TRANSCRIPT
March 2006
Thomas Haslestad et al, Telenor R&D
Slide 1
doc.: IEEE 802.11-06/0353r0
Submission
A presentation of the OBAN concept: an IST project under the EC's 6th Framework Programme
Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.
Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures <http:// ieee802.org/guides/bylaws/sb-bylaws.pdf>, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair <[email protected]> as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at <[email protected]>.
Date: 2006-03-07

Authors (name, company, address, phone, email):
Thomas Haslestad, Telenor R&D, Snarøyveien 30, 1331 Fornebu, Norway, +4797082034, [email protected]
Einar Edvardsen, Telenor R&D, Snarøyveien 30, 1331 Fornebu, Norway, +4791529029, [email protected]
Tor-Hjalmar Johannessen, Telenor R&D, Snarøyveien 30, 1331 Fornebu, Norway, +4797542737, [email protected]
Slide 2
Abstract
• This presentation introduces the concept of OBAN (Open Broadband Access Network), a European-funded project under the IST 6th Framework Programme.
• The presentation focuses on the mobility architecture and on the challenges and potential solutions for fast handovers.
Slide 3
Open Broadband Access Networks
IST 6FP Contract No 001889
Project Presentation
Slide 4
OBAN in brief
Duration: 3 years, 2004/1 – 2006/12
Budget / EC contribution: 11 / 5 M€
14 partners coordinated by Telenor:
• 4 telecom operators: Telenor, Telefonica, Swisscom, France Telecom
• 6 industrial partners: Lucent (NL), Birdstep (N), ObexCode (N), Motorola (I), EuroConcepts (I), Lucent (UK)
• 3 universities/institutes: Sintef (N), Techn. Univ. Berlin (D), ISMB (I)
• 1 national telecom regulator: NPT (N)
Slide 5
Main objective
To explore how a high-performance broadband mobile network based upon wireless LAN technology and unused capacity in the fixed access networks can be established
[Figure: fixed access lines (ADSL modems, VDSL modems, optical cables, cable modems) feeding any wireless LAN; a by-passing user gains access through it]
Slide 6
Rationale behind
• Most users will within a few years have broadband access over the fixed network
• The capacity of these access lines is poorly exploited
• Wireless LAN technology is becoming the dominant home networking technology
• Wireless LANs have large capacity and are often poorly exploited
• OBAN intends to investigate how the public can obtain access to these resources and what kind of services can be provided over this network
Slide 7
Rationale behind (cont'd)
Coverage per base station in mobile networks:
• GSM (14 kb/s): 50 km² (r < 4 km)
• UMTS1 (384 kb/s): 3 km² (r < 1 km)
• UMTS2 (2 Mb/s): 1 km² (r < 600 m)
• 4G (< 20 Mb/s): 0.03 km² (r < 100 m)
[Chart: number of base stations per technology (GSM, UMTS1, UMTS2, 4G); annotation: > 100 000 (Norway)]
The high number of base stations in broadband mobile networks requires a new broadband infrastructure to feed all the base stations. The required investments will therefore be extremely high. The OBAN project introduces an alternative way to achieve the same, but at much lower cost.
Slide 8
Areas of focus to reach the main objective
Security: because we are opening up today's privately disposed access lines and wireless LANs for public use
Mobility: because we need to know what degree of mobility can be provided in areas of randomly located WLAN access points connected over the fixed network's access lines
QoS: because we want to know how to provide QoS to users in a heterogeneous network composed of technologies with limited QoS abilities
Slide 9
Areas of focus to reach the main objective
3G/B3G: to explore and evaluate how the OBAN concept can be integrated with the 3G/B3G visions
Coverage: to estimate the potential coverage and capacity of an OBAN network. Smart antennas are investigated in order to improve network performance
Commercial: to investigate how the OBAN concept may be utilised commercially and how legal and regulatory issues may affect large-scale deployment
Slide 10
Areas of focus to reach the main objective
The RG (residential gateway) is the key component in the system and needs extensive investigation through implementation to verify the concept
Slide 11
..the wireless RG.. ..a key component in the concept
[Figure: the wRG sits on the broadband access line (xDSL); it carries the owner's local traffic (in-house and external) and offers open-access capacity to a guest, alongside GSM, UMTS, ...]
Concept associated patent: 03754318.8-2416-NO0300339
Slide 13
The concept contains numerous challenges
• How to match QoS in the legacy network with what can be achieved in a wireless LAN, and while traversing from RG to RG?
• Mobility aspects: nomadic or continuous mobility
• Security and authentication
• Roaming agreements between
  – different network operators
  – owners of RGs
• How to deal with the large variety of terminals?
• Interference between RGs and with other equipment: frequency planning
• Business models and commercial aspects
Slide 14
The Security & Mobility Challenge
Slide 15
Security and mobility (2)
• The security level expected for the OBAN architecture has to coexist with strong time and QoS constraints
• The goal of 120 ms maximum handover latency implies that a full authentication, which involves several actors and a corresponding number of round-trip times, is not acceptable
• Fast handover requires an authentication mechanism that only involves the terminal and the RGW
• Security in relation to fast re-authentication during handoff: two potential solutions:
  – delayed authentication
  – fast hand-over using Kerberos tickets
Slide 16
WiFi challenges in the OBAN concept
• No preprocessing of keys and session parameters by the network to prepare the handover in advance
  – 2G and 3G do this by default
• An STA can only be associated with one AP at a time
• After sensing a beacon, the mobile station must negotiate with the next AP, which in turn must perform a full RADIUS round trip with the ISP to handle AAA and the security session
  – In practice: a re-authentication (roaming) based on e.g. EAP will include a full, time-consuming RADIUS round trip involving STA, AP and ISP(s). In addition: rerouting of traffic, as well as 802.1X functions for port control and crypto session establishment on the radio link
Slide 17
Handover task - time considerations
[Timeline figure: handover starts at T1; the session continues after T5. T1–T3 are session oriented (< 100 ms), T4–T5 are security oriented (>> 150 ms!); the interruption delay spans the whole T1–T5 period]
T1: Beacon + physical connection setup between the STA and the next AP/RGW
T2: Messaging of session parameters, including the STA's ID / authentication info, between the VU and the next AP/RGW
T3: Processing of rerouting the traffic to and from the STA via the new AP
T4: AAA round trip for re-authentication of the STA between AP/RGW and the H-ISP of the STA
T5: 802.1X port handling and IKE-based encryption of the radio link between VU and AP
Slide 18
High level Architecture
OBAN deliverable D27
Slide 19
Mobility Broker
• A node serving a geographical area composed of several RGWs
• Makes the access network look like a conventional WLAN/IP network, such that standard mechanisms can be reused
• Simplifies the hand-off complexity and reduces signalling round trips by managing mobility, security and QoS events locally during hand-off
[Architecture figure: the VU (visiting user, carrying its session parameters) hands off between RGW1 (FA1) and RGW2 (FA2, Mobile IP foreign agents), each also serving a residential user with R-user profiles; the RGWs connect via DSLAM and BRAS1/BRAS2 to the broadband network; the Mobility Broker sits between the RGWs and the OBAN-ISP; AAA proxies at the OBAN-ISP, ISP RU-1 and H-ISP RU-2 lead to the AAA server holding the V-user profiles and to the HA (VU), the visiting user's home agent; the hand-off path runs between the two RGWs]
Slide 20
Fast handover using Kerberos tickets
• Using Kerberos tickets for fast and secure layer 2 authentication
  – The ticket consists primarily of an access (session) key and a timestamp, encrypted with a key known to the issuer and the final recipient
    • Issuer = Mobility Broker
    • Final recipient = RGW
  – The ticket is issued to the client (user terminal) and encrypted with a key that is in the possession of the client (shared secret)
  – The client uses the ticket for authentication towards the RGW
    • It proves that it possesses the session key within the ticket by encrypting a challenge from the RGW with the session key
  • The RGW also checks that the timestamp has not expired
Slide 21
Fast Handover using Kerberos tickets
• First-time authentication
  – No tickets => full authentication towards the HAAA, i.e. anything that generates a session key (e.g. EAP-SIM)
  – The final EAP Success is not proxied straight to the terminal: the Mobility Broker holds it back and first exchanges a Ticket-Granting Ticket with the terminal
  – The terminal requests a suitable set of tickets from the MB
  – EAP Success is then finally delivered
  – The MB is geographically aware
• Successive re-authentications
  – Only between terminal and RGW
Slide 22
Fast Handover using Kerberos tickets
• Delay estimation: network authentication + MIP registration = total delay
  – Full authentication: 120–290 ms + 35–100 ms = 155–390 ms
  – Re-authentication in the same domain: 10–40 ms + 25–45 ms = 35–85 ms
  – Re-authentication in a different domain: 10–40 ms + 35–100 ms = 45–140 ms
• Standard compliance
  – "The full authentication" does not comply with the EAP requirement regarding the sequence of methods: RFC 3748 permits only one authentication method within an EAP conversation, after which the authenticator must send Success or Failure, so inserting the ticket exchange before the Success breaks this rule
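The ticket flow on the three "Fast handover using Kerberos tickets" slides, worked through as a runnable added example (written for this page; it is neither the OBAN project's code nor the implementation behind the IFIP SEC 2006 paper). The Mobility Broker seals a session key and an expiry time for each RGW in the terminal's area, the terminal caches them after its first full authentication, and a later handover is a two-party challenge/response between terminal and RGW with no AAA round trip. Assumptions: the class names, the JSON ticket layout, a 300 s ticket lifetime, and an HMAC-SHA256 counter-mode cipher with encrypt-then-MAC standing in for a real AEAD so the example runs on the Python standard library alone.

```python
"""Kerberos-style ticket handover: Mobility Broker (issuer) -> terminal -> RGW
(final recipient).  Added example; class names, ticket layout and cipher are
assumptions, not OBAN project code."""
import hashlib
import hmac
import json
import secrets
import struct

TICKET_LIFETIME_S = 300  # assumed validity window; the slides give no value

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one shared secret."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, so the example needs only the standard
    # library; a deployment would use a real AEAD such as AES-GCM.
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Constant-time tag check, then decrypt; ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class MobilityBroker:
    """Issuer: shares a long-term key with every RGW in its area and, after the
    first full EAP authentication, a session-derived key with the terminal."""
    def __init__(self, rgw_keys: dict, terminal_keys: dict):
        self.rgw_keys, self.terminal_keys = rgw_keys, terminal_keys

    def issue_ticket(self, terminal_id: str, rgw_id: str, now: int) -> bytes:
        session_key = secrets.token_bytes(32)
        # The ticket itself: session key + expiry, readable only by the target RGW.
        ticket = seal(self.rgw_keys[rgw_id], json.dumps(
            {"terminal": terminal_id, "key": session_key.hex(),
             "exp": now + TICKET_LIFETIME_S}).encode())
        # Envelope for the terminal: the same session key plus the opaque ticket.
        return seal(self.terminal_keys[terminal_id], json.dumps(
            {"rgw": rgw_id, "key": session_key.hex(), "ticket": ticket.hex()}).encode())

class Terminal:
    def __init__(self, terminal_id: str, key: bytes):
        self.id, self.key, self.tickets = terminal_id, key, {}

    def receive_ticket(self, envelope: bytes) -> None:
        env = json.loads(unseal(self.key, envelope))
        self.tickets[env["rgw"]] = (bytes.fromhex(env["key"]), bytes.fromhex(env["ticket"]))

    def answer(self, rgw_id: str, challenge: bytes) -> tuple:
        """Present the cached ticket and the challenge encrypted under its session key."""
        session_key, ticket = self.tickets[rgw_id]
        return ticket, seal(session_key, challenge)

class RGW:
    def __init__(self, rgw_id: str, key: bytes):
        self.id, self.key = rgw_id, key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh per attempt, so responses cannot be replayed

    def verify(self, ticket: bytes, response: bytes, challenge: bytes, now: int):
        """Terminal id on success, None otherwise; no AAA round trip is involved."""
        try:
            body = json.loads(unseal(self.key, ticket))   # rejects tickets issued for another RGW
            if now > body["exp"]:
                return None                                 # timestamp expired
            if unseal(bytes.fromhex(body["key"]), response) != challenge:
                return None                                 # wrong session key or stale response
            return body["terminal"]
        except (ValueError, KeyError):
            return None

def fast_handover(terminal: Terminal, rgw: RGW, now: int):
    """The re-authentication at hand-over: only the terminal and the RGW take part."""
    challenge = rgw.new_challenge()
    ticket, response = terminal.answer(rgw.id, challenge)
    return rgw.verify(ticket, response, challenge, now)
```

The checks worth running against such a design are the ones the slides imply: a ticket sealed for RGW1 must fail at RGW2 (different issuer/recipient key), an expired timestamp must be refused even with a valid key, and a response captured for one challenge must not satisfy a fresh one.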
Slide 23
Delayed Authentication (patent pending)
• Open the 802.1X controlled port for user traffic as fast as possible, before the security functions/authentication have completed
• The full AAA round trip is executed while user traffic from the STA is already flowing
• New / increased security risks:
  – Unaccounted user traffic for a few seconds
  – No encryption on the radio link
  – Potential DoS attacks (in addition to those already existing)
Slide 24
Delayed Authentication
[Timeline figure: handover starts at T1; the session is discontinued for < 100 ms and then continues, but unsecured, for some seconds until full security is established at T5; from then on the traffic is secured and accounted]
Slide 25
Delayed Authentication: security countermeasures
• Introduce a timer to limit the maximum pending time for a RADIUS response (success or reject)
• Possible for the AP to cache and block MAC addresses with repeated failing attempts
• Policy selector: monitor accounted vs. unaccounted traffic and allow toggling back to the standard 802.11 state machine (i.e. standard policy) if the unaccounted share is too high (toggle back after a configurable time)
Slide 26
Consequence 1: change of the IEEE state model
Introducing a new state, Pending_Authenticated & Associated:
• Unauthenticated & Unassociated: class 1 frames allowed
• Authenticated & Unassociated: class 1 & 2 frames allowed
• Pending_Authenticated & Associated (new): class 1, 2 & 3 frames allowed
• Authenticated & Associated: class 1, 2 & 3 frames allowed
Transitions shown: Successful Authentication (into Authenticated & Associated) and DeAuthentication Notification (back to Unauthenticated & Unassociated)
Slide 27
Consequence 2: changes needed in the 802.1X implementation
• Must allow class 3 traffic before authentication completes (both STA and AP)
• Extra robustness functions to minimise the new risks (timer, MAC cache etc.)
• Compensation functions to account for STA traffic conveyed before the successful RADIUS response (STA traffic conveyed before a RADIUS reject, a timer expiry etc. cannot be accounted for)
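The delayed-authentication port, its countermeasures and the new Pending_Authenticated state from the preceding slides, as one added example (it is not the project's 802.1X implementation). It models the AP/RGW side: a station associates into the pending state and may send class 3 frames before the RADIUS answer arrives; a pending timer, a MAC failure cache and an accounted-versus-unaccounted policy selector bound the exposure; bytes relayed while pending are billed retroactively on Accept and written off on Reject or timeout, which is exactly the traffic the slides say cannot be accounted for. State names, the thresholds (3 s timer, 3 failures, 50% unaccounted share above 1000 bytes, 60 s fallback to the standard state machine) and the byte-based accounting are assumptions.

```python
"""Delayed authentication on the AP/RGW side, with the countermeasures from the
slides.  Added example; state names, thresholds and byte-based accounting are
assumptions, not the project's 802.1X implementation."""
from dataclasses import dataclass

# 802.11 states plus the new pending state, and the frame classes each allows.
UNAUTH_UNASSOC, AUTH_UNASSOC, PENDING_ASSOC, AUTH_ASSOC = (
    "Unauthenticated/Unassociated", "Authenticated/Unassociated",
    "Pending_Authenticated/Associated", "Authenticated/Associated")
ALLOWED = {UNAUTH_UNASSOC: {1}, AUTH_UNASSOC: {1, 2},
           PENDING_ASSOC: {1, 2, 3}, AUTH_ASSOC: {1, 2, 3}}

@dataclass
class Station:
    state: str = UNAUTH_UNASSOC
    port_open: bool = False   # 802.1X controlled port: class 3 data forwarding
    pending_since: float = 0.0
    unaccounted: int = 0      # bytes relayed before any RADIUS answer
    accounted: int = 0

class DelayedAuthPort:
    def __init__(self, pending_timeout=3.0, max_failures=3,
                 unaccounted_share=0.5, min_volume=1000, fallback_hold=60.0):
        self.pending_timeout, self.max_failures = pending_timeout, max_failures
        self.unaccounted_share, self.min_volume = unaccounted_share, min_volume
        self.fallback_hold = fallback_hold
        self.stations, self.failures = {}, {}   # failures: the MAC cache
        self.standard_policy_until = 0.0        # policy-selector fallback deadline
        self.total_accounted = self.total_unaccounted = 0

    def delayed_auth_enabled(self, now):
        return now >= self.standard_policy_until

    def associate(self, mac, now):
        """Association after the hand-over beacon; returns the new state, or None if refused."""
        if self.failures.get(mac, 0) >= self.max_failures:
            return None   # cached failing MAC: refuse before spending an AAA round trip
        st = self.stations.setdefault(mac, Station())
        if self.delayed_auth_enabled(now):
            st.state, st.port_open, st.pending_since = PENDING_ASSOC, True, now
        else:
            st.state, st.port_open = AUTH_ASSOC, False   # standard 802.1X: data waits for Accept
        return st.state

    def forward(self, mac, frame_class, nbytes, now):
        """Per-frame decision: relay (True) or drop (False)."""
        st = self.stations.get(mac)
        if st is None:
            return frame_class == 1
        if st.state == PENDING_ASSOC and now - st.pending_since > self.pending_timeout:
            self._deauth(mac)   # pending timer elapsed without a RADIUS answer
            return frame_class == 1
        if frame_class not in ALLOWED[st.state] or (frame_class == 3 and not st.port_open):
            return False
        if frame_class == 3:
            if st.state == PENDING_ASSOC:
                st.unaccounted += nbytes
                self.total_unaccounted += nbytes
                self._policy_check(now)
            else:
                st.accounted += nbytes
                self.total_accounted += nbytes
        return True

    def radius_result(self, mac, accepted, now):
        """Late RADIUS answer: bill pending bytes on Accept, write them off on Reject."""
        st = self.stations.get(mac)
        if st is None:
            return
        if accepted:
            self.failures.pop(mac, None)
            st.state, st.port_open = AUTH_ASSOC, True
            st.accounted += st.unaccounted                 # compensation function
            self.total_accounted += st.unaccounted
            self.total_unaccounted -= st.unaccounted
            st.unaccounted = 0
        else:
            self.failures[mac] = self.failures.get(mac, 0) + 1
            self._deauth(mac)                               # relayed bytes stay unaccounted

    def _deauth(self, mac):
        st = self.stations[mac]
        st.state, st.port_open = UNAUTH_UNASSOC, False

    def _policy_check(self, now):
        """Policy selector: too much unaccounted traffic -> standard state machine for a while."""
        total = self.total_accounted + self.total_unaccounted
        if total >= self.min_volume and self.total_unaccounted / total > self.unaccounted_share:
            self.standard_policy_until = now + self.fallback_hold
```

Note what the policy selector does and does not protect: it only changes how new associations are handled, so a station already in the pending state keeps its open port until its own timer or RADIUS answer closes it; the timer, not the selector, bounds each individual exposure window.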
Slide 28
Possible gain
• Applications with strict real-time requirements can be handled more comfortably also in the mobile case → increased popularity and new business opportunities
• Seamless functionality also delivered with high-speed broadband:
  – 2G/EDGE: max ~200 kbit/s
  – 3G/UMTS: ~400 kbit/s
  – 802.11: 1 Mbit/s ++
• Enabling true roaming for 802.11-based access networks
Slide 29
Thanks for your attention
• Questions?
Slide 30
Contact information
Coordinator: Telenor R&D, Snarøyveien 30, N-1331 Fornebu, Norway, +47 6789 0000
Project manager: Einar Edvardsen, +47 915 29029, [email protected]
URL: www.ist-oban.org
Slide 31
References
• OBAN Consortium [online] http://www.ist-oban.org
• M. G. Jaatun, I. A. Tøndel, M. B. Dahl, and T. J. Wilke, "A Security Architecture for an Open Broadband Access Network," in Proceedings of the 10th Nordic Workshop on Secure IT Systems (NordSec), 2005.
• E. Edvardsen, T. G. Eskedal, and A. Arnes, "Open Access Networks," in INTERWORKING, ser. IFIP Conference Proceedings, C. McDonald, Ed., vol. 247. Kluwer, 2002, pp. 91-107.
• M. G. Jaatun, I. A. Tøndel, F. Paint, T. H. Johannessen, J. C. Francis, and C. Duranton, "Secure Fast Handover in an Open Broadband Access Network using Kerberos-style Tickets," in IFIP SEC 2006, 21st IFIP TC-11 International Information Security Conference.
• G. J. Hoekstra, O. Østerbø, R. Schwendener, J. Schneider, F. J. M. Panken, and J. van Bemmel, "Quality of Service Solution for Open Wireless Access," submitted to the 14th IST Summit, Dresden, 19-23 June 2005.
• E. Edvardsen, "Fixed and Mobile Convergence," BroadBand Europe 2004. [Online]. Available: https://medicongress.be/UploadBroad/Session%2009/Paper%2009-01.pdf
• T.-G. Eskedal, R. Venturin, I. Grgic, R. Andreassen, J. C. Francis, and C. Fischer, "Open Access Network Concept, a B3G Case Study," in Proceedings of the 13th IST Mobile & Wireless Communication Summit, 2003.