iscsct10p405 (7/29/2019, page 1/4)
405
A Handoff Method Based on AAA for MIPv6
Jia Zong-pu 1, Zhang Jing 2
1 Computer Science and Technology Department, He Nan Polytechnic University, Jiao Zuo, China
Email: [email protected]
2 Computer Science and Technology Department, He Nan Polytechnic University, Jiao Zuo, China
Email: [email protected]
Abstract: As commercial demand grows day by day, the mobile IP protocol combined with AAA (Authentication, Authorization and Accounting) technology is widely used for authentication, authorization and billing. However, compared with a plain mobile IP handoff, the MIPv6-AAA model must also complete AAA user authentication and authorization during the handoff, so it produces a longer handoff delay and also has security issues. This article therefore gives a new MIPv6 handoff method: when the MN hands off within a domain, authentication by the home domain is not needed, which reduces the handoff time; when the MN hands off between domains, a mobile node agent (MNA) is set up to keep the original MN information temporarily, so that the registration process does not fail and security is increased. The solution optimizes the MIPv6-AAA model by improving these two areas.
Index Terms: MIPv6, AAA, handoff, MN, agent
I. INTRODUCTION
As computer and communication technologies have developed, people demand more and more from network services. The traditional fixed-access Internet mode cannot meet these demands; users need wireless Internet services. The mobile IP protocol can be combined with any link-layer technology and supports vertical handoff, so that a user can keep accessing the network while moving; it is considered the best solution to the mobility problem at the network layer. At present the number of mobile users is growing on a large scale, and business applications on the Internet are also becoming popular. For this reason the IETF (Internet Engineering Task Force) combined AAA (Authentication, Authorization and Accounting) with mobile IP technology, focusing on the user's authentication, authorization and accounting issues and providing the security that mobile IP needs for large-scale commercial deployment.
At present there is much research on combining AAA with mobile IP. Reference [1] described a solution that designs a layered structure and sets up facilities, gives the normalized process of AAA authentication and MIPv6 registration and the process of establishing a local SA for authentication, and compares it with the existing solution, pointing out its advantages. From its performance analysis we can see that the MN's movement characteristics are the important parameter affecting performance. However, that solution did not consider how to use the mobile handoff rate, dwell time and other parameters to describe the MN's movement characteristics and to guide the AAA structure toward layering and dynamic adjustment.
Reference [2] gives a structure combining mobile IPv6 with AAA based on WLAN, using RADIUS as the AAA protocol. RADIUS only supports IPv4, so under MIPv6 there is the problem that AAAH and AAAL communicate over RADIUS; reference [2] proposes NAT-PT to carry IPv4 packets through the IPv6 network, but with this mechanism the system becomes unstable.
The system in [6] works under MIPv6 and uses the netfilter framework of the Linux operating system to implement the authentication, authorization and billing functions of Diameter AAA; it uses IPSec6 to capture the IPv6 stream and then the appropriate AH/ESP processing module to handle it. Although this solution achieves access control and secure communication, it reduces communication efficiency, increases delay and has other bad effects.
Reference [11] extends the RFC 4285 authentication mechanism of Mobile IPv6; it uses a common AAA authentication platform, gives a solution suited to both hierarchical mobile IPv6 and mobile IPv6 authentication, and implements it in software. However, in that solution the preconfigured NAI and key are stored in a file or database as clear text, which provides no data security; the authentication option provides data integrity and authentication, but not confidentiality.
This article gives a new MIPv6-AAA handoff method based on AAA. When the mobile node hands off within the same AAA administrative domain but between different subnets, the authentication process does not need to go through the home domain; when the mobile node hands off between different AAA administrative domains, an MNA is set up to store the related information of the mobile node MN temporarily, so that the registration and authentication process is safe and reliable.
II. RELATED BACKGROUND
A. MIPv6 (Mobile IPv6)
Mobile IPv6 is the improved mobility-support protocol for IPv6. The basic aim of its design is that connections at the transport layer and above do not change when the IP address changes, so that the mobile node can always be reached [3]. Mobile IPv6 includes three parts: the mobile node (MN), the home agent (HA) and the correspondent node (CN). The MN has one permanent IP address, the home address HoA, in its home network. When the MN moves to a foreign network it obtains one temporary address, the care-of address CoA; after that the MN must complete mobile registration with the HA: the MN sends a binding update (BU) message to tell the HA its CoA, and the HA responds to the BU with a binding acknowledgement (BA) message. When the CN communicates with the MN, because it does not know that the MN has moved, it sends data packets with HoA as the destination address; the packets are intercepted by the MN's HA, and the HA tunnels them to the MN in the foreign network. Once the MN realizes that the data came from the CN and was forwarded by the HA, it sends a BU message to the CN giving its current CoA, and from then on the remaining packets for the MN are sent directly to the CoA as the destination address.

This project was supported by the Open Foundation of the Key National Defense Science and Technology Laboratory of Education Ministry in JiLin University (No. 421060701421).
2010 ACADEMY PUBLISHER
AP-PROC-CS-10CN007
ISBN 978-952-5726-10-7
Proceedings of the Third International Symposium on Computer Science and Computational Technology (ISCSCT 10)
Jiaozuo, P. R. China, 14-15 August 2010, pp. 405-408
B. AAA
Authentication, Authorization and Accounting (AAA) is an important mechanism for ensuring network security and the rational use of resources; from the Internet provider's point of view it is the key to keeping the network operating normally. The use of every kind of network resource needs to be managed by AAA. Together, the authentication, authorization and accounting systems let the network accurately record the usage of network resources by a particular user. In this way the rights of legitimate users are effectively safeguarded, and the secure and reliable operation of the network system is protected [4]. The AAA architecture is shown in Fig. 1.
C. The AAA structure in the Mobile IPv6 environment
There are two AAA protocols, the Remote Authentication Dial In User Service (RADIUS) protocol and the Diameter protocol [5]. Currently the Diameter protocol is the most used. Diameter is a protocol stack [6] that includes the base protocol and extension application protocols, such as the mobile IP application (MIP), the Network Access Services application (NASREQ), the multimedia application (IMS), the Extensible Authentication Protocol (EAP) application, the SIP application and so on. The base protocol defines common functions such as the message format and the message transfer mechanism; each application extension extends the base protocol according to the details of that application [7]. The Diameter base protocol must be used together with an application extension, and the mobile IPv6 application extension provides the basic AAA functions for mobile IPv6.
In Diameter authentication based on MIPv6, Mobile IP includes the mobile node MN, the home agent HA, the foreign agent (FA) and other functional entities; in addition it adds the foreign AAA server AAAF and the home AAA server AAAH. The application model is shown in Fig. 2 below.
A management domain is defined according to the region of an AAA server. When the MN hands off between the administrative domains of different AAA servers, it is called an inter-domain handoff; when the MN hands off within the administrative domain of the same AAA server but between different FA subnets, it is called an inner-domain handoff. The following assumptions also hold [7]: (1) the mobile user's identity uses the NAI [8] (Network Access Identifier) as its only identifier; the format of the NAI is user@realm, where realm denotes the administrative domain in which the MN is located; (2) the mobile user and the AAAH share one long-term key; (3) the communication between AAAF and AAAH is secure; (4) all CNs agree on the use of the public key and symmetric key encryption mechanism.
MIPv6-AAA provides a solution for the authentication, authorization, registration, key distribution and other issues of mobile IP, and provides a reliable guarantee for the large-scale deployment of mobile IP. The authentication and registration process is shown in Fig. 3; for the specific message exchange see [9].
In the figure, Attendant is the entrance of the access domain's AAA system, providing and registering the access domain address; AMR (AAA mobile node request) is the mobile node request; HAR (home agent MIPv6 request) is the request to the MIPv6 home agent; HAA (home agent MIPv6 answer) is the MIPv6 home agent's response; AMA (AAA mobile node answer) is the mobile node response; RegRep (registration reply) is the registration response.
Figure 1. The architecture of AAA
Figure 2. The application model of Diameter based on MIPv6
Figure 3. Basic model of authentication and registration process for MIPv6-AAA
III. IMPROVED SOLUTIONS
The basic MIP-AAA infrastructure provides the method for integrating Mobile IP with AAA authentication, but when the mobile node hands off in this model it must complete the mobile IP registration and also complete the user's authentication and authorization by the AAA. Therefore MIP-AAA has more delay in handoff.
If the foreign region is far from the home region, the transmission of messages consumes a long time, and the main delay of the authentication process occurs in the message exchange between the foreign region and the home region. One part of the improved solution is that the authentication process does not go through the home region [10] when the mobile node hands off between different subnets of the same AAA control region. In addition, related data show that in normal movement 69% of movements occur within the same region. Therefore this solution can effectively reduce the handoff delay.
On the other hand, when the mobile node hands off between different AAA administrative domains, the MN must send both an authentication request and a registration request, and in general the two requests receive their responses at the same time. After the registration process is completed the MN can use its new care-of address to receive the data packets forwarded by the HA; at that point the MN's identity address information has changed. If the authentication process then fails or is delayed, the MN must be re-authenticated, which requires the original MN identity address information, but by this time that information has changed, so the authentication cannot be completed. The other part of the improved solution is therefore to set up a new data structure, the mobile node agent (MNA), and to use the MNA to store the related information of the mobile node MN temporarily, so that the registration and authentication process is safe and reliable.
A. The MN handoff analysis inner-domain
When the handoff happens within a domain, the authentication process no longer goes through the home domain. The message flow is shown in Fig. 4.
1) MN → FA: MN sends the registration request message and authentication message to the FA, and the FA judges from the realm value of the NAI whether the MN's handoff took place inside the domain or not;
2) FA → AAAF: FA forwards message 1) to AAAF;
3) After AAAF receives message 2), it verifies the identity of the MN and separates the authentication process from the registration process:
a) AAAF → FA: AAAF sends the authentication response to FA;
b) AAAF → HA: AAAF sends the registration request message to HA;
4) FA → MN: FA forwards the authentication response, and the authentication process is finished. MN can use the resources of the foreign network and enjoy the service provided by FA;
5) HA → FA: after HA receives message 3b), it sends the registration response message directly back to FA;
6) FA → MN: FA forwards the registration response message, and the registration process is finished. MN can use the new care-of address to receive the data packets forwarded by HA.
B. MN handoff analysis inter-domain
When the MN roams to a new administrative domain, only AAAH has the full detailed information of the MN, so the inter-domain handoff must go through the home domain; the registration model is shown in Fig. 5:
1) MN → FA: MN sends the registration request message and authentication message to FA, and the FA judges whether the realm value of the NAI has changed. If it has changed, the inter-domain handoff starts;
2) FA → AAAF: after FA receives message 1), it generates the MNA of the mobile node, sets the legal tag in the original MNA to FALSE, and then sends the authentication request to AAAF;
3) AAAF → AAAH: if AAAF cannot authenticate the MN, it forwards the message to AAAH;
4) AAAH:
a) AAAH → AAAF: after AAAH successfully authenticates the identity of the MN, it sends the authentication response to AAAF;
b) AAAH → HA: AAAH sends the binding update message to HA;
5) AAAF → FA: AAAF receives the authentication response message from AAAH, forwards it to FA and tells the MN that authentication has succeeded;
6) HA → FA: HA sends the binding update confirmation message to FA;
7) FA → MN: FA sends the authentication response and the confirmed binding update to MN, sets the legal tag of the MNA in the registry to TRUE, and notifies the MN that the new mobile node agent MNA has been produced.
Now the authentication process and the registration process are both finished; the MN can use the foreign network resources, enjoy the FA service, and use the new care-of address to receive the data packets forwarded by HA.
Figure 4. Authentication and handoff process for home network
Figure 5. Authentication and handoff process for home network
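To make the two flows of Sections III.A and III.B concrete, the following Python model is an added example and is not code from the paper. The message labels, the aaaf_ok/aaah_ok callbacks standing in for the AAA servers' decisions, and the sample NAI and addresses are constructed assumptions; the realm comparison, the AAAF-only path for inner-domain handoff, and the MNA legal tag going FALSE before AAAH is consulted and TRUE only at step 7 follow the text.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class MNA:
    """Mobile node agent: the FA's temporary copy of the MN's identity info."""
    nai: str             # user@realm, the MN's only identifier (assumption 1)
    hoa: str             # home address
    coa: str             # care-of address in the current subnet
    legal: bool = False  # the paper's "legal tag"

def realm_of(nai: str) -> str:
    return nai.split("@", 1)[1]

def handoff_type(nai: str, fa_realm: str) -> str:
    """Step 1 of both flows: FA compares the NAI realm with its own domain."""
    return "inner-domain" if realm_of(nai) == fa_realm else "inter-domain"

def inner_domain_handoff(nai: str, aaaf_ok: Callable[[str], bool]) -> Tuple[List[str], bool]:
    """Section III.A: AAAF verifies the MN itself and splits authentication
    from registration; AAAH is never contacted."""
    trace = ["MN->FA: RegReq+Auth", "FA->AAAF: forward"]
    if not aaaf_ok(nai):
        return trace + ["AAAF->FA: auth reject"], False
    trace += ["AAAF->FA: auth reply", "AAAF->HA: RegReq",
              "FA->MN: auth reply", "HA->FA: RegRep", "FA->MN: RegRep"]
    return trace, True

def inter_domain_handoff(registry: Dict[str, MNA], nai: str, new_coa: str,
                         aaah_ok: Callable[[str], bool]) -> List[str]:
    """Section III.B: FA creates a new MNA before asking AAAH and keeps the old
    one (legal=False), so a failed or delayed authentication can be retried
    with the original identity information instead of the changed one."""
    old = registry[nai]
    new = MNA(nai, old.hoa, new_coa)    # step 2: generate MNA, old tag -> FALSE
    old.legal = False
    trace = ["MN->FA: RegReq+Auth", "FA->AAAF: AMR", "AAAF->AAAH: AMR"]
    if not aaah_ok(nai):
        # registry still holds the old MNA (original HoA/CoA) for re-authentication
        return trace + ["AAAH->AAAF: auth reject", "AAAF->FA: auth reject"]
    trace += ["AAAH->AAAF: AMA", "AAAH->HA: BU", "AAAF->FA: AMA",
              "HA->FA: BA", "FA->MN: AMA+BA"]
    new.legal = True                    # step 7: legal tag of the new MNA -> TRUE
    registry[nai] = new
    return trace

if __name__ == "__main__":  # constructed sample: alice's home realm is realm-a, roaming into realm-b
    reg = {"alice@realm-a.example": MNA("alice@realm-a.example", "2001:db8::1", "2001:db8:a::1", True)}
    print(handoff_type("alice@realm-a.example", "realm-b.example"), inter_domain_handoff(reg, "alice@realm-a.example", "2001:db8:b::1", lambda n: True))
```

The failure branch is the case the paper's MNA is meant to cover: the registry entry is untouched, so a retry still sees the original addresses rather than the half-updated ones.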
IV. CONCLUSION
In this solution, when the mobile node hands off within a domain, the authentication process does not go through the home domain: after AAAF authenticates the MN's identity it replies directly to FA, which removes the transmission and processing time of the messages going to and from the home domain and greatly increases the handoff speed. When the handoff happens between domains, the MNA of the mobile node is set up to keep the original information of the MN temporarily in case it is needed, which guarantees that the handoff process is safe and reliable.
The next stage of work: this solution does not provide any security for the inner-domain handoff process, and for the inter-domain handoff the data integrity and authentication of the newly configured MNA data structure need to be improved; all of these still need improvement.
REFERENCES
[1] W. S. Xiao, Y. J. Zang, and Z. C. Li, "Hierarchical AAA in mobile IPv6 networks," Journal on Communications, vol. 27, Feb. 2006, pp. 50-55.
[2] R. I. Chen, R. C. Wang, and H. C. Chao, "Mobile IPv6 and AAA architecture based on WLAN," Proc. of the 2004 International Symposium on Applications and the Internet Workshops, 2004.
[3] G. M. Wang, "Security Issues and Solutions on IPv6 Mobile," Journal of University of Electronic Science and Technology of China, vol. 36, Dec. 2007, pp. 1417-1419.
[4] P. Chen and J. G. Yu, "Access authentication in MIPv6 based on hierarchical AAA," Journal of Network Security Technology and Application, May 2009, pp. 32-35.
[5] C. Rigney, A. Rubens, and S. Willens, "Remote authentication dial in user service (RADIUS)," RFC 2865, Jun. 2000.
[6] Z. P. Lan, F. L. Jin, and Z. S. Wang, "Study on AAA and security system based on MIPv6," Computer Engineering and Design, vol. 30, Mar. 2009, pp. 3778-3779.
[7] T. Lin, D. Tang, Y. Zhang, H. B. Zhao, and Z. Q. Hou, "Research and implementation of mobile IPv6 fast handoff with AAA functions," Mini-Micro Systems, vol. 26, Jul. 2007, pp. 1125-1129.
[8] Aboba and Beadles, "The network access identifier," RFC 2486, Jan. 1999.
[9] M. Cappiello, A. Floris, and L. Veltri, "Mobility amongst heterogeneous networks with AAA support," Proc. IEEE International Conference on Communications, 2002, pp. 2064-2069.
[10] D. Ma, D. K. He, Y. Zheng, and W. F. Zhang, "A fast authentication and registration scheme for AAA-based Mobile IP," Journal of the China Railway Society, vol. 30, Feb. 2008, pp. 98-103.
[11] H. Chen, H. C. Zhou, Y. J. Qin, and S. D. Zhang, "Design and implementation of hierarchical mobile IPv6 authentication based on NAI," Computer Engineering and Applications, vol. 43, 2007, pp. 125-128.