[Mobopts] review of draft-irtf-mobopts-mpa-framework-05.txt
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Mobopts] review of draft-irtf-mobopts-mpa-framework-05.txt
Hi,
I have reviewed <draft-irtf-mobopts-mpa-framework-05.txt> and I have
some issues with the document. I believe the document is not ready
for publication. Given the number of things I have found while reading
the document, I am wondering whether this version of the document has
had sufficient research group review. That said, let me state that I
am not a mobility expert and hence I am reading the document from the
viewpoint of an informed reader, but not as an expert in this field.
a) I would prefer more consistent terminology. For example, the
document seems to use 'mobile terminal', 'mobile node', 'mobile',
'terminal' to refer to the same concept. I believe the document
gains clarity by choosing one term and sticking to it throughout
the document.
b) Similar to a), I had a hard time to deal with the many acronyms
that are being used in the document and sometimes the acronyms are
not spelled the same or it seems different acronyms are used to
refer to the same concept, making lookups harder than necessary.
c) The document references IDs that are seem to be in a limbo state,
most notably the "accompanying document
ID.ohta-mobopts-mpa-implementation" (last updated July 2007). Some
of the contents of this ID seems to have been moved into the
appendix? There is also I-D.taniuchi-netlmm-mpa-proxymipv6 (last
updated March 2007), which will actually block publication. I
think any text related to ProxyMIPv6 should reference RFC 5213
(which is not referenced at all).
d) I found section 8 somewhat weak and not too helpful in order to
understand the MPA framework itself, which is the main contribution
of this document. I am actually not sure section 8 is needed in the
current form since the focus of the document announced at the
beginning is on the MPA framework. Should section 8 really be part
of this ID? If yes, then 8.1.1 and 8.1.2 are probably not
sufficiently specified, since they essentially refer to a dead (?)
ID. The section on Proxy MIPv6 probably needs an update to align it
with RFC 5213. I also find the figures 7-9 somewhat confusing (what
is the meaning of the *,x,+,- characters?).
e) In general, the document is quite long and takes a while to read. I
had the feeling that there is also some repetition (for example, I
think I read several times that DAD is slow or about the advantages
of using multiple interfaces during handover etc). I guess I would
have been happier with a shorter document concentrating on the
framework and either a separate document discussing concrete
implementations or have _all_ discussions about framework
implementation experiments in the appendix.
I am attaching a unified context diff with several editorial nits and
some additional questions placed in [[ ]] brackets where the context
is important to understand the question.
I hope you find this review useful!
/js
--
Juergen Schoenwaelder Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
--- draft-irtf-mobopts-mpa-framework-05.txt 2009-04-06 16:53:12.000000000 +0200
+++ draft-irtf-mobopts-mpa-framework-05-hacked.txt 2009-04-06 17:39:19.000000000 +0200
@@ -234,21 +234,21 @@
supporting seamless terminal handovers between access networks of the
same type is still more challenging, especially when the handovers
are across IP subnets or administrative domains. To address those
challenges, it is important to provide terminal mobility that is
agnostic to link-layer technologies in an optimized and secure
fashion without incurring unreasonable complexity. In this document
we discuss a framework to support terminal mobility that provides
seamless handovers with low latency and low loss. Seamless handovers
are characterized in terms of performance requirements as described
in Section 1.2. [I-D.ohba-mobopts-mpa-implementation] is an
- accompanying document which shows few sets of implementation of MPA
+ accompanying document which presents some implementations of MPA
including performance results to show how existing protocols could be
leveraged to realize the functionalities of MPA.
Terminal mobility is accomplished by a mobility management protocol
that maintains a binding between a locator and an identifier of a
mobile terminal, where the binding is referred to as the mobility
binding. The locator of the mobile node may dynamically change when
there is a movement of the mobile terminal. The movement that causes
a change of the locator may occur when there is a change in
attachment point due to physical movement or network change. A
@@ -399,21 +399,21 @@
The handover delay is attributed due to several factors, such as
discovery, configuration, authentication, binding update and media
delivery. Many of the security related procedures such as handover
keying and re-authentication procedures deal with cases where there
is a single source of trust at the top and the underlying AAA domain
elements trust the top source of trust and the keys it generates and
distributes. In this scenario, there is an appreciable delay in re-
establishing link security related parameters, such as
authentication, link key management and access authorization during
- inter-domain handover. Focus of this draft is to design a framework
+ inter-domain handover. The focus of this draft is the design of a framework
that can reduce the delay due to authentication and other handoff
related operations such as configuration and binding update.
2. Terminology
Mobility Binding: A binding between a locator and an identifier of a
mobile terminal.
Mobility Management Protocol (MMP): A protocol that operates at
@@ -460,21 +460,21 @@
Care-of Address (CoA): An IP address used by a mobility management
protocol as a locator of the MPA mobile node.
3. Handover Taxonomy
Based on the type of movement, type of access network, and underlying
mobility support, one can primarily define the handover as inter-
technology, intra-technology, inter-domain, and intra-domain. We
- describe briefly each of these handover process. However, our focus
+ describe briefly each of these handover processes. However, our focus
of the dicussion is on Inter-domain handover.
Inter-technology: A mobile may be equipped with multiple interfaces,
where each interface can support different access technology (802.11,
CDMA). A mobile may communicate with one interface at any time in
order to conserve the power. During the handover the mobile may move
out of the footprint of one access technology (e.g., 802.11) and move
into the footprint of a different access technology (e.g., CDMA).
This will warrant switching of the communicating interface on the
mobile as well. This type of Inter-technology handover is often
@@ -502,43 +502,43 @@
Dutta (Ed.), et al. Expires August 18, 2009 [Page 9]
�
Internet-Draft MPA Framework February 2009
addition it may be subjected to either inter-technology or intra-
technology handover. Inter-domain handover will be subjected to all
the transition steps a subnet handover goes through and in addition
it will be subjected to authentication and authorization process as
- well. It is also likely that type of mobility support in each
+ well. It is also likely that the type of mobility support in each
administrative domain will be different. For example, administrative
domain A may have MIPv6 support, while administrative domain B may
use Proxy MIPv6.
Intra-domain: When a mobile's movement is confined to movement within
an administrative domain it is called intra-domain movement. An
intra-domain movement may involve intra-subnet, inter-subnet, intra-
technology and inter-technology as well.
Both inter-domain and intra-domain handovers can be subjected to
either inter-technology or intra-technology handover based on the
network access characteristics. Inter-domain handover requires
authorization for acquisition or modification of resources assigned
to a mobile and the authorization needs interaction with a central
authority in a domain. In many cases, an authorization procedure
during inter-domain handover follows an authentication procedure that
also requires interaction with a central authority in a domain.
Thus, security association between the network entities such as
routers in the neighboring administrative domains need to be
established before any interaction takes place between these
- entities. Similarly, an inter-domain mobility may involve different
- mobility protocol in each of its domains, such as MIPv6 and Proxy-
+ entities. Similarly, inter-domain mobility may involve different
+ mobility protocols in each of its domains, such as MIPv6 and Proxy-
MIPv6. In that case, one needs a generalized framework to achieve
the optimization during inter-domain handover. Figure 1 shows a
typical example of inter-domain mobility involving two domains, such
as domain A and domain B. It illustrates several important components
such as AAA Home server (AAAH), AAA visited servers (e.g., AAAV1 and
AAAV2), Authentication Agent (AA), Layer 3 point of attachment, such
as Access Router (AR) and layer 2 point of attachment, such as Access
Point. Any mobile maybe using a specific mobility protocol and
associated mobility optimization technique during intra-domain
movement in either domain. But the same optimization technique may
@@ -637,21 +637,21 @@
mobility management schemes that try to reduce handover delay and
packet loss during a mobile's movement between cells, subnets and
domain. Micro-mobility management schemes [CELLIP], [HAWAII], and
intra-domain mobility management schemes such as [IDMP],
[I-D.ietf-mobileip-reg-tunnel] and [RFC5380] provide fast-handover by
limiting the signaling updates within a domain. Fast Mobile IP
protocols for IPv4 and IPv6 networks [RFC4881], [RFC5268] utilize
mobility information made available by link layer triggers. Yokota
et al. [YOKOTA] propose joint use of access point and a dedicated
MAC bridge to provide fast-handover without altering the MIPv4
- specification. Shin et al [MACD] propose a scheme reduces the delay
+ specification. Shin et al [MACD] propose a scheme reducing the delay
due to MAC layer handoff by providing a cache-based algorithm. In
this scheme, the mobile caches the neighboring channels that it has
already visited and thus uses a selective scanning method. This
helps to reduce the associated scanning time.
Some mobility management schemes use dual interfaces thus providing
make-before-break [SUM]. In a make-before-break situation,
communication usually continues with one interface, when the
secondary interface is in the process of getting connected. The IEEE
802.21 working group is discussing these scenarios in details
@@ -668,63 +668,63 @@
Dutta (Ed.), et al. Expires August 18, 2009 [Page 12]
�
Internet-Draft MPA Framework February 2009
MPA scheme is very similar to MITH's predictive scheme where the
mobile communicates with the foreign agent before actually moving to
- the new network. However, MPA scheme is not limited to MIP type
- mobility protocol only and in addition this scheme takes care of
+ the new network. However, the MPA scheme is not limited to MIP type
+ mobility protocols only and in addition this scheme takes care of
movement between domains and performs pre-authentication in addition
to proactive handover. Thus, MPA reduces the overall delay to close
to link-layer handover delay. Most of the mobility optimization
techniques developed so far are restricted to a specific type of
mobility protocol only. While supporting optimization for inter-
domain mobility, these protocols assume that there is a pre-
established security arrangement between two administrative domains.
But this assumption may not be viable always. Thus, there is a need
to develop an optimization framework that can support inter-domain
mobility without any underlying constraints or security related
assumption.
- Recently, HOKEY WG within IETF is defining the ways to expedite the
+ Recently, the HOKEY WG within IETF is defining the ways to expedite the
authentication process. In particular, it has defined pre-
authentication [I-D.ietf-hokey-preauth-ps] and fast re-authentication
[RFC5169] mechanisms to expedite the authentication and security
association process.
5. Applicability of MPA
MPA is more applicable where an accurate prediction of movement can
- be easily made. For other environments, a special care must be taken
+ be easily made. For other environments, special care must be taken
to deal with issues such as pre-authentication to multiple CTNs
(Candidate Target Networks) as explained in Section 5.2 and failed
switching and switching back as described in Section 5.8. However,
addressing those issues in actual deployments may not be easier.
Some of the deployment issues are described in Appendix C.
- Effectiveness of MPA may be relatively reduced if the network employs
+ The effectiveness of MPA may be relatively reduced if the network employs
network-controlled localized mobility management in which the MN does
not need to change its IP address while moving within the network.
- Effectiveness of MPA may also be relatively reduced if signaling for
+ The effectiveness of MPA may also be relatively reduced if signaling for
network access authentication is already optimized for movements
within the network, e.g., when simultaneous use of multiple
interfaces during handover is allowed. In other words, MPA is most
viable solution for inter-administrative domain predictive handover
without the simultaneous use of multiple interfaces. Since MPA is
not tied to a specific mobility protocol, it is also applicable to
support optimization for inter-domain handover where each domain
- maybe equipped with different mobility protocol. Figure 1 shows an
+ may be equipped with a different mobility protocol. Figure 1 shows an
example of Inter-domain mobility where MPA could be applied. For
example, domain A may support just Proxy MIPv6, whereas domain B may
support Client Mobile IPv6. MPA's different functional components
Dutta (Ed.), et al. Expires August 18, 2009 [Page 13]
�
Internet-Draft MPA Framework February 2009
@@ -811,26 +811,26 @@
derived from the MPA-SA. A protocol that can carry EAP [RFC3748]
would be suitable as an authentication protocol for MPA.
A configuration agent is responsible for one part of pre-
configuration, namely securely executing a configuration protocol to
deliver an IP address and other configuration parameters to the
mobile node. The signaling messages of the configuration protocol
MUST be protected using a key derived from the key corresponding to
the MPA-SA.
+[[What are "signaling messages" of a configuration protocol?]]
+
An access router is a router that is responsible for the other part
of pre-configuration, i.e., securely executing a tunnel management
protocol to establish a proactive handover tunnel to the mobile node.
- The signaling messages of the configuration protocol MUST be
- protected using a key derived from the key corresponding to the
- MPA-SA. IP packets transmitted over the proactive handover tunnel
+ IP packets transmitted over the proactive handover tunnel
SHOULD be protected using a key derived from the key corresponding to
the MPA-SA. Details of this procedure are described in Section 6.3.
@@ -855,20 +855,23 @@
/ \
/ \\
+-------------/-----------+ +--------\-------------+
| +-----+ | |+-----+ |
| | | +-----+ | || | +-----+ |
| | AA | |CA | | ||AA | | CA | |
| +--+--+ +--+--+ | |+--+--+ +--+--+ |
| | +------+ | | | | +-----+ | |
| | | pAR | | | | | |nAR | | |
| ---+---+ +---+-----+----+---+-+ +-----+ |
+
+[[Should this be oAR to be consistent with oPoA?]]
+
| +---+--+ | | +-----+ |
| | | | |
| | | | |
| | | | |
+------------+------------+ +--------|--------------+
Current | Candidate| Target Network
Network | |
| |
| |
| |
@@ -904,24 +907,24 @@
care-of address, say oCoA (old care-of address). The communication
flow of MPA is described as follows. Throughout the communication
flow, data packet loss should not occur except for the period during
the switching procedure in Step 5, and it is the responsibility of
link-layer handover to minimize packet loss during this period.
Step 1 (pre-authentication phase): The mobile node finds a CTN
through some discovery process such as IEEE 802.21 and obtains the IP
addresses of an authentication agent, a configuration agent and an
access router in the CTN (Candidate Target Network) by some means.
- Details of discovery mechanism is discussed in Section 7.1. The
+ Details of discovery mechanisms are discussed in Section 7.1. The
mobile node performs pre-authentication with the authentication
agent. As discussed in Section 7.2, the mobile may need to pre-
- authenticate with multiple candidate target networks. Decision
+ authenticate with multiple candidate target networks. The decision
regarding which candidate network the mobile needs to pre-
authenticate with will depend upon several policies, such as
signaling overhead, bandwidth requirement (QoS), mobile's location,
communication cost, and handover robustness etc. Determining the
policy that decides the target network the mobile should pre-
authenticate with is out of scope for this document.
If the pre-authentication is successful, an MPA-SA is created between
the mobile node and the authentication agent. Two keys are derived
from the MPA-SA, namely an MN-CA key and an MN-AR key, which are used
@@ -1010,20 +1013,23 @@
IP address(es)
Available for
Use by MN
|
+-----------------------------------+ |
| Candidate Target Network | |
| (Future Target Network) | |
MN oPoA | nPoA AA CA AR | |
+
+[[ Should AR be nAR for consistency? ]]
+
| | | | | | | | |
| | +-----------------------------------+ |
| | | | | | .
+---------------+ | | | | | .
|(1) Found a CTN| | | | | | .
+---------------+ | | | | | |
| Pre-authentication | | | |
| [authentication protocol] | | |
|<--------+------------->|MN-CA key| | |
| | | |-------->|MN-AR key| |
@@ -1138,32 +1144,32 @@
management frames such as beacons when the mobile approaches the
vicinity of the neighboring networks. IEEE 802.11u is considering
issues such as discovering neighborhood using information contained
in link layer. However, if the link-layer management frames are
encrypted by some link layer security mechanism, then the mobile node
may not be able to obtain the requisite information before
establishing link layer connectivity to the access point. In
addition this may add burden to the bandwidth constrained wireless
medium. In such cases a higher layer protocol is preferred to obtain
the information regarding the neighboring elements. There is some
- proposal such as [802.21] that helps obtain these information about
+ proposal such as [802.21] that helps obtain information about
the neighboring networks from a mobility server. When the mobile's
movement is imminent, it starts the discovery process by querying a
specific server and obtains the required parameters such as the IP
address of the access point, its characteristics, routers, SIP
servers or authentication servers of the neighboring networks. In
the event of multiple networks, it may obtain the required parameters
- from more than one neighboring networks and keep these in cache. At
- some point the mobile finds out several CTN's out of many probable
+ from more than one neighboring networks and keep these in a cache. At
+ some point the mobile finds out several CTNs out of many probable
networks and starts the pre-authentication process by communicating
- with the required entities in the CTN's. Further details of this
- scenario is in Section 7.2.
+ with the required entities in the CTNs. Further details of this
+ scenario are discussed in Section 7.2.
7.2. Pre-authentication in multiple CTN environment
In some cases, although a mobile decides a specific network to be the
target network, it may actually end up with moving into a neighboring
network other than the target network due to factors that are beyond
the mobile's control. Thus it may be useful to perform the pre-
authentication with a few probable candidate target networks and
establish time-bound tunnels with the respective access routers in
those networks. Thus, in the event of a mobile moving to a candidate
@@ -1206,30 +1212,30 @@
candidate networks. Wakikawa [I-D.wakikawa-mobileip-multiplecoa]
discusses different scenarios of mobility binding with multiple care-
of-addresses. In case simultaneous binding is not supported in a
specific mobility scheme, forwarding of traffic from the previous
target network will help take care of the transient traffic until the
new binding update is sent from the new network.
7.3. Proactive IP address acquisition
In general a mobility management protocol works in conjunction with
- the Foreign Agent or in co-located address mode. MPA approach can
+ the Foreign Agent or in co-located address mode. The MPA approach can
use both co-located address mode and foreign agent address mode. We
discuss here the address assignment component that is used in co-
located address mode. There are several ways a mobile node can
obtain an IP address and configure itself. Most commonly a mobile
can configure itself statically in the absence of any configuration
element such as a server or router in the network. The IETF Zeroconf
working group defines auto-IP mechanism where a mobile is configured
in an ad-hoc manner and picks a unique address from a specified range
- such as 169.254.x.x. In a LAN environment the mobile can obtain an
+ such as 169.254.0.0/16. In a LAN environment the mobile can obtain an
IP address from DHCP servers. In case of IPv6 networks, a mobile has
the option of obtaining the IP address using stateless auto-
Dutta (Ed.), et al. Expires August 18, 2009 [Page 22]
�
Internet-Draft MPA Framework February 2009
@@ -1262,21 +1268,21 @@
node obtains an IP address proactively from a CTN. The mobile node
makes use of PANA [RFC5191] messages to trigger the address
acquisition process on the DHCP relay agent [RFC3046] that is
colocated with the PANA authentication agent in the access router in
the CTN. Upon receiving a PANA message from the mobile node, the
DHCP relay agent performs normal DHCP message exchanges to obtain the
IP address from the DHCP server in the CTN. This address is piggy-
backed in a PANA message and is delivered to the client. In case of
MIPv6 with stateless autoconfiguration, the router advertisement from
the new target network is passed to the client as part of PANA
- message. Mobile uses this prefix and its MAC address to construct
+ message. The mobile uses this prefix and its MAC address to construct
the unique IPv6 address as it would have done in the new network.
Mobile IPv6 in stateful mode works very similar to DHCPv4.
7.3.2. IKEv2-assisted proactive IP address acquisition
IKEv2-assisted proactive IP address acquisition works when an IPsec
gateway and a DHCP relay agent are resident within each access router
in the CTN. In this case, the IPsec gateway and DHCP relay agent in
a CTN help the mobile node acquire the IP address from the DHCP
server in the CTN. The MN-AR key established during the pre-
@@ -1307,21 +1313,21 @@
node and the DHCP relay or DHCP server in the CTN. In this case, the
mobile node sends a unicast DHCP message to the DHCP relay agent or
DHCP server in the CTN requesting an address, while using the address
associated with the current physical interface as the source address
of the request.
When the message is sent to the DHCP relay agent, the DHCP relay
agent relays the DHCP messages back and forth between the mobile node
and the DHCP server. In the absence of a DHCP relay agent the mobile
can also directly communicate with the DHCP server in the target
- network. The broadcast option in client's unicast DISCOVER message
+ network. The broadcast option in the client's unicast DISCOVER message
should be set to 0 so that the relay agent or the DHCP server can
send the reply directly back to the mobile using the mobile node's
source address. This mechanism also works for an IPv6 node using
stateful configuration.
In order to prevent malicious nodes from obtaining an IP address from
the DHCP server, DHCP authentication should be used or the access
router should install a filter to block unicast DHCP message sent to
the remote DHCP server from mobile nodes that are not pre-
authenticated. When DHCP authentication is used, the DHCP
@@ -1338,55 +1344,61 @@
node and the DHCP relay or the DHCP server in the CTN may be carried
with additional information that is used to distinguish it from other
Dutta (Ed.), et al. Expires August 18, 2009 [Page 24]
�
Internet-Draft MPA Framework February 2009
- address as assigned to the physical interface.
+ addresses assigned to the physical interface.
Upon the mobile's entry to the new network, the mobile node can
perform DHCP over the physical interface to the new network to get
- other configuration parameters such as SIP server, DNS server by
+ other configuration parameters such as the SIP server or the DNS server by
using DHCP INFORM. This should not affect the ongoing communication
between the mobile and correspondent host. Also, the mobile node can
perform DHCP over the physical interface to the new network to extend
the lease of the address that was proactively obtained before
entering the new network.
7.3.4. Proactive IP address acquisition using stateless
autoconfiguration
- For IPv6, network address is configured either using DHCPv6 or
+[[ Should this section not also talk about IPv4 zeroconf? ]]
+
+ For IPv6, a network address can be configured either using DHCPv6 or
stateless autoconfiguration. In order to obtain the new IP address
proactively, the router advertisement of the next hop router can be
sent over the established tunnel, and a new IPv6 address is generated
based on the prefix and MAC address of the mobile. Generating a COA
from the new network will avoid the time needed to obtain an IP
address and perform Duplicate Address Detection.
Duplicate address detection and address resolution are part of the IP
address acquisition process. As part of the proactive configuration
these two processes can be done ahead of time. Details of how these
two processes can be done proactively are described in Appendix A and
Appendix B, respectively.
In order to maintain the DHCP binding for the mobile node and keep
track of the dispensed IP address before and after the secure
proactive handover, the same DHCP client identifier needs to be used
for the mobile node for both DHCP for proactive IP address
acquisition and DHCP performed after the mobile node enters the
target network. The DHCP client identifier may be the MAC address of
- the mobile node or some other identifier. In case of stateless
+ the mobile node or some other identifier.
+
+[[ The above text seems to belong to section 7.3.3 and not 7.3.4.]]
+
+ In case of stateless
autoconfiguration, the mobile checks to see the prefix of the router
advertisement in the new network and matches it with the prefix of
newly assigned IP address. If these turn out to be the same then the
mobile does not go through the IP address acquisition phase again.
7.4. Tunnel management
After an IP address is proactively acquired from the DHCP server in a
CTN or via stateless autoconfiguration in case of IPv6, a proactive
handover tunnel is established between the mobile node and the access
@@ -1399,20 +1411,22 @@
Dutta (Ed.), et al. Expires August 18, 2009 [Page 25]
�
Internet-Draft MPA Framework February 2009
There are several reasons why this transient tunnel is established
between the NAR and the mobile in the old PoA, unlike transient
tunnel in FMIPv6, where it is set up between mobile's new point of
attachment and the old access router.
+[[ Where is the acronym FMIPv6 introduced?? ]]
+
In case of inter-domain handoff, it is important that any signaling
message between nPoA and the mobile needs to be secured. This
transient secured tunnel provides the desired functionality including
the securing the proactive binding update and transient data between
the end-points before the handover has taken place. Unlike proactive
mode of FMIPv6, transient handover packets are not sent to PAR, and
thus a tunnel between mobile's new point of attachment and old access
router is not needed.
In case of inter-domain handoff, PAR and NAR could logically be far
@@ -1453,21 +1467,21 @@
Dutta (Ed.), et al. Expires August 18, 2009 [Page 26]
�
Internet-Draft MPA Framework February 2009
target network. A link-layer trigger ensures that the mobile node is
indeed connected to the target network and can also be used as the
trigger to delete or disable the tunnel. A tunnel management
- protocol also triggers the router advertisement (RA) from next access
+ protocol also triggers the router advertisement (RA) from the next access
router to be sent over the tunnel, as soon as the tunnel creation is
complete.
7.5. Binding Update
There are several kinds of binding update mechanisms for different
mobility management schemes.
In case of Mobile IPv4 and Mobile IPv6, the mobile performs a binding
update with the home agent only, if route optimization is not used.
@@ -1491,79 +1505,82 @@
and CN. Also all signaling messages between MN and HA and between MN
and CN are passed through this proactive tunnel that is set up.
These messages include Binding Update (BU), Binding Acknowledgement
(BA) and the associated return routability messages such as Home Test
Init (HoTI), Home Test (HoT), Care-of Test Init (CoTI), Care-of Test
(COT). In Mobile IPv6, since the receipt of on-link router
advertisement is mandatory for the mobile to detect the movement and
trigger the binding update, router advertisement from next access
router needs to be advertised over the tunnel. By proper
configuration on NAR, router advertisement can be sent over the
- tunnel interface to trigger the proactive binding update. Mobile
- also needs to make the tunnel interface as the active interface, so
+ tunnel interface to trigger the proactive binding update. The mobile
+ also needs to make the tunnel interface the active interface, so
that it can send the binding update using this interface as soon as
it receives the router advertisement.
If the proactive handover tunnel is realized as an IPsec tunnel, it
will also protect these signaling messages between the tunnel end
Dutta (Ed.), et al. Expires August 18, 2009 [Page 27]
�
Internet-Draft MPA Framework February 2009
points and will make the return routability test more secured. Any
+
+[[ What is "more secured"? More compared to what? ]]
+
subsequent data will also be tunneled through as long as the mobile
is in the previous network. The accompanying document
[I-D.ohba-mobopts-mpa-implementation] talks about the details of how
binding updates and signaling for return routability are sent over
the secured tunnel.
7.6. Preventing packet loss
7.6.1. Packet loss prevention in single interface MPA
For single interface MPA, there may be some transient packets during
link-layer handover that are directed to the mobile node at the old
point of attachment before the mobile node is able to attach to the
target network. Those transient packets can be lost. Buffering
these packets at the access router of the old point of attachment can
eliminate packet loss. Dynamic buffering signals that are signalled
from the MN can temporarily hold transient traffic during handover
and then these packets can be forwarded to the MN once it attaches to
- the target network. A detailed analysis of buffering can technique
+ the target network. A detailed analysis of this buffering technique
can be found in [PIMRC06].
An alternative method is to use bicasting. Bicasting helps to
forward the traffic to two destinations at the same time. However,
it does not eliminate packet loss if link-layer handover is not
seamlessly performed. On the other hand, buffering does not reduce
- packet delay. While packet delay can be compensated by playout
- buffer at the receiver side for streaming application, playout buffer
+ packet delay. While packet delay can be compensated by a playout
+ buffer at the receiver side for streaming application, a playout buffer
does not help much for interactive VoIP application that cannot
tolerate for large delay jitters. Thus it is still important to
optimize the link-layer handover anyway.
7.6.2. Preventing packet losses for multiple interfaces
- MPA usage in multi-interface handover scenario involves preparing the
+ MPA usage in multi-interface handover scenarios involves preparing the
second interface for use via the current active interface. This
preparation involves pre-authentication and provisioning at a target
network where the second interface would be the eventual active
- interface. An example, during inter-technology handover from a Wi-Fi
+ interface. For example, during inter-technology handover from a Wi-Fi
to a CDMA network, pre-authentication at the CDMA network can be
- performed via the Wi-Fi interface. Handover occurs when the CDMA
+ performed via the Wi-Fi interface. The actual handover occurs when the CDMA
interface becomes the active interface for the MN.
- In such scenario, if handover occurs while both interfaces are
+ In such scenarios, if handover occurs while both interfaces are
active, there is generally no packet loss since transient packets
directed towards the old interface will still reach the MN. However,
if sudden disconnection of the current active interface is used to
initiate handover to the prepared interface then transient packets
Dutta (Ed.), et al. Expires August 18, 2009 [Page 28]
�
Internet-Draft MPA Framework February 2009
@@ -1583,42 +1600,42 @@
approaches can be employed to minimize this effect. Relying on upper
layer protocols such as TCP to detect and eliminate duplicates is the
most common approach. Customized duplicate detection and handling
techniques can also be used. In general, packet duplication is a
well known issue that can also be handled locally by the MN.
If the mobile takes a longer amount of time to detect the
disconnection event of the current active interface, it can also have
an adverse effect on the length of the handover process. Thus it
becomes necessary to use an optimized scheme of detecting interface
- disconnection in such scenarios. Use of current interface to perform
+ disconnection in such scenarios. Use of the current interface to perform
pre-authentication instead of the new interface is desirable in
certain circumstances, such as to save battery power or in cases
where the adjacent cells (e.g., WiFi, and CDMA) are non-overlapping
or in cases when the carrier does not allow simultaneous use of both
interfaces. However, in certain circumstances, depending upon the
type of target network, only parts of MPA operations can be performed
(e.g., pre-authentication, pre-configuration, proactive binding
update). In a specific scenario involving handoff between WiFi and
CDMA network, some of the PPP context can be set up during the pre-
authentication period, thus reducing the time for PPP activation.
7.6.3. Reachability test
In addition to previous techniques, the MN may also want to ensure
reachability of the new point of attachment before switching from the
old one. This can be done by exchanging link-layer management frames
with the new point of attachment. This reachability check should be
performed as quickly as possible. In order to prevent packet loss
during this reachability check, transmission of packets over the link
between the MN and old point of attachment should be suspended by
- buffering the packets at the both ends of the link during the
+ buffering the packets at both ends of the link during the
reachability check. How to perform this buffering is out of scope of
this document. Some of the results using this buffering scheme are
explained in the accompanying implementation document.
Dutta (Ed.), et al. Expires August 18, 2009 [Page 29]
�
@@ -1706,35 +1723,35 @@
| |____| |_____| |
|_____________________________________________________|
Figure 5: Bootstrapping Link-layer Security
7.7.2. IP layer security and mobility
IP layer security is typically maintained between the mobile and
first hop router or any other network element such as SIP proxy by
means of IPsec. This IPSec SA can be set up either in tunnel mode or
- in ESP mode. However, as the mobile moves IP address of the router
- and outbound proxy will change in the new network, mobile's IP
+ in ESP mode. However, as the mobile moves, the IP address of the router
+ and outbound proxy will change in the new network. The mobile's IP
address may or may not change depending upon the mobility protocol
being used. This will warrant re-establishing a new security
association between the mobile and the desired network entity. In
some cases such as in 3GPP/3GPP2 IMS/MMD environment data traffic is
not allowed to pass through unless there is an IPsec SA established
between the mobile and outbound proxy. This will of course add
unreasonable delay to the existing real-time communication during
mobile's movement. In this scenario, key exchange is done as part of
SIP registration that follows a key exchange procedure called AKA
(Authentication and Key Agreement).
MPA can be used to bootstrap this security association as part of
- pre-authentication via the new outbound proxy. Prior to the movement
+ pre-authentication via the new outbound proxy. Prior to the movement,
if the mobile can pre-register via the new outbound proxy in the
Dutta (Ed.), et al. Expires August 18, 2009 [Page 31]
�
Internet-Draft MPA Framework February 2009
target network and completes the pre-authentication procedure, then
@@ -1764,21 +1781,21 @@
8. MPA Case Studies for Inter-Domain Handoff
In this section, we illustrate various case studies where MPA can be
used to optimize Inter-domain handoff.
8.1. Homogeneous Mobility Protocol in each domain
In this section we provide illustration of how MPA can be used to
optimize inter-domain handoff for several mobility protocols, such as
MIPv6, SIP-based mobility, MIPv4, ProxyMIP, and Multicast. In this
- specific case each domain has similar type of mobility protocol.
+ specific case each domain uses a similar type of mobility protocol.
Also it is noteworthy to mention that MPA can help bootstrap layer 2
security for all the mobility protocols.
8.1.1. Mobile IPv6
MPA can provide proactive optimization, if the neighboring domains
are MIPv6 enabled. Detailed explanation about MPA's implementation
with MIPv6 can be found in the accompanying implementation draft
[I-D.ohba-mobopts-mpa-implementation].
@@ -1796,48 +1813,51 @@
8.1.2. SIP Mobility
MPA can provide proactive optimization during inter-domain handover
when the neighboring domains support SIP-based mobility. Detailed
explanation about MPA's demonstration with SIP-based mobility can be
found in the accompanying implementation draft
[I-D.ohba-mobopts-mpa-implementation].
8.1.3. MIPv4 FA-CoA
- In many of the deployment scenarios such as in IMS/MMD (IP Multimedia
+ In many of the deployment scenarios such as in the IMS/MMD (IP Multimedia
Subsystem/Multimedia Domain) architecture using MIPv4 as the binding
- protocol, IP address of the mobile does not change as the mobile
+ protocol, the IP address of the mobile does not change as the mobile
moves from one visited network to another. A typical example is when
the mobile uses MIPv4 and uses FA Care-of-Address and interacts with
the outbound SIP proxy. In such a situation the mobile has only its
- Home Address (HoA) assigned to its interface. MPA mechanism in its
+ Home Address (HoA) assigned to its interface. The MPA mechanism in its
current form will give rise to routing loop, if the mobile uses HoA
as the outer address of the MPA proactive tunnel described
previously.
In this scenario while the mobile is still with pFA, if it sets up a
proactive tunnel with nFA using the HoA as the outer address and
sends the binding update with with nFA's care-of-address, then any
- packet destined to mobile will first be routed to nFA and then
+ packet destined to the mobile will first be routed to nFA and then
because of the associated tunnel, it will be sent back to the HA,
resulting in a routing loop.
+[[ Please spell out what pFA and nFA are.]
+
+
In order to take care of this routing problem we propose different
ways of creating two tunnels such as forward proactive and reverse
- proactive tunnels. Forward proactive tunnel helps tunnel the traffic
- from nFA to MN whereas the packets from the mobile goes over the
+ proactive tunnels. The forward proactive tunnel helps tunnel the traffic
+ from nFA to MN whereas the packets from the mobile go over the
reverse proactive tunnel. We propose to use p-FA's CoA as the tunnel
outer address of the MN for forward proactive tunnel and propose to
use mobile's HoA as the outer address of the reverse proactive
- tunnel. Traffic destined to HoA when arrives at nFA will get routed
- to pFA over proactive tunnel using the host based routing set up at
- nFA. Figure 6 shows a scenario of asymmetric proactive tunnel that
+ tunnel. Traffic destined to HoA, when it arrives at the nFA, will get routed
+ to pFA over the proactive tunnel using the host based routing set up at
+ the nFA. Figure 6 shows a scenario of asymmetric proactive tunnel that
is needed to care of this routing loop.
This will work only when both serving and target networks support FA-
CoA.
@@ -1872,32 +1892,36 @@
| |
+----+
Figure 6: MPA with FA-CoA Scenario
8.1.4. Proxy MIPv6
In this section, we describe how one can achieve fast handoff for
ProxyMIPv6 using Media-independent Pre-Authentication (MPA)
- technique. PrxyMIPv6 is a network layer localized protocol being
+ technique. ProxyMIPv6 is a network layer localized protocol being
discussed in NETLMM working group within IETF currently. The goals
and advantages for local mobility management have duly been
documented in the problem statement [RFC4830] and no-host-requirement
[RFC4831] drafts.
- Advantage of local mobility management is to optimize many of the
+ The advantage of local mobility management is to optimize many of the
functions related to mobility and reduce the number of signaling
messages over the air. ProxyMIPv6 [I-D.sgundave-mipv6-proxymipv6] is
currently one of the candidate protocols that can take care of the
localized mobility management when the mobile's movement is limited
- within a domain. It follows many of the goals and advantages that
+ within a domain.
+
+[[ Is this still true? RFC 5213 appeared in August 2008.]]
+
+ It follows many of the goals and advantages that
have been discussed as part of the problem statement and no host-
requirement drafts. However, ProxyMIPv6 in its current form still
needs a mechanism to provide fast-handover. There are several
components within ProxyMIPv6 that contribute to the overall handoff
delay. These components include access authentication, profile
verification, home address reconfiguration, and binding update.
Dutta (Ed.), et al. Expires August 18, 2009 [Page 34]
@@ -2124,28 +2148,31 @@
Dutta (Ed.), et al. Expires August 18, 2009 [Page 38]
�
Internet-Draft MPA Framework February 2009
8.2. Diverse Mobility Protocol in each domain
- In some cases, each administrative domain maybe equipped with
+ In some cases, each administrative domain may be equipped with
different kind of mobility protocol, such as domain A may use Mobile
- IP protocol and domain B maybe equipped with PMIPv6 or vice-versa.
+ IP protocol and domain B may be equipped with PMIPv6 or vice-versa.
Since MPA's optimization technique is not tightly coupled with any
mobility protocol, as long as it is aware of the mobility protocol in
the target domain, it can utilize its pre-authentication and
proactive handoff technique accordingly during the inter-domain
handoff. However, it needs to consider other CMIPv6 and PMIPv6
+
+[[ What is CMIPv6 and what is PMIPv6?? ]]
+
interactions on the client. Similarly, it can support handover
between two domains, one supporting MIPv6 and other SIP-based
mobility.
8.3. Multicast mobility
A specific mobile can subscribe to one or more IP multicast group.
When a mobile moves to a new network multicast communication is
interrupted because of the associated join latency. This
interruption can be minimized by reducing the join latency during the
@@ -2187,49 +2214,49 @@
is configured as a multicast router as well. When the mobile is in
the current network, it can still receive the multicast traffic via
the PAR on its currently configured IP address. But as soon as the
mobile moves to the new network and deletes the tunnel, it starts
receiving the multicast traffic on the same group multicast address
with almost zero join latency. Since the mobile already has obtained
an address ahead of time it also does not spend any time to configure
its interface.
- In case of home subscription based approach, MPA can provide the
+ In case of the home subscription based approach, MPA can provide the
mobility support for multicast services the way it provides unicast
services for both MIPv4 and MIPv6. The data gets delivered to the
mobile in the previous network via the transient MPA tunnel between
the mobile and the next access router. This tunnel is usually a
- tunnel within a tunnel. As the mobile moves to the new network,
+ tunnel within a tunnel. As the mobile moves to the new network, the
regular MIP tunnel takes care of delivering the multicast traffic in
the new network. This mechanism provides fast delivery of multicast
stream, as the home agent has already started to send multicast
traffic destined to the new network.
8.4. Coexistence of MPA with other optimization technique
Although MPA can provide optimization techniques by itself, it can
also augment other optimization techniques and thus can co-exist.
There are some similarities between the techniques associated with
- MPA and other related fast-handoff mechahnisms such as proactive part
+ MPA and other related fast-handoff mechanisms such as the proactive part
of FMIPv6. Experimental results from both of these handoff
techniques demonstrate that these results are bounded by layer 2
delay. However if these could be augmented by IEEE 802.21 network
discovery mechanism, layer 2 handoff delay can also be optimized.
This has been demonstrated in the accompanying draft
[I-D.ohba-mobopts-mpa-implementation]. On the other hand, certain
features of MPA could also be used to enhance the functionality of
FMIPv6 [RFC5268]. In particular, MPA's pre-authentication feature
for both layer-2 and layer-3, and stateful pre-configuration feature
can also be used for FMIPv6. MPA's layer-2 security bootstrapping
feature can also reduce the layer-2 authentication delay associated
- with FMIPv6 [FMIP-results]. Support for pre-authentication technique
+ with FMIPv6 [FMIP-results]. Support for the pre-authentication technique
to augment FMIPv6 during inter-domain mobility is future work.
9. Security Considerations
This document describes a framework of a secure handover optimization
mechanism based on performing handover-related signaling between a
mobile node and one or more candidate target networks to which the
mobile node may move in the future. This framework involves
acquisition of the resources from the CTN as well as data packet
@@ -2240,39 +2267,47 @@
�
Internet-Draft MPA Framework February 2009
redirection from the CTN to the mobile node in the current network
before the mobile node physically connects to one of those CTN.
Acquisition of the resources from the candidate target networks must
accompany with appropriate authentication and authorization
procedures in order to prevent unauthorized mobile node from
+
+[[ I do not understand what "must accompany with" means here. ]]
+
obtaining the resources. For this reason, it is important for the
MPA framework to perform pre-authentication between the mobile node
and the candidate target networks. The MN-CA key and the MN-AR key
generated as a result of successful pre-authentication can protect
subsequent handover signaling packets and data packets exchanged
between the mobile node and the MPA functional elements in the CTN's.
The MPA framework also addresses security issues when the handover is
performed across multiple administrative domains. With MPA, it is
possible for handover signaling to be performed based on direct
communication between the mobile node and routers or mobility agents
in the candidate target networks. This eliminates the need for a
context transfer protocol for which known limitations exist in terms
of security and authorization. [RFC5247]. For this reason, the MPA
+
+[[ I do not get the reference to [RFC5247]. Please expand. Does MPA require EAP?]]
+
framework does not require trust relationship among administrative
domains or access routers, which makes the framework more deployable
in the Internet without compromising the security in mobile
environments.
+[[ Any DoS issues that should be discussed? ]]
+
10. IANA Considerations
This document has no actions for IANA.
11. Acknowledgments
We would like to thank Farooq Anjum and Raziq Yaqub for their review
of this document, and Subir Das for standardization support in the
@@ -2561,40 +2596,43 @@
table, so that this same address is not given to another client for
that specific period of time. At the same time the client also keeps
a lease table locally so that it can renew when needed. In some
cases where a network consists of both DHCP and non-DHCP enabled
clients, there is a probability that another client in the LAN may
have been configured with an IP address from the DHCP address pool.
In such scenario the server detects a duplicate address based on ARP
(Address Resolution Protocol) or IPv6 Neighbor Discovery before
assigning the IP address. This detection procedure may take from 4
sec to 15 sec [MAGUIRE] and will thus contribute to a larger handover
- delay. In case of proactive IP address acquisition process, this
+ delay. In case of a proactive IP address acquisition process, this
Dutta (Ed.), et al. Expires August 18, 2009 [Page 46]
�
Internet-Draft MPA Framework February 2009
detection is performed ahead of time and thus, does not affect the
handover delay at all. By performing the duplicate address detection
ahead of time, we reduce the IP address acquisition time.
The proactive duplicate address detection (DAD) over the candidate
target network should be performed by the PAR on behalf of the mobile
at the time of proactive handover tunnel establishment since
duplicate address detection over a tunnel is not always performed.
For example, in the case of IPv6, DAD over an IP-IP tunnel interface
is turned off in an existing implementation. In the case of IPv6
over PPP [RFC5172], IPv6CP negotiates the link local addresses and
+
+[[ What is IPv6CP? ]]
+
hence DAD over the tunnel is not needed. After the mobile has moved
to the target network, a DAD procedure may be started because of
reassignment of the nCoA to the physical interface to the target
network. In that case, the mobile should use optimistic DAD
[RFC4429] over the physical interface so that the nCoA that was used
inside the proactive handover tunnel before handover can be
immediately used over that physical interface after handover. The
schemes used for the proactive DAD and optimistic DAD are applicable
to both stateless and stateful address autoconfiguration schemes used
for obtaining a nCoA.
@@ -2636,20 +2674,23 @@
perform address resolution for on behalf of the mobile node.
o One can also make use of DNS to map the MAC address of the
specific interface associated with a specific IP address of the
network element in the target network. One may define a new DNS
resource record (RR) to proactively resolve the MAC addresses of
the nodes in the target network. But this approach may have its
own limitations since a MAC address is a resource that is bound to
an IP address, not directly to a domain name.
+[[ I doubt storing MAC addresses in the DNS ever makes sense. Is this
+ a serious proposal?? ]]
+
When the mobile node attaches to the target network, it installs the
proactively obtained address resolution mappings without necessarily
performing address resolution queries for the nodes in the target
network.
On the other hand, the nodes that reside in the target network and
are communicating with the mobile node should also update their
address resolution mappings for the mobile node as soon as the mobile
node attaches to the target network. The above proactive address
resolution methods could also be used for those nodes to proactively
@@ -2699,78 +2740,88 @@
averaging window. For a vehicle moving with a high speed, other
parameters such as distance between the mobile node and the point of
attachment, velocity of the mobile, location of the mobile, traffic
and bandwidth characteristics are also taken into account to reduce
the ping-pong effect. Most recently there are other handoff
algorithms that help reduce the ping-pong effect in a heterogeneous
network environment that are based on techniques such as hypothesis
testing, dynamic programming and pattern recognition techniques.
While it is important to devise smart handoff algorithms to reduce
the ping-pong effect, it is also important to devise methods to
- recover from these effect.
+ recover from this effect.
- In the case of MPA framework, the ping-pong effect will result in the
+ In the case of the MPA framework, the ping-pong effect will result in the
back-and-forth movement of the mobile between the current network and
target network and between the candidate target networks. MPA in its
current form will be affected because of many number of tunnel setup,
+
+[[ What is "many number of tunnel setup"? ]]
+
number of binding updates and associated handoff latency resulting
- out of ping-pong situation. Mobile's handoff rate may also
+ out of ping-pong situation. The mobile's handoff rate may also
contribute to delay and packet loss. We propose several algorithms
that will help reduce the probability of ping-pong and propose
several methods for the MPA framework so that it can recover from the
- packet loss resulting out of ping-pong effect.
+ packet loss resulting out of the ping-pong effect.
+
+[[ Do you really propose _several_ algorithms and methods?? ]]
The MPA framework can take advantage of the mobile's geo-location
with respect to APs in the neighboring networks using GPS. In order
to avoid the oscillation between the networks, a location-based
intelligent algorithm can be derived by using a co-relation between
+
+[[ Replace "location-based intelligent" with "location-aware"? ]]
+
user's location and cached data from the previous handover attempts.
In some cases only location may not be the only indicator for a
handoff decision. For example in Manhattan type grid networks,
although a mobile is close to an AP, it may not have enough SNR
(Signal to Noise Ration) to make a good connection. Thus knowledge
of mobility pattern, dwell time in a call and path identification
will help avoid the ping-pong problem to a great extent.
In the absence of a good handoff algorithm that can avoid ping-pong
effect, it may be required to put in place a good recovery mechanism
so as to mitigate the effect of ping-pong. It may be necessary to
keep the established context in the current network for a period of
time, so that it can be quickly recovered when the mobile comes back
- to the network where the context was last used. These context may
+ to the network where the context was last used. This context may
Dutta (Ed.), et al. Expires August 18, 2009 [Page 49]
�
Internet-Draft MPA Framework February 2009
include security association, IP address used, tunnels established.
- Bicasting the data to both previous network and new network for a
- predefined period will also the mobile help take care of the lost
+ Bicasting the data to both the previous network and the new network for a
+ predefined period will also help the mobile to take care of lost
packets in case the mobile moves back and forth between the networks.
The mobile can also take certain action, after it determines that it
- is in a stable state with respect to ping-pong situation.
+ is in a stable state with respect to a ping-pong situation.
- When MPA framework takes advantage of a combination of IKEv2 and
+ When the MPA framework takes advantage of a combination of IKEv2 and
MOBIKE, the ping-pong effect can be reduced further [mpa-mobike].
C.2. Authentication state management
In case of pre-authentication with multiple target networks, it is
useful to maintain the state in the authentication agent of each of
the neighboring networks for certain time. Thus if the mobile does
move back and forth between neighboring networks, already maintained
authentication state can be helpful. We provide some highlights on
multiple security association state management below.
+[[ What are "highlights on multiple security association state management"?? ]
+
A MN that has pre-authenticated to an authentication agent in a
candidate target network and has a MPA-SA, may need to continue to
keep the MPA-SA while it continues to stay in the current network or
even after it does handover to a network that is different from the
candidate target network.
When an MN that has been authenticated and authorized by an
authentication agent in the current network makes a handover to a
target network, it may want to hold the SA that has been established
between the MN and the authentication agent for a certain time period
@@ -2820,35 +2871,35 @@
to be used for the path between the target access router and the
mobile node after handover may be pre-allocated by extending NSLP to
work for off-path signaling (Note: this path can be viewed as off-
path before handover) or by media-specific QoS signaling at layer 2.
C.4. Resource allocation issue during pre-authentication
In case of multiple CTNs, establishing multiple tunnels with the
neighboring target networks provides some additional benefits. But
it also contributes to some resource utilization issues as well.
- Pre-authentication process with multiple candidate target networks
+ A pre-authentication process with multiple candidate target networks
can happen in several ways.
The very basic scheme involves authenticating the mobile with the
multiple authentication agents in the neighboring networks, but
actual pre-configuration and binding update take place only after
layer 2 movement to a specific network is complete.
Similarly, in addition to pre-authentication, the mobile can also
complete the pre-configuration while in the previous network, but can
postpone the binding update until after the mobile has moved. Like
the previous case, in this case the mobile also does not need to set
- up the pre-configured the tunnels. While pre-authentication process
- and part of pre-configuration process are taken care of before the
- mobile has moved to the new network, binding update is actually done
+ up the pre-configured tunnels. While the pre-authentication process
+ and part of the pre-configuration process are taken care of before the
+ mobile has moved to the new network, the binding update is actually done
after the mobile has moved.
The third type of multiple pre-authentication involves all the three
steps while the mobile is in the previous networks, such as
authentication, configuration and binding update. But, this specific
process utilizes the most amount of resources. Some of the resources
that get used during this process are as follows:
@@ -2888,21 +2939,21 @@
The following is an illustration of this specific case that takes
care of multiple binding streams, when the mobile moves only to a
specific network, but sends multiple binding updates in the previous
network. MN sends a binding update to CH with multiple contact
addresses such as c1,c2, and c3 that were obtained from three
neighboring networks. This allows the CN to send transient multiple
streams to the mobile over the pre-established tunnels. After the
mobile moves to the actual network, it sends another binding update
to the CN with the care-of-address of the mobile in the network where
- the mobile has moved in. Some of the issues with multiple stream are
+ the mobile has moved in. Some of the issues with multiple streams are
consumption of extra bandwidth for a small period of time.
Alternatively, one can apply the buffering technique at the target
access router or at the home agent. Transient data can be forwarded
to the mobile after it has moved in. Forwarding of data can be
triggered by the mobile either as part of Mobile IP registration or
as a separate buffering protocol.
@@ -2996,32 +3047,32 @@
Buffered Packets n/a 3.00
Figure 11: SIP Mobility with MPA Results
For all measurement, we did not experience any performance
degradation during handover in terms of the audio quality of the
voice traffic.
With the use of buffering during handover, packet loss during the
actual L2 and L3 handover is eliminated with an appropriate and
- reasonable settings of buffering period for both MIP6 and SIP
+ reasonable settings of the buffering period for both MIP6 and SIP
mobility. In the case of MIP6, there is not a significant difference
in results with and without route optimization. It should be noted
- that results with more samples would be necessary to do more detailed
+ that results with more samples would be necessary for a more detailed
analysis.
In case of non-MPA assisted handover, handover delay and associated
packet loss occurs from the moment the link-layer handover procedure
begins up to successful processing of the binding update. During
this process, IP address acquisitions via DHCP incurs the longest
- delay. This is due to the detection of duplicate of IP address in
- the network before DHCP request completes. Binding update exchange
+ delay. This is due to the detection of duplicate IP addresses in
+ the network before the DHCP request completes. The binding update exchange
also experiences long delay if the CN is too far from the MN. As a
result, the Non-MPA assisted handover took an average of 4 seconds to
Dutta (Ed.), et al. Expires August 18, 2009 [Page 54]
�
Internet-Draft MPA Framework February 2009
@@ -3040,23 +3091,23 @@
packet loss and handoff delay. In a second scenario, the second
interface is being prepared while the mobile still communicates using
the old interface. Preparation of the second interface should
include setup of all the required state and security associations
(e.g., PPP state, LCP, CHAP). If such lengthly process is
established ahead of time, it reduces the time taken for the
secondary interface to be attached to the network. After
preparation, the mobile decides to use the second interface as the
active interface. This results in less packet loss as it uses make-
before-break techniques. This is a proactive scenario and can have
- two(2) flavors. The first is where both interfaces are up and the
- second is when only the old interface is up the prepared interface is
- brougth up only when handoff is about to occur. This scenario may be
+ two flavors. The first is where both interfaces are up and the
+ second is when only the old interface is up and the prepared interface is
+ brought up only when handoff is about to occur. This scenario may be
beneficial from a battery management standpoint. Devices that
operate two interfaces simultaneously can rapidly deplete their
batteries. However, by activating the second interface only after an
appropriate network has been selected the client may utilize battery
effectively.
As compared to non-optimized handover that may result in delay up to
18 sec and 1000 packet loss during handover from WLAN to CDMA, we
observed 0 packet loss, and 50 ms handoff delay between the last pre-
handoff packet and first in-handoff packet. This handoff delay
@@ -3076,22 +3127,25 @@
Dutta (Ed.), et al. Expires August 18, 2009 [Page 55]
�
Internet-Draft MPA Framework February 2009
explained in Section 7. By pre-authenticating and pre-configuring
the link, the security association procedure during handoff reduces
- to 4-way handshake only. Then MN moves to the AP and, after
+ to a 4-way handshake only. Then MN moves to the AP and, after
association, runs a 4-way handshake by using the PSKap generated
+
+[[ What is PSKap? ]]
+
during PANA pre-authentication. At this point the handoff is
complete. Details of this experimental testbed can be found in
[MOBIQUIT07].
+----------------------------+-----------+ +-------------+------------+
| | | |
| Home Domain +-------++ | | |
| | | | | |
@@ -3188,64 +3242,64 @@
Dutta (Ed.), et al. Expires August 18, 2009 [Page 57]
�
Internet-Draft MPA Framework February 2009
We have experimented with three types of movement scenarios involving
both non-roaming and roaming cases using the testbeds shown in
- figures 12 and 13, respectively. In roaming case, MN is visiting in
+ figures 12 and 13, respectively. In the roaming case, the MN is visiting in
a domain different than its home domain. Consequently, the AAAh
needs to be contacted which is placed in a location far from the
visiting domain. For the non-roaming case, we assume the MN is
moving within its home domain and only local AAA server (AAAHome) is
contacted which is the home AAA server for the mobile.
- First scenario does not involve any pre-authentication. MN is
+ The first scenario does not involve any pre-authentication. The MN is
initially connected to AP0 and moves to AP1. Because neither
network-layer authentication is enabled nor IEEE 802.11i pre-
- authentication is used, MN needs to engage in a full EAP
+ authentication is used, the MN needs to engage in a full EAP
authentication with AP1 to gain access to the network after the move
(post-authentication). This experiment shows the effect of absence
of any kind of pre-authentication.
- Second scenario involves 802.11i pre-authentication and involves
- movement between AP1 and AP2. MN is initially connected to AP2, and
+ The second scenario involves 802.11i pre-authentication and involves
+ movement between AP1 and AP2. The MN is initially connected to AP2, and
starts IEEE 802.11i pre-authentication with AP1. This is an ideal
scenario to compare the values obtained from 802.11i pre-
authentication with that of network-layer assisted pre-
- authentication. Both first and this second scenarios use RADIUS as
- AAA protocol (APs implement a RADIUS client). Third scenario takes
+ authentication. Both scenarios use RADIUS as
+ AAA protocol (APs implement a RADIUS client). The third scenario takes
advantage of network layer assisted link-layer pre-authentication.
It involves movement between two APs (e.g., between AP0 and AP1) that
belong to two different subnets where 802.11i pre-authentication is
not possible. Here, Diameter is used as AAA protocol (PAA implements
a Diameter client).
- In this third movement scenario, MN is initially connected to AP0.
- MN starts PANA pre-authentication with the PAA which is co-located on
+ In this third movement scenario, the MN is initially connected to AP0.
+ The MN starts PANA pre-authentication with the PAA which is co-located on
the AR in the new candidate target network (nAR in network A) from
the current associated network (network B). After authentication,
- PAA installs two keys, PSKap1 and PSKap2 in both AP1 and AP2
- respectively by proactively. By doing the key installations
- proactively, it preempts the process of communicating with AAA server
+ PAA proactive installs two keys, PSKap1 and PSKap2, in both AP1 and AP2
+ respectively. By doing the key installations
+ proactively, it preempts the process of communicating with the AAA server
for the keys after the mobile moves to the new network. Finally
because PSKap1 is already installed, AP1 starts immediately the 4-way
handshake. We have used measurement tools such as ethereal and
kismet to analyze the measurements for the 4-way handshake and PANA
authentication. These measurements reflect different operations
involved during network-layer pre-authentication.
In our experiment, as part of the discovery phase, we assume that the
- MN is able to retrieve PAAs IP address and all required information
+ MN is able to retrieve the PAA's IP address and all required information
about AP1 and AP2 (e.g. channel, security-related parameters, etc.)
at some point before the handover. This avoids the scanning during
Dutta (Ed.), et al. Expires August 18, 2009 [Page 58]
�
Internet-Draft MPA Framework February 2009
@@ -3313,27 +3367,27 @@
operation that is needed based on a specific type of movement of the
client. IEEE 802.11i and 802.11r take advantage of preauthentication
mechanism at layer 2. Thus, many of the guidelines observed for
802.11i-based pre-authentication and 802.11r-based fast roaming could
also be applicable to the clients that use MPA-based pre-
authentication techniques. However, since MPA operations are not
limited to a specific subnet and involve inter-subnet and inter-
domain handover the guidelines need to take into account other
factors such as movement pattern of the mobile, cell size etc.
- Time needed to complete pre-authentication mechanism is an important
+ The time needed to complete the pre-authentication mechanism is an important
parameter since the mobile node needs to determine how much ahead of
- time the mobile needs to start the preauthentication process so that
+ time the mobile needs to start the pre-authentication process so that
it can finish the desired operations before the handover to the
target network starts. The pre-authentication time will vary
depending upon the speed of the mobile (e.g., pedestrian, vs.
- vehicular), cell sizes (e.g., WiFi, Cellular). Cell residence time
+ vehicular) and cell sizes (e.g., WiFi, Cellular). Cell residence time
is defined as the average time the mobile stays in the cell before
the next handoff takes place. Cell residence time is dependent upon
the coverage area and velocity of the mobile. Thus, cell residence
time is an important factor in determining the desirable pre-
authentication time that a mobile should consider.
Since pre-authentication operation involves six sub-operations as
described in Section 7.2 and each sub-operation takes some discrete
amount of time, only part of these sub-operations may be completed
before handoff depending upon the available delay budget.
@@ -3359,22 +3413,22 @@
Dutta (Ed.), et al. Expires August 18, 2009 [Page 60]
�
Internet-Draft MPA Framework February 2009
RTT = round trip time from AP to AAA server including processing time
for authentication Tauth
Tpsk = Time spent to install keys proactively on the target APs
- If for a given value of D = 100ft, Tpsk = 10 ms, and RTT = 100 ms, if
- a mobile needs to do only pre-authentication procedure associated
+ If for a given value of D = 100ft, Tpsk = 10 ms, and RTT = 100 ms
+ a mobile needs to execute only the pre-authentication procedure associated
with MPA, then the following can be calculated for a successful MPA
procedure before the handoff is complete.
2RTT+Tpsk < D/v
v = 100 ft/(200 ms +10 ms) = ~500 ft/sec
Similarly, for a similar cell size, if the mobile is involved in both
pre-authentication and pre-configuration operations as part of the
MPA procedure, and it takes an amount of time Tconfig= 190 ms to
@@ -3387,24 +3441,24 @@
Thus, compared to only pre-authentication part of MPA operation, in
order to be able to complete both pre-autentication and pre-
configuration operations successfully, either the mobile needs to
move at a slower pace or it needs to expedite these operations for
this given cell size. Thus, types of MPA operations will be
constrained by the velocity of the mobile.
As an alternative if a mobile does complete all the pre-
authentication procedure much ahead of time, it uses up the resources
- accordingly by way of extrat IP address, tunnel and extra bandwidth.
+ accordingly by way of extra IP address, tunnel and extra bandwidth.
Thus, there is always a tradeoff between the performance benefit
- obtained from pre-authentication mechanism and network
- characteristics, such as movement speed, cell size, resources
+ obtained from the pre-authentication mechanism and network
+ characteristics, such as movement speed, cell size, and resources
utilized.
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
