MOBOPTS Research Group A. Dutta (Ed.) Internet-Draft V. Fajardo Intended status: Informational Telcordia Expires: April 30, 2010 Y. Ohba K. Taniuchi Toshiba H. Schulzrinne Columbia Univ. October 27, 2009 A Framework of Media-Independent Pre-Authentication (MPA) for Inter- domain Handover Optimization draft-irtf-mobopts-mpa-framework-06 Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 30, 2010. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Dutta (Ed.), et al. Expires April 30, 2010 [Page 1] Internet-Draft MPA Framework October 2009 Abstract This document describes a framework of Media-independent Pre- Authentication (MPA), a new handover optimization mechanism that addresses the issues on existing mobility management protocols and mobility optimization mechanisms to support inter-domain handover. MPA is a mobile-assisted, secure handover optimization scheme that works over any link-layer and with any mobility management protocol and is best applicable to support optimization during inter-domain handover. MPA's pre-authentication, pre-configuration, and proactive handover techniques allow many of the handoff related operations to take place before the mobile has moved to the new network. We describe the details of all the associated techniques and present the experimental results from the scenarios involving both inter- technology and intra-technology handoff. This document is a product of the IP Mobility Optimizations (MobOpts) Research Group. Dutta (Ed.), et al. Expires April 30, 2010 [Page 2] Internet-Draft MPA Framework October 2009 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Specification of Requirements . . . . . . . . . . . . . . 6 1.2. Performance Requirements . . . . . . . . . . . . . . . . . 6 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 7 3. Handover Taxonomy . . . . . . . . . . . . . . . . . . . . . . 8 4. Related Work . . . . . . . . . . . . . . . . . . . . . . . . . 11 5. Applicability of MPA . . . . . . . . . . . . . . . . . . . . . 12 6. MPA Framework . . . . . . . . . . . . . . . . . . . . . . . . 13 6.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 13 6.2. Functional Elements . . . . . . . . . . . . . . . . . . . 14 6.3. Basic Communication Flow . . . . . . . . . . . . . . . . . 16 7. MPA Operations . . . . . . . . . . . . . . . . . . . . . . . . 19 7.1. Discovery . . . . . . . . . . . . . . . . . . . . . . . . 19 7.2. Pre-authentication in multiple CTN environment . . . . . . 20 7.3. Proactive IP address acquisition . . . . . . . . . . . . . 21 7.3.1. PANA-assisted proactive IP address acquisition . . . . 22 7.3.2. IKEv2-assisted proactive IP address acquisition . . . 22 7.3.3. Proactive IP address acquisition using DHCP only . . . 23 7.3.4. Proactive IP address acquisition using stateless autoconfiguration . . . . . . . . . . . . . . . . . . 24 7.4. Tunnel management . . . . . . . . . . . . . . . . . . . . 24 7.5. Binding Update . . . . . . . . . . . . . . . . . . . . . . 26 7.6. Preventing packet loss . . . . . . . . . . . . . . . . . . 27 7.6.1. Packet loss prevention in single interface MPA . . . . 27 7.6.2. Preventing packet losses for multiple interfaces . . . 27 7.6.3. Reachability test . . . . . . . . . . . . . . . . . . 28 7.7. Security and mobility . . . . . . . . . . . . . . . . . . 29 7.7.1. Link-layer security and mobility . . . . . . . . . . . 29 7.7.2. IP layer security and mobility . . . . . . . . . . . . 30 7.8. Authentication in initial network attachment . . . . . . . 31 8. Security Considerations . . . . . . . . . . . . . . . . . . . 31 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 32 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 32 11.1. Normative References . . . . . . . . . . . . . . . . . . . 32 11.2. Informative References . . . . . . . . . . . . . . . . . . 33 Appendix A. Proactive duplicate address detection . . . . . . . . 36 Appendix B. Address resolution . . . . . . . . . . . . . . . . . 37 Appendix C. Systems evaluation and performance results . . . . . 38 C.1. Intra-technology, Intra-domain . . . . . . . . . . . . . . 39 C.2. Inter-technology, Inter-domain . . . . . . . . . . . . . . 41 C.3. MPA-assisted Layer 2 pre-authentication . . . . . . . . . 41 Appendix D. Coexistence of MPA with other optimization technique . . . . . . . . . . . . . . . . . . . . . . 46 Appendix E. Guidelines for handover preparation . . . . . . . . . 46 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 48 Dutta (Ed.), et al. Expires April 30, 2010 [Page 3] Internet-Draft MPA Framework October 2009 1. Introduction As wireless technologies including cellular and wireless LAN are beginning to get popular, supporting terminal handovers across different types of access networks, such as from a wireless LAN to CDMA or to GPRS is considered a clear challenge. On the other hand, supporting seamless terminal handovers between access networks of the same type is still more challenging, especially when the handovers are across IP subnets or administrative domains. To address those challenges, it is important to provide terminal mobility that is agnostic to link-layer technologies in an optimized and secure fashion without incurring unreasonable complexity. In this document we discuss a framework to support terminal mobility that provides seamless handovers with low latency and low loss. Seamless handovers are characterized in terms of performance requirements as described in Section 1.2. [mpa-wireless] is an accompanying document which presents few sets of implementation of MPA including performance results to show how existing protocols could be leveraged to realize the functionalities of MPA. Terminal mobility is accomplished by a mobility management protocol that maintains a binding between a locator and an identifier of a mobile node, where the binding is referred to as the mobility binding. The locator of the mobile node may dynamically change when there is a movement of the mobile node. The movement that causes a change of the locator may occur when there is a change in attachment point due to physical movement or network change. A mobility management protocol may be defined at any layer. In the rest of this document, the term "mobility management protocol" refers to a mobility management protocol which operates at the network layer or higher. There are several mobility management protocols at different layers. Mobile IP [RFC3344] and Mobile IPv6 [RFC3775] are mobility management protocols that operate at the network layer. Similarly, MOBIKE (IKEv2 Mobility and Multihoming) [RFC4555] is an extension to IKEv2 that provides the ability to deal with a change of an IP address of an IKEv2 end-point. There are several ongoing activities in the IETF to define mobility management protocols at layers higher than network layer. HIP (the Host Identity Protocol) [RFC5201] defines a new protocol layer between network layer and transport layer to provide terminal mobility in a way that is transparent to both network layer and transport layer. Also, SIP-based mobility is an extension to SIP to maintain the mobility binding of a SIP user agent [SIPMM]. While mobility management protocols maintain mobility bindings, these cannot provide seamless handover if used in their current form. An additional optimization mechanism is needed to prevent the loss of Dutta (Ed.), et al. Expires April 30, 2010 [Page 4] Internet-Draft MPA Framework October 2009 inflight packets transmitted during mobile's binding update procedure and to achieve seamless handovers. Such a mechanism is referred to as a mobility optimization mechanism. For example, mobility optimization mechanisms [RFC4881] and [RFC5568] are defined for Mobile IPv4 and Mobile IPv6, respectively, by allowing neighboring access routers to communicate and carry information about mobile terminals. There are protocols that are considered as "helpers" of mobility optimization mechanisms. The CARD (Candidate Access Router Discovery Mechanism) protocol [RFC4065] is designed to discover neighboring access routers. The CTP (Context Transfer Protocol) [RFC4066] is designed to carry state that is associated with the services provided for the mobile node, or context, among access routers. We describe some of the fast-handover scheme that attempt to reduce the handover delay in Section 4. There are several issues in existing mobility optimization mechanisms. First, existing mobility optimization mechanisms are tightly coupled with specific mobility management protocols. For example, it is not possible to use mobility optimization mechanisms designed for Mobile IPv4 or Mobile IPv6 for MOBIKE. What is strongly desired is a single, unified mobility optimization mechanism that works with any mobility management protocol. Second, there is no existing mobility optimization mechanism that easily supports handovers across administrative domains without assuming a pre- established security association between administrative domains. A mobility optimization mechanism should work across administrative domains in a secure manner only based on a trust relationship between a mobile node and each administrative domain. Third, a mobility optimization mechanism needs to support not only terminals with multiple-interfaces where simultaneous connectivity through multiple interfaces or connectivity through single interface can be expected, but also terminals with single-interface. This document describes a framework of Media-independent Pre- Authentication (MPA), a new handover optimization mechanism that addresses all those issues. MPA is a mobile-assisted, secure handover optimization scheme that works over any link-layer and with any mobility management protocol including Mobile IPv4, Mobile IPv6, MOBIKE, HIP, SIP mobility. In cases of multiple operators without roaming relationship or without agreement to participate in a key management scheme, MPA provides a framework that can perform pre- authentication to establish the security mechanisms without assuming a common source of trust. In MPA, the notion of IEEE 802.11i pre- authentication is extended to work at higher layer, with additional mechanisms to perform early acquisition of IP address from a network where the mobile node may move as well as proactive handover to the network while the mobile node is still attached to the current network. Since this document focuses on the MPA framework, it is Dutta (Ed.), et al. Expires April 30, 2010 [Page 5] Internet-Draft MPA Framework October 2009 left to future work to choose the protocols for MPA and define detailed operations. The accompanying document [mpa-wireless] provides one method that describes usage and interactions between existing protocols to accomplish MPA functionality. This document represents the consensus of the (MobOpts) Research Group. It has been reviewed by Research Group members active in the specific area of work. 1.1. Specification of Requirements In this document, several words are used to signify the requirements of the specification. These words are often capitalized. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 1.2. Performance Requirements In order to provide desirable quality of service for interactive VoIP and streaming traffic, one needs to limit the value of end-to-end delay, jitter and packet loss to a certain threshold level. ITU-T and ITU-E standards define the acceptable values for these parameters. For example for one-way delay, ITU-T G.114 [RG98] recommends 150 ms as the upper limit for most of the applications, and 400 ms as generally unacceptable delay. One way delay tolerance for video conferencing is in the range of 200 to 300 ms [ITU98]. Also if an out-of-order packet is received after a certain threshold, it is considered lost. According to ETSI TR 101 [ETSI], a normal voice conversation can tolerate up to 2% packet loss. But this is the mean packet loss probability and may be applicable to a scenario when the mobile is subjected to repeated handoff during a normal conversation. Measurement techniques for delay and jitter are described in [RFC2679], [RFC2680] and 2681 [RFC2681]. In case of interactive VoIP traffic, end-to-end delay affects the jitter value, and thus is an important issue to consider. An end-to- end delay consists of several components, such as network delay, operating system (OS) delay, codec delay and application delay. A complete analysis of these delays can be found in [Wenyu]. During a mobile's handover, in-flight transient traffic cannot reach the mobile because of the associated handover delay. These in-flight packets could either be lost or buffered. If the in-flight packets are lost, then it contributes to jitter between the last packet before handoff and first packet after handoff. If these packets are buffered, packet loss is minimized, but there is additional jitter for the in-flight packets when these are flushed after the handoff. Buffering during handoff avoids the packet loss, but at the cost of Dutta (Ed.), et al. Expires April 30, 2010 [Page 6] Internet-Draft MPA Framework October 2009 additional one-way-delay. A trade-off between one-way-delay and packet loss is desired based on the type of application. The handover delay is attributed due to several factors, such as discovery, configuration, authentication, binding update and media delivery. Many of the security related procedures such as handover keying and re-authentication procedures deal with cases where there is a single source of trust at the top and the underlying AAA domain elements trust the top source of trust and the keys it generates and distributes. In this scenario, there is an appreciable delay in re- establishing link security related parameters, such as authentication, link key management and access authorization during inter-domain handover. The focus of this draft is the design of a framework that can reduce the delay due to authentication and other handoff related operations such as configuration and binding update. 2. Terminology Mobility Binding: A binding between a locator and an identifier of a mobile terminal. Mobility Management Protocol (MMP): A protocol that operates at network layer or above to maintain a binding between a locator and an identifier of a mobile node. Binding Update: A procedure to update a mobility binding. Media-independent Pre-Authentication Mobile Node (MN): A mobile node of media-independent pre-authentication (MPA) which is a mobile- assisted, secure handover optimization scheme that works over any link-layer and with any mobility management protocol. An MPA mobile node is an IP node. In this document, the term "mobile node" or "MN" without a modifier refers to "MPA mobile node". An MPA mobile node usually has a functionality of a mobile node of a mobility management protocol as well. Candidate Target Network (CTN): A network to which the mobile may move in the near future. Target Network (TN): The network to which the mobile has decided to move. The target network is selected from one or more candidate target network. Dutta (Ed.), et al. Expires April 30, 2010 [Page 7] Internet-Draft MPA Framework October 2009 Proactive Handover Tunnel (PHT): A bidirectional IP tunnel [RFC1853] that is established between the MPA mobile node and an access router of a candidate target network. In this document, the term "tunnel" without a modifier refers to "proactive handover tunnel. Point of Attachment (PoA): A link-layer device (e.g., a switch, an access point or a base station) that functions as a link-layer attachment point for the MPA mobile node to a network. Care-of Address (CoA): An IP address used by a mobility management protocol as a locator of the MPA mobile node. 3. Handover Taxonomy Based on the type of movement, type of access network, and underlying mobility support, one can primarily define the handover as inter- technology, intra-technology, inter-domain, and intra-domain. We describe briefly each of these handover processes. However, our focus of the dicussion is on Inter-domain handover. Inter-technology: A mobile may be equipped with multiple interfaces, where each interface can support different access technology (802.11, CDMA). A mobile may communicate with one interface at any time in order to conserve the power. During the handover the mobile may move out of the footprint of one access technology (e.g., 802.11) and move into the footprint of a different access technology (e.g., CDMA). This will warrant switching of the communicating interface on the mobile as well. This type of Inter-technology handover is often called as vertical Handover since the mobile makes movement between two different cell sizes. Intra-technology: An intra-technology handover is defined when a mobile moves between the same type of access technology such as between 802.11[a,b,n] and 802.11 [a,b,n] or between CDMA1XRTT and CDMA1EVDO. In this scenario a mobile may be equipped with a single interface (with multiple PHY types of the same technology) or with multiple interfaces. An Intra-technology handover may involve intra- subnet or inter-subnet movement and thus may need to change its L3 locator depending upon type of movement. Inter-domain: A domain can be defined in several ways. But for the purposes of roaming we define domain as an administrative domain which consists of networks that are managed by a single administrative entity which authenticates and authorizes a mobile for accessing the networks. An administrative entity may be a service provider, an enterprise or any organization. Thus, an inter-domain handover will by-default be subjected to inter-subnet handover and in Dutta (Ed.), et al. Expires April 30, 2010 [Page 8] Internet-Draft MPA Framework October 2009 addition it may be subjected to either inter-technology or intra- technology handover. Inter-domain handover will be subjected to all the transition steps a subnet handover goes through and in addition, it will be subjected to authentication and authorization process as well. It is also likely that the type of mobility support in each administrative domain will be different. For example, administrative domain A may have MIPv6 support, while administrative domain B may use Proxy MIPv6 [RFC5213] . Intra-domain: When a mobile's movement is confined to movement within an administrative domain it is called intra-domain movement. An intra-domain movement may involve intra-subnet, inter-subnet, intra- technology and inter-technology as well. Both inter-domain and intra-domain handovers can be subjected to either inter-technology or intra-technology handover based on the network access characteristics. Inter-domain handover requires authorization for acquisition or modification of resources assigned to a mobile and the authorization needs interaction with a central authority in a domain. In many cases, an authorization procedure during inter-domain handover follows an authentication procedure that also requires interaction with a central authority in a domain. Thus, security association between the network entities such as routers in the neighboring administrative domains need to be established before any interaction takes place between these entities. Similarly, an inter-domain mobility may involve different mobility protocols in each of its domains, such as MIPv6 and Proxy- MIPv6. In that case, one needs a generalized framework to achieve the optimization during inter-domain handover. Figure 1 shows a typical example of inter-domain mobility involving two domains, such as domain A and domain B. It illustrates several important components such as AAA Home server (AAAH), AAA visited servers (e.g., AAAV1 and AAAV2), Authentication Agent (AA), Layer 3 point of attachment, such as Access Router (AR) and layer 2 point of attachment, such as Access Point. Any mobile maybe using a specific mobility protocol and associated mobility optimization technique during intra-domain movement in either domain. But the same optimization technique may not be suitable to support inter-domain handover independent of whether it uses the same or different mobility protocol in either domain. Dutta (Ed.), et al. Expires April 30, 2010 [Page 9] Internet-Draft MPA Framework October 2009 +-----------------------------+ | +--------+ | | | | | | | AAAH --------------------| | | | | | | +|-------+ | | | | | | | | Home Domain | | | | | | +-------|---------------------+ | | | | | | | | | | | | | | | +----------------------------|-----------+ +-------------|------------+ | | | | +|-------+ | | Domain A +-------|+ | | +-----+ | | | | | | | | | ------ AAAV2 | | | | AAAV1 | | | | AA | | | | | +-------------- | | | +|----+ +--------+ | | | | +--------+ | | | | | |AA | | | |--- ---- | | +--|--+ | | / \ / \ | | | /----\ | || AR |-----| AR | | | -|-- / \ | | \ / \ / | | / \ | AR | | | -|-- --|- | | | AR ----------- / | |+--|---+ +------|------+ | | \ / \--|-/ | || AP4 | | L2 Switch | | | -/-- +-----|------+ | || | +-|---------|-+ | | / | L2 Switch | | |+------+ | | | | / +-|-------|--+ | | +---|--+ +----|-+ | | +----/-+ +----|-+ +-|----+ | |Domain B| | | | | | | | | | | | | | | AP5 | |AP6 | | | | AP1 | | AP2 | | AP3 | | | +--|---+ +------+ | | +------+ +------+ +--|---+ | | | | +--------------------------------|-------+ +-----------|--------------+ --|--------- | //// \\\\ -----|----- // +------+ //// +------+ \\\\ | | MN ------------->|MN | \\\ | | | | | | | | | +------+ | | +------+ | \\ | // | \\\\ \\\/ /// ------------ \\\\------------- //// Dutta (Ed.), et al. Expires April 30, 2010 [Page 10] Internet-Draft MPA Framework October 2009 Figure 1: Inter-domain Mobility 4. Related Work While basic mobility management protocols such as Mobile IP [RFC3344], Mobile IPv6 [RFC3775], SIP-Mobility [SIPMM] provide continuity to TCP and RTP traffic, these are not optimized to reduce the handover latency during mobile's movement between subnets and domains. In general these mobility management protocols introduce handover delays incurred at several layers such as, layer 3 and application layer for updating the mobile's mobility binding. These protocols also get affected due to underlying layer 2 delay as well. As a result, applications using these mobility protocols suffer from performance degradation. There have been several optimization techniques that apply to current mobility management schemes that try to reduce handover delay and packet loss during a mobile's movement between cells, subnets and domain. Micro-mobility management schemes [CELLIP], [HAWAII], and intra-domain mobility management schemes such as [IDMP], [I-D.ietf-mobileip-reg-tunnel] and [RFC5380] provide fast-handover by limiting the signaling updates within a domain. Fast Mobile IP protocols for IPv4 and IPv6 networks [RFC4881], [RFC5568] utilize mobility information made available by link layer triggers. Yokota et al. [YOKOTA] propose joint use of access point and a dedicated MAC bridge to provide fast-handover without altering the MIPv4 specification. Shin et al. [MACD] propose a scheme reducing the delay due to MAC layer handoff by providing a cache-based algorithm. In this scheme, the mobile caches the neighboring channels that it has already visited and thus uses a selective scanning method. This helps to reduce the associated scanning time. Some mobility management schemes use dual interfaces thus providing make-before-break [SUM] technique. In a make-before-break situation, communication usually continues with one interface, when the secondary interface is in the process of getting connected. The IEEE 802.21 working group is discussing these scenarios in details [802.21]. Providing fast-handover using a single interface needs more careful design than for a client with multiple interfaces. Dutta et al [SIPFAST] provide an optimized handover scheme for SIP- based mobility management, where the transient traffic is forwarded from the old subnet to the new one by using an application layer forwarding scheme. Gwon et al. [MITH] provide a fast handover scheme for the single interface case that uses mobile-initiated tunneling between the old foreign agent and new foreign agent. [MITH] defines two types of handover schemes such as Pre-MIT (Mobile Initiated Tunneling) and Post-MIT (Media Initiated Tunneling). The Dutta (Ed.), et al. Expires April 30, 2010 [Page 11] Internet-Draft MPA Framework October 2009 proposed MPA scheme is very similar to MITH's predictive scheme where the mobile communicates with the foreign agent before actually moving to the new network. However, the MPA scheme is not limited to MIP type mobility protocol only and in addition, this scheme takes care of movement between domains and performs pre-authentication in addition to proactive handover. Thus, MPA reduces the overall delay to close to link-layer handover delay. Most of the mobility optimization techniques developed so far are restricted to a specific type of mobility protocol only. While supporting optimization for inter-domain mobility, these protocols assume that there is a pre- established security arrangement between two administrative domains. But this assumption may not be viable always. Thus, there is a need to develop an optimization framework that can support inter-domain mobility without any underlying constraints or security related assumption. Recently, the HOKEY WG within IETF is defining the ways to expedite the authentication process. In particular, it has defined pre- authentication [I-D.ietf-hokey-preauth-ps] and fast re-authentication [RFC5169] mechanisms to expedite the authentication and security association process. 5. Applicability of MPA MPA is more applicable where an accurate prediction of movement can be easily made. For other environments, special care must be taken to deal with issues such as pre-authentication to multiple CTNs (Candidate Target Networks) as explained in Section 5.2 and failed switching and switching back as described in Section 5.8. However, addressing those issues in actual deployments may not be easier. Some of the deployment issues are described in [mpa-wireless]. The effectiveness of MPA may be relatively reduced if the network employs network-controlled localized mobility management in which the MN does not need to change its IP address while moving within the network. The effectiveness of MPA may also be relatively reduced if signaling for network access authentication is already optimized for movements within the network, e.g., when simultaneous use of multiple interfaces during handover is allowed. In other words, MPA is most viable solution to support inter-administrative domain handover without the simultaneous use of multiple interfaces. Since MPA is not tied to a specific mobility protocol, it is also applicable to support optimization for inter-domain handover where each domain maybe equipped with different mobility protocol. Figure 1 shows an example of inter-domain mobility where MPA could be applied. For example, domain A may support just Proxy MIPv6, whereas domain B may support Client Mobile IPv6. MPA's different functional components Dutta (Ed.), et al. Expires April 30, 2010 [Page 12] Internet-Draft MPA Framework October 2009 can provide the desired optimization techniques proactively. 6. MPA Framework 6.1. Overview Media-independent Pre-Authentication (MPA) is a mobile-assisted, secure handover optimization scheme that works over any link layer and with any mobility management protocol. With MPA, a mobile node is not only able to securely obtain an IP address and other configuration parameters for a CTN, but also able to send and receive IP packets using the IP address obtained before it actually attaches to the CTN. This makes it possible for the mobile node to complete the binding update of any mobility management protocol and use the new CoA before performing a handover at link-layer. MPA provides three basic procedures to provide this functionality. The first procedure is referred to as "pre-authentication", the second procedure is referred to as "pre-configuration", the combination of the third and fourth procedures are referred to as "secure proactive handover". The security association established through pre-authentication is referred to as an "MPA-SA". This functionality is provided by allowing a mobile node which has connectivity to the current network but is not yet attached to a CTN, to (i) establish a security association with the CTN to secure the subsequent protocol signaling, then (ii) securely execute a configuration protocol to obtain an IP address and other parameters from the CTN as well as execute a tunnel management protocol to establish a Proactive Handover Tunnel (PHT) [RFC1853] between the mobile node and an access router of the CTN, then (iii) send and receive IP packets, including signaling messages for binding update of an MMP and data packets transmitted after completion of binding update, over the PHT using the obtained IP address as the tunnel inner address, and finally (iv) deleting or disabling the PHT immediately before attaching to the CTN when it becomes the target network and then re-assigning the inner address of the deleted or disabled tunnel to its physical interface immediately after the mobile node is attached to the target network through the interface. Instead of deleting or disabling the tunnel before attaching to the target network, the tunnel may be deleted or disabled immediately after being attached to the target network. Especially, the third procedure described above (i.e., binding update procedure) makes it possible for the mobile to complete the higher- layer handover before starting link-layer handover. This means that the mobile is able to send and receive data packets transmitted after Dutta (Ed.), et al. Expires April 30, 2010 [Page 13] Internet-Draft MPA Framework October 2009 completing the binding update over the tunnel, while data packets transmitted before completion of binding update do not use the tunnel. 6.2. Functional Elements In the MPA framework, the following functional elements are expected to reside in each CTN to communicate with a mobile node: Authentication Agent (AA), Configuration Agent (CA) and Access Router (AR). These elements can reside in one or more network devices. An authentication agent is responsible for pre-authentication. An authentication protocol is executed between the mobile node and the authentication agent to establish an MPA-SA. The authentication protocol MUST be able to derive a key between the mobile node and the authentication agent and SHOULD be able to provide mutual authentication. The authentication protocol SHOULD be able to interact with an AAA protocol such as RADIUS and Diameter to carry authentication credentials to an appropriate authentication server in the AAA infrastructure. The derived key is used for further deriving keys used for protecting message exchanges used for pre-configuration and secure proactive handover. Other keys that are used for bootstrapping link-layer and/or network-layer ciphers MAY also be derived from the MPA-SA. A protocol that can carry EAP [RFC3748] would be suitable as an authentication protocol for MPA. A configuration agent (CA) is responsible for one part of pre- configuration, namely securely executing a configuration protocol to deliver an IP address and other configuration parameters to the mobile node. The signaling messages of the configuration protocol (e.g., DHCP) MUST be protected using a key derived from the key corresponding to the MPA-SA. An access router (AR)is a router that is responsible for the other part of pre-configuration, i.e., securely executing a tunnel management protocol to establish a proactive handover tunnel to the mobile node. IP packets transmitted over the proactive handover tunnel SHOULD be protected using a key derived from the key corresponding to the MPA-SA. Details of this procedure are described in Section 6.3. Dutta (Ed.), et al. Expires April 30, 2010 [Page 14] Internet-Draft MPA Framework October 2009 +----+ | | | CN | *----+ // /--------\ / |// \\// | Core / | |\X Network \ / \--------/ \\ / \ / \ / \\ +-------------/-----------+ +--------\-------------+ | +-----+ | |+-----+ | | | | +-----+ | || | +-----+ | | | AA | |CA | | ||AA | | CA | | | +--+--+ +--+--+ | |+--+--+ +--+--+ | | | +------+ | | | | +-----+ | | | | | pAR | | | | | |nAR | | | | ---+---+ +---+-----+----+---+-+ +-----+ | | +---+--+ | | +-----+ | | | | | | | | | | | | | | | | +------------+------------+ +--------|--------------+ Current | Candidate| Target Network Network | | | | | | | | | | ---+-------- --------|----- ///// \\\\\///// \\\\\ // //\\ \\ | +-+----+ | | | | oPoA | MN | | | | | | | | | | | +------+ \\ | // \\ XX\\\ nPoA ///// \\\\\ ///// ------------- ------------ Figure 2: MPA Functional Components Dutta (Ed.), et al. Expires April 30, 2010 [Page 15] Internet-Draft MPA Framework October 2009 6.3. Basic Communication Flow Assume that the mobile node is already connected to a point of attachment, say oPoA (old point of attachment), and assigned a care-of address, say oCoA (old care-of address). The communication flow of MPA is described as follows. Throughout the communication flow, data packet loss should not occur except for the period during the switching procedure in Step 5, and it is the responsibility of link-layer handover to minimize packet loss during this period. Step 1 (pre-authentication phase): The mobile node finds a CTN through some discovery process such as IEEE 802.21 and obtains the IP addresses of an authentication agent, a configuration agent and an access router in the CTN (Candidate Target Network) by some means. Details of discovery mechanism are discussed in Section 7.1. The mobile node performs pre-authentication with the authentication agent. As discussed in Section 7.2, the mobile may need to pre- authenticate with multiple candidate target networks. The decision regarding which candidate network the mobile needs to pre- authenticate with will depend upon several policies, such as signaling overhead, bandwidth requirement (QoS), mobile's location, communication cost, and handover robustness etc. Determining the policy that decides the target network the mobile should pre- authenticate with is out of scope for this document. If the pre-authentication is successful, an MPA-SA is created between the mobile node and the authentication agent. Two keys are derived from the MPA-SA, namely an MN-CA key and an MN-AR key, which are used to protect subsequent signaling messages of a configuration protocol and a tunnel management protocol, respectively. The MN-CA key and the MN-AR key are then securely delivered to the configuration agent and the access router, respectively. Step 2 (pre-configuration phase): The mobile node realizes that its point of attachment is likely to change from oPoA to a new one, say nPoA (new point of attachment). It then performs pre-configuration with the configuration agent using the configuration protocol to obtain several configuration parameters such as an IP address, say nCoA (new care-of address), and default router from the CTN. The mobile then communicates with the access router using the tunnel management protocol to establish a proactive handover tunnel. In the tunnel management protocol, the mobile node registers oCoA and nCoA as the tunnel outer address and the tunnel inner address, respectively. The signaling messages of the pre-configuration protocol are protected using the MN-CA key and the MN-AR key. When the configuration and the access router are co-located in the same device, the two protocols may be integrated into a single protocol like IKEv2. After completion of the tunnel establishment, the mobile Dutta (Ed.), et al. Expires April 30, 2010 [Page 16] Internet-Draft MPA Framework October 2009 node is able to communicate using both oCoA and nCoA by the end of Step 4. A configuration protocol and a tunnel management protocol may be combined in a single protocol or executed in different orders depending on the actual protocol(s) used for configuration and tunnel management. Step 3 (secure proactive handover main phase): The mobile node decides to switch to the new point of attachment by some means. Before the mobile node switches to the new point of attachment, it starts secure proactive handover by executing the binding update operation of a mobility management protocol and transmitting subsequent data traffic over the tunnel (main phase). This proactive binding update could be triggered based on certain local policy at the mobile node end, after the pre-configuration phase is over. This local policy could be signal-to-noise ratio, location of the mobile etc. In some cases, it may cache multiple nCOA addresses and perform simultaneous binding with the CN or HA. Step 4 (secure proactive handover pre-switching phase): The mobile node completes the binding update and becomes ready to switch to the new point of attachment. The mobile may execute the tunnel management protocol to delete or disable the proactive handover tunnel and cache nCoA after deletion or disabling of the tunnel. This transient tunnel can be deleted prior to or after the handover. The buffering module at the next access router buffers the packets once the tunnel interface is deleted. The decision as to when the mobile node is ready to switch to the new point of attachment depends on the handover policy. Step 5 (switching): It is expected that a link-layer handover occurs in this step. Step 6 (secure proactive handover post-switching phase): The mobile node executes the switching procedure. Upon successful completion of the switching procedure, the mobile node immediately restores the cached nCoA and assigns it to the physical interface attached to the new point of attachment. If the proactive handover tunnel was not deleted or disabled in Step 4, the tunnel is deleted or disabled as well. After this, direct transmission of data packets using nCoA is possible without using a proactive handover tunnel. Call flow for MPA is shown in Figure 3 and Figure 4. Dutta (Ed.), et al. Expires April 30, 2010 [Page 17] Internet-Draft MPA Framework October 2009 IP address(es) Available for Use by MN | +-----------------------------------+ | | Candidate Target Network | | | (Future Target Network) | | MN oPoA | nPoA AA CA AR | | | | | | | | | | | | | +-----------------------------------+ | | | | | | | . +---------------+ | | | | | . |(1) Found a CTN| | | | | | . +---------------+ | | | | | | | Pre-authentication | | | | | [authentication protocol] | | | |<--------+------------->|MN-CA key| | | | | | |-------->|MN-AR key| | +-----------------+ | | |------------------>| | |(2) Increased | | | | | | [oCoA] |chance to switch | | | | | | | | to CTN | | | | | | | +-----------------+ | | | | | | | | | | | | | | Pre-configuration | | | | | [configuration protocol to get nCoA] | | |<--------+----------------------->| | | | Pre-configuration | | | | | [tunnel management protocol to establish PHT] V |<--------+--------------------------------->| | | | | | | ^ +-----------------+ | | | | | | |(3) Determined | | | | | | | |to switch to CTN | | | | | | | +-----------------+ | | | | | | | | | | | | | | Secure proactive handover main phase | | | [execution of binding update of MMP and | | | transmission of data packets through AR | [oCoA, nCoA] | based on nCoA over the PHT] | | | |<<=======+================================>+--->... | . . . . . . . . . . . . . . . . . . . . . Figure 3: Example Communication Flow (1/2) Dutta (Ed.), et al. Expires April 30, 2010 [Page 18] Internet-Draft MPA Framework October 2009 | | | | | | | +----------------+ | | | | | | |(4) Completion | | | | | | | |of MMP BU and | | | | | | | |ready to switch | | | | | | | +----------------+ | | | | | | | Secure proactive handover pre-switching phase | | [tunnel management protocol to delete PHT] V |<--------+--------------------------------->| +---------------+ | | | | |(5)Switching | | | | | +---------------+ | | | | | | | | | +---------------+ | | | | |(6) Completion | | | | | |of switching | | | | | +---------------+ | | | | o<- Secure proactive handover post-switching phase ^ | [Re-assignment of TIA to the physical I/F] | | | | | | | | Transmission of data packets through AR | [nCoA] | based on nCoA| | | | | |<---------------+---------------------------+-->... | | | | | | . Figure 4: Example Communication Flow (2/2) 7. MPA Operations In order to provide an optimized handover for a mobile experiencing rapid subnet and domain handover, one needs to look into several operations. These issues include discovery of neighboring networking elements, choosing the right network to connect to based on certain policy, changing the layer 2 point of attachment, obtaining an IP address from a DHCP or PPP server, confirming the uniqueness of the IP address, pre-authenticating with the authentication agent, sending the binding update to the correspondent host and obtaining the redirected streaming traffic to the new point of attachment, ping- pong effect, probability of moving to more than one network and associating with multiple target networks. We describe these issues in details in the following paragraphs and describe how we have optimized these in case of MPA-based secure proactive handover. 7.1. Discovery Discovery of neighboring networking elements such as access points, access routers, authentication servers help expedite the handover Dutta (Ed.), et al. Expires April 30, 2010 [Page 19] Internet-Draft MPA Framework October 2009 process during a mobile's rapid movement between networks. After discovering the network neighborhood with a desired set of coordinates, capabilities and parameters the mobile can perform many of the operation such as pre-authentication, proactive IP address acquisition, proactive address resolution, and binding update while in the previous network. There are several ways a mobile can discover neighboring networks. The Candidate Access Router Discovery protocol [RFC4066] helps discover the candidate access routers in the neighboring networks. Given a certain network domain SLP (Service Location Protocol) and DNS help provide addresses of the networking components for a given set of services in the specific domain. In some cases many of the network layer and upper layer parameters may be sent over link layer management frames such as beacons when the mobile approaches the vicinity of the neighboring networks. IEEE 802.11u is considering issues such as discovering neighborhood using information contained in link layer. However, if the link-layer management frames are encrypted by some link layer security mechanism, then the mobile node may not be able to obtain the requisite information before establishing link layer connectivity to the access point. In addition this may add burden to the bandwidth constrained wireless medium. In such cases a higher layer protocol is preferred to obtain the information regarding the neighboring elements. There is some proposal such as [802.21] that helps obtain information about the neighboring networks from a mobility server. When the mobile's movement is imminent, it starts the discovery process by querying a specific server and obtains the required parameters such as the IP address of the access point, its characteristics, routers, SIP servers or authentication servers of the neighboring networks. In the event of multiple networks, it may obtain the required parameters from more than one neighboring networks and keep these in a cache. At some point the mobile finds out several CTNs out of many probable networks and starts the pre-authentication process by communicating with the required entities in the CTNs. Further details of this scenario are in Section 7.2. 7.2. Pre-authentication in multiple CTN environment In some cases, although a mobile decides a specific network to be the target network, it may actually end up with moving into a neighboring network other than the target network due to factors that are beyond the mobile's control. Thus it may be useful to perform the pre- authentication with a few probable candidate target networks and establish time-bound tunnels with the respective access routers in those networks. Thus, in the event of a mobile moving to a candidate target network other than that was chosen as the target network, it will not be subjected to packet loss due to authentication and IP Dutta (Ed.), et al. Expires April 30, 2010 [Page 20] Internet-Draft MPA Framework October 2009 address acquisition delay that could incur if the mobile did not pre- authenticate with that candidate target network. It may appear that by pre-authenticating with a number of candidate target networks and reserving the IP addresses, the mobile is provisioning resources that could be used otherwise. But since this happens for a time-limited period it should not be a big problem. However, it depends upon the mobility pattern and mobile's duration in a cell before the subsequent handoff. Mobile uses pre-authentication procedure to obtain IP address proactively and set up the time bound tunnels with the access routers of the candidate target networks. Also, MN may hold some or all of the nCoAs for future movement. The mobile may choose one of these addresses as the binding update address and send it to the CN (Correspondent Node) or HA (Home Agent), and will thus receive the tunneled traffic via the target network while in the previous network. But in some instances, the mobile may eventually end up moving to a network that is other than the target network. Thus, there will be a disruption in traffic as the mobile moves to the new network since the mobile has to go through the process of assigning the new IP address and sending the binding update again. Two solutions can take care of this problem. The mobile can take advantage of the simultaneous mobility binding and send multiple binding updates to the corresponding host or HA. Thus, the corresponding host or HA forwards the traffic to multiple IP addresses assigned to the virtual interfaces for a specific period of time. This binding update gets refreshed at the CH after the mobile moves to the new network, thus stopping the flow to the other candidate networks. Wakikawa [I-D.wakikawa-mobileip-multiplecoa] discusses different scenarios of mobility binding with multiple care- of-addresses. In case simultaneous binding is not supported in a specific mobility scheme, forwarding of traffic from the previous target network will help take care of the transient traffic until the new binding update is sent from the new network. 7.3. Proactive IP address acquisition In general, a mobility management protocol works in conjunction with the Foreign Agent or in co-located address mode. The MPA approach can use both co-located address mode and foreign agent address mode. We discuss here the address assignment component that is used in co- located address mode. There are several ways a mobile node can obtain an IP address and configure itself. Most commonly a mobile can configure itself statically in the absence of any configuration element such as a server or router in the network. The IETF Zeroconf working group defines auto-IP mechanism where a mobile is configured in an ad-hoc manner and picks a unique address from the specified link local address range. In a LAN environment the mobile can obtain an IP address from DHCP servers. In case of IPv6 networks, a mobile Dutta (Ed.), et al. Expires April 30, 2010 [Page 21] Internet-Draft MPA Framework October 2009 has the option of obtaining the IP address using stateless auto- configuration or DHCPv6. In a wide area networking environment, the mobile uses PPP to obtain the IP address by communicating with a NAS. Each of these processes takes of the order of few hundred milliseconds to few seconds depending upon the type of IP address acquisition process and operating system of the clients and servers. Since IP address acquisition is part of the handover process, it adds to the handover delay and thus it is desirable to reduce this delay as much as possible. There are few optimized techniques such as DHCP Rapid Commit [RFC4039], GPS-coordinate based IP address [GPSIP] available that attempt to reduce the handover time due to IP address acquisition time. However, in all these cases the mobile also obtains the IP address after it moves to the new subnet and incurs some delay because of the signaling handshake between the mobile node and the DHCP server. In the following paragraph we describe few ways a mobile node can obtain the IP address proactively from the CTN and the associated tunnel setup procedure. These can broadly be divided into four categories such as PANA-assisted proactive IP address acquisition, IKE-assisted proactive IP address acquisition, proactive IP address acquisition using DHCP only and stateless autoconfiguration. 7.3.1. PANA-assisted proactive IP address acquisition In case of PANA-assisted proactive IP address acquisition, the mobile node obtains an IP address proactively from a CTN. The mobile node makes use of PANA [RFC5191] messages to trigger the address acquisition process on the DHCP relay agent [RFC3046] that is colocated with the PANA authentication agent in the access router in the CTN. Upon receiving a PANA message from the mobile node, the DHCP relay agent performs normal DHCP message exchanges to obtain the IP address from the DHCP server in the CTN. This address is piggy- backed in a PANA message and is delivered to the client. In case of MIPv6 with stateless autoconfiguration, the router advertisement from the new target network is passed to the client as part of PANA message. The mobile uses this prefix and its MAC address to construct the unique IPv6 address as it would have done in the new network. Mobile IPv6 in stateful mode works very similar to DHCPv4. 7.3.2. IKEv2-assisted proactive IP address acquisition IKEv2-assisted proactive IP address acquisition works when an IPsec gateway and a DHCP relay agent are resident within each access router in the CTN. In this case, the IPsec gateway and DHCP relay agent in a CTN help the mobile node acquire the IP address from the DHCP server in the CTN. The MN-AR key established during the pre- Dutta (Ed.), et al. Expires April 30, 2010 [Page 22] Internet-Draft MPA Framework October 2009 authentication phase is used as the IKEv2 pre-shared secret needed to run IKEv2 between the mobile node and the access router. The IP address from the CTN is obtained as part of standard IKEv2 procedure, with using the co-located DHCP relay agent for obtaining the IP address from the DHCP server in the target network using standard DHCP. The obtained IP address is sent back to the client in the IKEv2 Configuration Payload exchange. In this case, IKEv2 is also used as the tunnel management protocol for a proactive handover tunnel (see Section 7.4). Alternatively VPN-GW can itself dispense the IP address from its IP address pool. 7.3.3. Proactive IP address acquisition using DHCP only As another alternative, DHCP may be used for proactively obtaining an IP address from a CTN without relying on PANA or IKEv2-based approaches by allowing direct DHCP communication between the mobile node and the DHCP relay or DHCP server in the CTN. In this case, the mobile node sends a unicast DHCP message to the DHCP relay agent or DHCP server in the CTN requesting an address, while using the address associated with the current physical interface as the source address of the request. When the message is sent to the DHCP relay agent, the DHCP relay agent relays the DHCP messages back and forth between the mobile node and the DHCP server. In the absence of a DHCP relay agent the mobile can also directly communicate with the DHCP server in the target network. The broadcast option in the client's unicast DISCOVER message should be set to 0 so that the relay agent or the DHCP server can send the reply directly back to the mobile using the mobile node's source address. This mechanism also works for an IPv6 node using stateful configuration. In order to prevent malicious nodes from obtaining an IP address from the DHCP server, DHCP authentication should be used or the access router should install a filter to block unicast DHCP message sent to the remote DHCP server from mobile nodes that are not pre- authenticated. When DHCP authentication is used, the DHCP authentication key may be derived from the MPA-SA established between the mobile node and the authentication agent in the candidate target network. The proactively obtained IP address is not assigned to the mobile node's physical interface until the mobile has moved to the new network. The IP address thus obtained proactively from the target network should not be assigned to the physical interface but rather to a virtual interface of the client. Thus, such a proactively acquired IP address via direct DHCP communication between the mobile node and the DHCP relay or the DHCP server in the CTN may be carried Dutta (Ed.), et al. Expires April 30, 2010 [Page 23] Internet-Draft MPA Framework October 2009 with additional information that is used to distinguish it from other addresses as assigned to the physical interface. Upon the mobile's entry to the new network, the mobile node can perform DHCP over the physical interface to the new network to get other configuration parameters such as the SIP server, DNS server by using DHCP INFORM. This should not affect the ongoing communication between the mobile and correspondent host. Also, the mobile node can perform DHCP over the physical interface to the new network to extend the lease of the address that was proactively obtained before entering the new network. In order to maintain the DHCP binding for the mobile node and keep track of the dispensed IP address before and after the secure proactive handover, the same DHCP client identifier needs to be used for the mobile node for both DHCP for proactive IP address acquisition and DHCP performed after the mobile node enters the target network. The DHCP client identifier may be the MAC address of the mobile node or some other identifier. 7.3.4. Proactive IP address acquisition using stateless autoconfiguration For IPv6, a network address is configured either using DHCPv6 or stateless autoconfiguration. In order to obtain the new IP address proactively, the router advertisement of the next hop router can be sent over the established tunnel, and a new IPv6 address is generated based on the prefix and MAC address of the mobile. Generating a COA from the new network will avoid the time needed to obtain an IP address and perform Duplicate Address Detection. Duplicate address detection and address resolution are part of the IP address acquisition process. As part of the proactive configuration these two processes can be done ahead of time. Details of how these two processes can be done proactively are described in Appendix A and Appendix B, respectively. In case of stateless autoconfiguration, the mobile checks to see the prefix of the router advertisement in the new network and matches it with the prefix of newly assigned IP address. If these turn out to be the same then the mobile does not go through the IP address acquisition phase again. 7.4. Tunnel management After an IP address is proactively acquired from the DHCP server in a CTN or via stateless autoconfiguration in case of IPv6, a proactive handover tunnel is established between the mobile node and the access Dutta (Ed.), et al. Expires April 30, 2010 [Page 24] Internet-Draft MPA Framework October 2009 router in the CTN. The mobile node uses the acquired IP address as the tunnel's inner address. There are several reasons why this transient tunnel is established between the NAR and the mobile in the old PoA, unlike transient tunnel in FMIPv6 (Fast MIPv6) [RFC5568], where it is set up between mobile's new point of attachment and the old access router. In case of inter-domain handoff, it is important that any signaling message between nPoA and the mobile needs to be secured. This transient secured tunnel provides the desired functionality including the securing the proactive binding update and transient data between the end-points before the handover has taken place. Unlike proactive mode of FMIPv6, transient handover packets are not sent to PAR, and thus a tunnel between mobile's new point of attachment and old access router is not needed. In case of inter-domain handoff, PAR and NAR could logically be far from each other. Thus, the signaling and data during pre- authentication period will take a longer route, and thus, may be subjected to longer one-way-delay. Hence, MPA provides a tradeoff between larger packet loss or larger one-way-packet delay for a transient period, when the mobile is preparing to handoff. The proactive handover tunnel is established using a tunnel management protocol. When IKEv2 is used for proactive IP address acquisition, IKEv2 is also used as the tunnel management protocol. Alternatively, when PANA is used for proactive IP address acquisition, PANA may be used as the secure tunnel management protocol. Once the proactive handover tunnel is established between the mobile node and the access router in the candidate target network, the access router also needs to perform proxy address resolution (Proxy ARP) on behalf of the mobile node so that it can capture any packets destined to the mobile node's new address. Since the mobile needs to be able to communicate with the correspondent node while in the previous network some or all parts of binding update and data from the correspondent node to mobile node need to be sent back to the mobile node over a proactive handover tunnel. Details of these binding update procedure are described in Section 5.7. In order for the traffic to be directed to the mobile node after the mobile node attaches to the target network, the proactive handover tunnel needs to be deleted or disabled. The tunnel management protocol used for establishing the tunnel is used for this purpose. Dutta (Ed.), et al. Expires April 30, 2010 [Page 25] Internet-Draft MPA Framework October 2009 Alternatively, when PANA is used as the authentication protocol the tunnel deletion or disabling at the access router can be triggered by means of PANA update mechanism as soon as the mobile moves to the target network. A link-layer trigger ensures that the mobile node is indeed connected to the target network and can also be used as the trigger to delete or disable the tunnel. A tunnel management protocol also triggers the router advertisement (RA) the from next access router to be sent over the tunnel, as soon as the tunnel creation is complete. 7.5. Binding Update There are several kinds of binding update mechanisms for different mobility management schemes. In case of Mobile IPv4 and Mobile IPv6, the mobile performs a binding update with the home agent only, if route optimization is not used. Otherwise, the mobile performs binding update with both the home agent (HA) and corresponding node (CN). In case of SIP-based terminal mobility, the mobile sends binding update using INVITE to the correspondent node and REGISTER message to the Registrar. Based on the distance between the mobile and the correspondent node, the binding update may contribute to the handover delay. SIP-fast handover [SIPFAST] provides several ways of reducing the handover delay due to binding update. In case of secure proactive handover using SIP-based mobility management we do not encounter the delay due to binding update completely, as it takes place in the previous network. Thus, this proactive binding update scheme looks more attractive when the correspondent node is too far from the communicating mobile node. Similarly, in case of Mobile IPv6, the mobile sends the newly acquired CoA from the target network as the binding update to the HA and CN. Also all signaling messages between MN and HA and between MN and CN are passed through this proactive tunnel that is set up. These messages include Binding Update (BU), Binding Acknowledgement (BA) and the associated return routability messages such as Home Test Init (HoTI), Home Test (HoT), Care-of Test Init (CoTI), Care-of Test (COT). In Mobile IPv6, since the receipt of on-link router advertisement is mandatory for the mobile to detect the movement and trigger the binding update, router advertisement from next access router needs to be advertised over the tunnel. By proper configuration on NAR, router advertisement can be sent over the tunnel interface to trigger the proactive binding update. The mobile also needs to make the tunnel interface the active interface, so that it can send the binding update using this interface as soon as it receives the router advertisement. Dutta (Ed.), et al. Expires April 30, 2010 [Page 26] Internet-Draft MPA Framework October 2009 If the proactive handover tunnel is realized as an IPsec tunnel, it will also protect these signaling messages between the tunnel end points and will make the return routability test secured as well. Any subsequent data will also be tunneled through as long as the mobile is in the previous network. The accompanying document [mpa-wireless] talks about the details of how binding updates and signaling for return routability are sent over the secured tunnel. 7.6. Preventing packet loss 7.6.1. Packet loss prevention in single interface MPA For single interface MPA, there may be some transient packets during link-layer handover that are directed to the mobile node at the old point of attachment before the mobile node is able to attach to the target network. Those transient packets can be lost. Buffering these packets at the access router of the old point of attachment can eliminate packet loss. Dynamic buffering signals that are signalled from the MN can temporarily hold transient traffic during handover and then these packets can be forwarded to the MN once it attaches to the target network. A detailed analysis of buffering technique can be found in [PIMRC06]. An alternative method is to use bicasting. Bicasting helps to forward the traffic to two destinations at the same time. However, it does not eliminate packet loss if link-layer handover is not seamlessly performed. On the other hand, buffering does not reduce packet delay. While packet delay can be compensated by a playout buffer at the receiver side for streaming application, a playout buffer does not help much for interactive VoIP application that cannot tolerate for large delay jitters. Thus it is still important to optimize the link-layer handover anyway. 7.6.2. Preventing packet losses for multiple interfaces MPA usage in multi-interface handover scenarios involves preparing the second interface for use via the current active interface. This preparation involves pre-authentication and provisioning at a target network where the second interface would be the eventual active interface. For example, during inter-technology handover from a Wi-Fi to a CDMA network, pre-authentication at the CDMA network can be performed via the Wi-Fi interface. The actual handover occurs when the CDMA interface becomes the active interface for the MN. In such scenarios, if handover occurs while both interfaces are active, there is generally no packet loss since transient packets directed towards the old interface will still reach the MN. However, if sudden disconnection of the current active interface is used to Dutta (Ed.), et al. Expires April 30, 2010 [Page 27] Internet-Draft MPA Framework October 2009 initiate handover to the prepared interface then transient packets for the disconnected interface will be lost while the MN attempts to be reachable at the prepared interface. In such cases, a specialized form of buffering can be used to eliminate packet loss where packets are merely copied at an access router in the current active network prior to disconnection. If sudden disconnection does occur, copied packets can be forwarded to the MN once the prepared interface becomes the active reachable interface. The copy-and-foward mechanism is not limited to multi-interface handover. A notable side-effect of this process is the possible duplication of packets during forwarding to the new active interface. Several approaches can be employed to minimize this effect. Relying on upper layer protocols such as TCP to detect and eliminate duplicates is the most common approach. Customized duplicate detection and handling techniques can also be used. In general, packet duplication is a well known issue that can also be handled locally by the MN. If the mobile takes a longer amount of time to detect the disconnection event of the current active interface, it can also have an adverse effect on the length of the handover process. Thus it becomes necessary to use an optimized scheme of detecting interface disconnection in such scenarios. Use of the current interface to perform pre-authentication instead of the new interface is desirable in certain circumstances, such as to save battery power or in cases where the adjacent cells (e.g., WiFi, and CDMA) are non-overlapping or in cases when the carrier does not allow simultaneous use of both interfaces. However, in certain circumstances, depending upon the type of target network, only parts of MPA operations can be performed (e.g., pre-authentication, pre-configuration, proactive binding update). In a specific scenario involving handoff between WiFi and CDMA network, some of the PPP context can be set up during the pre- authentication period, thus reducing the time for PPP activation. 7.6.3. Reachability test In addition to previous techniques, the MN may also want to ensure reachability of the new point of attachment before switching from the old one. This can be done by exchanging link-layer management frames with the new point of attachment. This reachability check should be performed as quickly as possible. In order to prevent packet loss during this reachability check, transmission of packets over the link between the MN and old point of attachment should be suspended by buffering the packets at both ends of the link during the reachability check. How to perform this buffering is out of scope of this document. Some of the results using this buffering scheme are explained in the accompanying implementation document. Dutta (Ed.), et al. Expires April 30, 2010 [Page 28] Internet-Draft MPA Framework October 2009 7.7. Security and mobility 7.7.1. Link-layer security and mobility Using the MPA-SA established between the mobile node and the authentication agent for a CTN, during the pre-authentication phase, it is possible to bootstrap link-layer security in the CTN while the mobile node is in the current network in the following way. Figure 5 shows the sequence of operation. (1) The authentication agent and the mobile node derives a PMK (Pair- wise Master Key) [RFC5247] using the MPA-SA that is established as a result of successful pre-authentication. Successful operation of EAP and an AAA protocol may be involved during pre-authentication to establish the MPA-SA. From the PMK, distinct TSKs (Transient Session Keys) [RFC5247] for the mobile node are directly or indirectly derived for each point of attachment of the CTN. (2) The authentication agent may install the keys derived from the PMK and used for secure association to points of attachment. The derived keys may be TSKs or intermediary keys from which TSKs are derived. (3) After the mobile node chooses a CTN as the target network and switches to a point of attachment in the target network (which now becomes the new network for the mobile node), it executes a secure association protocol such as the IEEE 802.11i 4-way handshake [802.11] using the PMK in order to establish PTKs (Pair-wise Transient Keys) and GTKs (Group Transient Keys) [RFC5247] used for protecting link-layer packets between the mobile node and the point of attachment. No additional execution of EAP authentication is needed here. (4) While the mobile node is roaming in the new network, the mobile node only needs to perform a secure association protocol with its point of attachment point and no additional execution of EAP authentication is needed either. Integration of MPA with link-layer handover optimization mechanisms such as 802.11r can be archived this way. The mobile node may need to know the link-layer identities of the point of attachments in the CTN to derive TSKs. Dutta (Ed.), et al. Expires April 30, 2010 [Page 29] Internet-Draft MPA Framework October 2009 _________________ ____________________________ | Current Network | | CTN | | ____ | | ____ | | | | (1) pre-authentication | | | | | MN |<------------------------------->| AA | | | |____| | | |____| | | . | | | | | . | | | | |____.____________| | | | .movement | |(2) Keys | ____.___________________| | | | _v__ _____ | | | | |(3) secure assoc. | | | | | | MN |<------------------>| AP1 |<-------+ | | |____| |_____| | | | . | | | .movement | | | . | | | . | | | _v__ _____ | | | | |(4) secure assoc. | | | | | | MN |<------------------>| AP2 |<-------+ | | |____| |_____| | |_____________________________________________________| Figure 5: Bootstrapping Link-layer Security 7.7.2. IP layer security and mobility IP layer security is typically maintained between the mobile and first hop router or any other network element such as SIP proxy by means of IPsec. This IPSec SA can be set up either in tunnel mode or in ESP mode. However, as the mobile moves, IP address of the router and outbound proxy will change in the new network. The mobile's IP address may or may not change depending upon the mobility protocol being used. This will warrant re-establishing a new security association between the mobile and the desired network entity. In some cases such as in 3GPP/3GPP2 IMS/MMD environment data traffic is not allowed to pass through unless there is an IPsec SA established between the mobile and outbound proxy. This will of course add unreasonable delay to the existing real-time communication during mobile's movement. In this scenario, key exchange is done as part of SIP registration that follows a key exchange procedure called AKA (Authentication and Key Agreement). MPA can be used to bootstrap this security association as part of pre-authentication via the new outbound proxy. Prior to the movement, if the mobile can pre-register via the new outbound proxy Dutta (Ed.), et al. Expires April 30, 2010 [Page 30] Internet-Draft MPA Framework October 2009 in the target network and completes the pre-authentication procedure, then the new SA state between the mobile and new outbound proxy can be established prior to the movement to the new network. A similar approach can also be applied if a key exchange mechanism other than AKA is used or the network element with which the security association has to be established is different than an outbound proxy. By having the security association established ahead of time, the mobile does not need to involve in any exchange to set up the new security association after the movement. Any further key exchange will be limited to renew the expiry time. This will also reduce the delay for real-time communication as well. 7.8. Authentication in initial network attachment When the mobile node initially attaches to a network, network access authentication would occur regardless of the use of MPA. The protocol used for network access authentication when MPA is used for handover optimization can be a link-layer network access authentication protocol such as IEEE 802.1X or a higher-layer network access authentication protocol such as PANA. 8. Security Considerations This document describes a framework of a secure handover optimization mechanism based on performing handover-related signaling between a mobile node and one or more candidate target networks to which the mobile node may move in the future. This framework involves acquisition of the resources from the CTN as well as data packet redirection from the CTN to the mobile node in the current network before the mobile node physically connects to one of those CTN. Acquisition of the resources from the candidate target networks must be done with appropriate authentication and authorization procedures in order to prevent unauthorized mobile node from obtaining the resources. For this reason, it is important for the MPA framework to perform pre-authentication between the mobile node and the candidate target networks. The MN-CA key and the MN-AR key generated as a result of successful pre-authentication can protect subsequent handover signaling packets and data packets exchanged between the mobile node and the MPA functional elements in the CTN's. The MPA framework also addresses security issues when the handover is performed across multiple administrative domains. With MPA, it is possible for handover signaling to be performed based on direct communication between the mobile node and routers or mobility agents Dutta (Ed.), et al. Expires April 30, 2010 [Page 31] Internet-Draft MPA Framework October 2009 in the candidate target networks. This eliminates the need for a context transfer protocol [RFC5247] for which known limitations exist in terms of security and authorization. For this reason, the MPA framework does not require trust relationship among administrative domains or access routers, which makes the framework more deployable in the Internet without compromising the security in mobile environments. 9. IANA Considerations This document has no actions for IANA. 10. Acknowledgments We would like to thank Farooq Anjum and Raziq Yaqub for their review of this document, and Subir Das for standardization support in the IEEE 802.21 WG. Authors would like to acknowledge Christian Vogt, Rajeev Koodli, Marco Liebsch and Juergen Schoenwaelder for their thorough review of the draft and useful feedback. 11. References 11.1. Normative References [RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, August 2002. [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004. [RFC3775] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004. [RFC5380] Soliman, H., Castelluccia, C., ElMalki, K., and L. Bellier, "Hierarchical Mobile IPv6 (HMIPv6) Mobility Management", RFC 5380, October 2008. [RFC5568] Koodli, R., "Mobile IPv6 Fast Handovers", RFC 5568, July 2009. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. Dutta (Ed.), et al. Expires April 30, 2010 [Page 32] Internet-Draft MPA Framework October 2009 [RFC4555] Eronen, P., "IKEv2 Mobility and Multihoming Protocol (MOBIKE)", RFC 4555, June 2006. [RFC4881] El Malki, K., "Low-Latency Handoffs in Mobile IPv4", RFC 4881, June 2007. [RFC4066] Liebsch, M., Singh, A., Chaskar, H., Funato, D., and E. Shim, "Candidate Access Router Discovery (CARD)", RFC 4066, July 2005. [RFC4065] Kempf, J., "Instructions for Seamoby and Experimental Mobility Protocol IANA Allocations", RFC 4065, July 2005. [RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible Authentication Protocol (EAP) Key Management Framework", RFC 5247, August 2008. [RFC5191] Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A. Yegin, "Protocol for Carrying Authentication for Network Access (PANA)", RFC 5191, May 2008. [RG98] ITU-T, "General Characteristics of International Telephone Connections and International Telephone Circuits: One-Way Transmission Time", ITU-T Recommendation G.114 1998. [ITU98] ITU-T, "The E-Model, a computational model for use in transmission planning", ITU-T Recommendation G.107 1998. [ETSI] ETSI, "Telecommunications and Internet Protocol Harmonization Over Networks (TIPHON) Release 3: End-to-end Quality of Service in TIPHON systems; Part 1: General aspects of Quality of Service.", ETSI TR 101 329-6 V2.1.1. 11.2. Informative References [RFC5201] Moskowitz, R., Nikander, P., Jokela, P., and T. Henderson, "Host Identity Protocol", RFC 5201, April 2008. [RFC2679] Almes, G., Kalidindi, S., and M. Zekauskas, "A One-way Delay Metric for IPPM", RFC 2679, September 1999. [RFC2680] Almes, G., Kalidindi, S., and M. Zekauskas, "A One-way Packet Loss Metric for IPPM", RFC 2680, September 1999. [RFC2681] Almes, G., Kalidindi, S., and M. Zekauskas, "A Round-trip Delay Metric for IPPM", RFC 2681, September 1999. [RFC1853] Simpson, W., "IP in IP Tunneling", RFC 1853, October 1995. Dutta (Ed.), et al. Expires April 30, 2010 [Page 33] Internet-Draft MPA Framework October 2009 [RFC3046] Patrick, M., "DHCP Relay Agent Information Option", RFC 3046, January 2001. [RFC4039] Park, S., Kim, P., and B. Volz, "Rapid Commit Option for the Dynamic Host Configuration Protocol version 4 (DHCPv4)", RFC 4039, March 2005. [RFC5172] Varada, S., "Negotiation for IPv6 Datagram Compression Using IPv6 Control Protocol", RFC 5172, March 2008. [RFC5213] Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K., and B. Patil, "Proxy Mobile IPv6", RFC 5213, August 2008. [RFC4429] Moore, N., "Optimistic Duplicate Address Detection (DAD) for IPv6", RFC 4429, April 2006. [I-D.wakikawa-mobileip-multiplecoa] Wakikawa, R., "Multiple Care-of Addresses Registration", draft-wakikawa-mobileip-multiplecoa-05 (work in progress), March 2006. [I-D.ietf-hokey-preauth-ps] Ohba, Y. and G. Zorn, "Extensible Authentication Protocol (EAP) Early Authentication Problem Statement", draft-ietf-hokey-preauth-ps-09 (work in progress), July 2009. [RFC5169] Clancy, T., Nakhjiri, M., Narayanan, V., and L. Dondeti, "Handover Key Management and Re-Authentication Problem Statement", RFC 5169, March 2008. [SIPMM] Schulzrinne, H. and E. Wedlund, "Application Layer Mobility Using SIP", ACM MC2R. [CELLIP] Cambell, A., Gomez, J., Kim, S., Valko, A., and C. Wan, "Design, Implementation, and Evaluation of Cellular IP", IEEE Personal communication Auguest 2000. [MOBIQUIT07] Lopez, R., Dutta, A., Ohba, Y., Schulzrinne, H., and A. Skarmeta, "Network-layer assisted mechanism to optimize authentication delay during handoff in 802.11 networks", IEEE Mobiquitous June 2007. [IEEE-03-084] Mishra, A., Shin, M., Arbaugh, W., Lee, I., and K. Jang, "Proactive Key Distribution to support fast and secure roaming, IEEE 802.11 Working Group, IEEE-03-084r1-I, Dutta (Ed.), et al. Expires April 30, 2010 [Page 34] Internet-Draft MPA Framework October 2009 "www.ieee802.org/11/Documents/DocumentHolder/3-084.zip"", IEEE June 2003. [SPRINGER07] Dutta, A., Das, S., Famolari, D., Ohba, Y., Taniuchi, K., Fajardo, V., Schulzrinne, H., Lopez, R., Kodama, T., and A. Skarmeta, "Seamless proactive handover across heterogeneous access networks", Wireless Personal Communication February 2007. [HAWAII] Ramjee, R., Porta, T., Thuel, S., Varadhan, K., and S. Wang, "HAWAII: A Domain-based Approach for Supporting Mobility in Wide-area Wireless networks", International Conference on Network Protocols ICNP'99. [IDMP] Das, S., Dutta, A., Misra, A., and S. Das, "IDMP: An Intra-Domain Mobility Management Protocol for Next Generation Wireless Networks", IEEE Wireless Communication Magazine October 2000. [I-D.ietf-mobileip-reg-tunnel] Calhoun, P., Montenegro, G., Perkins, C., and E. Gustafsson, "Mobile IPv4 Regional Registration", draft-ietf-mobileip-reg-tunnel-09 (work in progress), July 2004. [YOKOTA] Yokota, H., Idoue, A., and T. Hasegawa, "Link Layer Assisted Mobile IP Fast Handoff Method over Wireless LAN Networks", Proceedings of ACM Mobicom 2002. [MACD] Shin, S., "Reducing MAC Layer Handoff Latency in IEEE 802.11 Wireless LANs", MOBIWAC Workshop . [SUM] Dutta, A., Zhang, T., Madhani, S., Taniuchi, K., Ohba, Y., and H. Schulzrinne, "Secured Universal Mobility", WMASH 2004. [SIPFAST] Dutta, A., Madhani, S., and H. Schulzrinne, "Fast handoff Schemes for Application Layer Mobility Management", PIMRC 2004. [PIMRC06] Dutta, A., Ohba, Y., and H. Schulzrinne, "Dynamic Buffering Protocol for Mobile", PIMRC 2006. [MITH] Gwon, Y., Fu, G., and R. Jain, "Fast Handoffs in Wireless LAN Networks using Mobile initiated Tunneling Handoff Protocol for IPv4 (MITHv4)", Wireless Communications and Networking 2003, January 2005. Dutta (Ed.), et al. Expires April 30, 2010 [Page 35] Internet-Draft MPA Framework October 2009 [Wenyu] Jiang, W. and H. Schulzrinne, "Modeling of Packet Loss and Delay and their Effect on Real-Time Multimedia Service Quality", NOSSDAV 2000, June 2000. [802.21] "Draft IEEE Standard for Local and Metropolitan Area Networks: Media Independent Handover Services, IEEE P802.21/D14.00,", A contribution to IEEE 802.21 WG , September 2008. [802.11] "IEEE Wireless LAN Edition A compilation based on IEEE Std 802.11-1999(R2003)", Institute of Electrical and Electronics Engineers September 2003. [GPSIP] Dutta, A., "GPS-IP based fast-handoff for Mobiles", IEEE Sarnoff Symposium 2006. [MAGUIRE] Vatn, J. and G. Maguire, "The effect of using co-located care-of-address on macro handover latency", 14th Nordic Teletraffic Seminar 1998. [mpa-mobike] Mghazli, Y. and J. Bournelle, "MPA using IKEv2 and MOBIKE", draft-yacine-preauth-ipsec-00 IETF. [FMIP-results] Cabellos-Apaicio, A., Nunez-Martinez, J., Julian-Bertomeu, H., Jakab, L., Serral-Gracia, R., and J. Domingo-Pascual, "Evaluation of Fast Handover Implementation for Mobile IPv6 in a Real Testbed", IPOM 2005 LNCS 3751. [mpa-wireless] Dutta, A., Famolari, D., Das, S., Ohba, Y., Fajardo, V., Taniuchi, K., Lopez, R., and H. Schulzrinne, "Media- Independent Pre-authentication Supporting Secure Interdomain Handover Optimization", IEEE Wireless Magazine April 2008. Appendix A. Proactive duplicate address detection When the DHCP server dispenses an IP address, it updates its lease table, so that this same address is not given to another client for that specific period of time. At the same time the client also keeps a lease table locally so that it can renew when needed. In some cases where a network consists of both DHCP and non-DHCP enabled clients, there is a probability that another client in the LAN may have been configured with an IP address from the DHCP address pool. In such scenario the server detects a duplicate address based on ARP Dutta (Ed.), et al. Expires April 30, 2010 [Page 36] Internet-Draft MPA Framework October 2009 (Address Resolution Protocol) or IPv6 Neighbor Discovery before assigning the IP address. This detection procedure may take from 4 sec to 15 sec [MAGUIRE] and will thus contribute to a larger handover delay. In case of a proactive IP address acquisition process, this detection is performed ahead of time and thus, does not affect the handover delay at all. By performing the duplicate address detection ahead of time, we reduce the IP address acquisition time. The proactive duplicate address detection (DAD) over the candidate target network should be performed by the PAR on behalf of the mobile at the time of proactive handover tunnel establishment since duplicate address detection over a tunnel is not always performed. For example, in the case of IPv6, DAD over an IP-IP tunnel interface is turned off in an existing implementation. In the case of IPv6 over PPP [RFC5172], IPCPv6 negotiates the link local addresses and hence DAD over the tunnel is not needed. After the mobile has moved to the target network, a DAD procedure may be started because of reassignment of the nCoA to the physical interface to the target network. In that case, the mobile should use optimistic DAD [RFC4429] over the physical interface so that the nCoA that was used inside the proactive handover tunnel before handover can be immediately used over that physical interface after handover. The schemes used for the proactive DAD and optimistic DAD are applicable to both stateless and stateful address autoconfiguration schemes used for obtaining a nCoA. Appendix B. Address resolution Address resolution involves updating next access router's neighbor cache. We briefly describe these two operations below. During the process of pre-configuration, the MAC address resolution mappings needed by the mobile node to communicate with nodes in the target network after attaching to the target network can also be known, where the communicating nodes maybe the access router, authentication agent, configuration agent and correspondent node. There are several possible ways of performing such proactive MAC address resolution. o Use an information service mechanism [802.21] to resolve the MAC addresses of the nodes. This might require each node in the target network to be involved in the information service so that the server of the information service can construct the database for proactive MAC address resolution. Dutta (Ed.), et al. Expires April 30, 2010 [Page 37] Internet-Draft MPA Framework October 2009 o Extend the authentication protocol used for pre-authentication or the configuration protocol used for pre-configuration to support proactive MAC address resolution. For example, if PANA is used as the authentication protocol for pre-authentication, PANA messages may carry AVPs used for proactive address resolution. In this case, the PANA authentication agent in the target network may perform address resolution for on behalf of the mobile node. When the mobile node attaches to the target network, it installs the proactively obtained address resolution mappings without necessarily performing address resolution queries for the nodes in the target network. On the other hand, the nodes that reside in the target network and are communicating with the mobile node should also update their address resolution mappings for the mobile node as soon as the mobile node attaches to the target network. The above proactive address resolution methods could also be used for those nodes to proactively resolve the MAC address of the mobile node before the mobile node attaches to the target network. However, this is not useful since those nodes need to detect the attachment of the mobile node to the target network before adopting the proactively resolved address resolution mapping. A better approach would be integration of attachment detection and address resolution mapping update. This is based on gratuitously performing address resolution [RFC3344], [RFC3775] in which the mobile node sends an ARP Request or an ARP Reply in the case of IPv4 or a Neighbor Advertisement in the case of IPv6 immediately after the mobile node attaches to the new network so that the nodes in the target network can quickly update the address resolution mapping for the mobile node. Appendix C. Systems evaluation and performance results In this section we describe some of the deployment issues related to MPA. In this Section, we present some of the results from MPA implementation when applied to different handover scenarios. We present the summary of results from our experiments using MPA techniques for two types of handovers I) Intra-technology and Intra- domain, II) Inter-technology and Inter-domain. We also present the results from how MPA can bootstrap layer 2 security for both roaming and non-roaming cases. Detailed procedure and results are explained in [MOBIQUIT07] and [SPRINGER07]. Dutta (Ed.), et al. Expires April 30, 2010 [Page 38] Internet-Draft MPA Framework October 2009 C.1. Intra-technology, Intra-domain The results for MIPv6 and SIP mobility involving intra-domain mobility are shown in Figure 6 and Figure 7, respectively. Buffering Buffering Buffering Buffering (disabled) (enabled) (disabled) (enabled) & RO & RO & RO & RO (disabled) (disabled) (enabled) (enabled) ------------------------------------------------------------------- L2 handoff (ms) 4.00 4.33 4.00 4.00 L3 handoff (ms) 1.00 1.00 1.00 1.00 Avg. packet loss 1.33 0 0.66 0 Avg. inter-packet 16.00 16.00 16.00 16.00 arrival interval (ms) Avg. inter-packet n/a 45.33 n/a 66.60 arrival time during handover (ms) Avg. packet jitter n/a 29.33 n/a 50.60 (ms) Buffering Period n/a 50.00 n/a 50.00 (ms) Buffered Packets n/a 2.00 n/a 3.00 Figure 6: Mobile IPv6 with MPA Results Dutta (Ed.), et al. Expires April 30, 2010 [Page 39] Internet-Draft MPA Framework October 2009 Buffering Buffering disabled enabled ----------------------------------------------- L2 handoff (ms) 4.00 5.00 L3 handoff (ms) 1.00 1.00 Avg. packet loss 1.50 0 Avg. inter-packet 16.00 16.00 arrival interval (ms) Avg. inter-packet n/a 29.00 arrival time during handover (ms) Avg. packet jitter n/a 13.00 (ms) Buffering Period n/a 20.00 (ms) Buffered Packets n/a 3.00 Figure 7: SIP Mobility with MPA Results For all measurement, we did not experience any performance degradation during handover in terms of the audio quality of the voice traffic. With the use of buffering during handover, packet loss during the actual L2 and L3 handover is eliminated with an appropriate and reasonable settings of the buffering period for both MIP6 and SIP mobility. In the case of MIP6, there is not a significant difference in results with and without route optimization. It should be noted that results with more samples would be necessary for a more detailed analysis. In case of non-MPA assisted handover, handover delay and associated packet loss occurs from the moment the link-layer handover procedure begins up to successful processing of the binding update. During this process, IP address acquisitions via DHCP incurs the longest delay. This is due to the detection of duplicate IP address in the network before DHCP request completes. Binding update exchange also experiences long delay if the CN is too far from the MN. As a result, the Non-MPA assisted handover took an average of 4 seconds to Dutta (Ed.), et al. Expires April 30, 2010 [Page 40] Internet-Draft MPA Framework October 2009 complete with an approximate packet loss of about 200 packets. The measurement is based on the same traffic rate and traffic source as the MPA assisted handover. C.2. Inter-technology, Inter-domain Handoff involving heterogeneous access can take place in many different ways. We limit the experiment to two interfaces and therefore results in several possible setup scenarios depending upon the activity of the second interface. In one scenario, the second interface comes up when the link to the first interface goes down. This is a reactive scenario and usually gives rise to undesirable packet loss and handoff delay. In a second scenario, the second interface is being prepared while the mobile still communicates using the old interface. Preparation of the second interface should include setup of all the required state and security associations (e.g., PPP state, LCP, CHAP). If such lengthly process is established ahead of time, it reduces the time taken for the secondary interface to be attached to the network. After preparation, the mobile decides to use the second interface as the active interface. This results in less packet loss as it uses make- before-break techniques. This is a proactive scenario and can have two flavors. The first is where both interfaces are up and the second is when only the old interface is up the prepared interface is brought up only when handoff is about to occur. This scenario may be beneficial from a battery management standpoint. Devices that operate two interfaces simultaneously can rapidly deplete their batteries. However, by activating the second interface only after an appropriate network has been selected the client may utilize battery effectively. As compared to non-optimized handover that may result in delay up to 18 sec and 1000 packet loss during handover from WLAN to CDMA, we observed 0 packet loss, and 50 ms handoff delay between the last pre- handoff packet and first in-handoff packet. This handoff delay includes the time due to link down detection and time needed to delete the tunnel after the mobile has moved. However, we observed about 10 duplicate packets because of the copy-and-forward mechanism at the access routers. But these duplicate packets are usually handled easily by the upper layer protocols. C.3. MPA-assisted Layer 2 pre-authentication In this section, we discuss the results obtained from MPA-assisted layer 2 pre-authentication and compare these with EAP authentication and IEEE 802.11i's pre-authentication techniques. Figures 8 and 9 show the experimental testbed where we have conducted the MPA- assisted pre-authentication experiment for bootstrapping layer 2 Dutta (Ed.), et al. Expires April 30, 2010 [Page 41] Internet-Draft MPA Framework October 2009 security as explained in Section 7. By pre-authenticating and pre- configuring the link, the security association procedure during handoff reduces to a 4-way handshake only. Then MN moves to the AP and, after association, runs a 4-way handshake by using the PSKap (Pre-shared Key at AP) generated during PANA pre-authentication. At this point the handoff is complete. Details of this experimental testbed can be found in [MOBIQUIT07]. +----------------------------+-----------+ +-------------+------------+ | | | | | Home Domain +-------++ | | | | | | | | | | |AAAHome | | | | | + | | | | | +-----+--+ | | | | | | | Network B | | Network A | | | | | /----\ | | /---\ | | /nAR \ | | / \ | | | PAA |--------+-+----------+ pAR | | | \ / | | \ / | | \----/ | | \-+-/ | | | | | | | | +-------------------| | | | | | | IEEE 802.11i| | | | | | +------+ +------+ | | +---+--+ | | | | | | | | | | | | |AP2 | |AP1 | | | |AP0 | | | +------+ +------+ | | +------+ | | +------+ +-----+ | | +-----+ | | | | | | | | | | | | |MN +----------->|MN |<+------------- |MN | | | +------+ +-----+ | | ++----+ | |-----------------------------------------+-+------------+-------------+ Figure 8: Experimental Testbed for MPA-assisted L2 Pre-authentication (Non-roaming) Dutta (Ed.), et al. Expires April 30, 2010 [Page 42] Internet-Draft MPA Framework October 2009 +-----------------------------+ | +--------+ | | | | | | | AAAH + | | | | | | ++-------+ | | | | | | Home AAA Domain | | | | +-------+---------------------+ | | | Radius/ | Diameter | | | +----------------------------+-----------+ +-------------+------------+ | | | | | | Roaming +-------++ | | | | AAA Domain A | | | | | | | AAAV | | | | | + | | | | | Network A +-----+--+ | | Network B | | | | | | | | | | | | /----\ | | /---\ | | /nAR \ | | / \ | | | PAA |--------+-+----------+ pAR | | | \ / | | \ / | | \----/ | | \-+-/ | | | | | | | | +-------------------| | | | | | | IEEE 802.11i| | | | | | +------+ +------+ | | +---+--+ | | | | | | | | | | | | |AP2 | |AP1 | | | |AP0 | | | +------+ +------+ | | +------+ | | +------+ +-----+ | | +-----+ | | | | | | | | | | | | |MN +----------->|MN |<---------------| MN | | | +------+ +-----+ | | ++----+ | ----------------------- -----------------+ +------------+-------------+ Figure 9: Experimental Testbed for MPA-assisted L2 Pre-authentication (Roaming) Dutta (Ed.), et al. Expires April 30, 2010 [Page 43] Internet-Draft MPA Framework October 2009 We have experimented with three types of movement scenarios involving both non-roaming and roaming cases using the testbeds shown in figures 8 and 9, respectively. In the roaming case, MN is visiting in a domain different than its home domain. Consequently, the AAAh needs to be contacted which is placed in a location far from the visiting domain. For the non-roaming case, we assume the MN is moving within its home domain and only local AAA server (AAAHome) is contacted which is the home AAA server for the mobile. The first scenario does not involve any pre-authentication. MN is initially connected to AP0 and moves to AP1. Because neither network-layer authentication is enabled nor IEEE 802.11i pre- authentication is used, the MN needs to engage in a full EAP authentication with AP1 to gain access to the network after the move (post-authentication). This experiment shows the effect of absence of any kind of pre-authentication. The second scenario involves 802.11i pre-authentication and involves movement between AP1 and AP2. MN is initially connected to AP2, and starts IEEE 802.11i pre-authentication with AP1. This is an ideal scenario to compare the values obtained from 802.11i pre- authentication with that of network-layer assisted pre- authentication. Both scenarios use RADIUS as AAA protocol (APs implement a RADIUS client). The third scenario takes advantage of network layer assisted link-layer pre-authentication. It involves movement between two APs (e.g., between AP0 and AP1) that belong to two different subnets where 802.11i pre-authentication is not possible. Here, Diameter is used as AAA protocol (PAA implements a Diameter client). In this third movement scenario, the MN is initially connected to AP0. The MN starts PANA pre-authentication with the PAA which is co- located on the AR in the new candidate target network (nAR in network A) from the current associated network (network B). After authentication, PAA proactively installs two keys, PSKap1 and PSKap2 in both AP1 and AP2 respectively. By doing the key installations proactively, it preempts the process of communicating with AAA server for the keys after the mobile moves to the new network. Finally, because PSKap1 is already installed, AP1 starts immediately the 4-way handshake. We have used measurement tools such as ethereal and kismet to analyze the measurements for the 4-way handshake and PANA authentication. These measurements reflect different operations involved during network-layer pre-authentication. In our experiment, as part of the discovery phase, we assume that the MN is able to retrieve PAA's IP address and all required information about AP1 and AP2 (e.g. channel, security-related parameters, etc.) at some point before the handover. This avoids the scanning during Dutta (Ed.), et al. Expires April 30, 2010 [Page 44] Internet-Draft MPA Framework October 2009 link-layer handoff. We have applied this assumption to all three scenarios. Because our focus is on reducing the time spent on authentication part during handoff, we do not discuss the details of how we avoid the scanning. ==================================================================== Types |802.11i | 802.11i | MPA-assisted |Post | Pre | Layer 2 |Authentication | Authentication | Preauthentication ==================================================================== Operation| Non | Roaming | Non | Roaming |Non | Roaming| | Roaming | | Roaming | |Roaming| | =================================================================== Tauth | 61 ms | 599 ms | 99 ms | 638 ms | 177 ms| 831 ms | ------------------------------------------------------------------- Tconf | -- | -- | -- | -- | 16 ms | 17ms | ------------------------------------------------------------------- Tassoc+4 | | | | | | | way | 18 ms | 17 ms | 16 ms | 17 ms | 16 ms | 17 ms | ------------------------------------------------------------------| Total | 79 ms | 616 ms | 115 ms | 655 ms | 208 ms| 865 ms | ------------------------------------------------------------------| Time | | | | | | | affecting| 79 ms | 616 ms | 16 ms | 17 ms | 15 ms |17 ms | handover | | | | | | | ------------------------------------------------------------------| Figure 10: Results of MPA-assisted Layer 2 results Figure 10 shows the timing (rounded off to the most significant number) associated with some of the handoff operations we have measured in the testbed. We describe each of the timing below. Tauth refers to the execution of EAP-TLS authentication. This time does not distinguish whether this authentication was performed during pre-authentication or a typical post-authentication. Tconf refers to time spent during PSK generation and installation after EAP authentication is complete. When network-layer pre- authentication is not used, this time is not considered. Tassoc+4way refers to the time dedicated to the completion of association and the 4-way handshake with the target AP after the handoff. Dutta (Ed.), et al. Expires April 30, 2010 [Page 45] Internet-Draft MPA Framework October 2009 Appendix D. Coexistence of MPA with other optimization technique Although MPA by itself can provide optimization techniques for any mobility protocol, some parts of MPA operation can also augment other optimization techniques and thus can co-exist with the existing mobility optimization techniques. There are some similarities between the techniques associated with MPA and other related fast- handoff mechahnisms such as proactive mode of FMIPv6. Experimental results from both of these optimization techniques demonstrate that these results are bounded by layer 2 delay. However, if these techniques could be augmented by IEEE 802.21 network discovery mechanism, layer 2 handoff delay can also be optimized. Effectiveness of IEEE 802.21 has been demonstrated in the accompanying draft [mpa-wireless]. Additionally, certain features of MPA could also be used to enhance the effectiveness of FMIPv6 [RFC5568]. In particular, MPA's pre-authentication feature for both layer-2 and layer-3 and stateful pre-configuration feature can also be used to augment Fast MIPv6. MPA's layer-2 security bootstrapping feature can also reduce the layer-2 authentication delay associated with FMIPv6 [FMIP-results]. Support for pre-authentication technique to augment FMIPv6 during inter-domain mobility is future work. Appendix E. Guidelines for handover preparation In this section, we provide some guidelines for the roaming clients that use pre-authentication mechanisms to reduce the handoff delay. These guidelines can help determine the extent of pre-authentication operation that is needed based on a specific type of movement of the client. IEEE 802.11i and 802.11r take advantage of preauthentication mechanism at layer 2. Thus, many of the guidelines observed for 802.11i-based pre-authentication and 802.11r-based fast roaming could also be applicable to the clients that use MPA-based pre- authentication techniques. However, since MPA operations are not limited to a specific subnet and involve inter-subnet and inter- domain handover the guidelines need to take into account other factors such as movement pattern of the mobile, cell size etc. The time needed to complete pre-authentication mechanism is an important parameter since the mobile node needs to determine how much ahead of time the mobile needs to start the pre-authentication process so that it can finish the desired operations before the handover to the target network starts. The pre-authentication time will vary depending upon the speed of the mobile (e.g., pedestrian, vs. vehicular) and cell sizes (e.g., WiFi, Cellular). Cell residence time is defined as the average time the mobile stays in the cell before the next handoff takes place. Cell residence time is dependent upon the coverage area and velocity of the mobile. Thus, Dutta (Ed.), et al. Expires April 30, 2010 [Page 46] Internet-Draft MPA Framework October 2009 cell residence time is an important factor in determining the desirable pre-authentication time that a mobile should consider. Since pre-authentication operation involves six sub-operations as described in Section 7.2 and each sub-operation takes some discrete amount of time, only part of these sub-operations may be completed before handoff depending upon the available delay budget. For example, a mobile could complete only network discovery and network layer authentication process before the handoff and postpone the rest of the operations to until after the handover is complete. On the other hand if it is a slow moving vehicle and the adjacent cells are sparsely spaced, a mobile could complete all the desired MPA related operations. Finishing all the MPA related operations ahead of time reduces the handoff delay but adds other constraints such as cell residence time. We give a numerical example here similar to [IEEE-03-084]. D= Coverage diameter, v= Mobile's velocity, RTT = round trip time from AP to AAA server including processing time for authentication Tauth Tpsk = Time spent to install keys proactively on the target APs If for a given value of D = 100ft, Tpsk = 10 ms, and RTT = 100 ms, a mobile needs to execute only the pre-authentication procedure associated with MPA, then the following can be calculated for a successful MPA procedure before the handoff is complete. 2RTT+Tpsk < D/v v = 100 ft/(200 ms +10 ms) = ~500 ft/sec Similarly, for a similar cell size, if the mobile is involved in both pre-authentication and pre-configuration operations as part of the MPA procedure, and it takes an amount of time Tconfig= 190 ms to complete the layer 3 configuration including IP address configuration, then for a successful MPA operation, 2RTT+Tpsk+Tconfig < D/v v = 100 ft /(200 ms + 10 ms + 190 ms) = ~250 ft/sec Thus, compared to only pre-authentication part of MPA operation, in Dutta (Ed.), et al. Expires April 30, 2010 [Page 47] Internet-Draft MPA Framework October 2009 order to be able to complete both pre-autentication and pre- configuration operations successfully, either the mobile needs to move at a slower pace or it needs to expedite these operations for this given cell size. Thus, types of MPA operations will be constrained by the velocity of the mobile. As an alternative if a mobile does complete all the pre- authentication procedure much ahead of time, it uses up the resources accordingly by way of extra IP address, tunnel and extra bandwidth. Thus, there is always a tradeoff between the performance benefit obtained from pre-authentication mechanism and network characteristics, such as movement speed, cell size, and resources utilized. Authors' Addresses Ashutosh Dutta Telcordia Technologies 1 Telcordia Drive Piscataway, NJ 08854 USA Phone: +1 732 699 3130 Email: adutta@research.telcordia.com Victor Fajardo Telcordia Technologies 1 Telcordia Drive Piscataway, NJ 08854 USA Phone: +1 732 699 5368 Email: vfajardo@research.telcordia.com Yoshihiro Ohba Corporate R&D Center, Toshiba Corporation 1 Komukai-Toshiba-cho, Saiwai-ku Kawasaki, Kanagawa 212-0001 Japan Phone: Email: yoshihiro.ohba@toshiba.co.jp Dutta (Ed.), et al. Expires April 30, 2010 [Page 48] Internet-Draft MPA Framework October 2009 Kenichi Taniuchi Corporate R&D Center, Toshiba Corporation 1 Komukai-Toshiba-cho, Saiwai-ku Kawasaki, Kanagawa 212-8582 Japan Phone: Email: taniuchi@isl.rdc.toshiba.co.jp Henning Schulzrinne Columbia University Department of Computer Science 450 Computer Science Building New York, NY 10027 USA Phone: +1 212 939 7004 Email: hgs@cs.columbia.edu Dutta (Ed.), et al. Expires April 30, 2010 [Page 49]