Title: Media Independent Pre-Authentication and Implementation (draft-ohba-mobopts-mpa-framework-03.txt) (draft-ohba-mobopts-mpa-implementation-03.txt)
1 Media Independent Pre-Authentication and Implementation (draft-ohba-mobopts-mpa-framework-03.txt, draft-ohba-mobopts-mpa-implementation-03.txt)
Yoshihiro Ohba, Ashutosh Dutta (Ed.), Victor Fajardo, Kenichi Taniuchi, Rafa Lopez, Henning Schulzrinne
Presented by Ashutosh Dutta, 67th IETF, San Diego
2 Outline
- Motivation
- Related Work
- MPA Framework Overview
- Optimization Features
- Implementation Results
  - Intra-technology, Inter-domain
  - Inter-technology, Inter-domain
  - Bootstrapping Layer 2
- Deployment Considerations
- Conclusion and Future Work
3 Motivation
- Secure seamless convergence requires that jitter, delay and packet loss are kept within bounds for real-time applications without compromising security
  - ITU-T G.114: 150 ms end-to-end delay and 3% packet loss as the limits for VoIP
- Handoff delays exist at several layers
  - Layer 2 (handoff between AP/BS), Layer 3 (IP address acquisition and other configuration parameters), Binding Update, Authentication, Authorization
- The challenge is even greater when moving between heterogeneous networks
  - Multiple access characteristics (802.11, CDMA, 802.16, GSM)
  - Multiple AAA domains
  - Diverse QoS requirements
  - Different configuration mechanisms (e.g., DHCP, PPP)
  - Different mobility requirements (802.11, GPRS, 802.16)
4 Mobility Optimization - Related Work
- Cellular IP, HAWAII - micro-mobility
- MIP Regional Registration, Mobile IP Low Latency Handoffs, IDMP
- FMIPv6, HMIPv6 (IPv6)
- Yokota et al. - link-layer-assisted handoff
- Shin et al., Velayos et al. - layer 2 delay reduction
- Gwon et al. - tunneling between FAs, Enhanced Forwarding PAR
- SIP fast handoff - application-layer mobility optimization
- DHCP Rapid Commit, Optimized DAD - faster IP address acquisition
5 Media-independent Pre-Authentication (MPA)
- MPA is a mobile-assisted higher-layer authentication, authorization and handover scheme that is performed a priori, before L2 connectivity is established to a network the mobile may move to in the near future
- Primarily three phases
  - Pre-authentication
  - Pre-configuration
  - Proactive handover
- MPA provides secure and seamless mobility optimization for inter-subnet, inter-domain and inter-technology handoff
- MPA works with any mobility management protocol
- Works with any network discovery scheme (IEEE 802.21, 802.11u, CARD, etc.)
[Figure: handover timeline. Conventional Method: AP Discovery, AP Switching, Client Authentication, IP address configuration, IP handover, with the Packet Loss Period spanning the steps after the switch. MPA: Pre-authentication completed before AP Switching, with a correspondingly shorter Packet Loss Period.]
6 MPA Overview (Inter-domain, Intra-Tech)
[Figure: MN attached in Domain X with address A(X), Domain Y as the target; AA, CA, AR and BA shown. Data flow in three steps:]
1. DATA CN<->A(X) (data in old domain)
2. DATA CN<->A(Y) over the proactive handover tunnel AR<->A(X)
3. DATA CN<->A(Y)
Legend: CN = Correspondent Node, MN = Mobile Node, AA = Authentication Agent, CA = Configuration Agent, AR = Access Router, BA = Buffering Agent; A(X), A(Y) = the MN's addresses in Domain X and Domain Y
7 MPA-assisted Seamless Handoff (a deployment scenario)
[Figure: MN in Current Network 1 (AP1 Coverage Area); Network 2, Network 3 and Network 4, each behind an AR, reachable over the INTERNET together with the CN and an Information Server; AP2 and AP3 share the AP 2/3 Coverage Area; among the neighboring networks, the CTN and the TN are marked.]
Legend: CTN = Candidate Target Networks, TN = Target Network
8 Key Optimization Features for MPA
- Pre-authentication
  - L3 and L2 pre-authentication
- Pre-configuration
  - Proactive IP address acquisition (stateful, stateless)
  - Proactive duplicate IP address detection
  - Proactive address resolution
  - Proactive mobility binding update
- Security bootstrapping
  - Link layer
  - IP layer
- Layer 2 optimization
- Dynamic buffering scheme
  - Buffering and copy-forwarding
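The three phases above, combined with the buffering agent of the overview figure (slide 6), as a small discrete-time model written for this page; it is an added illustration, not code from the MPA prototype or the drafts. One CN packet is sent per tick; every delay value, the copy-forwarding window and the buffering-agent policy in `Timing` are constructed assumptions chosen to make the mechanism visible, not measurements. The model also covers the sudden link-down case of slide 11 (scenario 2): if the link drops before pre-authentication and pre-configuration are done, nothing proactive is in place and the handover degrades to the reactive sequence.

```python
"""Toy discrete-time model of an MPA-style proactive handover versus a
conventional (reactive) handover.  Added illustration for this page; not
code from the MPA prototype or drafts.  One CN packet is sent per tick.
All delays and the buffering policy are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Timing:
    """Constructed delays in ticks (assumed values, not from the drafts)."""
    switch_at: int = 100    # tick at which the MN's link in network X goes down
    l2: int = 5             # AP/BS switching on the new link (association, 4-way handshake)
    auth: int = 20          # client authentication (EAP/AAA round trips)
    ipconf: int = 10        # IP address acquisition and DAD on the new link
    bu: int = 8             # mobility binding update towards the CN/HA
    tunnel_up: int = 60     # MPA: tick by which pre-auth, pre-config and the
                            # proactive handover tunnel AR<->A(X) are in place
    copy_window: int = 8    # MPA: BA keeps copies of packets sent this many
                            # ticks before the switch (copy-forwarding)


@dataclass
class HandoverResult:
    scheme: str
    lost: int               # packets never delivered to the MN
    duplicates: int         # packets delivered more than once
    handover_delay: int     # ticks from link-down to first packet on the new link
    delivered: List[int] = field(default_factory=list)  # sequence numbers, arrival order


def _summarise(scheme: str, delivered: List[int], total: int, delay: int) -> HandoverResult:
    unique = set(delivered)
    return HandoverResult(scheme, total - len(unique), len(delivered) - len(unique), delay, delivered)


def simulate_conventional(t: Timing, total: int) -> HandoverResult:
    """Reactive handover: nothing is done before the link drops, so the L2
    switch, authentication, IP configuration and binding update all sit on
    the handover path; packets addressed to A(X) in that window are lost."""
    blackout_end = t.switch_at + t.l2 + t.auth + t.ipconf + t.bu
    delivered = [seq for seq in range(total) if seq < t.switch_at or seq >= blackout_end]
    return _summarise("conventional", delivered, total, blackout_end - t.switch_at)


def simulate_mpa(t: Timing, total: int) -> HandoverResult:
    """MPA handover following the three steps of the overview figure:
    1. DATA CN<->A(X) while attached in X;
    2. after pre-authentication and pre-configuration, DATA CN<->A(Y) is
       delivered over the proactive handover tunnel AR<->A(X) while the MN
       is still in X, and the buffering agent (BA) keeps copies of recent packets;
    3. after the L2 switch, BA forwards what it buffered and DATA CN<->A(Y)
       arrives natively.  Only the L2 switch remains on the handover path."""
    if t.tunnel_up > t.switch_at:
        # Sudden link-down before pre-auth/pre-config finished (slide 11,
        # scenario 2): nothing proactive is in place, so the handover
        # degrades to the reactive sequence.  Modelling assumption.
        r = simulate_conventional(t, total)
        return _summarise("mpa (degraded to reactive)", r.delivered, total, r.handover_delay)
    native_from = t.switch_at + t.l2
    delivered: List[int] = []
    ba_buffer: List[int] = []
    for seq in range(total):
        if seq < t.tunnel_up:
            delivered.append(seq)                      # step 1: direct to A(X)
        elif seq < t.switch_at:
            delivered.append(seq)                      # step 2: to A(Y), tunnelled to A(X)
            if seq >= t.switch_at - t.copy_window:
                ba_buffer.append(seq)                  # BA keeps a copy
        elif seq < native_from:
            ba_buffer.append(seq)                      # L2 switch in progress: BA buffers
        else:
            delivered.extend(ba_buffer)                # BA flushes once MN is reachable on Y
            ba_buffer = []
            delivered.append(seq)                      # step 3: native delivery to A(Y)
    # Anything still buffered when the trace ends never reached the MN.
    return _summarise("mpa", delivered, total, t.l2)


if __name__ == "__main__":
    for result in (simulate_conventional(Timing(), 200), simulate_mpa(Timing(), 200)):
        print(f"{result.scheme:>12}: lost={result.lost} duplicates={result.duplicates} "
              f"handover_delay={result.handover_delay} ticks")
```

With the assumed values the reactive handover loses every packet sent during the 43-tick blackout, while the MPA path loses nothing and pays only the L2 switch on the handover path; the price of copy-forwarding is a handful of duplicates (one per tick of the copy window), the same trade-off the measured results on slide 12 show in the form of zero loss and some duplicate packets.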
9 Protocol Set for the current MPA prototype

Function                                      | MIPv6 prototype  | SIP mobility (SIPM) prototype
Mobility management protocol                  | MIPv6            | SIPM
Information service scheme (802.21)           | XML/RDF          | XML/RDF
Pre-authentication protocol                   | PANA             | PANA
Pre-configuration protocol                    | Stateless, PANA  | DHCP Relay, PANA
Proactive handover tunneling protocol         | IPsec            | IP-in-IP
Proactive handover tunnel management protocol | PANA             | PANA
Buffer management protocol                    | PANA             | PANA
Link-layer security                           | None             | None

Note: the IP-in-IP tunnel of the SIPM prototype carries the proactively forwarded traffic without confidentiality or integrity protection; only the MIPv6 prototype's IPsec tunnel protects the handover path, and neither prototype configures link-layer security.
10 Comparison - Intra-Technology, Inter-domain Handover (Case I)
[Figures: audio output comparison; delay and packet loss statistics (not reproduced in this text)]
11 Inter-Technology, Inter-domain
- Scenario 1: multiple interfaces can be used simultaneously during handover
- Scenario 2: multiple interfaces cannot be used simultaneously during handover; seamless handover from one interface to another is then not easy to support
  - This can happen when the old interface suddenly becomes unavailable (e.g., over a Wi-Fi link)
[Figure, Scenario 2 (multiple interfaces cannot be used simultaneously): left, during handover, the MN's Wi-Fi link to the CN goes down suddenly ("Sudden Link down") while handover signaling runs over EV-DO, and application traffic is lost; right, after handover, application traffic flows between CN and MN over EV-DO.]
MN = Mobile Node, CN = Correspondent Node
12 MPA Framework - Inter-domain, Inter-Tech
- Demonstration scenario
  - Sudden disconnection from the WiFi network
  - The handover tunnel server is placed outside the EV-DO network, instead of at the EV-DO access router
  - MN: Linux PC
  - CN: Linux PC or Windows CE cell phone
  - Handover tunnel server: Linux PC
  - Wireless LAN: 802.11b
  - Handover tunnel encapsulation method: IP-in-IP
  - Handover tunnel management protocol: PANA
  - Application: Skype
[Figure: MN (Linux PC) with Wi-Fi (802.11b) and EV-DO links to the Handover Tunnel Server (Linux PC) and the CN (Linux PC or WinCE cell-phone)]
- Results
  - Packet loss: 0
  - Handoff delay: 50-60 ms
  - Duplicate packets: 10
13 Typical Roaming Architecture
(figure not reproduced in this text)
14 Layer 2 Pre-authentication and Bootstrapping
(figure not reproduced in this text)
15 MPA L2 Pre-authentication
Measured times in ms per authentication type, non-roaming vs roaming:

Authentication type       | IEEE 802.11i EAP/TLS post-authentication | IEEE 802.11i pre-authentication | Network-layer-assisted L2 pre-authentication
Operation                 | Non-roaming | Roaming | Non-roaming | Roaming | Non-roaming | Roaming
Tauth                     | 61          | 599     | 99          | 638     | 177         | 831
Tconf (2 APs)             | --          | --      | --          | --      | 16          | 17
Tassoc (4-way handshake)  | 18          | 17      | 16          | 17      | 15          | 17
Total                     | 79          | 616     | 115         | 655     | 208         | 865
Time affecting handover   | 79          | 616     | 16          | 17      | 15          | 17

With post-authentication the whole authentication (Tauth) sits on the handover path; with either pre-authentication variant only the association and 4-way handshake (Tassoc) remain on it, because authentication is completed beforehand.
16 Deployment Considerations
- Authentication State Management
- Pre-allocation of QoS resources
- Scalability and Resource Allocation
- Failed Switchover during handover
- Ping-Pong Effect
- Pre-authentication with multiple CTNs
- Multicast Mobility
- MPA for IMS Networks
- Applicability to other Fast-handoff approaches
  - L3 and L2 pre-authentication
  - MPA's stateful proactive configuration
17 MPA and Multicast Mobility
- Communicates the group address during the pre-authentication phase
- Provides the multicast stream proactively
- Reduces JOIN latency
- Applicable to both the remote-subscription-based and the home-subscription-based approach
[Figure: PAR, NAR and AA shown for two panels, Home subscription-based approach and Remote subscription-based approach]
18 MPA for IMS/MMD Network
[Figure: Home Network with AAA/HSS, HA, S/I-CSCF, AS and SPE, connected over the Internet to three access networks (Network 1, Network 2, Network 3): one is a WiFi Network with AP and PDIF/PDG, the others have PDSN and PCF; each access network has a P/I-CSCF and DHCP.]
19 MPA to Pre-allocate End-to-end QoS
- Use MPA together with NSIS to reserve end-to-end QoS for the new interface and the target network while still using the old interface
- Choose the target network based on the available end-to-end QoS
20 Related Drafts
- draft-ohba-mobopts-heterogeneous-requirement-01.txt
- draft-ohba-pana-preauth-00.txt
- draft-ohba-preauth-ps-00.txt
- draft-yacine-preauth-ipsec-01.txt
21 Conclusions and Future Work
- MPA addresses the issues of inter-domain handover and heterogeneous handover
- The MPA framework in conjunction with network discovery provides an optimized handover solution independent of the mobility management protocol
- Current implementation results of MPA
  - Inter-domain, intra-tech
  - Inter-domain, inter-tech
  - Layer 2 bootstrapping
  - MIPv6- and SIP-based mobility protocols
- FMIPv6 without pre-authentication support and MPA exhibit comparable performance characteristics; both are bound by the layer 2 delay
- MPA's pre-authentication part has been adopted by the HOKEY WG
- Future work
  - Implement other functionalities of MPA
  - Performance results with multiple pre-authentications in the neighboring networks
  - Performance of MPA for IMS/MMD networks
  - Performance of MPA for multicast mobility
  - Experiment with MPA's pre-authentication mechanism to augment FMIPv6