

A Handoff Method Based on AAA for MIPv6

Jia Zong-pu 1, Zhang Jing 2

1 Computer Science and Technology Department, He Nan Polytechnic University, Jiao Zuo, China. Email: [email protected]
2 Computer Science and Technology Department, He Nan Polytechnic University, Jiao Zuo, China. Email: [email protected]

Abstract: In an era of steadily growing commercial demand, the Mobile IP protocol combined with AAA (Authentication, Authorization and Accounting) technology is widely used to solve authentication, authorization and billing issues. However, compared with a plain Mobile IP handoff protocol, the MIPv6-AAA model must also complete AAA user authentication and authorization during the handoff, so it generates more handoff delay and also has security issues. This article therefore gives a new MIPv6 handoff method: when the MN hands off within a domain (inner-domain), authentication by the home domain is not needed, which reduces the handoff time; when it hands off between domains (inter-domain), a mobile node agent (MNA) is set up to save the original MN information temporarily, which avoids failure of the registration process and increases security. This solution optimizes the MIPv6-AAA model by improving these two areas.

Index Terms: MIPv6, AAA, handoff, MN, agent

I. INTRODUCTION

As computer and communication technologies have developed, people demand more and more from network services. The traditional fixed-access Internet mode cannot meet this demand; people need wireless Internet services. The Mobile IP protocol can be combined with any link-layer technology and supports vertical handoff, so users can keep accessing the network while they are moving; it is considered the best solution to the mobility problem at the network layer. Currently the number of mobile users is growing on a large scale, and the Internet is also becoming popular for business applications. For this reason the IETF (Internet Engineering Task Force) combined AAA (Authentication, Authorization and Accounting) with Mobile IP technology, focusing on the user's authentication, authorization and accounting issues, to provide the security Mobile IP needs for large-scale commercial use.

At present there is much research on combining AAA with Mobile IP. Reference [1] describes a solution that designs the layered structure and places its facilities, gives the normalized process of AAA certification and MIPv6 registration and the process of establishing a local SA for authentication, and compares it with existing solutions, pointing out its advantages. From the performance analysis we can see that the MN's movement characteristics are the important parameter affecting performance. But this solution does not consider how to use the mobile handoff rate, dwell time and other parameters to describe the MN's movement characteristics and guide the AAA structure toward layered, dynamic adjustment.

Reference [2] gives a structure combining Mobile IPv6 with AAA based on WLAN, using RADIUS as the AAA protocol. But RADIUS only supports IPv4, so under MIPv6 there is a problem when the AAAH and AAAL use RADIUS to communicate. Reference [2] proposes NAT-PT to solve the problem of transmitting IPv4 packets through an IPv6 network, but with this mechanism the system becomes unstable.

The system in [6] works under MIPv6: it uses the netfilter structure of the Linux operating system to implement the authentication, authorization and billing functions of Diameter AAA, uses IPSec6 to capture IPv6 streams, and then processes them with the appropriate AH/ESP module. Although this solution realizes access control and secure communication, it reduces communication efficiency, increases delay, and has other adverse effects.

Reference [11] extends the RFC 4285 authentication mechanism of Mobile IPv6, uses a common AAA authentication platform, gives a solution suited to hierarchical Mobile IPv6 and Mobile IPv6 authentication, and implements it in software. However, in that solution the preconfigured NAI and key are stored in a file or database as clear text, which provides no data security; the authentication option provides data integrity and authentication but not confidentiality.

This article gives a new MIPv6-AAA handoff method based on AAA. In this solution, when the mobile node hands off within the same AAA administrative domain but between different subnets, the authentication process does not need to go through the home domain; when the mobile node hands off between different AAA administrative domains, an MNA is set up to temporarily store the related information of the mobile node MN, in order to make the registration and authentication process safe and reliable.

This project was supported by the Open Foundation of the Key National Defense Science and Technology Laboratory of Education Ministry in JiLin University (No. 421060701421).

2010 ACADEMY PUBLISHER, AP-PROC-CS-10CN007, ISBN 978-952-5726-10-7
Proceedings of the Third International Symposium on Computer Science and Computational Technology (ISCSCT 10), Jiaozuo, P. R. China, 14-15 August 2010, pp. 405-408

II. RELATED BACKGROUND

A. MIPv6 (Mobile IPv6)

Mobile IPv6 is the improved mobility-support protocol for IPv6. The basic aim of its design is that connections at the transport layer and above are not changed when the IP address changes, so the mobile node can always be reached by the user [3]. Mobile IPv6 includes three parts: the mobile node (MN), the home agent (HA) and the correspondent node (CN). The MN has one permanent IP address, the home address (HoA), in its home network. When the MN moves to a foreign network it obtains a temporary care-of address (CoA); the MN then needs to complete mobile registration with the HA: it sends a binding update (BU) message to tell the HA its CoA, and the HA responds to the BU with a binding acknowledgement (BA) message. When a CN communicates with the MN, it does not know that the MN has moved, so it sends data packets to the HoA as the destination address; the packets are intercepted by the MN's HA, which tunnels them to the MN in the foreign network. Once the MN realizes that the data came from the CN and was forwarded by the HA, it sends a BU message to the CN telling it the current CoA; after this the remaining packets for the MN are sent directly to the CoA as the destination address.

B. AAA

Authentication, Authorization and Accounting (AAA) is an important mechanism for ensuring network security and the rational use of resources; from the Internet provider's point of view in particular, it is the key to ensuring the normal operation of the network. The use of all kinds of network resources needs to be managed by AAA. Together, the authentication, authorization and accounting system lets the network accurately record the usage of network resources by a particular user. In this way it can effectively safeguard the rights of legitimate users and also protect the security and reliability of the network system's operation [4]. The AAA architecture is shown in Fig. 1.

C. The AAA structure under the Mobile IPv6 environment

There are two AAA protocols: the Remote Authentication Dial In User Service (RADIUS) protocol and the Diameter protocol [5]. Currently the Diameter protocol is the most used. Diameter is a protocol stack [6] that includes the base protocol and extension application protocols, such as the Mobile IP application (MIP), the Network Access Services application (NASREQ), the multimedia application (IMS), the Extensible Authentication Protocol (EAP) application, the SIP application and so on. The base protocol defines common functions such as the message format and the message transfer mechanism; each application extension extends the base protocol according to the application's details [7]. The base Diameter protocol must be used together with an extension application, and its Mobile IPv6 extension application provides the basic AAA functions for Mobile IPv6.

In Diameter authentication based on MIPv6, the Mobile IP model includes the mobile node MN, the home agent HA, the foreign agent (FA) and other functional entities; in addition it adds the foreign AAA server (AAAF) and the home AAA server (AAAH). The application model is shown in Fig. 2 below.

The management domain is defined according to the region of an AAA server. When the MN hands off between the administrative domains of different AAA servers, it is called an inter-domain handoff; when the MN hands off within the same AAA server's administrative domain but between different FA subnets, it is called an inner-domain handoff. The following assumptions also hold [7]: (1) the mobile user's identity uses the NAI [8] (Network Access Identifier) as its only sign; the NAI format is user@realm, where realm presents the administrative domain in which the MN is located; (2) the mobile user and the AAAH share one long-term key; (3) the communication between the AAAF and the AAAH is secure; (4) all CNs agree on the use of the public-key and symmetric-key encryption mechanisms.

MIPv6-AAA provides a solution for the authentication, authorization, registration, key distribution and other issues of Mobile IP, and provides a reliable guarantee for the large-scale deployment of Mobile IP. The authentication and registration process is shown in Fig. 3; for the specific message exchange description see [9].

Among these, the Attendant is the entrance to the access domain's AAA system, which provides and registers the access domain address; AMR (AAA mobile node request): mobile node request; HAR (home agent MIPv6 request): request to the MIPv6 home agent; HAA (home agent MIPv6 answer): MIPv6 home agent response; AMA (AAA mobile node answer): mobile node response; RegRep (registration reply): registration response.

Figure 1. The architecture of AAA
Figure 2. The application model of Diameter based on MIPv6
Figure 3. Basic model of authentication and registration process for MIPv6-AAA

III. IMPROVED SOLUTIONS

The basic MIP-AAA infrastructure provides a method of integrating Mobile IP with AAA authentication, but when the mobile node hands off in this model it must complete Mobile IP registration and also complete user authentication and authorization by the AAA. Therefore MIP-AAA has more delay in handoff.

If the foreign domain is far from the home domain, message transmission takes a long time, and the main delay of the authentication process lies in the message exchange between the foreign domain and the home domain. One part of the improved solution is that the authentication process does not go through the home domain [10] when the mobile node hands off between different subnets of the same AAA-controlled domain. In addition, related data shows that in normal movement 69% of movements occur within the same domain. Therefore this solution can effectively reduce the handoff delay.

On the other hand, when the mobile node hands off between different AAA administrative domains, the MN needs to send both an authentication request and a registration request. In general the two requests should receive responses at the same time. After the registration process completes, the MN can use the new care-of address to receive data packets forwarded by the HA, and at this point the MN's identity and address information has changed. If the authentication process then suffers an error or delay, the MN must be re-authenticated, which requires the MN's original identity and address information; but that information has already changed, so the authentication cannot complete. The other part of this improved solution is therefore to set up a new data structure, the mobile node agent (MNA), and use it to temporarily store the related information of the mobile node MN, which guarantees that the registration and authentication process is safe and reliable.

A. The MN handoff analysis inner-domain

When the handoff happens within a domain, the authentication process no longer goes through the home domain. The message flow is shown in Fig. 4.

1) MN → FA: The MN sends the registration request message and the certification message to the FA, which judges by the realm value of the NAI whether the MN's handoff took place inside the domain;
2) FA → AAAF: The FA forwards message 1) to the AAAF;
3) After the AAAF receives message 2), it verifies the identity of the MN and separates the authentication process from the registration process:
 a) AAAF → FA: the AAAF sends the authentication response to the FA;
 b) AAAF → HA: the AAAF sends the registration request message to the HA;
4) FA → MN: The FA forwards the authentication response, and the authentication process is finished. The MN can use the resources of the foreign network and enjoy the services provided by the FA;
5) HA → FA: After the HA receives message 3b), it returns the registration response message directly to the FA;
6) FA → MN: The FA forwards the registration response message, and the registration process is finished. The MN can use the new care-of address to receive data packets forwarded by the HA.

B. MN Handoff Analysis Inter-domain

When the MN roams to a new administrative domain, only the AAAH has the full information about the MN, so the inter-domain handoff process must go through the home domain. The registration model is shown in Fig. 5:

1) MN → FA: The MN sends the registration request message and the authentication message to the FA, which judges whether the realm value of the NAI has changed. If it has changed, the inter-domain handoff starts;
2) FA → AAAF: After the FA receives message 1), it generates the MNA for the mobile node, sets the legal tag in the original MNA to FALSE, and then sends the authentication request to the AAAF;
3) AAAF → AAAH: If the AAAF cannot authenticate the MN, it forwards the message to the AAAH;
4) AAAH:
 a) AAAH → AAAF: after the AAAH successfully authenticates the identity of the MN, it sends the authentication response to the AAAF;
 b) AAAH → HA: the AAAH sends the binding update message to the HA;
5) AAAF → FA: The AAAF receives the authentication response message from the AAAH, forwards it to the FA and tells the MN that authentication has succeeded;
6) HA → FA: The HA sends the binding update confirmation message to the FA;
7) FA → MN: The FA sends the authentication response and the confirmed binding update to the MN, sets the legal tag of the MNA in the registry to TRUE, and notifies the MN that the new mobile node agent MNA has been produced.

Now the authentication process and the registration process have both finished; the MN can use the foreign network resources, enjoy the FA's services, and use the new care-of address to receive data packets forwarded by the HA.

Figure 4. Authentication and handoff process for home network
Figure 5. Authentication and handoff process for home network
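As an added example that is not part of the paper, the two message flows of Sections III.A and III.B as a constructed Python simulation. Entity names, NAIs, addresses and shared keys are invented; the MN's authentication message is modelled as an HMAC under the key it shares with the AAAH (assumption (2) of Section II.C), and the AAAF's ability to verify a user locally is modelled as a cache filled by an earlier home-domain authentication, which the paper leaves unspecified.

```python
import hmac
def new_net(aaah_keys):
    """Constructed state: AAAH keys, AAAF local cache (assumed), FA MNA registry, HA bindings, trace."""
    return {"aaah": aaah_keys, "aaaf": {}, "mna": {}, "bind": {}, "trace": []}

def split_nai(nai):
    """NAI is user@realm; the realm names the AAA administrative domain (Sec. II.C)."""
    user, sep, realm = nai.partition("@")
    if not (sep and user and realm):
        raise ValueError(f"malformed NAI {nai!r}")
    return user, realm

def auth_tag(key, nai, coa):
    return hmac.new(key, f"{nai}|{coa}".encode(), "sha256").hexdigest()

def handoff(net, nai, hoa, coa, key):
    """Run the Sec. III.A or III.B flow for one handoff; return (flow, succeeded)."""
    log = lambda s, d, m: net["trace"].append(f"{s}->{d} {m}")
    user, realm = split_nai(nai)
    tag = auth_tag(key, nai, coa)                       # MN's authentication message
    log("MN", "FA", f"RegReq+Auth {nai} {coa}")         # step 1
    old = net["mna"].get(hoa)                           # MNA keyed by the permanent HoA
    if old and split_nai(old["nai"])[1] == realm:       # realm unchanged: inner-domain (III.A)
        log("FA", "AAAF", "AMR")                        # 2
        if not hmac.compare_digest(auth_tag(net["aaaf"].get(user, b""), nai, coa), tag):
            log("AAAF", "FA", "AMA(fail)"); log("FA", "MN", "AMA(fail)")
            return "inner", False
        log("AAAF", "FA", "AMA(ok)"); log("AAAF", "HA", "HAR")   # 3a, 3b: no AAAH round trip
        log("FA", "MN", "AMA(ok)")                      # 4: MN may use FA services now
        net["bind"][hoa] = coa
        log("HA", "FA", "RegRep"); log("FA", "MN", "RegRep")     # 5, 6
        old["coa"] = coa
        return "inner", True
    # Realm changed: inter-domain (III.B). The new MNA is not legal until step 7; the
    # original one is marked not legal but kept, so its state survives a failed authentication.
    new = {"nai": nai, "hoa": hoa, "coa": coa, "legal": False}
    if old:
        old["legal"] = False
    log("FA", "AAAF", "AMR"); log("AAAF", "AAAH", "AMR")         # 2, 3: AAAF cannot verify
    k = net["aaah"].get(user)
    if k is None or not hmac.compare_digest(auth_tag(k, nai, coa), tag):
        for s, d in (("AAAH", "AAAF"), ("AAAF", "FA"), ("FA", "MN")):
            log(s, d, "AMA(fail)")
        if old:
            old["legal"] = True                         # assumed: original MNA usable for re-authentication
        return "inter", False
    log("AAAH", "AAAF", "AMA(ok)"); log("AAAH", "HA", "HAR binding update")   # 4a, 4b
    log("AAAF", "FA", "AMA(ok)")                        # 5
    net["bind"][hoa] = coa
    log("HA", "FA", "HAA binding ack")                  # 6
    log("FA", "MN", "AMA(ok)+BA, new MNA")              # 7
    net["mna"][hoa] = new; new["legal"] = True          # 7: the new MNA becomes the legal one
    net["aaaf"][user] = k                               # assumed: lets later inner-domain handoffs stay local
    return "inter", True
```

Running a first entry into a domain, a subnet move inside it, and a move to a second domain shows in the trace that only the inter-domain cases involve the AAAH, and that a failed inter-domain authentication leaves the original MNA's address information and legal tag intact.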

IV. CONCLUSION

In this solution, when the mobile node's handoff happens within a domain, the authentication process does not go through the home domain: after the AAAF authenticates the MN's identity it replies directly to the FA, which removes the message transmission and processing time of the round trip to the home domain and greatly increases the handoff speed. When the handoff happens between domains, the MNA set up for the mobile node temporarily keeps the MN's original information in case it is needed, which guarantees that the handoff process is safe and reliable.

The next stage is as follows: this solution does not provide any security for the inner-domain handoff process, and for the inter-domain handoff the data integrity and authentication of the configuration of the new data structure MNA need to be improved. All of these need improvement.

REFERENCES

[1] W. S. Xiao, Y. J. Zang, and Z. C. Li, "Hierarchical AAA in mobile IPv6 networks," Journal on Communications, vol. 27, Feb. 2006, pp. 50-55.
[2] R. I. Chen, R. C. Wang, and H. C. Chao, "Mobile IPv6 and AAA architecture based on WLAN," Proc. of the 2004 International Symposium on Applications and the Internet Workshops, 2004.
[3] G. M. Wang, "Security Issues and Solutions on IPv6 Mobile," Journal of University of Electronic Science and Technology of China, vol. 36, Dec. 2007, pp. 1417-1419.
[4] P. Chen and J. G. Yu, "Access authentication in MIPv6 based on hierarchical AAA," Journal of Network Security Technology and Application, May 2009, pp. 32-35.
[5] C. Rigney, A. Rubens, and S. Willens, "Remote authentication dial in user service (RADIUS)," RFC 2865, Jun. 2000.
[6] Z. P. Lan, F. L. Jin, and Z. S. Wang, "Study on AAA and security system based on MIPv6," Computer Engineering and Design, vol. 30, Mar. 2009, pp. 3778-3779.
[7] T. Lin, D. Tang, Y. Zhang, H. B. Zhao, and Z. Q. Hou, "Research and implementation of mobile IPv6 fast handoff with AAA functions," Mini-Micro Systems, vol. 26, Jul. 2007, pp. 1125-1129.
[8] Aboba and Beadles, "The network access identifier," RFC 2486, Jan. 1999.
[9] M. Cappiello, A. Floris, and L. Veltri, "Mobility amongst heterogeneous networks with AAA support," Proc. IEEE International Conference on Communications, 2002, pp. 2064-2069.
[10] D. Ma, D. K. He, Y. Zheng, and W. F. Zhang, "A fast authentication and registration scheme for AAA-based Mobile IP," Journal of the China Railway Society, vol. 30, Feb. 2008, pp. 98-103.
[11] H. Chen, H. C. Zhou, Y. J. Qin, and S. D. Zhang, "Design and implementation of hierarchical mobile IPv6 authentication based on NAI," Computer Engineering and Applications, vol. 43, 2007, pp. 125-128.