Secure Universal Mobility for Wireless Internet
Authors: A. Dutta, T. Zhang, S. Madhani (Telcordia Technologies); K. Taniuchi, K. Fujimoto, Y. Katsube, Y. Ohba (Toshiba America Research Inc.); H. Schulzrinne (Columbia University)
Presented by: Ashutosh [email protected]
Outline
– Motivation
– Related Work
– SUM Architecture
– Experimental Test-bed
– Results
– SIP and MOBIKE approach
– Conclusion and Future Work
Mobile Wireless Internet: A Scenario
[Figure: mobile devices (Pocket PC, Webphone, multimedia terminal) roam across the access networks of two Internet domains: 802.11a/b/g access points, Bluetooth access points and UMTS/CDMA networks.]
Motivation
Objective: to provide mobile enterprise users with the same working environment they have at their office, regardless of where they are (e.g., Intranet, Extranet). In particular:
– provide persistent and seamless application session continuity
– provide the same level of security as currently deployed in the enterprise network environment
– provide persistent and seamless reachability (or traceability) from the internal network to mobile users
– provide a VPN-agnostic roaming model independent of the subscribed carrier
– have no impact on the existing IT infrastructure
– optimize the solution as needed
SUM Scenario
[Figure: CN in the internal (protected) network; VPN GW in the DMZ; MN moving between internal WLAN/LAN and external WLAN hot spots and cellular networks.]
– secure the communication while MN is at an external network
– provide session continuity while moving from one network to the other
– provide reachability from the internal network to mobile nodes
CN: Correspondence Node; MN: Mobile Node
Issues to be Resolved
– “IPsec VPN”, which is deployed to secure the communication, cannot currently cope with session continuity while the node is moving
– “Mobile IP”, which is deployed to provide session continuity, cannot secure the communication contents itself
(1) A combination of IPsec VPN and Mobile IP is necessary
– Seamlessness is sometimes unsatisfactory due to “hand-off delay” (e.g., internal WLAN to cellular data network), especially due to the VPN establishment delay (more than 5 sec)
(2) A way for the Mobile Node to reduce hand-off delay is preferable
Related Work
– Miu and Bahl et al. – Movement between similar kinds of networks
– Rodriguez et al. – MAR to support heterogeneous access
– Snoeren et al. – Fine-grained TCP Migrate approach
– Barton et al. – Integration of Mobile IP and IPsec
– Cheng et al. (ICNSC) – Foreign agent based, client driven
– Adrangi et al. (IETF) – Mobile IP traversal for VPN gateways
– Luo et al. – Integration of wireless LAN and cellular
– Birdstep Technologies (www.birdstep.com)
Smooth handoff, dynamic tunnel management, integration with SIP
SUM Architecture (1)
[Figure: CN and the Internal Home Network with i-HA in the internal (protected) network; VPN GW in the DMZ; x-HA and External Networks 1..N in the external (unprotected) network; i-MIP tunnel, VPN tunnel and x-MIP tunnel nested between i-HA, VPN GW, x-HA and MN; IKE + VPN address assignment between MN and VPN GW.]
Based on its current location, MN dynamically establishes/changes/terminates tunnels without changing current standards of IPsec VPN or Mobile IP. The triple-encapsulation tunnel is constructed by:
• i-HA (Internal Home Agent): forwards IP packets to MN’s current internal location
• VPN GW: protects (encrypts and authenticates) IP packets transmitted in external networks
• x-HA (External Home Agent): forwards IP packets to MN’s current external location
SUM Architecture Protocol Flow
Message flow for triple-encapsulation tunnel establishment (CN and i-HA in the internal (protected) network, VPN GW in the DMZ, x-HA and MN in the external (unprotected) network):
1. x-MIP Registration Request (MN to x-HA)
2. x-MIP Registration Reply; x-MIP tunnel established
3. IKE + VPN address assignment (MN and VPN GW); VPN tunnel established
4. i-MIP Registration Request (MN to i-HA, through the VPN)
5. i-MIP Registration Reply; i-MIP tunnel established
Make-before-Break for Hand-off Delay Reduction
Prepare to use another, better path before the current path stops being used:
– MN watches the signal strength level of the WLAN (or applies any other policy)
– Before the internal WLAN signal goes away (becomes lower than a threshold A), MN starts using the cellular network and establishes the x-HA tunnel and VPN tunnel as a stand-by path
– MN stops using the WLAN when its signal level becomes lower than threshold B (A > B), starts using the cellular network, establishes the i-MIP tunnel, then starts using the x-MIP/VPN/i-MIP tunnel over the cellular link
This could remove the major factor of hand-off delay, since the VPN (whose establishment takes more than 5 sec) is set up before the switch-over
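To make the two-threshold policy and the tunnel order concrete, here is an added simulation (not the paper's or the test-bed's code) of the make-before-break handoff and the x-MIP, then VPN, then i-MIP establishment order from the protocol flow above. The RSSI trace, the 0.2 s cost per MIP registration and the 5 s VPN setup time are constructed assumptions (the slides only say VPN establishment exceeds 5 sec).

```python
# Added example (not the paper's or test-bed's code): simulation of the
# make-before-break policy and the x-MIP -> VPN -> i-MIP tunnel order.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VPN_SETUP_SECS = 5.0   # slides: IKE/VPN establishment takes more than 5 s
MIP_SETUP_SECS = 0.2   # assumed cost of one MIP registration round trip

@dataclass
class MobileNode:
    threshold_a: float                          # dBm: start preparing the stand-by path
    threshold_b: float                          # dBm: stop using WLAN (A > B gives hysteresis)
    active: str = "wlan"
    standby_ready_at: Optional[float] = None    # time the x-MIP + VPN path becomes usable
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.threshold_b > self.threshold_a:
            raise ValueError("make-before-break requires threshold A > threshold B")

    def on_wlan_sample(self, t: float, rssi_dbm: float) -> float:
        """Feed one WLAN signal sample taken at time t; return the handoff delay paid (s)."""
        if self.active == "wlan":
            if rssi_dbm < self.threshold_a and self.standby_ready_at is None:
                # Prepare: x-MIP registration, then IKE/VPN over cellular; WLAN still carries data
                self.standby_ready_at = t + MIP_SETUP_SECS + VPN_SETUP_SECS
                self.events.append(f"{t:.1f}s prepare x-MIP+VPN over cellular")
            if rssi_dbm < self.threshold_b:
                # Switch: wait only if the VPN is still being set up, then i-MIP through the VPN
                wait = max(0.0, self.standby_ready_at - t)
                self.active = "cellular"
                self.events.append(f"{t + wait:.1f}s i-MIP via VPN, data over cellular")
                return wait + MIP_SETUP_SECS
        elif rssi_dbm >= self.threshold_a:
            # Back home: i-MIP re-registration on WLAN, then VPN and x-MIP are torn down
            self.active, self.standby_ready_at = "wlan", None
            self.events.append(f"{t:.1f}s back on WLAN, VPN/x-MIP torn down")
            return MIP_SETUP_SECS
        return 0.0

def run(trace: List[Tuple[float, float]], a: float, b: float) -> Tuple[float, List[str]]:
    """Replay an RSSI trace (time, dBm); return total handoff delay and the event log."""
    mn = MobileNode(a, b)
    return sum(mn.on_wlan_sample(t, r) for t, r in trace), mn.events

# Constructed RSSI trace: the WLAN fades over ~10 s and the MN returns home at t=30.
TRACE = [(0, -60), (2, -68), (4, -72), (6, -75), (8, -78),
         (10, -82), (12, -85), (20, -85), (30, -55)]
```

With A = -70 and B = -80 dBm, run(TRACE, -70.0, -80.0) pays only the two MIP registrations (0.4 s); with A = B = -80 dBm the early preparation never happens and the 5 s VPN setup lands on the handoff (5.6 s total).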
Demonstration Scenario
[Figure: CN and the Internal Home Network (WLAN) with i-HA in the internal (protected) network; VPN GW in the DMZ; x-HA and the External Network (Cellular) in the external (unprotected) network; MN moving from the WLAN to the cellular network, with the VPN tunnel, x-MIP tunnel and i-MIP tunnel appearing step by step.]
Step 1: MN (at its home network over WLAN) and CN start an application session, then MN starts moving
Step 2: MN starts preparing an alternate path by establishing the x-MIP and VPN tunnels over the cellular link, while keeping communication via the home network over WLAN
Step 3: MN stops using its home WLAN, starts using cellular and establishes the i-MIP tunnel, then continues communication with CN
Secure Universal Mobility Testbed
[Figure: x-HA on the DMZ network 205.132.6.64/27 (HoA = 70-75) behind the Enterprise Firewall, reached from the Internet; VPN GW between the DMZ and the internal networks; Internal Visited network 10.1.10.0/24 (TIA = 111-120); Internal Home network 10.1.20.0/24 (HoA = 210-215, SSID=ITSUMO home, demo.tari.toshiba.com) with i-HA, AP, SIP monitor, DNS, DHCP, a Linux router and the CH; external access via an EarthLink DSL hotspot and Verizon CDMA 1xRTT; MN roams between them.]
Protocol Sequence Flow
[Figure: protocol sequence during handoff, time in seconds (0-100) against protocol (RTP, IPsec, MIP): x-MIP and i-MIP registration, VPN setup, home de-registration, VPN break-up.]
CBR Voice Traffic
[Figure: (a) packet transmission delay for voice traffic (log scale) against packet number across the 802.11 to cellular to 802.11 handoffs; (b) inter-packet delay variation between CH and MH (log scale) against packet number.]
(a) Packet Transmission Delay (b) Inter-packet departure and arrival delay variation for CBR (Voice)
VBR Video Traffic
[Figure: (a) VIC packet transmission delay (CH-MH), time in seconds (log scale) against packet number, across the 802.11 to cellular to 802.11b handoffs; (b) inter-packet delay variation between CH and MH (log scale) against packet number.]
a) Packet transmission delay b) Inter-packet departure and arrival variation delay for VBR (Video)
802.11-Cellular Secured Handoff
[Figure: RTP packet sequence numbers (2000-2600) against time in minutes (57:07.2 to 59:16.8); the 802.11-to-cellular handoff shows out-of-order packets and a low gradient while on cellular.]
Dynamic Tunnel Management
[Figure: CN and the Internal Home Network (WLAN) with i-HA in the internal (protected) network; VPN GW in the DMZ; x-HA, the External Network (Cellular) and an external hotspot with a SIP server in the external (unprotected) network; MN reached via INVITE/SIP signaling. i-MIP tunnel: x-HoA – i-HoA; x-MIP tunnel: CoA – x-HoA.]
Dynamic Tunnel Management Flow
(CN and i-HA in the internal (protected) network, VPN GW in the DMZ, x-HA and MN in the external (unprotected) network)
1. x-MIP registration; x-MIP tunnel established
2. i-MIP registration with x-HoA; double MIP tunnel established
3. INVITE from CN relayed by the home SIP server to MN over the double MIP tunnel
4. IKE + VPN address assignment; secured OK
5. RTP over the secured link
6. i-MIP registration with TIA; triple tunnel established
SIP with MOBIKE
[Figure: Re-INVITE flow. CN and the Home Proxy in the internal (protected) network (home and visited); VPN GW in the DMZ; MN in External Network 1..N. MN registers the TIA (tunnel address) with the home proxy; when its care-of address changes from CoA1 (IP0) to CoA2 (IP1), MOBIKE modifies the IPsec SA, followed by a re-register (IP1) and a Re-INVITE (TIA).]
Conclusion and Future Work
– Active area of research within IETF’s Mobile IP working group
– Triple-encapsulation mandates “always-on VPN”
  – provides persistent reachability from the internal network to mobile users
  – may not be practical with currently deployed VPNs
– Capability of a dual MIP (i-MIP and x-MIP) tunnel without VPN
  – Dynamic Tunnel Management will allow VPN setup on an on-demand basis
  – adds additional value to the base triple-encapsulation architecture
  – provides light-weight persistent reachability without consuming VPN resources
– Dual MIP is enabled by the SMG (Secure Mobility Gateway), which provides:
  – strong authentication of MIP messages to securely manage dual MIP tunnels
  – packet filtering to restrict packets transmitted over the dual MIP tunnels
  – interaction with AAA domains
– Robust header compression to take care of the overhead associated
– SIP and MOBIKE approach will provide an optimized solution
Backup Slides
Multimedia Test-bed Architecture
[Figure: two domains (Domain 1 tari.toshiba.com, Domain 2 research.telcordia.com) joined over a backbone through 3600 border routers, VLAN switches and routers R1-R3 with ERC1-ERC4; per-domain SIP server/call agent, HA/DRCP server, DRCP servers, multicast proxy, AAA servers, QoS, PANA/IPsec, MAS, IPv6, dynamic DNS, firewall and Smartbits generator; MH with GPS client over 802.11b, Bluetooth and CDMA/GPRS coverage (micro/macro domain, external omni antenna).]
Future / On-going Work (cont’d)
[Figure: CN, the Internal Home Network and Internal Visited Networks with i-HA in the internal (protected) network; VPN GW and SMG in the DMZ; External Networks 1..N in the external (unprotected) network; i-MIP tunnel and x-MIP tunnel to MN.]
– MN is in “Incoming Call Waiting Mode” when it maintains the dual MIP tunnel
– SMG authenticates MIP registration messages as well as filters packets going through the established dual MIP tunnel
Step-by-step protocol flow
[Figure: message sequence among CN, MN, i-HA, VPN-GW and x-HA in three phases.]
– PPP setup over CDMA at SNR = S1 (data still on 802.11): CDMA PPP connection setup; RTP continues; i-MIP Request/Reply; x-MIP Request/Reply; ISAKMP carried as ISAKMP + x-MIP between MN and x-HA and as plain ISAKMP to the VPN-GW
– Make-before-break scenario at SNR = S2 (data over CDMA, triple tunneled): RTP leaves MN as ESP + x-MIP, crosses the VPN-GW as ESP; i-MIP Request/Reply carried as UDP + i-MIP; RTP then flows as ESP / ESP + x-MIP
– Mobile coming back home: 1xRTT disconnection; RTP back on 802.11; i-MIP Request/Reply; VPN tunnel teardown (ISAKMP, ISAKMP + x-MIP)