IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-07-xxxx-00-0000 Title: Secure Handover with QoS Support Date Submitted: November, 14, 2007 Presented at IEEE 802.21 session #23


IEEE 802.21 MEDIA INDEPENDENT HANDOVER
DCN: 21-07-xxxx-00-0000
Title: Secure Handover with QoS Support
Date Submitted: November, 14, 2007
Presented at IEEE 802.21 session #23 in Atlanta
Authors or Source(s): Roland Bless (Institut für Telematik,
Universität Karlsruhe (TH)), Michael Grigat (Deutsche
Telekom)
Abstract: This document discusses synergy issues between security and QoS signaling and suggests that the MIH security solution should take into account the exchange of security credentials by a different pre-authentication signaling mechanism.
IEEE 802.21 presentation release statements
This document has been prepared to assist the IEEE 802.21 Working Group. It is
offered as a basis for discussion and is not binding on the contributing
individual(s) or organization(s). The material in this document is subject to
change in form and content after further study. The contributor(s) reserve(s)
the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate
material contained in this contribution, and any modifications thereof, in the
creation of an IEEE Standards publication; to copyright in the IEEE’s name
any IEEE Standards publication even though it may include portions of this
contribution; and at the IEEE’s sole discretion to permit others to reproduce in
whole or in part the resulting IEEE Standards publication. The contributor also
acknowledges and accepts that this contribution may be made public by IEEE
802.21.
The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws <http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual <http://standards.ieee.org/guides/opman/sect6.html#6.3>, and in Understanding Patent Issues During IEEE Standards Development <http://standards.ieee.org/board/pat/guide.html> and <http://standards.ieee.org/board/pat/faq.pdf>.
Motivation
• Provide seamless mobility with Quality-of-Service (QoS)
• Quality-of-Service signaling for requesting resource reservations (at the IP layer) on demand
• Using the QoS NSLP signaling protocol (-> NSIS WG, IETF)
• QoS usage only with authentication and authorization
• Inter-domain handover may lead to a longer signaling exchange -> not really seamless QoS support if signaling starts after handover
• Idea: pre-reserve resources before performing handover
• Anticipated handover
• Signaling for the new reservation in the next domain via the current access before handover is performed
• Analogy to the pre-authentication signaling approach
Synergies between QoS and Security Signaling
• Same problem for QoS signaling as with authentication signaling
• Signaling and processing take time
• Same goal for QoS signaling optimisation
• => Decrease handover latency
• Similar solution as for security: pre-reservation signaling
• Approach to combine security and QoS signaling
• Get credentials for the new access via pre-reservation QoS signaling:
• request reservation and authentication at the new access
• the response also carries the new credentials
• Avoids extra pre-authentication signaling in case the MN uses QoS signaling anyway
• The NSIS Session Authentication Object may carry the credential (can provide end-to-end integrity)
Example: Integration of AAA and QoS signaling
[Figure: two message-sequence panels between MN, SA and TA (each access with AAA and RACS); RACS = Resource and Admission Control Subsystem]
• Separate signaling: Pre-Authentication (MN authenticated), Pre-Reservation (QoS established), Handover, Fast Authentication
• Integrated signaling: Pre-Reservation including Pre-Authentication (MN authenticated, QoS established), Handover, Fast Authentication
Example: Message Sequence
[Figure: integrated signaling sequence between MN, SA (AAA, RACS) and TA (AAA, RACS); protocols labelled in the figure: QoS NSLP and Diameter; RACS = Resource and Admission Control Subsystem]
• Reserve, Reserve, Request, followed by Response, Response, Response -> MN authenticated, QoS established
• Handover
• Fast Authentication
• Notify(Handover complete)
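As an added illustration (not part of the slides), a Python model of the integrated sequence above: Reserve, Reserve, Request outbound and three Responses back, with the returned credential carried in a session authentication object that the MN checks end to end even though each hop is only protected hop by hop. The HMAC-SHA256 construction, a key shared between the MN and the AAA that issues the credential, and an equal-length path for the separate flow are assumptions, and all values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Msg:
    kind: str                      # Reserve / Request / Response / Auth
    hop: str                       # e.g. "MN->SA"
    payload: dict = field(default_factory=dict)


def sign_sao(key: bytes, credential: bytes) -> bytes:
    """MAC for the session authentication object (HMAC-SHA256 is an assumption)."""
    return hmac.new(key, credential, hashlib.sha256).digest()


def verify_sao(key: bytes, credential: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(sign_sao(key, credential), mac)


def integrated_flow(e2e_key: bytes, tamper_hop: bool = False):
    """Six-message integrated pre-reservation from the slide; returns (trace, mn_accepted).

    e2e_key is assumed shared between the MN and the AAA that issues the credential,
    so the MN can verify the credential end to end although hops are only TLS-protected.
    """
    trace = [Msg("Reserve", "MN->SA", {"qos": "pre-reserve", "auth": "request"}),
             Msg("Reserve", "SA->TA", {"qos": "pre-reserve", "auth": "request"}),
             Msg("Request", "TA->AAA", {"auth": "request"})]     # Diameter leg in the figure
    cred = b"constructed-credential-for-target-access"          # constructed sample value
    sao = {"credential": cred, "mac": sign_sao(e2e_key, cred)}
    trace.append(Msg("Response", "AAA->TA", {"auth": "ok", "sao": sao}))
    trace.append(Msg("Response", "TA->SA", {"qos": "reserved", "sao": sao}))
    forwarded = dict(sao)
    if tamper_hop:                 # a misbehaving intermediate hop rewrites the credential
        forwarded["credential"] = b"altered-in-transit"
    trace.append(Msg("Response", "SA->MN", {"qos": "reserved", "sao": forwarded}))
    accepted = verify_sao(e2e_key, forwarded["credential"], forwarded["mac"])
    return trace, accepted


def separate_flow():
    """Same three-hop round trip done twice: pre-authentication, then pre-reservation."""
    path = ["MN->SA", "SA->TA", "TA->AAA", "AAA->TA", "TA->SA", "SA->MN"]
    pre_auth = [Msg("Auth", h) for h in path]
    pre_res = [Msg("Reserve" if i < 3 else "Response", h) for i, h in enumerate(path)]
    return pre_auth + pre_res


def messages_saved() -> int:
    """Messages the integrated flow saves compared with the separate flow (model only)."""
    return len(separate_flow()) - len(integrated_flow(b"k")[0])
```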
Conclusions
• A similar handover latency problem exists for QoS signaling
• If QoS signaling is used, it may carry the credential that is otherwise exchanged via separate pre-authentication signaling (e.g., EAP)
• Reduces latency
• Saves messages (thus energy)
• Allows for secure exchange
• The MIH solution should consider that the credential may be exchanged by a different pre-authentication signaling mechanism
References
• http://www.ietf.org/html.charters/nsis-charter.html
• http://www.scalenet.de/
Comments/Q&A
Backup
NSIS protocol suite
[Figure: NSIS 2-layer concept. Upper layer: NSLP with signaling application-specific functions (QoS, NAT/Firewall, Metering) and the Resource Management Function (RMF); API between NSLP and GIST. Lower layer: NTLP = GIST (Generic Internet Signaling Transport) functions (transport) over UDP, TCP, SCTP or DCCP, with optional Transport Layer Security, above IP with IP Layer Security.]
• NSLP: NSIS Signaling Layer Protocol
• NTLP: NSIS Transport Layer Protocol
• GIST: routing of signaling messages, reliability, cryptographic protection
NSIS QoS is more flexible than RSVP:
• QoS-model independent (IntServ/DiffServ, other)
• Sender/receiver initiated
• Reliable (TCP, SCTP) / datagram (UDP, DCCP)
• End-to-end / host-to-edge / edge-to-edge (proxy operation supported)
• Better support for mobility
• Bi-directional signaling
Signaling Security
• Security
• QoS signaling messages are transmitted via GIST and
• can be protected by transport via TLS (provides hop-by-hop security)
• are protected against Denial-of-Service attacks (late state installation)
• Some content can be integrity protected in an end-to-end fashion by a session authentication object within QoS NSLP