Secure Transparent Mobile IP for Intelligent Transportation Systems
Ann-Tzung Cheng, Chun-Hsin Wu, Jan-Ming Ho, D.T. Lee
{jahorng, wuch, hoho, dtlee}@iis.sinica.edu.tw
Institute of Information Science, Academia Sinica, Taiwan
2004 IEEE Int'l Conference on Networking, Sensing, and Control, March 22, 2004
Outline
• Introduction
  – Mobile network issues for ITS
• Design of Transparent Mobile VPN
  – Transparent direct registration
  – Tunnel-in-tunnel design
  – VPN-based access control
  – Single sign-on
• Protocol Analysis and Experiments
• Conclusions
Types of Wireless Access Networks
[Figure: wireless access technologies plotted by mobility (km/hr), spatial capacity (kbps/m²) and cost (dollars per 1 kbps). Cellular systems (PACS, PHS, GSM, GPRS, 3G), LEO satellite and WLL lie at the high-mobility, low-capacity end; DSRC, 802.11 WLAN, HyperLAN and WPAN/Bluetooth at the high-capacity, short-range end. Deployment environments range from rural through suburban to urban.]
Wireless mobile data services are getting popular
1. Wide-area communication systems:
  • 3G, GPRS, PHS
  • Higher mobility
2. Short-range communication systems:
  • DSRC, WLAN
  • Larger capacity
  • Lower cost
Requirements of Wireless Access Networks for ITS
• High mobility
  – Allow drivers and passengers to access ITS services on the road
• Large spatial capacity
  – Allow more users to access ITS services simultaneously in a densely populated environment
• Open secure bi-directional transmission
  – Allow ITS services to be provided by many different operators or providers, and requested by various users using common on-board units or wireless devices
• Low cost
Challenges to Providing ITS Services with Mobile IP over Wireless LAN
• Handoff latency becomes a significant problem because WLAN has a small cell size, which causes more frequent handoffs
• User roaming and traffic protection are more critical in WLAN than in GSM because of its openness
• The design of IP mobility management should be transparent to existing on-board equipment and hand-held devices, so that it remains compatible with heterogeneous mobile devices
Transparent mobile VPN
• New techniques to enhance mobile IP
  – Transparent direct registration
  – Tunnel-in-tunnel design
  – VPN-based access control
  – Single sign-on
• Advantages
  – Integrate the VPN technique to provide secure user roaming and traffic protection
  – Make the design of secure mobility fully transparent to heterogeneous mobile devices
  – Improve transparent mobile IP to pursue a fast handoff and fast re-authentication process
Transparent Direct Registration
• Approach
  1. When an MN visits a foreign network, the FA learns the IP address of the MN by monitoring the packets sent from the MN
  2. The FA sends a mobile IP registration request message to the IP address of the MN, without having to resolve the HA's IP address first
  3. The HA intercepts the registration request message by proxy ARP and handles it; the message is recognised by its specific port number, UDP 434
  4. After verifying the validity of the request, the HA replies to the originating FA with its real IP address. The HA's IP address is thus resolved automatically and efficiently by the FA
• Advantages
  – This enables an FA to reach an HA successfully without relying on a home agent server (HAS) to identify the MN's HA
  – The method of maintaining mobile node information in base mobile IP need not be modified => transparency
  – No extra messages are required to look up the HA's address => scalability
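The four registration steps above as an added simulation (not the authors' implementation): the home LAN delivers a UDP 434 packet for an absent MN to the HA through proxy ARP, the HA validates the request and replies from its real address, and the FA learns that address from the reply. The HMAC-SHA256 authenticator keyed by a secret shared between the FA and the MN's home domain is an assumption of this example.

```python
import hashlib
import hmac

MIP_PORT = 434  # UDP port for Mobile IP registration, as on the slide

def authenticator(key, fields):
    # Authentication extension over the request fields. HMAC-SHA256 is an
    # assumption of this example; base Mobile IP (RFC 3344) uses keyed MD5.
    msg = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class HomeAgent:
    def __init__(self, ip, served):
        self.ip = ip              # real HA address; the FA does not know it yet
        self.served = served      # MN home IP -> key shared with the visited domain (assumed)
        self.away = set(served)   # MNs currently away: the HA answers ARP for them
        self.bindings = {}        # MN home IP -> care-of address
    def handle_registration(self, req):
        key = self.served.get(req["home_addr"])
        fields = {k: v for k, v in req.items() if k != "auth"}
        if key is None or not hmac.compare_digest(authenticator(key, fields), req["auth"]):
            return None           # invalid request: drop it, create no binding
        self.bindings[req["home_addr"]] = req["care_of"]
        # Step 4: the reply is sourced from the HA's real address
        return {"type": "reply", "code": 0, "home_addr": req["home_addr"], "src": self.ip}

class HomeNetwork:
    # Models the home LAN: a UDP 434 packet for an absent MN is claimed by the HA
    # through proxy ARP (step 3); anything else is not intercepted.
    def __init__(self, ha):
        self.ha = ha
    def deliver(self, dst_ip, dport, pkt):
        if dst_ip in self.ha.away and dport == MIP_PORT:
            return self.ha.handle_registration(pkt)
        return None

class ForeignAgent:
    def __init__(self, ip, key, home_net):
        self.ip, self.key, self.home_net = ip, key, home_net
        self.ha_of = {}           # HA address learned per MN
    def register(self, mn_ip):
        # Step 1 (learning mn_ip by sniffing the MN's packets) is done by the caller.
        # Step 2: send the request straight to the MN's home address, no HA lookup.
        req = {"type": "request", "home_addr": mn_ip, "care_of": self.ip, "lifetime": 600}
        req["auth"] = authenticator(self.key, req)
        reply = self.home_net.deliver(mn_ip, MIP_PORT, req)
        if reply is not None and reply["code"] == 0:
            self.ha_of[mn_ip] = reply["src"]   # HA's real IP resolved from the reply
        return reply
```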
Tunneling in Transparent Mobile VPN
[Figure: header stack of a packet travelling from the Corresponding Node to the Mobile Node. Application end point: (IP cn, IP vpn-cli). VPN tunneling (security): (IP vpn-srv, IP mn). Mobile IP tunneling (mobility, transparency): (IP ha, IP fa). The Home Agent/VPN server adds both tunnel headers; the mobile IP tunnel is decapsulated at the Foreign Agent and the VPN packet is forwarded to the Mobile Node. Legend: mobile IP tunneling, VPN tunneling, data traffic, control messages (mobile IP signal, VPN signal).]
Description:
• IP cn: IP address of the CN
• IP vpn-cli: IP address assigned by the VPN server to the VPN client, that is also the foreign agent
• IP vpn-srv: IP address of the VPN server, which is also the HA
• IP mn: home IP address of the MN
• IP ha: IP address of the HA
• IP fa: IP address of the FA
Tunnel-in-tunnel mechanism
• Outer tunnel: mobile IP tunneling between FA and HA
• Inner tunnel: VPN tunneling between MN and HA
VPN-based Access Control: First Login
[Figure: message flow among the Mobile Node, the Foreign Agent and the Home Agent/VPN Server (mobile IP signaling and VPN signaling): 1. VPN initiating, 2. Mobile IP request, 3. Mobile IP reply, 4. VPN setup messages, 5. MN authorization.]
• MN is directly authenticated by HA following VPN protocols
• FA examines the authorization notification message sent from HA with a valid signature to decide whether it would grant the visitor the access request
• A user can use his home account to access foreign networks of other ISPs in the world
• Using a VPN tunnel, it is difficult for third-party nodes, including previous and current FAs, to eavesdrop on or tamper with the MN's communication data
• The VPN tunnel is transparent to the FA, and the mobile IP tunnel is transparent to the MN
• The tunnel is valid only after the HA authenticates the MN and the FA recognizes the VPN connection
VPN-based Access Control: Single Sign-on
• Problem: the time to set up a VPN connection is significant => heavy handoff/roaming cost
• If the HA can successfully decrypt an incoming VPN packet from a new FA and verify the correctness of the associated sequence number, the HA can trust that the MN is now moving to the requested foreign network
• The FA can decide to allow the access of the MN by trusting the reply message from the HA
[Figure: message flow among the moving Mobile Node, the previous foreign network, the new Foreign Agent and the Home Agent/VPN Server (mobile IP signaling and VPN signaling): 1. MN arrival, 2. Mobile IP request, 3. Mobile IP reply, 4. VPN communication resumes.]
• If a roaming user has logged in once, the user need not do an extra login process after each handoff
• The authenticated VPN session stays continuous and is not affected by handoff
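The single sign-on check above as an added simulation (not the authors' code): the HA accepts a VPN packet arriving via a new FA only if it authenticates under the existing session key and carries a fresh sequence number, then rebinds the MN and returns a signed authorization that the new FA verifies before granting access. HMAC-SHA256 stands in for the VPN's packet protection and for the HA's signature, and the single key shared between HA and FAs is an assumption of this example.

```python
import hashlib
import hmac

def tag(key, *parts):
    # HMAC-SHA256 over the fields; stands in here both for the VPN's packet
    # authentication and for the HA's signature (an assumption of this example).
    return hmac.new(key, b"|".join(str(p).encode() for p in parts), hashlib.sha256).hexdigest()

class HomeAgent:
    def __init__(self, fa_key):
        self.fa_key = fa_key    # key the FAs use to verify HA replies (assumed)
        self.sessions = {}      # MN -> {"key": VPN session key, "seq": last accepted seq, "fa": current FA}
    def login(self, mn, vpn_key, fa_ip):
        # First login (previous slide): the full VPN authentication is not modelled here
        self.sessions[mn] = {"key": vpn_key, "seq": 0, "fa": fa_ip}
    def on_vpn_packet(self, mn, from_fa, pkt):
        # SSO check: the packet must authenticate under the existing session key
        # and carry a sequence number beyond the last accepted one
        s = self.sessions.get(mn)
        if s is None:
            return None         # no session: a full login is required
        expected = tag(s["key"], mn, pkt["seq"], pkt["body"])
        if not hmac.compare_digest(expected, pkt["tag"]) or pkt["seq"] <= s["seq"]:
            return None         # forged, or replayed from the previous foreign network
        s["seq"] = pkt["seq"]
        s["fa"] = from_fa       # MN has moved: rebind without a new login
        note = {"mn": mn, "fa": from_fa, "seq": pkt["seq"]}
        note["sig"] = tag(self.fa_key, mn, from_fa, pkt["seq"])
        return note

class ForeignAgent:
    def __init__(self, ip, fa_key):
        self.ip, self.fa_key, self.granted = ip, fa_key, set()
    def on_ha_reply(self, note):
        # Grant access only on an HA reply that is addressed to this FA and verifies
        if note is None or note["fa"] != self.ip:
            return False
        if not hmac.compare_digest(tag(self.fa_key, note["mn"], note["fa"], note["seq"]), note["sig"]):
            return False
        self.granted.add(note["mn"])
        return True

class MobileNode:
    def __init__(self, name, vpn_key):
        self.name, self.key, self.seq = name, vpn_key, 0
    def vpn_packet(self, body):
        # The MN keeps sending on its existing VPN session; no re-login on handoff
        self.seq += 1
        return {"seq": self.seq, "body": body, "tag": tag(self.key, self.name, self.seq, body)}
```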
Experiment Environment
Compared methods
1. Mobile IP with 802.1x authentication (EAP-TLS) for user roaming
2. Mobile IP with VPN
3. Transparent mobile VPN
The process of layer 2 handoff is the same in the three compared methods
Experiments
1. Protocol analysis
2. Handoff latency
3. Number of control messages delivered
Protocol Analysis: Handoff Details
Five parts:
1. Layer 2 handoff
2. Re-authentication process (EAP-TLS)
3. Layer 3 handoff detection
4. Mobile IP registration
5. Connection resume
[Figure: message sequence charts among MN, AP, FA, RADIUS, HA and CN.
(a) mobile IP with EAP-TLS: 802.11b handoff (Probe, auth, Associ), EAP-TLS re-authentication (EAPOL Start, EAP-ID, EAP-Req EAP-TLS, Hello, ServerCertification, ClientCertification, SSLHandshake, EAP-Chal, EAP-Response, EAP-Accept, Success), L3 handoff detection (AgentAdv), Mobile IP registration (Request, Reply), connection resume (Data).
(b) mobile IP with VPN/SSO: 802.11b handoff (Probe, auth, Associ), L3 handoff detection (AgentAdv), Mobile IP registration (Request, Reply), connection resume (Data).
(c) transparent mobile VPN: 802.11b handoff (Probe, auth, Associ), L3 handoff detection triggered by a data packet (transparent), Mobile IP registration (Request, Reply), connection resume (Data); security assured by VPN.]
Experiment Results: Handoff Latency
[Figure: bar chart of handoff latency in seconds (0.00 to 3.00), except layer 2 handoff, for Mobile IP with EAP-TLS, Mobile IP with VPN and Transparent Mobile VPN, broken down into Re-Auth, L3 Handoff Detection, Mobile IP Registration, Connection Resume and Total Latency.]
1. Mobile IP with EAP-TLS
  • 2.32 sec averaged (re-authentication process: 1.58 sec)
2. Mobile IP with VPN/SSO (no re-login performed)
  • 0.68 sec averaged; mainly contributed by mobile IP/L3 handoff detection (average: 0.54 sec, around half of the agent advertisement interval)
3. Transparent mobile VPN
  • 0.16 sec averaged (0.02 sec in L3 handoff detection)
Experiment Results: Number of Messages
[Figure: bar chart of the number of messages per handoff (0 to 35) for Mobile IP with EAP-TLS, Mobile IP with VPN and Transparent mobile VPN, broken down into Total and per-category counts such as auth(mnHA).]
• The design of single sign-on significantly reduces the number of messages, mainly those delivered across the WAN
• The design of transparent mobile VPN further reduces the overhead of L3 handoff detection and registration between MN and FA, which are usually within the same LAN
Application: Campus Navigation and Guidance System
[Figure: (a) WLAN infrastructure, (b) AutoPC, (c) Navigation, (d) MPEG-4 video streaming, (e) MP3 audio streaming.]
Conclusions
• Several novel ideas, such as transparent direct registration, a VPN tunnel inside the mobile IP tunnel, VPN-based access control and single sign-on, are proposed to provide secure transparent access using enhanced mobile IP
  – Security assured by VPN
  – Transparency supported by an intelligent FA
  – L3 handoff latency reduced by SSO
• We demonstrate that it is feasible to use short-range communication systems such as WLAN to support mobile access for broadband ITS applications