

Fast Handoff in Mobile Virtual Private Networks∗

Jyh-Cheng Chen1,2, Jui-Chi Liang2, Siao-Ting Wang1, Shin-Ying Pan2, Yin-Shin Chen1, Ying-Yu Chen1

1Department of Computer Science, 2Institute of Communications Engineering

National Tsing Hua University

Hsinchu, Taiwan

Abstract

This paper presents dynamic external Home Agent (x-HA) assignment, fast authentication, and pre-authentication in mobile Virtual Private Networks (VPNs). The proposed architecture is based on the mobile VPN proposed by the IETF, which adopts Mobile IP and IPsec. The IETF solution, however, leads to two questions: where should we put the x-HA, and how should we trust the x-HA? We propose to assign the x-HA dynamically so that the handoff latency and end-to-end latency can be reduced significantly. By using the Diameter Mobile IPv4 application, we also propose a technique such that the x-HA can be associated with the VPN securely. In addition, we propose fast authentication and pre-authentication to further reduce handoff delay. The proposed techniques have been implemented in a mobile VPN testbed. Performance analysis based on empirical experiments is discussed.

1 Introduction

Security has become a critical issue for today's Internet. Virtual Private Networks (VPNs) have been developed to secure users' communication between untrusted external networks and the protected private internal network (intranet). There are many security protocols which could be applied to VPNs. This paper emphasizes IPsec-based VPN technologies. By virtue of IPsec [6], such a VPN provides not only data integrity and confidentiality, but also replay protection and access control. With the rapid evolution of wireless technologies, mobility has recently become the most imperative demand. Considering mobility for VPN users, Mobile IPv4 (MIPv4, IETF RFC 3344) has been adopted in the Mobile VPN (MVPN) architecture proposed by the IETF [10].

∗This work was sponsored in part by the National Science Council (NSC) under grant numbers 95-2752-E-007-003-PAE, 94-2213-E-007-073, and 94-2219-E-009-024.

However, some technical issues need to be resolved when incorporating Mobile IP (MIP) into an IPsec-based VPN gateway [1]. When a Mobile Node (MN) moves out of the intranet, it must establish an IPsec tunnel with the VPN gateway before registering with the Home Agent (HA). During movement, the MN obtains a new care-of address (CoA), which requires the VPN gateway to refresh the IPsec tunnel each time the MN moves into a new IP subnet. Besides, all packets, including MIPv4 signaling messages, are encrypted by IPsec. Therefore, the Foreign Agent (FA) cannot decrypt MIPv4 messages, and thus the FA is unable to relay MIP messages.

In order to overcome these problems, the IETF MIP4 Working Group (WG) is working on a mechanism to support seamless roaming for VPN users [10]. There are two HAs, for the internal and external networks, respectively. Because the standard MIPv4 is used for the MN's mobility management inside the intranet, an internal HA (i-HA) is required for the intranet. If the MN moves out of the intranet, an external HA (x-HA) is required for the external networks. The purpose of the extra x-HA is to support another layer of MIP underneath IPsec. Therefore, the IPsec tunnel will not break when the MN gets a new CoA, and the FA will be able to understand the MIP messages. The registration procedure is illustrated in Fig. 1. After the MN obtains its CoA in an external network, it registers the external CoA with the x-HA (Step 1 in Fig. 1). It then builds an IPsec tunnel with the home VPN gateway through Internet Key Exchange (IKE, IETF RFC 2409) using its external Home Address (x-HoA) (Step 2 in Fig. 1). During the IKE negotiation, a VPN Tunnel Inner Address (VPN-TIA) is assigned to the MN as the MN's internal CoA. The MN then registers the VPN-TIA with its i-HA via the IPsec tunnel (Step 3 in Fig. 1). After the three steps are completed, the triple tunnels (x-MIP, IPsec, i-MIP), depicted at the bottom of Fig. 1, are constructed to provide session continuity, communication security on the external networks, and reachability from the intranet. By using the IETF solution, there is no modification to the MIPv4 and IPsec standards. Only some changes are necessary for the MN.

Proceedings of the 2006 International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM'06) 0-7695-2593-8/06 $20.00 © 2006 IEEE

Figure 1. Mobile VPN proposed by IETF
[Diagram: intranet (Subnets 1, 2, 3 with i-HA, i-FA, DHCP and 802.11b APs), DMZ with the VPN Gateway, Interior Router and Exterior Router, the Internet, and external Subnets 4 and 5 with x-HA, x-FA, DHCP and 802.11b APs. Steps: 1. Register to x-HA by using CoA; 2. Establish IPsec tunnel with VPN by using x-HoA; 3. Register to i-HA by using VPN-TIA. Triple tunnels constructed: original packet, inside i-MIP (i-HA to VPN-TIA), inside IPsec (VPN GW to x-HoA), inside x-MIP (x-HA to MN CoA).]

The IETF solution, however, leads to two questions: where should we put the x-HA, and how should we trust the x-HA? The placement of the x-HA affects the handoff latency and the end-to-end latency. In addition, the x-HA is outside the VPN and might not be under the control of the VPN. Therefore, there should be a trusted mechanism to assign the x-HA. We have proposed to assign the x-HA dynamically so that the handoff latency and end-to-end latency can be minimized [8]. We have also proposed a technique based on the Diameter Mobile IPv4 application [2] such that the x-HA can be associated with the VPN securely [8]. In this paper, we propose fast authentication and pre-authentication to further reduce handoff latency for mobile VPN, thereby achieving fast handoff. The proposed techniques have been implemented in a mobile VPN testbed. Performance analysis based on empirical experiments is discussed in this paper.

Section 2 presents the proposed solutions. Section 3 discusses the testbed and experimental results. Section 4 summarizes this paper.

2 Proposed Fast Handoff for Mobile VPN

As in the IETF MVPN, in this section we assume that the MN is a legitimate user of the private network. The necessary Security Associations (SAs) or secrets between the MN and the VPN gateway, the home AAA server (referred to as AAAH), and the i-HA have already been established. We mainly consider the security issues when the MN moves out of the private network. The following sections discuss the proposed dynamic x-HA assignment, fast authentication, and pre-authentication, respectively.

Figure 2. Mobile VPN with dynamic x-HA assignment
[Diagram: intranet (Subnets 1 and 2 with i-HA, i-FA or DHCP, 802.11b APs), DMZ with the VPN Gateway and AAAH, Interior Router and Exterior Router, the Internet, and two external networks: External Network 1 (AAAF 1, x-HA 1, x-FA1 and x-FA2 or DHCP, Subnets 1 and 2, routers, 802.11b APs) and External Network 2 (AAAF 2, x-HA 2, x-FA3 and x-FA4 or DHCP, Subnets 3 and 4, routers, 802.11b APs).]

Figure 3. Message flows for dynamic x-HA assignment

2.1 Dynamic x-HA Assignment

Without considering MVPN, dynamic HA assignment is being developed by the IETF [7]. It defines techniques to allocate an HA in the visited domain for an MN by using the Dynamic Host Configuration Protocol (DHCP), Authentication, Authorization and Accounting (AAA), and the Domain Name Service (DNS). The goal is to choose an optimal HA for an MN in geographically distant locations. Because the HA is assigned close to the MN, the latency for packet transmission between the HA and the MN can be drastically reduced. Besides, the inter-subnet handoff is faster. Moreover, the load among a group of HAs can also be balanced by administrative policies.

Although dynamic HA assignment has been proposed, how to assign the x-HA dynamically in MVPN still needs more investigation. In addition, how to trust the x-HA is a major concern. The x-HA must be authenticated and authorized before it is assigned to an MN. Therefore, an AAA server should be adopted. We employ Diameter [3] as our AAA server because it can cooperate with various applications, including MIPv4. By using the Diameter Mobile IPv4 application [2], Diameter can not only assign an HA for the MN in foreign administrative domains, but also serve as the Key Distribution Center (KDC) to establish Security Associations (SAs) dynamically between mobility agents and MNs. The Diameter server allocates session keys after the MN is successfully authenticated and authorized. By using the Diameter protocol, the derived session keys can be securely transmitted to the external FA (x-FA) and the x-HA. Once the SA has been established, the mobility devices can exchange registration information securely without involving the Diameter infrastructure until the session keys expire.

Table 1. Messages

Reg-Req  Registration Request
AMR      AA-Mobile-Node-Request
HAR      Home-Agent-MIP-Request
HAA      Home-Agent-MIP-Answer
AMA      AA-Mobile-Node-Answer
MLU      MN Location Update
ACU      Authentication Cache Update
PAI      Pre-Authentication Information

Fig. 2 depicts the network architecture for the MVPN with dynamic x-HA assignment. Fig. 3 illustrates the proposed message exchanges for roaming in public networks. Instead of deploying a static x-HA for all external networks, the x-HA is assigned dynamically by the foreign Diameter server (referred to as AAAF in Fig. 2). Fig. 2 shows that x-HA 1 is the MN's HA in External Network 1 and x-HA 2 is the MN's HA in External Network 2. Based on the Diameter Mobile IPv4 application, we design some messages to register with the i-HA when the MN is in visited realms. For a detailed discussion, please refer to our earlier publication [8]. Table 1 summarizes the messages depicted in Figs. 3–6. Most of them are defined by the IETF. A few are defined by ourselves and are explained in the following sections.

2.2 Fast Authentication

In the Diameter Mobile IPv4 application, each time an MN is authenticated, the external AAA server (AAAF) needs to consult the AAA server in the MN's home network (AAAH). If the two AAA servers are far apart, authentication takes a certain time and thus prolongs the handoff process. In order to further reduce handoff delay, we propose fast authentication for mobile VPN.

Figure 4. Message flows for fast authentication

Figure 5. Message flows when fast authentication fails

In the proposed fast authentication, the AAAH generates a random long string, called the Random Shared Secret (RSS), when the MN is authenticated by the AAAH. The RSS is sent to a group of AAAFs, namely the potential AAAFs the MN may move to. The MN keeps the RSS too. Thereafter, an AAAF can authenticate the MN by using the RSS without interacting with the AAAH. The authentication process is therefore simplified, and fast authentication is achieved.

Fig. 4 shows the message flows for the proposed fast authentication. When the MN moves out of the private network and registers with an external network successfully, the AAAH sends an Authentication Cache Update (ACU) to a set of AAAFs. The set of AAAFs could be determined by running certain algorithms, which normally make the decision using statistical theory or geographical information, so that the set includes the AAAFs the MN will roam into. Each time the AAAH receives a location update from the MN, it generates a random number. From the random number and the shared secret between the AAAH and the MN, the AAAH uses a hash function to generate the RSS. The ACU sent to the AAAFs comprises the MN's ID and the RSS. In addition, the RSS is also sent to the MN. Because the IPsec tunnel has already been established when the MN registered with the VPN gateway, the RSS is not revealed when sent from the AAAH to the MN. To further ensure that the RSS cannot be pirated by other users, a lifetime is associated with the RSS; once the lifetime expires, the RSS is regenerated. After receiving the ACU, the AAAFs authenticate the MN by using the RSS instead of performing complete authentication with the AAAH.

Figure 6. Message flows for pre-authentication

The MN decides whether fast authentication or standard authentication should be executed by carrying the request in the Reg-Req. If fast authentication is requested, the x-FA only needs to issue an AA-Mobile-Node-Request (AMR) to the AAAF, which then performs the fast authentication. If the MN is authenticated successfully, the MN can connect to the external network. The AAAF also sends an MN Location Update (MLU) (Flow 7.1 in Fig. 4) to inform the AAAH of the new location of the MN. Based on the new location of the MN, the AAAH can calculate the new set of potential AAAFs. If the MN fails the authentication, standard authentication is executed. Fig. 5 depicts the flows when fast authentication fails: a Reg-Fail is sent to the MN, which triggers the standard authentication procedure.

2.3 Pre-Authentication

The fast authentication discussed earlier can reduce the handoff delay significantly. In this section, we discuss pre-authentication, which can further reduce handoff delay.

The idea of pre-authentication has been proposed in many wireless systems. In pre-authentication, an MN is authenticated before it moves into a network. Besides, many necessary resources can be pre-reserved. Therefore, the MN can connect to a network immediately once the handoff process is completed. However, we argue that only a certain number of MNs should be pre-authenticated because pre-authentication is costly. In pre-authentication, the authentication is performed before handing off to a network, and resources are reserved as well. They cannot be used by other users even though the MN is still in another network. The problem is exaggerated if the MN does not move into the network that has completed pre-authentication and resource reservation. Therefore, we propose that only high-priority users perform pre-authentication. The fast authentication discussed in Section 2.2 is good enough for most users.

Fig. 6 illustrates pre-authentication in our proposed mobile VPN. When the AAAF receives the ACU for a high-priority MN, the AAAF triggers the authentication for the MN. Because the authentication has already been completed, the MN does not need to perform authentication when it moves into the network. Therefore, the handoff process is expedited.
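The following is an added worked model of the fast-authentication and pre-authentication flows of Sections 2.2 and 2.3; it is example code written for this page, not code from the paper or its testbed. It keeps the paper's roles (AAAH, AAAF, MN), the ACU carrying the MN's ID and the RSS, the RSS lifetime, the MLU-driven regeneration, and the Reg-Fail fallback to standard authentication. The HMAC-SHA256 derivation of the RSS, the challenge/response authenticator, the 60 s lifetime, the message formats and all class and function names are assumptions of this example; the paper only says the RSS is produced by hashing a random number with the MN/AAAH shared secret.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# An RSS carries a lifetime and is regenerated when it expires (Section 2.2);
# the 60 s value is an assumption of this example.
RSS_LIFETIME = 60.0


@dataclass
class ACU:
    """Authentication Cache Update: MN ID plus RSS, pushed by the AAAH to candidate AAAFs."""
    mn_id: str
    rss: bytes
    expires_at: float
    high_priority: bool = False   # Section 2.3: only high-priority MNs are pre-authenticated


def derive_rss(shared_secret: bytes, nonce: bytes) -> bytes:
    """RSS = hash(random number, MN/AAAH shared secret); HMAC-SHA256 is this example's choice."""
    return hmac.new(shared_secret, nonce, hashlib.sha256).digest()


def authenticator(key: bytes, mn_id: str, challenge: bytes) -> bytes:
    """Keyed response carried in the Reg-Req; the verifier recomputes it with the same key."""
    return hmac.new(key, mn_id.encode() + challenge, hashlib.sha256).digest()


class AAAH:
    def __init__(self, mn_secrets):
        self.mn_secrets = mn_secrets   # MN ID -> long-term shared secret
        self.standard_auths = 0        # AAAF-to-AAAH round trips; fast authentication avoids these

    def push_acu(self, mn_id, aaafs, now, high_priority=False):
        """After a registration or MLU: fresh random number, new RSS, ACU to the predicted
        AAAF set. Returns the nonce, which is sent to the MN inside the IPsec tunnel."""
        nonce = os.urandom(16)
        acu = ACU(mn_id, derive_rss(self.mn_secrets[mn_id], nonce), now + RSS_LIFETIME, high_priority)
        for aaaf in aaafs:
            aaaf.receive_acu(acu)
        return nonce

    def standard_authenticate(self, mn_id, challenge, response):
        self.standard_auths += 1
        secret = self.mn_secrets.get(mn_id)
        return secret is not None and hmac.compare_digest(authenticator(secret, mn_id, challenge), response)


class AAAF:
    def __init__(self, name):
        self.name = name
        self.cache = {}      # MN ID -> ACU
        self.preauth = {}    # MN ID -> expiry, for MNs authenticated before arrival (Fig. 6)

    def receive_acu(self, acu):
        self.cache[acu.mn_id] = acu
        if acu.high_priority:
            self.preauth[acu.mn_id] = acu.expires_at   # pre-authentication is done now

    def fast_verify(self, mn_id, challenge, response, now):
        acu = self.cache.get(mn_id)
        if acu is None or acu.expires_at <= now:
            return False   # no RSS for this MN, or its lifetime has expired
        return hmac.compare_digest(authenticator(acu.rss, mn_id, challenge), response)


class MN:
    def __init__(self, mn_id, secret, high_priority=False):
        self.mn_id, self.secret, self.high_priority = mn_id, secret, high_priority
        self.rss = None

    def accept_nonce(self, nonce):
        self.rss = derive_rss(self.secret, nonce)   # same derivation as the AAAH

    def reg_req(self, challenge, fast):
        return authenticator(self.rss if fast else self.secret, self.mn_id, challenge)


def handoff(mn, aaaf, aaah, now, request_fast=True, next_aaafs=()):
    """One registration through a new x-FA/AAAF. Returns which method finally succeeded."""
    challenge = os.urandom(8)
    if aaaf.preauth.get(mn.mn_id, 0) > now:
        method = "pre"                                     # authenticated before arrival
    elif request_fast and mn.rss is not None and aaaf.fast_verify(
            mn.mn_id, challenge, mn.reg_req(challenge, fast=True), now):
        method = "fast"                                    # verified locally with the RSS
    elif aaah.standard_authenticate(mn.mn_id, challenge, mn.reg_req(challenge, fast=False)):
        method = "standard"                                # Reg-Fail or no RSS: via the AAAH
    else:
        return "rejected"
    # MLU to the AAAH (Flow 7.1, Fig. 4): new AAAF set, fresh RSS to the MN and the AAAFs.
    mn.accept_nonce(aaah.push_acu(mn.mn_id, next_aaafs, now, mn.high_priority))
    return method


def demo():
    """Constructed scenario covering the cache hit, stale, expired, unpredicted and pre-auth cases."""
    aaah = AAAH({"mn1@home": b"k-mn1", "vip@home": b"k-vip"})
    f1, f2, f3 = AAAF("AAAF1"), AAAF("AAAF2"), AAAF("AAAF3")
    mn, vip = MN("mn1@home", b"k-mn1"), MN("vip@home", b"k-vip", high_priority=True)
    t, out = 1000.0, {}
    out["initial"] = handoff(mn, f1, aaah, t, request_fast=False, next_aaafs=[f1, f2])
    out["predicted"] = handoff(mn, f2, aaah, t + 10, next_aaafs=[f2])      # current RSS cached
    out["stale"] = handoff(mn, f1, aaah, t + 20, next_aaafs=[f1])          # f1 holds an old RSS
    out["expired"] = handoff(mn, f1, aaah, t + 100, next_aaafs=[f1])       # lifetime has passed
    out["unpredicted"] = handoff(mn, f3, aaah, t + 110, next_aaafs=[f3])   # f3 never got an ACU
    out["vip_initial"] = handoff(vip, f1, aaah, t, request_fast=False, next_aaafs=[f2])
    out["vip_preauth"] = handoff(vip, f2, aaah, t + 10)
    out["wrong_secret"] = handoff(MN("mn1@home", b"not-the-key"), f2, aaah, t + 120)
    out["aaah_round_trips"] = aaah.standard_auths
    return out
```

Running demo() exercises the cases worth checking in a deployment: the fast path succeeds only at an AAAF that holds the current, unexpired RSS for that MN ID; a stale RSS left behind at a previously visited AAAF, an expired RSS, or a move to an AAAF outside the predicted set all fall back to a full round trip to the AAAH, as Fig. 5 describes, and an MN without the correct long-term secret is rejected there. A high-priority MN is admitted at a pre-authenticated AAAF with no verification on arrival, which is why the paper restricts pre-authentication to few users; the stale case also shows that the RSS lifetime, not the MLU, is what eventually clears old entries from AAAFs that the MN did not revisit.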

3 Testbed and Experiments

To realize the proposed idea and perform various experiments, a testbed based on Fig. 2 has been constructed. In the testbed, we adopt the source code of FreeS/WAN [4] to build the VPN gateway. WIRE Diameter [11] is used as the AAA server. Because the proposed technique is based on the IP layer, the radio access network (RAN) could be based on any technology. In the testbed, we adopt IEEE 802.11b, one of the most popular wireless technologies, as our RAN. Besides, NISTnet [9] is used to emulate Internet traffic. Although we have experimented with various Internet delays, the results shown here are primarily based on 500 ms of Internet delay. To support the Diameter MIPv4 application, both the HA and the FA must understand the Diameter protocol. In addition to the dynamic x-HA assignment, we have also implemented the Diameter MIPv4 application [11]. The Mobile IPv4 implementation is based on Dynamics-HUT [5].

To compare the handoff latency and end-to-end latency, we have also constructed the IETF MVPN. The IETF MVPN testbed is built with the same RAN, VPN gateway, and Internet delays as described above.

Because the experimental results in FA mode are similar to those in co-located mode, this paper presents the results based on FA mode only. In the testbed, the FA sends an agent advertisement containing its NAI every second. After each handoff, the MN detects the agent advertisement and relies on the FA's NAI to register the FA CoA with the HA or to ask for dynamic x-HA assignment.

Figure 7. Comparison of handoff latency with 500 ms Internet delay
[Bar chart. Y-axis: Handoff Latency (ms), 0 to 8000. X-axis: cases 1 to 8, where 1, 2, 3, 4 are handoffs from the intranet to an external network and 5, 6, 7, 8 are handoffs from one external network to another. Series: IETF MVPN, Dynamic x-HA Assignment, Fast Authentication, Pre-Authentication. Bar labels recovered from the extraction, in no reliable order: 7776.82, 473.83, 389.53, 7709.29, 7732.35, 1255.01, 2529.67, 7914.26.]

Fig. 7 depicts the handoff latency when the Internet delay is set to 500 ms. It shows the handoff latencies for moving from the intranet to an external network, and from one external network to another external network. One can observe that in our proposed MVPN, the MN spends almost the same time moving from the intranet to an external network as in the IETF MVPN (1, 2, 3, and 4 in Fig. 7). Although not shown in the figure, once the first registration with the AAAH is completed, the handoff latency in our proposed MVPN is shorter when the MN moves inside the external network. This is because in our proposed MVPN the x-HA is assigned dynamically and is geographically close to the MN, whereas in the IETF MVPN traffic usually needs to traverse the Internet to reach the x-HA. Please refer to [8] for the results when the MN moves inside an authorized external network. Fig. 7 further shows the results when moving from an external network to another external network. The handoff latency of dynamic x-HA assignment is higher than that of the IETF MVPN (6 and 5 in Fig. 7). This is because the x-HA changes in dynamic x-HA assignment, and it takes some time to reassociate with the new x-HA. However, once the new x-HA is allocated, the handoff delay is reduced because the new x-HA is close to the MN, as discussed above. Fig. 7 also illustrates the results of fast authentication and pre-authentication when moving from an external network to another external network. Compared with the IETF MVPN, our proposed fast authentication and pre-authentication reduce the handoff latency significantly; they improve the performance of the dynamic x-HA assignment. Although results for other Internet delays are not shown here, the benefit of our proposed MVPN is more apparent when the Internet delay is high: the longer the Internet delay, the larger the handoff latency in the IETF MVPN compared with our proposed MVPN.

4 Summary

Compared with the IETF MVPN, we replace the static x-HA with a dynamic x-HA. In addition, we propose fast authentication and pre-authentication. The handoff latency and end-to-end latency can therefore be reduced significantly. The proposed MVPN has been implemented in a testbed, and performance analysis based on empirical experiments is presented. Results show that the handoff latency in our proposed MVPN is almost the same as in the IETF MVPN when the MN moves out of the intranet to an external network. After that, the handoff latency is much shorter in our proposed MVPN when moving within external networks or from one external network to another. The longer the Internet delay, the better the proposed MVPN performs. Our approach would be especially useful for mobile users when the Internet delay is long, such as when mobile users are far away from their home network.

References

[1] F. Adrangi and H. Levkowetz. Problem Statement: Mobile IPv4 Traversal of Virtual Private Network (VPN) Gateways. IETF RFC 4093, Aug. 2005.

[2] P. Calhoun, T. Johansson, C. Perkins, T. Hiller, and P. McCann. Diameter Mobile IPv4 Application. IETF RFC 4004, Aug. 2005.

[3] P. Calhoun, J. Loughney, E. Guttman, G. Zorn, and J. Arkko. Diameter Base Protocol. IETF RFC 3588, Sept. 2003.

[4] FreeS/WAN - Implementation of IPsec and IKE for Linux. http://www.freeswan.org/.

[5] Dynamics - HUT Mobile IP. http://dynamics.sourceforge.net/.

[6] S. Kent and R. Atkinson. Security Architecture for the Internet Protocol. IETF RFC 2401, Nov. 1998.

[7] M. Kulkarni, A. Patel, and K. Leung. Mobile IPv4 Dynamic Home Agent (HA) Assignment. IETF RFC 4433, Mar. 2006.

[8] Y.-W. Liu, J.-C. Chen, and L.-W. Lin. Dynamic External Home Agent Assignment in Mobile VPN. In Proc. of IEEE Semiannual Vehicular Technology Conference (VTC '04), pages 3281–3285, Los Angeles, CA, Sept. 2004.

[9] NIST Net - a Linux-based Network Emulation Tool. http://snad.ncsl.nist.gov/itg/nistnet/.

[10] S. Vaarala and E. Klovning. Mobile IPv4 Traversal Across IPsec-based VPN Gateways. <draft-ietf-mip4-vpn-problem-solution-02>, Nov. 2005.

[11] W.-T. Wu, J.-C. Chen, K.-H. Chen, and K.-P. Fan. Design and Implementation of WIRE Diameter. In Proc. of 3rd International Conference on Information Technology: Research and Education (ITRE '05), pages 428–443, Hsinchu, Taiwan, June 2005.
