Mobileip Working Group                                      Youngsong Mun
Internet-Draft                                                Miyoung Kim
Expires: June, 2007                                   Soongsil University
                                                              Jaehoon Nah
                                                            Seungwon Sohn
                                                                     ETRI
                                                           December, 2006


         Local Authentication Scheme Based on AAA Architecture
                           in IEEE 802.16e BWA
                     draft-mun-mobileip-bwa-aaa-00.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on June 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   Mobile IP has recently been gaining popularity, with some interesting
   transformations intended to make it more suitable for use by existing
   and emerging wireless technologies such as IEEE 802.16e Broadband
   Wireless Access (BWA).  One of the fundamental features needed to
   make Mobile IP viable in the commercial world is secure access.  In
   this draft, we propose a novel scheme to locally authenticate and
   authorize inter-domain roaming users in an efficient way in IEEE
   802.16e BWA, based on the authentication, authorization and
   accounting (AAA) infrastructure.

M. Kim, et al.             Expires June, 2007                  [Page 1]

Internet-Draft          Local Authentication Scheme           July 2006
   We present the detailed operations for establishing a local security
   association (SA) for authentication, and a performance evaluation
   that considers the traffic and mobility properties of a roaming user
   as well as the distance between the mobile node (MN) and its home AAA
   server.  The proposed scheme outperforms the existing method with
   respect to authentication cost and service latency.

Table of Contents

   1. Introduction
   2. Terminology
   3. Authentication Overview on AAA Infrastructure
   4. IEEE 802.16e Handover
      4.1. IEEE 802.16e Fast Handover in Predictive Mode
   5. AAA-based Authentication Provision
      5.1. Authentication Extension Flow
   6. Security Considerations
   7. Conclusions
   8. References
   9. Authors' Addresses

1. Introduction

   Mobile IP enables an MN to move freely from one point of connection
   to the Internet to another without disruption of pre-established
   end-to-end transport connections, e.g. TCP.  When an MN enters a
   visited domain, it obtains a temporary IP address named the Care-of
   Address (CoA) and registers it with the home agent (HA), a special
   router in its home domain.  A correspondent node (CN) communicating
   with the MN can send packets to the MN's home address; the MN's home
   domain captures the packets sent to it and forwards them to the
   temporary address [1].  One of the main problems is the lack of
   security services: the MN should be authenticated to verify that it
   is a legitimate user with the right of access under the pre-defined
   contracts between ISPs [2].
   The IEEE 802.16 wireless MAN, called 'Worldwide Interoperability for
   Microwave Access (WiMAX)', has been standardized as a promising
   solution for fixed broadband wireless access systems; it provides
   network access from buildings through external antennas communicating
   with central base stations [3,4].  Because it covers broad areas
   without expensive installation cost, it may offer ubiquitous
   broadband access [3].  Additionally, IEEE 802.16e, called 'Wireless
   Broadband (WiBro)', is a standard in progress for BWA that supports
   mobility, offering up to 2 Mbps at 60 km/h, and is expected to fill
   the gap between fixed wired or wireless networks and mobility
   systems.  [5] describes various deployment scenarios that provide a
   migration path toward 4G.  WiFi is already in laptops, cell phones
   and PDAs.  One of the first uses of 802.16 will be backhaul for WiFi
   hotspots forming a micro cell.  With WiMAX, hotspots will be extended
   into so-called 'hotzones' for users of WiFi applications.  Next, the
   WiMAX main base station (BS) with wired backhaul at the center of a
   cluster of WiMAX mesh base stations forms a macro cell providing
   coverage for the surrounding region.  Finally, deployment of mobile
   WiMAX (WiBro) is suggested to reach complete 4G with full mobility.
   To offer mobility, the wireless service must be as pervasive as cell
   phone service; the solution is to create small cells instead of
   trying to cover large areas with a single antenna.

   The main challenges reported by the IETF mobileip WG are security and
   quality of service (QoS) [6].  Both are important for providing
   reliable communications over an unprotected and bursty open medium.
   To provide security services in wireless networks, authentication is
   needed to identify the MN and to negotiate credentials such as
   encryption keys and algorithms for secure communication [7,8,9].

   Security research has addressed 802.16e and Mobile IP from different
   angles without considering the relationship between them.  As a
   complementary protocol leveraging 802.16e and Mobile IP, FMIP becomes
   a candidate to start and complete the layer-3 handover and binding
   update by using the results of its successful deployment scenarios.

   In this draft, we propose a service architecture to support fast and
   secure global roaming service across multiple service domains.  Using
   this scheme, a mobile user can be served with continuous
   communication service while attached to a different domain.  The
   mobile user only needs to carry a single identification to receive
   the same service on any service network, which minimizes the handoff
   latency in AAA-enabled roaming service, specifically to support
   real-time applications.

   This draft is organized as follows.  In Section 2, we summarize the
   operations of the AAA-enabled Mobile IP architecture and discuss the
   performance issue raised in the support of fast handoff in secure
   global roaming service.  In Section 3, we present the AAA-enabled
   roaming service integrated with the fast handoff scheme over IEEE
   802.16e BWA.  The proposed model is aligned with IETF Mobile IP
   [1,10,11] and AAA frameworks.  In Section 4, we describe the goals
   and design of the authentication scheme for different mobility
   patterns, e.g. traffic and movement probability, in which the
   optimized operations are introduced with consideration of the
   security issues [2].  In Sections 5 and 6, the performance
   enhancement scheme and cost evaluation of our proposal are described
   with respect to the existing schemes, Mobile IP and fast handover in
   IEEE 802.16e.  Finally, the conclusion is given in Section 7.

2. Terminology

   This document borrows all of its terminology from Mobile IPv6 [1]
   and AAA for Mobile IPv6 [3].
   Attendant: AAA entity which is the local AAA system entry point and
      the local address provider/registry.  Term from [8].

   AAA client: attendant.

   AAA home server (AAAH): AAA server of the home network.

   AAA local server (AAAL): AAA server of the local network.

   AVP (Attribute Value Pair): AAA (element of) payload.

   Binding: home address/care-of address association for a mobile node
      on a mobility-aware IPv6 node.

   Care-of address (Co@): temporary address used by a mobile node.  The
      care-of address is allocated or registered by a local entity,
      which for simplicity is assumed in this document to be the same
      as the attendant.

   Home address (H@): fixed address used by a mobile node.  The home
      address belongs to the home network and is in general well known
      by the mobile node, even though the protocol described here
      supports home address allocation.

   Home agent (HA): router on the home network which forwards traffic
      destined to the home address to the mobile node.

   Mobile Node (MN): node using Mobile IPv6 mechanisms.

   Correspondent Node (CN): an IPv6 host communicating with the MN.

   Network Access Identifier (NAI): [5] mobile user identifier which is
      compatible with the user_FQDN identities of IKE.  We assume the
      NAI can be used to identify any entity involved here, even though
      some of them are nodes and not users.

   Security Association (SA): a security connection which affords
      security services to some traffic between peers.  This notion is
      shared, in different forms, between IPsec, ISAKMP and AAA.

   Access Router (AR): the MN's default router.

   Handover: a process of terminating existing connectivity and
      obtaining new IP connectivity.

   Router Solicitation for Proxy Advertisement (RtSolPr): a message
      from the MN to the PAR requesting information for a potential
      handover.
   Proxy Router Advertisement (PrRtAdv): a message from the PAR to the
      MN that provides information about neighboring links, facilitating
      expedited movement detection.  The message also acts as a trigger
      for network-initiated handover.

3. Authentication Overview on AAA Infrastructure

   In order to deliver authentication messages between networks, many
   authentication architectures have been proposed for different types
   of mobile networks.  This draft adopts the Diameter-based AAA
   architecture proposed by the IETF for Mobile IP networks.  The AAA
   infrastructure is composed of local AAA servers (AAAv), home AAA
   servers (AAAh), and proxy AAA servers (AAAp).  An AAAv is an AAA
   server that serves the visiting MNs in a network domain for AAA
   operations.  An AAAh is the AAA server in the home network of the MN.
   An AAAp relays AAA messages between different AAA servers in a secure
   manner.  Figure 1 shows the hierarchical deployment architecture that
   provides an MN with secure authentication.

   Taking this into account, the IRTF defined a framework, known as AAA,
   providing suitable support for these concepts.  Note that current
   service providers have noticed the importance of AAA infrastructures
   for controlling their resources; in fact, the vast majority of them
   have successfully deployed such infrastructures for years.  However,
   these infrastructures are based on protocols such as RADIUS and
   TACACS+ that are considered antiquated, as they were designed to
   support a specific kind of user and access technology, e.g. dial-up
   PPP users with a fixed connection.

   Diameter is a lightweight, peer-based AAA protocol designed to offer
   a scalable foundation for introducing new policy and AAA services
   over existing (PPP) and emerging (roaming, Mobile IP) network
   technologies.  Diameter employs many of the same mechanisms as
   RADIUS, including UDP transport, encoded attribute-value pairs (AVPs)
   and proxy server support.
   It also attempts to correct limitations inherent in RADIUS.  Diameter
   supports a much larger AVP length and incorporates a reliable,
   window-based transport.  It realizes full authentication with fewer
   message transactions, which is important in a roaming environment
   [12].

   To address efficiency and security under different mobility and
   traffic patterns, we propose a local authentication scheme with SA
   delegation, which can be implemented on the AAA (Diameter)
   architecture.

4. IEEE 802.16e Handover

   Basically, three steps are performed to complete the fast handover
   procedure: Background Activity, Handover Preparation and Handover
   Execution.  In the first step the Serving BS (base station)
   advertises its presence to the MN, and the MN scans the Serving BS
   using the information it advertises.  In the next step, handover
   preparation is initiated by the MN or the Serving BS, as shown in
   figure x.  After completing these steps, the MN is reconnected to the
   Target BS and joins the 802.16e network.  After switching the link,
   the MN synchronizes with the target BS and performs the 802.16e
   network entry procedure.  The MN may exchange the RNG-REQ/RSP,
   SBC-REQ/RSP, PKM-REQ/RSP and REG-REQ/RSP messages with the target BS.

   However, the messages exchanged between the MN and the Serving BS
   should be authenticated before the handover steps are executed, since
   BST attacks can be mounted between them, where an attacker mimics the
   MN towards the Serving BS and vice versa.  As proven in Mobile IP,
   the Diameter protocol is appropriate for securing these messages.

   Handover procedures over 802.16e are defined for both predictive mode
   and reactive mode.  Note that there is no need for IP mobility when
   the target BS is in the same subnet; therefore the FBU is sent
   conditionally, depending on whether the target BS is in a different
   subnet or not [4,7].

4.1. IEEE 802.16e Fast Handover in Predictive Mode

   In this mode, the Serving BS (PAR) advertises the MOB_NBR_ADV message
   periodically to announce its presence to the nodes in its coverage.
   If the MN discovers new neighbor BSs specified in this message, it
   performs scanning for them.  The MN then tries to resolve the new
   neighbor's BSID to the associated AR by exchanging the RtSolPr and
   PrRtAdv messages with the PAR.  At this time, the MN initiates
   handover by sending MOB_MSHO_REQ to the Serving BS and receives
   MOB_BSHO_RSP as the response from the PAR.  Alternatively, the
   Serving BS can initiate handover by sending MOB_BSHO_REQ to the MN.
   Upon receiving MOB_BSHO_RSP or MOB_BSHO_REQ from the Serving BS,
   layer 2 notifies the upper layer, through a predefined trigger, of
   the time at which the link will go down.  This trigger initiates the
   layer-3 fast handover procedure, in which the MN exchanges FBU and
   FBack with the PAR.  The PAR establishes the tunnel with the NAR by
   exchanging HI/HAck messages [4] before sending FBack to the MN.
   During this procedure, the NAR verifies whether the NCoA is
   available.  If FBack arrives before the handover, the MN sends
   MOB_HO_IND to complete the handover procedure as defined in
   predictive mode, and smoothly performs handover to the target BS.
   MN                  BS(PAR)             BS#1(NAR)         BS#2(NAR)
   |                     |                   |                 |
   | MOB_NBR_ADV(NB#,{NB_INFO})              |                 |
   |<--------------------|                   |                 |
   | MOB_SCN_RSP         |                   |                 |
   |-------------------->|                   |                 |
   | MOB_SCN_REQ         |                   |                 |
   |<--------------------|                   |                 |
   |                     |                   |                 |
   |      SCANNING       |                   |                 |
   |                     |                   |                 |
   | RtSolPr             |                   |                 |
   |-------------------->|                   |                 |
   | PrRtAdv             |                   |                 |
   |<--------------------|                   |                 |
   |                     |                   |                 |
   | Handover Preparation|                   |                 |
   |                     |                   |                 |
   | MOB_MNHO_REQ        |                   |                 |
   |-------------------->|                   |                 |
   | MOB_BSHO_RSP        |                   |                 |
   |<--------------------|                   |                 |
   | FBU                 | HI                |                 |
   |-------------------->|------------------>|                 |
   | FBACK               | HACK              |                 |
   |<--------------------|<------------------|                 |
   |                     |--> Packets        |                 |
   | MOB_HO_IND          |------------------>|                 |
   |-------------------->|                   |                 |
   |                     |                   |                 |
   |      802.16e Network Re-entry           |                 |
   | FNA                 |                   |                 |
   |---------------------------------------->|                 |
   |                     | STOP_FORWARDING   |                 |
   |                     |<------------------|                 |
   | Packets             |                   |                 |
   |<----------------------------------------|                 |
   |                     |                   |                 |

     Fig. 1. Fast handover message flow over 802.16e in predictive mode
             operation

   When the network entry is finished, the MN triggers the status to
   layer 2 to enable the link and issues FNA to the NAR.  On receiving
   the FNA from the MN, the NAR delivers the buffered packets to the MN.
   After finishing this procedure, layer 2 of the MN informs the upper
   layer that the link is about to transit from down to active, and the
   MN issues an FNA embedding the FBU to the NAR.  Upon receiving the
   FNA, the NAR verifies the availability of the requested NCoA and
   forwards the inner FBU to the PAR.  If the NAR detects that the NCoA
   is already in use, it discards the FBU and replies to the MN with a
   Router Advertisement carrying the NAACK option.  Otherwise, it
   delivers the packets destined to the NCoA to the MN.

5. AAA-based Authentication Provision

   After scanning the ARs, the MN starts FMIPv6 operation by sending
   FBU to the PAR and finishes it by sending FNA to the NAR after the
   handover.

5.1. Authentication Extension Flow

   After scanning the APs, the MN starts FMIPv6 operation by sending
   FBU to the PAR and finishes by sending FNA to the NAR after the
   handover.

   MN                  BS(PAR)            BS#1(NAR)     AAA(n)   AAA(n)    HA
   |                     |                   |         |         |         |
   | MOB_NBR_ADV(NB#,{NB_INFO})              |         |         |         |
   |<--------------------|                   |         |         |         |
   | MOB_SCN_RSP         |                   |         |         |         |
   |-------------------->|                   |         |         |         |
   | MOB_SCN_REQ         |                   |         |         |         |
   |<--------------------|                   |         |         |         |
   |                     |                   |         |         |         |
   |      SCANNING       |                   |         |         |         |
   |                     |                   |         |         |         |
   | RtSolPr             |                   |         |         |         |
   |-------------------->|                   |         |         |         |
   | PrRtAdv             |                   |         |         |         |
   |<--------------------|                   |         |         |         |
   |                     |                   |         |         |         |
   | Handover Preparation|                   |         |         |         |
   |                     |                   |         |         |         |
   | MOB_MNHO_REQ        |                   |         |         |         |
   |-------------------->|                   |         |         |         |
   | MOB_BSHO_RSP        |                   |         |         |         |
   |<--------------------|                   |         |         |         |
   | FBU                 | HI                |         |         |         |
   |-------------------->|------------------>|         |         |         |
   | FBACK               | HACK              |         |         |         |
   |<--------------------|<------------------|         |         |         |
   | Authentication_req  |                   |         |         |         |
   |-------------------->|------------------>|         |         |         |
   |                     |--> Packets        |         |         |         |
   | MOB_HO_IND          |------------------>|         |         |         |
   |-------------------->|                   |         |         |         |
   |                     |                   |         |         |         |
   |      802.16e Network Re-entry           |         |         |         |
   | FNA                 |                   |         |         |         |
   |---------------------------------------->|         |         |         |
   |                     | STOP_FORWARDING   |         |         |         |
   |                     |<------------------|         |         |         |
   | Packets             |                   |         |         |         |
   |<----------------------------------------|         |         |         |
   |                     |                   |         |         |         |

     Fig. 2. Proposed message flow enabling the layer-2, layer-3 and home
             registration progress to reduce the binding registration
             time after completing predictive-mode FMIP operation over
             802.16e

   This scenario enables the MN to obtain the FMIPv6 information needed
   to move, by scanning and joining, before the handover is finished.
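   The predictive-mode flow of Section 4.1 (Fig. 1) and the
   authentication extension of this section (Fig. 2), as an added
   example that is not code from the draft: a Python simulation of the
   NAR's role, receiving HI with the MN's proposed NCoA and the
   Authentication_req fields, checking the authenticator and the nonce,
   and returning a duplication-free NCoA in HAck when DAD would fail.
   The HMAC-SHA256 authenticator, the shared key, the addresses and the
   packet contents are assumptions; the draft fixes none of them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthReq:
    """Fields of the Section 5 EAPoL frame that this example models."""
    home_addr: str
    ha_addr: str
    nonce: bytes
    authenticator: bytes


def compute_mac(secret: bytes, home_addr: str, ha_addr: str, nonce: bytes) -> bytes:
    """HMAC-SHA256 over the identity fields and nonce (assumed; the draft fixes no algorithm)."""
    return hmac.new(secret, f"{home_addr}|{ha_addr}|".encode() + nonce,
                    hashlib.sha256).digest()


def make_auth_req(secret: bytes, home_addr: str, ha_addr: str) -> AuthReq:
    """MN side: a fresh random nonce makes every Authentication_req unique."""
    nonce = secrets.token_bytes(16)
    return AuthReq(home_addr, ha_addr, nonce, compute_mac(secret, home_addr, ha_addr, nonce))


class NAR:
    """New access router: DAD state, nonce replay cache and per-NCoA packet buffer."""
    def __init__(self, prefix: str, in_use, secret: bytes) -> None:
        self.prefix = prefix          # link prefix (constructed value)
        self.in_use = set(in_use)     # addresses already configured on the link
        self.secret = secret          # local SA key delegated via AAA (assumed)
        self.seen_nonces = set()
        self.buffer = {}

    def handle_hi(self, ncoa: str, req: AuthReq) -> dict:
        """HI from the PAR -> HAck contents: status plus the NCoA the MN must use."""
        expected = compute_mac(self.secret, req.home_addr, req.ha_addr, req.nonce)
        if not hmac.compare_digest(expected, req.authenticator):
            return {"status": "auth_failed"}
        if req.nonce in self.seen_nonces:         # replayed Authentication_req
            return {"status": "replay"}
        self.seen_nonces.add(req.nonce)
        status = "ok"
        if ncoa in self.in_use:                   # DAD would fail on this NCoA
            ncoa, status = self._free_ncoa(), "ncoa_regenerated"
        self.in_use.add(ncoa)
        self.buffer[ncoa] = []
        return {"status": status, "ncoa": ncoa}

    def _free_ncoa(self) -> str:
        """Duplication-free NCoA chosen by the NAR (simple linear probe)."""
        n = 1
        while f"{self.prefix}{n:x}" in self.in_use:
            n += 1
        return f"{self.prefix}{n:x}"

    def forward_from_par(self, ncoa: str, pkt: bytes) -> None:
        """Packets tunnelled from the PAR are buffered until FNA arrives."""
        self.buffer[ncoa].append(pkt)

    def handle_fna(self, ncoa: str):
        """FNA from the MN: None means 'RA with NAACK', otherwise the buffered packets."""
        return self.buffer.pop(ncoa, None)


def run_handover(nar: NAR, secret: bytes, proposed_ncoa: str) -> dict:
    """MN/PAR glue for one handover; returns what the MN ends up with."""
    req = make_auth_req(secret, "2001:db8:1::10", "2001:db8:1::1")  # constructed
    hack = nar.handle_hi(proposed_ncoa, req)      # FBU -> HI -> HAck
    if "ncoa" not in hack:                        # PAR cannot build a usable FBack
        return {"status": hack["status"]}
    ncoa = hack["ncoa"]                           # returned to the MN in FBack
    nar.forward_from_par(ncoa, b"pkt-1")          # PAR tunnels during re-entry
    nar.forward_from_par(ncoa, b"pkt-2")
    delivered = nar.handle_fna(ncoa)              # after MOB_HO_IND, re-entry, FNA
    return {"status": hack["status"], "ncoa": ncoa, "delivered": delivered,
            "replay": nar.handle_hi(ncoa, req)["status"]}  # same frame replayed
```

   A second handover that proposes an NCoA already on the NAR's link
   gets a fresh address back in HAck instead of a NAACK after the move.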
   This draft proposes to eliminate the unessential time after handover
   by completing the binding update at the same time as the handover,
   i.e. by including the binding update in the handover procedure, to
   enhance performance.  It also reduces the possibility of DAD failures
   when moving into the NAR area with a pre-configured NCoA: the NCoA is
   sent to the PAR within the FBU, which in turn forwards it to the NAR
   carried in HI, and the NAR embeds a duplication-free NCoA in the
   response message, HAck.  The EAPoL frame contains the security
   material, the address of the HA, a nonce to prevent replay attacks,
   a secret value, an authenticator and the home address.

6. Security Considerations

   In this draft, the AAA infrastructure is secured by IPsec and TLS.
   Hence, it is assumed that messages exchanged within the AAA
   infrastructure are secured.  However, a deeper security review is
   obviously needed.

7. Conclusions

   Mobile IP is expected to support global roaming, as it is built on
   the IP protocol independently of the lower-layer protocol.  However,
   the design rationale was to provide global roaming covering a wide
   range of services by defining movement detection, IP configuration,
   binding update and authentication, which is not adequate for
   real-time applications moving across multiple service areas.  So,
   more sophisticated mobility support in Mobile IP is required for
   next-generation wireless solutions, e.g. IEEE 802.16e, that demand
   real-time multimedia service.

   In this draft, we present an enhanced handover scheme that reduces
   packet loss and latency by inter-working the layer-2 handoff, the
   layer-3 handoff and home registration.  Also, by deploying the AAA
   authentication service within the handover procedure, we are able to
   generate the local SA during the layer-2 and FMIP handover.  In
   addition, we avoid the possibility of a duplicated address (nCoA) by
   defining the additional role of regenerating a duplication-free nCoA
   at the NAR.
   As a result, the total processing time including binding registration
   can be reduced as expected, which enables real-time service with
   minimum latency or loss.  The proposed scheme shows a cost reduction
   of about 35% for Diameter and 27% for FMIP, respectively, when
   comparing the cost ratio of the proposed scheme.

8. References

   [1]  D. Johnson, C. Perkins, J. Arkko, "Mobility Support in IPv6",
        RFC 3775, June 2004.

   [2]  C. Perkins, "Mobile IP and security issue: an overview,"
        Internet Technologies and Services, 1999. Proceedings, First
        IEEE/Popov Workshop on, 1999, pp. 131-148.

   [3]  D.H. Lee, K. Kyamakya and J.P. Umondi, "Fast Handover Algorithm
        for IEEE 802.16e Broadband Wireless Access System," Wireless
        Pervasive Computing, 2006 1st International Symposium on, 2006,
        pp. 1-6.

   [4]  J. Chow and G. Garcia, "Macro- and micro-mobility handoffs in
        Mobile IP based MBWA networks," Global Telecommunications
        Conference, 2004. GLOBECOM '04. IEEE, Vol. 6, 29 Nov.-3 Dec.
        2004, pp. 3921-3925.

   [5]  K.R. Santhi and G. Senthil Kumaran, "Migration to 4G: Mobile IP
        based Solutions", Proceedings of the Advanced International
        Conference on Telecommunications and International Conference
        on Internet and Web Applications and Services (AICT/ICIW), 2006.

   [6]  R. Jain, T. Raleigh, C. Graff and M. Bereschinsky, "Mobile
        Internet Access and QoS Guarantees using Mobile IP and RSVP with
        Location Registers," in Proc. ICC'98 Conf., pp. 1690-1695, June
        1998.

   [7]  Reen-Cheng Ric and Han-Chieh, "Mobile IPv6 and AAA Architecture
        Based on WLAN," Proceedings of the 2004 International Symposium
        on Applications and the Internet Workshops (SAINTW'04), January
        2004.

   [8]  M. Cappiello, A. Floris and L. Veltri, "Mobility amongst
        heterogeneous networks with AAA support," in Proceedings of the
        IEEE International Conference on Communications, ICC 2002, Vol.
        4, 28 April-2 May 2002, pp. 2064-2069.
   [9]  Yeali Sun, Yu-Chun Pan and Meng Chang Chen, "Fast and Secure
        Universal Roaming Service for Mobile Internet," IEEE Globecom,
        2005.

   [10] Rajeev Koodli, Charles E. Perkins, "Fast Handovers and Context
        Transfers in Mobile Networks," ACM Computer Communication
        Review, Vol. 31, No. 5, October 2001.

   [11] R. Koodli et al., "Fast Handovers for Mobile IPv6," RFC 4068,
        July 2005.

   [12] Rafael Marin Lopez, Gregorio Martinez Perez and Antonio F. Gomez
        Skarmeta, "Deployment of AAA Infrastructures in IPv6 Networks,"
        Proceedings of the 2005 Symposium on Applications and the
        Internet Workshops (SAINT 2005 Workshops), Vol. 00, pp. 26-29,
        June 2005.

   [13] Wei Liang and Wenye Wang, "A Local Authentication Control Scheme
        Based on AAA Architecture in Wireless Networks," in Proc. of the
        60th IEEE Vehicular Technology Conference (VTC04 Fall), Los
        Angeles, September 2004.

9. Authors' Addresses

   Miyoung Kim
   Information and Media Technology Institute Research,
   Soongsil University,
   #1-1 SangDo-5 Dong, DongJak-Gu, Seoul, 156-743 Korea
   Phone:  +82-2-812-0689
   Fax:    +82-2-822-2236
   E-mail: mizero31@sunny.soongsil.ac.kr

   Youngsong Mun, Professor
   Department of Computing, Soongsil University,
   #1-1 SangDo-5 Dong, DongJak-Gu, Seoul, 156-743 Korea
   Phone:  +82-2-820-0676
   Fax:    +82-2-822-2236
   E-mail: mun@computing.ssu.ac.kr

   Jaehoon Nah
   Network Security Department, ETRI
   #161 Gajeong-Dong Yuseong-Gu Daejeon, Seoul, 305-350 KOREA
   Phone:  +82-42-860-6749
   Fax:    +82-42-860-5611
   E-mail: jhnah@etri.re.kr

   Seungwon Sohn
   Network Security Department, ETRI
   #161 Gajeong-Dong Yuseong-Gu Daejeon, Seoul, 305-350 KOREA
   Phone:  +82-42-860-5072
   Fax:    +82-42-860-5611
   E-mail: swsohn@etri.re.kr

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the IETF's procedures with respect to rights in IETF Documents can
   be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

   The IETF has been notified of intellectual property rights claimed in
   regard to some or all of the specification contained in this
   document.  For more information consult the online list of claimed
   rights.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.