-Fi (802.11b) or EV-DO through the Handover Tunnel Server (Linux PC).
• Packet loss = 0
• Handoff Delay = 50 – 60 ms
• Duplicate Packets = 10
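The Dynamic Buffering Scheme (buffering and copy-forwarding) listed under the optimization features and the demo result above (zero loss but duplicate packets) are two views of the same mechanism. The following is an added example, not code from the MPA drafts or the prototype on these slides: it replays a constructed CN-to-MN packet stream through an L2 gap with a buffering agent (BA) that either only buffers or also copy-forwards, and reports loss, duplicates and added delay. The scenario parameters (link-down time, L2 gap, buffering lead) are assumed values.

```python
from dataclasses import dataclass

INTERVAL_MS = 16   # average inter-packet interval measured on the results slide

@dataclass(frozen=True)
class Packet:
    seq: int
    sent_ms: int

@dataclass(frozen=True)
class Scenario:
    link_down_ms: int    # old link becomes unusable (e.g. sudden Wi-Fi loss)
    l2_handoff_ms: int   # gap until the new link carries traffic
    buffer_lead_ms: int  # how far ahead of link-down the MN (via PANA) asks the BA to buffer

    @property
    def new_up_ms(self) -> int:
        return self.link_down_ms + self.l2_handoff_ms

    @property
    def buffer_start_ms(self) -> int:
        return self.link_down_ms - self.buffer_lead_ms

def stream(duration_ms: int) -> list[Packet]:
    """Constructed CN->MN packet stream, one packet every INTERVAL_MS."""
    return [Packet(i, i * INTERVAL_MS) for i in range(duration_ms // INTERVAL_MS)]

def deliver(pkts: list[Packet], sc: Scenario, buffering: bool, copy_forward: bool) -> dict:
    """Replay the stream through the handover gap and report what the MN receives."""
    arrivals = []   # (arrival_ms, seq) as seen by the MN on either of its addresses
    buffered = 0
    for p in pkts:
        if buffering and sc.buffer_start_ms <= p.sent_ms < sc.new_up_ms:
            buffered += 1
            arrivals.append((sc.new_up_ms, p.seq))        # BA releases it over the tunnel to A(Y)
            if copy_forward and p.sent_ms < sc.link_down_ms:
                arrivals.append((p.sent_ms, p.seq))       # BA also copies it to A(X) right away
        elif p.sent_ms < sc.link_down_ms or p.sent_ms >= sc.new_up_ms:
            arrivals.append((p.sent_ms, p.seq))           # old path before, new path after the gap
        # else: sent into the L2 gap with nobody holding it, so it is lost
    sent_at = {p.seq: p.sent_ms for p in pkts}
    seen, dups, max_extra = set(), 0, 0
    for t, seq in sorted(arrivals):                       # MN drops repeats by sequence number
        if seq in seen:
            dups += 1
            continue
        seen.add(seq)
        max_extra = max(max_extra, t - sent_at[seq])
    return {"delivered": len(seen), "lost": len(pkts) - len(seen), "duplicates": dups,
            "buffered": buffered, "max_extra_delay_ms": max_extra}
```

Copy-forwarding trades duplicates (which the MN discards) for lower worst-case delay on the packets that were still deliverable over the old link.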
67th IRTF MOBOPTS – 13
Typical Roaming architecture
Figure: Home Domain with AAAH; Domain A with AAAv1 and Domain B with AAAv2, each with an AA; access points AP1 to AP4 behind two ARs. Handover types shown: intra-subnet (intra-domain, IEEE 802.11i/r), inter-subnet, and inter-subnet (inter-domain).
67th IRTF MOBOPTS – 14
Layer 2 Pre-authentication and bootstrapping
Figure (testbed): the PaC in Subnet A (pAR, AP0) performs PANA pre-auth with the nAR/PAA of Subnet B (AP1, AP2), which authenticates it via Diameter through AAAv to AAAh in the Home Domain; PSKs are then installed at AP1 and AP2 so that association & the 4-way handshake can proceed.
67th IRTF MOBOPTS – 15
MPA L2 pre-authentication

Types of Authentication    IEEE 802.11i EAP/TLS Post Authentication   IEEE 802.11i Pre-authentication   Network Layer Assisted layer 2 pre-authentication
Operation                  Non Roaming   Roaming                     Non Roaming   Roaming             Non Roaming   Roaming
Tauth                      61 ms         599 ms                      99 ms         638 ms              177 ms        831 ms
TConf (2 AP)               --            --                          --            --                  16 ms         17 ms
Tassoc + 4 Way handshake   18 ms         17 ms                       16 ms         17 ms               15 ms         17 ms
Total                      79 ms         616 ms                      115 ms        655 ms              208 ms        865 ms
Time affecting handover    79 ms         616 ms                      16 ms         17 ms               15 ms         17 ms
67th IRTF MOBOPTS – 16
Deployment Considerations
Authentication State Management
Pre-allocation of QoS resources
Scalability and Resource Allocation
Failed Switchover during handover
– Ping-Pong Effect
Pre-authentication with multiple CTNs
Multicast Mobility
MPA for IMS Networks
Applicability to other Fast-handoff approaches
– L3 and L2 pre-authentication
– MPA’s stateful proactive configuration
67th IRTF MOBOPTS – 17
MPA and Multicast Mobility
Figure: the MN moves from Visited Network 1 (multicast router MR1) to Visited Network 2 (MR2), each with DHCP; the Source's multicast tree reaches MR1 through the Internet, and after handover a new multicast tree is built to MR2. The Home Network HA is also shown.
• Communicates the group address during pre-authentication phase
• Provides multicast stream proactively
• Reduces JOIN latency
• Applicable to Remote subscription-based and home subscription-based approach
Figure: remote subscription-based approach and home subscription-based approach, showing the Multicast Group Tree from the Source, the HA with bi-directional tunneling to the visited network's FA (v4), and an MPA tunnel between PAR and NAR delivering the stream to the MN ahead of handover; the AA of the visited network is shown.
67th IRTF MOBOPTS – 18
MPA for IMS/MMD Network
Figure: three access networks (Network 1 and Network 2 with PDSN, PCF and P/I-CSCF; Network 3 a WiFi network with AP, PDIF/PDG and P/I-CSCF), each with DHCP, connected over the Internet to the Home Network (HA, S/I-CSCF, AAA/HSS, AS, SPE, DHCP).
67th IRTF MOBOPTS – 19
MPA to pre-allocate end-to-end QoS
Use MPA and NSIS to reserve the end-to-end QoS guarantee for the new interface and the target network while using the old interface
Choose the target network based on the available end-to-end QoS
Figure: a Multi-Interface Mobile in Current Network 1 keeps its Existing Connection to the CN over the INTERNET while New Connections are prepared toward Networks 2 and 3 (AP 2 & 3 coverage area, each with AR, AA, CA and MN-CA key) and Network 4; an Information Server supplies the candidate list.
CTN – Candidate Target Networks
67th IRTF MOBOPTS – 20
Related Drafts
draft-ohba-mobopts-heterogeneous-requirement-01.txt
draft-ohba-pana-preauth-00.txt
draft-ohba-preauth-ps-00.txt
draft-yacine-preauth-ipsec-01.txt
67th IRTF MOBOPTS – 21
Conclusions
MPA attempts to address the issues of inter-domain handover and heterogeneous handover
MPA framework in conjunction with network discovery provides an optimized handover solution independent of the mobility management protocol
Current Implementation results of MPA
– Inter-domain, Intra-tech
– Inter-domain, Inter-tech
– Layer 2 bootstrapping
– MIPv6 and SIP-based mobility protocols
Results of FMIPv6 without pre-authentication support and MPA exhibit comparable performance characteristics and are bound by layer 2 delay
MPA’s pre-authentication part has been adopted by HOKEY WG
Future Work
Implement other functionalities of MPA
– Performance results with multiple pre-authentication in the neighboring networks
– Performance of MPA for IMS/MMD network
– Performance of MPA for Multicast Mobility
Experiment with MPA’s pre-authentication mechanism to augment FMIPv6