Public Access Mobility LAN: Extending The Wireless Internet into The LAN Environment
JUN LI, STEPHEN B. WEINSTEIN, JUNBIAO ZHANG, NAN TU. NEC USA Inc.
IEEE Wireless Communications, June 2002
Presenter: 鍾國麟, Institute of Communications Engineering
Introduction
- Aim is to meet:
  - Ubiquitous access
  - High data rate
  - Local services
- Need for wireless LAN environments
Introduction (cont’d)
- Architectural guidelines for WLAN environments:
  - Large-scale
  - IP-based
  - Supporting mobile/portable appliances
Introduction (cont’d)
- Current problems of public WLANs, seen from three sides:
  - End users
  - Venue operators providing the network environment (hotels, airports, restaurants, etc.)
  - ISPs
User
- At one venue: "Pay NT$200 for wireless Internet access."
- At another venue: "Buy an xxx prepaid Internet card."
- The user asks: roaming? QoS?
- What the user needs:
  1. One account, one password, one bill
  2. Mobility
  3. QoS
Venue operators providing the wireless space want:
1. As many users connecting as possible
2. Equipment maintenance
3. Easy management
4. Revenue sharing
5. Business image, etc.
ISPs want:
1. The widest possible wireless coverage
2. Easy equipment maintenance
3. To offer users different QoS levels
4. To provide mobility
PamLAN
- IP-based Public Access Mobility LAN
- Supports Internet access via WLANs
- Multiple air interfaces
- Multiple virtual operators (ISPs, telecom carriers)
- Location-dependent services
- Local IP mobility
- QoS (within the wired network)
PamLAN business model
- Network operators: hotel, airport, ...
- Third-party service providers (like ISPs): franchises obtained from the PamLAN operator; also called virtual operators
- End users
PamLAN
- May have multiple LAN segments: airports, hotels, universities, ...
- Can be built on existing LANs by adding wireless access points
PamLAN vs. Cellular Systems
- Even 3G mobile communication systems would not be sufficient for evolving Internet applications: 384 kb/s outdoors, 2 Mb/s indoors downstream burst rates
- Intrinsic problem: providing continuous coverage in reserved spectrum
- Investment/capacity scalability?
PamLAN vs. Cellular Systems
- WLANs have free (unlicensed) spectrum
- Problem: potential interference, e.g. between IEEE 802.11b and Bluetooth
- Property owners can agree on, or enforce, compatibility of the equipment deployed on their premises
Promises of PamLAN
- Addresses problems in current WLANs:
  - Lack of public access
  - Being tied down to a single access point
  - Single air interface
- Not a breakthrough in technological capacities: a combination of available technologies
Architecture
- PamLAN/VOLAN/VLAN hierarchy
  - PamLAN: multiple virtual operators
  - VOLAN: Virtual Operator LAN; extends VLAN capabilities across subnetworks
  - VLAN: Virtual LAN; implements user-group features; simulates a physical LAN on a multisegment LAN environment
[Diagram] PamLAN hierarchy: ISPs are mapped onto VOLAN1 and VOLAN2 inside the PamLAN; the VOLANs are built from vlan1, vlan2, vlan3 and vlan4.
Architecture (cont’d)
[Figure: PamLAN architecture diagram, not reproduced]
Architecture (cont’d)
- Switched Ethernet LAN
- Access points supporting IEEE 802.11, Bluetooth, cellular, ...
- IP-based access router with proxies
- Gateway routers
Architecture (cont’d)
- QoS is supported by the Ethernet switches: switched, full-duplex Ethernet, so there is no CSMA/CD contention
- Integration of Cellular IP and Mobile IP for supporting mobility
- MPLS (Multi-Protocol Label Switching) brings QoS across multiple LAN segments
Large Scale PamLAN
- For a single VLAN, QoS can be easily supported
- For large-scale WLANs?
  - Intermediate routers work at layer 3, so layer 2 information is lost
  - Source and destination addresses must be used for VOLAN membership
  - Intermediate routers must know all IP addresses for VLAN mapping
Large Scale PamLAN (cont’d)
- Solution: MPLS
  - Simple and efficient
  - Access points and Internet gateways handle VOLAN provisioning
  - Intermediate routers are shielded from the details
- VLAN for grouping traffic per VOLAN; MPLS for the whole PamLAN
MPLS (Multi-Protocol Label Switching)
- Tunnels traffic between gateways and access points
- Intermediate routers only examine MPLS labels, which impose the path
- Forwarding Equivalence Class (FEC): formed from VOLAN membership and QoS
- The FEC is encoded in the MPLS label and mapped to an 802.1p priority within the VLAN
MPLS (cont’d)
[Figure: MPLS label-switched paths across the PamLAN, not reproduced]
MPLS (cont’d)
- Traffic-engineered paths can be set up among access points and Internet gateways according to the service contracts between the PamLAN and the virtual operators
Protocol Stack
[Figure: protocol stack, not reproduced]
Security Issues
- Mutual authentication: both the user and the AP must be authenticated by the virtual operator's RADIUS server
- Secure channel establishment: public-key-based
- Authorization: filtering at the access point
Mutual Authentication
- IP-based authentication, 5 basic steps:
  1. The MN obtains an IP address through the AP (DHCP)
  2. MN login session
  3. The access point acts as relay agent to the virtual operator (the ISP's RADIUS server)
  4. Challenge-response protocol for authentication
  5. Public key for securing the channel
Mutual Authentication (cont’d)
Message flow as drawn on the slide, between the mobile node (MN), the access point acting as RADIUS client (AP) and the virtual operator's RADIUS server (RS). Notation: A(M,k) is an MD5-based authenticator over M under key k; E(x,k) is symmetric encryption of x under k; EP(x,Pk) is public-key encryption under Pk. Krc is the key shared by the AP and the RADIUS server; Kmu is the key shared by the MN and the RS; Pkmu is the MN's public key; s1 and s2 are random challenges; SK is the session key. Directions follow the column layout of the diagram.
1. MN -> AP: UID
2. AP -> RS: UID, A(UID, Krc)
3. RS -> AP: UID, s1, A((UID, s1, E(E(s1,Kmu),Krc)), Krc)
4. AP -> MN: UID, s1
5. MN -> AP: UID, s1, E(s1,Kmu), s2
6. AP -> RS: UID, s1, E(s1,Kmu), s2, A((UID, E(s1,Kmu), s2), Krc)
7. RS -> AP: A((UID, s1, E(E(s1,Kmu),Krc), Pkmu), Krc)
8. AP -> MN: UID, EP((E(s2,Kmu), SK), Pkmu)
Reading the diagram: the AP authenticates itself to the RS with Krc in steps 2 and 6; step 5 lets the RS check that the MN knows Kmu; step 8 lets the MN check that the network side knows Kmu (E(s2,Kmu)) and delivers the session key SK under the MN's public key, so only the holder of the matching private key can recover it.
Securing Channel
- After authentication the AP holds the user's profile (public key, QoS class, subscriber data, ...)
- The AP sends the session key encrypted under the corresponding public key
- IPsec with ESP can be used for security at the IP layer, depending on user requests
Authorization Control
- Based on user credentials, packets can be filtered at the access point:
  - The user may reach the Internet through the PamLAN
  - The user may use the local printer or other local services
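An added example (mine, not code from the paper or the NEC implementation) of the per-user, default-deny packet filter this authorization step places at the access point. It goes a little beyond the slide by also handling the pre-authentication case, since the MN gets its address by DHCP before it logs in. The addresses, ports, user names and profile fields are constructed for illustration.

```python
# Added example, not from the paper: a default-deny per-user packet filter of
# the kind the authorization step places at the access point. The addresses,
# ports, user names and profile fields are constructed for illustration.
import ipaddress

LOCAL_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed PamLAN segment
AP_ADDR = "10.20.0.1"                              # assumed AP address
LOGIN_PORT = 8443                                  # assumed login relay port
SERVICES = {"printer": ("10.20.1.50", {515, 631, 9100})}  # assumed local services

# Profiles the AP holds after RADIUS authentication (constructed sample):
# Internet entitlement and the local services the user may reach.
PROFILES = {
    "10.20.3.7": {"uid": "alice@vo1", "internet": True, "local": {"printer"}},
    "10.20.3.8": {"uid": "bob@vo2", "internet": True, "local": set()},
    "10.20.3.9": {"uid": "carol@vo2", "internet": False, "local": {"printer"}},
}


def allowed(src, dst, dport):
    """Decide one uplink packet (src IP, dst IP, dst port) at the AP."""
    prof = PROFILES.get(src)
    if prof is None:               # not yet authenticated: DHCP and login only
        return dport == 67 or (dst == AP_ADDR and dport == LOGIN_PORT)
    if ipaddress.ip_address(dst) not in LOCAL_NET:
        return prof["internet"]    # leaves the PamLAN through the gateway
    for name, (addr, ports) in SERVICES.items():
        if dst == addr and dport in ports:
            return name in prof["local"]
    return False                   # nothing else locally, including other MNs


def filter_records(lines):
    """Run the filter over constructed 'src dst dport' records."""
    verdicts = []
    for line in lines:
        src, dst, dport = line.split()
        verdicts.append((line, allowed(src, dst, int(dport))))
    return verdicts


SAMPLE = [                           # constructed traffic
    "10.20.3.7 203.0.113.5 443",     # alice to the Internet: allowed
    "10.20.3.7 10.20.1.50 9100",     # alice to the local printer: allowed
    "10.20.3.8 10.20.1.50 9100",     # bob has no printer entitlement: denied
    "10.20.3.9 203.0.113.5 80",      # carol: local services only: denied
    "10.20.3.8 10.20.3.7 22",        # bob probing alice: MN-to-MN denied
    "10.20.9.9 255.255.255.255 67",  # unauthenticated node doing DHCP: allowed
    "10.20.9.9 203.0.113.5 443",     # unauthenticated node to the Internet: denied
]

if __name__ == "__main__":
    for line, verdict in filter_records(SAMPLE):
        print("ALLOW" if verdict else "DENY ", line)
```

The point of the last two sample records is the order of the checks: an unauthenticated address is recognised before any entitlement lookup, so a node that has only obtained a DHCP lease cannot reach the Internet or the printer until the RADIUS round has pushed a profile to the AP.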
Accounting
- Three possible charging policies:
  - Flat-fee based: the PamLAN operator charges the ISP a fixed fee, and that ISP's users may then use the network without limit
  - Per-session: the ISP charges the user by connection time (how is idle time handled?)
  - Usage based (metered): disputes are avoided by digital signature
Mobility Issues
- Micromobility: roaming within the PamLAN
- Possible approaches:
  - Cellular IP: refreshing router contents can be a burden with too many users
  - MPLS based: only the end points have to update the location; the old and new access points and the Internet gateway need to be informed
Mobility Issues
- Fast handoff: re-authenticating an MN each time it moves to a new AP wastes time
- Instead, move the user profile from the old AP to the new AP
Fast handoff flow
1. The new AP fetches the user's profile from the old AP (public key, session key, IP, policies, ...).
2. The old AP signals RADIUS to stop accounting for the current session.
3. The new AP generates a new session key and sends the new S-key together with the old S-key to the user, encapsulated under the user's public key.
4. The user checks the session-key data, then communicates with the new AP using the new S-key.
5. The new AP obtains its IP-filter data from the old AP and at the same time signals RADIUS to start accounting.
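An added example, written for this page and not code from the paper or the NEC prototype, that simulates both the mutual-authentication message flow above and this fast-handoff flow with the three parties as Python objects. The paper does not name concrete primitives, so the stand-ins are mine: A(M,k) is HMAC-MD5 (the slide only says "MD5 based"), E(x,k) is a toy XOR stream cipher keyed through SHA-256, and EP(x,Pk) is textbook RSA over two fixed Mersenne primes wrapping a one-time key; none of these is meant for real use. The user ID, keys and AP names are constructed.

```python
# Added example, not code from the paper: a stdlib-only simulation of the
# mutual-authentication exchange (MN / AP as RADIUS client / RADIUS server)
# and of the fast-handoff profile transfer between two APs.
# Stand-ins chosen here, not specified by the paper:
#   A(M,k)   HMAC-MD5 (the slide only says "MD5 based")
#   E(x,k)   XOR with a SHA-256 keystream; self-inverse toy cipher
#   EP(x,P)  textbook RSA over fixed Mersenne primes wrapping a one-time key
import hashlib, hmac, secrets

def A(msg, key):
    return hmac.new(key, msg, hashlib.md5).digest()

def E(data, key):  # E(E(x, k), k) == x
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def rsa_keygen():  # toy size, for illustration only
    p, q = (1 << 31) - 1, (1 << 61) - 1  # Mersenne primes M31, M61
    n = p * q
    return (n, 65537), (n, pow(65537, -1, (p - 1) * (q - 1)))

def EP(data, pub):  # wrap an 88-bit one-time key with RSA, the body with E
    n, e = pub
    kek = secrets.token_bytes(11)
    return pow(int.from_bytes(kek, "big"), e, n), E(data, kek)

def DP(ct, priv):
    n, d = priv
    return E(ct[1], pow(ct[0], d, n).to_bytes(11, "big"))

class RadiusServer:  # virtual operator's RS: shares Krc with APs, Kmu with users
    def __init__(self, krc, users):  # users: uid -> (Kmu, Pkmu)
        self.krc, self.users, self.pending, self.billing = krc, users, {}, []
    def challenge(self, uid, tag):  # msg 2: UID, A(UID, Krc)
        if not hmac.compare_digest(tag, A(uid, self.krc)):
            raise PermissionError("AP is not a registered RADIUS client")
        self.pending[uid] = s1 = secrets.token_bytes(16)
        return s1  # msg 3: UID, s1
    def verify(self, uid, e_s1, s2, tag):  # msg 6: UID, E(s1,Kmu), s2 + MAC
        if not hmac.compare_digest(tag, A(uid + e_s1 + s2, self.krc)):
            raise PermissionError("bad AP authenticator")
        kmu, pkmu = self.users[uid]
        if not hmac.compare_digest(E(e_s1, kmu), self.pending.pop(uid)):
            raise PermissionError("MN failed the challenge")
        return E(s2, kmu), pkmu  # msg 7: RS proves knowledge of Kmu

class AccessPoint:  # relay agent / RADIUS client; never sees Kmu, keeps profiles
    def __init__(self, name, krc, rs):
        self.name, self.krc, self.rs, self.profiles = name, krc, rs, {}
    def login(self, uid):  # msg 1 in, msg 4 out
        return self.rs.challenge(uid, A(uid, self.krc))
    def respond(self, uid, e_s1, s2):  # msg 5 in, msg 8 out
        e_s2, pkmu = self.rs.verify(uid, e_s1, s2, A(uid + e_s1 + s2, self.krc))
        sk = secrets.token_bytes(16)
        self.profiles[uid] = {"pk": pkmu, "sk": sk}
        self.rs.billing.append(("start", uid, self.name))
        return EP(e_s2 + sk, pkmu)  # EP((E(s2,Kmu), SK), Pkmu)
    def handoff(self, uid, old_ap):  # fast handoff: no second RADIUS round
        prof = old_ap.profiles.pop(uid)  # profile moves old AP -> new AP
        self.rs.billing.append(("stop", uid, old_ap.name))
        new_sk = secrets.token_bytes(16)
        self.profiles[uid] = {"pk": prof["pk"], "sk": new_sk}
        self.rs.billing.append(("start", uid, self.name))
        return EP(new_sk + prof["sk"], prof["pk"])  # (S-key', S-key) under Pkmu

class MobileNode:
    def __init__(self, uid, kmu, priv):
        self.uid, self.kmu, self.priv, self.sk = uid, kmu, priv, None
    def authenticate(self, ap):
        s1 = ap.login(self.uid)
        s2 = secrets.token_bytes(16)
        body = DP(ap.respond(self.uid, E(s1, self.kmu), s2), self.priv)
        if not hmac.compare_digest(E(body[:16], self.kmu), s2):
            raise PermissionError("network failed the challenge")  # mutual part
        self.sk = body[16:]
        return self.sk
    def roam(self, new_ap, old_ap):
        body = DP(new_ap.handoff(self.uid, old_ap), self.priv)
        if not hmac.compare_digest(body[16:], self.sk):  # new AP held my old SK
            raise PermissionError("handoff did not carry my old session key")
        self.sk = body[:16]
        return self.sk

def demo():  # constructed run: authenticate at ap1, then roam to ap2
    krc, kmu, uid = b"ap-rs-shared-key", b"user-operator-key", b"alice@vo1"
    pub, priv = rsa_keygen()
    rs = RadiusServer(krc, {uid: (kmu, pub)})
    ap1, ap2 = AccessPoint("ap1", krc, rs), AccessPoint("ap2", krc, rs)
    mn = MobileNode(uid, kmu, priv)
    sk1 = mn.authenticate(ap1)
    ok1 = sk1 == ap1.profiles[uid]["sk"]
    sk2 = mn.roam(ap2, ap1)
    ok2 = sk2 == ap2.profiles[uid]["sk"] and sk2 != sk1 and uid not in ap1.profiles
    return ok1 and ok2, rs.billing
```

The checks that make the exchange mutual are the two `compare_digest` calls in `MobileNode`: after login the MN only accepts a session key if the payload also contains s2 encrypted under Kmu, which only the RS could have produced, and during handoff it only adopts the new S-key if the same payload carries the S-key it already holds, which only an AP that really received its profile could know. The accounting stop/start messages in `handoff` are what the slide describes; how idle time is billed is left open there and here.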
Experimental Implementation
- One 12-port switch; three PCs running Linux; two of the PCs fitted with 802.11b cards act as APs
- Test plan:
  1. Confirm that VLAN and DiffServ can be used on the switch
  2. Integrate the Cellular IP protocol on this network
  3. Implement basic AAA functions
Experimental Implementation
- Mobility: Cellular IP
- Linux kernel (AP): IP filter, IPsec
- Open-source RADIUS client (AP)
Further work
- MPLS-based mobility
- QoS admission control
Conclusion
- Extensible
- Multiple services
- Multiple air interfaces
- Open question: are all appliances capable of handling PKC operations?