IEEE 802.21: Media Independent Handover Services
Background: Wireless Internet Roaming
The modern Internet is built from communication equipment of many different systems; the various specifications cannot interoperate directly, so other equipment is needed to bridge between them. How can effective roaming support be provided in such an environment?
Background
https://mentor.ieee.org/802.11/file/07/11-07-0453-00-0000-802-21-midweek-plenary-update.ppt
[Figure: the three handover phases, with a bracket labelled "Scope of 802.21" marking the phases 802.21 covers]
– Handover Initiation (search new link): network discovery, network selection, handover negotiation
– Handover Preparation (setup new link): layer 2 connectivity, IP connectivity
– Handover Execution (transfer connection): handover signaling, context transfer, packet reception
IEEE 802.21 helps with handover initiation, network selection and interface activation
Background: IEEE 802.21
• Goals
– To enable handover between heterogeneous technologies
– Service continuity during and after handover
• IEEE 802.21 provides a framework
– Allows higher layers to interact with lower layers to provide session continuity without dealing with the specifics of each technology
– Service continuity
– Quality of service
– Network discovery
– Network selection assistance
– Power management
Background: IEEE 802.21
https://mentor.ieee.org/802.11/file/07/11-07-0453-00-0000-802-21-midweek-plenary-update.ppt
[Figure: the 802.21 MIH Function sits between the link layers (WLAN, Cellular, WMAN; protocol and device hardware) and the upper layers (applications such as VoIP/RTP, IETF mobility management protocols, and handover management with connection management, policy and state change). Handover triggers, smart triggers, handover commands and L2 triggers/events cross this boundary; the Information Service supplies network information (available networks, neighbor maps, network services) used for client-initiated, network-initiated and predictive vertical handovers.]
802.21 is meant to operate across different media
Outline
• IEEE 802.21
• Example Schemes
• Appendix
Handover Types
• Horizontal handover
– Roaming within homogeneous technologies over the same
access network
• Vertical handover
– Roaming across heterogeneous technologies over different
access networks
• Hard handover (break-before-make)
– Break the original connection before setting up the new one
• Soft handover (make-before-break)
– Make the new connection before breaking the old one
IEEE 802.21
• Functionality
– Reduce power consumption by avoiding unnecessary
scanning and using information
• e.g., turn on the IEEE 802.16 module only if 802.16 is available
– Reduce power consumption by using backend (core)
networks
– Reduce handover delay by passing security/QoS information
to next point of service
– Allow service providers to enforce their policies and roaming
agreements
IEEE 802.21 Features*
• Network selection
– Allows users to select between IEEE 802.3, 802.11, 802.16,
3GPP, and 3GPP2 networks
– MS (mobile stations) can automatically connect to the right
network by observing user selections or by user policies
– MS can notify user when available networks change or a
switch occurs
• Session continuity
– Allows make-before-break handover
• Provide interface for:
– Link state event reporting
– Intersystem information service
– Handover control (command) service
Media Independent Handover (MIH) Concept
General Architecture
To handle/hide the particularities of each technology, 802.21 maps generic interfaces to a set of media-dependent service access points (SAPs)
[Figure: general architecture, with the MIH Function (MIHF) between the MIH users and the media-specific SAPs]
General Architecture
• MIHF user
– An entity that uses the MIH SAPs to access MIHF services, and which is responsible for initiating and terminating MIH signaling
• MIH_SAP
– An interface that allows communication between the MIHF layer and higher-layer MIHF users
• MIH_LINK_SAP
– An interface between the MIHF layer and the lower layers of the protocol stack
– All communications between the MIHF and the lower layers are done through the MIH_LINK_SAP
• MIH_NET_SAP
– An interface that supports the exchange of information between remote MIHF entities
MIH Services (1/2)
• Event Service
– Delivers triggers on events
– e.g., link up, link down, new link available
• Command Service
– Set of standard commands for handover control
– e.g., switch link, configure link, initiate handover, etc.
• Information Service
– Defines a service that provides information for faster handovers
– e.g., list of available networks, IP version, network operator, etc.
MIH users access these services using well-defined service
access points (SAPs)
MIH Services (2/2)
• MIH Function
– An intermediate layer between the upper and lower layers whose main function is to coordinate the exchange of information and commands between the different devices involved in making handover decisions and executing handovers
– Media Independent Event Services: link up/down/going down,
transmission status
– Media Independent Command Services: switch links, get
status
– Media Independent Information Services: information
elements (IEs), neighbor reports
Reference Model
Multiple Access Network Reference Model
Reference Model: A Scenario
PoA: point of attachment
PoS: point of service
MN: mobile node
Reference Model: A Scenario*
• Network entities
– MIH point of service (MIH PoS): network-side MIHF instance
that exchanges MIH messages with the MN-based MIHF. An
MN may have different PoSs as it may exchange messages
with more than one network entity.
– MIH non-PoS: does not exchange MIH messages with the
mobile node. A given network node may be a PoS for an MN
with which it exchanges MIH messages and a non-PoS for a
network node for which it does not.
– MIH point of attachment (PoA): endpoint of a layer 2 link that
includes the MN as the other endpoint
• Communication reference points
– R1 (MN←→Serving PoA (PoS)): used by the MN to
communicate with its PoA. It may be used by the MN to
gather information about the current status of its connection.
Reference Model: A Scenario*
• Communication reference points (cont.)
– R2 (MN ←→ Candidate PoA (PoS)): used by the MN to
communicate with a candidate PoA. It may be used to
gather information about candidate PoAs before making a
handover decision.
– R3 (MN ←→ non-PoA (PoS)): used by the MN to
communicate with an MIH PoS located on a non-PoA
network entity. It may be used by a network node to inform
the MN about the different IP configuration methods in the
network.
– R4 (PoS ←→ non-PoS): used for communications between
an MIH PoS and an MIH non-PoS. It is typically used when
an MIH server that is serving an MN (the PoS) needs to ask
for information from another MIH server (the non-PoS).
– R5 (PoS ←→ PoS): used between two different MIH PoSs
located at different network entities
Event Service
• Event Service
– Events related to handover can be originated at the MAC or
MIHF layer located in the node or at the point of attachment
to the network
– Local (terminal side) and remote (network side) events
– Events may trigger user actions
Event Service
• Event Service (cont.)
– Provides event classification, event filtering and event
reporting corresponding to dynamic changes in link
characteristics, links status, and link quality
– Events: administrative, state change, link parameter,
predictive, link synchronous, and link transmission
Event Service
Event flow model for link events and MIH events
Event Service: L2 Triggers (Link Events)
[Figure: link state diagram, Disconnected <-> Connected]
• State Change Events
– Link Up
– Link Down
– Link Parameters Change
• Predictive Events
– Link Going Down
• Network Initiated Events
– Load Balancing
– Operator Preferences
[Figure: timeline of a WLAN-to-WWAN link switch. The WLAN link reports Link Going Down and later Link Down; the WWAN link reports Link Up in between, so the Link Switch is make-before-break.]
Triggers minimize connectivity disruption during link switching
Event Service: Link Events (explanation)
Event Service: MIH Events (explanation)
Command Service
• Command Service
– Enables MIH users to manage and control link behavior
relevant to handovers and mobility
– Commands flow from user to MIH and then to link layer
– Commands allow users to switch links
– User communicates separately with each technology (commands do not flow from one technology to another)
Command Service
• Command service flow
Information Service
• Information Service
– Provides information about networks in a particular
geographical area
– Information delivery via queries or by broadcast/multicast
– Generally static information
– 802.21 defines what information is required
– Does not define how the service is accessed
[Figure: an 802.21 Information Server serving 802.16, 802.11 and 802.3 access networks]
Information Service
• Information Service (cont.)
– Provides the capability for obtaining necessary information
for handovers including neighbor maps, link layer
information, and availability of services
– Access neighbor maps for networks in a geographic area
from any network entity
• Wi-Fi hotspot knows about cellular towers and vice versa
– Static link layer informational parameters
• QoS support and restricted networks.
– Use reports to allow efficiency
• Channel range prevents the need for scanning.
– Vendor specific features: Prioritize networks, network labels
Example Message Flow
[Figure: mobile-initiated handover from 3G to WLAN]
MIH Protocol Frame Format
Information Elements
• Information elements
– Contain general information (operators), access network (roaming, cost, security, QoS), PoA (location, data rate, channel range), higher layer, and other information (vendor specified)
– Information elements are delivered as Type-Length-Value (TLV) messages:
  Type (1 byte) | Length (variable) | Value (variable)
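To make the TLV layout concrete, here is an added encoder/parser for it (not code from the slides or from any 802.21 implementation). The one-byte Type is as stated on the slide; the variable-size Length rule below is the IEEE 802.21-2008 one as I recall it and is an assumption, and the Type codes in the sample are constructed placeholders.

```python
"""Encoder and parser for the 802.21 TLV layout: Type (1 byte),
Length (variable), Value (variable).

Assumed Length rule (IEEE 802.21-2008, as recalled):
  * value shorter than 128 octets: one Length octet, MSB clear
  * value of exactly 128 octets: one Length octet, 0x80
  * value longer than 128 octets: first octet 0x80 | n, followed by n
    octets holding (value length - 128) big-endian
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class TLV:
    type_: int      # one-octet Type
    value: bytes    # raw Value octets


class TLVError(ValueError):
    """Raised for truncated or malformed TLV data."""


def encode_length(n: int) -> bytes:
    """Encode a Value length of n octets."""
    if n < 0:
        raise ValueError("negative length")
    if n < 128:
        return bytes([n])
    if n == 128:
        return b"\x80"
    extra = n - 128
    ext = extra.to_bytes((extra.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(ext)]) + ext


def decode_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value_length, position just after the Length field)."""
    if pos >= len(buf):
        raise TLVError("missing Length octet")
    first = buf[pos]
    pos += 1
    if first & 0x80 == 0:
        return first, pos
    n_ext = first & 0x7F
    if n_ext == 0:
        return 128, pos
    if pos + n_ext > len(buf):
        raise TLVError("truncated extended Length field")
    extra = int.from_bytes(buf[pos:pos + n_ext], "big")
    return 128 + extra, pos + n_ext


def encode_tlv(type_: int, value: bytes) -> bytes:
    if not 0 <= type_ <= 0xFF:
        raise ValueError("Type must fit in one octet")
    return bytes([type_]) + encode_length(len(value)) + value


def parse_tlvs(buf: bytes) -> List[TLV]:
    """Parse consecutive TLVs from buf.

    A Length that runs past the buffer is rejected rather than clamped, so a
    truncated or mis-built information element cannot yield a partial Value
    that looks valid to the handover logic reading it.
    """
    out: List[TLV] = []
    pos = 0
    while pos < len(buf):
        type_ = buf[pos]
        length, pos = decode_length(buf, pos + 1)
        if pos + length > len(buf):
            raise TLVError(f"TLV type {type_}: Length {length} exceeds buffer")
        out.append(TLV(type_, buf[pos:pos + length]))
        pos += length
    return out


if __name__ == "__main__":
    # Constructed sample: Type values 1 and 2 are placeholders, not real
    # 802.21 IE type codes.
    msg = encode_tlv(1, b"operator-A") + encode_tlv(2, bytes(200))
    for tlv in parse_tlvs(msg):
        print(tlv.type_, len(tlv.value))
```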
Network Initiated Handover
• Network initiated handover
– MIH Handover Initiate: suggested PoA
– MIH Handover Prepare: current to target network
– MIH Handover Commit: client commits to do handover
– MIH Handover Complete: new network to old network; send all buffered packets
Network Initiated Network Selection (Example)*
www.ietf.org/proceedings/05nov/slides/mipshop-6/mipshop-6.ppt
[Figure: message sequence chart. Participants: UE (MIHF_UE, MAC layers), network operator (MME, MIHF_NW with IS), 802.16-AN, 802.11-AN.]
1. UE discovery and registration: MIH-Register-Event.Req() / MIH-Register-Event.Resp()
2. 802.16 DL-Burst detected at the MAC (Link-Detect) -> Link-Event.Detect(link_info) -> MIH-Info.Req / MIH-Info.Resp -> unfavorable network
3. 802.11 Beacon detected at the MAC (Link-Detect) -> Link-Event.Detect(link_info) -> MIH-Info.Req / MIH-Info.Resp -> favorable network => selection
Network Controlled Handover (Example)*
www.ietf.org/proceedings/05nov/slides/mipshop-6/mipshop-6.ppt
[Figure: message sequence chart. Participants: operator network (Mobile IP, MME), UE (MIHF_UE, 802.11 MAC), 802.11 network (802.11-AN, New-FA, HA). Legend: Mobile-IP signaling; MIH signaling over the new link.]
1. Network Selection at the MME
2. MIH-Remote-Link-Switch.Req(802.11 nwk) to the UE; L3-switch.Ind
3. Proxy Rtr Solicitation / Proxy Rtr Advertisement
4. Link-Associate; L2-Procedures (security, re-association, QoS negotiation)
5. Link-Event-Up(802.11 nwk) -> MIH-Link-Event-Up
6. FBU; Mobile IP update procedure over the new link (New-FA, HA)
7. Release; MIH-Remote-Link-Switch.Resp
MIHF Protocol
• The MIHF protocol allows peer MIHF entities to
interact with each other
– MIH communication may imply use of unacknowledged
connection-less transport services to reduce transport
overhead and ensure efficiency and reduced latency in the
delivery of MIH messages
MIHF Protocol*
• MIHF protocol
– Container for MIH messages for 802.11 defined in IEEE
802.11u
– Container for MIH messages for 802.16 defined in IEEE
802.16g
– Transport for MIH protocol is defined in the IETF MIPSHOP
working group
• IEEE 802.21 transport
– CS, ES, IS messages are transported over L2 or L3
– 802.11u is defining transport of 802.21 messages over
802.11
– MIPSHOP is defining transport over IP
MIHF Protocol: Usage Models*
www.ietf.org/proceedings/05nov/slides/mipshop-6/mipshop-6.ppt
• Direct model: MIHF_UE <-> MIHF_MME (remote ES/CS)
• Proxy model: MIHF_UE <-> MIHF_proxy <-> MIHF (remote ES/CS on each hop)
802.21 Amendments for MIH*
• 802.21 amendments for MIH
– MIH Capability indication in beacon
– MAC Layer Management Entity (MLME) Service Access
Point (SAP): Link up indication, Scan confirm
– Information service for generic network selection: IS query
frame
– Transport of MIHF protocol over 802.11
Summary
• 802.21 is a standard protocol for handover initiation,
network selection, handover
• 802.21 provides a common interface to L3 and
higher mobility protocols
– Has triggers that allow higher layers to take action
– Has commands that allow higher layer to request actions
– Has information service that allows all layers to not have to
discover the static information
Remarks
• Similar technologies
– Unlicensed Mobile Access (UMA) technology is basically a mobile-centric version of 802.21
– UMA is regarded as providing roaming and handover between GSM, UMTS, Bluetooth and 802.11 networks
– http://www.umatoday.com/
– Since June 19, 2005, UMA has been part of the ETSI 3GPP standardization process under the GAN (Generic Access Network) group
Remarks
• Similar technologies
– WiOptiMo technology enables any application running on a device to use the best Internet connection among all the wired/wireless access providers available, guaranteeing persistence in case of weak or no signal and managing the switch among them (when needed/convenient) in a transparent way, without interrupting the active application/session.
– http://hal.inria.fr/inria-00001015/en/ or "WiSwitch: Seamless Handover between Multi-Provider Networks"
Outline
• IEEE 802.21
• Example Schemes
– F. Cacace and L. Vollero, “Managing Mobility and
Adaptation in Upcoming 802.21-Enabled Devices”, Proc.
4th Int'l Wksp. Wireless Mobile Applications and Services
on WLAN Hotspots, pp. 1–10, Sep. 2006
– A. Dutta, S. Das, D. Famolari, Y. Ohba, K. Taniuchi, V.
Fajardo, R. M. Lopez, T. Kodama, and H. Schulzrinne,
“Seamless Proactive Handover Across Heterogeneous
Access Networks”, Wireless Personal Communications,
43(3): 837–855, November 2007
• Appendix
Abstract*
• One emerging characteristic of electronic devices is the
increasing number of connectivity interfaces (aka NICs) towards
the outside world. That obviously translates in a set of technical
issues related to their management in order to provide seamless
connectivity when the connections move from one interface to
another. The IEEE 802.21 is a recent effort of IEEE that aims at
providing a general interface for the management of NICs. In
this paper we discuss how the upcoming standard may be
effectively exploited in a mobile context in order to hide network
heterogeneity to end users. To accomplish this task, we propose
a centralized element called Mobility Manager interfacing with
the 802.21 sublayer and responsible for the application of
connectivity policies. Based on a real testbed, we showed that the
new standard and the MM can be used to improve network
performance experienced by the end user. Moreover we showed
how the MM can interact with adaptive applications in order to
improve further the range of usability of real-time applications.
IEEE 802.21 Architecture
• Three primary services
– Media Independent Event Service (MIES)
– Media Independent Command Service (MICS)
– Media Independent Information Service (MIIS)
Media Independent Event Service*
• Support for both local and remote event notification to the upper layers of a MS
• Common events provided through the MIHF
– Link up
– Link down
– Link parameters change
– Link going down
– L2 handover imminent
Media Independent Command Service*
• Used to gather information about the status of
connected links and to execute mobility and
connectivity decisions
– Commands can be both local, if issued by an upper layer
entity, or remote, if sent by an entity of the access network
• Typical commands
– “MIH poll” and “MIH configure” to poll connected links
asking for their status and to configure new links,
respectively
Media Independent Information Service*
• Provide information to mobile nodes about
available networks and services
– Use standard and platform independent description
language to represent that information: static and dynamic.
– Static: names and the providers of mobile terminal’s
neighboring network
– Dynamic: channel, security and the MAC addresses.
• Advantages
– Help significantly in the definition of high level handover
decisions and policies.
– Avoids any specific and access-dependent discovery
method for the automatic detection of neighbor networks
Media Independent Information Service
• Example of stack elements interaction under IEEE 802.21
[Figure: Applications above the Mobility Manager, which sits above the 802.21 MIH Function]
• Mobility Manager
– A centralized system entity running onboard mobile devices and directly interfacing services provided by 802.21 compliant network interfaces
– Delivers higher level services to applications in order to enable active content adaptation, e.g. adaptation coordinated with underlying network services
Why Mobility Manager?
[Figure: Applications / Mobility Manager / 802.21 MIH Function stack]
• Although user applications can directly interface to
the MIH Function, there are reasons to support the
design of a system-level centralized entity
– Handoff decisions are system-wide and need a centralized
point of decision
– Applications need a view of network resources at a higher
abstraction level than provided by the MIH Function
– Shared network resources can be more efficiently granted to
requesting applications through a common service
– A common interface for mobility events allows easier design
of adaptive applications
Mobility Manager: Internals
• Link quality module
– In charge of storing the information related to the available links and dispatching notifications about changes in link quality
– Also subscribes to Link Parameters Change to update its internal information about the status of links
– Periodically uses the “MIH Poll” command to check the status of a link (signal strength, link speed, etc.)
– When changes exceed thresholds, notifications are sent to the application level and to the handoff decision module
Mobility Manager: Internals
• Handoff decision module
– Interested in Link Up, Link Down and Link Handoff Imminent events, since they can trigger immediate handoff decisions
• Power management module
– Issues the “MIH Configure” command to set up or down network interfaces
Benefits of the Network-Layer Mobility Manager
1. Vertical handoff can be executed before the connectivity is lost
• If there is more than one available wireless interface, service
continuity is possible
2. When there is a change of the access router, handoffs are
faster because there is no need to execute the Neighbor
Unreachability Detection procedure of IPv6
3. No need to waste bandwidth by setting high Router
Advertisements (RA) frequency on access networks in order to
lower handoff delay
4. Handoff decision module can avoid the ping-pong effect that is
common when the handoff decision is triggered at the network
level (due to the intermittent arrival of RAs from access routers)
5. Handoff decision module can minimize the degradation of data
flows due to the presence of zones with intermittent
connectivity
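The following is an added illustration of how the Mobility Manager's link quality and handoff decision modules can be combined so that a handoff is taken on Link Going Down before connectivity is lost, while hysteresis and a dwell time suppress the ping-pong effect; it is not the paper's code. The link names, the signal-strength scoring and the threshold values are assumptions for illustration, and the MIH primitives are plain method calls rather than a real MIHF.

```python
"""Handoff decision logic modelled on the Mobility Manager: the link quality
module polls links ("MIH Poll") and the handoff decision module reacts to
Link Up / Link Down / Link Going Down / handoff imminent events.
Thresholds and link names are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LinkState:
    up: bool = False
    going_down: bool = False
    signal_dbm: float = -100.0      # last value returned by "MIH Poll"


@dataclass
class HandoffDecision:
    # Hysteresis: a candidate must beat the serving link by this margin (dB)
    # before we switch, which suppresses ping-pong on flickering links.
    margin_db: float = 6.0
    # Below this level a link is unusable even though it reports Link Up.
    floor_dbm: float = -85.0
    # Minimum number of polls to stay on a link after switching to it.
    min_dwell_polls: int = 3
    links: Dict[str, LinkState] = field(default_factory=dict)
    serving: Optional[str] = None
    dwell: int = 0
    switches: List[Tuple[Optional[str], Optional[str]]] = field(default_factory=list)

    # --- Event Service side: events the MIHF delivers to the module ---
    def on_link_up(self, name: str) -> None:
        st = self.links.setdefault(name, LinkState())
        st.up, st.going_down = True, False

    def on_link_down(self, name: str) -> None:
        self.links.setdefault(name, LinkState()).up = False
        if name == self.serving:
            self._switch(None)          # connectivity lost on the serving link
        self._decide()

    def on_link_going_down(self, name: str) -> None:
        # Predictive event: vacate the link before it actually drops.
        self.links.setdefault(name, LinkState()).going_down = True
        self._decide()

    on_handoff_imminent = on_link_going_down

    # --- Command Service side: result of a periodic "MIH Poll" ---
    def on_poll(self, name: str, signal_dbm: float) -> Optional[str]:
        self.links.setdefault(name, LinkState()).signal_dbm = signal_dbm
        if self.serving is not None:
            self.dwell += 1
        self._decide()
        return self.serving

    def _usable(self, name: str) -> bool:
        st = self.links[name]
        return st.up and not st.going_down and st.signal_dbm >= self.floor_dbm

    def _decide(self) -> None:
        candidates = [n for n in self.links if self._usable(n)]
        if not candidates:
            return
        best = max(candidates, key=lambda n: self.links[n].signal_dbm)
        if self.serving is None or not self._usable(self.serving):
            self._switch(best)          # no usable serving link: take the best
        elif self.dwell >= self.min_dwell_polls and (
                self.links[best].signal_dbm
                >= self.links[self.serving].signal_dbm + self.margin_db):
            self._switch(best)          # clearly better and dwell satisfied

    def _switch(self, name: Optional[str]) -> None:
        if name != self.serving:
            self.switches.append((self.serving, name))
            self.serving = name
            self.dwell = 0
```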
Outline
• IEEE 802.21
• Example Schemes
– F. Cacace and L. Vollero, “Managing Mobility and
Adaptation in Upcoming 802.21-Enabled Devices”, Proc.
4th Int'l Wksp. Wireless Mobile Applications and Services
on WLAN Hotspots, pp. 1–10, Sep. 2006
– A. Dutta, S. Das, D. Famolari, Y. Ohba, K. Taniuchi, V.
Fajardo, R. M. Lopez, T. Kodama, and H. Schulzrinne,
“Seamless Proactive Handover Across Heterogeneous
Access Networks”, Wireless Personal Communications,
43(3): 837–855, Nov. 2007
• Appendix
Wireless Internet Roaming Scenario
Abstract*
• Dual-mode handsets and multimode terminals are generating
demand for solutions that enable convergence and seamless
handover across heterogeneous access networks. The IEEE 802.21
working group is creating a framework that defines a Media
Independent Handover Function (MIHF), facilitates handover
across heterogeneous access networks and helps mobile users
experience better performance during mobility events. In this
paper, we describe this 802.21 framework and also summarize a
Media-independent Pre-Authentication (MPA) mechanism
currently under discussion within the IRTF that can further
optimize handover performance. We discuss how the 802.21
framework and the MPA technique can be integrated to improve
handover performance. Finally, we describe a test-bed
implementation and validate experimental performance results
of the combined mobility technique
Recall: IEEE 802.21*
• IEEE 802.21 provides
– Media Independent Event Service
– Media Independent Command Service
– Media Independent Information Service
Recall: IEEE 802.21*
• Media Independent Event Service
– Provides services to the upper layers by reporting both
local and remote events
Recall: IEEE 802.21*
• Media Independent Command Service
– Gathers information about the status of the connected links and executes higher layer mobility and connectivity decisions at the lower layers
Recall: IEEE 802.21*
• Media Independent Information Service
– Provides access information, including network type,
roaming partners, channel information, MAC address,
security information, and other information about higher
layer services helpful to handover decision
Media Independent Preauthentication (MPA)
• Media Independent Pre-authentication
– A mobile-assisted, secure handover optimization scheme
– A mobile node is not only able to securely obtain an IP address and other configuration parameters from a candidate target network (CTN), but is also able to send and receive IP packets using the obtained CTN IP address before it physically attaches to the CTN
– MPA does not perform network discovery
How MPA Works
• Operations
– Establishes a security association with a CTN via its existing network using the Protocol for carrying Authentication for Network Access (PANA) to obtain configuration information
– A bi-directional tunnel is established between the device and the Access Router (AR) of the CTN
• IP packets are sent over this tunnel
– When layer 2 connects to the CTN, the tunnel can be removed and the handover is complete
MPA and 802.21 Assisted Handoff
[Figure: handoff between 802.11 and CDMA access networks]
MPA vs. FMIPv6: Security
• Both MPA and FMIPv6 are make-before-break, proactive handover methods
• MPA
– With the IEEE 802.21 Information Service, helps to bootstrap L2 security such as 802.11i and thus optimize the L2 delay
• FMIPv6 (RFC 4068)
– R. Koodli (Ed.), Fast handovers for mobile IPv6, IETF RFC 4068, July 2005
– With IEEE 802.21 information discovery, can help reduce the handover delay to the L2 delay, but without any security optimization
• MPA includes security authentication, whereas FMIPv6, even when combined with 802.21, has no security authentication
MPA vs. FMIPv6: Pre-configuration and Binding Update
• MPA
– Information exchanges take place between the mobile node and the authentication agent (AA), access router (AR) and configuration agent (CA) of the target network
– That is, MPA performs pre-configuration and binding update through the AA, AR and CA of the target network (the network that will be used next)
• FMIPv6
– Information exchanges between the previous access router (PAR) and next access router (NAR)
– That is, FMIPv6 performs pre-configuration and binding update mainly through the previous access router (PAR) and next access router (NAR)
Experimental Setup for MPA and 802.21 Assisted Handovers
Experimental Setup: Intra-Technology, Inter-Domain
Experimental Setup: Inter-Technology, Inter-Domain
MPA Assisted L2 Handoff Delay
• Layer 2 handoff delay
– 802.11 layer-2 handoff delay consists of scanning, association, and authentication
– The 802.11 layer-2 delay is made up mainly of scanning, association, authentication and EAP-TLS
• The appendix describes the EAP-TLS authentication method
– Scanning takes the maximum amount of time during layer 2 handover (the scanning delay is the largest component)
Message Flow: MPA-Assisted Optimized L2 Handoff
[Figure: message flow; the timings marked are 570 ms and 15 ms]
Summary
• A mobility optimization framework exploiting IEEE
802.21 and a media independent pre-authentication
(MPA) framework to provide secured and seamless
convergence and support heterogeneous handover
• Discussed several functional components of the
IEEE 802.21 framework and their respective roles in
providing the optimization
– Demonstrated network discovery, network selection, pre-configuration, pre-authentication, and proactive handover operations that are part of a mobility event
• Presented two types of heterogeneous handover
scenarios: intra-technology, inter-domain; and
inter-technology, inter-domain
Outline
• IEEE 802.21
• Example Schemes
• Appendix
– Public Key Infrastructure
– EAP-TLS Authentication Method
Public Key Infrastructure (for Key Administration)
• Public Key Infrastructure (PKI)
– Combination of software/hardware products, encryption
technologies and services that enable enterprises to
protect their communications on the Internet or other
types of networks
– Integrate digital certificates, public-key cryptography, and
certificate authorities into a total network security
architecture
– Encompasses
• Issuing digital certificates to individual users and servers
• End-user enrollment software; integration with
corporate certificate directories
• Tools for managing/renewing/revoking certificates
Public Key Infrastructure
• Public keys are stored in publicly available
directories
• On the Internet, public key directories are maintained
by Certification Authorities (CAs) such as VeriSign
– PKI as a system of digital certificates, Certificate Authorities,
and other registration authorities that verify and authenticate
the validity of each party involved in an Internet transaction
– CAs are trusted third parties (impartial third parties) that issue digital certificates (aka digital IDs) to individuals and organizations that register with them
– Certificate Authorities are the digital world’s equivalent of
passport offices
Public Key Infrastructure
• A public key and private key are allocated when a
digital certificate is issued
– PGP (Pretty Good Privacy) and RSA are examples of public
key encryption systems
• Public-key certificates (issued by a trusted third party)
– A digital certificate is a small computer file that mainly consists of two parts
• “data” part: issuer, owner, public key, validity period, etc.
• “signature” part: digital signature over the data part
Public Key Infrastructure
• X.509 format (ITU Recommendation & ISO/IEC Standard)
Field                    Example
VERSION                  0
SERIAL NUMBER            1234567891011121314
SIGNATURE ALGORITHM      RSA+MD5, 512
ISSUER                   C=US, S=VA, O=GMU, OU=ISE
VALIDITY                 9/9/99-1/1/1
SUBJECT                  C=US, S=VA, O=GMU, OU=ISSE, CN=Ravi Sandhu
SUBJECT PUBLIC KEY INFO  RSA, 1024, xxxxxxxxxxxxxxxxxxxxxxxxx
SIGNATURE                SIGNATURE
Public Key Infrastructure: X.509 Certificate
Public Key Infrastructure
• CA (Certificate Authority): certification center
– A trusted institution that issues digital certificates
• DS (Directory Service): where digital certificates are stored
• RA (Registry Agent): an agent program that registers with the CA on behalf of the user
• Procedure (registration)
1. The user sends his public key and data to the RA
2. The RA sends the public key to the CA
3. The CA signs this public key, producing a digital certificate
4. The CA sends the certificate to the RA
5. The user obtains the certificate from the RA
6. The CA sends the certificate to the DS
7. The user can verify his certificate with the DS
Generation and Use of Digital Certificates
• Generation and use of digital certificates
[Figure: Alice, Bob and the Certificate Authority]
1. Alice requests a certificate (personal identity data and public key)
2. The CA generates the digital certificate: [H(personal identity data and public key)]d, the hash signed with the CA’s private key d
3. The CA returns the certificate
4. Alice verifies and stores the certificate
5. Alice presents the digital certificate to Bob to prove her identity
6. Bob verifies the digital certificate
Relationship Between Digital Certificates and the Encryption/Decryption Mechanism
EAP-TLS Message Flow (1/3)
EAP-TLS Message Flow (2/3)
[Figure: message sequence between the station (802.1X/EAP over the wireless link), the AP and the RADIUS server; the AP-RADIUS leg is protected by the AP-RADIUS key]
1. AP -> station: 802.1X/EAP-Request Identity
2. station -> AP: 802.1X/EAP-Response Identity (My ID)
3. AP -> RADIUS: RADIUS Access Request/EAP-Response Identity
4. RADIUS -> AP: RADIUS Access Challenge/EAP-Request; AP -> station: 802.1X/EAP-Request(TLS)
5. station -> AP: 802.1X/EAP-Response(TLS ClientHello(random1)); AP -> RADIUS: RADIUS Access Request/EAP-Response TLS ClientHello
6. RADIUS -> AP: RADIUS Access Challenge/EAP-Request; AP -> station: 802.1X/EAP-Request(TLS ServerHello(random2) || TLS Certificate || TLS CertificateRequest || TLS server_key_exchange || TLS server_done)
EAP-TLS Message Flow (3/3)
7. station -> AP: 802.1X/EAP-Response(TLS client_key_exchange || TLS certificate || TLS certificateVerify || TLS change_cipher_suite || TLS finished); AP -> RADIUS: RADIUS Access Request/EAP-Response
   Annotation: MasterKey = TLS-PRF(PreMasterKey, “master secret” || random1 || random2)
8. RADIUS -> AP: RADIUS Access Challenge/EAP-Request; AP -> station: 802.1X/EAP-Request(TLS change_cipher_suite || TLS finished)
9. station -> AP: 802.1X/EAP-Response; AP -> RADIUS: RADIUS Access Request/EAP-Response
   Annotation: PMK = TLS-PRF(MasterKey, “client EAP encryption” || random1 || random2)
10. RADIUS -> AP: RADIUS Accept/EAP-Success, PMK; AP -> station: 802.1X/EAP-Success
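The two key-derivation formulas in the flow above, carried through as an added example (not code from the slides or from any testbed). It assumes the TLS 1.2 PRF (P_SHA256, RFC 5246), since the slides do not say which TLS version was used, and it takes the 802.11 PMK as the first 32 octets of the RFC 5216 MSK; the sample secrets and randoms are constructed, not captured.

```python
"""EAP-TLS key derivation:
  MasterKey = TLS-PRF(PreMasterKey, "master secret" || random1 || random2)
  PMK       = TLS-PRF(MasterKey, "client EAP encryption" || random1 || random2)
random1 is the ClientHello random, random2 the ServerHello random.
Assumption: TLS 1.2 PRF (P_SHA256); the slide does not name the version.
"""
import hashlib
import hmac
from typing import Tuple


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5."""
    out = b""
    a = seed                                            # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, random1: bytes, random2: bytes) -> bytes:
    """48-octet TLS master secret (the slide's MasterKey)."""
    return tls_prf(pre_master, b"master secret", random1 + random2, 48)


def eap_tls_keys(master: bytes, random1: bytes, random2: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (MSK, EMSK, PMK).

    RFC 5216 expands the master secret with the label "client EAP encryption"
    into 128 octets: the first 64 are the MSK, the next 64 the EMSK. 802.11i
    uses the first 32 octets of the MSK as the PMK, the value the RADIUS
    server passes to the AP with the Access-Accept in the flow above.
    """
    km = tls_prf(master, b"client EAP encryption", random1 + random2, 128)
    msk, emsk = km[:64], km[64:]
    return msk, emsk, msk[:32]


def derive_pmk(pre_master: bytes, random1: bytes, random2: bytes) -> bytes:
    """Both slide formulas chained: PreMasterKey -> MasterKey -> PMK."""
    master = master_secret(pre_master, random1, random2)
    return eap_tls_keys(master, random1, random2)[2]


if __name__ == "__main__":
    # Constructed sample inputs; a real handshake supplies these.
    pre_master = bytes(range(48))
    random1 = b"\x11" * 32
    random2 = b"\x22" * 32
    print("PMK =", derive_pmk(pre_master, random1, random2).hex())
```

Because both randoms are bound into the PMK, a replayed ServerHello or ClientHello produces a different PMK, which is why the 802.11i four-way handshake that follows can detect a stale key.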