A Framework of Media-Independent Pre-authentication (MPA) for Inter-domain Handover optimization

Slides: 15
Provided by: ietf
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes


1
A Framework of Media-Independent
Pre-authentication (MPA) for Inter-domain
Handover optimization
  • draft-ohba-mobopts-mpa-framework-05.txt
  • Ashutosh Dutta
  • Victor Fajardo
  • Yoshihiro Ohba
  • Kenichi Taniuchi
  • Henning Schulzrinne

(See also draft-ohba-mobopts-mpa-implementation-04.txt
for performance results)
2
Media-independent Pre-Authentication (MPA)
  • MPA is a mobile-assisted higher-layer
    authentication, authorization and handover scheme
    that is performed before establishing L2
    connectivity to a network to which the mobile may
    move in the near future
  • MPA provides a secure and seamless mobility
    optimization that works for Inter-subnet handoff,
    Inter-domain handoff and Inter-technology handoff
  • MPA works with any mobility management protocol

[Figure: timelines for the Conventional Method and for MPA against Time. Labels: AP Discovery, AP Switching, Client Authentication, IP address configuration and IP handover, Pre-authentication, Packet Loss Period]
3
MPA Phases
  1. Pre-authentication: EAP pre-authentication to CTN
    (Candidate Target Network)
  2. Pre-configuration: Proactive IP address
    acquisition from CTN
  3. Pre-switching: L3 HO execution over MN-nAR tunnel
  4. Switching: L2 handover
  5. Post-switching: Tunnel deletion

Not all MPA phases have to be executed; phases can be
replaced with other mechanisms. MPA operation can
stop at phase 1 (pre-auth only) or at phase 2
(pre-auth and pre-authorization).
4
Proactive Handover Tunnel in pre-switching phase
[Figure: proactive handover tunnel. Labels: CN, AR, Serving Network, Target Network, MN]
5
Agreement in IETF68
  • Revise MPA framework draft to focus on
    inter-domain handover problem
  • Specific changes are explained in the next slides

6
Inter-domain Handover Section Added
  • Definition of an administrative domain (or a
    domain)
      • Networks that are managed by a single
        administrative entity
      • An administrative entity may be a service
        provider, an enterprise or any organization.
  • An inter-domain handover will by default be
    subjected to inter-subnet handover and in
    addition it may be subjected to either
    inter-technology or intra-technology handover.
  • An inter-domain handover will be subjected to all
    the transition steps a subnet handover goes
    through and in addition it will be subjected to
    the authentication and authorization process as well.
  • It is also likely that the type of mobility support
    in each administrative domain will be different.
    For example, administrative domain A may have
    MIPv6 support, while administrative domain B may
    use Proxy MIPv6.

7
Inter-domain Handover between CMIPv6 and PMIPv6
domains
[Figure: CMIPv6 domain and PMIPv6 domain. Labels: HA, LMA, PMA, AR, MPA, MN]
8
Detailed Issues Section split
  • MPA Operations (Section 7)
      • 7.1 Discovery
      • 7.2 Pre-authentication in multiple CTN
        environment
      • 7.3 Proactive IP address acquisition
      • 7.4 Address resolution
      • 7.5 Tunnel management
      • 7.6 Binding Update
      • 7.7 Preventing packet loss
      • 7.8 Link-layer security and mobility
      • 7.9 IP layer security and mobility
      • 7.10 Authentication in initial network
        attachment
  • MPA Deployment Issues (Section 8)
      • 8.1 Considerations for failed switching and
        switch-back
      • 8.2 Pre-allocation of QoS resources
      • 8.3 Resource allocation issue during
        pre-authentication
  • MPA Case Studies for Inter-Domain Handoff
    (Section 9)
      • 9.1 Homogeneous Mobility Protocol in each domain
        (MIPv6, SIP Mobility, MIPv4 FA-CoA, PMIPv6)

9
Applicability Statement Section moved to
earlier section (Section 4)
  • MPA is categorized as a proactive handover
    optimization mechanism. In other words, MPA is
    more applicable where an accurate prediction of
    movement can be easily made
  • Even if accurate prediction of movement is easily
    made, effectiveness of MPA may be relatively
    reduced if the network employs network-controlled
    localized mobility management in which the MN
    does not need to change its IP address while
    moving within the network.
  • Effectiveness of MPA may also be relatively
    reduced if signaling for network access
    authentication is already optimized for movements
    within the network, e.g., when simultaneous use
    of multiple interfaces during handover is allowed
  • In other words, MPA is the most viable solution for
    inter-administrative domain predictive handover
    without simultaneous use of multiple interfaces

10
Performance result MPA with L2sec bootstrapping
  • Use of MPA to bootstrap L2 security, e.g., IEEE
    802.11i, required for candidate networks, before
    handover
  • Handover performance between network-layer
    assisted pre-authentication and 802.11i
    pre-authentication is similar
  • Network-layer assisted pre-authentication works
    across multiple subnets/domains/media whereas
    802.11i pre-authentication works only within
    802.11 and in the same ESS.

| Type of authentication                 | 802.11i post-authentication | 802.11i post-authentication | 802.11i pre-authentication | 802.11i pre-authentication | Network-layer assisted pre-authentication | Network-layer assisted pre-authentication |
| Operation                              | Non-roaming                 | Roaming                     | Non-roaming                | Roaming                    | Non-roaming                               | Roaming                                   |
| Authentication and authorization delay | 61ms                        | 599ms                       | 99ms                       | 636ms                      | 177ms                                     | 831ms                                     |
| Configuration delay                    | N/A                         | N/A                         | N/A                        | N/A                        | 17ms                                      | 17ms                                      |
| Secure association                     | 18ms                        | 17ms                        | 16ms                       | 17ms                       | 17ms                                      | 17ms                                      |
| Total                                  | 79ms                        | 616ms                       | 115ms                      | 655ms                      | 211ms                                     | 865ms                                     |
| Handover Delay                         | 79ms                        | 616ms                       | 16ms                       | 17ms                       | 17ms                                      | 17ms                                      |
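
Added example (not part of the original slides or the draft): a small model of the table above that treats each scheme's proactive steps as off the handover critical path and checks the result against the printed "Handover Delay" and "Total" rows. The scheme keys, the PROACTIVE mapping and the reading of "18m"/"79m" as 18 ms/79 ms are assumptions of this example.

```python
from typing import NamedTuple, Optional

class Row(NamedTuple):
    scheme: str              # "post", "pre" (802.11i) or "mpa" (network-layer assisted)
    roaming: bool
    auth: int                # authentication and authorization delay, ms
    config: Optional[int]    # configuration delay, ms (None where the slide says N/A)
    assoc: int               # secure association, ms
    total: int               # "Total" row as printed
    handover: int            # "Handover Delay" row as printed

# Values transcribed from the slide's table ("18m"/"79m" read as 18 ms / 79 ms).
TABLE = [
    Row("post", False, 61, None, 18, 79, 79),
    Row("post", True, 599, None, 17, 616, 616),
    Row("pre", False, 99, None, 16, 115, 16),
    Row("pre", True, 636, None, 17, 655, 17),
    Row("mpa", False, 177, 17, 17, 211, 17),
    Row("mpa", True, 831, 17, 17, 865, 17),
]

# Modelling assumption: steps completed before the L2 switch, per scheme.
PROACTIVE = {"post": set(), "pre": {"auth"}, "mpa": {"auth", "config"}}

def steps(row):
    """Component delays of one table column, with N/A counted as 0 ms."""
    return {"auth": row.auth, "config": row.config or 0, "assoc": row.assoc}

def handover_delay(row):
    """Delay left on the critical path once proactive steps are excluded."""
    return sum(ms for name, ms in steps(row).items()
               if name not in PROACTIVE[row.scheme])

def handover_mismatches(table=TABLE):
    """Rows where the model disagrees with the printed Handover Delay."""
    return [r for r in table if handover_delay(r) != r.handover]

def total_mismatches(table=TABLE):
    """Rows whose printed Total differs from the sum of their components."""
    return [(r.scheme, r.roaming, sum(steps(r).values()), r.total)
            for r in table if sum(steps(r).values()) != r.total]

if __name__ == "__main__":
    for r in TABLE:
        kind = "roaming" if r.roaming else "non-roaming"
        print(f"{r.scheme:4} {kind:11} handover delay {handover_delay(r)} ms")
    print("handover mismatches:", handover_mismatches())
    print("total mismatches:", total_mismatches())
```

The model reproduces every printed Handover Delay value; the only inconsistency it reports is the roaming 802.11i pre-authentication Total, where the components sum to 653 ms against the printed 655 ms.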
11
Performance result MPA with multiple Mobility
Management Protocols
12
Summary
  • The MPA framework draft has been presented 5 times
    since IETF62
  • The draft has been revised to focus on
    inter-domain handover and it is in good shape
  • The draft is fully ready to be an RG draft

13
Thank You!
14
MPA for L2 Pre-auth bootstrapping Scenario