Transcript PPT Version

A Framework of Media-Independent Pre-authentication (MPA) for Inter-domain Handover Optimization
draft-ohba-mobopts-mpa-framework-05.txt
Ashutosh Dutta
Victor Fajardo
Yoshihiro Ohba
Kenichi Taniuchi
Henning Schulzrinne
(See also draft-ohba-mobopts-mpa-implementation-04.txt for performance results)
Media-independent Pre-Authentication (MPA)
• MPA is a mobile-assisted higher-layer authentication, authorization and handover scheme that is performed before establishing L2 connectivity to a network to which the mobile may move in the near future
• MPA provides a secure and seamless mobility optimization that works for inter-subnet handoff, inter-domain handoff and inter-technology handoff
• MPA works with any mobility management protocol
Figure: handover timeline, conventional method vs. MPA. Conventional method: AP discovery, AP switching, client authentication, IP address configuration and IP handover follow one another along the time axis, and the packet loss period spans the steps after the switch. MPA: pre-authentication is completed before AP switching, and the packet loss period is marked separately.
MPA Phases
1. Pre-authentication: EAP pre-authentication to the CTN (Candidate Target Network)
2. Pre-configuration: proactive IP address acquisition from the CTN
3. Pre-switching: L3 HO execution over the MN-nAR tunnel
4. Switching: L2 handover
5. Post-switching: tunnel deletion
Not all MPA phases have to be executed; any of them can be replaced with other mechanisms.
MPA operation can stop at phase 1 (pre-auth only) or at phase 2 (pre-auth + pre-authorization).
Proactive Handover Tunnel in the pre-switching phase
Figure: the MN, still attached to the serving network, keeps a tunnel to the AR of the target network; the binding update (BU) toward the HA in the home network and the tunneled data exchanged with the CN are carried over this tunnel.
Agreement in IETF68
• Revise the MPA framework draft to focus on the inter-domain handover problem
• Specific changes are explained in the next slides
“Inter-domain Handover” Section Added
• Definition of an administrative domain (or a domain):
– Networks that are managed by a single administrative entity
– An administrative entity may be a service provider, an enterprise, or any other organization
• An inter-domain handover will by default be subject to inter-subnet handover, and in addition it may be subject to either inter-technology or intra-technology handover.
• An inter-domain handover will be subject to all the transition steps a subnet handover goes through, and in addition it will be subject to the authentication and authorization process as well.
• It is also likely that the type of mobility support in each administrative domain will be different. For example, administrative domain A may have MIPv6 support, while administrative domain B may use Proxy MIPv6.
Inter-domain Handover between CMIPv6 & PMIPv6 domains
Figure: a CMIPv6 domain (HA and ARs) next to a PMIPv6 domain (LMA and PMAs); the MN performs MPA toward the target domain before moving.
“Detailed Issues” Section split
• MPA Operations (Section 7)
– 7.1 Discovery
– 7.2 Pre-authentication in multiple CTN environment
– 7.3 Proactive IP address acquisition
– 7.4 Address resolution
– 7.5 Tunnel management
– 7.6 Binding Update
– 7.7 Preventing packet loss
– 7.8 Link-layer security and mobility
– 7.9 IP layer security and mobility
– 7.10 Authentication in initial network attachment
• MPA Deployment Issues (Section 8)
– 8.1 Considerations for failed switching and switch-back
– 8.2 Pre-allocation of QoS resources
– 8.3 Resource allocation issue during pre-authentication
• MPA Case Studies for Inter-Domain Handoff (Section 9)
– 9.1 Homogeneous Mobility Protocol in each domain (MIPv6, SIP Mobility, MIPv4 FA-CoA, PMIPv6)
• MPA for PMIPv6: http://www.ietf.org/internet-drafts/draft-taniuchi-netlmm-mpa-proxymipv6-00.txt
– 9.2 Diverse Mobility Protocol in each domain
– 9.3 Multicast mobility
– 9.4 Coexistence of MPA with other optimization techniques
“Applicability Statement” Section moved to an earlier section (Section 4)
• MPA is categorized as a proactive handover optimization mechanism. In other words, MPA is more applicable where an accurate prediction of movement can easily be made
• Even if an accurate prediction of movement is easily made, the effectiveness of MPA may be relatively reduced if the network employs network-controlled localized mobility management, in which the MN does not need to change its IP address while moving within the network.
• The effectiveness of MPA may also be relatively reduced if signaling for network access authentication is already optimized for movements within the network, e.g., when simultaneous use of multiple interfaces during handover is allowed
• In other words, MPA is the most viable solution for inter-administrative-domain predictive handover without simultaneous use of multiple interfaces
Performance result: MPA with L2sec bootstrapping
• Use of MPA to bootstrap the L2 security (e.g., IEEE 802.11i) required by candidate networks, before handover
• Handover performance of network-layer assisted pre-authentication and 802.11i pre-authentication is similar
• Network-layer assisted pre-authentication works across multiple subnets/domains/media, whereas 802.11i pre-authentication works only within 802.11 and within the same ESS.
Type of authentication                  802.11i post-authentication  802.11i pre-authentication   Network-layer assisted pre-authentication
Operation                               Nonroaming   Roaming         Nonroaming   Roaming         Nonroaming   Roaming
Authentication and authorization delay  61ms         599ms           99ms         636ms           177ms        831ms
Configuration delay                     N/A          N/A             N/A          N/A             17ms         17ms
Secure association                      18ms         17ms            16ms         17ms            17ms         17ms
Total                                   79ms         616ms           115ms        655ms           211ms        865ms
Handover delay                          79ms         616ms           16ms         17ms            17ms         17ms
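A way to see what the phase list and this table say about the critical path, as an added example that is neither the draft's nor the authors' implementation code: a timing model in which a step's delay counts toward handover delay only when the step still has to wait for the L2 switch. The mapping of MPA phases onto steps and the Step/HandoverTiming names are this model's assumptions; the delays are the non-roaming column above.

```python
# Added example (not code from the draft or its authors): a critical-path
# model of handover delay. Each step carries its measured delay and whether
# the scheme completes it proactively, i.e. toward the candidate target
# network before the L2 switch. Only steps that still wait for the switch
# add to the handover delay (the period the MN is unreachable); proactive
# steps count toward total signalling but not toward the packet loss period.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Step:
    name: str
    delay_ms: float
    proactive: bool = False

@dataclass
class HandoverTiming:
    steps: List[Step]

    def total_ms(self) -> float:
        """All signalling, proactive or not."""
        return sum(s.delay_ms for s in self.steps)

    def handover_delay_ms(self) -> float:
        """Critical path: only steps the MN can do after the L2 switch."""
        return sum(s.delay_ms for s in self.steps if not s.proactive)

def mpa_timing(auth_ms: float, config_ms: Optional[float], assoc_ms: float,
               stop_after_phase: int) -> HandoverTiming:
    """Step list for an MPA run that stops after the given phase.
    Phase 1 (pre-authentication) moves authentication/authorization before
    the switch; phase 2 (pre-configuration) also moves IP address
    acquisition. Secure association with the new AP always follows the
    switch. stop_after_phase=0 models conventional post-authentication.
    Which phase moves which step is this model's reading of the slides."""
    steps = [Step("authentication and authorization", auth_ms,
                  proactive=stop_after_phase >= 1)]
    if config_ms is not None:  # N/A in the table for the 802.11i-only runs
        steps.append(Step("IP address configuration", config_ms,
                          proactive=stop_after_phase >= 2))
    steps.append(Step("secure association", assoc_ms))
    return HandoverTiming(steps)

# Non-roaming column of the table above (802.11i rows measure no IP config)
POST_AUTH_80211I = mpa_timing(61, None, 18, stop_after_phase=0)
PRE_AUTH_80211I = mpa_timing(99, None, 16, stop_after_phase=1)
MPA_FULL = mpa_timing(177, 17, 17, stop_after_phase=2)
MPA_PHASE1_ONLY = mpa_timing(177, 17, 17, stop_after_phase=1)  # what-if
```

For the non-roaming column the model reproduces the Total and Handover delay rows; stopping MPA after phase 1 puts IP configuration back on the critical path, which the model reports as 17 + 17 = 34 ms.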
Performance result: MPA with multiple Mobility Management Protocols
Mobility type                                        MIPv6                                                  SIP Mobility
Handoff parameters                                   Buffering    Buffering    Buffering    Buffering       Buffering    Buffering
                                                     disabled,    enabled,     disabled,    enabled,        disabled     enabled
                                                     RO disabled  RO disabled  RO enabled   RO enabled
L2 handoff (ms)                                      4.00         4.33         4.00         4.00            4.00         5.00
Avg. packet loss                                     1.33         0            0.66         0               1.50         0
Avg. inter-packet interval (ms)                      16.00        16.00        16.00        16.00           16.00        16.00
Avg. inter-packet arrival time during handover (ms)  n/a          45.33        n/a          66.60           n/a          29.00
Avg. packet jitter (ms)                              n/a          29.33        n/a          50.60           n/a          13.00
Buffering period (ms)                                n/a          50.00        n/a          50.00           n/a          20.00
Avg. buffered packets                                n/a          2.00         n/a          3.00            n/a          3.00
Summary
• The MPA framework draft has been presented 5 times since IETF62
• The draft has been revised to focus on inter-domain handover and it is in good shape
• The draft is fully ready to be an RG draft
Thank You!
MPA for L2 Pre-auth & bootstrapping: Scenario