Download ITSUMO Demonstration - Columbia University
Secure Universal Mobility for Wireless Internet
Authors: A. Dutta, T. Zhang, S. Madhani
Telcordia Technologies
K. Taniuchi, K. Fujimoto, Y. Katsube, Y.Ohba
Toshiba America Research Inc.
H. Schulzrinne
Columbia University
Presented by: Ashutosh Dutta
[email protected]
Outline
Motivation
Related Work
SUM Architecture
Experimental Test-bed
Results
SIP and MOBIKE approach
Conclusion and Future Work
Mobile Wireless Internet: A Scenario
[Figure: two domains (Domain1, Domain2) reached over the Internet through nodes S1–S4; each domain contains several access networks (Access Network 1, 2, 3) served by UMTS/CDMA access points, 802.11a/b/g access points and Bluetooth access points; terminals shown are a multimedia terminal, a web phone and a Pocket PC]
Motivation
Objective: to provide mobile enterprise users with the same working environment as at their office, regardless of where they are (e.g., Intranet, Extranet), and especially to:
– provide persistent and seamless application session continuity
– provide the same level of security as currently deployed in the enterprise network environment
– provide persistent and seamless reachability (or traceability) from the internal network to mobile users
– provide a VPN-agnostic roaming model, independent of the subscribed carrier
– have no impact on the existing IT infrastructure
– optimize the solution as needed
SUM Scenario
[Figure: internal (protected) network, DMZ and external (unprotected) network; the CN sits on the internal LAN while the MN moves between the internal WLAN, a cellular network and an external WLAN hot spot. Callouts on the figure:]
– provide session continuity while moving from one network to the other
– secure the communication while the MN is at an external network
– provide reachability from the internal network to mobile nodes
CN: Correspondent Node; MN: Mobile Node
Issues to be Resolved
• "IPsec VPN", which is deployed to secure the communication, cannot currently cope with session continuity while moving
• "Mobile IP", which is deployed to cope with session continuity, cannot secure the communication contents itself
(1) A combination of IPsec VPN and Mobile IP is necessary
• Seamlessness is sometimes unsatisfactory due to "hand-off delay" (e.g., internal WLAN to cellular data network), especially due to the VPN establishment delay (more than 5 sec)
(2) A way for the Mobile Node to reduce hand-off delay is preferable
Related Work
• Miu and Bahl et al. – movement between similar kinds of networks
• Rodriguez et al. – MAR to support heterogeneous access
• Snoeren et al. – fine-grained TCP Migrate approach
• Barton et al. – integration of Mobile IP and IPsec
• Cheng et al. (ICNSC) – foreign-agent-based, client-driven
• Adrangi et al. (IETF) – Mobile IP traversal for VPN gateways
• Luo et al. – integration of wireless LAN and cellular
• Birdstep Technologies (www.birdstep.com) – smooth handoff, dynamic tunnel management, integration with SIP
SUM Architecture (1)
[Figure: internal (protected) side with CN, i-HA, an Internal Home Network and an Internal Visited Network; DMZ with VPN GW and x-HA; external (unprotected) side with External Network 1 through External Network N; tunnels shown are the i-MIP tunnel, the VPN tunnel and the x-MIP tunnel, with the MN drawn at several locations]
Based on its current location, the MN dynamically establishes/changes/terminates tunnels without changing the current standards of IPsec VPN or Mobile IP.
The triple-encapsulation tunnel is constructed by:
• i-HA (Internal Home Agent): forwards IP packets to the MN's current internal location
• VPN GW: protects (encrypts and authenticates) IP packets transmitted in external networks
• x-HA (External Home Agent): forwards IP packets to the MN's current external location
SUM Architecture Protocol Flow
Message flow for triple-encapsulation tunnel establishment (participants: CN and i-HA on the internal (protected) side; VPN GW in the DMZ; MN and x-HA on the external (unprotected) side):
1. x-MIP Registration Request
2. x-MIP Registration Reply – x-MIP tunnel established
3. IKE + VPN address assignment – VPN tunnel established
4. i-MIP Registration Request
5. i-MIP Registration Reply – i-MIP tunnel established
Make-before-Break for Hand-off Delay Reduction
• Prepare to use another, better path before stopping use of the current path
– The MN watches the signal strength level of the WLAN (or applies any other policy)
– Before the internal WLAN signal goes away (becomes lower than a threshold A), the MN starts using the cellular network and establishes the x-HA tunnel and the VPN tunnel as a stand-by path
– The MN stops using the WLAN when its signal level becomes lower than threshold B (A > B), starts using the cellular network, establishes the i-MIP tunnel, then starts using the x-MIP/VPN/i-MIP tunnel over the cellular link
• This could remove the major factor of hand-off delay, since the VPN is established (which takes more than 5 sec) before switch-over
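The two-threshold policy above, combined with the x-MIP, then VPN, then i-MIP establishment order from the protocol-flow slide, as an added Python model that is not part of the original slides; the dBm thresholds and the per-tunnel setup times are assumed, illustrative values.

```python
from dataclasses import dataclass, field

# Thresholds in dBm (assumed values); A > B as on the slide.
THRESHOLD_A = -70   # below A: prepare the stand-by cellular path
THRESHOLD_B = -80   # below B: stop using WLAN and switch over
# Assumed per-tunnel setup times in seconds; the slides state only that
# VPN (IKE) establishment takes more than 5 s.
SETUP_COST = {"x-MIP": 0.5, "VPN": 5.5, "i-MIP": 0.5}
# Establishment order from the protocol-flow slide.
ESTABLISH_ORDER = ("x-MIP", "VPN", "i-MIP")

@dataclass
class MobileNode:
    active_path: str = "wlan"
    tunnels: list = field(default_factory=list)
    log: list = field(default_factory=list)
    last_switch_delay: float = 0.0   # tunnel setup time on the critical path

    def _establish(self, wanted):
        """Set up the missing tunnels in ESTABLISH_ORDER; return seconds spent."""
        spent = 0.0
        for t in ESTABLISH_ORDER:
            if t in wanted and t not in self.tunnels:
                self.tunnels.append(t)
                self.log.append(f"establish {t}")
                spent += SETUP_COST[t]
        return spent

    def on_wlan_sample(self, rssi):
        """Feed one WLAN signal-strength sample into the hand-off policy."""
        if self.active_path == "wlan":
            if rssi < THRESHOLD_B:
                # Switch-over: anything not yet built is now on the critical path.
                self.last_switch_delay = self._establish(set(ESTABLISH_ORDER))
                self.active_path = "cellular"
                self.log.append("switch wlan->cellular")
            elif rssi < THRESHOLD_A:
                # Make-before-break: x-MIP and VPN come up while WLAN still works.
                self._establish({"x-MIP", "VPN"})
        elif rssi >= THRESHOLD_A:
            # Back home: i-MIP de-registration, VPN teardown, x-MIP release.
            for t in reversed(ESTABLISH_ORDER):
                self.tunnels.remove(t)
                self.log.append(f"teardown {t}")
            self.active_path = "wlan"
            self.log.append("switch cellular->wlan")
        return self.active_path
```

A signal that degrades gradually leaves only the i-MIP registration on the switch-over path, while a signal that drops straight below B puts the whole VPN setup on it; returning above A uses the same hysteresis to avoid flapping.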
Demonstration Scenario
Step 1: The MN (at its home network over WLAN) and the CN start an application session, then the MN starts moving.
Step 2: The MN starts preparing an alternate path by establishing the x-MIP and VPN tunnels over the cellular link, while keeping communication via the home network over WLAN.
Step 3: The MN stops using its home WLAN, starts using cellular and establishes the i-MIP tunnel, then continues communication with the CN.
[Figure for each step: internal (protected) side with CN, i-HA and the Internal Home Network (WLAN); DMZ with VPN GW and x-HA; external (unprotected) side with the cellular network; step 2 adds the x-MIP tunnel and VPN tunnel, step 3 adds the i-MIP tunnel]
Secure Universal Mobility Testbed
[Figure: external hotspot over Earth Link DSL and external cellular over Verizon CDMA 1xRTT, both reaching the enterprise firewall via the Internet; DMZ network 205.132.6.64/27 (.66–.94) hosting the VPN GW, X-HA (TIA = 111–120), DNS, DHCP, SIP and a monitor; internal home network (SSID = ITSUMO home, demo.tari.toshiba.com) 10.1.10.0/24 with the i-HA (HoA = 70–75), a Linux router, an AP and the MN; internal visited network 10.1.20.0/24 (HoA = 210–215); CH on the internal side]
Protocol Sequence Flow
[Plot: protocol sequence during handoff, time in seconds (0–100) against the active protocol (RTP, IPsec, MIP); phases marked are X-MIP, I-MIP, VPN setup, home de-registration and VPN break-up]
CBR Voice Traffic
[Plots, both on a log scale against packet number, each with 802.11 and cellular segments marked: (a) packet transmission delay for voice traffic; (b) inter-packet departure and arrival delay variation between CH and MH for CBR (voice)]
VBR Video Traffic
[Plots, both on a log scale against packet number, each with 802.11b and cellular segments marked: (a) VIC packet transmission delay (CH–MH); (b) inter-packet departure and arrival delay variation between CH and MH for VBR (video)]
RTP Packet Sequence: 802.11–Cellular Secured Handoff
[Plot: RTP sequence numbers (2000–2600) against time in minutes (57:07.2–59:16.8); the 802.11 segment is followed by the 802.11–cellular handoff with out-of-order packets, then the cellular segment with a low gradient]
Dynamic Tunnel Management
Dynamic Tunnel Management Flow
SIP with MOBIKE
Conclusion and Future Work
• Active area of research within the IETF's Mobile IP working group
• Triple encapsulation mandates an "always-on VPN"
– provides persistent reachability from the internal network to mobile users
– may not be practical with currently deployed VPNs
• Capability of a dual MIP (i-MIP and x-MIP) tunnel without VPN
– Dynamic Tunnel Management will allow VPN setup on an on-demand basis
– adds additional value to the base triple-encapsulation architecture
– provides light-weight persistent reachability without consuming VPN resources
• Dual MIP is enabled by the SMG (Secure Mobility Gateway), which provides:
– strong authentication of MIP messages to securely manage the dual MIP tunnels
– packet filtering to restrict packets transmitted over the dual MIP tunnels
– interaction with AAA domains
• Robust header compression to take care of the associated overhead
• The SIP and MOBIKE approach will provide an optimized solution
Backup Slides
Multimedia Test-bed Architecture
[Figure: two domains (Domain 1, tari.toshiba.com; Domain 2, research.telcordia.com) joined by border routers and a backbone behind 3600 routers and a firewall to the Internet; components include MAS, dynamic DNS, a SmartBits generator, an IPv6 SIP server/call agent, an IPv6 multicast proxy, AAA servers, PANA/IPsec, HA/DRCP and DRCP servers, QoS VLAN switches, routers R1–R3, edge routers ERC1–ERC4, CDMA/GPRS and Bluetooth access, an omni antenna, a GPS client, 802.11b micro and macro coverage, and a macro mobile host (MH) in the external domain]
Future / On-going Work (cont'd)
[Figure: internal (protected) side with CN, i-HA, the Internal Home Network and Internal Visited Networks; DMZ with VPN GW and SMG; external (unprotected) side with External Network 1, External Network 2 through External Network N; x-MIP tunnel and i-MIP tunnel shown, with the MN drawn at several locations]
• The MN is in "Incoming Call Waiting Mode" when it maintains the dual MIP tunnel
• The SMG authenticates MIP registration messages as well as filters packets going through the established dual MIP tunnel
Step-by-step Protocol Flow
[Sequence diagram between CN, MN, i-HA, VPN-GW and x-HA:]
– Data on 802.11: i-MIP Request/Reply between MN and i-HA, RTP between CN and MN
– PPP setup over CDMA at SNR = S1 (make before break)
– Make-before-break scenario at SNR = S2: x-MIP Request/Reply (MN–x-HA), ISAKMP + x-MIP to the VPN-GW, ESP + x-MIP, i-MIP Request/Reply carried as UDP + i-MIP inside ESP, then data over CDMA (triple tunneled) as ESP + x-MIP
– Mobile coming back home: i-MIP Request/Reply, RTP on 802.11 again, VPN tunnel teardown (ISAKMP + x-MIP), 1xRTT disconnection