MOBOPTS Research Group A. Dutta
Internet-Draft Telcordia
Expires: August 14, 2005 Y. Ohba (Ed.)
K. Taniuchi
TARI
H. Schulzrinne
Columbia Univ.
February 13, 2005
A Framework of Media-Independent Pre-Authentication (MPA)
draft-ohba-mobopts-mpa-framework-00
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 14, 2005.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document describes a framework of Media-independent
Pre-Authentication (MPA), a new handover optimization mechanism that
has a potential to address issues on existing mobility management
Dutta, et al. Expires August 14, 2005 [Page 1]
Internet-Draft MPA Framework February 2005
protocols and mobility optimization mechanisms. MPA is a
mobile-assisted, secure handover optimization scheme that works over
any link-layer and with any mobility management protocol. This
document also shows an initial implementation of MPA in our testbed
and some performance results to show how existing protocols could be
leveraged to realize the functionalities of MPA.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Performance Requirements . . . . . . . . . . . . . . . . . 5
2. Existing Work Fast-handover . . . . . . . . . . . . . . . . . 7
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9
4. MPA Framework . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.2 Functional Elements . . . . . . . . . . . . . . . . . . . 12
4.3 Basic Communication Flow . . . . . . . . . . . . . . . . . 12
5. Detailed Issues . . . . . . . . . . . . . . . . . . . . . . . 17
5.1 Discovery . . . . . . . . . . . . . . . . . . . . . . . . 17
5.2 Proactive IP address acquisition . . . . . . . . . . . . . 18
5.2.1 PANA-assisted proactive IP address acquisition . . . . 19
5.2.2 IKEv2-assisted proactive IP address acquisition . . . 19
5.2.3 Proactive IP address acquisition using DHCP only . . . 19
5.3 Address resolution issues . . . . . . . . . . . . . . . . 20
5.3.1 Proactive duplicate address detection . . . . . . . . 20
5.3.2 Proactive address resolution update . . . . . . . . . 21
5.4 Tunnel management . . . . . . . . . . . . . . . . . . . . 22
5.5 Binding Update . . . . . . . . . . . . . . . . . . . . . . 23
5.6 Preventing packet loss . . . . . . . . . . . . . . . . . . 23
5.7 Link-layer security and mobility . . . . . . . . . . . . . 24
5.8 Authentication in initial network attachment . . . . . . . 25
6. Initial Implementation and Results . . . . . . . . . . . . . . 26
6.1 Network structure . . . . . . . . . . . . . . . . . . . . 26
6.2 MPA Scenario . . . . . . . . . . . . . . . . . . . . . . . 27
6.3 Non-MPA Scenario . . . . . . . . . . . . . . . . . . . . . 29
6.4 The evaluation and the results . . . . . . . . . . . . . . 31
6.5 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . 32
7. Security Considerations . . . . . . . . . . . . . . . . . . . 33
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 34
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 35
9.1 Normative References . . . . . . . . . . . . . . . . . . . . 35
9.2 Informative References . . . . . . . . . . . . . . . . . . . 36
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 38
Intellectual Property and Copyright Statements . . . . . . . . 39
Dutta, et al. Expires August 14, 2005 [Page 2]
Internet-Draft MPA Framework February 2005
1. Introduction
As wireless technologies including cellular and wireless LAN are
popularly used, supporting terminal handovers across different types
of access networks, such as from a wireless LAN to CDMA or to GPRS is
considered as a clear challenge. On the other hand, supporting
terminal handovers between access networks of the same type is still
more challenging, especially when the handovers are across IP subnets
or administrative domains. To address those challenges, it is
important to provide terminal mobility that is agnostic to link-layer
technologies in an optimized and secure fashion without incurring
unreasonable complexity. In this document we discuss terminal
mobility that provides seamless handovers with low-latency and
low-loss. Seamless handovers are characterized in terms of
performance requirements as described in Section 1.1.
The basic part of terminal mobility is accomplished by a mobility
management protocol that maintains a binding between a locator and an
identifier of a mobile terminal, where the binding is referred to as
the mobility binding. The locator of the mobile node may dynamically
change when there is a movement of the mobile terminal. The movement
that causes a change of the locator may occur not only physically but
also logically. A mobility management protocol may be defined at any
layer. In the rest of this document, the term "mobility management
protocol" refers to a mobility management protocol which operates at
network layer or higher.
There are several mobility management protocols at different layers.
Mobile IP [RFC3344] and Mobile IPv6 [RFC3775] are mobility management
protocols that operate at network-layer. There are several ongoing
activities in the IETF to define mobility management protocols at
layers higher than network layer. For example, MOBIKE (IKEv2
Mobility and Multihoming) [I-D.ietf-mobike-design] is an extension to
IKEv2 that provides the ability to deal with a change of an IP
address of an IKEv2 end-point. HIP (the Host Identity Protocol)
[I-D.ietf-hip-base] defines a new protocol layer between network
layer and transport layer to provide terminal mobility in a way that
is transparent to both network layer and transport layer. Also,
SIP-Mobility is an extension to SIP to maintain the mobility binding
of a SIP user agent [SIPMM].
While mobility management protocols maintain mobility bindings, using
them solely in their current form is not sufficient to provide
seamless handovers. An additional optimization mechanism that works
in the visited network of the mobile terminal to prevent loss of
outstanding packets transmitted while updating the mobility binding
is needed to achieve seamless handovers. Such a mechanism is
referred to as a mobility optimization mechanism. For example,
Dutta, et al. Expires August 14, 2005 [Page 3]
Internet-Draft MPA Framework February 2005
mobility optimization mechanisms
[I-D.ietf-mobileip-lowlatency-handoffs-v4] and
[I-D.ietf-mipshop-fast-mipv6] are defined for Mobile IPv4 and Mobile
IPv6, respectively, by allowing neighboring access routers to
communicate to carry information on mobile terminals. There are
protocols that are considered as "helpers" of mobility optimization
mechanisms. The CARD (Candidate Access Router Discovery Mechanism)
protocol [I-D.ietf-seamoby-card-protocol] is designed to discover
neighboring access routers. The CTP (Context Transfer Protocol)
[I-D.ietf-seamoby-ctp] is designed to carry state that is associated
with the services provided for the mobile terminal, or context, among
access routers.
There are several issues in existing mobility optimization
mechanisms. First, existing mobility optimization mechanisms are
tightly coupled with specific mobility management protocols. For
example, it is not possible to use mobility optimization mechanisms
designed for Mobile IPv4 or Mobile IPv6 for MOBIKE. What is strongly
desired is a single, unified mobility optimization mechanism that
works with any mobility management protocol. Second, there is no
existing mobility optimization mechanism that easily supports
handovers across administrative domains without assuming a
pre-established security association between administrative domains.
A mobility optimization mechanism should work across administrative
domains in a secure manner only based on a trust relationship between
a mobile node and each administrative domain. Third, a mobility
optimization mechanism needs to support not only multi-interface
terminals where multiple simultaneous connectivity through multiple
interfaces can be expected, but also single-interface terminals.
This document describes a framework of Media-independent
Pre-Authentication (MPA), a new handover optimization mechanism that
has a potential to address all those issues. MPA is a
mobile-assisted, secure handover optimization scheme that works over
any link-layer and with any mobility management protocol including
Mobile IPv4, Mobile IPv6, MOBIKE, HIP, SIP mobility, etc. In MPA,
the notion of IEEE 802.11i pre-authentication is extended to work at
higher layer, with additional mechanisms to perform early acquisition
of IP address from a network where the mobile terminal may move as
well as proactive handover to the network while the mobile terminal
is still attached to the current network. Since this document
focuses on the MPA framework, it is left to the future work to choose
actual set of protocols for MPA and define detailed operations.
Nevertheless, the document also shows an initial implementation of
MPA in our testbed and some performance results to show how existing
protocols could be leveraged to realize the functionalities of MPA.
Dutta, et al. Expires August 14, 2005 [Page 4]
Internet-Draft MPA Framework February 2005
1.1 Performance Requirements
In order to provide desirable quality of service for interactive VoIP
and streaming traffic, one needs to limit the value of end-to-end
delay, jitter and packet loss to a certain threshold level. ITU-T
and ITU-E standards define the acceptable values for these
parameters. For example for one-way delay, ITU-T G.114 recommends
150 ms as the upper limit for most of the applications, and 400 ms as
generally unacceptable delay. One way delay tolerance for video
conferencing is in the range of 200 to 300 ms. Also if an
out-of-order packet is received after a certain threshold it is
considered lost. References [RFC2679], [RFC2680] and 2681 [RFC2681]
describe some of the measurement techniques for delay and jitter.
Also if an out-of-order packet is received after a certain threshold
it is considered lost.
An end-to-end delay consists of several components, such as network
delay, OS delay, CODEC delay and application delay. Network delay
consists of transmission delay, propagation delay, queueing delay in
the intermediate routers. Operating System related delay consists of
scheduling behavior of the operating system in the sender and
receiver. CODEC delay is generally caused due to packetization and
depacketization at the sender and receiver end. Application delay is
mainly attributed to playout delay that helps compensate the delay
variation within a network. End-to-end delay and jitter values can
be adjusted using proper value of the playout buffer at the receiver
end. In case of interactive VoIP traffic end-to-end delay affects
the jitter value and is an important thing to consider. During a
mobile's frequent handover, transient traffic cannot reach the mobile
and this contributes to the jitter as well. If the end system has a
playout buffer, then this jitter is subsumed by the playout buffer
delay, but otherwise this adds to the delay for interactive traffic.
Packet loss is typically caused by congestion, routing instability,
link failure, lossy links such as wireless links. During a mobile's
handover a mobile is subjected to packet loss because of its change
in attachment to the network. Thus for both streaming traffic and
VoIP interactive traffic packet loss will contribute to the service
quality of the real-time application. Number of packets lost is
proportional to the delay during handover and rate of traffic the
mobile is receiving. Lost packets contribute to congestion in case
of TCP traffic because of re-transmission, but it does not add to any
congestion in case of streaming traffic that is RTP/UDP based. Thus
it is essential to reduce the packet loss and effect of handover
delay in any mobility management scheme. In Section 2, we describe
some of the fast-handover scheme that have tried to reduce the
handover.
According to ETSI TR 101 [ETSI] a normal voice conversation can
Dutta, et al. Expires August 14, 2005 [Page 5]
Internet-Draft MPA Framework February 2005
tolerate up to 2% packet loss. If a mobile is subjected to frequent
handoff during a conversation, each handoff will contribute to packet
loss for the period of handoff. Thus maximum loss during a
conversation needs to be reduced to a level that is acceptable.
There is no clear threshold value for packet loss for streaming
application, but it needs to be reduced as much as possible to
provide better quality of service to a specific application.
Dutta, et al. Expires August 14, 2005 [Page 6]
Internet-Draft MPA Framework February 2005
2. Existing Work Fast-handover
While basic mobility management protocols such as Mobile IP
[RFC3344], Mobile IPv6 [RFC3775], SIP-Mobility [SIPMM] offer solution
to provide continuity to TCP and RTP traffic, these are not optimized
to reduce the handover latency during mobile's frequent movement
between subnets and domains. In general these mobility management
protocols suffer from handover delays incurred at several layers such
as layer 2, layer 3 and application layer for updating the mobile's
mobility binding.
There have been several optimization techniques that apply to
currently mobility management schemes that try to reduce handover
delay and packet loss during a mobile's movement between cells,
subnet and domain. There are few micro-mobility management schemes
[CELLIP], [HAWAII], and intra-domain mobility management schemes such
as [IDMP], [I-D.ietf-mobileip-reg-tunnel] that provide fast-handover
by limiting the signaling updates within a domain. Fast Mobile IP
protocols for IPv4 and IPv6 networks
[I-D.ietf-mobileip-lowlatency-handoffs-v4],
[I-D.ietf-mipshop-fast-mipv6] provide fast-handover techniques that
utilize mobility information made available by the link layer
triggers. Yokota et al. [YOKOTA] proposes joint use of access point
and dedicated MAC bridge to provide fast-handover without altering
MIPv4 specification. [MACD] scheme reduces the delay due to MAC
layer handoff by providing a cache-based algorithm.
Some of the mobility management schemes use dual interfaces thus
providing make-before-break scenario [SUM]. In a make-before-break
situation communication usually continues with one interface, when
the secondary interface is in the process of getting connected. The
IEEE 802.21 working group is discussing these scenarios in details.
Providing fast-handover using a single interface needs more careful
design techniques than for a client with multiple interfaces.
[SIPFAST] provides an optimized handover scheme for SIP-based
mobility management, where the transient traffic is forwarded from
the old subnet to the new one by using an application layer
forwarding scheme. [MITH] provides a fast handover scheme for a
single interface case that uses mobile initiated tunneling between
the old foreign agent and new foreign agent. [MITH] defines two
types of handover schemes such as Pre-MIT and Post-MIT. Our MPA
scheme is very similar in nature to MITH's predictive scheme where
the mobile communicates with the foreign agent before actually moving
to the new network. However the proposed MPA scheme described in
this document is not limited to MIP type mobility protocol only and
in addition this scheme takes care of movement between domains and
performs pre-authentication in addition to proactive handover. Thus
the proposed scheme reduces the overall delay to close to link-layer
Dutta, et al. Expires August 14, 2005 [Page 7]
Internet-Draft MPA Framework February 2005
handover delay.
Dutta, et al. Expires August 14, 2005 [Page 8]
Internet-Draft MPA Framework February 2005
3. Terminology
Mobility Binding:
A binding between a locator and an identifier of a mobile
terminal.
Mobility Management Protocol (MMP):
A protocol that operates at network layer or higher to maintain a
binding between a locator and an identifier of a mobile terminal.
Binding Update:
A procedure to update a mobility binding.
Media-independent Pre-Authentication Mobile Node (MN):
A mobile terminal of media-independent pre-authentication (MPA)
which is a mobile-assisted, secure handover optimization scheme
that works over any link-layer and with any mobility management
protocol. An MPA mobile node is an IP node. In this document,
the term "mobile node" or "MN" without a modifier refers to "MPA
mobile node". An MPA mobile node usually has a functionality of a
mobile node of a mobility management protocol as well.
Candidate Target Network (CTN):
A network to which the mobile may move in the near future.
Target Network (TN):
The network to which the mobile has decided to move. The target
network is selected from one or more candidate target network.
Proactive Handover Tunnel (PHT):
A bidirectional IP tunnel that is established between the MPA
mobile node and an access router of the candidate target network.
In this document, the term "tunnel" without a modifier refers to
"proactive handover tunnel".
Point of Attachment (PoA):
A link-layer device (e.g., a switch, an access point or a base
station, etc.) that functions as a link-layer attachment point for
the MPA mobile node to a network.
Dutta, et al. Expires August 14, 2005 [Page 9]
Internet-Draft MPA Framework February 2005
Care-of Address (CoA):
An IP address used by a mobility management protocol as a locator
of the MPA mobile node.
Dutta, et al. Expires August 14, 2005 [Page 10]
Internet-Draft MPA Framework February 2005
4. MPA Framework
4.1 Overview
Media-independent Pre-Authentication (MPA) is a mobile-assisted,
secure handover optimization scheme that works over any link-layer
and with any mobility management protocol. With MPA, a mobile node
is not only able to securely obtain an IP address and other
configuration parameters from a candidate target network, but also
able to send and receive IP packets using the obtained IP address and
other configuration parameters, before it attaches to the candidate
target network when the candidate target network becomes the target
network. This makes it possible for the mobile node to complete the
binding update of any mobility management protocol and use the new
care-of address before performing a handover at link-layer.
This functionality is provided by allowing a mobile node, which has a
connectivity to the current network but is not yet attached to a
candidate target network, to (i) establish a security association
with the candidate target network to secure the subsequent protocol
executions, then (ii) securely execute a configuration protocol to
obtain an IP address and other configuration parameters from the
candidate target network as well as a tunnel management protocol to
establish a bidirectional tunnel between the mobile node and an
access router of the candidate target network, then (iii) send and
receive IP packets, including signaling messages for binding update
of a mobility management protocol and data packets transmitted after
completion of binding update, over the tunnel using the obtained IP
address as the tunnel inner address, and finally (iv) deleting or
disabling the tunnel immediately before attaching to the candidate
target network when it becomes the target network and then
re-assigning the inner address of the deleted or disabled tunnel to
its physical interface immediately after the mobile node is attached
to the target network through the interface. Instead of deleting or
disabling the tunnel before attaching to the the target network, the
tunnel may be deleted or disabled immediately after being attached to
the target network.
Especially, the third procedure makes it possible for the mobile to
complete higher-layer handover before starting link-layer handover.
This means that the mobile is able to send and receive data packets
transmitted after completion of binding update over the tunnel, while
it is still able to send and receive data packets transmitted before
completion of binding update outside the tunnel.
In the above four basic procedures of MPA, the first procedure is
referred to as "pre-authentication", the second procedure is referred
to as "pre-configuration", the combination of the third and fourth
Dutta, et al. Expires August 14, 2005 [Page 11]
Internet-Draft MPA Framework February 2005
procedures are referred to as "secure proactive handover". The
security association established through pre-authentication is
referred to as an "MPA-SA". The tunnel established through
pre-configuration is referred to as a "proactive handover tunnel".
4.2 Functional Elements
In the MPA framework, the following functional elements are expected
to reside in each candidate target network to communicate with a
mobile node: Authentication Agent (AA), Configuration Agent (CA) and
Access Router (AR). Some or all of those elements can be placed in a
single network device or in separate network devices.
An authentication agent is responsible for pre-authentication. An
authentication protocol is executed between the mobile node and the
authentication agent to establish an MPA-SA. The authentication
protocol MUST be able to derive a key between the mobile node and the
authentication agent and SHOULD be able to provide mutual
authentication. The authentication protocol SHOULD be able to
interact with a AAA protocol such as RADIUS and Diameter to carry
authentication credentials to an appropriate authentication server in
the AAA infrastructure. The derived key is used for further deriving
keys used for protecting message exchanges used for pre-configuration
and secure proactive handover. Other keys that are used for
bootstrapping link-layer and/or network-layer ciphers MAY also be
derived from the MPA-SA. A protocol that can carry EAP [RFC3748]
would be suitable as an authentication protocol for MPA.
A configuration agent is responsible for one part of
pre-configuration, namely securely executing a configuration protocol
to securely deliver an IP address and other configuration parameters
to the mobile node. The signaling messages of the configuration
protocol MUST be protected using a key derived from the key
corresponding to the MPA-SA.
An access router is a router that is responsible for the other part
of pre-configuration, i.e., securely executing a tunnel management
protocol to establish a proactive handover tunnel to the mobile node,
and secure proactive handover using the proactive handover tunnel.
The signaling messages of the configuration protocol MUST be
protected using a key derived from the key corresponding to the
MPA-SA. IP packets transmitted over the proactive handover tunnel
SHOULD be protected using a key derived from the key corresponding to
the MPA-SA.
4.3 Basic Communication Flow
Assume that the mobile node is already connected to a point of
Dutta, et al. Expires August 14, 2005 [Page 12]
Internet-Draft MPA Framework February 2005
attachment, say oPoA (old point of attachment), and assigned a
care-of address, say oCoA (old care-of address). The communication
flow of MPA is described as follows. Throughout the communication
flow, data packet loss should not occur except for the period during
the switching procedure in Step 5, and it is the responsibility of
link-layer handover to minimize packet loss during this period.
Step 1 (pre-authentication phase): The mobile node finds a candidate
target network through some discovery process and obtains the IP
addresses, an authentication agent, a configuration agent and an
access router in the candidate target network by some means. The
mobile node performs pre-authentication with the authentication
agent. If the pre-authentication is successful, an MPA-SA is created
between the mobile node and the authentication agent. Two keys are
derived from the MPA-SA, namely an MN-CA key and an MN-AR key, which
are used to protect subsequent signaling messages of a configuration
protocol and a tunnel management protocol, respectively. The MN-CA
key and the MN-AR key are then securely delivered to the
configuration agent and the access router, respectively.
Step 2 (pre-configuration phase): The mobile node realizes that its
point of attachment is likely to change from oPoA to a new one, say
nPoA (new point of attachment). It then performs pre-configuration,
with the configuration agent using the configuration protocol to
obtain an IP address, say nCoA (new care-of address), and other
configuration parameters from the candidate target network, and with
the access router using the tunnel management protocol to establish a
proactive handover tunnel. In the tunnel management protocol, the
mobile node registers oCoA and nCoA as the tunnel outer address and
the tunnel inner address, respectively. The signaling messages of
the pre-configuration protocol are protected using the MN-CA key and
the MN-AR key. When the configuration and the access router are
co-located in the same device, the two protocols may be integrated
into a single protocol like IKEv2. After completion of the tunnel
establishment, the mobile node is able to communicate using both oCoA
and nCoA by the end of Step 4.
Step 3 (secure proactive handover main phase): The mobile node
determines to switch to the new point of attachment by some means.
Before the mobile node switches to the new point of attachment, it
starts secure proactive handover by executing binding update of a
mobility management protocol and transmitting subsequent data traffic
over the tunnel (main phase).
Step 4 (secure proactive handover pre-switching phase): The mobile
node completes binding update and becomes ready to switch to the new
point of attachment point. The mobile may execute the tunnel
management protocol to delete or disable the proactive handover
Dutta, et al. Expires August 14, 2005 [Page 13]
Internet-Draft MPA Framework February 2005
tunnel and cache nCoA after deletion or disabling of the tunnel. The
decision as to when the mobile node is ready to switch to the new
point of attachment depends on handover policy.
Step 5 (switching): It is expected that a link-layer handover occurs
in this step.
Step 6 (secure proactive handover post-switching phase): The mobile
node executes the switching procedure. Upon successful completion of
the switching procedure, the mobile node immediately restores the
cached nCoA and assigns it to the physical interface attached to the
new point of attachment. If the proactive handover tunnel was not
deleted or disabled in Step 4, the tunnel is deleted or disabled as
well. After this, direct transmission of data packets using nCoA is
possible without using a proactive handover tunnel.
Dutta, et al. Expires August 14, 2005 [Page 14]
Internet-Draft MPA Framework February 2005
+-----------------------------------+
| Candidate Target Network |
| (Future Target Network) | IP address(es)
MN oPoA | nPoA AA CA AR | Available for
| | | | | | | | Use by MN
| | +-----------------------------------+
| | | | | | .
+---------------+ | | | | | .
|(1) Found a CTN| | | | | | .
+---------------+ | | | | | |
| Pre-authentication | | | |
| [authentication protocol] | | |
|<--------+------------->|MN-CA key| | |
| | | |-------->|MN-AR key| |
+--------------------+ | | |------------------>| |
|(2) Increased chance| | | | | | [oCoA]
|to switch to the CTN| | | | | | |
+--------------------+ | | | | | |
| | | | | | |
| Pre-configuration | | | |
| [configuration protocol to get nCoA] | |
|<--------+----------------------->| | |
| Pre-configuration | | | |
| [tunnel management protocol to establish PHT] V
|<--------+--------------------------------->|
| | | | | | ^
+-----------------+ | | | | | |
|(3) Determined to| | | | | | |
|switch to the CTN| | | | | | |
+-----------------+ | | | | | |
| | | | | | |
| Secure proactive handover main phase | |
| [execution of binding update of MMP and | |
| transmission of data packets through AR | [oCoA, nCoA]
| based on nCoA over the PHT] | | |
|<<=======+=================================>+--->... |
. . . . . . .
. . . . . . .
. . . . . . .
Figure 1: Basic Communication Flow (1/2)
Dutta, et al. Expires August 14, 2005 [Page 15]
Internet-Draft MPA Framework February 2005
| | | | | | |
+-----------------+ | | | | | |
|(4) Completion | | | | | | |
|of MMP BU and | | | | | | |
|ready to switch | | | | | | |
+-----------------+ | | | | | |
| Secure proactive handover pre-switching phase |
| [tunnel management protocol to delete PHT] V
|<--------+--------------------------------->|
+---------------+ | | | |
|(5)Switching | | | | |
+---------------+ | | | |
| | | | |
+---------------+ | | | |
|(6) Completion | | | | |
|of switching | | | | |
+---------------+ | | | |
o<- Secure proactive handover post-switching phase ^
| [Re-assignment of TIA to the physical I/F] |
| | | | | |
| Transmission of data packets through AR | [nCoA]
| based on nCoA| | | | |
|<---------------+---------------------------+-->... |
| | | | | .
Figure 2: Basic Communication Flow (2/2)
Dutta, et al. Expires August 14, 2005 [Page 16]
Internet-Draft MPA Framework February 2005
5. Detailed Issues
In order to provide an optimized handover for a mobile experiencing
rapid subnet and domain handover, one needs to look into several
issues. These issues include discovery of neighboring networking
elements, choosing the right network to connect to based on certain
policy, changing the layer 2 point of attachment, obtaining an IP
address from a DHCP or PPP server, confirming the uniqueness of the
IP address, pre-authenticating with the authentication agent such as
AAA server in a specific domain, sending the binding update to the
correspondent host and obtaining the redirected streaming traffic to
the new point of attachment. We describe these issues in details in
the following paragraphs and describe how we have optimized these in
case of MPA-based secure proactive handover.
5.1 Discovery
Discovery of neighboring networking elements such as access points,
access routers, authentication servers help expedite the handover
process during a mobile's rapid movement between networks. By
discovering the network neighborhood with a desired set of
coordinates, capabilities and parameters the mobile can perform many
of the operation such as pre-authentication, proactive IP address
acquisition, proactive address resolution, and binding update while
in the previous network.
There are several ways a mobile can discover the neighboring
networks. The Candidate Access Router Discovery protocol
[I-D.ietf-seamoby-card-protocol] helps discover the candidate access
routers in the neighboring networks. Given a certain network domain
SLP and DNS help provide address of the networking components for a
given set of services in the specific domain. In some cases many of
the network layer and upper layer parameters may be sent over
link-layer management frames such as beacons when the mobile
approaches the vicinity of the neighboring networks. IEEE 802.11u is
considering issues such as discovering neighborhood using information
contained in link-layer. However, if the link-layer management
frames are encrypted by some link-layer security mechanism, then the
mobile node may not able to obtain the requisite information before
establishing link-layer connectivity to the access point. In
addition this may add burden to the bandwidth constrained wireless
medium. In such cases a higher layer protocol is preferred to obtain
the information regarding the neighboring elements. There is some
proposal such as [NETDISC] that helps obtain these information about
the neighboring networks from a mobility server. When the mobile's
movement is imminent, it starts the discovery process by querying a
specific server and obtains the required parameters such as the IP
address of the access point, its characteristics, routers, SIP
Dutta, et al. Expires August 14, 2005 [Page 17]
Internet-Draft MPA Framework February 2005
servers or authentication servers of the neighboring networks. In
the event of multiple networks, it may obtain the required parameters
from more than one neighboring networks and keep these in cache. At
some point the mobile finds out several candidate target networks out
of many probable networks and starts the pre-authentication process
by communicating with the required entities in the candidate target
networks.
5.2 Proactive IP address acquisition
In general a mobility management protocol works in conjunction with
Foreign Agent or in co-located address mode. Our MPA approach can
use both co-located address mode and foreign agent address mode. We
discuss here the address assignment component that is used in
co-located address mode. There are several ways a mobile node can
obtain an IP address and configure itself. Most commonly a mobile
can configure itself statically in the absence of any configuring
element such as a server or router in the network. The IETF Zeroconf
working group defines auto-IP mechanism where a mobile is configured
in an ad-hoc manner and picks a unique address from a specified range
such as 169.254.x.x. In a LAN environment the mobile can obtain IP
address from DHCP servers. In case of IPv6 networks, a mobile has
the option of obtaining the IP address using stateless
auto-configuration as well. In a wide area networking environment,
mobile uses PPP to obtain the IP address by communicating with a NAS.
Each of these processes takes of the order of few hundred
milliseconds to few seconds depending upon the type of IP address
acquisition process and operating system of the clients and servers.
Since IP address acquisition is part of the handover process, it adds
to the handover delay and thus it is desirable to reduce this timing
as much as possible. There are few optimized techniques such as DHCP
Rapid Commit [I-D.ietf-dhc-rapid-commit-opt], GPS-coordinate based IP
address [GPSIP] available that attempt to reduce the handover time
due to IP address acquisition time. However in all these cases the
mobile also obtains the IP address after it moves to the new subnet
and incurs some delay because of the signaling handshake between the
mobile node and the DHCP server.
In the following paragraph we describe few ways a mobile node can
obtain the IP address proactively from the candidate target network
and the associated tunnel setup procedure. These can broadly be
defined into three categories such as PANA-assisted proactive IP
address acquisition, IKE-assisted proactive IP address acquisition
and proactive IP address acquisition using DHCP only.
Dutta, et al. Expires August 14, 2005 [Page 18]
Internet-Draft MPA Framework February 2005
5.2.1 PANA-assisted proactive IP address acquisition
In case of PANA-assisted proactive IP address acquisition, the mobile
node obtains an IP address proactively from a candidate target
network. The mobile node makes use of PANA messages to trigger the
address acquisition process on the DHCP relay agent that co-locates
with PANA authentication agent in the access router in the candidate
target network. Upon receiving a PANA message from the mobile node,
the DHCP relay agent performs normal DHCP message exchanges to obtain
the IP address from the DHCP server in the candidate target network.
This address is piggy-backed in a PANA message and delivered to the
client.
5.2.2 IKEv2-assisted proactive IP address acquisition
IKEv2-assisted proactive IP address acquisition works when an IPsec
gateway and a DHCP relay agent are resident within each access router
in the candidate target networks. In this case, the IPsec gateway
and DHCP relay agent in a candidate target network help the mobile
node acquire the IP address from the DHCP server in the candidate
target network. The MN-AR key established during the
pre-authentication phase is used as the IKEv2 pre-shared secret
needed to run IKEv2 between the mobile node and the access router.
The IP address from the candidate target network is obtained as part
of standard IKEv2 procedure, with using the co-located DHCP relay
agent for obtaining the IP address from the DHCP server in the target
network using standard DHCP. The obtained IP address is sent back to
the client in the IKEv2 Configuration Payload exchange. In this
case, IKEv2 is also used as the tunnel management protocol for a
proactive handover tunnel (see Section 5.4).
5.2.3 Proactive IP address acquisition using DHCP only
As another alternative, DHCP may be used for proactively obtaining an
IP address from a candidate target network without relying on PANA or
IKEv2-based approaches by allowing direct DHCP communication between
the mobile node and the DHCP relay or DHCP server in the candidate
target network. In this case, the mobile node sends a unicast DHCP
message to the DHCP relay agent or DHCP server in the candidate
target network requesting an address, with using the address
associated with the current physical interface as the source address
of the request.
When the message is sent to the DHCP relay agent, the DHCP relay
agent relays the DHCP messages back and forth between the mobile node
and the DHCP server. In the absence of a DHCP relay agent the mobile
can also directly communicate with the DHCP server in the target
network. The broadcast option in client's unicast DISCOVER message
Dutta, et al. Expires August 14, 2005 [Page 19]
Internet-Draft MPA Framework February 2005
should be set to 0 so that the relay agent or the DHCP server can
send back the reply directly to the mobile using the mobile node's
source address.
In order to prevent malicious nodes from obtaining an IP address from
the DHCP server, DHCP authentication should be used or the access
router should install a filter to block unicast DHCP message sent to
the remote DHCP server from mobile nodes that are not
pre-authenticated. When DHCP authentication is used, the DHCP
authentication key may be derived from the MPA-SA established between
the mobile node and the authentication agent in the candidate target
network.
The proactively obtained IP address is not assigned to the mobile
node's physical interface until the mobile has not moved to the new
network. The IP address thus obtained proactively from the target
network should not be assigned to the physical interface but rather
to a virtual interface of the client. Thus such a proactively
acquired IP address via direct DHCP communication between the mobile
node and the DHCP relay or the DHCP server in the candidate target
network may be carried with additional information that is used to
distinguish it from other address assigned to the physical interface.
Upon the mobile's entry to the new network, the mobile node can
perform DHCP over the physical interface to the new network to get
other configuration parameters such as SIP server, DNS server, etc.,
by using e.g., DHCP INFORM. This should not affect the ongoing
communication between the mobile and correspondent host. Also, the
mobile node can perform DHCP over the physical interface to the new
network to extend the lease of the address that was proactively
obtained before entering the new network.
In order to maintain the DHCP binding for the mobile node and keep
track of the dispensed IP address before and after the secure
proactive handover, the same DHCP client identifier needs to be used
for the mobile node for both DHCP for proactive IP address
acquisition and DHCP performed after the mobile node enters the
target network. The DHCP client identifier may be the MAC address of
the mobile node or some other identifier.
5.3 Address resolution issues
5.3.1 Proactive duplicate address detection
When the DHCP server dispenses an IP address, it updates its lease
table, so that this same address is not given to another client for
that specific period of time. At the same time the client also keeps
a lease table locally so that it can renew when needed. In some
Dutta, et al. Expires August 14, 2005 [Page 20]
Internet-Draft MPA Framework February 2005
cases where a network consists of both DHCP and non-DHCP enabled
clients, there is a probability that another client with the LAN may
have been configured with an IP address from the DHCP address pool.
In such scenario the server does a duplicate address detection based
on ARP (Address Resolution Protocol) or IPv6 Neighbor Discovery
before assigning the IP address. This detection procedure may take
up to 4 sec to 15 sec [MAGUIRE] and will thus contribute to a larger
handover delay. In case of proactive IP address acquisition process,
this detection is performed ahead of time and thus does not affect
the handover delay at all. By performing the duplicate address
detection ahead of time, we reduce the handover delay factor.
5.3.2 Proactive address resolution update
During the process of pre-configuration, the address resolution
mappings needed by the mobile node to communicate with nodes in the
target network after attaching to the target network can also be
known, where the nodes may be the access router, authentication
agent, configuration agent and correspondent node. There are several
possible ways of performing such proactive address resolution.
o Use an information service mechanism [NETDISC] to resolve the MAC
addresses of the nodes. This might require each node in the
target network to involve in the information service so that the
server of the information service can construct the database of
proactive address resolution.
o Extend the authentication protocol used for pre-authentication or
the configuration protocol used for pre-configuration to support
proactive address resolution. For example, if PANA is used as the
authentication protocol for pre-authentication, PANA messages may
carry AVPs used for proactive address resolution. In this case,
the PANA authentication agent in the target network may perform
address resolution for on behalf of the mobile node.
o One can also make use of DNS to map the MAC address of the
specific interface associated with a specific IP address of the
network element in the target network. One may define a new DNS
resource record (RR) to proactively resolve the MAC addresses of
the nodes in the target network. But this approach may have its
own limitations since a MAC address is a resource that is bound to
an IP address, not directly to a domain name.
When the mobile node attaches to the target network, it installs the
proactively obtained address resolution mappings without necessarily
performing address resolution query for the nodes in the target
network.
Dutta, et al. Expires August 14, 2005 [Page 21]
Internet-Draft MPA Framework February 2005
On the other hand, the nodes that reside in the target network and
are communicating with the mobile node should also update their
address resolution mappings for the mobile node as soon as the mobile
node attaches to the target network. The above proactive address
resolution methods could also be used for those nodes to proactively
resolve the MAC address of the mobile node before the mobile node
attaches to the target network. However, this is not useful since
the those nodes need to detect the attachment of the mobile node to
the target network before adopting the proactively resolved address
resolution mapping. A better approach would be integration of
attachment detection and address resolution mapping update. This is
based on gratuitously performing address resolution [RFC3344],
[RFC3775] in which the mobile node sends an ARP Request or an ARP
Reply in the case of IPv4 or a Neighbor Advertisement in the case of
IPv6 immediately after the mobile node attaches to the new network so
that the nodes in the target network can quickly update the address
resolution mapping for the mobile node.
5.4 Tunnel management
After an IP address is proactively acquired from the DHCP server in a
candidate target network, a proactive handover tunnel is established
between the mobile node and the access router in the candidate target
network. The mobile node uses the acquired IP address as the tunnel
inner address and most likely it assigns the address to a virtual
interface.
The proactive handover tunnel is established using a tunnel
management protocol. When IKEv2 is used for proactive IP address
acquisition, IKEv2 is also used as the tunnel management protocol.
Alternatively, when PANA is used for proactive IP address
acquisition, PANA may be used as the secure tunnel management
protocol.
Once the proactive handover tunnel is established between the mobile
node and the access router in the candidate target network, the
access router also needs to perform proxy address resolution on
behalf of the mobile node so that it can capture any packets destined
to the mobile node's new address.
Since mobile needs to be able to communicate with the correspondent
node while in the previous network some or all part of binding update
and data from the correspondent node to mobile node need to be sent
back to the mobile node over a proactive handover tunnel. When SIP
Mobility is used for the mobility management protocol, the new
address as the contact address is reported to the correspondent node
using SIP Re-INVITE. Once the correspondent node's SIP user agent
obtains the new contact address it sends the OK to the new contact
Dutta, et al. Expires August 14, 2005 [Page 22]
Internet-Draft MPA Framework February 2005
address which actually belongs to the target network. The access
router in the target network picks up the OK signal as it was
directed to the new contact address and tunnels it to the mobile in
its previous network. Final ACK message is received from the mobile
to the correspondent node. Data from the mobile to the correspondent
node may not need to be tunneled in the absence of ingress filtering.
After completion of the SIP Re-INVITE signaling handshake, the data
from the correspondent node is sent to mobile via the proactive
handover tunnel.
In order for the traffic to be directed to the mobile node after the
mobile node attaches to the target network, the proactive handover
tunnel needs to be deleted or disabled. The tunnel management
protocol used for establishing the tunnel is used for this purpose.
Alternatively, when PANA is used as the authentication protocol the
tunnel deletion or disabling at the access router can be triggered by
means of PANA update mechanism as soon as the mobile moves to the
target network. A link-layer trigger ensures that the mobile node is
indeed connected to the target network and can also be used as the
trigger to delete or disable the tunnel.
5.5 Binding Update
There are several kinds of binding update mechanisms for different
mobility management schemes. In some cases such as Mobile IPv4
without RO binding update is sent to home agent only, binding update
is sent both to the home agent and corresponding host in case of
Mobile IPv6. In case of SIP-based terminal mobility the mobile sends
binding update using Re-INVITE to the correspondent node and REGISTER
message to the Registrar. Based on the distance between the mobile
and the correspondent node the binding update may contribute to the
handover delay. SIP-fast handover [SIPFAST] provides several ways of
reducing the handover delay due to binding update. In case of secure
proactive handover using SIP-based mobility management we rule out
the delay due to binding update completely, as it takes place in the
previous network. Thus this scheme looks more attractive when the
correspondent node is too far from the communicating mobile node.
5.6 Preventing packet loss
In MPA case we did not observe any packet loss due to IP address
acquisition, secured authentication and binding update. However,
there may be some transient packets during link-layer handover and
until the traffic to be directed to the mobile node after attaching
to the target network. Those transient packets can be lost.
Bicasting or buffering the transient packets at the access router can
be used to minimize or eliminate packet loss. However, bicasting
does not eliminate packet loss if link-layer handover is not
Dutta, et al. Expires August 14, 2005 [Page 23]
Internet-Draft MPA Framework February 2005
seamlessly performed. On the other hand, buffering does not reduce
packet delay. While packet delay can be compensated by playout
buffer at the receiver side for streaming application, playout buffer
does not help much for interactive VoIP application which cannot
tolerate for large delay jitters. Thus it is still important to
optimize the link-layer handover anyway.
5.7 Link-layer security and mobility
Using the MPA-SA established between the mobile node and the
authentication agent in a candidate target network, during the
pre-authentication phase, it is possible to bootstrap link-layer
security in the candidate target network while the mobile node is in
the current network in the following way.
(1) The authentication agent in the candidate target network and the
mobile node derives a PMK (Pair-wise Master Key)
[I-D.ietf-eap-keying] using the MPA-SA that is established as a
result of successful pre-authentication. Executions of EAP and an
AAA protocol may be involved during pre-authentication to establish
the MPA-SA. From the PMK, distinct TSKs (Transient Session Keys)
[I-D.ietf-eap-keying] for the mobile node are directly or indirectly
derived for each point of attachment of the candidate target network.
(2) The authentication agent may install the keys derived from the
PMK and used for secure association to points of attachment. The
derived keys may be TSKs or intermediary keys from which TSKs are
derived.
(3) After the mobile node chooses the candidate target network as the
target network and switches to a point of attachment in the target
network (which now becomes the new network for the mobile node), it
executes a secure association protocol such as IEEE 802.11i 4-way
handshake [802.11i] using the PMK in order to establish PTKs
(Pair-wise Transient Keys) and GTKs (Group Transient Keys)
[I-D.ietf-eap-keying] used for protecting link-layer packets between
the mobile node and the point of attachment. No additional execution
of EAP authentication is needed here.
(4) While the mobile node is roaming in the new network, the mobile
node only needs to perform a secure association protocol with its
point of attachment point and no additional execution of EAP
authentication is needed either. Integration of MPA with link-layer
handover optimization mechanisms such as 802.11r can be archived this
way.
The mobile node may need to know the link-layer identities of the
point of attachments in the candidate target network to derive TSKs.
Dutta, et al. Expires August 14, 2005 [Page 24]
Internet-Draft MPA Framework February 2005
If PANA is used as the authentication protocol for
pre-authentication, this is possible by carrying Device-Id AVPs in
the PANA-Bind-Request message sent from the PAA [I-D.ietf-pana-pana],
with each AVP containing the BSSID of a distinct access point.
_________________ ____________________________
| Current Network | | CTN |
| ____ | | ____ |
| | | (1) pre-authentication | | |
| | MN |<------------------------------->| AA | |
| |____| | | |____| |
| . | | | |
| . | | | |
|____.____________| | | |
.movement | |(2) Keys |
____.___________________| | |
| _v__ _____ | |
| | |(3) secure assoc. | | | |
| | MN |<------------------>| AP1 |<-------+ |
| |____| |_____| | |
| . | |
| .movement | |
| . | |
| . | |
| _v__ _____ | |
| | |(4) secure assoc. | | | |
| | MN |<------------------>| AP2 |<-------+ |
| |____| |_____| |
|_____________________________________________________|
Figure 3: Bootstrapping Link-layer Security
5.8 Authentication in initial network attachment
When the mobile node initially attaches to a network, network access
authentication would occur regardless of the use of MPA. The
protocol used for network access authentication when MPA is used for
handover optimization can be a link-layer network access
authentication protocol such as IEEE 802.1X or a higher-layer network
access authentication protocol such as PANA.
Dutta, et al. Expires August 14, 2005 [Page 25]
Internet-Draft MPA Framework February 2005
6. Initial Implementation and Results
We describe a specific scenario where we evaluate both MPA and
non-MPA based approaches. This section describes details of one of
the specific implementation for MPA and non-MPA. In addition to
implementation details, this section also provides the evaluation
results of optimized hand-off with MPA and compares it with
non-MPA-based handover.
6.1 Network structure
The experiment network structure is shown in Figure 4.
Network 1 Network 2 Network 3
(oPoA) (nPoA)
+--------+ +------------+
|Router 1|---------|Router 2(RA)|---------+
+---+----+ |PAA(AA) | |
| |DHCP Relay | |
| +--------+ |Agent (CA) | | +------------+
|-|DHCP | +------------+ | |CN |
| |Server 1| | +------------+ |-|SIP-M Client|
| +--------+ |-|DHCP | | +------------+
| | |Server 2 |
| | +------------+ |
| | |
| +-----+ | +-----+ |
|-|AP 1 | |-|AP 2 | |
+-----+ +-----+
: :
: :
+------------+ +------------+
|MN |---->|MN |
|SIP-M Client| |SIP-M Client|
|PaC | |PaC |
+------------+ +------------+
Figure 4: Network Structure
There are three networks defined in the implementation environment.
Network 1 is old point of attachment (oPoA), Network 2 is new point
of attachment (nPoA), and network 3 is where the correspondent node
(CN) resides. The mobile is initially in Network 1 and starts
communicating with the correspondent node. Network 1, network 2, and
network 3 do not need to be adjacent. In the implementation scenario
however, network 1, network 2 and network 3 are one hop away. In the
event of mobile's movement, a specific Mobility Management Protocol
(MMP) can take care of continuity of streaming traffic set up by the
Dutta, et al. Expires August 14, 2005 [Page 26]
Internet-Draft MPA Framework February 2005
peer-to-peer application.
Network 1 consists of DHCP Server 1, access point (AP) 1 and Access
Router 1. Network 2 consists a DHCP Server 2, AP 2 and Access Router
2. AP 1 and AP 2 are 802.11 wireless LAN access points. Router 2
also works as a PANA Authentication Agent (PAA) [I-D.ietf-pana-pana]
and a DHCP Relay Agent [RFC3046] for Network 2, but they can be
separated. DHCP relay-agent also acts like a Configuration Agent
(CA) that helps obtain the IP address for the mobile proactively from
the neighboring target network. Network 3 consists of a
Correspondent Node (CN) that communicates with the mobile node in
Network 1. Both the correspondent node and mobile node are equipped
with mobility enabled SIP client. Mobile SIP client is also equipped
with PANA Client (PaC). In this specific case SIP proxies are not
involved to set up the initial communication between the
correspondent node and mobile node. Mobile Node (MN) uses 802.11
wireless LAN as the access method and can communicate via AP 1 before
it moves to Network 2 where it communicates via AP 2. In this
specific case, the Mobility Management Protocol (MMP) is SIP Mobility
(SIP-M), configuration protocol is DHCP, authentication agent (AA) is
PAA, configuration agent (CA) is DHCP Relay Agent and Access Router
(AR) is Router 2 that can provide IP-in-IP tunneling [RFC1853]
management functions. The MN is also equipped with IP-in-IP
tunneling management function. Thus the mobile has the ability to
set up a tunnel interface and detunnel the packets sent over the
tunnel between the router 2 and the mobile. In this specific case,
we have used IPv4, although one can as well use mobility management
for IPv6 such as MIPv6 or SIP mobility over IPv6.
6.2 MPA Scenario
The communication flow for MPA in our implementation environment is
described below and in Figure 5
Step 0: As the MN bootstraps it associates with AP 1 and obtains the
IP address old Care of Address (oCoA) from the DHCP Server 1 in
network 1. The MN's SIP user agent communicates with CN's SIP user
agent. After a successful connection setup between the mobile and
correspondent node, a voice traffic flows between the MN and the CN.
This voice traffic is carried over RTP/UDP. We have used RAT (Robust
Audio Tool) as the media agent.
In Step 1 (pre-authentication phase), there are some triggers to Step
1 such as AP 1's link level going down because of MN's movement. MN
prepares to start the handover process and obtains the information
about the required elements of the target network from an information
server. Then the MN performs pre-authentication with PAA and derives
the MN-CA key and MN-AR key from the MPA-SA if the pre-authentication
Dutta, et al. Expires August 14, 2005 [Page 27]
Internet-Draft MPA Framework February 2005
is successful.
In Step 2 (pre-configuration phase), the MN performs
pre-configuration by communicating with DHCP Proxy to obtain IP
address and so forth. DHCP proxy and Authentication Agent (AA) are
co-located in this case. This IP address is the new Care of Address
(nCoA) the mobile would have obtained after moving to the new
network. DHCP Proxy gets the IP address from DHCP Server 2. The new
IP address of the mobile is relayed back to the mobile as part of its
pre-authentication process. After the MN gets the new IP address
(nCoA), an IP-in-IP tunnel is created between Router 2 and the
mobile.
At this point the behavior of the MN and Router 2 is basically
followed by [RFC1853] and the signals are cryptographically protected
by using the MN-CA key.
In Step 3 (secure proactive handover main phase), once the mobile is
configured with the new IP address (nCoA) on its virtual interface
and a tunnel is set up between the mobile and R2, the MN sends SIP
Re-invite with nCoA as its contact address to the CN. All the SIP
Re-invite signaling are carried over the tunnel and so as the new RTP
stream. Thus mobile receives the traffic in the old network even if
the CN sends traffic to nCoA.
Steps 4, 5 and 6 (secure proactive handover pre-switching phase,
switching and secure proactive handover post-switching phase): As the
mobile detects the new point of attachment and makes a decision to
switch over to the new network it associates with AP 2. At this
point the mobile configures itself by assigning the nCoA to its
physical interface and updates the default router from the local
cache that is stored during the pre-configuration phase in network 1.
The MN sends a PANA-Update-Request message to the access router R2.
This update message deletes the tunnel on the router R2 and deletes
the tunnel locally on the mobile. Mobile's ARP entry with nCoA is
also updated in the router R2 during the secure proactive handover
thus reducing the delay due to ARP process that usually happens when
a new node comes to a network.
Dutta, et al. Expires August 14, 2005 [Page 28]
Internet-Draft MPA Framework February 2005
Router 2 (RA)
PAA (AA)
DHCP DHCP Relay DHCP
MN AP1 Server 1 AP2 Agent Server 2 CN
|L2 Association| | | | | |
|<- - - - - - >| | | | | |
| oCoA assignment | | | | |
|<------------------->| | | | |
| SIP and voice communication start | | |
|<----------------------------------------------------------->|
| Step 1 Pre authentication with PAA | | |
|<-------------------------------------->| | |
| Step 2 Pre configuration with DHCP RA | | |
|<-------------------------------------->| | |
| | | | |DHCP Relay | |
| | | | |<--------->| |
| nCoA assignment | | | | |
|<-------------------------------------->| | |
|IP in IP tunnel is established with Router 2 | |
|<-------------------------------------->| | |
| Step 3 SIP Re-invite | | | |
|<======================================>|<------------------>|
|Voice traffic goes through IP in IP tunnel | |
|<======================================>|<------------------>|
| Step 4 Deletion of the tunnel | | |
|<-------------------------------------->| | |
X Step 5 Association with AP 2| | | |
X<- - - - - - - - - - - - - - >| | | |
X Voice traffic goes to nCoA | | | |
|<----------------------------------------------------------->|
<- - - - ->802.11 frame
<--------->IP packet
<=========>IP in IP tunneling packet
X Voice Packet loss is happened.
Figure 5: MPA Communication Flow in the implementation environment
6.3 Non-MPA Scenario
For the comparison purposes, non-MPA scenario is also experimented
and is described here. Non-MPA scenario does not provide any
proactive handover mechanism as such but follows standard handover
procedure.
Following are the steps of non-MPA scenario in a likely similar
Dutta, et al. Expires August 14, 2005 [Page 29]
Internet-Draft MPA Framework February 2005
situation.
There is no proactive handover involved in this case. Steps involved
as part of initial communication setup while the mobile is in network
1 remain same as that of MPA part. Based on some policy decision
such as signal-to-noise ratio, the mobile decides to switch to the
new network.
In first step, the MN associates with AP 2 and obtains new IP address
from DHCP Server 2, then assigns the IP address to the network
interface.
In second step, the MN authenticates to the PAA. No data can flow
through router R2, until the mobile successfully authenticates to the
PAA. This adds the delay for post-authentication.
In third step, the MN sends SIP Re-invite with the new IP address
obtained from the DHCP server in the new network, then the voice
traffic is destined to the new IP address. This binding update can
taken potentially a lot of time if the mobile's target network and
the correspondent node are far apart.
Dutta, et al. Expires August 14, 2005 [Page 30]
Internet-Draft MPA Framework February 2005
Router 2(RA)
PAA(AA)
DHCP DHCP Relay DHCP
MN AP1 Server 1 AP2 Agent Server 2 CN
|L2 Association| | | | | |
|<- - - - - - >| | | | | |
| IP address assignment | | | |
|<------------------->| | | | |
| SIP and voice communication start | | |
|<----------------------------------------------------------->|
| Association with AP 2 | | | |
X<- - - - - - - - - - - - - - >| | | |
X new IP address assignment | | | |
X<-------------------------------------------------->| |
X Authentication with PAA | | | |
X<-------------------------------------->| | |
X SIP Re-invite | | | |
X<----------------------------------------------------------->|
X Voice traffic goes to new IP address | | |
|<----------------------------------------------------------->|
<- - - - ->802.11 frame
<--------->IP packet
X Voice Packet loss is happened.
Figure 6: Communication Flow for Non-MPA in the implementation
environment
6.4 The evaluation and the results
In case of MPA scenario, there is no packet loss during
pre-authentication, and secure proactive handover before link-layer
handover takes place when the mobile moves to the new network. Delay
and associated packet loss are observed due to link-layer handover
delay and tunnel deletion mechanism during the handover. This
handover delay is limited to 170 ms including the link-layer delay.
This amounts to 6 RTP packets being lost because of these processes.
Note that in the measurement the RTP packets were not spaced equally
with 20 ms intervals even at the sending side. Optimizing link-layer
delay using a scheme such as [MACD] will reduce the total packets
lost further. It is important to note that the scheme described in
[MACD] has been experimented with HOSTAP driver only. We are also
implementing other methods as described in Section 5 to optimize the
handoff procedure further. It is also noted that the end-host
processing contributes to the handoff delay as well for things such
as tunnel deletion. Thus any system optimization techniques can also
help reduce the handoff delay.
Dutta, et al. Expires August 14, 2005 [Page 31]
Internet-Draft MPA Framework February 2005
In case of non-MPA scenario, handover delay and attributed packet
loss take place because of L2 handover during the movement, IP
address assignment, post-authentication, and mobility binding update.
Especially DHCP takes long time to complete the detection of
duplicate of IP address in the network and binding update can take a
long time if the correspondent node is too far from the mobile node.
In our testbed non-MPA-based handover took up to 4 seconds delay due
to all the above factors. Based on type of streaming traffic that
was sent once in every 20 ms using RAT approximately 200 packets were
lost.
6.5 Notes
In this example network, a portion of function is omitted such as
pre-authorization process, but it can be implemented to the network
and it's not critical section for the handover.
In this example network, candidate protocols can always be replaced
by the other protocols, for example, Mobility management protocol can
be replaced by Mobile IPv4 or Mobile IPv6. In that case, Home Agent
could be in Network 3, similarly the tunnel management protocol can
always be replaced by IKEv2 and IPsec tunnel mode. It is normal to
assume that the performance values will be different based on the
type of candidate protocols used. We also found that L2 delay can
vary based on the drivers and operating system used. We can provide
some examples of L2 delays here. For example Cisco Aironet 350 takes
almost 200-300 ms under linux operating system. Orinoco and Dlink
(Hostap) drivers take around 100-160 ms and 400-600 ms respectively
under Linux operating system but Orinoco with Windows takes about 250
ms. Where as Hostap driver with managed mode takes about 30 ms
handoff time which is comparable to that obtained by [MACD].
Dutta, et al. Expires August 14, 2005 [Page 32]
Internet-Draft MPA Framework February 2005
7. Security Considerations
This document describes a framework of a secure handover optimization
mechanism based on performing handover-related signaling between a
mobile node and one or more candidate target networks to which the
mobile node may move in the future. This framework involves
acquisition of the resources from the candidate target networks as
well as data packet redirection from the candidate target networks to
the mobile node in the current network before the mobile node
physically connects to one of those candidate target networks.
Acquisition of the resources from the candidate target networks must
accompany with appropriate authentication and authorization
procedures in order to prevent unauthorized mobile node from
obtaining the resources. For this reason, it is important for the
MPA framework to perform pre-authentication between the mobile node
and the candidate target networks. The MN-CA key and the MN-AR key
generated as a result of successful pre-authentication can protect
subsequent handover signaling packets and data packets exchanged
between the mobile node and the MPA functional elements in the
candidate target networks.
The MPA framework also addresses security issues when the handover is
performed across multiple administrative domains. With MPA, it is
possible for handover signaling to be performed based on direct
communication between the mobile node and routers or mobility agents
in the candidate target networks. This eliminates the need for a
context transfer protocol for which known limitations exist in terms
of security [I-D.ietf-eap-keying]. For this reason, the MPA
framework does not require trust relationship among administrative
domains or access routers, which makes thke framework more deployable
in the Internet without compromising the security in mobile
environments.
Dutta, et al. Expires August 14, 2005 [Page 33]
Internet-Draft MPA Framework February 2005
8. Acknowledgments
We would like to thank Farooq Anjum and Raziq Yakub for their review
of this document, Victor Fajardo, Kensaku Fujimoto and Provin Gurung
for MPA prototype implementation support, and Subir Das for
standardization support in the IEEE 802.21 WG.
Dutta, et al. Expires August 14, 2005 [Page 34]
Internet-Draft MPA Framework February 2005
9. References
9.1 Normative References
[RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344,
August 2002.
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J. and H.
Levkowetz, "Extensible Authentication Protocol (EAP)", RFC
3748, June 2004.
[RFC3775] Johnson, D., Perkins, C. and J. Arkko, "Mobility Support
in IPv6", RFC 3775, June 2004.
[I-D.ietf-mobileip-lowlatency-handoffs-v4]
Malki, K., "Low latency Handoffs in Mobile IPv4",
draft-ietf-mobileip-lowlatency-handoffs-v4-09 (work in
progress), June 2004.
[I-D.ietf-mipshop-fast-mipv6]
Koodli, R., "Fast Handovers for Mobile IPv6",
draft-ietf-mipshop-fast-mipv6-03 (work in progress),
October 2004.
[I-D.ietf-seamoby-card-protocol]
Liebsch, M., "Candidate Access Router Discovery",
draft-ietf-seamoby-card-protocol-08 (work in progress),
September 2004.
[I-D.ietf-seamoby-ctp]
Loughney, J., "Context Transfer Protocol",
draft-ietf-seamoby-ctp-11 (work in progress), August 2004.
[I-D.ietf-eap-keying]
Aboba, B., "Extensible Authentication Protocol (EAP) Key
Management Framework", draft-ietf-eap-keying-04 (work in
progress), November 2004.
[I-D.ietf-pana-pana]
Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H. and A.
Yegin, "Protocol for Carrying Authentication for Network
Access (PANA)", draft-ietf-pana-pana-07 (work in
progress), December 2004.
[RG98] ITU-T, "General Characteristics of International Telephone
Connections and International Telephone Circuits: One-Way
Transmission Time", ITU-T Recommendation G.114 1998.
Dutta, et al. Expires August 14, 2005 [Page 35]
Internet-Draft MPA Framework February 2005
[ITU98] ITU-T, "The E-Model, a computational model for use in
transmission planning", ITU-T Recommendation G.107 1998.
[ETSI] ETSI, "Telecommunications and Internet Protocol
Harmonization Over Networks (TIPHON) Release 3: End-to-end
Quality of Service in TIPHON systems; Part 1: General
aspects of Quality of Service.", ETSI TR 101 329-6 V2.1.1.
9.2 Informative References
[I-D.ietf-mobike-design]
Kivinen, T. and H. Tschofenig, "Design of the MOBIKE
protocol", draft-ietf-mobike-design-01 (work in progress),
January 2005.
[I-D.ietf-hip-base]
Moskowitz, R., "Host Identity Protocol",
draft-ietf-hip-base-01 (work in progress), October 2004.
[RFC2679] Almes, G., Kalidindi, S. and M. Zekauskas, "A One-way
Delay Metric for IPPM", RFC 2679, September 1999.
[RFC2680] Almes, G., Kalidindi, S. and M. Zekauskas, "A One-way
Packet Loss Metric for IPPM", RFC 2680, September 1999.
[RFC2681] Almes, G., Kalidindi, S. and M. Zekauskas, "A Round-trip
Delay Metric for IPPM", RFC 2681, September 1999.
[RFC1853] Simpson, W., "IP in IP Tunneling", RFC 1853, October 1995.
[RFC3046] Patrick, M., "DHCP Relay Agent Information Option", RFC
3046, January 2001.
[I-D.ietf-dhc-rapid-commit-opt]
Kim, P., Volz, B. and S. Park, "Rapid Commit Option for
DHCPv4", draft-ietf-dhc-rapid-commit-opt-05 (work in
progress), June 2004.
[SIPMM] Schulzrine, H., "Application Layer Mobility Using SIP",
MC2R.
[CELLIP] Cambell, A., Gomez, J., Kim, S., Valko, A. and C. Wan,
"Design, Implementation, and Evaluation of Cellular IP",
IEEE Personal communication Auguest 2000.
[HAWAII] Ramjee, R., Porta, T., Thuel, S., Varadhan, K. and S.
Wang, "HAWAII: A Domain-based Approach for Supporting
Mobility in Wide-area Wireless networks", .
Dutta, et al. Expires August 14, 2005 [Page 36]
Internet-Draft MPA Framework February 2005
[IDMP] Das, S., Dutta, A., Misra, A. and S. Das, "IDMP: An
Intra-Domain Mobility Management Protocol for Next
Generation Wireless Networks", IEEE Wireless Communication
Magazine October 2000.
[I-D.ietf-mobileip-reg-tunnel]
Calhoun, P., Montenegro, G., Perkins, C. and E.
Gustafsson, "Mobile IPv4 Regional Registration",
draft-ietf-mobileip-reg-tunnel-09 (work in progress), July
2004.
[YOKOTA] Yokota, H., Idoue, A. and T. Hasegawa, "Link Layer
Assisted Mobile IP Fast Handoff Method over Wireless LAN
Networks", Proceedings of ACM Mobicom 2002.
[MACD] Shin, S., "Reducing MAC Layer Handoff Latency in IEEE
802.11 Wireless LANs", MOBIWAC Workshop .
[SUM] Dutta, A., Zhang, T., Madhani, S., Taniuchi, K., Ohba, Y.
and H. Schulzrinne, "Secured Universal Mobility", WMASH
2004.
[SIPFAST] Dutta, A., Madhani, S. and H. Schulzrinne, "Fast handoff
Schemes for Application Layer Mobility Management", PIMRC
2004.
[MITH] Gwon, Y., Fu, G. and R. Jain, "Fast Handoffs in Wireless
LAN Networks using Mobile initiated Tunneling Handoff
Protocol for IPv4 (MITHv4)", Wireless Communications and
Networking 2003, January 2005.
[NETDISC] Anjum, F., Das, S., Dutta, A., Fajardo, V., Madhani, S.,
Ohba, Y., Taniuchi, K., Yaqub, R. and T. Zhang, "A
proposal for MIH function and Information Service", A
contribution to IEEE 802.21 WG , January 2005.
[GPSIP] Dutta, A., "GPS-IP based fast-handoff for Mobiles", NYMAN
2003.
[MAGUIRE] Vatn, J. and G. Maguire, "The effect of using co-located
care-of-address on macro handover latency", .
Dutta, et al. Expires August 14, 2005 [Page 37]
Internet-Draft MPA Framework February 2005
Authors' Addresses
Ashutosh Dutta
Telcordia Technologies
1 Telcordia Drive
Piscataway, NJ 08854
USA
Phone: +1 732 699 3130
EMail: adutta@research.telcordia.com
Yoshihiro Ohba
Toshiba America Research, Inc.
1 Telcordia Drive
Piscataway, NJ 08854
USA
Phone: +1 732 699 5305
EMail: yohba@tari.toshiba.com
Kenichi Taniuchi
Toshiba America Research, Inc.
1 Telcordia Drive
Piscataway, NJ 08854
USA
Phone: +1 732 699 5308
EMail: ktaniuchi@tari.toshiba.com
Henning Schulzrinne
Columbia University
Department of Computer Science
450 Computer Science Building
New York, NY 10027
USA
Phone: +1 212 939 7004
EMail: hgs@cs.columbia.edu
Dutta, et al. Expires August 14, 2005 [Page 38]
Internet-Draft MPA Framework February 2005
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Dutta, et al. Expires August 14, 2005 [Page 39]