67th IRTF MOBOPTS – 1

Media Independent Pre-Authentication and Implementation

(draft-ohba-mobopts-mpa-framework-03.txt)

(draft-ohba-mobopts-mpa-implementation-03.txt)Yoshihiro Ohba,

Ashutosh Dutta (Ed.),

Victor Fajardo,

Kenichi Taniuchi,

Rafa Lopez,

Henning Schulzrinne

Presented by: Ashutosh Dutta

67th IETF, San Diego

67th IRTF MOBOPTS – 2

Outline Motivation

Related Work

MPA Framework Overview

Optimization Features

Implementation Results – Intra-technology, Inter-domain– Inter-technology, Inter-domain– Bootstrapping Layer 2

Deployment Considerations

Conclusion & Future Work

67th IRTF MOBOPTS – 3

Motivation Secured seamless convergence requires that jitter, delay and

packet loss are limited for real-time applications without compromising the security– ITU G.114 defines 150 ms end-to-end delay and 3% packet loss

for VoIP

Handoff delays exist at several layers– Layer 2 (handoff between AP/BS), Layer 3 (IP address

acquisition and other configuration parameters), Binding Update, Authentication, Authorization

The challenge is even greater when moving between heterogeneous networks– Mutiple access characteristics (802.11, CDMA, 802.16, GSM)– Multiple AAA domains– Diverse QoS requirement – Different configuration mechanism (e.g., DHCP, PPP)– Different mobility requirement (802.11, GPRS, 802.16)

67th IRTF MOBOPTS – 4

Mobility Optimization - Related Work Cellular IP, HAWAII - Micro Mobility

MIP-Regional Registration, Mobile-IP low latency, IDMP

FMIPv6, HMIPv6 (IPv6)

Yokota et al - Link Layer Assisted handoff

Shin et al, Velayos et al - Layer 2 delay reduction

Gwon et al, - Tunneling between FAs, Enhanced Forwarding PAR SIP-Fast Handoff - Application layer mobility optimization

DHCP Rapid-Commit, Optimized DAD - Faster IP address acquisition

67th IRTF MOBOPTS – 5

Media-independent Pre-Authentication (MPA) MPA is a mobile-assisted higher-layer authentication, authorization and

handover scheme that is performed a-priori to establishing L2 connectivity to a network where mobile may move in near future

Primarily three phases1) Pre-authentication2) Pre-configuration3) Proactive Handover

MPA provides a secure and seamless mobility optimization that works for Inter-subnet handoff, Inter-domain handoff and Inter-technology handoff

MPA works with any mobility management protocol Works with any network discovery scheme (IEEE 802.21, 802.11u, CARD

etc.)

TimeConventional Method

AP DiscoveryAP

Switching

MPAPre-authentication

IP address configuration

& IP handover

Time

ClientAuthentication

Packet Loss Period

67th IRTF MOBOPTS – 6

Home Network HA

MPA Overview (Inter-domain, Intra-Tech)

CN: Correspondent NodeMN: Mobile NodeAA: Authentication AgentCA: Configuration AgentAR: Access RouterBA: Buffering Agent

AA CA

A(X)

2. DATA [CN<->A(Y)] over proactive handovertunnel [AR<->A(X)]

AR

L2 handoff procedure

Domain X Domain Y

CN

Data in new domain

1. DATA[CN<->A(X)]

MN-CA key

Preconfiguration

pre-authentication

MN-AR key

3. DATA[CN<->A(Y)]

Data in old domain

MN

A(Y)

BU

Proactive handovertunneling end

procedure

Tunneled Data

MN

BA

67th IRTF MOBOPTS – 7

MPA-assisted Seamless Handoff (a deploymentscenario)

AA CA

MN-CA keyAR

Network 3

AR

AA CA

MN-CA keyNetwork 2

INTERNETInformation

Server

Mobile

CurrentNetwork 1

AR

AP1 Coverage Area AP 2 & 3 Coverage Area

ARNetwork 4

CN

AP3AP2AP1 CTNTN

CTN – Candidate Target NetworksTN – Target Network

67th IRTF MOBOPTS – 8

Key Optimization Features for MPA Pre-authentication

– L3 , L2 layer pre-authentication

Pre-Configuration– Proactive IP Address Acquisition (Stateful, Stateless)– Proactive Duplicate IP Address Detection– Proactive Address Resolution

Proactive Mobility Binding Update

Security bootstrapping– Link Layer– IP Layer

Layer 2 optimization

Dynamic Buffering Scheme– Buffering and Copy-Forwarding

Tunnel Management

67th IRTF MOBOPTS – 9

Protocol Set for current MPA prototype

Mobility Management Protocol MIPv6 SIPM

Information Service Scheme (802.21) XML/RDF XML/RDF

Pre-authentication protocol PANA PANA

Pre-configuration protocol Stateless,PANA

DHCP Relay,PANA

Proactive handover tunneling protocol

IPsec IP-in-IP

Proactive handover tunnel management protocol

PANA PANA

Buffer Management Protocol PANA PANA

Link-layer security None None

67th IRTF MOBOPTS – 10

Comparison - Intra-Technology, Inter-domain Handover (Case- I)

Non-802.21 assisted SIP-based mobility

Handoff4 s

802.21 assisted SIP-based mobility – Optimized handoff

Non-802.21 assisted SIP-based mobility

Handoff4 s

802.21 assisted SIP-based mobility – Optimized handoff

Audio output comparison

B uffer ingE nabled

B uffe ringD is abled

B ufferingE nable d+ ROE nable d

B uffer ing Dis able d+ R O E nabled

B uff e ring E na b led+ ROD is abled

B uffer ing D is ab led+ RO D is ab led

Han do ffP aram eters

3 .0 0n /a3. 00n /a2 . 00 n /aAvg . Bu ff ered P acket s

2 0 .0 0n /a50 .0 0n /a5 0 .0 0n /aBu ffe ring perio d ( ms )

1 3 .0 0n /a50 .6 0n /a2 9 .3 3 n /aAvg . pac ket jitt er (m s)

2 9 .0 0n /a66 .6 0n /a4 5 .3 3n /aAvg . int er -pack et arr ival tim e d urin g han do ver ( ms)

1 6 .0 01 6 .0 016 .0 01 6. 001 6 .0 01 6 .0 0Avg . int er -pack et in terva l (m s)

01 .5 000 .6 60 1 .3 3Avg . pac ket loss

5 .0 04 .0 04. 004 .0 04 . 334 .0 0L2 h an do ff (m s)

M IP v6 S IP M o bili tyM o bilit y Typ e

Delay and packet loss statistic

67th IRTF MOBOPTS – 11

Inter Technology, Inter-domain Scenario 1: If multiple interfaces can be simultaneously used during

handover Scenario 2: If multiple interfaces cannot be simultaneously used during

handover, then it is not easy to support seamless handover from one interface to another

– This can happen when the old interface suddenly becomes unavailable (this can happen over Wi-Fi link)

CN

MN

Wi-Fi EV-DO

ApplicationTraffic

Handover Signaling

CN

MN

Wi-Fi EV-DO

During Handover (Packet loss incurred) After Handover

ApplicationTraffic

Sudden Link down

MN: Mobile NodeCN: Correspondent Node

Scenario 2: Multiple Interfaces cannot be used simultaneously

67th IRTF MOBOPTS – 12

MPA Framework - Inter-domain, Inter-Tech Demonstration Scenario

– Sudden Disconnection from WiFi Network The handover tunnel server is placed outside the EV-DO network,

instead of placing it at the access router of EV-DO MN: Linux PC CN: Linux PC or Windows CE cell-phone Handover tunnel server: Linux PC Wireless LAN: 802.11b Handover tunnel encapsulation method: IP-in-IP Handover tunnel management protocol: PANA Application: Skype

CN (Linux PC or WinCE cell-phone)

MN (Linux PC)

Wi-Fi(802.11b)

EV-DO

Handover Tunnel Server (Linux PC)

• Packet loss = 0• Handoff Delay = 50 – 60 ms• Duplicate Packets = 10

67th IRTF MOBOPTS – 13

Typical Roaming architecture

AADomain B

Home Domain

AA

Inter-subnet

Intra-subnet(intra-domain)

(IEEE 802.11i/r) Inter-subnet(inter-domain)

AAAv1 AAAv2

AAAH

AP1 AP2 AP3AP4

AR AR

Domain AAA

Domain B

Home Domain

AA

Inter-subnet

Intra-subnet(intra-domain)

(IEEE 802.11i/r) Inter-subnet(inter-domain)

AAAv1 AAAv2

AAAH

AP1 AP2 AP3AP4

AR AR

Domain A

67th IRTF MOBOPTS – 14

Layer 2 Pre-authentication and bootstrapping

nAR/PAA

AAAv

AAAhHome Domain

pAR165.254.55.116/24

165.254.55.115/24

155.54.204.82

10.1.30.1/24

10.1.30.3/2410.1.30.2/24

10.1.10.2/24

10.1.10.1/2410.1.20.2/2410.1.20.1/24

PaC

PSK PSK

AP0AP1AP2

Diameter

PANA pre-auth

Association&

4-way handshake

Subnet A Subnet B

nAR/PAA

AAAv

AAAhHome Domain

pAR165.254.55.116/24

165.254.55.115/24

155.54.204.82

10.1.30.1/24

10.1.30.3/2410.1.30.2/24

10.1.10.2/24

10.1.10.1/2410.1.20.2/2410.1.20.1/24

PaC

PSK PSK

AP0AP1AP2

Diameter

PANA pre-auth

Association&

4-way handshake

Subnet A Subnet B

67th IRTF MOBOPTS – 15

MPA L2 pre-authentication

TypesOf Authentication

IEEE 802.11i EAP/TLS Post Authentication

IEEE 802.11i Pre-authentication

Network LayerAssisted layer 2 pre-authentication

Operation NonRoaming

Roaming NonRoaming

Roaming NonRoaming

Roaming

Tauth 61 ms 599 ms 99 ms 638 ms 177 ms 831 ms

TConf

(2 AP)

-- -- -- -- 16 ms 17 ms

Tassoc+ 4 Way handshake

18 ms 17 ms 16 ms 17 ms 15 ms 17 ms

Total 79 ms 616 ms 115 ms 655 ms 208 ms 865 ms

Time affecting handover

79 ms 616 ms 16 ms 17 ms 15 ms 17 ms

67th IRTF MOBOPTS – 16

Deployment Considerations Authentication State Management

Pre-allocation of QoS resources

Scalability and Resource Allocation Failed Switchover during handover

– Ping-Pong Effect

Pre-authentication with multiple CTNs

Multicast Mobility

MPA for IMS Networks

Applicability to other Fast-handoff approaches– L3 and L2 pre-authentication– MPA’s stateful proactive configuration

67th IRTF MOBOPTS – 17

MPA and Multicast Mobility

Internet

Home Network

HA

MN

Visited Network 1

DHCP

MN

Multicast Tree

Visited Network 2

MN

MR1 MR2DHCP

Handover

New Multicast Tree

Source

Internet

Home Network

HA

MN

Visited Network 1

DHCP

MN

Multicast Tree

Visited Network 2

MN

MR1 MR2DHCP

Handover

New Multicast Tree

Source

• Communicates the group address during pre-authentication phase• Provides multicast stream proactively• Reduces JOIN latency• Applicable to Remote subscription-based and home subscription-based approach

Internet

Home Network

Visited Network

HA

FA (v4)

MN

MN

Multicast Group Tree

Bi-dire

ction

al

Tunne

ling

Source

Visited Network

FA (v4)

MN

MPA Tunnel

PAR NAR

Remote subscription-based approach Home subscription-based approach

PARNAR

AA

67th IRTF MOBOPTS – 18

P/I-CSCF PDSN

PCFPCF

P/I-CSCF

S/I-CSCF

HAInternet

PDSN

P/I-CSCF

AP

WiFi NetworkHome Network

PDIF/PDG

DHCP

DHCP DHCP

DHCP

AAA/HSS

AS SPE

Network 1 Network 2

Network 3

MPA for IMS/MMD Network

67th IRTF MOBOPTS – 19

MPA to pre-allocate end-to-end QoS Use MPA and NSIS to reserve the end-to-end QoS guarantee for

the new interface and the target network while using the old interface

Choose the target network based on the available end-to-end QoS

AA CA

MN-CA keyAR

Network 3

AR

AA CA

MN-CA keyNetwork 2

INTERNETInformation

Server

CurrentNetwork 1

AR

AP 2 & 3 Coverage Area

ARNetwork 4

CN

AP3AP2AP1 CTNCTN

CTN – Candidate Target Networks

Multi-InterfaceMobile

Existing ConnectionNew ConnectionNew Connection

AA CA

MN-CA key

AA CA

MN-CA keyAR

Network 3

ARAR

AA CA

MN-CA key

AA CA

MN-CA keyNetwork 2

INTERNETInformation

Server

CurrentNetwork 1

AR

AP 2 & 3 Coverage Area

ARNetwork 4

CN

AP3AP2AP1 CTNCTN

CTN – Candidate Target Networks

Multi-InterfaceMobile

Existing ConnectionNew ConnectionNew Connection

67th IRTF MOBOPTS – 20

Related Drafts

draft-ohba-mobopts-heterogeneous-requirement-01.txt draft-ohba-pana-preauth-00.txt draft-ohba-preauth-ps-00.txt draft-yacine-preauth-ipsec-01.txt

67th IRTF MOBOPTS – 21

Conclusions Future Work MPA attempts to address the issues of inter-

domain handover and heterogeneous handover

MPA framework in conjunction with network discovery provides an optimized handover solution independent of mobility management protocol

Current Implementation results of MPA– Inter-domain, Intra-tech– Inter-domain, Inter-tech– Layer 2 bootstrapping– MIPv6 and SIP-based mobility Protocols

Results of FMIPv6 without pre-authentication support and MPA exhibit comparable performance characteristics and is bound by layer 2 delay

MPA’s pre-authentication part has been adopted by HOKEY WG

Implement other functionalities of MPA

– Performance results with multiple pre-authentication in the neighboring networks

– Performance of MPA for IMS/MMD network

– Performance of MPA for Multicast Mobility

Experiment with MPA’s pre-authentication mechanism to augment FMIPv6