Secure Transparent Mobile IP for Intelligent Transportation Systems

Ann-Tzung Cheng, Chun-Hsin Wu, Jan-Ming Ho, D.T. Lee
{jahorng, wuch, hoho, dtlee}@iis.sinica.edu.tw
Institute of Information Science, Academia Sinica, Taiwan
2004 IEEE Int’l Conference on Networking, Sensing, and Control, March 22, 2004

Outline
• Introduction
  – Mobile network issues for ITS
• Design of Transparent Mobile VPN
  – Transparent direct registration
  – Tunnel-in-tunnel design
  – VPN-based access control
  – Single sign-on
• Protocol Analysis and Experiments
• Conclusions

Types of Wireless Access Networks
[Figure: cost (dollars/1 kbps) and mobility (km/hr) plotted against spatial capacity (kbps/m²); technologies shown: cellular (PACS, PHS, GSM, GPRS, 3G), LEO, WLL, DSRC, 802.11 WLAN, HyperLAN, WPAN, Bluetooth; environments: rural, suburban, urban]
Wireless mobile data services are getting popular
1. Wide-area communication systems: 3G, GPRS, PHS
   • Higher mobility
2. Short-range communication systems: DSRC, WLAN
   • Larger capacity
   • Lower cost

Requirements of Wireless Access Networks for ITS
• High mobility
  – Allow drivers and passengers to access ITS services on the road
• Large spatial capacity
  – Allow more users to access ITS services simultaneously in a densely populated environment
• Open secure bi-directional transmission
  – Allow the ITS services to be provided by many different operators or providers, and requested by various users using common onboard units or wireless devices
• Low cost

Challenges to Providing ITS Services with Mobile IP over Wireless LAN
• Handoff latency becomes a significant problem because WLAN has a small cell size, which causes more frequent handoffs
• User roaming and traffic protection are more critical in WLAN than in GSM due to its openness
• The design of IP mobility management should be transparent to existing on-board equipment and hand-held devices, to be compatible with heterogeneous mobile devices

Transparent mobile VPN
• New techniques to enhance mobile IP
  – Transparent direct registration
  – Tunnel-in-tunnel design
  – VPN-based access control
  – Single sign-on
• Advantages
  – Integrate VPN technique to provide secure user roaming and traffic protection
  – Make the design of secure mobility fully transparent to heterogeneous mobile devices
  – Improve transparent mobile IP to pursue fast handoff and fast re-authentication process

Transparent Direct Registration
• Approach
  1. When an MN visits a foreign network, the FA can learn the IP address of the MN by monitoring the packets sent from the MN
  2. The FA can send out a mobile IP registration request message to the IP address of the MN without having to resolve the HA’s IP address first
  3. The HA can intercept the registration request message by proxy ARP and handle it, since the request uses a specific port number, i.e. UDP 434
  4. After verifying the validity of the request, the HA replies to the originating FA with its real IP address. The HA’s IP address is thus automatically and efficiently resolved by the FA
• Advantages
  – This enables an FA to reach an HA successfully without relying on a home agent server (HAS) to identify the MN’s HA
  – The method of maintaining mobile node information in base mobile IP need not be modified => transparency
  – No extra messages are required to look up the HA’s address => scalability

Tunneling in Transparent Mobile VPN
[Figure: protocol layering across Corresponding Node, Home Agent/VPN server, Foreign Agent and Mobile Node. Application end points (IP cn, IP vpn-cli) sit on top; VPN tunneling (IP vpn-srv, IP mn) provides security between HA and MN; mobile IP tunneling (IP ha, IP fa) provides mobility between HA and FA and is decapsulated at the FA; transparency is provided at the network layer. Legend: data traffic, control messages, mobile IP signal, VPN signal]
Description:
• IP cn: IP address of the CN
• IP vpn-cli: IP address assigned from the VPN server to the VPN client, that is also the foreign agent
• IP vpn-srv: IP address of the VPN server; it is also the HA
• IP mn: home IP address of the MN
• IP ha: IP address of the HA
• IP fa: IP address of the FA
Tunnel-in-tunnel mechanism
• Outer tunnel: mobile IP tunneling between FA and HA
• Inner tunnel: VPN tunneling between MN and HA
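As an added illustration of the tunnel-in-tunnel layering (this code is not from the paper), the following Python builds the three nested IPv4 headers of a CN-to-MN datagram as the HA would put it on the wire, lets the FA strip only the outer Mobile IP tunnel, and peels every layer to show which addresses each node sees. The addresses are constructed placeholders, protocol number 50 is used only as a tag for the inner VPN tunnel, and the VPN's encryption is omitted so the layering stays readable.

```python
import socket
import struct

IPPROTO_IPIP = 4   # IP-in-IP, the encapsulation used by Mobile IP tunnels
IPPROTO_VPN = 50   # assumption: ESP's number used only as a tag for the inner VPN tunnel
IPPROTO_UDP = 17
# Constructed placeholder addresses, named after the figure's labels
ADDR = {"cn": "198.51.100.10", "vpn_cli": "10.8.0.2", "vpn_srv": "10.8.0.1",
        "mn": "192.0.2.50", "ha": "192.0.2.1", "fa": "203.0.113.1"}

def _checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Prepend a minimal 20-byte IPv4 header (no options) to payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) after checking version and header checksum."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if f[0] >> 4 != 4 or _checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header")
    return socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), f[6], pkt[(f[0] & 0xF) * 4:f[2]]

def ha_encapsulate(app_payload: bytes) -> bytes:
    # What the HA/VPN server sends toward the FA for a CN-to-MN datagram
    app = ipv4(ADDR["cn"], ADDR["vpn_cli"], IPPROTO_UDP, app_payload)  # application packet
    vpn = ipv4(ADDR["vpn_srv"], ADDR["mn"], IPPROTO_VPN, app)          # inner VPN tunnel (HA -> MN)
    return ipv4(ADDR["ha"], ADDR["fa"], IPPROTO_IPIP, vpn)             # outer Mobile IP tunnel (HA -> FA)

def fa_decapsulate(pkt: bytes):
    """FA strips only the outer tunnel and forwards the inner packet on its LAN; None if not for this FA."""
    _, dst, proto, inner = parse_ipv4(pkt)
    return inner if dst == ADDR["fa"] and proto == IPPROTO_IPIP else None

def layers(pkt: bytes):
    """Peel every header; returns the (src, dst, proto) of each level and the final payload."""
    seen = []
    while True:
        src, dst, proto, payload = parse_ipv4(pkt)
        seen.append((src, dst, proto))
        if proto not in (IPPROTO_IPIP, IPPROTO_VPN):
            return seen, payload
        pkt = payload
```

The FA only ever matches on the outer header, which is what makes the VPN layer transparent to it, while the MN only sees the inner two headers.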

VPN-based Access Control: First Login
[Figure: first login message flow among Mobile Node, Foreign Agent and Home Agent/VPN Server, with mobile IP signaling and VPN signaling shown separately]
1. VPN initiating
2. Mobile IP request
3. Mobile IP reply
4. VPN setup messages
5. MN authorization
• MN is directly authenticated by HA following VPN protocols
• FA examines the authorization notification message sent from HA with a valid signature to decide whether it would grant the visitor the access request
• A user can use his home account to access foreign networks of other ISPs in the world
• Using a VPN tunnel, it is difficult for third-party nodes, including previous and current FAs, to eavesdrop or tamper with the MN’s communication data
• The VPN tunnel is transparent to the FA, and the mobile IP tunnel is transparent to the MN
• The tunnel is valid only after HA authenticates MN and FA recognizes the VPN connection

VPN-based Access Control: Single Sign-on
• Problem: time to set up a VPN connection is significant => heavy handoff/roaming cost
• If HA can successfully decrypt an incoming VPN packet from a new FA and verify the correctness of the associated sequence number, the HA can trust that the MN is now moving to the requested foreign network
• FA can decide to allow the access of the MN by trusting the reply message from the HA
[Figure: handoff message flow among Home Agent/VPN Server, previous foreign network, Foreign Agent and moving Mobile Node, with mobile IP signaling and VPN signaling shown separately]
1. MN arrival
2. Mobile IP request
3. Mobile IP reply
4. VPN communication resumes
• If a roaming user has logged in once, the user need not do an extra login process after each handoff
• The authenticated VPN session keeps running continuously and is not affected by handoff
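As an added example (not the paper's code) of the HA-side decision described above, the following Python models the VPN session's authentication, anti-replay sequence window and rebinding: a packet that verifies and carries a fresh sequence number, arriving through a new FA, moves the MN's binding without a new login, while replays and forgeries are dropped and leave the binding untouched. The keys, a toy HMAC-based keystream in place of the VPN's real cipher, and the 64-entry window are assumptions of this example, not details from the paper.

```python
import hashlib
import hmac
import struct

WINDOW = 64  # anti-replay window: sequence numbers older than top-63 are dropped

def new_session(enc_key: bytes, mac_key: bytes, fa: str) -> dict:
    """Per-MN VPN state held by both MN and HA after the first login (keys assumed pre-established)."""
    return {"enc_key": enc_key, "mac_key": mac_key, "fa": fa,
            "send_seq": 0, "recv_top": 0, "recv_mask": 0}

def _keystream(key: bytes, seq: int, n: int) -> bytes:
    # Toy HMAC-based keystream standing in for the VPN's real cipher; not for production use.
    out = b""
    for ctr in range(n // 32 + 1):
        out += hmac.new(key, struct.pack("!IQ", seq, ctr), hashlib.sha256).digest()
    return out[:n]

def mn_seal(session: dict, plaintext: bytes) -> bytes:
    """MN side: seq || ciphertext || HMAC-SHA256 tag, as one VPN data packet."""
    seq, session["send_seq"] = session["send_seq"], session["send_seq"] + 1
    ks = _keystream(session["enc_key"], seq, len(plaintext))
    body = struct.pack("!I", seq) + bytes(a ^ b for a, b in zip(plaintext, ks))
    return body + hmac.new(session["mac_key"], body, hashlib.sha256).digest()

def ha_receive(session: dict, arriving_fa: str, packet: bytes):
    """HA side: a packet that authenticates and carries a fresh sequence number is
    proof enough that the MN is behind arriving_fa; rebind without a new login."""
    body, tag = packet[:-32], packet[-32:]
    if not hmac.compare_digest(hmac.new(session["mac_key"], body, hashlib.sha256).digest(), tag):
        return "reject: bad MAC", None
    seq = struct.unpack("!I", body[:4])[0]
    top, mask = session["recv_top"], session["recv_mask"]
    if seq > top:                       # newer than anything seen: slide the window
        shift = seq - top
        mask = ((mask << shift) | 1) & ((1 << WINDOW) - 1) if shift < WINDOW else 1
        top = seq
    else:                               # inside or behind the window
        off = top - seq
        if off >= WINDOW or (mask >> off) & 1:
            return "reject: replay", None
        mask |= 1 << off
    session["recv_top"], session["recv_mask"] = top, mask
    ks = _keystream(session["enc_key"], seq, len(body) - 4)
    plaintext = bytes(a ^ b for a, b in zip(body[4:], ks))
    if arriving_fa != session["fa"]:    # single sign-on handoff: trust the authenticated packet
        session["fa"] = arriving_fa
        return "handoff", plaintext
    return "ok", plaintext
```

Note that the window state is updated before the rebinding decision, so a captured packet replayed through a third FA cannot move the binding a second time.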

Experiment Environment
Compared Methods
1. Mobile IP with 802.1x authentication (EAP-TLS) for user roaming
2. Mobile IP with VPN
3. Transparent mobile VPN
The process of layer 2 handoff is the same in the three compared methods
Experiments
1. Protocol analysis
2. Handoff latency
3. Number of control messages delivered

Protocol Analysis: Handoff Details
Five parts:
1. Layer 2 handoff
2. Re-authentication process (EAP-TLS)
3. Layer 3 handoff detection
4. Mobile IP registration
5. Connection resume
[Figure: message sequence charts among MN, AP, FA, RADIUS, HA and CN for the three compared methods]
(a) mobile IP with EAP-TLS: 802.11b handoff (Probe, auth, Associ); EAP-TLS re-authentication (EAPOL Start, EAP-ID, Hello, ServerCertification, ClientCertification, SSLHandshake, EAP-Chal, EAP-Response, EAP-Accept, Success); L3 handoff detection (AgentAdv); Mobile IP registration (Request, Reply); connection resume (Data)
(b) mobile IP with VPN/SSO: 802.11b handoff (Probe, auth, Associ); L3 handoff detection (AgentAdv); Mobile IP registration (Request, Reply); connection resume (Data)
(c) transparent mobile VPN: 802.11b handoff (Probe, auth, Associ); L3 handoff detection triggered by a data packet; Mobile IP registration (Request, Reply); connection resume (Data)
• Security assured by VPN
• Handoff triggered by data pkt (Transparent)

Experiment Results: Handoff Latency
[Figure: bar chart of latency in seconds (0.00 to 3.00) for Total Latency, Re-Auth, L3 Handoff Detection, Mobile IP Registration and Connection Resume, except layer 2 handoff, comparing Mobile IP with EAP-TLS, Mobile IP with VPN and Transparent Mobile VPN]
1. Mobile IP with EAP-TLS
   • 2.32 sec averaged (re-authentication process: 1.58 sec)
2. Mobile IP with VPN/SSO (no re-login performed)
   • 0.68 sec averaged; mainly contributed by mobile IP/L3 handoff detection (average: 0.54 sec, around half of the agent advertisement interval)
3. Transparent mobile VPN
   • 0.16 sec averaged (0.02 sec in L3 handoff detection)

Experiment Results: Number of Messages
[Figure: bar chart of the number of messages (0 to 35) per handoff phase, including auth(mnHA), comparing Mobile IP with EAP-TLS, Mobile IP with VPN and Transparent mobile VPN]
• The design of single sign-on significantly reduces the number of messages, mainly those delivered across the WAN
• The design of transparent mobile VPN further reduces the overhead of L3 handoff detection and registration between MN and FA, which are usually within the same LAN

Application: Campus Navigation and Guidance System
[Figure panels: (a) WLAN infrastructure; (b) AutoPC; (c) Navigation; (d) MPEG-4 video streaming; (e) MP3 audio streaming]

Conclusions
• Several novel ideas, such as transparent direct registration, VPN tunnel inside mobile IP tunnel, VPN-based access control and single sign-on, are proposed to provide secure transparent access using enhanced mobile IP
  – Security assured by VPN
  – Transparency supported by intelligent FA
  – L3 handoff latency reduced by SSO
• We demonstrate that it is feasible to use short-range communication systems such as WLAN to support mobile access for broadband ITS applications