Public Access Mobility LAN: Extending The Wireless Internet into The LAN Environment
JUN LI, STEPHEN B. WEINSTEIN, JUNBIAO ZHANG, NAN TU, NEC USA Inc.
IEEE Wireless Communications, June 2002
Presenter: 鍾國麟, Institute of Communications (通訊所)


Page 1

Public Access Mobility LAN: Extending The Wireless Internet into The LAN Environment
JUN LI, STEPHEN B. WEINSTEIN, JUNBIAO ZHANG, NAN TU, NEC USA Inc.
IEEE Wireless Communications, June 2002
Presenter: 鍾國麟, Institute of Communications (通訊所)

Page 2

Introduction

Aim is to meet:
- Ubiquitous access
- High data rate
- Local services

Need for wireless LAN environments

Page 3

Introduction (cont’d)

Architectural guidelines for WLAN environments:
- Large-scale
- IP-based
- Supporting mobile/portable appliances

Page 4

Introduction (cont’d)

Current problems of public WLANs:
- End users
- Network environment providers (hotels, airports, restaurants, etc.)
- ISPs

Page 5

"Pay 200 (元) for wireless Internet access"

User

Page 6

"Buy an xxx prepaid Internet access card"

Roaming? QoS?

Page 7

User needs:
1. A single account, password and bill
2. Mobility
3. QoS

Page 8

Wireless venue providers:
1. The more people using the network, the better
2. Equipment maintenance
3. Easy management
4. Revenue sharing
5. Business image, etc.

ISPs…

ISP operators:
1. The larger the wireless coverage, the better
2. Easy equipment maintenance
3. Offer users different QoS levels
4. Offer mobility

Page 9

PamLAN

IP-based Public Access Mobility LAN
- Supports Internet access via WLANs
- Multiple air interfaces
- Multiple virtual operators (ISPs, telecom operators)
- Location-dependent services
- Local IP mobility
- QoS (within the wired network)

Page 10

PamLAN business model

- Network operators: hotel, airport, ...
- Third-party service providers (like ISPs): franchises obtained from the PamLAN operator; also called virtual operators
- End users

Page 11

PamLAN

- May have multiple LAN segments: airports, hotels, universities, ...
- Can be built on existing LANs by adding wireless access points

Page 12

PamLAN vs. Cellular Systems

- Even 3G mobile communication systems would not be sufficient for evolving Internet applications: 384 kb/s outdoors, 2 Mb/s indoors downstream burst rates
- Intrinsic problem: providing continuous coverage in reserved spectrum
- Investment/capacity scalability???

Page 13

PamLAN vs. Cellular Systems

- WLANs have free spectrum
- Problem: potential interference, e.g. IEEE 802.11b & Bluetooth
- Compatibility may be agreed upon, or enforced, by property owners

Page 14

Promises of PamLAN

Addresses problems in current WLANs:
- Lack of public access
- Being tied down to a single access point
- Single air interface

Not a breakthrough in technological capacities: a combination of available technologies

Page 15

Architecture

PamLAN/VOLAN/VLAN hierarchy
- PamLAN: multiple virtual operators
- VOLAN: Virtual Operator LAN; extends VLAN capabilities across subnetworks
- VLAN: Virtual LAN; implements user group features; simulates a physical LAN on a multisegment LAN environment

Page 16

[Figure: PamLAN hierarchy. ISPs at the top; the PamLAN contains VOLAN1 and VOLAN2, built over vlan1, vlan2, vlan3 and vlan4.]

Page 17

Architecture (cont’d)

Page 18

Architecture (cont’d)

- Switched Ethernet LAN
- Access points supporting IEEE 802.11, Bluetooth, cellular, ...
- IP-based access router with proxies
- Gateway routers

Page 19

Architecture (cont’d)

- QoS is supported by Ethernet switches: CSMA/CD + full duplex (no contention)
- Integration of Cellular IP & Mobile IP for supporting mobility
- MPLS (Multi-Protocol Label Switching) brings QoS across multiple LAN segments

Page 20

Large Scale PamLAN

- For a single VLAN, QoS can be easily supported
- For large-scale WLANs? Intermediate routers work at layer 3:
  - Layer 2 information is lost
  - Source & destination addresses must be used for VOLAN membership
  - Intermediate routers must know all IP addresses for VLAN mapping

Page 21

Large Scale PamLAN (cont’d)

Solution: MPLS
- Simple & efficient
- Access points & Internet gateways handle VOLAN provisioning
- Intermediate routers are shielded from details

VLAN for grouping traffic per VOLAN; MPLS for the whole PamLAN

Page 22

MPLS (Multi-Protocol Label Switching)

- Tunnels traffic between gateways & access points
- Intermediate routers only examine MPLS labels, which impose a path
- Forwarding Equivalence Class (FEC): formed based on VOLAN membership & QoS
- FEC is inserted in the MPLS label; used for 802.1p priority within the VLAN

Page 23

MPLS (cont’d)

Page 24

MPLS (cont’d)

Traffic-engineered paths can be set up among access points and Internet gateways according to service contracts between the PamLAN and virtual operators

Page 25

Protocol Stack

Page 26

Security Issues

- Mutual authentication: both the user and the AP must be authenticated by the virtual operator's RADIUS
- Secure channel establishment: public-key-based secure channel establishment
- Authorization: filtering at the access point

Page 27

Mutual Authentication

IP-based authentication, 5 basic steps:
1. MN obtains an IP address through the AP (DHCP)
2. MN login session
3. Access point acts as relay agent to the virtual operator (ISP's RADIUS)
4. Challenge-response protocol for authentication
5. Public key for securing the channel

Page 28

Mutual Authentication (cont’d)

Page 29

Parties: MN, AP/RADIUS client, RADIUS server (RS)

Notation:
- A(M,k): MD5-based keyed tag
- Krc: the key shared between the AP and the RADIUS server
- Kmu: the key between the MN and the RS
- Pkmu: the MN's public key
- s1: a random number

Message flow:
MN -> AP: UID
AP -> RS: A(UID,Krc)
RS -> AP: A((UID,s1,E(E(s1,kmu),krc)),krc)
AP -> MN: UID, s1
MN -> AP: UID, s1, E(s1,kmu), s2
AP -> RS: A((UID,E(s1,kmu),s2),krc)
RS -> AP: A((UID,s1,E(E(s1,kmu),krc),Pkmu),krc)
AP -> MN: UID, EP((E(s2,kmu),SK),Pkmu)
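The exchange on this slide, as an added simulation that is not code from the paper or from NEC's implementation: MN, AP (RADIUS client) and RADIUS server run the message flow above with the slide's notation, each party checking the tags and challenges it is responsible for. Assumptions: A(M,k) is HMAC-MD5, E(M,k) is a toy XOR stream cipher, EP is unpadded toy RSA on two fixed Mersenne primes, and the RS's last message is taken to carry E(s2,kmu) under krc so that the AP, which never holds kmu, can answer the MN's s2 challenge.

```python
import hashlib, hmac, secrets
def A(msg, k):   # A(M,k): MD5-based keyed tag; HMAC-MD5 is an assumed construction
    return hmac.new(k, msg, hashlib.md5).digest()
def E(msg, k):   # E(M,k): toy XOR stream cipher, self-inverse (demo only, not secure)
    return bytes(m ^ s for m, s in zip(msg, hashlib.sha256(k).digest()))
# EP(M,Pkmu): textbook RSA on fixed Mersenne primes 2^61-1 and 2^89-1 (toy, unpadded)
P, Q, PUB_E = (1 << 61) - 1, (1 << 89) - 1, 65537
N, PRIV_D = P * Q, pow(PUB_E, -1, (P - 1) * (Q - 1))
def EP(msg, pk): return pow(int.from_bytes(msg, "big"), pk[1], pk[0])
def DP(c, sk): return pow(c, sk[1], sk[0]).to_bytes(16, "big")

def checked(body, tag, k):   # verify A(body,k) before trusting a relayed message
    if not hmac.compare_digest(A(body, k), tag): raise ValueError("bad tag")

class RadiusServer:          # RS of the virtual operator: holds krc and each user's kmu, Pkmu
    def __init__(self, krc, users): self.krc, self.users, self.s1 = krc, users, {}
    def challenge(self, uid, tag):      # AP -> RS: A(UID,krc)
        checked(uid, tag, self.krc); kmu = self.users[uid][0]
        s1 = self.s1[uid] = secrets.token_bytes(8)
        body = s1 + E(E(s1, kmu), self.krc)           # RS -> AP: s1, E(E(s1,kmu),krc)
        return body, A(uid + body, self.krc)
    def verify(self, uid, resp, s2, tag):  # AP -> RS: A((UID,E(s1,kmu),s2),krc)
        checked(uid + resp + s2, tag, self.krc); kmu, pk = self.users[uid]
        if resp != E(self.s1.pop(uid), kmu): raise ValueError("MN failed challenge")
        body = E(E(s2, kmu), self.krc)   # assumed: RS answers the MN's s2 under krc, with Pkmu
        return body, pk, A(uid + body, self.krc)

class AccessPoint:           # AP acting as RADIUS client / relay agent
    def __init__(self, krc, rs): self.krc, self.rs = krc, rs
    def login(self, mn):
        uid = mn.uid                                         # MN -> AP: UID
        body, tag = self.rs.challenge(uid, A(uid, self.krc))
        checked(uid + body, tag, self.krc); s1 = body[:8]
        resp, s2 = mn.answer(s1)                             # AP -> MN: UID, s1
        body, pk, tag = self.rs.verify(uid, resp, s2, A(uid + resp + s2, self.krc))
        checked(uid + body, tag, self.krc)
        sk = secrets.token_bytes(8)                          # AP -> MN: EP((E(s2,kmu),SK),Pkmu)
        mn.finish(EP(E(body, self.krc) + sk, pk)); return sk

class MobileNode:
    def __init__(self, uid, kmu, priv):
        self.uid, self.kmu, self.priv, self.sk = uid, kmu, priv, None
    def answer(self, s1):                # MN -> AP: UID, s1, E(s1,kmu), s2
        self.s2 = secrets.token_bytes(8); return E(s1, self.kmu), self.s2
    def finish(self, c):                 # MN authenticates the network via its own s2
        plain = DP(c, self.priv)         # expect E(s2,kmu) || SK
        if plain[:8] != E(self.s2, self.kmu): raise ValueError("network not authenticated")
        self.sk = plain[8:]
```

A wrong kmu is rejected by the RS at the challenge step, and an AP that does not hold krc is rejected before the MN is ever challenged.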

Page 30

Securing Channel

- After authentication the AP has the user's profile (public key, QoS class, membership data, etc.)
- The AP sends a session key encrypted under the corresponding public key
- IPsec together with ESP can be used for security at the IP layer, depending on user requests

Page 31

Authorization Control

Based on user credentials, packets can be filtered at the access point:
- The user may reach the Internet through the PamLAN
- The user may use the local printer or other services

Page 32

Accounting

3 possible charging policies:
- Flat-fee based: the PamLAN administrator collects a fixed fee from the ISP, and that ISP's users may then use the network without limit
- Per-session: the ISP charges by the user's connection time (idle time....?)
- Usage based (metered): disputes are avoided by digital signature

Page 33

Mobility Issues

Micromobility: roaming within the PamLAN

Possible approaches:
- Cellular IP: refreshing router contents can be a burden for too many users
- MPLS based: only end points have to update location; old and new access points and the Internet gateway need to be informed

Page 34

Mobility Issues

Fast handoff: when an MN moves to a new AP, running the full authentication again is a waste of time.

Move the user profile from the old AP to the new AP

Page 35

Fast handoff flow

1. The new AP fetches the user's profile from the old AP (public key, session key, IP, policies, ...).
2. The old AP sends a message to RADIUS to stop billing for the current session.
3. The new AP generates a new session key and sends the new S-key together with the old S-key to the user, sealed with the user's public key.
4. The user checks the session-key data, then transmits data with the new AP using the new S-key.
5. The new AP obtains its IP-filter data from the old AP and at the same time sends a message to RADIUS to start billing.

Page 36

Experimental Implementation

One 12-port switch; three PCs running Linux; two of the PCs, fitted with 802.11b cards, act as APs

Test method:
1. Confirm that VLAN and DiffServ can be used on the switch
2. Integrate the Cellular IP protocol on this network
3. Implement basic AAA functions

Page 37

Experimental Implementation

- Mobility: Cellular IP
- Linux kernel (AP): IP filter, IPsec
- Open-source RADIUS client (AP)

Page 38

Further work

- MPLS-based mobility
- QoS admission control

Page 39

Conclusion

- Extensible
- Multiple services
- Multiple air interfaces
- Are all appliances capable of handling PKC operations?