Transcript PPT Version
Media Independent Pre-Authentication and Implementation
(draft-ohba-mobopts-mpa-framework-03.txt)
(draft-ohba-mobopts-mpa-implementation-03.txt)
Yoshihiro Ohba,
Ashutosh Dutta (Ed.),
Victor Fajardo,
Kenichi Taniuchi,
Rafa Lopez,
Henning Schulzrinne
Presented by: Ashutosh Dutta
67th IETF, San Diego
67th IRTF MOBOPTS – 1
Outline
Motivation
Related Work
MPA Framework Overview
Optimization Features
Implementation Results
– Intra-technology, Inter-domain
– Inter-technology, Inter-domain
– Bootstrapping Layer 2
Deployment Considerations
Conclusion & Future Work
Motivation
Secure seamless convergence requires that jitter, delay and packet loss be limited for real-time applications without compromising security
– ITU G.114 defines 150 ms end-to-end delay and 3% packet loss for VoIP
Handoff delays exist at several layers
– Layer 2 (handoff between AP/BS), Layer 3 (IP address acquisition and other configuration parameters), Binding Update, Authentication, Authorization
The challenge is even greater when moving between heterogeneous networks
– Multiple access characteristics (802.11, CDMA, 802.16, GSM)
– Multiple AAA domains
– Diverse QoS requirements
– Different configuration mechanisms (e.g., DHCP, PPP)
– Different mobility requirements (802.11, GPRS, 802.16)
Mobility Optimization - Related Work
Cellular IP, HAWAII - Micro Mobility
MIP-Regional Registration, Mobile-IP low latency, IDMP
FMIPv6, HMIPv6 (IPv6)
Yokota et al - Link Layer Assisted handoff
Shin et al, Velayos et al - Layer 2 delay reduction
Gwon et al, - Tunneling between FAs, Enhanced Forwarding PAR
SIP-Fast Handoff - Application layer mobility optimization
DHCP Rapid-Commit, Optimized DAD - Faster IP address acquisition
Media-independent Pre-Authentication (MPA)
MPA is a mobile-assisted higher-layer authentication, authorization and handover scheme that is performed a priori, before L2 connectivity is established to a network the mobile may move to in the near future
Primarily three phases:
1) Pre-authentication
2) Pre-configuration
3) Proactive Handover
MPA provides a secure and seamless mobility optimization that works for
Inter-subnet handoff, Inter-domain handoff and Inter-technology handoff
MPA works with any mobility management protocol
Works with any network discovery scheme (IEEE 802.21, 802.11u, CARD etc.)
[Figure: handover timeline comparison. Conventional method: AP discovery, AP switching, authentication, client IP address configuration and IP handover all follow the switch, and the packet loss period spans them. MPA: pre-authentication is completed before AP switching, so the packet loss period shown is confined to the remaining steps.]
MPA Overview (Inter-domain, Intra-Tech)
[Figure: MN moves from Domain X to Domain Y; Home Network holds HA, CN is the peer. Data flows shown:
1. DATA[CN<->A(X)] – data in old domain
2. DATA[CN<->A(Y)] over proactive handover tunnel [AR<->A(X)] – tunneled data
3. DATA[CN<->A(Y)] – data in new domain
Also shown: pre-authentication (MN to AA), pre-configuration (MN-CA key), MN-AR key, BU to HA, BA in the target domain, the L2 handoff procedure and the proactive handover tunneling end procedure.]
CN: Correspondent Node
MN: Mobile Node
AA: Authentication Agent
CA: Configuration Agent
AR: Access Router
BA: Buffering Agent
MPA-assisted Seamless Handoff (a deployment scenario)
CTN – Candidate Target Networks
TN – Target Network
[Figure: Mobile in current Network 1 (AR, AP1, AP1 coverage area); Network 2 and Network 3 each have AR, AA, CA, with AP2 and AP3 (AP 2 & 3 coverage area) as the CTN/TN; Network 4 has an AR and an Information Server; CN reached over the INTERNET. MN-CA keys are established with the candidate networks ahead of the move.]
Key Optimization Features for MPA
Pre-authentication
– L3 and L2 pre-authentication
Pre-Configuration
– Proactive IP Address Acquisition (Stateful, Stateless)
– Proactive Duplicate IP Address Detection
– Proactive Address Resolution
Proactive Mobility Binding Update
Security bootstrapping
– Link Layer
– IP Layer
Layer 2 optimization
Dynamic Buffering Scheme
– Buffering and Copy-Forwarding
Tunnel Management
Protocol Set for current MPA prototype

                                               MIPv6 prototype     SIPM prototype
Mobility Management Protocol                   MIPv6               SIPM
Information Service Scheme (802.21)            XML/RDF             XML/RDF
Pre-authentication protocol                    PANA                PANA
Pre-configuration protocol                     Stateless, PANA     DHCP Relay, PANA
Proactive handover tunneling protocol          IPsec               IP-in-IP
Proactive handover tunnel management protocol  PANA                PANA
Buffer Management Protocol                     PANA                PANA
Link-layer security                            None                None
Comparison - Intra-Technology, Inter-domain Handover (Case I)

[Figure: audio output comparison over a 4 s window around the handoff: Non-802.21 assisted SIP-based mobility vs 802.21 assisted SIP-based mobility (optimized handoff).]

Delay and packet loss statistics (RO: MIPv6 route optimization)

Mobility type                         MIPv6                                                      SIP Mobility
Handoff parameters                    Buffering   Buffering   Buffering   Buffering   Buffering   Buffering
                                      disabled,   enabled,    disabled,   enabled,    disabled    enabled
                                      RO disabled RO disabled RO enabled  RO enabled
L2 handoff (ms)                       4.00        4.33        4.00        4.00        4.00        5.00
Avg. packet loss                      1.33        0           0.66        0           1.50        0
Avg. inter-packet interval (ms)       16.00       16.00       16.00       16.00       16.00       16.00
Avg. inter-packet arrival time
  during handover (ms)                n/a         45.33       n/a         66.60       n/a         29.00
Avg. packet jitter (ms)               n/a         29.33       n/a         50.60       n/a         13.00
Buffering period (ms)                 n/a         50.00       n/a         50.00       n/a         20.00
Avg. buffered packets                 n/a         2.00        n/a         3.00        n/a         3.00
Inter-Technology, Inter-domain
Scenario 1: Multiple interfaces can be used simultaneously during handover
Scenario 2: Multiple interfaces cannot be used simultaneously during handover; it is then not easy to support seamless handover from one interface to another
– This can happen when the old interface suddenly becomes unavailable (e.g., a Wi-Fi link going down)
[Figure: Scenario 2, multiple interfaces cannot be used simultaneously. During handover: application traffic between CN and MN over Wi-Fi stops on a sudden link down, handover signaling goes over EV-DO, and packet loss is incurred. After handover: application traffic flows between CN and MN over EV-DO.]
MN: Mobile Node
CN: Correspondent Node
MPA Framework - Inter-domain, Inter-Tech
Demonstration Scenario
– Sudden Disconnection from WiFi Network
The handover tunnel server is placed outside the EV-DO network,
instead of placing it at the access router of EV-DO
MN: Linux PC
CN: Linux PC or Windows CE cell-phone
Handover tunnel server: Linux PC
Wireless LAN: 802.11b
Handover tunnel encapsulation method: IP-in-IP
Handover tunnel management protocol: PANA
Application: Skype
[Figure: testbed with CN (Linux PC or WinCE cell-phone), Handover Tunnel Server (Linux PC) and MN (Linux PC) attached over Wi-Fi (802.11b) and EV-DO.]
Measured results:
• Packet loss = 0
• Handoff delay = 50 – 60 ms
• Duplicate packets = 10
Typical Roaming architecture
Layer 2 Pre-authentication and bootstrapping
MPA L2 pre-authentication

Type of authentication     IEEE 802.11i EAP/TLS        IEEE 802.11i                Network-layer-assisted
                           post-authentication         pre-authentication          layer 2 pre-authentication
Operation                  Non-roaming   Roaming       Non-roaming   Roaming       Non-roaming   Roaming
Tauth                      61 ms         599 ms        99 ms         638 ms        177 ms        831 ms
TConf                      --            --            --            --            16 ms         17 ms
Tassoc + 4-way handshake   18 ms         17 ms         16 ms         17 ms         15 ms         17 ms
Total                      79 ms         616 ms        115 ms        655 ms        208 ms        865 ms
Time affecting handover    79 ms         616 ms        16 ms         17 ms         15 ms         17 ms

(2 AP)
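The two tables above make one argument between them: pre-authentication takes Tauth (and, in the network-layer-assisted case, TConf) off the path that affects the handover, leaving only association plus the 4-way handshake, while the buffering agent in the Case I table trades the remaining packet loss for a burst of delayed packets (zero loss, higher jitter). The Python model below, added here as an illustration and not code from the MPA drafts or the authors' prototype, puts both effects on one timeline. The phase timings in PHASES, the 16 ms packet interval, the stream length and the base one-way delay are constructed inputs shaped like the tables, not measurements; the final check uses the ITU G.114 bounds (150 ms, 3% loss) quoted on the Motivation slide.

```python
"""Toy timeline model of MPA pre-authentication and buffering (added example,
not code from the MPA drafts or prototype).  All numbers are constructed."""
from dataclasses import dataclass

# Phases that still sit on the critical path after the MN switches APs.
# post_auth: authentication, IP configuration and association all happen
#            after the L2 switch (conventional 802.11i post-authentication).
# pre_auth:  EAP authentication and IP configuration were done proactively
#            over the old link, so only association + 4-way handshake remain.
CRITICAL_PATH = {
    "post_auth": ("t_auth", "t_conf", "t_assoc"),
    "pre_auth": ("t_assoc",),
}

# Constructed phase timings (ms), shaped like a roaming column of the L2 table.
PHASES = {"t_auth": 600.0, "t_conf": 16.0, "t_assoc": 17.0}

# ITU-T G.114 bounds for VoIP as quoted on the Motivation slide.
G114_MAX_DELAY_MS = 150.0
G114_MAX_LOSS_PCT = 3.0


def handover_outage_ms(phases, mode):
    """Time the MN is unreachable: sum only the phases not done proactively."""
    return float(sum(phases.get(p, 0.0) for p in CRITICAL_PATH[mode]))


@dataclass(frozen=True)
class StreamStats:
    sent: int
    lost: int
    buffered: int
    loss_pct: float
    max_gap_ms: float  # largest inter-arrival gap seen by the receiver


def simulate_stream(interval_ms, n_packets, outage_start_ms, outage_ms, buffering):
    """Constant-rate stream (16 ms packets like the slide's audio).  Packets sent
    while the MN is unreachable are dropped without a buffering agent (BA); with
    one, the BA holds them and forwards the batch as soon as the MN is back."""
    outage_end = outage_start_ms + outage_ms
    arrivals, lost, buffered = [], 0, 0
    for i in range(n_packets):
        t = i * interval_ms
        if outage_start_ms <= t < outage_end:
            if buffering:
                buffered += 1
                arrivals.append(outage_end)  # delivered in the copy-forward flush
            else:
                lost += 1
        else:
            arrivals.append(t)
    gaps = [b - a for a, b in zip(arrivals, arrivals[1:])]
    return StreamStats(n_packets, lost, buffered,
                       100.0 * lost / n_packets, max(gaps) if gaps else 0.0)


def meets_g114(stats, worst_delay_ms):
    """Loss and worst one-way delay both inside the G.114 envelope."""
    return stats.loss_pct <= G114_MAX_LOSS_PCT and worst_delay_ms <= G114_MAX_DELAY_MS


def compare(interval_ms=16.0, n_packets=250, outage_start_ms=1000.0, base_delay_ms=80.0):
    """Run all four combinations.  Buffered packets are delayed by the whole
    outage on top of the base one-way delay; that is the jitter cost of the BA."""
    results = {}
    for mode in CRITICAL_PATH:
        outage = handover_outage_ms(PHASES, mode)
        for buffering in (False, True):
            stats = simulate_stream(interval_ms, n_packets, outage_start_ms, outage, buffering)
            worst_delay = base_delay_ms + (outage if buffering else 0.0)
            results[(mode, buffering)] = (outage, stats, meets_g114(stats, worst_delay))
    return results


if __name__ == "__main__":
    for (mode, buffering), (outage, stats, ok) in compare().items():
        print(f"{mode:9s} buffering={buffering!s:5s} outage={outage:6.1f} ms "
              f"lost={stats.lost:3d} buffered={stats.buffered:3d} "
              f"max_gap={stats.max_gap_ms:6.1f} ms G.114={'ok' if ok else 'FAIL'}")
```

With these constructed inputs the post-authentication case fails G.114 either way (40 of 250 packets lost without the BA, or a 633 ms burst delay with it), while the pre-authentication case passes in both configurations with a single packet lost or buffered; that is the same shape as the "Time affecting handover" row, where only Tassoc plus the 4-way handshake remains once authentication and configuration are done ahead of the switch.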
Deployment Considerations
Authentication State Management
Pre-allocation of QoS resources
Scalability and Resource Allocation
Failed Switchover during handover
– Ping-Pong Effect
Pre-authentication with multiple CTNs
Multicast Mobility
MPA for IMS Networks
Applicability to other Fast-handoff approaches
– L3 and L2 pre-authentication
– MPA’s stateful proactive configuration
MPA and Multicast Mobility
• Communicates the group address during pre-authentication phase
• Provides multicast stream proactively
• Reduces JOIN latency
• Applicable to Remote subscription-based and home subscription-based
approach
[Figure: PAR, AA and NAR shown for the remote subscription-based approach and the home subscription-based approach.]
MPA for IMS/MMD Network
[Figure: Home Network with SPE, AS, DHCP, AAA/HSS, HA and S/I-CSCF reached over the Internet; Network 1 (WiFi, AP, P/I-CSCF, DHCP), Network 2 (PDIF/PDG, P/I-CSCF, PDSN, PCF, DHCP) and Network 3 (P/I-CSCF, PDSN, PCF, DHCP) as visited networks.]
MPA to pre-allocate end-to-end QoS
Use MPA and NSIS to reserve the end-to-end QoS guarantee for the new interface and the target network while still using the old interface
Choose the target network based on the available end-to-end QoS
Related Drafts
draft-ohba-mobopts-heterogeneous-requirement-01.txt
draft-ohba-pana-preauth-00.txt
draft-ohba-preauth-ps-00.txt
draft-yacine-preauth-ipsec-01.txt
Conclusions
MPA attempts to address the issues of inter-domain handover and heterogeneous handover
The MPA framework, in conjunction with network discovery, provides an optimized handover solution independent of the mobility management protocol
Current implementation results of MPA
– Inter-domain, Intra-tech
– Inter-domain, Inter-tech
– Layer 2 bootstrapping
– MIPv6 and SIP-based mobility protocols
Future Work
Implement other functionalities of MPA
– Performance results with multiple pre-authentications in the neighboring networks
– Performance of MPA for IMS/MMD network
– Performance of MPA for Multicast Mobility
Experiment with MPA’s pre-authentication mechanism to augment FMIPv6
Results of FMIPv6 without pre-authentication support and MPA exhibit comparable performance characteristics and are bound by layer 2 delay
MPA’s pre-authentication part has been adopted by the HOKEY WG