Media Independent Pre-Authentication and Implementation (draft-ohba-mobopts-mpa-framework-03.txt) (draft-ohba-mobopts-mpa-implementation-03.txt) - PowerPoint PPT Presentation

Presentation metadata: Title: Presentation Template for Telcordia Technologies; Author: Ashutosh Dutta; Last modified by: rbunch; Created Date: 12/12/2002 5:06:05 PM; Slides: 22

1
Media Independent Pre-Authentication and Implementation (draft-ohba-mobopts-mpa-framework-03.txt) (draft-ohba-mobopts-mpa-implementation-03.txt)
Yoshihiro Ohba, Ashutosh Dutta (Ed.), Victor Fajardo, Kenichi Taniuchi, Rafa Lopez, Henning Schulzrinne
Presented by Ashutosh Dutta, 67th IETF, San Diego
2
Outline
  • Motivation
  • Related Work
  • MPA Framework Overview
  • Optimization Features
  • Implementation Results
    • Intra-technology, Inter-domain
    • Inter-technology, Inter-domain
    • Bootstrapping Layer 2
  • Deployment Considerations
  • Conclusion and Future Work

3
Motivation
  • Secured seamless convergence requires that jitter, delay and packet loss are limited for real-time applications without compromising security
  • ITU G.114 defines 150 ms end-to-end delay and 3% packet loss for VoIP
  • Handoff delays exist at several layers
    • Layer 2 (handoff between AP/BS), Layer 3 (IP address acquisition and other configuration parameters), Binding Update, Authentication, Authorization
  • The challenge is even greater when moving between heterogeneous networks
    • Multiple access characteristics (802.11, CDMA, 802.16, GSM)
    • Multiple AAA domains
    • Diverse QoS requirements
    • Different configuration mechanisms (e.g., DHCP, PPP)
    • Different mobility requirements (802.11, GPRS, 802.16)

4
Mobility Optimization - Related Work
  • Cellular IP, HAWAII - Micro Mobility
  • MIP-Regional Registration, Mobile-IP low latency, IDMP
  • FMIPv6, HMIPv6 (IPv6)
  • Yokota et al. - Link Layer Assisted handoff
  • Shin et al., Velayos et al. - Layer 2 delay reduction
  • Gwon et al. - Tunneling between FAs, Enhanced Forwarding PAR
  • SIP-Fast Handoff - Application layer mobility optimization
  • DHCP Rapid-Commit, Optimized DAD - Faster IP address acquisition

5
Media-independent Pre-Authentication (MPA)
  • MPA is a mobile-assisted, higher-layer authentication, authorization and handover scheme that is performed a priori, before L2 connectivity is established to a network the mobile may move to in the near future
  • Primarily three phases
    • Pre-authentication
    • Pre-configuration
    • Proactive handover
  • MPA provides a secure and seamless mobility optimization that works for inter-subnet, inter-domain and inter-technology handoff
  • MPA works with any mobility management protocol
  • Works with any network discovery scheme (IEEE 802.21, 802.11u, CARD, etc.)

[Figure: handover timeline. Conventional method, over time: AP Discovery, AP Switching, Client Authentication, IP address configuration, IP handover, with the packet loss period marked. MPA: Pre-authentication performed ahead of the switch, with a shorter packet loss period.]
6
MPA Overview (Inter-domain, Intra-Tech)
[Figure: MN moving from Domain X to Domain Y with CN, AA, CA, AR and BA shown. Data flow in the old domain: (1) DATA CN<->A(X); (2) DATA CN<->A(Y) over the proactive handover tunnel AR<->A(X); (3) DATA CN<->A(Y).]
Legend: CN Correspondent Node, MN Mobile Node, AA Authentication Agent, CA Configuration Agent, AR Access Router, BA Buffering Agent
7
MPA-assisted Seamless Handoff (a deployment scenario)
Legend: CTN Candidate Target Networks, TN Target Network
[Figure: deployment scenario with CN, Information Server and INTERNET; Current Network 1 (AP1, AP1 coverage area), Network 2 and Network 3 (AP2, AP3, AP 2/3 coverage area) marked as CTN/TN, Network 4, each with an AR.]
8
Key Optimization Features for MPA
  • Pre-authentication
    • L3, L2 layer pre-authentication
  • Pre-configuration
    • Proactive IP Address Acquisition (Stateful, Stateless)
    • Proactive Duplicate IP Address Detection
    • Proactive Address Resolution
    • Proactive Mobility Binding Update
  • Security bootstrapping
    • Link Layer
    • IP Layer
  • Layer 2 optimization
  • Dynamic Buffering Scheme
    • Buffering and Copy-Forwarding

9
Protocol Set for current MPA prototype
Protocol function                              MIPv6 prototype    SIPM prototype
Mobility Management Protocol                   MIPv6              SIPM
Information Service Scheme (802.21)            XML/RDF            XML/RDF
Pre-authentication protocol                    PANA               PANA
Pre-configuration protocol                     Stateless, PANA    DHCP Relay, PANA
Proactive handover tunneling protocol          IPsec              IP-in-IP
Proactive handover tunnel management protocol  PANA               PANA
Buffer Management Protocol                     PANA               PANA
Link-layer security                            None               None
10
Comparison - Intra-Technology, Inter-domain Handover (Case I)
[Figure: audio output comparison]
[Figure: delay and packet loss statistics]
11
Inter Technology, Inter-domain
  • Scenario 1: multiple interfaces can be used simultaneously during handover
  • Scenario 2: multiple interfaces cannot be used simultaneously during handover, so it is not easy to support seamless handover from one interface to another
    • This can happen when the old interface suddenly becomes unavailable (for example over a Wi-Fi link)

[Figure: Scenario 2, multiple interfaces cannot be used simultaneously. During handover (packet loss incurred): application traffic CN<->MN over Wi-Fi, sudden link down, handover signaling over EV-DO. After handover: application traffic CN<->MN over EV-DO. MN Mobile Node, CN Correspondent Node.]
12
MPA Framework - Inter-domain, Inter-Tech
  • Demonstration Scenario
    • Sudden disconnection from the WiFi network
    • The handover tunnel server is placed outside the EV-DO network, instead of at the access router of EV-DO
    • MN: Linux PC
    • CN: Linux PC or Windows CE cell-phone
    • Handover tunnel server: Linux PC
    • Wireless LAN: 802.11b
    • Handover tunnel encapsulation method: IP-in-IP
    • Handover tunnel management protocol: PANA
    • Application: Skype

[Figure: demonstration testbed with CN (Linux PC or WinCE cell-phone), Handover Tunnel Server (Linux PC), Wi-Fi (802.11b) and EV-DO access, MN (Linux PC).]
  • Packet loss: 0
  • Handoff delay: 50 to 60 ms
  • Duplicate packets: 10
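The timeline on slide 5 (conventional phases serialised after the switch versus pre-executing them with MPA), the buffering and copy-forwarding feature on slide 8, and the zero-loss / a-few-duplicates result on this slide all follow from one simple accounting model. The Python below is an added example written for this page, not code from the drafts or the prototype: the phase durations, the 20 ms packet stream, and the `copy_window` parameter are constructed assumptions, and the Buffering Agent is modelled only as "hold during the outage, flush on attach, copy-forward the last few packets".

```python
"""Toy handover model: conventional handover vs MPA (pre-authentication,
proactive configuration, proactive handover tunnel, buffering and
copy-forwarding). Added example; every number below is constructed and is
not a measurement reported in the slides."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase:
    name: str
    ms: int                # constructed duration in milliseconds
    pre_executable: bool   # True if MPA can finish it before the L2 switch


# Constructed handover phases, in the order of the conventional timeline.
PHASES = (
    Phase("AP discovery", 30, True),
    Phase("AP switching", 20, False),              # the L2 switch itself
    Phase("client authentication", 600, True),     # e.g. roaming EAP/TLS
    Phase("IP address configuration", 200, True),  # DHCP + DAD
    Phase("IP handover / binding update", 100, True),
)


def outage_ms(phases=PHASES, pre_authenticated=False):
    """Link outage seen by the application. Conventional handover serialises
    every phase after the switch; with MPA only the phases that cannot be
    pre-executed stay on the critical path."""
    return sum(p.ms for p in phases
               if not (pre_authenticated and p.pre_executable))


@dataclass
class Outcome:
    unique_delivered: int
    lost: int
    duplicates: int
    max_delay_ms: int


def run(send_times, switch_at, outage, mpa=False, copy_window=0):
    """Deliver a CN packet stream through a handover that starts at
    `switch_at` and leaves the MN unreachable for `outage` ms.

    Conventional: packets sent during the outage are lost.
    MPA: the Buffering Agent (BA) holds packets sent during the outage and
    flushes them when the MN attaches; in the `copy_window` ms before the
    switch it also copy-forwards each packet (once over the proactive
    handover tunnel, once natively after attach), so a sudden link-down
    costs a few duplicates instead of lost packets.
    """
    attach = switch_at + outage
    delivered = lost = dup = 0
    max_delay = 0
    for t in send_times:
        if t < switch_at:
            delivered += 1                       # normal delivery on old link
            if mpa and t >= switch_at - copy_window:
                dup += 1                         # second copy arrives after attach
        elif t < attach:
            if mpa:
                delivered += 1                   # held at BA, delivered on attach
                max_delay = max(max_delay, attach - t)
            else:
                lost += 1                        # MN unreachable, no buffering
        else:
            delivered += 1                       # direct delivery on new link
    return Outcome(delivered, lost, dup, max_delay)


def compare(interval_ms=20, duration_ms=2000, switch_at=1000, copy_window=100):
    """Run the same constructed 20 ms audio-like stream both ways."""
    sends = range(0, duration_ms, interval_ms)
    conv = run(sends, switch_at, outage_ms(PHASES, False))
    mpa = run(sends, switch_at, outage_ms(PHASES, True),
              mpa=True, copy_window=copy_window)
    return {"conventional": conv, "mpa": mpa}


if __name__ == "__main__":
    for name, o in compare().items():
        print(f"{name:13s} delivered={o.unique_delivered:3d} lost={o.lost:2d} "
              f"duplicates={o.duplicates:2d} max_delay={o.max_delay_ms} ms")
```

With the constructed phase set the conventional outage is 950 ms and 48 of 100 packets are lost, while the MPA run leaves only the 20 ms L2 switch on the critical path: nothing is lost, one packet is delayed 20 ms at the BA, and the 100 ms copy window produces 5 duplicates. The duplicate count is the price of protecting against a sudden link-down (Scenario 2 on slide 11), which is why a small non-zero duplicate figure, as reported on this slide, is expected rather than a defect.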
13
Typical Roaming architecture
14
Layer 2 Pre-authentication and bootstrapping
15
MPA L2 pre-authentication
Types of authentication          IEEE 802.11i EAP/TLS       IEEE 802.11i               Network layer assisted
                                 post-authentication        pre-authentication         layer 2 pre-authentication
Operation                        Non-roaming  Roaming       Non-roaming  Roaming       Non-roaming  Roaming
Tauth                            61 ms        599 ms        99 ms        638 ms        177 ms       831 ms
TConf (2 AP)                     --           --            --           --            16 ms        17 ms
Tassoc + 4-way handshake         18 ms        17 ms         16 ms        17 ms         15 ms        17 ms
Total                            79 ms        616 ms        115 ms       655 ms        208 ms       865 ms
Time affecting handover          79 ms        616 ms        16 ms        17 ms         15 ms        17 ms
16
Deployment Considerations
  • Authentication State Management
  • Pre-allocation of QoS resources
  • Scalability and Resource Allocation
  • Failed Switchover during handover
  • Ping-Pong Effect
  • Pre-authentication with multiple CTNs
  • Multicast Mobility
  • MPA for IMS Networks
  • Applicability to other Fast-handoff approaches
    • L3 and L2 pre-authentication
    • MPA's stateful proactive configuration

17
MPA and Multicast Mobility
  • Communicates the group address during the pre-authentication phase
  • Provides the multicast stream proactively
  • Reduces JOIN latency
  • Applicable to the remote subscription-based and home subscription-based approaches
[Figure: home subscription-based approach and remote subscription-based approach, with NAR, AA and PAR.]
18
MPA for IMS/MMD Network
[Figure: IMS/MMD network topology with Home Network (SPE, AS, AAA/HSS, HA, S/I-CSCF), Internet, WiFi Network (AP, DHCP, PDIF/PDG, P/I-CSCF), and Networks 1 to 3 (PDSN, PCF, DHCP, P/I-CSCF).]
19
MPA to pre-allocate end-to-end QoS
  • Use MPA and NSIS to reserve the end-to-end QoS
    guarantee for the new interface and the target
    network while using the old interface
  • Choose the target network based on the available
    end-to-end QoS

20
Related Drafts
  • draft-ohba-mobopts-heterogeneous-requirement-01.txt
  • draft-ohba-pana-preauth-00.txt
  • draft-ohba-preauth-ps-00.txt
  • draft-yacine-preauth-ipsec-01.txt

21
Conclusions and Future Work
  • MPA attempts to address the issues of inter-domain handover and heterogeneous handover
  • The MPA framework, in conjunction with network discovery, provides an optimized handover solution independent of the mobility management protocol
  • Current implementation results of MPA
    • Inter-domain, intra-tech
    • Inter-domain, inter-tech
    • Layer 2 bootstrapping
    • MIPv6 and SIP-based mobility protocols
  • Results of FMIPv6 without pre-authentication support and MPA exhibit comparable performance characteristics and are bound by layer 2 delay
  • MPA's pre-authentication part has been adopted by the HOKEY WG
  • Future work
    • Implement other functionalities of MPA
    • Performance results with multiple pre-authentications in the neighboring networks
    • Performance of MPA for IMS/MMD networks
    • Performance of MPA for Multicast Mobility
    • Experiment with MPA's pre-authentication mechanism to augment FMIPv6