
IPSJ SIG Technical Report (Information Processing Society of Japan), 2004-MBL-31 (16) / 2004-ITS-19 (16), 2004/11/12, pp. 119-126

The Proposal and Evaluation of AAA for Bootstrapping Mobile IPv6 and ISATAP

Ryoji KATO*, Shinta SUGIMOTO*, Johnson OYAMA*, Hidetoshi YOKOTA** and Akira IDOUE**

* New Business and Technology Division, Nippon Ericsson K.K., 1-4-14 Koraku, Bunkyo-ku, Tokyo, 112-0004 Japan
** Mobile Network Laboratory, KDDI R&D Laboratories, 2-1-15 Ohara, Kamifukuoka-shi, Saitama, 356-8502 Japan
E-mail: *{Ryoji.Kato, Shinta.Sugimoto, Johnson.Oyama}@ericsson.com, **{Yokota, Idoue}@kddilabs.jp

Keywords: Mobile IPv6, ISATAP, bootstrap, AAA, EAP, IPsec

1. Overview

This paper proposes a way for an IP terminal to bootstrap (initialize and start up) IP network services (e.g. MIPv6, ISATAP) from scratch, shows the differences and benefits compared with the current art of bootstrapping, and evaluates it in terms of performance measured in our test-bed. When bootstrapping IP network services, the important aspects include how to discover the servers (or routers) serving a specific service (either statically or dynamically), what parameters need to be known by the clients and servers (or routers) prior to bootstrapping these services, and how to authenticate and authorize the IP terminals (and/or vice versa). Our proposal makes use of the AAA (Authentication, Authorization and Accounting) framework to address these points. The reasons our proposal is based on the AAA framework are that 1) in most cases IP terminals start the authentication and authorization process before accessing a commercial IP network, 2) an authenticated or secured communication can be assumed between an IP terminal and an AAA server during AAA operation, and 3) it can be used to provide IP network services that require some authentication. The IP terminal we focus on is the mobile terminal, because it will bootstrap frequently, e.g. when powered on or when brought to a new mobile network (roaming).

1.1. Network Environments

In our proposal, we focus on mobile terminals as IP terminals. Mobile terminals will be turned on in, or roam to, various network environments: various network access media (probably wireless media for mobile terminals, e.g. the cellular network, wireless LAN, Bluetooth etc.), various network access operators, various IP protocols (either IPv4 or IPv6) and various authentication protocols (e.g. PPP, 802.1x, PANA). Our intention here is to show that our proposal can be used in, or extended to fit, such various network environments. Deployment is also something we take care of in this proposal. We will not propose a specific method that works very well but must be deployed at every access point that mobile terminals may visit. In our proposal, we tried to keep the impact on existing networks as small as possible for easy deployment. We investigated existing networks, e.g. W-CDMA, CDMA2000, W-LAN hotspot services etc., and made a proposal that fits such networks.

1.2. Network Services

We focus on Mobile IPv6 and ISATAP as the IP network services to be bootstrapped because both are fundamental and necessary for seamless IP connectivity, which is the primary requirement for mobile terminals. The combination of Mobile IPv6 and ISATAP (called GLOB6 [2]) enables IP terminals to keep IPv6 connections across changes of IP address and IP protocol (IPv4 and IPv6).

1.3. Achievements

When bootstrapping Mobile IPv6 and ISATAP, our proposal has some advantages in comparison with the current specifications or the current services.

First, our proposal keeps the static configuration as small as possible, in other words, makes the dynamic configuration as large as possible. In our proposal, only the configuration for authentication is necessary on the mobile nodes. All other configuration, e.g. discovering the ISATAP router, assigning the Mobile IPv6 Home Address or establishing the security association, will be done by the network side. So the network operator can select the most suitable server (the Home Agent for Mobile IPv6 and the ISATAP router for ISATAP) for each mobile node, which increases the degree of freedom in the network design.

Figure 1: Examples of Achievements (callouts in the figure: MIPv6 Home Address is dynamically assigned; the nearest ISATAP server is dynamically assigned; IPsec protects MIPv6 Binding Updates and Acks; the ISATAP router blocks unauthorized traffic from a malicious node; handover delay to a heterogeneous network is minimized; PPP, 802.1x and PANA are acceptable as the authentication protocol. Nodes shown: MN, HA, ISATAP routers, Net1 (IPv6), Net2 (IPv4), Net3 (IPv4).)

Second, our proposal enables Mobile IPv6 and ISATAP to be used as reliable commercial services. Different from experimental or closed networks, authentication is necessary for accounting in commercial networks, and security is necessary for reliable networks. For example, an IPsec SA is mandatory for Mobile IPv6 (as specified in [1]), and an ISATAP router needs to authenticate the mobile node's IP address to enable accounting and to drop unauthorized traffic. Figure 1 includes some examples of how our proposal improves Mobile IPv6 and ISATAP.

1.4. Evaluations

In this paper, the methods of bootstrapping, including our proposal, will be evaluated from 2 technical perspectives. One is the amount of information that must be distributed to the clients and servers (or routers) beforehand. This is related to operational scalability or complexity. For example, in the case of establishing the IPsec Security Association (SA) for the Mobile IPv6 Binding Update and Binding Acknowledgement, if both ends (Mobile Node and Home Agent) have agreed on all IPsec parameters beforehand (static configuration, in other words), the time to establish the IPsec SA is very low (or none), but the operational complexity is very high. It could be an awful operational cost to configure the IPsec parameters (e.g. shared keys, security parameter index (SPI), IP address etc.) for millions of subscribers and to maintain synchronization between Mobile Nodes and Home Agents. The other aspect of evaluation is the time to bootstrap. There are some cases in which the time to bootstrap is critical. One example is handover to a heterogeneous wireless network. Different from handover within the same wireless network, mobile nodes will have to set up the network configuration nearly from scratch when doing handover to a heterogeneous wireless network.

2. Assumptions and Definitions

In this section, some assumptions that are necessary for our proposal are described, and some words are defined to stand for the concepts necessary to explain our proposal.

2.1. AAA Architecture Model

The AAA framework assumed here is straightforward and very common in current mobile networks. Figure 2 shows the AAA framework model assumed in this proposal. A mobile node (MN) is assumed to be a subscriber of the Home Domain in Figure 2, which would be either the real mobile network operator or a mobile virtual network operator (MVNO). When the MN visits a Visited Domain, it will start the authentication procedure to get authorized to access the network by using some AAA protocol (e.g. PPP, 802.1x etc., depending on the administrative policy of the visited domain). From the NAI or whatever else is used as the identifier in the AAA protocol, the access router (AR) or the AAA server in the Visited Domain (AAAv) can learn the Home Domain to which the MN subscribes.

Then a connection of an AAA protocol (which will probably be different from the AAA protocol between AR and MN) will be established toward the Home Domain to inquire, e.g., whether the MN is a valid subscriber, what kind of services should be served, or what kind of accounting should be used. If the AAA server in the home network (AAAh) authenticates the mobile node, the successful result will be transferred to the AR in the Visited Domain through the AAA protocol. Then the AR will open the port of the MN's access link and the MN gets permission to access the Visited Domain and beyond.

Normally, there are roaming agreements between the Home Domain and the Visited Domain (from a purely technical point of view, such agreements may not be necessary, but it is very natural to assume them when thinking about accounting issues). The AAA servers (AAAv and AAAh in Figure 2) will have mutual trust beforehand.

Figure 2: AAA Architecture Model (Home Domain: HA and AAAh, connected by the Dynamic Provisioning Protocol (Diameter, SNMP, COPS); AAAh connected to the AAAv of Visited Domain 1 and Visited Domain 2 by the AAA Backend Protocol (Radius, Diameter); each AAAv connected to several ARs; MN connected to an AR by the AAA Frontend Protocol (PPP, 802.1x, PANA). Legend: AAAh - AAA Server in Home Domain; AAAv - AAA Server in Visited Domain; AR - Access Router; MN - Mobile Node (Subscriber of Home Domain); HA - Home Agent (as example of Service Node).)

2.2. AAA Frontend Protocols

Between MN and AR, an authentication protocol is assumed. In current cellular networks, PPP is widely adopted as the authentication protocol (PPP is used not only to authenticate but also to establish the access link, assign the IP address etc.). And 802.1x is widely deployed in W-LAN hotspot services. We call such AAA protocols between MN and AR "AAA Frontend Protocol" in this paper. The new authentication protocol PANA [7], which is now being standardized in the IETF, is also usable as an AAA Frontend Protocol.

2.3. AAA Backend Protocols

Between AR and AAAv and between AAAv and AAAh, there are inter-domain AAA protocols, e.g. Radius or Diameter [4]. The AR works as an AAA client of the inter-domain AAA protocol when a mobile node starts to access the AR through the AAA Frontend Protocol. The AR establishes an AAA connection to the AAAh to which the mobile node subscribes. It may be either direct or indirect (relayed by AAAv). The term "AAA Backend Protocol" is used to represent such inter-domain AAA protocols.

2.4. Extensible Authentication Protocol (EAP)

EAP [8] is the most important assumption in our proposal. EAP is used as the authentication method, and can replace other authentication methods like PAP or CHAP. EAP itself does not have any authentication mechanism but can convey various authentication methods, e.g. MD5 challenge and response, or X.500 certificate based methods. Actually, almost all AAA protocols (PPP, 802.1x, PANA, Radius, Diameter [5] etc.) use EAP as the authentication method, so the assumption of EAP is very reasonable even for existing mobile networks. Authentication methods other than EAP (e.g. PAP, CHAP, web-based authentication) are therefore out of scope in this proposal.

2.5. Dynamic Provisioning Protocols

We also assume another protocol used to manage the network nodes within a single administrative domain. This protocol may be used for management or provisioning. It is assumed to enable configuring a remote network node. In this model, AAAh uses this protocol to configure the service node in the same domain (the MIPv6 Home Agent is pictured as the example of the service node in Figure 2).

2.6. User Data

As the minimum data used in AAA operations, MN and AAAh must share two kinds of data (which will probably be distributed offline, embedded in ROM or a SIM card for the MN and recorded in the subscriber database for AAAh). They are:

• User Identifier (e.g. NAI, IMSI etc.)
• Shared Secret Key (any random octet string)

Figure 3: User ID and Shared Secret (both MN and AAAh hold User-ID: user@home.net and Shared-Secret: secret)

A certificate like X.509 can be used instead of the shared secret key if there is an appropriate authentication method that can generate a shared secret key between MN and AAAh. If so, we can treat it as the equivalent of the shared secret key.

2.7. AAA Protocol Stack

Figure 4 illustrates the AAA Protocol Stack including all the protocols described in this section (AAA Frontend Protocol, AAA Backend Protocol, EAP and Dynamic Provisioning Protocol). As shown in Figure 4, the "EAP method" protocol layer is built only on MN and AAAh. This is very important for our proposal because our central idea is to introduce a new EAP method; it means that any unknown EAP method has no impact on AR and AAAv (both reside in the visited domain). So our proposal can be used with any visited domain that conforms to the assumptions described in section 2.

Figure 4: AAA Protocol Stack (MN: EAP Method / EAP / AAA Frontend; AR: AAA Frontend / AAA Backend; AAAv: AAA Backend; AAAh: EAP Method / EAP / AAA Backend / Prov Appl / Prov Protocol; HA (ISATAP): Prov Appl / Prov Protocol. AAA Frontend - for example PPP, 802.1x, PANA; AAA Backend - for example Radius, Diameter; Prov Appl - Dynamic Provisioning Application; Prov Protocol - Dynamic Provisioning Protocol (e.g. SNMP, COPS, Diameter).)

3. Problems

3.1. Problems for Bootstrapping MIPv6

In order to bootstrap MIPv6 from scratch, some issues have to be solved:

• Assign a Home Address for the Mobile Node
• Discover the MIPv6 Home Agent
• Establish the IPsec SA for Binding Update and Binding Acknowledgement

Currently, there is no way to assign the Home Address within the Mobile IPv6 specification. It is assumed that the Mobile Node must be assigned a Home Address by some method (static or dynamic) other than MIPv6 signalling before starting MIPv6. As for discovering the Home Agent, Dynamic Home Agent Address Discovery is defined in the MIPv6 specification. But it is not completely dynamic, because the MN must know the prefix of the HA's IPv6 address, which will be presumed from the Home Address. Establishing the IPsec SA for the MIPv6 Binding Update and Binding Acknowledgement is another problem, because the Home Address and the Home Agent Address are necessary to establish the IPsec SA between them. Even if IKE is used to establish the IPsec SA between MN and HA, MN and HA need a method to authenticate each other (in the IKE specification, there are two ways of authentication, shared secret and X.509 certificate). But it introduces another restriction on MN and HA: the MN and its possible HAs (there could be multiple) must keep an authentication method for IKE other than the one used for the AAA protocols.

3.2. Problems for Bootstrapping ISATAP

In order to bootstrap ISATAP, these issues must be solved:

• Discover a suitable ISATAP router for the Mobile Node (e.g. the nearest ISATAP router to the MN)
• Establish a Security Association between MN and ISATAP router for accounting

In the ISATAP specification, some ways are suggested to discover ISATAP routers. One is to use DNS to find the ISATAP router. But there are some problems with using DNS. Following the suggestion of the ISATAP specification, the MN should keep a PRL (Potential Router List), which is the list of FQDNs of ISATAP routers. The MN will select one FQDN and get the IP address of the ISATAP router by using DNS.

But selecting the ISATAP router should be done with much care, because the user traffic could be forced into triangle routing when an ISATAP router far from the MN is selected. And if the Visited Domain assigns a private IP address to the MN, the MN must select an ISATAP router within the Visited Network. It is not defined which FQDN can be used to get the IP address of such an ISATAP router.

Security and authentication should be considered seriously. Most current network sites that use private IPv4 addresses have a natural security mechanism, because private addressing naturally prevents direct attack from outside networks. But an ISATAP router assigns global IPv6 addresses automatically to all nodes in the private network.

Figure 5: Attack from outside through ISATAP router (a Cracker on the Internet (IPv4/IPv6) cannot send IPv4 packets directly to the Critical Server on the private IPv4 network, but can send IPv6 packets through the ISATAP router; the Critical Server cannot block packets from crackers by filtering on the IPv4 source address. Nodes shown: Critical Server, MN, ISATAP router, Cracker.)

Figure 5 shows an example of attack from outside. Normally, private IPv4 addressing naturally avoids direct attacks from the outside network, and currently many network sites rely on this fact as a security measure. But an ISATAP router enables direct IPv6 access from outside networks. So when introducing an ISATAP router, the ISATAP router should authenticate and authorize the MN's IP address for both security and accounting purposes. Any traffic to or from an unauthorized IP address should be dropped at the ISATAP router.

4. Proposal

4.1. EAP method for bootstrapping

4.1.1. Motivations

First, we defined a new EAP method, which is one of the authentication methods of EAP. EAP can be conveyed on various access or authentication protocols. EAP, by itself, does not have any authentication and authorization mechanism. It only defines 4 functions: Request, Response, Success and Fail. A wide variety of authentication methods are defined as EAP methods, e.g. MD5-Challenge, TLS, AKA and PEAP. The important feature of EAP methods is that they are end-to-end. As shown in Figure 4, MN and AAAh (the AAA server in the Home Domain) implement the EAP method, but the intermediate AAA nodes (AR and AAAv) are not required to implement EAP methods.

What we claim from this fact is that any EAP method works independently of the implementation of the Visited Domains. So the new EAP method we propose here will work with any current Visited Domain (Network Access Provider).

On the other hand, the new EAP method will be implemented on the MN and the AAA server in our proposal. MN and AAAh can be assumed to belong to the same network operator (because the MN subscribes to the Home Domain). So a single network operator can introduce any proprietary EAP method that works with any Visited Domain (Network Access Provider).

4.2. AAA for bootstrapping

Figure 6 shows the signal flow of AAA for Bootstrapping. Statically assigned data is pictured in the square representing each network node (MN, Server (MIPv6 HA or ISATAP router) and AAAh). As mentioned before, User-ID and Master-Key are statically assigned in the MN. They are also registered in a database of AAAh. The Server has no prior static data about each MN. Probably, AAAh and Server have some general Service Parameters about each Service (MIPv6 or ISATAP) but no parameters about each MN. The IP address of the ISATAP router is one example of a Service Parameter kept by AAAh. AAAh knows the Visited Network of the MN, and so it can assign an ISATAP router in the Visited Network of the MN.

Next, each step of bootstrapping MIPv6 in Figure 6 will be explained.

1. The EAP interaction starts between AAAh and MN. The AAA front-end protocol invokes it and the AAA back-end protocol connects the Visited Network and the Home Network.

2. MN generates EAP-Nonce (a random octet string) and calculates EAP-Key (= Hash(Master-Key, EAP-Nonce)). To keep EAP-Key off the air, MN sends EAP-Nonce and authentication information (e.g. User-ID and MD5-Response) (and Service Parameters owned by MN, if any) to AAAh. EAP-Key will be used later.

3. On receiving the EAP packet from MN, AAAh assigns Service Parameters configured in AAAh (e.g. MIPv6 Home Agent, ISATAP router). How to select Service Parameters is out of scope in this paper, but it could be based on the location of the MN or the load balance of the Servers. AAAh calculates EAP-Key (= Hash(Master-Key, EAP-Nonce)), generates Service-Nonce and calculates Shared-Key (= Hash(Master-Key, Service-Nonce)). Shared-Key will be used for authentication or security of the Service between MN and Server.

4. AAAh sends Shared-Key and the Service Parameters configured in AAAh to the Server over the Provisioning Protocol.

5. On receiving Shared-Key and the Service Parameters configured in AAAh, the Server registers and assigns the Service Parameters. It may also assign other Service Parameters configured (or newly assigned) in the Server (e.g. the IPv6 prefix of the ISATAP interface, the SPI for the IPsec SA).

6. The Server sends the Service Parameters configured in (or assigned in step 5 by) the Server to AAAh over the Provisioning Protocol.

7. AAAh forwards Service-Nonce, the Service Parameters from the Server and the Service Parameters configured in AAAh to MN. This message is encrypted by EAP-Key (calculated in step 3).

8. On receiving the EAP packet from AAAh, MN decrypts this message with EAP-Key (calculated in step 2). The decrypted message includes Service-Nonce and the Service Parameters configured in both AAAh and the Server. Then MN calculates Shared-Key (= Hash(Master-Key, Service-Nonce)) for the authentication or security of the Service between MN and Server.

9. In the case of MIPv6, MN sends the BU and HA sends the BA; Shared-Key protects both messages. In the case of ISATAP, more interaction would be necessary when using IPsec, because the MN might not have been assigned an IP address (e.g. by DHCP, PPP) before the authentication finishes. In that case, another protocol is necessary to establish the IPsec SA between the ISATAP router (Server) and MN. IKE can do it, but a lighter and simpler (maybe proprietary) protocol would be more suitable, if one exists, because the shared key has been generated and shared already.

Figure 6: AAA for Bootstrapping (MN holds User-ID and Master-Key; AAAh holds User-ID and Master-Key; the Server is the MIPv6 HA / ISATAP router. (1) Send Request for EAP/Service (MIPv6 or ISATAP). (2) Generate EAP-Nonce, calc EAP-Key (= HASH(Master-Key, EAP-Nonce)), send (User-ID, EAP-Nonce, Service Parameters of MN, e.g. MN's IP). (3) Calc EAP-Key (= HASH(Master-Key, EAP-Nonce)), generate Service-Nonce and calc Shared-Key (= HASH(Master-Key, Service-Nonce)), assign Service Parameters of AAAh (e.g. Server's IP address, lifetime etc.). (4) Send (Shared-Key, MN Parameters, Service Parameters of MN + AAAh). (5) Register (Shared-Key, MN Parameters, Service Parameters of MN + AAAh) and assign Service Parameters of Server (e.g. ISATAP IPv6 prefix). (6) Send (Service Parameters of Server). (7) Send (Service-Nonce, Service Parameters of AAAh + Server), encrypted by EAP-Key. (8) Decrypt the packet from AAAh by EAP-Key and calc Shared-Key for Service authentication (= HASH(Master-Key, Service-Nonce)). (9) Shared-Key and Service Parameters of MN + AAAh + Server are shared between MN and Server; then the Service is established.)

5. Evaluation

In order to evaluate our proposal, we compare 3 methods to bootstrap MIPv6 and ISATAP.

5.1. Static Method for bootstrapping

In the static method, all parameters necessary to bootstrap (except IPv4 and IPv6 addresses) are assumed to be statically defined and manually configured. So no dynamic service discovery is possible.

5.2. Dynamic Method for bootstrapping

In the dynamic method, all parameters necessary to bootstrap are dynamically allocated and configured as much as possible by using the methods described in the specifications, e.g. the Home Agent address is allocated by Dynamic Home Agent Discovery, the ISATAP router address is allocated by DNS, IPsec parameters are configured by IKE etc.
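The exchange of Section 4.2 (steps 2 to 9 of Figure 6) and the ingress authorization that Section 3.2 asks of the ISATAP router, as an added example that is not code from the paper or its NetBSD test-bed. Everything the paper leaves open is an assumption here: HMAC-SHA256 stands in for "Hash(Master-Key, Nonce)", an HMAC keystream with an encrypt-then-MAC tag stands in for the unnamed "encryption by EAP-Key" of step 7, an HMAC proof stands in for the MD5-Response of step 2, and the Server's registry is a dict keyed by the MN's IPv4 address (the "MN's IP" Service Parameter of step 2). The ISATAP address layout is the RFC 4214 one (prefix followed by 0000:5EFE and the embedded IPv4 address, with the u/l bit set for a globally unique IPv4 address). The subscriber record, prefix and addresses are constructed for the example; EAP framing, replay protection and the IPsec SA of step 9 are omitted.

```python
import hashlib, hmac, ipaddress, json, os


def kdf(key: bytes, data: bytes) -> bytes:
    """Paper: Key = Hash(Master-Key, Nonce). HMAC-SHA256 is our assumption."""
    return hmac.new(key, data, hashlib.sha256).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Keystream cipher standing in for the unnamed 'encryption by EAP-Key'
    (assumption); the tag computed by the caller adds integrity."""
    blocks = len(data) // 32 + 1
    stream = b"".join(kdf(key, i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def isatap_address(prefix: ipaddress.IPv6Network, v4: str) -> ipaddress.IPv6Address:
    """RFC 4214 ISATAP address: prefix || 0000:5EFE:w.x.y.z, with the u/l bit
    (0200) set when the embedded IPv4 address is globally unique."""
    a = ipaddress.IPv4Address(v4)
    iid = ((0x0200 if a.is_global else 0) << 48) | (0x5EFE << 32) | int(a)
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


class MobileNode:
    def __init__(self, user_id: str, master_key: bytes, v4: str):
        self.user_id, self.master_key, self.v4 = user_id, master_key, v4

    def eap_response(self):
        """Step 2: nonce, EAP-Key, and an HMAC proof (stands in for MD5-Response)."""
        self.eap_nonce = os.urandom(16)
        self.eap_key = kdf(self.master_key, self.eap_nonce)
        proof = kdf(self.eap_key, b"EAP-Response")
        return self.user_id, self.eap_nonce, proof, self.v4

    def eap_finish(self, ct: bytes, tag: bytes) -> dict:
        """Step 8: check the tag, decrypt with EAP-Key, derive Shared-Key."""
        if not hmac.compare_digest(tag, kdf(kdf(self.eap_key, b"mac"), ct)):
            raise ValueError("EAP reply failed integrity check")
        params = json.loads(stream_xor(self.eap_key, ct))
        self.shared_key = kdf(self.master_key, bytes.fromhex(params.pop("service_nonce")))
        return params


class IsatapRouter:  # the Server of Figure 6; holds no per-MN data in advance
    def __init__(self, prefix: str):
        self.prefix = ipaddress.IPv6Network(prefix)
        self.registry = {}  # outer IPv4 of MN -> (User-ID, Shared-Key)

    def provision(self, user_id: str, shared_key: bytes, mn_v4: str) -> dict:
        """Steps 5 and 6: register the MN, return the Server's own parameters."""
        self.registry[mn_v4] = (user_id, shared_key)
        return {"isatap_prefix": str(self.prefix)}

    def accept(self, outer_src_v4: str, inner_src_v6: str) -> bool:
        """Section 3.2 ingress check: the outer IPv4 source must be registered and
        the inner IPv6 source must be the ISATAP address embedding that same IPv4."""
        if outer_src_v4 not in self.registry:
            return False
        return ipaddress.IPv6Address(inner_src_v6) == isatap_address(self.prefix, outer_src_v4)

    def verify_service(self, mn_v4: str, msg: bytes, tag: bytes) -> bool:
        """Step 9: service signalling (e.g. a MIPv6 BU) authenticated with Shared-Key."""
        return hmac.compare_digest(tag, kdf(self.registry[mn_v4][1], msg))


class HomeAAA:
    def __init__(self, subscribers: dict, router: IsatapRouter, router_v4: str):
        self.subscribers = subscribers  # User-ID -> Master-Key (Figure 3)
        self.router, self.router_v4 = router, router_v4  # Service Parameters of AAAh

    def eap_reply(self, user_id: str, eap_nonce: bytes, proof: bytes, mn_v4: str):
        """Steps 3, 4 and 7: authenticate, derive keys, provision, encrypt the reply."""
        master = self.subscribers[user_id]
        eap_key = kdf(master, eap_nonce)
        if not hmac.compare_digest(proof, kdf(eap_key, b"EAP-Response")):
            raise ValueError("authentication failed")
        service_nonce = os.urandom(16)
        shared_key = kdf(master, service_nonce)  # goes to the Server, never over the air
        params = {"service_nonce": service_nonce.hex(), "router_v4": self.router_v4,
                  "lifetime": 3600, **self.router.provision(user_id, shared_key, mn_v4)}
        ct = stream_xor(eap_key, json.dumps(params).encode())
        return ct, kdf(kdf(eap_key, b"mac"), ct)  # encrypt-then-MAC under EAP-Key


def demo() -> dict:
    """Run the exchange for one constructed subscriber and exercise the router."""
    router = IsatapRouter("2001:db8:1::/64")
    aaah = HomeAAA({"user@home.net": b"secret"}, router, "192.0.2.1")
    mn = MobileNode("user@home.net", b"secret", "10.1.2.3")
    params = mn.eap_finish(*aaah.eap_reply(*mn.eap_response()))
    mn_v6 = str(isatap_address(router.prefix, mn.v4))
    return {
        "params": params,
        "mn_v6": mn_v6,
        "bu_ok": router.verify_service(mn.v4, b"BU", kdf(mn.shared_key, b"BU")),
        "own_packet": router.accept("10.1.2.3", mn_v6),
        "unknown_host": router.accept("10.9.9.9", "2001:db8:1::5efe:a09:909"),
        "spoofed_inner": router.accept("10.1.2.3", "2001:db8:1::5efe:a09:909"),
    }
```

`demo()` returns the MN's provisioned parameters (router address, lifetime, ISATAP prefix), the MN's ISATAP address `2001:db8:1::5efe:a01:203`, a successful Shared-Key check on a BU-like message, and the three ingress cases: the MN's own tunnelled packet is accepted, a packet from an unregistered IPv4 source is dropped, and a packet whose inner IPv6 source does not embed the outer IPv4 source is dropped even though that IPv4 source is registered. The last case is the one the paper's Figure 5 attacker relies on: without tying the inner address to the authenticated outer address, any registered host could inject packets on behalf of any IPv6 address under the prefix.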

5.3. AAA Method for bootstrapping

Defined in Section 4.2.

5.4. Management Costs Evaluation

It is difficult to quantify the management cost. So, as a simple indication, we use the number of items to be configured in each node. Especially, the number of configured items in the Mobile Node is important, because they are hard for the network operator to change remotely. In particular, any static IP address configuration in the MN (e.g. MIPv6 Home Address, ISATAP router address) will restrict the network design. It makes it difficult for the network operator to change their network topology.

Table 1: MN Parameters for MIPv6

  Method   Configuration Parameters
  Static   AAA User-ID, AAA Shared-Key, Mobile IPv6 Home Address,
           Mobile IPv6 Home Agent Address, IPsec Shared-Key (BU),
           IPsec Encryption Algorithm (BU), IPsec SPI (BU), IPsec Shared-Key (BA),
           IPsec Encryption Algorithm (BA), IPsec SPI (BA)
  Dynamic  AAA User-ID, AAA Shared-Key, Mobile IPv6 Home Address, IKE User-ID,
           IKE Shared-Key (or Certificate)
  AAA      AAA User-ID, AAA Shared-Key

Table 2: MN Parameters for ISATAP

  Method   Configuration Parameters
  Static   AAA User-ID, AAA Shared-Key, ISATAP router Address, IPsec Shared-Key,
           IPsec Encryption Algorithm, IPsec SPI
  Dynamic  AAA User-ID, AAA Shared-Key, IKE User-ID, IKE Shared-Key (or Certificate)
  AAA      AAA User-ID, AAA Shared-Key

As shown in Table 1 and Table 2, the static method demands lots of configuration parameters. It is unrealistic to define the details of the IPsec SA beforehand. Even the dynamic method demands more parameters to be configured than our proposal.

5.5. Performance Evaluation

In most wireless networks, especially cellular networks, the delay of the wireless link is dominant in the delay of packet transfer. So we count the number of frames over the wireless link (in other words, between the mobile node and any network node) when bootstrapping.

Table 3: Wireless Link Frames to bootstrap MIPv6

  Method   Protocol       Frames
  Static   802.1x         3
           EAP (MD5)      2
           IPv6 RS/RA     2
           MIPv6 BU/BA    2
           Total          9
  Dynamic  802.1x         3
           EAP (MD5)      2
           IPv6 RS/RA     2
           DHADP          2
           IKE [3]        6
           MIPv6 BU/BA    2
           Total          17
  AAA      802.1x         3
           EAP (MIPv6)    4
           IPv6 RS/RA     2
           MIPv6 BU/BA    2
           Total          11

Table 4: Wireless Link Frames to bootstrap ISATAP

  Method   Protocol       Frames
  Static   802.1x         3
           EAP (MD5)      2
           DHCP           3
           IPv6 RS/RA     2
           Total          10
  Dynamic  802.1x         3
           EAP (MD5)      2
           DHCP           3
           DNS            2
           IKE            6
           IPv6 RS/RA     2
           Total          18
  AAA      802.1x         3
           EAP (ISATAP)   4
           DHCP           3
           Total          10

We assume that MD5-Challenge is used as the EAP method and 802.1x as the frontend AAA protocol in the static and dynamic methods, and the shortest packet exchange for IKE (6 transfers). As shown in Table 3 and Table 4, the dynamic method demands lots of packet transfers over the wireless link, mainly because of IKE. It could be more if certificate-based authentication is used for IKE. On the other hand, the AAA-based method is not so different from the static method in this performance evaluation.

5.6. Performance Measurement

We also measured the performance of bootstrapping in our test-bed. All functionality is implemented as software on NetBSD running on PC architecture. All nodes are connected via 100Base-T Ethernet. For Mobile IPv6, the delay from starting AAA (authentication) to finishing the MIPv6 BU/BA was measured. And for ISATAP, the delay from starting AAA to finishing the assignment of the ISATAP IPv6 address to the MN was measured. This is the same as described in the previous section.

Figure 7: Delay to Bootstrap Mobile IPv6 (bar chart, vertical axis 0 to 6, for Static, Dynamic and AAA, each with the wireless link delay assumed to be 0ms and 100ms)

Figure 8: Delay to Bootstrap ISATAP (bar chart, vertical axis 0 to 3, same layout as Figure 7)

In each graph, 2 delay values are illustrated for each method. One is under the assumption that the wireless link delay is 0ms, and the other 100ms. Though those values include software delay that should be eliminated, significant software delays have been removed from these values already.

6. Conclusion

We considered and evaluated 3 methods for bootstrapping, the static method, the dynamic method and the AAA method, in terms of 2 points, management costs and bootstrapping delay. For the evaluation of the management costs, we listed the necessary parameters (in MN, AAAh, MIPv6 HA and ISATAP router). A method that demands more parameters causes more management costs and more restrictions on the network design. As described in section 5.4, the AAA method demands fewer configuration parameters for the MN than the dynamic method.

In terms of performance, the delays of the static method and the AAA method are not so different. But the delay of the dynamic method is clearly larger than the others. If we assume a larger wireless link delay, the difference between the dynamic case and the others becomes larger. When considering packet loss on the wireless link, the dynamic method has a weakness: it has many more signals over the air, so it is easier to lose signals and have to retransmit them. Packet loss causes much more bootstrapping delay.

Considering all the various factors together, the static method and the dynamic method still have shortcomings for bootstrapping. Another architecture or supportive protocol is necessary for bootstrapping, especially in commercial cellular networks. We think our proposal, the AAA method, can provide the solution for this.

References

[1] D. Johnson, C. Perkins and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004.
[2] S. Yamamoto, H. Yokota, C. Williams and M. Parthasarathy, "Mobile IPv6 Node traversal of IPv4 subnets using automatic tunnels", draft-yamamoto-mipv6node-v4trav-00.txt, February 2004.
[3] D. Harkins and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.
[4] P. Calhoun, H. Akhtar, J. Arkko, E. Guttman and A. Rubens, "Diameter Base Protocol", RFC 3588, September 2003.
[5] P. Eronen, T. Hiller and G. Zorn, "Diameter Extensible Authentication Protocol (EAP) Application", draft-ietf-aaa-eap-09.txt, August 2004.
[6] P. Calhoun, T. Johansson, C. Perkins, T. Hiller and P. McCann, "Diameter Mobile IPv4 Application", draft-ietf-aaa-diameter-mobileip-20.txt, August 2004.
[7] D. Forsberg, Y. Ohba, B. Patil, H. Tschofenig and A. Yegin, "Protocol for Carrying Authentication for Network Access (PANA)", draft-ietf-pana-pana-05.txt, July 2004.
[8] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004.
