
Fu Jen Catholic University, Graduate Institute of Computer Science and Information Engineering (in-service master's program, first year)

Presenter: Lin Huan-Ming (Herman Lin), student ID 492515241

Public Access Mobility LAN: Extending the Wireless Internet into the LAN Environment

Jun Li, Stephen B. Weinstein, Junbiao Zhang, and Nan Tu, NEC USA Inc.

Outline

- Introduction
- Architecture & Protocol Components
- Security Issues
- Mobility Management
- Conclusion


Introduction

PamLAN: Public Access Mobility LAN. Its aim is to meet the demands for:
- ubiquitous access
- high data rate
- local services

It gives architectural guidelines for WLAN environments that are:
- large-scale
- IP-based
- supporting mobile/portable appliances (simultaneously supporting different air interfaces)


Introduction (cont'd)

- Based on a wired LAN environment in which the wireless access points are embedded
- Multi-segment LAN
- Supports handoffs


Introduction (cont'd)

Supports:
- Internet access via WLANs
- Multiple air interfaces
- Multiple virtual operators
- Location-dependent services
- Local IP mobility
- QoS (within the wired network)


Introduction (cont'd)

The main disadvantages of current WLANs:
- Lack of public access: the user is tied to a single access point (i.e., access is restricted to subscribers of that WLAN operator)
- Single air interface (reducing the range of appliances that can be served)

PamLAN is not a breakthrough in technological capabilities; it is a combination of available technologies.


Architecture

PamLAN   Multiple virtual operators, each operating a VOLAN; AAA features.
VOLAN    Virtual operator LAN, extending VLAN capabilities across subnetworks for each virtual operator.
VLAN     Virtual LAN, implementing user-group features such as broadcast containment within a physical LAN.

Table 1. PamLAN/VOLAN/VLAN hierarchy.


Architecture (cont'd)

- Switched Ethernet LAN
- Access points
  - supporting IEEE 802.11, Bluetooth, cellular, ...
  - IP-based access router with proxies
- Gateway routers: Internet access through IP tunneling

Architecture (cont'd)

[Figure slide: architecture diagram, not reproduced in the transcript.]

Architecture (cont'd)

- Integration of Cellular IP and Mobile IP for supporting mobility
- MPLS (Multi-Protocol Label Switching) brings QoS across multiple LAN segments
- IEEE 802.1Q VLAN standard; IEEE 802.1p header for QoS


Large-Scale PamLAN

- For a single VLAN, QoS can easily be supported. For large-scale WLANs?
- Intermediate routers work at layer 3, so without further help:
  - source and destination addresses would have to be used to determine VOLAN membership
  - intermediate routers would have to know all IP addresses for the VLAN mapping
- Approach: VLAN for grouping traffic per VOLAN; MPLS across the whole PamLAN


MPLS (Multi-Protocol Label Switching)

- Tunnels traffic between gateways and access points
- Intermediate routers examine only the MPLS label, which imposes a path
- Forwarding Equivalence Class (FEC):
  - formed based on VOLAN membership and QoS
  - the FEC is carried in the MPLS label
  - used for 802.1p priority within the VLAN

MPLS (cont'd)

[Figure slide: diagram not reproduced in the transcript.]

MPLS (cont'd)

- Traffic-engineered paths can be set up among access points and Internet gateways according to the service contracts between the PamLAN and the virtual operators
- DiffServ QoS service: IEEE 802.1p and MPLS traffic engineering
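As an added example (not code from the paper or from NEC), the following Python models the classification at the access point and the label switching in the core described on the MPLS slides. The topology (AP -> R1 -> R2 -> gateway), the label values, the VOLAN names opA/opB and the mapping from QoS class to 802.1p priority are all assumptions. It shows the scaling point the slides make: only the access point holds the user-to-VOLAN membership, the core routers forward on the label alone with no IP lookup, and two users sending to the same destination stay on separate label-switched paths chosen by their FEC.

```python
"""FEC classification at the access point and label switching in the core.

Added example, not the paper's or NEC's code.  Topology, label values,
VOLAN names and the QoS-to-802.1p mapping are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FEC:
    """Forwarding Equivalence Class: VOLAN membership plus contracted QoS class."""
    volan: str
    qos: str


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    label: Optional[int] = None   # MPLS label, only meaningful inside the PamLAN core
    pcp: Optional[int] = None     # IEEE 802.1p priority code point on the VLAN segment


# Assumed mapping from QoS class to 802.1p priority (0..7).
PCP_FOR_QOS = {"voice": 6, "data": 3, "best_effort": 0}


class IngressAP:
    """Access point acting as label edge router: the only node that needs to
    know which user (IP address) belongs to which VOLAN."""
    def __init__(self, membership: Dict[str, FEC], fec_to_label: Dict[FEC, int]):
        self.membership = membership
        self.fec_to_label = fec_to_label

    def push_label(self, pkt: Packet) -> bool:
        fec = self.membership.get(pkt.src_ip)
        if fec is None or fec not in self.fec_to_label:
            return False              # unknown user or no contracted LSP: drop at the edge
        pkt.label = self.fec_to_label[fec]
        pkt.pcp = PCP_FOR_QOS[fec.qos]
        return True


class LSR:
    """Core label switching router: swaps labels, never consults src/dst IP."""
    def __init__(self, name: str, lib: Dict[int, Tuple[int, str]]):
        self.name = name
        self.lib = lib                # incoming label -> (outgoing label, next hop)

    def forward(self, pkt: Packet) -> Optional[str]:
        entry = self.lib.get(pkt.label)
        if entry is None:
            return None               # label not in the LIB: drop, no IP fallback
        pkt.label, next_hop = entry
        return next_hop


class Gateway:
    """Egress: pops the label and hands the packet to the owning operator's tunnel."""
    def __init__(self, label_to_volan: Dict[int, str]):
        self.label_to_volan = label_to_volan

    def pop_label(self, pkt: Packet) -> Optional[str]:
        volan = self.label_to_volan.get(pkt.label)
        pkt.label = None
        return volan


def build_network():
    opa_voice, opa_data, opb_data = FEC("opA", "voice"), FEC("opA", "data"), FEC("opB", "data")
    ap = IngressAP(
        membership={"10.0.1.10": opa_voice, "10.0.1.11": opa_data, "10.0.1.20": opb_data},
        fec_to_label={opa_voice: 100, opa_data: 101, opb_data: 102},
    )
    routers = {
        "R1": LSR("R1", {100: (200, "R2"), 101: (201, "R2"), 102: (202, "R2")}),
        "R2": LSR("R2", {200: (300, "GW"), 201: (301, "GW"), 202: (302, "GW")}),
    }
    gw = Gateway({300: "opA", 301: "opA", 302: "opB"})
    return ap, routers, gw


def deliver(src_ip: str, dst_ip: str):
    """Returns (labels seen hop by hop, 802.1p PCP, egress VOLAN), or None if dropped."""
    ap, routers, gw = build_network()
    pkt = Packet(src_ip, dst_ip)
    if not ap.push_label(pkt):
        return None
    labels: List[int] = [pkt.label]
    hop = "R1"
    while hop in routers:
        hop = routers[hop].forward(pkt)
        if hop is None:
            return None
        labels.append(pkt.label)
    return labels, pkt.pcp, gw.pop_label(pkt)
```

Note that the two LIBs in the core are keyed by integers only: the routers carry no per-user IP state, which is exactly what makes the design scale past a single VLAN.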

Protocol Stack

[Figure slide: protocol stack diagram, not reproduced in the transcript.]

Security Issues

Four major components:
- Mutual authentication
- Secure channel establishment
- Per-packet encryption
- Filtering function


Security Issues (cont'd)

[Figure: security components in the PamLAN. Routers connect the Internet gateway to Access Point 1 and Access Point 2; a RADIUS server is reachable through the network. Each access point runs a RADIUS client, DHCP and a filter. The user's profile holds the public key and the subscription status.]

Mutual Authentication

- RADIUS (Remote Authentication Dial-In User Service): IP-based authentication (similar to an 802.11 proposal)
- Basic steps:
  1. Obtain an IP address (DHCP)
  2. Login session; the access point acts as a relay agent to the virtual operator
  3. Challenge-response protocol for authentication
  4. The user's profile is sent to the access point


Secure Channel Establishment

- After authentication, the user's profile, including his/her public key, is transferred to the access point
- The access point sends a session key encrypted under the corresponding public key
- IPsec with ESP can be used for security at the IP layer, depending on user requests


Authorization Control

Based on user credentials, packets can be filtered at the access point:
- Through (authenticated with the session key)
- Sent to the authentication engine (login)
- Blocked (unauthorized traffic)
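The three-way filter above, as an added example in Python (not the paper's or NEC's code). It assumes that "authenticated with the session key" means an HMAC-SHA256 tag over the packet computed with the user's session key, that the authentication engine is reachable at one fixed address and UDP port, that packets carry a sequence number for replay protection, and that the user's profile lists the destination ports the subscription allows; none of these details are given on the slides. The constructed traffic at the end exercises every verdict, including an exact replay and a packet tagged with the wrong key, both of which a filter that only checked "has a session" would let through.

```python
"""Per-packet filter at a PamLAN access point.

Added example, not the paper's or NEC's code.  Assumptions: a packet is
"authenticated with the session key" when it carries an HMAC-SHA256 tag
computed with the user's session key; the authentication engine lives at
one fixed address/port; packets carry a sequence number; the profile lists
the destination ports the subscription allows.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List

AUTH_ENGINE = ("10.0.0.2", 1812)      # assumed address of the login / RADIUS relay


class Verdict(Enum):
    THROUGH = "through"               # authenticated with the session key
    AUTH_ENGINE = "auth_engine"       # not logged in, trying to log in
    BLOCKED = "blocked"               # unauthorized traffic


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    seq: int
    payload: bytes
    tag: bytes = b""


@dataclass
class Session:
    key: bytes
    policy: frozenset                 # permitted destination ports
    last_seq: int = 0


def packet_tag(key: bytes, pkt: Packet) -> bytes:
    """Tag binds addresses, port, sequence number and payload to the session key."""
    header = f"{pkt.src_ip}|{pkt.dst_ip}|{pkt.dst_port}|{pkt.seq}|".encode()
    return hmac.new(key, header + pkt.payload, hashlib.sha256).digest()


class APFilter:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def bind_session(self, ip: str, key: bytes, policy) -> None:
        """Called once the session key has been delivered to the user."""
        self.sessions[ip] = Session(key=key, policy=frozenset(policy))

    def classify(self, pkt: Packet) -> Verdict:
        sess = self.sessions.get(pkt.src_ip)
        if sess is None:
            # No session yet: only traffic to the authentication engine is let in.
            if (pkt.dst_ip, pkt.dst_port) == AUTH_ENGINE:
                return Verdict.AUTH_ENGINE
            return Verdict.BLOCKED
        if not hmac.compare_digest(packet_tag(sess.key, pkt), pkt.tag):
            return Verdict.BLOCKED    # wrong key or tampered packet
        if pkt.seq <= sess.last_seq:
            return Verdict.BLOCKED    # replayed (or reordered) packet
        if pkt.dst_port not in sess.policy:
            return Verdict.BLOCKED    # outside the subscription's access policy
        sess.last_seq = pkt.seq
        return Verdict.THROUGH


def demo() -> List[str]:
    """Constructed traffic: one user with a session, one host that has not logged in."""
    ap = APFilter()
    key = secrets.token_bytes(16)
    ap.bind_session("10.0.1.10", key, policy={80, 443})

    def signed(seq: int, port: int, key: bytes = key) -> Packet:
        pkt = Packet("10.0.1.10", "203.0.113.5", port, seq, b"GET /")
        pkt.tag = packet_tag(key, pkt)
        return pkt

    traffic = [
        Packet("10.0.1.55", *AUTH_ENGINE, 1, b"login"),        # no session, heading to the login engine
        Packet("10.0.1.55", "203.0.113.5", 443, 1, b"GET /"),  # no session, heading elsewhere
        signed(1, 443),                                        # valid
        signed(1, 443),                                        # exact replay of the previous packet
        signed(2, 443, key=secrets.token_bytes(16)),           # tagged with the wrong key
        signed(3, 25),                                         # valid tag, port not in policy
        signed(4, 80),                                         # valid, later sequence number
    ]
    return [ap.classify(p).value for p in traffic]
```

The sequence-number check is the part the slides leave implicit: a per-packet tag alone proves the sender once held the key, not that this copy of the packet is new, so without it an attacker on the same segment can replay captured frames through the filter indefinitely.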


Mobility Issues

- Mobility should be supported at layer 3: there are multiple subnetworks within a PamLAN
- Micromobility: roaming within the PamLAN


Mobility Issues (cont'd)

Possible approaches:
- Cellular IP: a routing update message is sent from the mobile device; the new AP, each router along the way and the gateway update their routing tables. The mobile device periodically sends paging packets. The process becomes a burden when a large number of mobile devices is being served.
- MPLS based: only the end points have to update the location; the old and new access points and the Internet gateway need to be informed.

[Figure: Cellular IP. Routers connect the Internet gateway to Access Point 1 and Access Point 2.]

[Figure: Cellular IP routing update. The routing entries along the path are refreshed periodically.]

Mobility Issues (cont'd): Fast AAA Handoff

- No repeated authentication
- The user profile is moved from the old access point to the new one (it contains the public key, the old session key, the mobile device's IP address and the old session's access policy)
- The old AP signals the RADIUS server to terminate the current accounting session
- The new AP generates a new session key
- The new AP sends the old session key and the new session key encrypted under the user's public key
- The user uses the new session key to establish a secure connection with the new AP

Fast AAA Handoff (figure sequence)

[Figure, step 1: the new AP fetches the profile from the old AP. The profile contains the user's public key, the old session key, the mobile device's IP address, the access policy, ....]

[Figure, step 2: the old AP signals to the RADIUS server the termination of the current accounting session.]

[Figure, step 3: the new AP encrypts the new session key and the old session key using the user's public key and sends the result to the user in a UDP packet.]

[Figure, step 4: the mobile device decrypts these keys and compares the old session key; a secure connection is then established with the new AP using the new session key.]
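The session-key delivery on the Secure Channel Establishment slide and the handoff steps above, as one added example in Python (not the paper's or NEC's code). The public-key encryption is textbook RSA over two fixed Mersenne primes with no padding, an insecure stand-in chosen only so that the exchange runs offline; a deployment would use generated keys and a padded scheme such as RSA-OAEP. The key length, the message layout (new key followed by old key), the UDP transport being abstracted to a function return value, and the accounting bookkeeping are assumptions as well. The run at the end includes a forged handoff from a party that knows only the user's public key; the device rejects it because the old session key does not match. That comparison is the only thing tying the handoff message to the legitimate old AP, which is why the profile, old session key included, has to travel between access points over a protected path.

```python
"""Session-key delivery and fast AAA handoff between two access points.

Added example, not the paper's or NEC's code.  The public-key cipher is
textbook RSA over fixed Mersenne primes with no padding: an insecure toy
used only so the exchange runs offline.  Key length, message layout and
the accounting bookkeeping are assumptions as well.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

# Toy RSA key.  M521 and M607 are Mersenne primes; e = 65537 is coprime to (p-1)(q-1).
_P, _Q, _E = (1 << 521) - 1, (1 << 607) - 1, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent, held only by the mobile device
PUBLIC_KEY = (_N, _E)                   # stored in the user's profile
KEY_LEN = 16                            # session key length in bytes (assumed)


def pk_encrypt(pub: Tuple[int, int], data: bytes) -> int:
    """Encrypt a short byte string under the public key (textbook RSA, no padding)."""
    n, e = pub
    m = int.from_bytes(data, "big")
    assert m < n, "message must fit under the modulus"
    return pow(m, e, n)


def pk_decrypt(d: int, n: int, c: int, length: int) -> bytes:
    return pow(c, d, n).to_bytes(length, "big")


@dataclass
class Profile:
    public_key: Tuple[int, int]
    session_key: bytes
    ip: str
    policy: frozenset


class RadiusServer:
    """Tracks which access point is running the accounting session for each user."""
    def __init__(self) -> None:
        self.accounting: Dict[str, str] = {}

    def start_accounting(self, ip: str, ap: str) -> None:
        self.accounting[ip] = ap

    def stop_accounting(self, ip: str, ap: str) -> None:
        if self.accounting.get(ip) == ap:
            del self.accounting[ip]


class AccessPoint:
    def __init__(self, name: str, radius: RadiusServer) -> None:
        self.name, self.radius = name, radius
        self.profiles: Dict[str, Profile] = {}

    def establish(self, ip: str, public_key: Tuple[int, int], policy: frozenset) -> int:
        """Secure channel establishment after RADIUS authentication: generate a
        session key and return it encrypted under the user's public key."""
        key = secrets.token_bytes(KEY_LEN)
        self.profiles[ip] = Profile(public_key, key, ip, policy)
        self.radius.start_accounting(ip, self.name)
        return pk_encrypt(public_key, key)

    def handoff_in(self, old_ap: "AccessPoint", ip: str) -> int:
        """Fast AAA handoff: take over the profile from the old AP, close the old
        accounting session, mint a new key and return new||old encrypted under
        the public key.  No fresh RADIUS authentication takes place."""
        prof = old_ap.profiles.pop(ip)
        self.radius.stop_accounting(ip, old_ap.name)
        new_key = secrets.token_bytes(KEY_LEN)
        self.profiles[ip] = Profile(prof.public_key, new_key, ip, prof.policy)
        self.radius.start_accounting(ip, self.name)
        return pk_encrypt(prof.public_key, new_key + prof.session_key)


class MobileDevice:
    def __init__(self, ip: str, private_d: int, n: int) -> None:
        self.ip, self._d, self._n = ip, private_d, n
        self.session_key = b""

    def accept_initial(self, c: int) -> None:
        self.session_key = pk_decrypt(self._d, self._n, c, KEY_LEN)

    def accept_handoff(self, c: int) -> bool:
        """Decrypt new||old; accept only if the old key matches the current one."""
        blob = pk_decrypt(self._d, self._n, c, 2 * KEY_LEN)
        new_key, old_key = blob[:KEY_LEN], blob[KEY_LEN:]
        if not secrets.compare_digest(old_key, self.session_key):
            return False
        self.session_key = new_key
        return True


def run_handoff() -> dict:
    radius = RadiusServer()
    ap1, ap2 = AccessPoint("AP1", radius), AccessPoint("AP2", radius)
    dev = MobileDevice("10.0.1.10", _D, _N)
    # 1. AP1 has authenticated the user via RADIUS and holds the profile.
    dev.accept_initial(ap1.establish(dev.ip, PUBLIC_KEY, frozenset({80, 443})))
    initial_ok = dev.session_key == ap1.profiles[dev.ip].session_key
    # 2. Someone holding only the public key pushes a bogus handoff message.
    forged = pk_encrypt(PUBLIC_KEY, secrets.token_bytes(2 * KEY_LEN))
    forged_rejected = not dev.accept_handoff(forged)
    # 3. Genuine handoff from AP1 to AP2.
    accepted = dev.accept_handoff(ap2.handoff_in(ap1, dev.ip))
    return {
        "initial_key_matches": initial_ok,
        "forged_handoff_rejected": forged_rejected,
        "handoff_accepted": accepted,
        "device_key_matches_new_ap": dev.session_key == ap2.profiles[dev.ip].session_key,
        "old_ap_dropped_profile": dev.ip not in ap1.profiles,
        "accounting_ap": radius.accounting.get(dev.ip),
    }
```

Two things the slides do not spell out fall out of running this: the device never learns which AP sent the handoff message other than through the old key, and once the device has switched keys a replay of the same UDP packet fails, because the "old" half no longer matches.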

Conclusion

PamLAN is:
- Secure
- Economical
- Extensible: multiple service providers, multiple air interfaces, and a variety of services appropriate for coming generations of Internet appliances
