Authentication, Authorization and Accounting in Hybrid Ad hoc Networks

By Venkata Vamshi

Naraharisetti--PT14C--30-minS Authentication …llilien/teaching/fall2006/cs6910/30-min... · Authentication Authorization and Accounting ... WLAN infrastructure) ... Naraharisetti--PT14C--30-minS__Authentication_Authorization_and_Accounting_in_Hybrid


Overview

• WLAN, a popular technology.

• Hybrid ad hoc networks, a solution to WLAN-independent access.

• Authentication, Authorization and Accounting are important for wireless access.

• Desired architecture.

• Adapting IEEE 802.11 standards to achieve secured wireless.

• Validating the proposed solution through simulation.

Introduction

WLANs have emerged to fill the growing Internet demand. Through employing the WiFi technology, typically based on the IEEE 802.11 standard, a mobile user in the communication range of an access point is provided with Internet access.

Access points (APs) are deployed at densely populated areas such as airports, railway stations and public hotspots, where the Internet access is heavily used.

Hybrid ad hoc networks appear as an attractive solution in extending the service area of WLAN infrastructures, and are expected to offer seamless wireless network access for mobile users, avoiding the deployment of a huge number of APs.

Introduction (contd.)

These networks employ a multi-hop access mode, combining pure ad hoc networks and fixed infrastructure. Each mobile node may access the fixed infrastructure either directly or via other nodes in a multi-hop fashion.

Furthermore, these networks are expected to reduce the number of APs needed to cover a crowded area and to reduce the impact of collisions with multiple users attached to the same AP.

In this paper, we propose a novel architecture intended for hybrid ad hoc networks in public WLAN hotspots, with Internet access typically being the service offered to mobile clients.

Introduction (contd.)

An Authentication, Authorization and Accounting (AAA) scheme is developed for convenient and secure communication between mobile users, authorizing only subscribed users to access the Internet service.

The proposed architecture adapts the 802.11i [1] to the hybrid ad hoc network environment, allowing extended forwarding capabilities in 802.11i without compromising its security features.

We introduce the concept of cross-layer interaction with the ad hoc routing layer in order to provide a virtual clustering infrastructure useful for the 802.11i operation.

Proposed Architecture

The general objective of this architecture is supporting mobile clients' secure and seamless access to the Internet, near public WLAN hotspots, even when they move beyond WLAN communication ranges.

A hybrid ad hoc network that combines a fixed network infrastructure and a virtual infrastructure consisting of mobile clients is used.

The fixed infrastructure has two core entities:
a. Fixed Infrastructure.
b. Virtual Infrastructure.

The aggregation (backbone) network managed by the network operator, forming the backend of the fixed infrastructure and providing Internet connectivity.

The WLAN 802.11 APs, which implement the front end of the fixed infrastructure and are deployed at WLAN hotspots.

Each AP is linked to an existing ADSL broadband Internet access node. The virtual infrastructure (or the non-fixed infrastructure) is composed of mobile clients through ad hoc clusters constructed in a random fashion.

Each chain of ad hoc clusters is linked to the infrastructure via an AP as shown in Figure

Business Model

Due to the transient nature of WLAN usage scenarios, it would be inconvenient for mobile clients to go through the payment process each time they use the WLAN.

So, an on-use package (using pre-paid cards) model, where payments are made according to the WLAN utilization, is not so appropriate with our proposed architecture due to the difficulty of managing the accounting information for mobile clients.

However, they propose a pure package (pay before use) business model, which is associated with the clients' Internet subscription or telephone subscription and where the billing is a fixed monthly amount whether the client uses the service or not.

Virtual Infrastructure through a Cross-Layer Interaction

Classical 802.11i depends on architectural elements in order to carry out the authentication process.

It employs an authenticator (WLAN AP) and an authentication server as fixed elements, where mobile clients are the supplicants that request authentication from the authentication server via the authenticator.

To achieve efficient AAA employing the 802.11i in our hybrid ad hoc hotspot environment, a virtual infrastructure is needed to provide a sort of centralization.

We exploit a cross-layer interaction with the routing layer that enables each node in the network to evaluate its own status locally and to establish a network global view according to some defined metrics.

Initial hypothesis and clusters' classification

We consider the following hypothesis in providing the hierarchical clustering infrastructure, aiming to have a sort of centralization:

i) A fixed diameter equal to 1 hop.

ii) A defined density for each cluster head (CH) determining the maximum number of nodes the CH can support.

iii) A defined depth for each CH, determining the possible number of its downstream clusters.

The CH depth is calculated as a function of the current CH density and its maximum density.

Step 1:

In a first step, a default cluster is constructed around each AP by mobile clients falling in its communication range and authenticating directly through the AP via classical 802.11i. Since this type of cluster is privileged in terms of a smaller number of hops to reach the authentication server and access the Internet, we call this type of cluster a primary cluster.

Step 2:

In a second step, a number of ad hoc clusters are constructed in a random fashion among mobile clients that are out of the WLAN communication range. In this case, some mobile clients are selected to be CHs. Each CH plays the role of a friend node or an auxiliary authenticator for mobile clients belonging to its cluster. We call this type of cluster a secondary cluster.

Routing protocol role in providing clusters:

The following criteria are considered:

i) CH density,

ii) CH depth, and

iii) stability of the CH node.

Cluster construction takes place respecting the following priorities:

1. The first mobile client falling in the proximity of an AP associates with this AP, constructing a primary cluster. The AP is considered as the CH and plays the role of the authenticator to all its cluster members.

2. Secondary cluster construction takes place among mobile nodes that do not fall in the communication range of APs.

Each node failing to associate with an AP starts to construct a secondary cluster through choosing a CH, considering the following priorities in order:

a) CH belongs to a primary cluster and satisfies the previously mentioned conditions necessary for CHs;

b) CH belongs to a secondary cluster and satisfies the criteria of choice of the CH.
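The construction priorities above, as an added Python sketch that is not code from the slides or the underlying paper: it attaches each joining node to a CH and returns the chain of authenticators its 802.11i exchange would cross to reach the AP. The radio range, stability values, density and depth limits, the constructed topology, and the treatment of depth as a fixed per-CH budget are assumptions (the slides only say depth is a function of current and maximum density).

```python
from dataclasses import dataclass, field
from math import dist

RADIO_RANGE = 100.0  # assumed 1-hop range (cluster diameter is 1 hop)

@dataclass(eq=False)
class Node:
    name: str
    pos: tuple
    is_ap: bool = False
    stability: float = 1.0   # assumed metric: higher = more stable CH
    max_density: int = 2     # assumed: max members this node supports as CH
    max_depth: int = 1       # assumed: max downstream clusters below this CH
    head: "Node | None" = None   # CH acting as this node's authenticator
    members: list = field(default_factory=list)

def downstream_clusters(ch):
    """Number of clusters headed by members of ch."""
    return sum(1 for m in ch.members if m.members)

def eligible(ch):
    """Density and depth conditions a CH must meet to accept one more member."""
    if len(ch.members) >= ch.max_density:
        return False
    # A mobile node with no members yet would start a new downstream cluster
    # under its own CH, so that CH's depth budget must allow it.
    starts_cluster = not ch.is_ap and not ch.members
    return not (starts_cluster
                and downstream_clusters(ch.head) >= ch.head.max_depth)

def join(node, network):
    """Attach node to a CH per the slide's priorities; return the CH or None."""
    near = [n for n in network
            if n is not node and dist(n.pos, node.pos) <= RADIO_RANGE]
    aps = [n for n in near if n.is_ap and eligible(n)]
    if aps:   # priority 1: direct association with an AP (primary cluster)
        ch = min(aps, key=lambda a: dist(a.pos, node.pos))
    else:     # priority 2: (a) CH in a primary cluster, then (b) in a secondary
        cands = [n for n in near
                 if not n.is_ap and n.head is not None and eligible(n)]
        if not cands:
            return None   # no authenticator reachable: node stays unserved
        ch = min(cands, key=lambda c: (not c.head.is_ap, -c.stability))
    node.head = ch
    ch.members.append(node)
    return ch

def auth_chain(node):
    """Authenticators an 802.11i exchange from node crosses, ending at the AP."""
    chain = []
    while node.head is not None:
        node = node.head
        chain.append(node.name)
    return chain

def build_demo():
    """Constructed topology: one AP and six mobile clients joining in order."""
    net = [Node("AP", (0, 0), is_ap=True),
           Node("A", (50, 0), stability=0.5), Node("B", (0, 60)),
           Node("C", (130, 0), stability=0.9), Node("D", (0, 150)),
           Node("E", (200, 0)), Node("F", (120, 50))]
    for n in net[1:]:
        join(n, net)
    return {n.name: auth_chain(n) for n in net[1:]}

if __name__ == "__main__":
    for name, chain in build_demo().items():
        print(name, "->", " -> ".join(chain) if chain else "unattached")
```

In this run D stays unattached because its only neighbour, B, would open a second downstream cluster under the AP, and F picks A (primary cluster) over the more stable C (secondary cluster). Every name in a chain is an auxiliary authenticator the client has to trust, so chain length is the quantity to watch when sizing density and depth.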

RADIUS Authentication

• RADIUS is a widely deployed protocol, based on a client/server model, that enables centralized authentication, authorization, and accounting for network access

• RADIUS is the standard for managing network access for VPN, dial-up, and wireless networks

• Use RADIUS to manage network access centrally across many types of network access

• RADIUS servers receive and process connection requests or accounting messages from RADIUS clients or proxies

Authentication, Authorization and Accounting (AAA) Mechanism

Chained Authentication

Experimentation Methodology

Results and Analysis

They derived the following performance metrics to study the effect of extending the 802.11i on the performance of the authentication process:

Authentication failures.

Studying clustering versus non-clustering cases.

Average authentication delay.

Server solicitation ratio.

Average authentication trials failure.

Authentication delay with different ad hoc chaining

Authentication failures with ad hoc clustering size.

Server Request Distribution.

Conclusion

Efficient AAA process as well as secure links' setup takes place for each mobile client during the Internet access service.

We observed that the clustering approach can compensate for the lack of APs (insufficient size of WLAN infrastructure), allowing secure service access for non-covered nodes.
