A Framework of Media-Independent Pre-authentication (MPA) for Inter-domain Handover optimization draft-ohba-mobopts-mpa-framework-05.txt Ashutosh Dutta Victor Fajardo Yoshihiro Ohba Kenichi Taniuchi Henning Schulzrinne (See also draft-ohba-mobopts-mpa-implementation-04.txt for performance results)

Media-independent Pre- Authentication (MPA) MPA is a mobile-assisted higher-layer authentication, authorization and handover scheme that is performed before establishing L2 connectivity to a network where mobile may move in near future MPA provides a secure and seamless mobility optimization that works for Inter-subnet handoff, Inter-domain handoff and Inter-technology handoff MPA works with any mobility management protocol Time Conventional Method AP Discovery AP Switching MPA Pre-authentication IP address configuration & IP handover Time Client Authentic ation Packet Loss Period

MPA Phases 1.Pre-authentication: EAP pre-authentication to CTN (Candidate Target Network) 2.Pre-configuration: Proactive IP address acquisition from CTN 3.Pre-switching: L3 HO execution over MN-nAR tunnel 4.Switching: L2 handover 5.Post-switching: Tunnel deletion Not all MPA phases have to be executed and can be replaced with other mechanisms MPA Operation can stop at phase 1 (pre-auth only) or at phase 2 (pre-auth + pre-authorization),

Proactive Handover Tunnel in pre-switching phase Home Network HA AR Serving NetworkTarget Network CN BU Tunneled Data MN

Agreement in IETF68 Revise MPA framework draft to focus on inter-domain handover problem Specific changes are explained in next slides

“Inter-domain Handover” Section Added Definition of an administrative domain (or a domain): –Networks that are managed by a single administrative entity –An administrative entity may be a service provider, an enterprise and any organization. An Inter-domain handover will by-default be subjected to inter-subnet handover and in addition it may be subjected to either inter-technology or intra-technology handover. Inter-domain handover will be subjected to all the transition steps a subnet handover goes through and in addition it will be subjected to authentication and authorization process as well. It is also likely that type of mobility support in each administrative domain will be different. For example, administrative domain A may have MIPv6 support, while administrative domain B may use Proxy MIPv6.

Inter-domain Handover between CMIPv6 & PMIPv6 domains HA PMA MN AR MPA PMIPv6 domain CMIPv6 domain LMA

“Detailed Issues” Section split MPA Operations (Section 7) –7.1 Discovery –7.2 Pre-authentication in multiple CTN environment –7.3 Proactive IP address acquisition –7.4 Address resolution –7.5 Tunnel management –7.6 Binding Update –7.7 Preventing packet loss –7.8 Link-layer security and mobility –7.9 IP layer security and mobility –7.10 Authentication in initial network attachment MPA Deployment Issues (Section 8) –8.1 Considerations for failed switching and switch-back –8.2 Pre-allocation of QoS resources –8.3 Resource allocation issue during pre-authentication MPA Case Studies for Inter-Domain Handoff (Section 9) –9.1 Homogeneous Mobility Protocol in each domain (MIPv6, SIP Mobility, MIPv4 FA-CoA, PMIPv6) MPA for PMIPv6: –9.2 Diverse Mobility Protocol in each domain –9.3 Multicast mobility –9.4 Coexistence of MPA with other optimization technique

“Applicability Statement” Section moved to earlier section (Section 4) MPA is categorized as a proactive handover optimization mechanism. In other words, MPA is more applicable where an accurate prediction of movement can be easily made Even if accurate prediction of movement is easily made, effectiveness of MPA may be relatively reduced if the network employs network- controlled localized mobility management in which the MN does not need to change its IP address while moving within the network. Effectiveness of MPA may also be relatively reduced if signaling for network access authentication is already optimized for movements within the network, e.g., when simultaneous use of multiple interfaces during handover is allowed In other words, MPA is most viable solution for inter-administrative domain predictive handover without simultaneous use of multiple interfaces

Performance result: MPA with L2sec bootstrapping Use of MPA to bootstrap L2 security, e.g., IEEE 80211i, required for candidate networks, before handover Handover performance between network-layer assisted pre-authentication and i pre-authentication is similar Network-layer assisted pre-authentication works across multiple subnets/domains/media whereas i pre-authentication works only within the and in the same ESS. Type of authentication i post- authentication i pre- authentication Network-layer assisted pre-authentication OperationNon- roaming RoamingNon- roaming RoamingNon- roaming Roaming Authentication and authorization delay 61ms599ms99ms636ms177ms831ms Configuration delayN/A 17ms Secure association18m17ms16ms17ms Total79m616ms115ms655ms211ms865ms Handover Delay79m616ms16ms17ms

Performance result: MPA with multiple Mobility Management Protocols

Summary MPA framework draft has been presented 5 times since IETF62 The draft has been revised to focus on inter- domain handover and it’s in a good shape The draft is fully ready to be a RG draft

Thank You!

MPA for L2 Pre-auth & bootstrapping: Scenario