
doc.: IEEE 802.11-06/0353r0, Submission, March 2006, Thomas Haslestad et al, Telenor R&D

Slide 1: A presentation of the OBAN concept, an IST Project under the EC's 6th framework

Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE's name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE's sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.

Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group.
If you have questions, contact the IEEE Patent Committee Administrator at patcom@ieee.org.
http://ieee802.org/guides/bylaws/sb-bylaws.pdf
stuart.kerry@philips.com
Date: 2006-03-07
Authors:

Slide 2: Abstract
This presentation introduces the concept of OBAN (Open Broadband Access Network), a European-funded project under the IST 6th framework programme. The presentation focuses on the mobility architecture and on the challenges and potential solutions for fast handovers.

Slide 3: Open Broadband Access Networks
IST 6FP Contract No 001889
Project Presentation

Slide 4: OBAN in brief
- Duration: 3 years, 2004/1 – 2006/12
- Budget / EC contribution: 11 / 5 M€
- 14 partners coordinated by Telenor:
  – 4 telecom operators (Telenor, Telefonica, Swisscom, France Telecom)
  – 6 industrial partners (Lucent (NL), Birdstep (N), ObexCode (N), Motorola (I), EuroConcepts (I), Lucent (UK))
  – 3 universities/institutes (Sintef (N), Techn. Univ. Berlin (D), ISMB (I))
  – 1 national telecom regulator (NPT (N))

Slide 5: Main objective
To explore how a high performance broadband mobile network based upon wireless LAN technology and unused capacity in the fixed access networks can be established.
(Figure label: By-passing user)

Slide 6: Rationale behind
- Most users will within a few years have broadband access over the fixed network
- The capacity of these access lines is poorly exploited
- Wireless LAN technology is getting popular as the dominant home networking technology
- Wireless LANs have large capacity and are often poorly exploited
- OBAN intends to investigate how the public can obtain access to these resources and what kind of services can be provided over this network

Slide 7: Rationale behind (cont'd)
Coverage per base station in mobile networks:
- GSM (14 kb/s): 50 km² (r < 4 km)
- UMTS1 (384 kb/s): 3 km² (r < 1 km)
- UMTS2 (2 Mb/s): 1 km² (r < 600 m)
- 4G (< 20 Mb/s): 0.03 km² (r < 100 m)
(Chart: No of base stations for GSM, UMTS1 and 4G; > 100 000 (Norway))
The high number of base stations in broadband mobile networks requires a new broadband infrastructure to feed all base stations. The required investments will therefore be extremely high. The OBAN project introduces an alternative way to achieve the same, but at much lower cost.

Slide 8: Areas of focus to reach the main objective
- Security: because we are opening up today's privately disposed access lines and wireless LANs for public use
- Mobility: because we need to know what degree of mobility can be provided in areas of randomly located WLAN access points connected over the fixed networks' access lines
- QoS: because we want to know how to provide QoS to users in a heterogeneous network composed of technologies with limited QoS abilities

Slide 9: Areas of focus to reach the main objective
- 3G/B3G: to explore and evaluate how the OBAN concept can be integrated with the 3G/B3G visions
- Coverage: to estimate the potential coverage and capacity of an OBAN network. Smart antennas are investigated in order to improve network performance
- Commercial: to investigate how the OBAN concept may be utilised commercially and how legal and regulatory issues may affect deployment on a large scale

Slide 10: Areas of focus to reach the main objective
The RG is the key component in the system and needs extensive investigation through implementation to verify the concept.

Slide 11: ..the wireless RG... a key component in the concept
(Figure labels: Broadband access line (xDSL); wRG; Open Access capacity; Guest; GSM, UMTS, ...; Local traffic (inhouse and external))
Concept associated patent: 03754318.8-2416-NO0300339

Slide 12: (figure only)

Slide 13: The concept contains numerous challenges
- How to match QoS in the legacy network with what can be achieved in a wireless LAN, and while traversing from RG to RG?
- Mobility aspects – nomadic or continuous mobility
- Security and authentication
- Roaming agreements between
  – different network operators
  – owners of RGs
- How to deal with the large variety of terminals?
- Interference between RGs and with other equipment – frequency planning
- Business models and commercial aspects

Slide 14: The Security & Mobility Challenge

Slide 15: Security and mobility (2)
- The security level expected for the OBAN architecture has to coexist with strong time and QoS constraints: the goal of 120 ms maximum handover latency implies that a full authentication involving several actors, and correspondingly many round-trip times, is not acceptable.
- Fast handover requires an authentication mechanism that only involves the terminal and the RGW.
- Security in relation to fast re-authentication during handoff:
  – Two potential solutions: delayed authentication, and fast hand-over using Kerberos tickets

Slide 16: WiFi Challenges in the OBAN concept
- No preprocessing of keys and session parameters by the network to prepare the handover in advance
  – 2G and 3G do this by default
- An STA can only be associated with one AP at a time. After sensing a beacon, the mobile station must negotiate with the next AP, which in turn must perform a full RADIUS roundtrip with the ISP to handle AAA and the security session
  – In practice: a re-authentication (roaming) based on e.g. EAP will include a full, time-consuming RADIUS roundtrip involving STA, AP and ISP(s). In addition: rerouting of traffic, as well as 802.1X functions for port control and crypto session establishment on the radio link

Slide 17: Handover Task - Time Considerations
(Figure: timeline T1 T2 T3 T4 T5; "Handover starts here" at T1, "Session continues here" after T5; labels "Session Oriented: < 100 ms", "Security Oriented: >> 150 ms (!)", "Interruption delay")
- T1: Beacon + physical connection setup between the STA and the next AP/RGW
- T2: Messaging of session parameters, including the STA's ID / auth. info, between the VU and the next AP/RGW
- T3: Processing of rerouting the traffic to and from the STA via the new AP
- T4: AAA roundtrip for re-authentication of the STA between AP/RGW and the H-ISP of the STA
- T5: 802.1X port handling and IKE-based encryption of the radio link between VU and AP

Slide 18: High level Architecture
(Figure: OBAN deliverable D27)

Slide 19: Mobility Broker
- A node serving a geographical area composed of several RGWs
- Makes the access network look like a conventional WLAN/IP network, such that standard mechanisms can be reused
- Simplifies the hand-off complexity and reduces signalling round trips by managing mobility, security and QoS events locally during hand-off

Slide 20: Fast Handover using Kerberos tickets
Using Kerberos tickets for fast and secure layer 2 authentication:
- The ticket consists primarily of an access key and an encrypted timestamp, with a key known to the issuer and the final recipient
  – Issuer = Mobility Broker
  – Final recipient = RGW
- The ticket is issued to the client (user terminal) and encrypted with a key that is in the possession of the client (shared secret)
- The client uses the ticket for authentication towards the RGW
  – Proves that it possesses the session key within the ticket, by encrypting a challenge from the RGW with the session key
  – The RGW also checks that the timestamp has not expired

Slide 21: Fast Handover using Kerberos tickets
First time authentication:
- No tickets => full authentication towards the HAAA, i.e. anything that generates a session key (e.g. EAP-SIM)
- The final EAP SUCCESS is not proxied to the terminal but exchanged in the Mobility Broker with a Ticket-Granting Ticket
- The terminal requests a suitable set of tickets from the MB
- EAP SUCCESS is then finally delivered
- The MB is geographically aware
Successive re-authentication:
- Only between terminal and RGW
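An added example of the ticket flow on slides 20 and 21 (written for this page, not code from the OBAN project or the paper it cites): the Mobility Broker seals a session key and an expiry timestamp under a key it shares with the RGW, hands the ticket plus session key to the terminal under the terminal's own key, and the RGW later checks the ticket's expiry and a challenge encrypted with the session key. Assumptions: a toy HMAC-SHA256 counter-mode cipher with encrypt-then-MAC stands in for a real cipher so it runs with the standard library only, and the key names, JSON layout and function names are this example's choices.

```python
import hashlib, hmac, json, os

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, n):
    # Toy stream cipher: HMAC-SHA256 in counter mode (stand-in for a real cipher, stdlib only)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, data):
    # Encrypt-then-MAC under one key: nonce || ciphertext || tag
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def mb_issue(k_mb_rgw, k_client, client_id, now, lifetime_s=60):
    # Mobility Broker (issuer): session key + expiry timestamp sealed with the MB<->RGW key,
    # then the ticket and the session key are handed to the client under the client's own key
    sk = os.urandom(32)
    ticket = seal(k_mb_rgw, json.dumps({"id": client_id, "sk": sk.hex(), "exp": now + lifetime_s}).encode())
    return seal(k_client, json.dumps({"sk": sk.hex(), "ticket": ticket.hex()}).encode())

def client_unpack(k_client, blob):
    # Terminal: recover the session key and the opaque ticket it will present to RGWs
    d = json.loads(unseal(k_client, blob))
    return bytes.fromhex(d["sk"]), bytes.fromhex(d["ticket"])

def client_prove(sk, challenge):
    # Proof of possession: the RGW's challenge encrypted with the session key from the ticket
    return seal(sk, challenge)

def rgw_verify(k_mb_rgw, ticket, challenge, response, now):
    # RGW (final recipient): open the ticket, reject expired timestamps, check the challenge
    try:
        d = json.loads(unseal(k_mb_rgw, ticket))
        if now > d["exp"]:
            return False
        return hmac.compare_digest(unseal(bytes.fromhex(d["sk"]), response), challenge)
    except ValueError:
        return False
```

Only the MB and the RGW ever hold `k_mb_rgw`, so the terminal cannot forge or extend a ticket, and the HAAA is not on the path of the re-authentication.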

Slide 22: Fast Handover using Kerberos tickets
Delay estimation:
- Network authentication + MIP registration = total delay
  – Full auth: + =
  – Re-auth in same domain: + =
  – Re-auth in different domain: + =
Standard compliance:
- "the full authentication" does not comply with the EAP requirement regarding the sequence of methods

Slide 23: Delayed Authentication (Patent Pending)
- Open 802.1X for user traffic as fast as possible, before security functions/authentication are completed
- Full AAA roundtrip to be executed while user traffic from the STA is ongoing
New / increased security risks:
  – Unaccounted user traffic for a few seconds
  – No encryption on the radio link
  – Potential DoS attacks (in addition to those already existing)

Slide 24: Delayed Authentication
(Figure: timeline T1 T2 T3 T4 T5; "Handover starts here"; "discontinued session (< 100 msec!)"; "Session continues here"; "Continued, but unsecure session (some seconds)"; "Full security established"; "Secured and accounted traffic"; interruption < 100 ms)

Slide 25: Delayed Authentication: Security countermeasures
- Introduce a timer to limit the maximum pending time for a RADIUS response (success or reject)
- Possible for the AP to cache and block MAC addresses with repeated failing attempts
- Policy selector: monitor accounted vs. unaccounted traffic and allow toggling back to the standard 802.11 state machine (i.e. standard policy) if the unaccounted level is bad (toggle back after a configurable time)

Slide 26: Consequence 1: Change of the IEEE State model
Introducing a new state: Pending_Authenticated
(State diagram:)
- UnAuthenticated / UnAssociated: Class 1 frames allowed
- Authenticated / UnAssociated: Class 1 & 2 frames allowed
- Pending_Authenticated / Associated: Class 1, 2 & 3 frames allowed
- Authenticated & Associated: Class 1, 2 & 3 frames allowed
Transitions shown: Successful Authentication; DeAuthentication Notification

Slide 27: Consequence 2
Changes needed in the 802.1X implementation:
- Must allow class 3 traffic (both STA and AP) in the pending state
- Extra robustness functions to minimize the new risks (timer, MAC cache etc.)
- Compensation functions also to account for STA traffic conveyed before a successful RADIUS response (STA traffic conveyed before a RADIUS reject, or before the timer elapses etc., cannot be accounted for)
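An added example (written for this page, not the project's implementation) that puts the countermeasures of slide 25 together with the Pending_Authenticated state of slides 26 and 27 on the AP side, in Python: a timer for the pending RADIUS answer, a MAC cache that blocks repeated failures, a counter of class 3 bytes conveyed before authentication, and a policy selector that falls back to the standard 802.11 behaviour when that unaccounted level is exceeded and toggles back after a configurable time. All numeric thresholds, the state names beyond those on the slides, and the method names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed parameter values; the slides name the mechanisms, not the numbers
PENDING_TIMEOUT_S = 5.0           # max pending time for a RADIUS response (success or reject)
MAX_FAILURES = 3                  # failing attempts before the MAC is cached and blocked
BLOCK_S, REVERT_S = 300.0, 600.0  # block duration; time before toggling back to delayed auth
UNACCOUNTED_LIMIT = 5_000_000     # unaccounted bytes that make the policy selector fall back

@dataclass
class DelayedAuthAP:
    policy: str = "delayed"                        # "delayed" or "standard" 802.11 state machine
    standard_until: float = 0.0
    state: dict = field(default_factory=dict)      # mac -> (state name, time entered)
    failures: dict = field(default_factory=dict)   # MAC cache of failed attempts
    blocked: dict = field(default_factory=dict)    # mac -> time the block expires
    unaccounted: int = 0                           # class 3 bytes conveyed before RADIUS success

    def associate(self, mac, now):
        if self.blocked.get(mac, 0.0) > now:
            return "Blocked"
        # Delayed policy: open the port at once, the AAA roundtrip runs while traffic flows
        st = "Pending_Authenticated" if self.policy == "delayed" else "UnAuthenticated"
        self.state[mac] = (st, now)
        return st

    def forward_class3(self, mac, nbytes, now):
        st, _ = self.state.get(mac, ("none", 0.0))
        if st == "Pending_Authenticated":
            self.unaccounted += nbytes
            if self.unaccounted > UNACCOUNTED_LIMIT:   # policy selector: too much unbilled traffic
                self.policy, self.standard_until = "standard", now + REVERT_S
            return True
        return st == "Authenticated_Associated"        # standard behaviour: no class 3 until authenticated

    def radius_result(self, mac, success, now):
        if success:
            self.state[mac] = ("Authenticated_Associated", now)
            return
        self.state[mac] = ("UnAuthenticated", now)
        self.failures[mac] = self.failures.get(mac, 0) + 1
        if self.failures[mac] >= MAX_FAILURES:
            self.blocked[mac] = now + BLOCK_S

    def tick(self, now):
        # Timer: a pending station whose RADIUS answer never arrived is treated as rejected
        for mac, (st, since) in list(self.state.items()):
            if st == "Pending_Authenticated" and now - since > PENDING_TIMEOUT_S:
                self.radius_result(mac, False, now)
        if self.policy == "standard" and now >= self.standard_until:
            self.policy, self.unaccounted = "delayed", 0
```

Bytes counted in `unaccounted` are exactly the traffic slide 27 says cannot be billed, so that counter is also the input a compensation function would need.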

Slide 28: Possible gain
- Applications with strict real-time requirements can be handled more comfortably also in the mobile case, leading to increased popularity and new business opportunities
- Seamless functionality also delivered with high-speed broadband
  – 2G/EDGE: max ~200 Kbit/s
  – 3G/UMTS: ~400 Kbit/s
  – 802.11(): 1 Mbit/s ++
- Enabling true roaming for 802.11-based access networks

Slide 29: Thanks for your attention
Questions?

Slide 30: Contact information
Coordinator: Telenor R&D, Snarøyveien 30, N-1331 Fornebu, Norway, +47 6789 0000
Project manager: Einar Edvardsen, +47 915 29029, einar-paul.edvardsen@telenor.com
URL: www.ist-oban.org

Slide 31: References
- OBAN Consortium [online]. http://www.ist-oban.org
- M. G. Jaatun, I. A. Tøndel, M. B. Dahl, and T. J. Wilke, "A Security Architecture for an Open Broadband Access Network," in Proceedings of the 10th Nordic Workshop on Secure IT Systems (Nordsec), 2005.
- E. Edvardsen, T. G. Eskedal, and A. Arnes, "Open Access Networks," in INTERWORKING, ser. IFIP Conference Proceedings, C. McDonald, Ed., vol. 247. Kluwer, 2002, pp. 91-107.
- M. G. Jaatun, I. A. Tøndel, F. Paint, T. H. Johannessen, J. C. Francis, and C. Duranton, "Secure Fast Handover in an Open Broadband Access Network using Kerberos-style Tickets," in IFIP SEC 2006, 21st IFIP TC-11 International Information Security Conference.
- G. J. Hoekstra, O. Østerbø, R. Schwendener, J. Schneider, F. J. M. Panken, and J. van Bemmel, "Quality of Service Solution for Open Wireless Access," submitted to the 14th IST Summit, Dresden, 19-23 June 2005.
- E. Edvardsen, "Fixed and Mobile Convergence," BroadBand Europe 2004. [Online]. Available: https://medicongress.be/UploadBroad/Session%2009/Paper%2009-01.pdf
- T.-G. Eskedal, R. Venturin, I. Grgic, R. Andreassen, J. C. Francis, and C. Fischer, "Open Access Network Concept, a B3G Case Study," in Proceedings of the 13th IST Mobile & Wireless Communication Summit, 2003.

