Secure Universal Mobility for Wireless Internet Authors: A. Dutta, T. Zhang, S. Madhani Telcordia Technologies K. Taniuchi, K. Fujimoto, Y. Katsube, Y.Ohba Toshiba America Research Inc. H. Schulzrinne Columbia University Presented by: Ashutosh Dutta [email protected]


Page 1

Secure Universal Mobility for Wireless Internet

Authors: A. Dutta, T. Zhang, S. Madhani (Telcordia Technologies)
K. Taniuchi, K. Fujimoto, Y. Katsube, Y. Ohba (Toshiba America Research Inc.)
H. Schulzrinne (Columbia University)

Presented by: Ashutosh Dutta, [email protected]

Page 2

Outline

– Motivation
– Related Work
– SUM Architecture
– Experimental Test-bed
– Results
– SIP and MOBIKE approach
– Conclusion and Future Work

Page 3

Mobile Wireless Internet: A Scenario

[Figure: network diagram. Access Networks 1 to 3 (802.11a/b/g access points, a Bluetooth access point, a UMTS/CDMA network) connect through the Internet to Domain 1 and Domain 2 (servers S1 to S4). Client devices shown: Pocket PC, Webphone, Multimedia Terminal.]

Page 4

Motivation

Objective: to provide mobile enterprise users with the same working environment as at their office, regardless of where they are (e.g., Intranet, Extranet); in particular:

– provide persistent and seamless application session continuity
– provide the same level of security as currently deployed in the enterprise network environment
– provide persistent and seamless reachability (or traceability) from the internal network to mobile users
– provide a VPN-agnostic roaming model independent of the subscribed carrier
– have no impact on the existing IT infrastructure
– optimize the solution as needed

Page 5

SUM Scenario

[Figure: three zones, Internal (protected) LAN/WLAN with the CN, the DMZ, and External (unprotected) networks (cellular, hot spots) with MNs moving between them.]

– secure the communication while the MN is at an external network
– provide session continuity while moving from one network to the other
– provide reachability from the internal network to mobile nodes

CN: Correspondent Node; MN: Mobile Node

Page 6

Issues to be Resolved

– “IPsec VPN”, which is deployed to secure the communication, cannot currently cope with session continuity while moving
– “Mobile IP”, which is deployed to cope with session continuity, cannot secure the communication contents itself

(1) A combination of IPsec VPN and Mobile IP is necessary

– Seamlessness is sometimes unsatisfactory due to “hand-off delay” (e.g., internal WLAN to cellular data network), especially due to the VPN establishment delay (more than 5 sec)

(2) A way for the Mobile Node to reduce hand-off delay is preferable

Page 7

Related Work

– Miu and Bahl et al.: movement between similar kinds of networks
– Rodriguez et al.: MAR to support heterogeneous access
– Snoeren et al.: fine-grained TCP Migrate approach
– Barton et al.: integration of Mobile IP and IPsec
– Cheng et al. (ICNSC): foreign agent based, client driven
– Adrangi et al. (IETF): Mobile IP traversal for VPN gateways
– Luo et al.: integration of wireless LAN and cellular
– Birdstep Technologies (www.birdstep.com)

Smooth handoff, dynamic tunnel management, integration with SIP

Page 8

SUM Architecture (1)

[Figure: Internal (protected) side with the CN, the Internal Home Network (i-HA) and an Internal Visited Network; the DMZ with the VPN GW and x-HA; External Networks 1 to N with MNs. Tunnels drawn: i-MIP tunnel, VPN tunnel, x-MIP tunnel.]

Based on its current location, the MN dynamically establishes/changes/terminates tunnels without changing current standards of IPsec VPN or Mobile IP. The triple-encapsulation tunnel is constructed by:
• i-HA (Internal Home Agent): forwards IP packets to the MN’s current internal location
• VPN GW: protects (encrypts and authenticates) IP packets transmitted in external networks
• x-HA (External Home Agent): forwards IP packets to the MN’s current external location
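As an added example (not code from the paper or the SUM implementation), the following Python model shows the three layers the architecture stacks on a downlink packet, outer to inner: x-MIP (x-HA to CoA), the VPN layer (VPN GW to x-HoA) and i-MIP (i-HA to TIA), and what the MN has to strip in turn. All addresses are constructed to follow the subnet plan on the testbed slide, and the VPN layer is modelled as an HMAC-SHA256 integrity tag rather than real ESP, which also encrypts. header_stack() shows the layering a capture on the external leg would display, and corrupt_inner() shows the VPN layer's integrity check rejecting a packet changed on that leg.

```python
"""Model of the SUM triple-encapsulation tunnel on the downlink (CN to MN).
Added example, not code from the paper. Addresses are constructed; the ESP layer
is modelled as an HMAC-SHA256 tag over the encapsulated packet (real ESP also encrypts).
"""
import copy
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample addresses following the testbed slide's subnet plan; none are real hosts.
CN_ADDR = "10.1.20.50"         # correspondent node on the internal home network
I_HA_ADDR = "10.1.20.1"        # internal home agent
I_HOA = "10.1.20.210"          # MN's internal home address, assigned by i-HA
VPN_GW_ADDR = "205.132.6.100"  # VPN gateway in the DMZ
TIA = "10.1.10.111"            # tunnel inner address, assigned by the VPN GW after IKE
X_HA_ADDR = "205.132.6.65"     # external home agent in the DMZ
X_HOA = "205.132.6.70"         # MN's external home address, assigned by x-HA
COA = "192.0.2.23"             # care-of address on the cellular link
VPN_KEY = b"constructed-demo-key-negotiated-by-IKE"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "IP" (application), "IPIP" (MIP tunnel) or "ESP" (VPN)
    payload: object   # bytes when proto == "IP", otherwise the inner Packet
    tag: bytes = b""  # ESP integrity tag; empty for the other layers


def serialize(p: Packet) -> bytes:
    """Canonical bytes of a packet and everything nested inside it."""
    inner = p.payload if isinstance(p.payload, bytes) else serialize(p.payload)
    return f"{p.src}|{p.dst}|{p.proto}|".encode() + inner


def mip_encap(p: Packet, agent: str, target: str) -> Packet:
    """A home agent forwards an intercepted packet through an IP-in-IP tunnel."""
    return Packet(agent, target, "IPIP", p)


def mip_decap(p: Packet) -> Packet:
    if p.proto != "IPIP":
        raise ValueError("expected an IPIP layer, got " + p.proto)
    return p.payload


def esp_encap(p: Packet, gw: str, target: str, key: bytes) -> Packet:
    """The VPN GW authenticates the packet for transit over the external network."""
    tag = hmac.new(key, serialize(p), hashlib.sha256).digest()
    return Packet(gw, target, "ESP", p, tag)


def esp_decap(p: Packet, key: bytes) -> Packet:
    if p.proto != "ESP":
        raise ValueError("expected an ESP layer, got " + p.proto)
    expected = hmac.new(key, serialize(p.payload), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, p.tag):
        raise ValueError("ESP integrity check failed: packet changed in transit")
    return p.payload


def downlink(app_bytes: bytes) -> Packet:
    """The packet as it leaves the DMZ towards the MN's care-of address."""
    inner = Packet(CN_ADDR, I_HOA, "IP", app_bytes)     # CN addresses the i-HoA
    i_mip = mip_encap(inner, I_HA_ADDR, TIA)              # i-HA -> TIA    (i-MIP tunnel)
    vpn = esp_encap(i_mip, VPN_GW_ADDR, X_HOA, VPN_KEY)   # VPN GW -> x-HoA (VPN tunnel)
    return mip_encap(vpn, X_HA_ADDR, COA)                 # x-HA -> CoA    (x-MIP tunnel)


def header_stack(p: Packet) -> List[Tuple[str, str, str]]:
    """Outer-to-inner (proto, src, dst) triples, as a capture on the external leg shows them."""
    stack = []
    while True:
        stack.append((p.proto, p.src, p.dst))
        if isinstance(p.payload, bytes):
            return stack
        p = p.payload


def mn_receive(p: Packet, key: bytes = VPN_KEY) -> bytes:
    """MN strips x-MIP, then the VPN layer, then i-MIP, and delivers the payload."""
    inner = mip_decap(esp_decap(mip_decap(p), key))
    if inner.dst != I_HOA:
        raise ValueError("inner packet is not addressed to our internal home address")
    return inner.payload


def accepted(p: Packet, key: bytes = VPN_KEY) -> bool:
    """True when the MN would deliver the packet to the application."""
    try:
        mn_receive(p, key)
        return True
    except ValueError:
        return False


def corrupt_inner(p: Packet) -> Packet:
    """Copy of p with one bit of the application payload flipped, standing in for
    any modification that happens on the unprotected external leg."""
    q = copy.deepcopy(p)
    node = q
    while not isinstance(node.payload, bytes):
        node = node.payload
    node.payload = bytes([node.payload[0] ^ 0x01]) + node.payload[1:]
    return q
```

Call downlink() and then header_stack() on the result to see the four (proto, src, dst) layers; mn_receive() returns the application bytes only if the VPN tag verifies, so a packet altered on the external leg, or one received by an MN holding a different key, is rejected before the i-MIP layer is even looked at.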

Page 9

SUM Architecture Protocol Flow

Message flow for triple-encapsulation tunnel establishment (participants: CN and i-HA on the internal (protected) side, VPN GW and x-HA in the DMZ, MN on the external (unprotected) side):

– x-MIP Registration Request (MN to x-HA)
– x-MIP Registration Reply
– x-MIP tunnel established
– IKE + VPN address assignment (MN and VPN GW)
– VPN tunnel established
– i-MIP Registration Request (MN to i-HA)
– i-MIP Registration Reply
– i-MIP tunnel established

Page 10

Make-before-Break for Hand-off Delay Reduction

Prepare to use another, better path before stopping use of the current path:
– the MN watches the signal strength level of the WLAN (or applies any other policy)
– before the internal WLAN signal goes away (becomes lower than a threshold A), the MN starts using the cellular network and establishes the x-HA tunnel and VPN tunnel as a stand-by path
– the MN stops using the WLAN when its signal level becomes lower than threshold B (A > B), starts using the cellular network, establishes the i-MIP tunnel, then starts using the x-MIP/VPN/i-MIP tunnel over the cellular network

This could remove the major factor of hand-off delay, since the VPN is established (which takes more than 5 sec) before switch-over.
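The two thresholds are easy to get wrong in an implementation, so here is an added Python replay of the policy (not the paper's code) over a constructed WLAN signal trace. Timings are assumptions: the deck states only that VPN set-up takes more than 5 s, and the 0.5 s MIP registration times are made up. Setting A equal to B turns the same code into break-before-make, which is what the comparison at the end measures.

```python
"""Make-before-break hand-off policy replayed over constructed WLAN signal samples.
Added example, not code from the paper; timings are assumptions except that the
deck reports VPN establishment above 5 s.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

VPN_SETUP_S = 5.5     # IKE + VPN address assignment (deck: "more than 5 sec")
X_MIP_REG_S = 0.5     # x-MIP registration over cellular (assumed)
I_MIP_REG_S = 0.5     # i-MIP registration over the new path (assumed)


@dataclass
class HandoffResult:
    events: List[Tuple[str, float]] = field(default_factory=list)
    outage_s: float = 0.0       # time during which no path to the CN is usable
    active_path: str = "WLAN"


def run_handoff(samples: Iterable[Tuple[float, float]],
                threshold_a: float, threshold_b: float) -> HandoffResult:
    """Replay (time_s, wlan_rssi_dbm) samples through the MN's policy.

    A is the level at which the stand-by path is prepared, B the level at which
    the WLAN is abandoned; A > B gives make-before-break, A == B degenerates to
    break-before-make (everything is set up only after the WLAN is gone).
    """
    if threshold_a < threshold_b:
        raise ValueError("threshold A must not be below threshold B")
    result = HandoffResult()
    standby_ready_at: Optional[float] = None
    ready_logged = False
    for t, rssi in samples:
        if standby_ready_at is None and rssi < threshold_a:
            # Stand-by path: x-MIP registration, then IKE + VPN, over cellular,
            # while application traffic keeps flowing over the WLAN.
            standby_ready_at = t + X_MIP_REG_S + VPN_SETUP_S
            result.events.append(("standby_setup_started", t))
        if standby_ready_at is not None and t >= standby_ready_at and not ready_logged:
            result.events.append(("standby_ready", standby_ready_at))
            ready_logged = True
        if rssi < threshold_b:
            result.events.append(("wlan_dropped", t))
            # With the stand-by path in place only the i-MIP registration remains;
            # otherwise the MN has to wait for x-MIP + VPN to complete first.
            usable_at = max(t, standby_ready_at) + I_MIP_REG_S
            result.outage_s = usable_at - t
            result.active_path = "CELLULAR"
            result.events.append(("switched_to_cellular", usable_at))
            break
    return result


def wlan_fade(seconds: int = 40) -> List[Tuple[float, float]]:
    """Constructed trace: WLAN RSSI falling 1 dBm per second from -50 dBm."""
    return [(float(t), -50.0 - t) for t in range(seconds + 1)]


def compare_policies() -> Tuple[float, float]:
    """Outage in seconds for make-before-break (A=-70, B=-80) vs break-before-make (A=B=-80)."""
    mbb = run_handoff(wlan_fade(), threshold_a=-70.0, threshold_b=-80.0)
    bbm = run_handoff(wlan_fade(), threshold_a=-80.0, threshold_b=-80.0)
    return mbb.outage_s, bbm.outage_s
```

On the constructed trace the stand-by x-MIP and VPN set-up starts at t = 21 s and is ready at t = 27 s, well before the WLAN is abandoned at t = 31 s, so the only outage left is the i-MIP registration; with A = B the same hand-off pays the full x-MIP + VPN + i-MIP cost after the WLAN is already gone. The gap between A and B therefore has to cover the VPN set-up time, otherwise the MN drops the WLAN while the stand-by path is still being negotiated.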

Page 11

Demonstration Scenario

[Figure: CN in the Internal (protected) zone, VPN GW and x-HA in the DMZ, MN at the Internal Home Network (WLAN, i-HA), with an External Network (Cellular) on the unprotected side.]

Step 1: MN (at its home network over WLAN) and CN start an application session, then MN starts moving

Page 12

Demonstration Scenario

[Figure: as on the previous slide, now with the VPN tunnel and x-MIP tunnel drawn between the MN on the cellular network, the x-HA and the VPN GW.]

Step 2: MN starts preparing an alternate path by establishing the x-MIP and VPN tunnel over the cellular link, while keeping communication via the home network over WLAN

Page 13

Demonstration Scenario

[Figure: as on the previous slides, now with the i-MIP tunnel added, so the MN on the cellular network is reached through the x-MIP, VPN and i-MIP tunnels.]

Step 3: MN stops using its home WLAN, starts using cellular and establishes the i-MIP tunnel, then continues communication with the CN

Page 14

Secure Universal Mobility Testbed

[Figure: testbed diagram. Labels recovered from it (positions approximate): Internet; Enterprise Firewall; DMZ Network 205.132.6.64/27 with x-HA at .65, VPN GW at .100 (.99), HoA = .70-.75, usable range .66-.94; Internal Visited network 10.1.10.0/24 with TIA = .111-.120 (label .98); Internal Home network 10.1.20.0/24 (SSID = ITSUMO home, demo.tari.toshiba.com) with i-HA at .1, HoA = .210-.215, AP, SIP Monitor, DNS, DHCP, a Linux router and a CH; External Cellular via Verizon CDMA 1xRTT; External Hotspot via EarthLink DSL; MNs on both external networks.]

Page 15

Protocol Sequence Flow

[Figure: "Protocol Sequence during handoff". X axis: Time in Seconds (0 to 100); Y axis: Protocol (RTP, IPSEC, MIP). Annotated events: X-MIP, I-MIP, VPN Setup, Home De-registration, VPN Break up.]

Page 16

CBR Voice Traffic

[Figure (a): "Packet Transmission Delay for Voice Traffic". X axis: Packet Numbers; Y axis: Transmission Delay in seconds (log scale, 1e-7 to 1). Segments labelled 802.11, Cellular, 802.11.]

[Figure (b): "Inter-Packet Delay Variation between CH and MH (Voice)". X axis: Packet Numbers; Y axis: Inter-Packet Delay difference (log scale, 0.001 to 10). Segments labelled 802.11, 802.11.]

(a) Packet Transmission Delay (b) Inter-packet departure and arrival delay variation for CBR (Voice)

Page 17

VBR Video Traffic

[Figure (a): "VIC Packet Transmission Delay (CH-MH)". X axis: Packet number; Y axis: Time in Seconds (log scale). Segments labelled 802.11, Cellular, 802.11.]

[Figure (b): "Inter-Packet Delay variation between CH and MH (Video)". X axis: Packet Number; Y axis: Inter-Packet Delay Variation (log scale, 0.001 to 10); series "Inter Diff". Segments labelled 802.11b, Cellular, 802.11b.]

a) Packet transmission delay b) Inter-packet departure and arrival variation delay for VBR (Video)

Page 18

802.11-Cellular Secured Handoff

[Figure: "RTP Packet Sequence". X axis: Time in Minutes (57:07.2 to 59:16.8); Y axis: RTP Sequence numbers (2000 to 2600). Annotations: 802.11-cellular handoff, out-of-order packets, low gradient on the cellular segment, 802.11 and cellular segments.]

Page 19

Dynamic Tunnel Management

[Figure: CN, SIP Server and Internal Home Network (WLAN, i-HA) on the Internal (protected) side; VPN GW and x-HA in the DMZ; MNs on the External (unprotected) side (Cellular network, Hotspot). SIP signaling (INVITE) from the SIP Server towards the MN. Tunnels drawn: x-MIP tunnel and i-MIP tunnel, no VPN tunnel. Tunnel endpoints: i-MIP tunnel: x-HoA – i-HoA; x-MIP tunnel: CoA – x-HoA.]

Page 20

Dynamic Tunnel Management Flow

[Sequence chart; participants: CN and i-HA on the Internal (protected) side, VPN GW and x-HA in the DMZ, MN on the External (unprotected) side. Message labels as extracted from the chart:]
– x-MIP Registration
– x-MIP tunnel established
– i-MIP registration with x-HoA
– Home SIP: INVITE, INVITE
– Double MIP tunnel established
– IKE + VPN Address Assignment
– Secured OK
– RTP over secured link
– i-MIP registration with TIA
– Triple tunnel established

Page 21

SIP with MOBIKE

[Figure: CN and Home Proxy on the Internal (protected) side (Internal Home Network, Internal Visited Network); VPN GW in the DMZ; MNs on External Networks 1 to N. The MN's VPN tunnel address TIA (Tunnel address) stays fixed while its care-of address changes from CoA1 (IP0) to CoA2 (IP1). Steps labelled 1 and 2: MOBIKE (modifies SA), Re-register (IP1); further labels: Register (TIA), Re-Invite (TIA).]

Page 22

Conclusion and Future Work

– Active area of research within IETF’s Mobile IP working group
– Triple-encapsulation mandates an “always-on VPN”
  – provides persistent reachability from the internal network to mobile users
  – may not be practical with currently deployed VPNs
– Capability of a dual MIP (i-MIP and x-MIP) tunnel without VPN
  – Dynamic Tunnel Management will allow VPN setup on an on-demand basis
  – adds additional value to the base triple-encapsulation architecture
  – provides light-weight persistent reachability without consuming VPN resources
– Dual MIP is enabled by the SMG (Secure Mobility Gateway), which provides:
  – strong authentication of MIP messages to securely manage the dual MIP tunnels
  – packet filtering to restrict packets transmitted over the dual MIP tunnels
  – interaction with AAA domains
– Robust header compression to take care of the associated overhead
– The SIP and MOBIKE approach will provide an optimized solution

Page 23

Backup Slides

Page 24

Multimedia Test-bed Architecture

[Figure: two domains, Domain 1 (tari.toshiba.com) and Domain 2 (research.telcordia.com), joined by a backbone of VLAN switches and 3600 routers (R1, R2, R3), with border routers and a firewall (FW) to the Internet. Per-domain elements: SIP Server / Call Agent, QoS, HA/DRCP Server, DRCP Servers, Multicast Proxy, AAA Servers, Dynamic DNS, PANA/IPsec, MAS, IPv6, SmartBits generator, edge routers ERC1 to ERC4. Access: 802.11b and Bluetooth, micro and macro domain coverage with an external omni antenna, CDMA/GPRS coverage, an MH with a GPS client.]

Page 25

Future / On-going Work (cont’d)

[Figure: CN and Internal Home Network (i-HA) with Internal Visited Networks on the Internal (protected) side; VPN GW and SMG in the DMZ; External Networks 1 to N with MNs. Tunnels drawn: i-MIP tunnel and x-MIP tunnel.]

– The MN is in “Incoming Call Waiting Mode” when it maintains the dual MIP tunnel
– The SMG authenticates MIP registration messages as well as filters packets going through the established dual MIP tunnel
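The SMG's two duties named here and on the conclusion and dynamic-tunnel-management slides, authenticating MIP registrations and restricting what may cross the unprotected dual MIP tunnel, can be sketched as follows. This is an added Python example, not the project's SMG: HMAC-SHA256 over the registration fields stands in for the RFC 3344 Mobile-Home authentication extension (whose default algorithm is HMAC-MD5), a monotonically increasing counter stands in for the RFC 3344 Identification field, and the SIP server address and shared keys are constructed. UDP port 434 is the Mobile IP registration port and UDP 500/4500 the IKE ports; those assignments are real.

```python
"""Sketch of a Secure Mobility Gateway (SMG) for the dual MIP tunnel.
Added example, not the project's code. HMAC-SHA256 and an integer counter stand in
for the RFC 3344 authentication extension and Identification field; addresses and
keys are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

MIP_PORT = 434            # Mobile IP registration messages (RFC 3344)
SIP_PORT = 5060
IKE_PORTS = (500, 4500)   # IKE and IKE over NAT-T
SIP_SERVER = "10.1.20.5"  # constructed home SIP server address


@dataclass(frozen=True)
class Registration:
    hoa: str              # MN's home address; names the mobility security association
    coa: str              # care-of address the tunnel should point at
    identification: int   # replay counter (assumption standing in for the RFC 3344 field)
    authenticator: bytes


def _auth_bytes(hoa: str, coa: str, identification: int) -> bytes:
    return f"{hoa}|{coa}|{identification}".encode()


def sign_registration(hoa: str, coa: str, identification: int, key: bytes) -> Registration:
    """What the MN sends: the registration fields plus a keyed authenticator."""
    mac = hmac.new(key, _auth_bytes(hoa, coa, identification), hashlib.sha256).digest()
    return Registration(hoa, coa, identification, mac)


class SecureMobilityGateway:
    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys                 # hoa -> shared key; the deck has AAA provide these
        self.last_identification = {}    # hoa -> highest accepted counter (replay protection)
        self.tunnels: Dict[str, str] = {}  # hoa -> coa of authenticated dual-MIP tunnels

    def register(self, reg: Registration) -> str:
        """Accept only registrations that verify under the MN's key and are not replays."""
        key = self.keys.get(reg.hoa)
        if key is None:
            return "reject: unknown mobile"
        expected = hmac.new(key, _auth_bytes(reg.hoa, reg.coa, reg.identification),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, reg.authenticator):
            return "reject: bad authenticator"
        if reg.identification <= self.last_identification.get(reg.hoa, -1):
            return "reject: replayed registration"
        self.last_identification[reg.hoa] = reg.identification
        self.tunnels[reg.hoa] = reg.coa
        return "accept"

    def filter(self, hoa: str, proto: str, dst: str, dport: Optional[int] = None) -> str:
        """Policy for packets arriving over the dual MIP tunnel of the MN with this HoA:
        only tunnel management, VPN set-up/traffic and call signaling are allowed,
        so application data never crosses the external network unprotected."""
        if hoa not in self.tunnels:
            return "drop: no authenticated tunnel"
        if proto == "UDP" and dport == MIP_PORT:
            return "allow"   # MIP registrations keep the tunnel itself manageable
        if proto == "UDP" and dport in IKE_PORTS:
            return "allow"   # on-demand VPN set-up
        if proto == "ESP":
            return "allow"   # media travels inside the VPN once it is up
        if dport == SIP_PORT and dst == SIP_SERVER:
            return "allow"   # incoming-call signaling to/from the home SIP server
        return "drop: not permitted on the unprotected dual-MIP tunnel"
```

The filter is deliberately an allow-list: a plaintext RTP stream, or SIP signaling aimed at anything other than the home SIP server, is dropped until the MN has brought up the VPN, which is exactly the "Incoming Call Waiting Mode" behaviour the slide describes. Replay rejection matters here because an accepted registration redirects the i-MIP tunnel; with the counter check, re-sending an old but correctly authenticated registration no longer moves the tunnel.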

Page 26

Step-by-step protocol flow

[Three sequence charts; participants: CN, MN, i-HA, VPN-GW, x-HA.]

PPP setup over CDMA at SNR = S1 (data still on 802.11):
– CDMA PPP connection setup
– RTP (CN and MN over 802.11)
– i-MIP Request / i-MIP Reply
– x-MIP Request / x-MIP Reply
– ISAKMP (carried as ISAKMP + x-MIP on the external leg)

Make-before-break scenario at SNR = S2 (data over CDMA, triple tunneled):
– RTP, carried as ESP and as ESP + x-MIP on the external leg
– i-MIP Request / i-MIP Reply (carried as UDP + i-MIP)
– RTP, ESP, ESP + x-MIP

Mobile coming back home (1xRTT disconnection, data back on 802.11, VPN tunnel teardown):
– RTP
– i-MIP Request / i-MIP Reply
– ISAKMP (carried as ISAKMP + x-MIP on the external leg)