Slide 1: Secure Universal Mobility for Wireless Internet
Authors: A. Dutta, T. Zhang, S. Madhani (Telcordia Technologies); K. Taniuchi, K. Fujimoto, Y. Katsube, Y. Ohba (Toshiba America Research Inc.); H. Schulzrinne (Columbia University)
Presented by: Ashutosh Dutta, adutta@research.telcordia.com
Slide 2: Outline
- Motivation
- Related Work
- SUM Architecture
- Experimental Test-bed
- Results
- SIP and MOBIKE approach
- Conclusion and Future Work
Slide 3: Mobile Wireless Internet: A Scenario
(Network diagram: access networks of different kinds, 802.11a/b/g, Bluetooth and UMTS/CDMA, each with their access points (S1 to S4), grouped into Domain 1 and Domain 2 and connected through the Internet; terminals shown are a Pocket PC, a web phone and a multimedia terminal.)
Slide 4: Motivation
Objective: to provide mobile enterprise users with the same working environment they have at the office, regardless of where they are (e.g., Intranet, Extranet). In particular:
- provide persistent and seamless application session continuity
- provide the same level of security as currently deployed in the enterprise network environment
- provide persistent and seamless reachability (or traceability) from the internal network to mobile users
- provide a VPN-agnostic roaming model independent of the subscribed carrier
- have no impact on the existing IT infrastructure
- optimize the solution as needed
Slide 5: SUM Scenario
(Diagram: a correspondent node (CN) on the internal, protected LAN/WLAN; a DMZ; and external, unprotected networks (a WLAN hot spot and a cellular network) visited by the mobile node (MN).)
Goals:
- secure the communication while the MN is on an external network
- provide session continuity while moving from one network to the other
- provide reachability from the internal network to mobile nodes
CN: Correspondent Node; MN: Mobile Node
Slide 6: Issues to be Resolved
- "IPsec VPN", which is deployed to secure the communication, cannot currently cope with session continuity while moving.
- "Mobile IP", which is deployed to cope with session continuity, cannot secure the communication contents itself.
(1) A combination of IPsec VPN and Mobile IP is necessary.
- Seamlessness is sometimes unsatisfactory due to "hand-off delay" (e.g., internal WLAN to cellular data network), especially the VPN establishment delay (more than 5 sec).
(2) A way for the Mobile Node to reduce hand-off delay is preferable.
Slide 7: Related Work
- Miu and Bahl et al.: movement between similar kinds of networks
- Rodriguez et al.: MAR to support heterogeneous access
- Snoeren et al.: fine-grained TCP Migrate approach
- Barton et al.: integration of Mobile IP and IPsec
- Cheng et al. (ICNSC): foreign-agent-based, client-driven approach
- Adrangi et al. (IETF): Mobile IP traversal for VPN gateways
- Luo et al.: integration of wireless LAN and cellular
- Birdstep Technologies (www.birdstep.com): smooth handoff, dynamic tunnel management, integration with SIP
Slide 8: SUM Architecture (1)
(Diagram: the CN on the Internal Home Network with the i-HA; the VPN GW in the DMZ; the x-HA; and the MN either on an Internal Visited Network or on External Network 1 .. N, reached through nested i-MIP, VPN and x-MIP tunnels.)
Based on its current location, the MN dynamically establishes, changes or terminates tunnels without changing the current IPsec VPN or Mobile IP standards. The triple-encapsulation tunnel is constructed by:
- i-HA (Internal Home Agent): forwards IP packets to the MN's current internal location
- VPN GW: protects (encrypts and authenticates) IP packets transmitted in external networks
- x-HA (External Home Agent): forwards IP packets to the MN's current external location
Slide 9: SUM Architecture Protocol Flow
Message flow for triple-encapsulation tunnel establishment (parties: CN and i-HA on the internal, protected side; VPN GW in the DMZ; x-HA and MN on the external, unprotected side):
1. MN -> x-HA: x-MIP Registration Request; x-HA -> MN: x-MIP Registration Reply; x-MIP tunnel established
2. MN <-> VPN GW: IKE + VPN address assignment; VPN tunnel established (carried inside the x-MIP tunnel)
3. MN -> i-HA: i-MIP Registration Request; i-HA -> MN: i-MIP Registration Reply; i-MIP tunnel established (carried inside the VPN tunnel)
Slide 10: Make-before-Break for Hand-off Delay Reduction
Prepare to use another, better path before stopping use of the current path:
- The MN watches the signal strength level of the WLAN (or applies any other policy).
- Before the internal WLAN signal goes away (becomes lower than a threshold A), the MN starts using the cellular network and establishes the x-HA tunnel and the VPN tunnel as a stand-by path.
- When the WLAN signal level becomes lower than threshold B (A > B), the MN stops using WLAN, starts using the cellular network, establishes the i-MIP tunnel, and then starts using the x-MIP/VPN/i-MIP tunnel over cellular.
This could remove the major factor of hand-off delay, since the VPN (whose establishment takes more than 5 sec) is set up before the switch-over.
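The tunnel order of Slide 9 and the two-threshold policy of Slide 10 are easy to get wrong in an implementation, so here is a small simulation of the policy. This is an added example, not code from the presentation; the RSSI unit, the values of thresholds A and B, and the x-MIP and i-MIP registration times are assumptions, while the ">5 s" VPN setup time is the figure from the slide.

```python
"""Simulation of the SUM make-before-break hand-off policy (added example).
Assumed, not on the slides: RSSI in dBm, the values of A and B, and the
x-MIP / i-MIP registration times. Tunnels come up in the slide's order:
x-MIP over cellular, then the IPsec VPN through it, then i-MIP through that.
"""

THRESHOLD_A = -70.0  # dBm: start preparing the cellular stand-by path (assumed)
THRESHOLD_B = -80.0  # dBm: stop using WLAN and switch; A > B gives hysteresis (assumed)
XMIP_SETUP = 0.5     # s, x-MIP registration with the x-HA (assumed)
VPN_SETUP = 5.0      # s, IKE + IPsec VPN establishment (slide: more than 5 s)
IMIP_SETUP = 0.5     # s, i-MIP registration with the i-HA through the VPN (assumed)


def simulate(samples, make_before_break=True):
    """Run the hand-off policy over (t_seconds, wlan_rssi_dbm) samples.

    Returns (switch_time, gap_seconds, events): gap_seconds is how long the
    session has no usable path after the MN abandons WLAN. With
    make_before_break=False the MN builds every tunnel only after the switch.
    """
    events = []
    standby_ready = None  # time at which the x-MIP + VPN stand-by path is up
    for t, rssi in samples:
        if make_before_break and rssi < THRESHOLD_A and standby_ready is None:
            standby_ready = t + XMIP_SETUP + VPN_SETUP
            events.append((t, "RSSI < A: establish x-MIP + VPN over cellular"))
        if rssi < THRESHOLD_B:
            events.append((t, "RSSI < B: stop using WLAN"))
            if standby_ready is None:  # break-before-make: nothing prepared yet
                standby_ready = t + XMIP_SETUP + VPN_SETUP
            # i-MIP can only be registered once the VPN it runs inside is up
            path_up = max(t, standby_ready) + IMIP_SETUP
            events.append((path_up, "i-MIP tunnel established: session resumes"))
            return t, path_up - t, events
    return None, 0.0, events  # WLAN never dropped below B: no hand-off


# Constructed RSSI traces, one sample per second.
SLOW_FADE = [(t, -60.0 - 1.0 * t) for t in range(25)]  # crosses A at t=11, B at t=21
FAST_FADE = [(0, -60.0), (1, -72.0), (2, -85.0)]       # crosses A at t=1, B at t=2

if __name__ == "__main__":
    for name, trace, mbb in [("slow fade, MBB", SLOW_FADE, True),
                             ("slow fade, break-before-make", SLOW_FADE, False),
                             ("fast fade, MBB", FAST_FADE, True)]:
        switch_t, gap, _ = simulate(trace, mbb)
        print(f"{name}: switch at t={switch_t}s, session gap {gap:.1f}s")
```

On the slow fade the gap shrinks from the full x-MIP + VPN + i-MIP time to the i-MIP registration alone; on the fast fade the WLAN dies before the VPN is up, so most of the VPN delay is still exposed, which is why the spread between A and B must cover the VPN setup time.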
Slide 11: Demonstration Scenario
(Diagram: CN on the Internal Home Network (WLAN) with the i-HA; VPN GW in the DMZ; x-HA; MN on the External Network (Cellular).)
Step 1: The MN (at its home network over WLAN) and the CN start an application session, then the MN starts moving.
Slide 12: Demonstration Scenario
(Diagram: as before, now with the x-MIP tunnel and the VPN tunnel drawn between the MN on the cellular network, the x-HA and the VPN GW.)
Step 2: The MN starts preparing an alternate path by establishing the x-MIP and VPN tunnels over the cellular link, while keeping the communication via the home network over WLAN.
Slide 13: Demonstration Scenario
(Diagram: as before, with the i-MIP tunnel added from the i-HA through the VPN and x-MIP tunnels to the MN on the cellular network.)
Step 3: The MN stops using its home WLAN, starts using cellular and establishes the i-MIP tunnel, then continues the communication with the CN.
Slide 14: Secure Universal Mobility Testbed
(Network diagram: x-HA and DNS in the DMZ network (205.132.6.64/27) behind an enterprise firewall toward the Internet; VPN GW; Internal Home network (SSID=ITSUMO home, demo.tari.toshiba.com, 10.1.20.0/24) with a Linux i-HA, AP, SIP monitor and DHCP server; Internal Visited network (10.1.10.0/24); CH (correspondent host); MN reachable over an External Hotspot (EarthLink DSL) and External Cellular (Verizon CDMA 1xRTT). Address ranges for home addresses (HoA) and tunnel inner addresses (TIA) are given in the figure.)
Slide 15: Protocol Sequence Flow (figure only)
Slide 16: CBR Voice Traffic (figures)
(a) Packet transmission delay
(b) Inter-packet departure and arrival delay variation for CBR (voice)
Slide 17: VBR Video Traffic (figures)
(a) Packet transmission delay
(b) Inter-packet departure and arrival delay variation for VBR (video)
Slide 18: RTP Packet Sequence (figure only)
Slide 19: Dynamic Tunnel Management (figure only)
Slide 20: Dynamic Tunnel Management Flow (figure only)
Slide 21: SIP with MOBIKE (figure only)
Slide 22: Conclusion and Future Work
- Active area of research within the IETF's Mobile IP working group.
- Triple encapsulation mandates an "always-on VPN":
  - provides persistent reachability from the internal network to mobile users
  - may not be practical with currently deployed VPNs
- Capability of a dual MIP (i-MIP and x-MIP) tunnel without VPN:
  - Dynamic Tunnel Management will allow VPN setup on an on-demand basis
  - adds value to the base triple-encapsulation architecture
  - provides light-weight persistent reachability without consuming VPN resources
- Dual MIP is enabled by the SMG (Secure Mobility Gateway), which provides:
  - strong authentication of MIP messages, to securely manage the dual MIP tunnels
  - packet filtering, to restrict the packets transmitted over the dual MIP tunnels
  - interaction with AAA domains
- Robust header compression to take care of the associated overhead.
- The SIP and MOBIKE approach will provide an optimized solution.
Slide 23: Backup Slides
Slide 24: Multimedia Test-bed Architecture
(Network diagram: two domains, tari.toshiba.com (Domain 1) and research.telcordia.com (Domain 2), joined by a backbone VLAN switch and routers R1 to R3 with edge routers ERC1 to ERC4; per-domain SIP servers/call agents, AAA servers, DRCP servers, QoS, PANA and IPsec functions, a multicast proxy, a HA/DRCP server, a border router and firewall to the Internet, dynamic DNS, a SmartBits traffic generator, an IPv6 MAS, and a mobile host (MH) with GPS client, Bluetooth and 802.11b interfaces moving across micro/macro-domain coverage and CDMA/GPRS coverage.)
Slide 25: Future / On-going Work (cont'd)
(Diagram: CN on the Internal Home Network with the i-HA; VPN GW and SMG in the DMZ; MN on Internal Visited Networks or on External Network 1 .. N, with i-MIP and x-MIP tunnels drawn.)
- The MN is in "Incoming Call Waiting Mode" while it maintains the dual MIP tunnel.
- The SMG authenticates MIP registration messages and filters the packets going through the established dual MIP tunnel.
Slide 26: Step-by-step Protocol Flow
- PPP setup over CDMA at SNR S1
- Make-before-break scenario at SNR = S2
- Mobile coming back home