Internet Research Task Force (IRTF) A. Dutta, Ed.
Request for Comments: 6252 V. Fajardo
Category: Informational NIKSUN
ISSN: 2070-1721 Y. Ohba
K. Taniuchi
Toshiba
H. Schulzrinne
Columbia Univ.
June 2011
Internet Research Task Force (IRTF) A. Dutta, Ed.
Request for Comments: 6252 V. Fajardo
Category: Informational NIKSUN
ISSN: 2070-1721 Y. Ohba
K. Taniuchi
Toshiba
H. Schulzrinne
Columbia Univ.
June 2011
A Framework of Media-Independent Pre-Authentication (MPA) for Inter-Domain Handover Optimization
一种用于域间切换优化的媒体无关预认证(MPA)框架
Abstract
摘要
This document describes Media-independent Pre-Authentication (MPA), a new handover optimization mechanism that addresses the issues on existing mobility management protocols and mobility optimization mechanisms to support inter-domain handover. MPA is a mobile-assisted, secure handover optimization scheme that works over any link layer and with any mobility management protocol, and is most applicable to supporting optimization during inter-domain handover. MPA's pre-authentication, pre-configuration, and proactive handover techniques allow many of the handoff-related operations to take place before the mobile node has moved to the new network. We describe the details of all the associated techniques and their applicability for different scenarios involving various mobility protocols during inter-domain handover. We have implemented the MPA mechanism for various network-layer and application-layer mobility protocols, and we report a summary of experimental performance results in this document.
本文档描述了媒体独立预认证(MPA),这是一种新的切换优化机制,解决了现有移动性管理协议和支持域间切换的移动性优化机制的问题。MPA是一种移动辅助的安全切换优化方案,可在任何链路层和任何移动性管理协议上工作,最适用于支持域间切换期间的优化。MPA的预认证、预配置和主动切换技术允许在移动节点移动到新网络之前进行许多与切换相关的操作。我们描述了所有相关技术的细节及其在域间切换期间对涉及各种移动协议的不同场景的适用性。我们已经为各种网络层和应用层移动协议实现了MPA机制,并在本文中报告了实验性能结果的摘要。
This document is a product of the IP Mobility Optimizations (MOBOPTS) Research Group.
本文档是IP移动性优化(MOBOPTS)研究组的产品。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Research Task Force (IRTF). The IRTF publishes the results of Internet-related research and development activities. These results might not be suitable for deployment. This RFC represents the consensus of the MOBOPTS Research Group of the Internet Research Task Force (IRTF). Documents approved for publication by the IRSG are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文件是互联网研究工作组(IRTF)的产品。IRTF发布互联网相关研究和开发活动的结果。这些结果可能不适合部署。本RFC代表了互联网研究工作组(IRTF)MOBOPTS研究小组的共识。IRSG批准发布的文件不适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6252.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6252.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。
Table of Contents
目录
1. Introduction ....................................................3
1.1. Specification of Requirements ..............................5
1.2. Performance Requirements ...................................5
2. Terminology .....................................................7
3. Handover Taxonomy ...............................................7
4. Related Work ...................................................11
5. Applicability of MPA ...........................................12
6. MPA Framework ..................................................13
6.1. Overview ..................................................13
6.2. Functional Elements .......................................14
6.3. Basic Communication Flow ..................................16
7. MPA Operations .................................................20
7.1. Discovery .................................................21
7.2. Pre-Authentication in Multiple-CTN Environment ............22
7.3. Proactive IP Address Acquisition ..........................23
7.3.1. PANA-Assisted Proactive IP Address Acquisition .....24
7.3.2. IKEv2-Assisted Proactive IP Address Acquisition ....24
7.3.3. Proactive IP Address Acquisition Using
DHCPv4 Only ........................................24
7.3.4. Proactive IP Address Acquisition Using Stateless
Autoconfiguration ..................................26
7.4. Tunnel Management .........................................26
7.5. Binding Update ............................................28
7.6. Preventing Packet Loss ....................................29
7.6.1. Packet Loss Prevention in Single-Interface MPA .....29
7.6.2. Preventing Packet Losses for Multiple Interfaces ...29
7.6.3. Reachability Test ..................................30
1. Introduction ....................................................3
1.1. Specification of Requirements ..............................5
1.2. Performance Requirements ...................................5
2. Terminology .....................................................7
3. Handover Taxonomy ...............................................7
4. Related Work ...................................................11
5. Applicability of MPA ...........................................12
6. MPA Framework ..................................................13
6.1. Overview ..................................................13
6.2. Functional Elements .......................................14
6.3. Basic Communication Flow ..................................16
7. MPA Operations .................................................20
7.1. Discovery .................................................21
7.2. Pre-Authentication in Multiple-CTN Environment ............22
7.3. Proactive IP Address Acquisition ..........................23
7.3.1. PANA-Assisted Proactive IP Address Acquisition .....24
7.3.2. IKEv2-Assisted Proactive IP Address Acquisition ....24
7.3.3. Proactive IP Address Acquisition Using
DHCPv4 Only ........................................24
7.3.4. Proactive IP Address Acquisition Using Stateless
Autoconfiguration ..................................26
7.4. Tunnel Management .........................................26
7.5. Binding Update ............................................28
7.6. Preventing Packet Loss ....................................29
7.6.1. Packet Loss Prevention in Single-Interface MPA .....29
7.6.2. Preventing Packet Losses for Multiple Interfaces ...29
7.6.3. Reachability Test ..................................30
7.7. Security and Mobility .....................................31
7.7.1. Link-Layer Security and Mobility ...................31
7.7.2. IP-Layer Security and Mobility .....................32
7.8. Authentication in Initial Network Attachment ..............33
8. Security Considerations ........................................33
9. Acknowledgments ................................................34
10. References ....................................................34
10.1. Normative References .....................................34
10.2. Informative References ...................................36
Appendix A. Proactive Duplicate Address Detection .................40
Appendix B. Address Resolution ....................................41
Appendix C. MPA Deployment Issues .................................42
C.1. Considerations for Failed Switching and Switch-Back ........42
C.2. Authentication State Management ............................43
C.3. Pre-Allocation of QoS Resources ............................44
C.4. Resource Allocation Issue during Pre-Authentication ........45
C.5. Systems Evaluation and Performance Results .................47
C.5.1. Intra-Technology, Intra-Domain .........................47
C.5.2. Inter-Technology, Inter-Domain .........................49
C.5.3. MPA-Assisted Layer 2 Pre-Authentication ................49
C.6. Guidelines for Handover Preparation ........................54
7.7. Security and Mobility .....................................31
7.7.1. Link-Layer Security and Mobility ...................31
7.7.2. IP-Layer Security and Mobility .....................32
7.8. Authentication in Initial Network Attachment ..............33
8. Security Considerations ........................................33
9. Acknowledgments ................................................34
10. References ....................................................34
10.1. Normative References .....................................34
10.2. Informative References ...................................36
Appendix A. Proactive Duplicate Address Detection .................40
Appendix B. Address Resolution ....................................41
Appendix C. MPA Deployment Issues .................................42
C.1. Considerations for Failed Switching and Switch-Back ........42
C.2. Authentication State Management ............................43
C.3. Pre-Allocation of QoS Resources ............................44
C.4. Resource Allocation Issue during Pre-Authentication ........45
C.5. Systems Evaluation and Performance Results .................47
C.5.1. Intra-Technology, Intra-Domain .........................47
C.5.2. Inter-Technology, Inter-Domain .........................49
C.5.3. MPA-Assisted Layer 2 Pre-Authentication ................49
C.6. Guidelines for Handover Preparation ........................54
As wireless technologies, including cellular and wireless LANs, are becoming popular, supporting terminal handovers across different types of access networks, such as from a wireless LAN to CDMA or to General Packet Radio Service (GPRS), is considered a clear challenge. On the other hand, supporting seamless terminal handovers between access networks of the same type is still more challenging, especially when the handovers are across IP subnets or administrative domains. To address those challenges, it is important to provide terminal mobility that is agnostic to link-layer technologies in an optimized and secure fashion without incurring unreasonable complexity. In this document, we discuss a framework to support terminal mobility that provides seamless handovers with low latency and low loss. Seamless handovers are characterized in terms of performance requirements as described in Section 1.2. [MPA-WIRELESS] is an accompanying document that describes implementation of a few MPA-based systems, including performance results to show how existing protocols could be leveraged to realize the functionalities of MPA.
随着包括蜂窝和无线局域网在内的无线技术的普及,支持跨不同类型接入网络的终端切换(如从无线局域网到CDMA或通用分组无线业务(GPRS))被认为是一个明显的挑战。另一方面,支持相同类型的接入网络之间的无缝终端切换仍然更具挑战性,尤其是当切换跨越IP子网或管理域时。为了应对这些挑战,重要的是提供终端移动性,这种移动性对于以优化和安全的方式连接层技术来说是不可知的,而不会产生不合理的复杂性。在本文中,我们讨论了一个支持终端移动性的框架,该框架提供了低延迟和低损耗的无缝切换。无缝切换的特点是性能要求,如第1.2节所述。[MPA-WIRELESS]是一份随附文档,描述了一些基于MPA的系统的实现,包括性能结果,以展示如何利用现有协议实现MPA的功能。
Terminal mobility is accomplished by a mobility management protocol that maintains a binding between a locator and an identifier of a mobile node, where the binding is referred to as the mobility binding. The locator of the mobile node may dynamically change when there is a movement of the mobile node. The movement that causes a
终端移动性通过移动性管理协议来实现,该协议维护定位器和移动节点的标识符之间的绑定,其中该绑定被称为移动性绑定。当存在移动节点的移动时,移动节点的定位器可以动态地改变。引起震动的运动
change of the locator may occur when there is a change in attachment point due to physical movement or network change. A mobility management protocol may be defined at any layer. In the rest of this document, the term "mobility management protocol" refers to a mobility management protocol that operates at the network layer or higher.
当由于物理运动或网络变化导致连接点发生变化时,定位器可能发生变化。可以在任何层定义移动性管理协议。在本文档的其余部分中,术语“移动性管理协议”是指在网络层或更高层上运行的移动性管理协议。
There are several mobility management protocols at different layers. Mobile IP [RFC5944] and Mobile IPv6 [RFC3775] are mobility management protocols that operate at the network layer. Similarly, MOBIKE (IKEv2 Mobility and Multihoming) [RFC4555] is an extension to the Internet Key Exchange Protocol (IKEv2) that provides the ability to deal with a change of an IP address of an IKEv2 end-point. There are several ongoing activities in the IETF to define mobility management protocols at layers higher than the network layer. HIP (Host Identity Protocol) [RFC5201] defines a new protocol layer between the network layer and transport layer to provide terminal mobility in a way that is transparent to both the network layer and transport layer. Also, SIP-based mobility is an extension to SIP to maintain the mobility binding of a SIP user agent [SIPMM].
在不同的层上有几种移动性管理协议。移动IP[RFC5944]和移动IPv6[RFC3775]是在网络层运行的移动性管理协议。类似地,MOBIKE(IKEv2移动和多归属)[RFC4555]是互联网密钥交换协议(IKEv2)的扩展,它提供了处理IKEv2端点的IP地址变化的能力。IETF中有几个正在进行的活动,用于在高于网络层的层上定义移动性管理协议。HIP(主机标识协议)[RFC5201]定义了网络层和传输层之间的新协议层,以对网络层和传输层透明的方式提供终端移动性。此外,基于SIP的移动性是SIP的扩展,用于维护SIP用户代理[SIPMM]的移动性绑定。
While mobility management protocols maintain mobility bindings, these cannot provide seamless handover if used in their current form. An additional optimization mechanism is needed to prevent the loss of in-flight packets transmitted during the mobile node's binding update procedure and to achieve seamless handovers. Such a mechanism is referred to as a mobility optimization mechanism. For example, mobility optimization mechanisms for Mobile IPv4 [RFC4881] and Mobile IPv6 [RFC5568] are defined to allow neighboring access routers to communicate and carry information about mobile terminals. There are protocols that are considered as "helpers" of mobility optimization mechanisms. The CARD (Candidate Access Router Discovery) protocol [RFC4066] is designed to discover neighboring access routers. CXTP (Context Transfer Protocol) [RFC4067] is designed to carry state that is associated with the services provided for the mobile node, or context, among access routers. In Section 4, we describe some of the fast-handover schemes that attempt to reduce the handover delay.
虽然移动性管理协议维护移动性绑定,但如果以其当前形式使用,则无法提供无缝切换。需要额外的优化机制来防止在移动节点的绑定更新过程中传输的飞行中数据包的丢失,并实现无缝切换。这种机制被称为移动性优化机制。例如,移动IPv4[RFC4881]和移动IPv6[RFC5568]的移动性优化机制被定义为允许相邻接入路由器通信和携带关于移动终端的信息。有一些协议被认为是移动性优化机制的“助手”。卡(候选接入路由器发现)协议[RFC4066]设计用于发现相邻接入路由器。CXTP(上下文传输协议)[RFC4067]设计用于在接入路由器之间传输与为移动节点或上下文提供的服务相关联的状态。在第4节中,我们描述了一些试图减少切换延迟的快速切换方案。
There are several issues in existing mobility optimization mechanisms. First, existing mobility optimization mechanisms are tightly coupled with specific mobility management protocols. For example, it is not possible to use mobility optimization mechanisms designed for Mobile IPv4 or Mobile IPv6 with MOBIKE. What is strongly desired is a single, unified mobility optimization mechanism that works with any mobility management protocol. Second, there is no existing mobility optimization mechanism that easily supports handovers across administrative domains without assuming a pre-established security association between administrative domains.
现有的移动性优化机制存在几个问题。首先,现有的移动性优化机制与特定的移动性管理协议紧密耦合。例如,不可能在MOBIKE中使用为移动IPv4或移动IPv6设计的移动优化机制。强烈期望的是一个单一、统一的移动优化机制,它可以与任何移动管理协议一起工作。其次,现有的移动性优化机制无法轻松支持跨管理域的切换,而无需假设管理域之间预先建立的安全关联。
A mobility optimization mechanism should work across administrative domains in a secure manner only based on a trust relationship between a mobile node and each administrative domain. Third, a mobility optimization mechanism needs to support not only terminals with multiple interfaces where simultaneous connectivity through multiple interfaces or connectivity through a single interface can be expected, but also terminals with a single interface.
移动优化机制应仅基于移动节点和每个管理域之间的信任关系,以安全的方式跨管理域工作。第三,移动性优化机制不仅需要支持具有多个接口的终端,其中可以预期通过多个接口的同时连接或通过单个接口的连接,还需要支持具有单个接口的终端。
This document describes a framework of Media-independent Pre-Authentication (MPA), a new handover optimization mechanism that addresses all those issues. MPA is a mobile-assisted, secure handover optimization scheme that works over any link layer and with any mobility management protocol, including Mobile IPv4, Mobile IPv6, MOBIKE, HIP, and SIP mobility. In cases of multiple operators without a roaming relationship or without an agreement to participate in a key management scheme, MPA provides a framework that can perform pre-authentication to establish the security mechanisms without assuming a common source of trust. In MPA, the notion of IEEE 802.11i pre-authentication is extended to work at a higher layer, with additional mechanisms to perform early acquisition of an IP address from a network where the mobile node may move, as well as proactive handover to the network while the mobile node is still attached to the current network. Since this document focuses on the MPA framework, it is left to future work to choose the protocols for MPA and define detailed operations. The accompanying document [MPA-WIRELESS] provides one method that describes usage and interactions between existing protocols to accomplish MPA functionality.
本文档描述了媒体独立预认证(MPA)的框架,这是一种解决所有这些问题的新切换优化机制。MPA是一种移动辅助的安全切换优化方案,可在任何链路层和任何移动管理协议上工作,包括移动IPv4、移动IPv6、MOBIKE、HIP和SIP移动。在多个运营商没有漫游关系或没有参与密钥管理方案的协议的情况下,MPA提供了一个框架,可以执行预认证以建立安全机制,而无需假设公共信任源。在MPA中,IEEE 802.11i预认证的概念被扩展到在更高的层上工作,具有额外的机制来执行从移动节点可能移动的网络的IP地址的早期获取,以及在移动节点仍然连接到当前网络时主动切换到网络。由于本文档的重点是MPA框架,因此选择MPA协议并定义详细操作将留待将来的工作。随附文档[MPA-WIRELESS]提供了一种方法,描述了实现MPA功能的现有协议之间的使用和交互。
This document represents the consensus of the IP Mobility Optimizations (MOBOPTS) Research Group. It has been reviewed by Research Group members active in the specific area of work.
本文件代表了IP移动性优化(MOBOPTS)研究小组的共识。它已由活跃于特定工作领域的研究小组成员审查。
In this document, several words are used to signify the requirements of the specification. These words are often capitalized. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
在本文件中,使用了几个词来表示规范的要求。这些词通常大写。本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
In order to provide desirable quality of service for interactive Voice over IP (VoIP) and streaming traffic, one needs to limit the value of end-to-end delay, jitter, and packet loss to a certain threshold level. ITU-T and ITU-E standards define the acceptable values for these parameters. For example, for one-way delay, ITU-T
为了为IP交互式语音(VoIP)和流式通信提供理想的服务质量,需要将端到端延迟、抖动和数据包丢失的值限制在一定的阈值水平。ITU-T和ITU-E标准定义了这些参数的可接受值。例如,对于单向延迟,ITU-T
G.114 [RG98] recommends 150 ms as the upper limit for most of the applications, and 400 ms as generally unacceptable delay. One-way delay tolerance for video conferencing is in the range of 200 to 300 ms [ITU98]. Also, if an out-of-order packet is received after a certain threshold, it is considered lost. According to ETSI TR 101 [ETSI], a normal voice conversation can tolerate up to 2% packet loss. But this is the mean packet loss probability and may be applicable to a scenario when the mobile node is subjected to repeated handoff during a normal conversation. Measurement techniques for delay and jitter are described in [RFC2679], [RFC2680], and [RFC2681].
G.114[RG98]建议将150 ms作为大多数应用的上限,将400 ms作为一般不可接受的延迟。视频会议的单向延迟容差范围为200到300毫秒[ITU98]。此外,如果在某个阈值之后接收到无序数据包,则认为该数据包丢失。根据ETSI TR 101[ETSI],正常的语音对话可以容忍高达2%的数据包丢失。但是,这是平均分组丢失概率,并且可能适用于当移动节点在正常会话期间经受重复切换时的场景。[RFC2679]、[RFC2680]和[RFC2681]中描述了延迟和抖动的测量技术。
In the case of interactive VoIP traffic, end-to-end delay affects the jitter value, and thus is an important issue to consider. An end-to-end delay consists of several components, such as network delay, operating system (OS) delay, codec delay, and application delay. A complete analysis of these delays can be found in [WENYU]. During a mobile node's handover, in-flight transient traffic cannot reach the mobile node because of the associated handover delay. These in-flight packets could either be lost or buffered. If the in-flight packets are lost, this packet loss will contribute to jitter between the last packet before handoff and the first packet after handoff. If these packets are buffered, packet loss is minimized, but there is additional jitter for the in-flight packets when these are flushed after the handoff. Buffering during handoff avoids the packet loss, but at the cost of additional one-way delay. A tradeoff between one-way delay and packet loss is desired based on the type of application. For example, for a streaming application, packet loss can be reduced by increasing the playout buffer, resulting in longer one-way packet delay.
在交互式VoIP业务的情况下,端到端时延影响抖动值,因此是一个需要考虑的重要问题。端到端延迟由几个组件组成,例如网络延迟、操作系统(OS)延迟、编解码器延迟和应用程序延迟。关于这些延迟的完整分析可以在[文语]中找到。在移动节点的切换期间,由于相关的切换延迟,飞行中的瞬时业务无法到达移动节点。这些飞行中的数据包可能丢失或被缓冲。如果飞行中的数据包丢失,该数据包丢失将导致切换前的最后一个数据包和切换后的第一个数据包之间的抖动。如果对这些数据包进行缓冲,数据包丢失将最小化,但在切换后刷新这些数据包时,飞行中的数据包会有额外的抖动。切换期间的缓冲避免了数据包丢失,但代价是额外的单向延迟。根据应用程序的类型,需要在单向延迟和数据包丢失之间进行权衡。例如,对于流应用程序,可以通过增加播放缓冲区来减少数据包丢失,从而导致更长的单向数据包延迟。
The handover delay is attributed to several factors, such as discovery, configuration, authentication, binding update, and media delivery. Many of the security-related procedures, such as handover keying and re-authentication procedures, deal with cases where there is a single source of trust at the top, and the underlying Authentication, Authorization, and Accounting (AAA) domain elements trust the top source of trust and the keys it generates and distributes. In this scenario, there is an appreciable delay in re-establishing link-security-related parameters, such as authentication, link key management, and access authorization during inter-domain handover. The focus of this document is the design of a framework that can reduce the delay due to authentication and other handoff-related operations such as configuration and binding update.
切换延迟归因于多个因素,例如发现、配置、身份验证、绑定更新和媒体交付。许多与安全相关的过程(如切换密钥和重新身份验证过程)都处理这样的情况:在顶部有一个单一的信任源,而底层的身份验证、授权和记帐(AAA)域元素信任顶部的信任源及其生成和分发的密钥。在这种情况下,在域间切换期间重新建立链路安全相关参数(如身份验证、链路密钥管理和访问授权)会有明显的延迟。本文档的重点是设计一个框架,该框架可以减少由于身份验证和其他与切换相关的操作(如配置和绑定更新)而导致的延迟。
Mobility Binding: A binding between a locator and an identifier of a mobile terminal.
移动绑定:移动终端的定位器和标识符之间的绑定。
Mobility Management Protocol (MMP): A protocol that operates at the network layer or above to maintain a binding between a locator and an identifier of a mobile node.
移动性管理协议(MMP):一种在网络层或以上运行的协议,用于维护定位器和移动节点标识符之间的绑定。
Binding Update (BU): A procedure to update a mobility binding.
绑定更新(BU):更新移动绑定的过程。
Media-independent Pre-Authentication Mobile Node (MN): A mobile node using Media-independent Pre-Authentication (MPA). MPA is a mobile-assisted, secure handover optimization scheme that works over any link layer and with any mobility management protocol. An MPA mobile node is an IP node. In this document, the term "mobile node" or "MN" without a modifier refers to "MPA mobile node". An MPA mobile node usually has a functionality of a mobile node of a mobility management protocol as well.
媒体独立预认证移动节点(MN):使用媒体独立预认证(MPA)的移动节点。MPA是一种移动辅助的安全切换优化方案,适用于任何链路层和任何移动性管理协议。MPA移动节点是IP节点。在本文档中,术语“移动节点”或“MN”(不带修饰语)指的是“MPA移动节点”。MPA移动节点通常也具有移动性管理协议的移动节点的功能。
Candidate Target Network (CTN): A network to which the mobile node may move in the near future.
候选目标网络(CTN):移动节点在不久的将来可能移动到的网络。
Target Network (TN): The network to which the mobile node has decided to move. The target network is selected from one or more candidate target networks.
目标网络(TN):移动节点决定移动到的网络。从一个或多个候选目标网络中选择目标网络。
Proactive Handover Tunnel (PHT): A bidirectional IP tunnel [RFC2003] [RFC2473] that is established between the MPA mobile node and an access router of a candidate target network. In this document, the term "tunnel" without a modifier refers to "proactive handover tunnel".
主动切换隧道(PHT):在MPA移动节点和候选目标网络的接入路由器之间建立的双向IP隧道[RFC2003][RFC2473]。在本文件中,术语“隧道”(不带修改器)指“主动切换隧道”。
Point of Attachment (PoA): A link-layer device (e.g., a switch, an access point, or a base station) that functions as a link-layer attachment point for the MPA mobile node to a network.
连接点(PoA):链路层设备(例如,交换机、接入点或基站),用作MPA移动节点到网络的链路层连接点。
Care-of Address (CoA): An IP address used by a mobility management protocol as a locator of the MPA mobile node.
转交地址(CoA):移动性管理协议用作移动节点定位器的IP地址。
Based on the type of movement, type of access network, and underlying mobility support, one can primarily define the handover as inter-technology, intra-technology, inter-domain, and intra-domain. We describe briefly each of these handover processes. However, our focus of the discussion is on inter-domain handover.
基于移动的类型、接入网络的类型和底层移动支持,可以将切换主要定义为技术间、技术内、域间和域内。我们简要描述了每一个切换过程。然而,我们讨论的重点是域间切换。
Inter-technology: A mobile node may be equipped with multiple interfaces, where each interface can support a different access technology (e.g., 802.11, CDMA). A mobile node may communicate with one interface at any time in order to conserve power. During the handover, the mobile node may move out of the footprint of one access technology (e.g., 802.11) and move into the footprint of a different access technology (e.g., CDMA). This will warrant switching of the communicating interface on the mobile node as well. This type of inter-technology handover is often called "vertical handover", since the mobile node moves between two different cell sizes.
内部技术:移动节点可配备多个接口,其中每个接口可支持不同的接入技术(例如,802.11、CDMA)。移动节点可随时与一个接口通信以节省功率。在切换期间,移动节点可以移出一种接入技术(例如,802.11)的覆盖区,并移入另一种接入技术(例如,CDMA)的覆盖区。这也将保证移动节点上通信接口的切换。这种类型的技术间切换通常被称为“垂直切换”,因为移动节点在两个不同的小区大小之间移动。
Intra-technology: An intra-technology handover is defined as when a mobile node moves within the same type of access technology, such as between 802.11[a,b,n] and 802.11 [a,b,n] or between CDMA1XRTT and CDMA1EVDO. In this scenario, a mobile node may be equipped with a single interface (with multiple PHY types of the same technology) or with multiple interfaces. An intra-technology handover may involve intra-subnet or inter-subnet movement and thus may need to change its L3 locator, depending upon the type of movement.
内部技术:技术内切换定义为移动节点在相同类型的接入技术内移动,例如在802.11[a,b,n]和802.11[a,b,n]之间或在CDMA1XRTT和CDMA1EVDO之间移动。在该场景中,移动节点可以配备单个接口(具有相同技术的多个PHY类型)或多个接口。技术内切换可能涉及子网内或子网间移动,因此可能需要根据移动类型更改其L3定位器。
Inter-domain: A domain can be defined in several ways. But for the purposes of roaming, we define "domain" as an administrative domain that consists of networks managed by a single administrative entity that authenticates and authorizes a mobile node for accessing the networks. An administrative entity may be a service provider, an enterprise, or any organization. Thus, an inter-domain handover will by default be subjected to inter-subnet handover, and in addition it may be subjected to either inter-technology or intra-technology handover. A mobile node is subjected to inter-subnet handover when it moves from one subnet (broadcast domain) to another subnet (broadcast domain). Inter-domain handover will be subjected to all the transition steps a subnet handover goes through, and it will be subjected to authentication and authorization processes as well. It is also likely that the type of mobility support in each administrative domain will be different. For example, administrative domain A may have Mobile IP version 6 (MIPv6) support, while administrative domain B may use Proxy MIPv6 [RFC5213].
域间:可以用几种方式定义域。但出于漫游的目的,我们将“域”定义为由单个管理实体管理的网络组成的管理域,该管理实体对用于访问网络的移动节点进行身份验证和授权。行政实体可以是服务提供商、企业或任何组织。因此,域间切换在默认情况下将经受子网间切换,此外,它可以经受技术间切换或技术内切换。当移动节点从一个子网(广播域)移动到另一个子网(广播域)时,将进行子网间切换。域间切换将经历子网切换所经历的所有转换步骤,并且还将经历身份验证和授权过程。每个行政领域的流动支持类型也可能不同。例如,管理域A可能支持移动IP版本6(MIPv6),而管理域B可能使用代理MIPv6[RFC5213]。
Intra-domain: When a mobile node's movement is confined to movement within an administrative domain, it is called "intra-domain movement". An intra-domain movement may involve intra-subnet, inter-subnet, intra-technology, and inter-technology as well.
域内:当移动节点的移动仅限于管理域内的移动时,称为“域内移动”。域内移动也可能涉及子网内、子网间、技术内和技术间。
Both inter-domain and intra-domain handovers can be subjected to either inter-technology or intra-technology handover based on the network access characteristics. Inter-domain handover requires authorization for acquisition or modification of resources assigned to a mobile node, and the authorization needs interaction with a central authority in a domain. In many cases, an authorization procedure during inter-domain handover follows an authentication procedure that also requires interaction with a central authority in a domain. Thus, security associations between the network entities, such as routers in the neighboring administrative domains, need to be established before any interaction takes place between these entities. Similarly, an inter-domain mobility may involve different mobility protocols, such as MIPv6 and Proxy MIPv6, in each of its domains. In that case, one needs a generalized framework to achieve the optimization during inter-domain handover. Figure 1 shows a typical example of inter-domain mobility involving two domains, domain A and domain B. It illustrates several important components, such as a AAA Home server (AAAH); AAA visited servers (e.g., AAAV1 and AAAV2); an Authentication Agent (AA); a layer 3 point of attachment, such as an Access Router (AR); and a layer 2 point of attachment, such as an Access Point (AP). Any mobile node may be using a specific mobility protocol and associated mobility optimization technique during intra-domain movement in either domain. But the same optimization technique may not be suitable to support inter-domain handover, independent of whether it uses the same or a different mobility protocol in either domain.
域间和域内切换都可以基于网络接入特性进行技术间或技术内切换。域间切换需要授权来获取或修改分配给移动节点的资源,并且授权需要与域中的中央机构交互。在许多情况下,域间切换期间的授权过程遵循身份验证过程,该过程还需要与域中的中央机构进行交互。因此,在这些实体之间发生任何交互之前,需要在网络实体(例如相邻管理域中的路由器)之间建立安全关联。类似地,域间移动可以在其每个域中涉及不同的移动协议,例如MIPv6和代理MIPv6。在这种情况下,需要一个通用的框架来实现域间切换期间的优化。图1显示了涉及两个域(域a和域B)的域间移动的典型示例。它说明了几个重要组件,例如AAA家庭服务器(AAAH);AAA访问的服务器(如AAAV1和AAAV2);认证代理(AA);第3层连接点,如接入路由器(AR);以及第2层连接点,例如接入点(AP)。任何移动节点都可以在任一域中的域内移动期间使用特定的移动协议和相关联的移动优化技术。但同一优化技术可能不适合支持域间切换,这与它在任一域中使用相同或不同的移动协议无关。
+-----------------------------+
| +--------+ |
| | | |
| | AAAH ------------------|
| | | | |
| +|-------+ | |
| | | |
| | Home Domain | |
| | | |
+-------|---------------------+ |
| |
| |
| |
+----------------------------|---------+ +-------------|------------+
| Domain A | | | Domain B | |
| | | | +|-------+ |
| +-------|+ | | +-----+ | | |
| | | | | | ------ AAAV2 | |
| | AAAV1 | | | | AA | | | |
| +-------------- | | | +|----+ +--------+ |
| | | +--------+ | | | |
| |AA | | | |--- ---- |
| +--|--+ | | / \ / \ |
| | /----\ | || AR |-----| AR | |
| -|-- / \ | | \ / \ / |
| / \ | AR | | | -|-- --|- |
| | AR ----------- / | |+--|---+ +------|------+ |
| \ / \--|-/ | || AP4 | | L2 Switch | |
| -/-- +-----|------+ | || | +-|---------|-+ |
| / | L2 Switch | | |+------+ | | |
| / +-|-------|--+ | | +---|--+ +----|-+ |
| +----/-+ +----|-+ +-|----+ | | | | | | |
| | | | | | | | | | AP5 | |AP6 | |
| | AP1 | | AP2 | | AP3 | | | +----|-+ +------+ |
| +------+ +------+ +--|---+ | | | |
+--------------------------------|-----+ +------------ |------------+
--|--------- |
//// \\\\ -----|-----
// +------+ //// +------+ \\\\
| | MN ------------->|MN | \\\
| | | | | | | |
| +------+ | | +------+ |
\\ | // |
\\\\ \\\/ ///
------------ \\\\------------- ////
+-----------------------------+
| +--------+ |
| | | |
| | AAAH ------------------|
| | | | |
| +|-------+ | |
| | | |
| | Home Domain | |
| | | |
+-------|---------------------+ |
| |
| |
| |
+----------------------------|---------+ +-------------|------------+
| Domain A | | | Domain B | |
| | | | +|-------+ |
| +-------|+ | | +-----+ | | |
| | | | | | ------ AAAV2 | |
| | AAAV1 | | | | AA | | | |
| +-------------- | | | +|----+ +--------+ |
| | | +--------+ | | | |
| |AA | | | |--- ---- |
| +--|--+ | | / \ / \ |
| | /----\ | || AR |-----| AR | |
| -|-- / \ | | \ / \ / |
| / \ | AR | | | -|-- --|- |
| | AR ----------- / | |+--|---+ +------|------+ |
| \ / \--|-/ | || AP4 | | L2 Switch | |
| -/-- +-----|------+ | || | +-|---------|-+ |
| / | L2 Switch | | |+------+ | | |
| / +-|-------|--+ | | +---|--+ +----|-+ |
| +----/-+ +----|-+ +-|----+ | | | | | | |
| | | | | | | | | | AP5 | |AP6 | |
| | AP1 | | AP2 | | AP3 | | | +----|-+ +------+ |
| +------+ +------+ +--|---+ | | | |
+--------------------------------|-----+ +------------ |------------+
--|--------- |
//// \\\\ -----|-----
// +------+ //// +------+ \\\\
| | MN ------------->|MN | \\\
| | | | | | | |
| +------+ | | +------+ |
\\ | // |
\\\\ \\\/ ///
------------ \\\\------------- ////
Figure 1: Inter-Domain Mobility
图1:域间移动性
While basic mobility management protocols such as Mobile IP [RFC5944], Mobile IPv6 [RFC3775], and SIP-Mobility [SIPMM] provide continuity to TCP and RTP traffic, these are not optimized to reduce the handover latency during a mobile node's movement between subnets and domains. In general, these mobility management protocols introduce handover delays incurred at several layers, such as layer 3 and the application layer, for updating the mobile node's mobility binding. These protocols are affected by underlying layer 2 delay as well. As a result, applications using these mobility protocols suffer from performance degradation.
虽然诸如移动IP[RFC5944]、移动IPv6[RFC3775]和SIP移动[SIPMM]之类的基本移动管理协议提供TCP和RTP通信的连续性,但这些协议并未优化以减少移动节点在子网和域之间移动期间的切换延迟。通常,这些移动性管理协议引入了在几个层(例如第3层和应用层)产生的切换延迟,用于更新移动节点的移动性绑定。这些协议也受到底层第2层延迟的影响。因此,使用这些移动协议的应用程序的性能会下降。
There have been several optimization techniques that apply to current mobility management schemes that try to reduce handover delay and packet loss during a mobile node's movement between cells, subnets, and domains. Micro-mobility management schemes such as [CELLIP] and [HAWAII], and intra-domain mobility management schemes such as [IDMP], [MOBIP-REG], and [RFC5380], provide fast handover by limiting the signaling updates within a domain. Fast Mobile IP protocols for IPv4 and IPv6 networks [RFC4881] [RFC5568] utilize mobility information made available by link-layer triggers. Yokota et al. [YOKOTA] propose the joint use of an access point and a dedicated Media Access Control (MAC) bridge to provide fast handover without altering the MIPv4 specification. Shin et al. [MACD] propose a scheme that reduces the delay due to MAC-layer handoff by providing a cache-based algorithm. In this scheme, the mobile node caches the neighboring channels that it has already visited and thus uses a selective scanning method. This helps to reduce the associated scanning time.
有几种优化技术应用于当前的移动性管理方案,这些方案试图减少移动节点在小区、子网和域之间移动期间的切换延迟和数据包丢失。诸如[CELLIP]和[HAWAII]之类的微移动性管理方案以及诸如[IDMP]、[MOBIP-REG]和[RFC5380]之类的域内移动性管理方案通过限制域内的信令更新来提供快速切换。IPv4和IPv6网络的快速移动IP协议[RFC4881][RFC5568]利用链路层触发器提供的移动性信息。Yokota等人[Yokota]建议联合使用接入点和专用媒体访问控制(MAC)网桥,以在不改变MIPv4规范的情况下提供快速切换。Shin等人[MACD]提出了一种方案,通过提供基于缓存的算法来减少MAC层切换造成的延迟。在该方案中,移动节点缓存其已经访问的相邻信道,因此使用选择性扫描方法。这有助于减少相关的扫描时间。
Some mobility management schemes use dual interfaces, thus providing make-before-break [SUM]. In a make-before-break situation, communication usually continues with one interface when the secondary interface is in the process of getting connected. The IEEE 802.21 working group is discussing these scenarios in detail [802.21]. Providing fast handover using a single interface needs more careful design than for a client with multiple interfaces. Dutta et al. [SIPFAST] provide an optimized handover scheme for SIP-based mobility management, where the transient traffic is forwarded from the old subnet to the new one by using an application-layer forwarding scheme. [MITH] provides a fast-handover scheme for the single-interface case that uses mobile-initiated tunneling between the old Foreign Agent and a new Foreign Agent. [MITH] defines two types of handover schemes: Pre-MIT (Mobile Initiated Tunneling) and Post-MIT (Media Initiated Tunneling). The proposed MPA scheme is very similar to Mobile Initiated Tunneling Handoff's (MITH's) predictive scheme, where the mobile node communicates with the
一些移动性管理方案使用双接口,因此提供先通后断[和]。在先通后断的情况下,当辅助接口处于连接过程中时,通常通过一个接口继续通信。IEEE 802.21工作组正在详细讨论这些场景[802.21]。与具有多个接口的客户端相比,使用单个接口提供快速切换需要更仔细的设计。Dutta等人[SIPFAST]为基于SIP的移动性管理提供了一种优化的切换方案,其中通过使用应用层转发方案将瞬态流量从旧子网转发到新子网。[MITH]为单一接口情况提供了一种快速切换方案,该方案在旧的外部代理和新的外部代理之间使用移动启动的隧道。[MITH]定义了两种类型的切换方案:前MIT(移动启动的隧道)和后MIT(媒体启动的隧道)。所提出的MPA方案非常类似于移动发起隧道切换(MITH)的预测方案,其中移动节点与移动节点通信
Foreign Agent before actually moving to the new network. However, the MPA scheme is not limited to MIP; this scheme takes care of movement between domains and performs pre-authentication in addition to proactive handover. Thus, MPA reduces the overall delay to a period close to that of link-layer handover delay. Most of the mobility optimization techniques developed so far are restricted to a specific type of mobility protocol only. While supporting optimization for inter-domain mobility, these protocols assume that there is a pre-established security arrangement between two administrative domains. But this assumption may not always be viable. Thus, there is a need to develop an optimization mechanism that can support inter-domain mobility without any underlying constraints or security-related assumptions.
在实际移动到新网络之前,使用外部代理。然而,MPA方案并不限于MIP;该方案除了主动切换之外,还负责域之间的移动,并执行预认证。因此,MPA将总体延迟减少到接近链路层切换延迟的周期。目前开发的大多数移动性优化技术仅限于特定类型的移动性协议。在支持域间移动优化的同时,这些协议假定两个管理域之间存在预先建立的安全安排。但这一假设并不总是可行的。因此,需要开发一种优化机制来支持域间移动性,而无需任何底层约束或安全相关假设。
Recently, the HOKEY working group within the IETF has been defining ways to expedite the authentication process. In particular, it has defined pre-authentication [RFC5836] and fast re-authentication [RFC5169] mechanisms to expedite the authentication and security association process.
最近,IETF内的HOKEY工作组一直在确定加快认证过程的方法。特别是,它定义了预认证[RFC5836]和快速重新认证[RFC5169]机制,以加快认证和安全关联过程。
MPA is more applicable where an accurate prediction of movement can be easily made. For other environments, special care must be taken to deal with issues such as pre-authentication to multiple CTNs (Candidate Target Networks), and failed switching and switching back as described in [MPA-WIRELESS]. However, addressing those issues in actual deployments may not be easier. Some of the deployment issues are described in Appendix C.
MPA更适用于易于准确预测运动的情况。对于其他环境,必须特别注意处理问题,如对多个CTN(候选目标网络)的预认证,以及[MPA-WIRELESS]中所述的切换和回切失败。但是,在实际部署中解决这些问题可能并不容易。附录C中描述了一些部署问题。
The authors of the accompanying document [MPA-WIRELESS] have cited several use cases of how MPA can be used to optimize several network-layer and application-layer mobility protocols. The effectiveness of MPA may be relatively reduced if the network employs network-controlled localized mobility management in which the MN does not need to change its IP address while moving within the network. The effectiveness of MPA may also be relatively reduced if signaling for network access authentication is already optimized for movements within the network, e.g., when simultaneous use of multiple interfaces during handover is allowed. In other words, MPA is more viable as a solution for inter-administrative domain predictive handover without the simultaneous use of multiple interfaces. Since MPA is not tied to a specific mobility protocol, it is also applicable to support optimization for inter-domain handover where each domain may be equipped with a different mobility protocol.
随附文档[MPA-WIRELESS]的作者列举了几个使用案例,说明如何使用MPA优化多个网络层和应用层移动协议。如果网络采用网络控制的局部移动性管理,其中MN在网络内移动时不需要改变其IP地址,则MPA的有效性可能相对降低。如果用于网络接入认证的信令已经针对网络内的移动进行了优化,例如,当允许在切换期间同时使用多个接口时,MPA的有效性也可能相对降低。换句话说,MPA是一种更可行的跨管理域预测切换解决方案,无需同时使用多个接口。由于MPA不绑定到特定的移动性协议,因此它也适用于支持域间切换的优化,其中每个域可以配备不同的移动性协议。
Figure 1 shows an example of inter-domain mobility where MPA could be applied. For example, domain A may support just Proxy MIPv6, whereas domain B may support Client Mobile IPv6. MPA's different functional components can provide the desired optimization techniques proactively.
图1显示了可以应用MPA的域间迁移率示例。例如,域A可能只支持代理MIPv6,而域B可能支持客户端移动IPv6。MPA的不同功能组件可以主动提供所需的优化技术。
Media-independent Pre-Authentication (MPA) is a mobile-assisted, secure handover optimization scheme that works over any link layer and with any mobility management protocol. With MPA, a mobile node is not only able to securely obtain an IP address and other configuration parameters for a CTN, but also able to send and receive IP packets using the IP address obtained before it actually attaches to the CTN. This makes it possible for the mobile node to complete the binding update of any mobility management protocol and use the new CoA before performing a handover at the link layer.
媒体独立预认证(MPA)是一种移动辅助的安全切换优化方案,可在任何链路层和任何移动性管理协议上工作。使用MPA,移动节点不仅能够安全地获得CTN的IP地址和其他配置参数,而且能够使用在实际连接到CTN之前获得的IP地址发送和接收IP分组。这使得移动节点能够在链路层执行切换之前完成任何移动性管理协议的绑定更新并使用新的CoA。
MPA adopts the following basic procedures to provide this functionality. The first procedure is referred to as "pre-authentication", the second procedure is referred to as "pre-configuration", and the combination of the third and fourth procedures is referred to as "secure proactive handover". The security association established through pre-authentication is referred to as an "MPA-SA".
MPA采用以下基本程序来提供此功能。第一个过程称为“预认证”,第二个过程称为“预配置”,第三和第四个过程的组合称为“安全主动切换”。通过预认证建立的安全关联称为“MPA-SA”。
This functionality is provided by allowing a mobile node that has connectivity to the current network, but is not yet attached to a CTN, to
此功能是通过允许已连接到当前网络但尚未连接到CTN的移动节点
(i) establish a security association with the CTN to secure the subsequent protocol signaling, then
(i) 与CTN建立安全关联以保护后续协议信令,然后
(ii) securely execute a configuration protocol to obtain an IP address and other parameters from the CTN as well as execute a tunnel management protocol to establish a Proactive Handover Tunnel (PHT) [RFC2003] between the mobile node and an access router of the CTN, then
(ii)安全地执行配置协议以从CTN获取IP地址和其他参数,以及执行隧道管理协议以在移动节点和CTN的接入路由器之间建立主动切换隧道(PHT)[rfc203],然后
(iii) send and receive IP packets, including signaling messages for the binding update of an MMP and data packets transmitted after completion of the binding update, over the PHT, using the obtained IP address as the tunnel inner address, and finally
(iii)使用获得的IP地址作为隧道内部地址,通过PHT发送和接收IP分组,包括MMP绑定更新的信令消息和绑定更新完成后发送的数据分组,以及
(iv) delete or disable the PHT immediately before attaching to the CTN when it becomes the target network, and then re-assign the inner address of the deleted or disabled tunnel to its physical interface immediately after the mobile node is attached to the target network through the interface. Instead of deleting or disabling the tunnel before attaching to the target network, the tunnel may be deleted or disabled immediately after being attached to the target network.
(iv)当PHT成为目标网络时,在连接到CTN之前立即删除或禁用PHT,然后在移动节点通过接口连接到目标网络之后,立即将已删除或禁用的隧道的内部地址重新分配到其物理接口。与在连接到目标网络之前删除或禁用隧道不同,可以在连接到目标网络之后立即删除或禁用隧道。
Step (iii) above (i.e., the binding update procedure), in particular, makes it possible for the mobile node to complete the higher-layer handover before starting a link-layer handover. This means that the mobile node is able to send and receive data packets transmitted after completing the binding update over the tunnel, while data packets transmitted before completion of the binding update do not use the tunnel.
具体而言,上述步骤(iii)(即绑定更新过程)使得移动节点能够在开始链路层切换之前完成高层切换。这意味着移动节点能够通过隧道发送和接收在完成绑定更新之后发送的数据分组,而在完成绑定更新之前发送的数据分组不使用隧道。
In the MPA framework, the following functional elements are expected to reside in each CTN to communicate with a mobile node: an Authentication Agent (AA), a Configuration Agent (CA), and an Access Router (AR). These elements can reside in one or more network devices.
在MPA框架中,以下功能元件预期驻留在每个CTN中以与移动节点通信:认证代理(AA)、配置代理(CA)和接入路由器(AR)。这些元素可以驻留在一个或多个网络设备中。
An authentication agent is responsible for pre-authentication. An authentication protocol is executed between the mobile node and the authentication agent to establish an MPA-SA. The authentication protocol MUST be able to establish a shared key between the mobile node and the authentication agent and SHOULD be able to provide mutual authentication. The authentication protocol SHOULD be able to interact with a AAA protocol, such as RADIUS or Diameter, to carry authentication credentials to an appropriate authentication server in the AAA infrastructure. This interaction happens through the authentication agent, such as the PANA Authentication Agent (PAA). In turn, the derived key is used to derive additional keys that will be applied to protecting message exchanges used for pre-configuration and secure proactive handover. Other keys that are used for bootstrapping link-layer and/or network-layer ciphers MAY also be derived from the MPA-SA. A protocol that can carry the Extensible Authentication Protocol (EAP) [RFC3748] would be suitable as an authentication protocol for MPA.
身份验证代理负责预身份验证。在移动节点和认证代理之间执行认证协议以建立MPA-SA。认证协议必须能够在移动节点和认证代理之间建立共享密钥,并且应该能够提供相互认证。身份验证协议应能够与AAA协议(如RADIUS或Diameter)交互,以将身份验证凭据传送到AAA基础结构中的适当身份验证服务器。这种交互通过身份验证代理(如PANA身份验证代理(PAA))进行。反过来,派生密钥用于派生附加密钥,这些密钥将应用于保护用于预配置和安全主动切换的消息交换。用于引导链路层和/或网络层密码的其他密钥也可以从MPA-SA导出。可携带可扩展认证协议(EAP)[RFC3748]的协议适合作为MPA的认证协议。
A configuration agent is responsible for one part of pre-configuration, namely securely executing a configuration protocol to deliver an IP address and other configuration parameters to the mobile node. The signaling messages of the configuration protocol (e.g., DHCP) MUST be protected using a key derived from the key corresponding to the MPA-SA.
配置代理负责预配置的一部分,即安全地执行配置协议以向移动节点传送IP地址和其他配置参数。配置协议(例如DHCP)的信令消息必须使用从对应于MPA-SA的密钥派生的密钥进行保护。
An access router in the MPA framework is a router that is responsible for the other part of pre-configuration, i.e., securely executing a tunnel management protocol to establish a proactive handover tunnel to the mobile node. IP packets transmitted over the proactive handover tunnel SHOULD be protected using a key derived from the key corresponding to the MPA-SA. Details of this procedure are described in Section 6.3.
MPA框架中的接入路由器是负责预配置的另一部分的路由器,即,安全地执行隧道管理协议以建立到移动节点的主动切换隧道。应使用从对应于MPA-SA的密钥派生的密钥来保护通过主动切换隧道传输的IP数据包。第6.3节描述了该程序的详细信息。
Figure 2 shows the basic functional components of MPA.
图2显示了MPA的基本功能组件。
+----+
| CN |
+----+
/
(Core Network)
/ \
/ \
+----------------/--------+ +----\-----------------+
| +-----+ | |+-----+ |
| | | +-----+ | || | +-----+ |
| | AA | |CA | | ||AA | | CA | |
| +--+--+ +--+--+ | |+--+--+ +--+--+ |
| | +------+ | | | | +-----+ | |
| | | pAR | | | | | |nAR | | |
| ---+---+ +---+-----+----+---+-+ +-----+ |
| +---+--+ | | +-----+ |
| | | | |
| | | | |
| | | | |
+------------+------------+ +--------|-------------+
Current | Candidate| Target Network
Network | |
+------+ +------+
| oPoA | | nPoA |
+--.---+ +--.---+
. .
. .
+------+
| MN | ---------->
+------+
+----+
| CN |
+----+
/
(Core Network)
/ \
/ \
+----------------/--------+ +----\-----------------+
| +-----+ | |+-----+ |
| | | +-----+ | || | +-----+ |
| | AA | |CA | | ||AA | | CA | |
| +--+--+ +--+--+ | |+--+--+ +--+--+ |
| | +------+ | | | | +-----+ | |
| | | pAR | | | | | |nAR | | |
| ---+---+ +---+-----+----+---+-+ +-----+ |
| +---+--+ | | +-----+ |
| | | | |
| | | | |
| | | | |
+------------+------------+ +--------|-------------+
Current | Candidate| Target Network
Network | |
+------+ +------+
| oPoA | | nPoA |
+--.---+ +--.---+
. .
. .
+------+
| MN | ---------->
+------+
Figure 2: MPA Functional Components
图2:MPA功能组件
Assume that the mobile node is already connected to a point of attachment, say oPoA (old point of attachment), and assigned a care-of address, say oCoA (old care-of address). The communication flow of MPA is described as follows. Throughout the communication flow, data packet loss should not occur except for the period during the switching procedure in Step 5 below, and it is the responsibility of link-layer handover to minimize packet loss during this period.
假设移动节点已经连接到一个连接点,例如oPoA(旧连接点),并分配了一个转交地址,例如oCoA(旧转交地址)。MPA的通信流程描述如下。在整个通信流中,除了下面步骤5中的交换过程期间,不应发生数据分组丢失,链路层切换的责任是将该期间的分组丢失降至最低。
Step 1 (pre-authentication phase): The mobile node finds a CTN through some discovery process, such as IEEE 802.21, and obtains the IP addresses of an authentication agent, a configuration agent, and an access router in the CTN (Candidate Target Network) by some means. Details about discovery mechanisms are discussed in Section 7.1. The mobile node performs pre-authentication with the authentication agent. As discussed in Section 7.2, the mobile node may need to pre-authenticate with multiple candidate target networks. The decision regarding with which candidate network the mobile node needs to pre-authenticate will depend upon several factors, such as signaling overhead, bandwidth requirement (Quality of Service (QoS)), the mobile node's location, communication cost, handover robustness, etc. Determining the policy that decides the target network with which the mobile node should pre-authenticate is out of scope for this document.
步骤1(预认证阶段):移动节点通过一些发现过程(如IEEE 802.21)找到CTN,并通过某种方式获得CTN(候选目标网络)中认证代理、配置代理和接入路由器的IP地址。第7.1节讨论了有关发现机制的详细信息。移动节点使用认证代理执行预认证。如第7.2节所述,移动节点可能需要与多个候选目标网络进行预认证。关于移动节点需要预认证的候选网络的决定将取决于几个因素,例如信令开销、带宽要求(服务质量(QoS))、移动节点的位置、通信成本、切换鲁棒性,等等。确定决定移动节点应使用其进行预认证的目标网络的策略超出本文档的范围。
If the pre-authentication is successful, an MPA-SA is created between the mobile node and the authentication agent. Two keys are derived from the MPA-SA, namely an MN-CA key and an MN-AR key, which are used to protect subsequent signaling messages of a configuration protocol and a tunnel management protocol, respectively. The MN-CA key and the MN-AR key are then securely delivered to the configuration agent and the access router, respectively.
如果预认证成功,则在移动节点和认证代理之间创建MPA-SA。从MPA-SA派生出两个密钥,即MN-CA密钥和MN-AR密钥,分别用于保护配置协议和隧道管理协议的后续信令消息。然后,MN-CA密钥和MN-AR密钥分别安全地传送到配置代理和访问路由器。
Step 2 (pre-configuration phase): The mobile node realizes that its point of attachment is likely to change from the oPoA to a new one, say nPoA (new point of attachment). It then performs pre-configuration with the configuration agent, using the configuration protocol to obtain several configuration parameters such as an IP address, say nCoA (new care-of address), and a default router from the CTN. The mobile node then communicates with the access router using the tunnel management protocol to establish a proactive handover tunnel. In the tunnel management protocol, the mobile node registers the oCoA and the nCoA as the tunnel outer address and the tunnel inner address, respectively. The signaling messages of the pre-configuration protocol are protected using the MN-CA key and the MN-AR key. When the configuration agent and the access router are co-located in the same device, the two protocols may be integrated into a single protocol, such as IKEv2. After completion of the tunnel establishment, the mobile node is able to communicate using both the oCoA and the nCoA by the end of Step 4. A configuration protocol and a tunnel management protocol may be combined in a single protocol or executed in different orders depending on the actual protocol(s) used for configuration and tunnel management.
步骤2(预配置阶段):移动节点意识到其连接点可能会从oPoA更改为新的,例如nPoA(新连接点)。然后,它使用配置协议与配置代理一起执行预配置,以获得多个配置参数,例如IP地址,例如nCoA(新转交地址),以及来自CTN的默认路由器。然后,移动节点使用隧道管理协议与接入路由器通信以建立主动切换隧道。在隧道管理协议中,移动节点将oCoA和nCoA分别注册为隧道外部地址和隧道内部地址。预配置协议的信令消息使用MN-CA密钥和MN-AR密钥进行保护。当配置代理和接入路由器位于同一设备中时,这两个协议可以集成到单个协议中,例如IKEv2。在完成隧道建立之后,移动节点能够在步骤4结束时使用oCoA和nCoA两者进行通信。配置协议和隧道管理协议可以组合在单个协议中,或者根据用于配置和隧道管理的实际协议以不同的顺序执行。
Step 3 (secure proactive handover main phase): The mobile node decides to switch to the new point of attachment by some means. Before the mobile node switches to the new point of attachment, it starts secure proactive handover by executing the binding update operation of a mobility management protocol and transmitting subsequent data traffic over the tunnel (main phase). This proactive binding update could be triggered based on certain local policy at the mobile node end, after the pre-configuration phase is over. This local policy could be Signal-to-Noise Ratio, location of the mobile node, etc. In some cases, it may cache multiple nCoA addresses and perform simultaneous binding with the Correspondent Node (CN) or Home Agent (HA).
步骤3(安全主动切换主阶段):移动节点决定通过某种方式切换到新的连接点。在移动节点切换到新的连接点之前,它通过执行移动性管理协议的绑定更新操作并通过隧道传输随后的数据流量来启动安全主动切换(主阶段)。预配置阶段结束后,可以根据移动节点端的特定本地策略触发此主动绑定更新。该本地策略可以是信噪比、移动节点的位置等。在某些情况下,它可以缓存多个nCoA地址,并与对应节点(CN)或归属代理(HA)同时执行绑定。
Step 4 (secure proactive handover pre-switching phase): The mobile node completes the binding update and becomes ready to switch to the new point of attachment. The mobile node may execute the tunnel management protocol to delete or disable the proactive handover tunnel and cache the nCoA after deletion or disabling of the tunnel. This transient tunnel can be deleted prior to or after the handover. The buffering module at the next access router buffers the packets once the tunnel interface is deleted. The decision as to when the mobile node is ready to switch to the new point of attachment depends on the handover policy.
步骤4(安全主动切换预切换阶段):移动节点完成绑定更新并准备切换到新的连接点。移动节点可以执行隧道管理协议来删除或禁用主动切换隧道,并在删除或禁用隧道后缓存nCoA。可在移交之前或之后删除此瞬态隧道。一旦隧道接口被删除,下一个接入路由器处的缓冲模块将对数据包进行缓冲。关于移动节点何时准备好切换到新连接点的决定取决于切换策略。
Step 5 (switching): It is expected that a link-layer handover occurs in this step.
第5步(切换):预计在该步骤中会发生链路层切换。
Step 6 (secure proactive handover post-switching phase): The mobile node executes the switching procedure. Upon successful completion of the switching procedure, the mobile node immediately restores the cached nCoA and assigns it to the physical interface attached to the new point of attachment. If the proactive handover tunnel was not deleted or disabled in Step 4, the tunnel is deleted or disabled as well. After this, direct transmission of data packets using the nCoA is possible without using a proactive handover tunnel.
步骤6(安全主动切换切换后阶段):移动节点执行切换过程。成功完成切换过程后,移动节点立即恢复缓存的nCoA,并将其分配给连接到新连接点的物理接口。如果在步骤4中未删除或禁用主动切换隧道,则该隧道也将被删除或禁用。在此之后,可以使用nCoA直接传输数据分组,而无需使用主动切换隧道。
Call flow for MPA is shown in Figures 3 and 4.
MPA的调用流程如图3和图4所示。
IP address(es)
Available for
Use by MN
|
+-----------------------------------+ |
| Candidate Target Network | |
| (Future Target Network) | |
MN oPoA | nPoA AA CA AR | |
| | | | | | | | |
| | +-----------------------------------+ |
| | | | | | .
+---------------+ | | | | | .
|(1) Found a CTN| | | | | | .
+---------------+ | | | | | |
| Pre-authentication | | | |
| [authentication protocol] | | |
|<--------+------------->|MN-CA key| | |
| | | |-------->|MN-AR key| |
+-----------------+ | | |------------------>| |
|(2) Increased | | | | | | [oCoA]
|chance to switch | | | | | | |
| to CTN | | | | | | |
+-----------------+ | | | | | |
| | | | | | |
| Pre-configuration | | | |
| [configuration protocol to get nCoA] | |
|<--------+----------------------->| | |
| Pre-configuration | | | |
| [tunnel management protocol to establish PHT] V
|<--------+--------------------------------->|
| | | | | | ^
+-----------------+ | | | | | |
|(3) Determined | | | | | | |
|to switch to CTN | | | | | | |
+-----------------+ | | | | | |
| | | | | | |
| Secure proactive handover main phase | |
| [execution of binding update of MMP and | |
| transmission of data packets through AR | [oCoA, nCoA]
| based on nCoA over the PHT] | | |
|<<=======+================================>+--->... |
. . . . . . .
. . . . . . .
. . . . . . .
IP address(es)
Available for
Use by MN
|
+-----------------------------------+ |
| Candidate Target Network | |
| (Future Target Network) | |
MN oPoA | nPoA AA CA AR | |
| | | | | | | | |
| | +-----------------------------------+ |
| | | | | | .
+---------------+ | | | | | .
|(1) Found a CTN| | | | | | .
+---------------+ | | | | | |
| Pre-authentication | | | |
| [authentication protocol] | | |
|<--------+------------->|MN-CA key| | |
| | | |-------->|MN-AR key| |
+-----------------+ | | |------------------>| |
|(2) Increased | | | | | | [oCoA]
|chance to switch | | | | | | |
| to CTN | | | | | | |
+-----------------+ | | | | | |
| | | | | | |
| Pre-configuration | | | |
| [configuration protocol to get nCoA] | |
|<--------+----------------------->| | |
| Pre-configuration | | | |
| [tunnel management protocol to establish PHT] V
|<--------+--------------------------------->|
| | | | | | ^
+-----------------+ | | | | | |
|(3) Determined | | | | | | |
|to switch to CTN | | | | | | |
+-----------------+ | | | | | |
| | | | | | |
| Secure proactive handover main phase | |
| [execution of binding update of MMP and | |
| transmission of data packets through AR | [oCoA, nCoA]
| based on nCoA over the PHT] | | |
|<<=======+================================>+--->... |
. . . . . . .
. . . . . . .
. . . . . . .
Figure 3: Example Communication Flow (1/2)
图3:示例通信流(1/2)
| | | | | | |
+----------------+ | | | | | |
|(4) Completion | | | | | | |
|of MMP BU and | | | | | | |
|ready to switch | | | | | | |
+----------------+ | | | | | |
| Secure proactive handover pre-switching phase |
| [tunnel management protocol to delete PHT] V
|<--------+--------------------------------->|
+---------------+ | | | |
|(5)Switching | | | | |
+---------------+ | | | |
| | | | |
+---------------+ | | | |
|(6) Completion | | | | |
|of switching | | | | |
+---------------+ | | | |
o<- Secure proactive handover post-switching phase ^
| [Re-assignment of Tunnel Inner Address | |
| to the physical I/F] | |
| | | | | |
| Transmission of data packets through AR | [nCoA]
| based on nCoA| | | | |
|<---------------+---------------------------+-->... |
| | | | | .
| | | | | | |
+----------------+ | | | | | |
|(4) Completion | | | | | | |
|of MMP BU and | | | | | | |
|ready to switch | | | | | | |
+----------------+ | | | | | |
| Secure proactive handover pre-switching phase |
| [tunnel management protocol to delete PHT] V
|<--------+--------------------------------->|
+---------------+ | | | |
|(5)Switching | | | | |
+---------------+ | | | |
| | | | |
+---------------+ | | | |
|(6) Completion | | | | |
|of switching | | | | |
+---------------+ | | | |
o<- Secure proactive handover post-switching phase ^
| [Re-assignment of Tunnel Inner Address | |
| to the physical I/F] | |
| | | | | |
| Transmission of data packets through AR | [nCoA]
| based on nCoA| | | | |
|<---------------+---------------------------+-->... |
| | | | | .
Figure 4: Example Communication Flow (2/2)
图4:示例通信流(2/2)
In order to provide an optimized handover for a mobile node experiencing rapid movement between subnets and/or domains, one needs to look into several operations. These issues include:
为了为经历子网和/或域之间快速移动的移动节点提供优化的切换,需要研究几种操作。这些问题包括:
i) discovery of neighboring networking elements,
i) 发现相邻的网络元素,
ii) connecting to the right network based on certain policy,
ii)根据特定策略连接到正确的网络,
iii) changing the layer 2 point of attachment,
iii)更改第2层附着点,
iv) obtaining an IP address from a DHCP or PPP server,
iv)从DHCP或PPP服务器获取IP地址,
v) confirming the uniqueness of the IP address,
v) 确认IP地址的唯一性,
vi) pre-authenticating with the authentication agent,
vi)与认证代理进行预认证,
vii) sending the binding update to the Correspondent Host (CH),
vii)向对应主机(CH)发送绑定更新,
viii) obtaining the redirected streaming traffic to the new point of attachment,
viii)获取重定向到新连接点的流式传输流量,
ix) ping-pong effect, and
ix)乒乓球效应,以及
x) probability of moving to more than one network and associating with multiple target networks.
x) 移动到多个网络并与多个目标网络关联的概率。
We describe these issues in detail in the following paragraphs and describe how we have optimized these issues in the case of MPA-based secure proactive handover.
我们将在以下段落中详细描述这些问题,并描述我们如何在基于MPA的安全主动切换的情况下优化这些问题。
Discovery of neighboring networking elements such as access points, access routers, and authentication servers helps expedite the handover process during a mobile node's movement between networks. After discovering the network neighborhood with a desired set of coordinates, capabilities, and parameters, the mobile node can perform many of the operations, such as pre-authentication, proactive IP address acquisition, proactive address resolution, and binding update, while in the previous network.
在移动节点在网络之间移动期间,发现邻近的网络元素(如接入点、接入路由器和认证服务器)有助于加快切换过程。在发现具有所需坐标集、能力和参数的网络邻居之后,移动节点可以在先前网络中执行许多操作,例如预认证、主动IP地址获取、主动地址解析和绑定更新。
There are several ways a mobile node can discover neighboring networks. The Candidate Access Router Discovery protocol [RFC4066] helps discover the candidate access routers in the neighboring networks. Given a certain network domain, SLP (Service Location Protocol) [RFC2608] and DNS help provide addresses of the networking components for a given set of services in the specific domain. In some cases, many of the network-layer and upper-layer parameters may be sent over link-layer management frames, such as beacons, when the mobile node approaches the vicinity of the neighboring networks. IEEE 802.11u is considering issues such as discovering the neighborhood using information contained in the link layer. However, if the link-layer management frames are encrypted by some link-layer security mechanism, then the mobile node may not be able to obtain the requisite information before establishing link-layer connectivity to the access point. In addition, this may add burden to the bandwidth-constrained wireless medium. In such cases, a higher-layer protocol is preferred to obtain the information regarding the neighboring elements. Some proposals, such as [802.21], help obtain information about the neighboring networks from a mobility server. When the movement is imminent, the mobile node starts the discovery process by querying a specific server and obtains the required parameters, such as the IP address of the access point, its characteristics, routers, SIP servers, or authentication servers of the neighboring networks. In the event of multiple networks, it may obtain the required parameters from more than one neighboring network
移动节点可以通过多种方式发现相邻网络。候选接入路由器发现协议[RFC4066]有助于在相邻网络中发现候选接入路由器。给定某个网络域,SLP(服务位置协议)[RFC2608]和DNS帮助为特定域中的给定服务集提供网络组件的地址。在一些情况下,当移动节点接近相邻网络的附近时,许多网络层和上层参数可以通过链路层管理帧(例如信标)发送。IEEE 802.11u正在考虑使用链路层中包含的信息发现邻居等问题。然而,如果链路层管理帧由某种链路层安全机制加密,则移动节点可能无法在建立到接入点的链路层连接之前获得必要的信息。此外,这可能会给带宽受限的无线媒体增加负担。在这种情况下,优选更高层协议来获得关于相邻元件的信息。一些建议,如[802.21],有助于从移动服务器获取有关相邻网络的信息。当移动即将发生时,移动节点通过查询特定服务器来启动发现过程,并获得所需参数,例如接入点的IP地址、其特征、路由器、SIP服务器或相邻网络的认证服务器。在多个网络的情况下,它可以从多个相邻网络获得所需的参数
and keep these in a cache. At some point, the mobile node finds several CTNs out of many probable networks and starts the pre-authentication process by communicating with the required entities in the CTNs. Further details of this scenario are in Section 7.2.
并将其保存在缓存中。在某个时刻,移动节点从许多可能的网络中找到几个ctn,并通过与ctn中所需的实体通信来启动预认证过程。有关此场景的更多详细信息,请参见第7.2节。
In some cases, although a mobile node selects a specific network to be the target network, it may actually end up moving into a neighboring network other than the target network, due to factors that are beyond the mobile node's control. Thus, it may be useful to perform the pre-authentication with a few probable candidate target networks and establish time-bound transient tunnels with the respective access routers in those networks. Thus, in the event of a mobile node moving to a candidate target network other than that chosen as the target network, it will not be subjected to packet loss due to authentication and IP address acquisition delay that could occur if the mobile node did not pre-authenticate with that candidate target network. It may appear that by pre-authenticating with a number of candidate target networks and reserving the IP addresses, the mobile node is reserving resources that could be used otherwise. But since this happens for a time-limited period, it should not be a big problem; it depends upon the mobility pattern and duration. The mobile node uses a pre-authentication procedure to obtain an IP address proactively and to set up the time-bound tunnels with the access routers of the candidate target networks. Also, the MN may retain some or all of the nCoAs for future movement.
在某些情况下,尽管移动节点选择特定网络作为目标网络,但由于移动节点无法控制的因素,它实际上可能最终移动到目标网络以外的相邻网络中。因此,可以使用几个可能的候选目标网络执行预认证,并使用这些网络中的各个接入路由器建立有时间限制的瞬态隧道。因此,在移动节点移动到被选择为目标网络以外的候选目标网络的情况下,它将不会由于认证和IP地址获取延迟而遭受分组丢失,如果移动节点没有与该候选目标网络进行预认证,则可能会发生认证和IP地址获取延迟。可能看起来,通过与多个候选目标网络预认证并保留IP地址,移动节点正在保留可以以其他方式使用的资源。但是,由于这是一个时间有限的时期,这应该不是一个大问题;这取决于流动模式和持续时间。移动节点使用预认证过程来主动获取IP地址,并与候选目标网络的接入路由器建立有时限的隧道。此外,MN可能保留部分或全部NCOA以备将来移动。
The mobile node may choose one of these addresses as the binding update address and send it to the CN (Correspondent Node) or HA (Home Agent), and will thus receive the tunneled traffic via the target network while in the previous network. But in some instances, the mobile node may eventually end up moving to a network that is other than the target network. Thus, there will be a disruption in traffic as the mobile node moves to the new network, since the mobile node has to go through the process of assigning the new IP address and sending the binding update again. There are two solutions to this problem. As one solution to the problem, the mobile node can take advantage of the simultaneous mobility binding and send multiple binding updates to the Correspondent Host or HA. Thus, the Correspondent Host or HA forwards the traffic to multiple IP addresses assigned to the virtual interfaces for a specific period of time. This binding update gets refreshed at the CH after the mobile node moves to the new network, thus stopping the flow to the other candidate networks. RFC 5648 [RFC5648] discusses different scenarios of mobility binding with multiple care-of-addresses. As the second
移动节点可以选择这些地址中的一个作为绑定更新地址,并将其发送到CN(对应节点)或HA(归属代理),从而在前一网络中通过目标网络接收隧道传输的业务。但在某些情况下,移动节点可能最终移动到目标网络以外的网络。因此,当移动节点移动到新网络时,业务将中断,因为移动节点必须经历分配新IP地址并再次发送绑定更新的过程。这个问题有两种解决方案。作为该问题的一个解决方案,移动节点可以利用同步移动绑定并向对应主机或HA发送多个绑定更新。因此,对应的主机或HA将流量转发到分配给虚拟接口的多个IP地址一段特定时间。该绑定更新在移动节点移动到新网络后在CH处刷新,从而停止到其他候选网络的流。RFC 5648[RFC5648]讨论了具有多个转交地址的移动性绑定的不同场景。作为第二个
solution, in case simultaneous binding is not supported in a specific mobility scheme, forwarding of traffic from the previous target network will help take care of the transient traffic until the new binding update is sent from the new network.
解决方案,在特定移动性方案中不支持同时绑定的情况下,来自先前目标网络的流量转发将有助于处理瞬时流量,直到从新网络发送新的绑定更新。
In general, a mobility management protocol works in conjunction with the Foreign Agent or in the co-located address mode. The MPA approach can use both the co-located address mode and the Foreign Agent address mode. We discuss here the address assignment component that is used in the co-located address mode. There are several ways a mobile node can obtain an IP address and configure itself. In some cases, a mobile node can configure itself statically in the absence of any configuration element such as a server or router in the network. In a LAN environment, the mobile node can obtain an IP address from DHCP servers. In the case of IPv6 networks, a mobile node has the option of obtaining the IP address using stateless autoconfiguration or DHCPv6. In some wide-area networking environments, the mobile node uses PPP (Point-to-Point Protocol) to obtain the IP address by communicating with a NAS (Network Access Server).
一般来说,移动性管理协议与外部代理一起工作,或者在同一地址模式下工作。MPA方法可以同时使用同一地址模式和外部代理地址模式。我们在此讨论在同一地址模式中使用的地址分配组件。移动节点可以通过多种方式获取IP地址并进行自我配置。在某些情况下,移动节点可以在网络中没有任何配置元素(例如服务器或路由器)的情况下静态地配置自身。在LAN环境中,移动节点可以从DHCP服务器获取IP地址。在IPv6网络的情况下,移动节点可以选择使用无状态自动配置或DHCPv6获取IP地址。在某些广域网络环境中,移动节点使用PPP(点对点协议)通过与NAS(网络访问服务器)通信来获取IP地址。
Each of these processes takes on the order of few hundred milliseconds to a few seconds, depending upon the type of IP address acquisition process and operating system of the clients and servers. Since IP address acquisition is part of the handover process, it adds to the handover delay, and thus it is desirable to reduce this delay as much as possible. There are a few optimized techniques available, such as DHCP Rapid Commit [RFC4039] and GPS-coordinate-based IP address [GPSIP], that attempt to reduce the handover delay due to IP address acquisition time. However, in all these cases, the mobile node also obtains the IP address after it moves to the new subnet and incurs some delay because of the signaling handshake between the mobile node and the DHCP server.
根据IP地址获取过程的类型以及客户机和服务器的操作系统,这些过程中的每一个都需要几百毫秒到几秒钟的时间。由于IP地址获取是切换过程的一部分,它增加了切换延迟,因此希望尽可能减少该延迟。有一些优化技术可用,例如DHCP快速提交[RFC4039]和基于GPS坐标的IP地址[GPSIP],它们试图减少由于IP地址获取时间而导致的切换延迟。然而,在所有这些情况下,移动节点在移动到新子网后也会获得IP地址,并且由于移动节点和DHCP服务器之间的信令握手而产生一些延迟。
In Fast MIPv6 [RFC5568], through the RtSolPr and PrRtAdv messages, the MN also formulates a prospective new CoA (nCoA) when it is still present on the Previous Access Router's (pAR's) link. Hence, the latency due to new prefix discovery subsequent to handover is eliminated. However, in this case, both the pAR and the Next Access Router (nAR) need to cooperate with each other to be able to retrieve the prefix from the target network.
在Fast MIPv6[RFC5568]中,通过RtSolPr和PrRtAdv消息,MN还制定了一个潜在的新CoA(nCoA),当它仍然存在于先前的接入路由器(pAR)链路上时。因此,由于切换之后的新前缀发现而导致的延迟被消除。然而,在这种情况下,PAR和下一个接入路由器(NAR)都需要相互协作,以便能够从目标网络中检索前缀。
In the following paragraph, we describe a few ways that a mobile node can obtain the IP address proactively from the CTN, and the associated tunnel setup procedure. These can broadly be divided into four categories: PANA-assisted proactive IP address acquisition,
在下面的段落中,我们描述了移动节点可以主动从CTN获取IP地址的几种方法,以及相关的隧道设置过程。可大致分为四类:PANA辅助的主动IP地址获取,
IKE-assisted proactive IP address acquisition, proactive IP address acquisition using DHCP only, and stateless autoconfiguration. When DHCP is used for address configuration, a DHCP server is assumed to be serving one subnet.
IKE辅助的主动IP地址获取、仅使用DHCP的主动IP地址获取和无状态自动配置。当DHCP用于地址配置时,假定DHCP服务器服务于一个子网。
In the case of PANA-assisted proactive IP address acquisition, the mobile node obtains an IP address proactively from a CTN. The mobile node makes use of PANA [RFC5191] messages to trigger the IP address acquisition process via a DHCP client that is co-located with the PANA authentication agent in the access router in the CTN acting on behalf of the mobile node. Upon receiving a PANA message from the mobile node, the DHCP client on the authentication agent performs normal DHCP message exchanges to obtain the IP address from the DHCP server in the CTN. This address is piggy-backed in a PANA message and is delivered to the mobile node. In the case of IPv6, a Router Advertisement (RA) is carried as part of the PANA message. In the case of stateless autoconfiguration, the mobile node uses the prefix(es) obtained as part of the RA and its MAC address to construct the unique IPv6 address(es) as it would have done in the new network. In the case of stateful address autoconfiguration, a procedure similar to DHCPv4 can be applied.
在PANA辅助的主动IP地址获取的情况下,移动节点主动地从CTN获取IP地址。移动节点利用PANA[RFC5191]消息经由DHCP客户端触发IP地址获取过程,DHCP客户端与代表移动节点的CTN中的接入路由器中的PANA认证代理位于同一位置。从移动节点接收到PANA消息后,身份验证代理上的DHCP客户端执行正常的DHCP消息交换,以从CTN中的DHCP服务器获取IP地址。该地址在PANA消息中得到支持,并发送到移动节点。在IPv6的情况下,路由器广告(RA)作为PANA消息的一部分携带。在无状态自动配置的情况下,移动节点使用作为RA的一部分获得的前缀及其MAC地址来构造唯一的IPv6地址,就像它在新网络中所做的那样。在有状态地址自动配置的情况下,可以应用类似于DHCPv4的过程。
IKEv2-assisted proactive IP address acquisition works when an IPsec gateway and a DHCP relay agent [RFC3046] are resident within each access router in the CTN. In this case, the IPsec gateway and DHCP relay agent in a CTN help the mobile node acquire the IP address from the DHCP server in the CTN. The MN-AR key established during the pre-authentication phase is used as the IKEv2 pre-shared secret needed to run IKEv2 between the mobile node and the access router. The IP address from the CTN is obtained as part of the standard IKEv2 procedure, using the co-located DHCP relay agent for obtaining the IP address from the DHCP server in the target network using standard DHCP. The obtained IP address is sent back to the client in the IKEv2 Configuration Payload exchange. In this case, IKEv2 is also used as the tunnel management protocol for a proactive handover tunnel (see Section 7.4). Alternatively, a VPN gateway can dispense the IP address from its IP address pool.
当IPsec网关和DHCP中继代理[RFC3046]驻留在CTN中的每个访问路由器内时,IKEv2辅助的主动式IP地址获取工作。在这种情况下,CTN中的IPsec网关和DHCP中继代理帮助移动节点从CTN中的DHCP服务器获取IP地址。在预认证阶段建立的MN-AR密钥用作在移动节点和接入路由器之间运行IKEv2所需的IKEv2预共享密钥。来自CTN的IP地址是作为标准IKEv2过程的一部分获得的,使用位于同一位置的DHCP中继代理使用标准DHCP从目标网络中的DHCP服务器获得IP地址。获得的IP地址将在IKEv2配置有效负载交换中发送回客户端。在这种情况下,IKEv2还用作主动切换隧道的隧道管理协议(参见第7.4节)。或者,VPN网关可以从其IP地址池分配IP地址。
As another alternative, DHCP may be used for proactively obtaining an IP address from a CTN without relying on PANA or IKEv2-based approaches by allowing direct DHCP communication between the mobile node and the DHCP relay agent or DHCP server in the CTN. The
作为另一备选方案,通过允许移动节点与CTN中的DHCP中继代理或DHCP服务器之间的直接DHCP通信,DHCP可用于主动地从CTN获取IP地址,而不依赖于基于PANA或IKEv2的方法。这个
mechanism described in this section is applicable to DHCPv4 only. The mobile node sends a unicast DHCP message to the DHCP relay agent or DHCP server in the CTN requesting an address, while using the address associated with the current physical interface as the source address of the request.
本节中描述的机制仅适用于DHCPv4。移动节点向CTN中的DHCP中继代理或DHCP服务器发送单播DHCP消息以请求地址,同时使用与当前物理接口相关联的地址作为请求的源地址。
When the message is sent to the DHCP relay agent, the DHCP relay agent relays the DHCP messages back and forth between the mobile node and the DHCP server. In the absence of a DHCP relay agent, the mobile node can also directly communicate with the DHCP server in the target network. The broadcast option in the client's unicast DISCOVER message should be set to 0 so that the relay agent or the DHCP server can send the reply directly back to the mobile node using the mobile node's source address.
当消息发送到DHCP中继代理时,DHCP中继代理在移动节点和DHCP服务器之间来回中继DHCP消息。在没有DHCP中继代理的情况下,移动节点还可以直接与目标网络中的DHCP服务器通信。客户端单播发现消息中的广播选项应设置为0,以便中继代理或DHCP服务器可以使用移动节点的源地址将应答直接发送回移动节点。
In order to prevent malicious nodes from obtaining an IP address from the DHCP server, DHCP authentication should be used, or the access router should be configured with a filter to block unicast DHCP messages sent to the remote DHCP server from mobile nodes that are not pre-authenticated. When DHCP authentication is used, the DHCP authentication key may be derived from the MPA-SA established between the mobile node and the authentication agent in the candidate target network.
为了防止恶意节点从DHCP服务器获取IP地址,应使用DHCP身份验证,或者访问路由器应配置过滤器,以阻止未经预身份验证的移动节点发送到远程DHCP服务器的单播DHCP消息。当使用DHCP认证时,DHCP认证密钥可以从移动节点和候选目标网络中的认证代理之间建立的MPA-SA导出。
The proactively obtained IP address is not assigned to the mobile node's physical interface until the mobile node has moved to the new network. The IP address thus obtained proactively from the target network should not be assigned to the physical interface but rather to a virtual interface of the client. Thus, such a proactively acquired IP address via direct DHCP communication between the mobile node and the DHCP relay agent or the DHCP server in the CTN may be carried with additional information that is used to distinguish it from other addresses as assigned to the physical interface.
在移动节点移动到新网络之前,不会将主动获取的IP地址分配给移动节点的物理接口。因此主动从目标网络获得的IP地址不应分配给物理接口,而应分配给客户端的虚拟接口。因此,通过移动节点与CTN中的DHCP中继代理或DHCP服务器之间的直接DHCP通信,这种主动获取的IP地址可以携带用于将其与分配给物理接口的其他地址区分开来的附加信息。
Upon the mobile node's entry to the new network, the mobile node can perform DHCP over the physical interface to the new network to get other configuration parameters, such as the SIP server or DNS server, by using DHCP INFORM. This should not affect the ongoing communication between the mobile node and Correspondent Host. Also, the mobile node can perform DHCP over the physical interface to the new network to extend the lease of the address that was proactively obtained before entering the new network.
当移动节点进入新网络时,移动节点可以通过使用DHCP通知通过新网络的物理接口执行DHCP以获得其他配置参数,例如SIP服务器或DNS服务器。这不应影响移动节点和对应主机之间正在进行的通信。此外,移动节点可以通过新网络的物理接口执行DHCP,以延长在进入新网络之前主动获得的地址的租约。
In order to maintain the DHCP binding for the mobile node and keep track of the dispensed IP address before and after the secure proactive handover, the same DHCP client identifier needs to be used
为了维护移动节点的DHCP绑定并在安全主动切换前后跟踪分配的IP地址,需要使用相同的DHCP客户端标识符
for the mobile node for both DHCP for proactive IP address acquisition and for DHCP performed after the mobile node enters the target network. The DHCP client identifier may be the MAC address of the mobile node or some other identifier.
对于移动节点,用于主动IP地址获取的DHCP和在移动节点进入目标网络后执行的DHCP。DHCP客户端标识符可以是移动节点的MAC地址或某个其他标识符。
7.3.4. Proactive IP Address Acquisition Using Stateless Autoconfiguration
7.3.4. 使用无状态自动配置的主动IP地址获取
For IPv6, a network address is configured either using DHCPv6 or stateless autoconfiguration. In order to obtain the new IP address proactively, the router advertisement of the next-hop router can be sent over the established tunnel, and a new IPv6 address is generated based on the prefix and MAC address of the mobile node. Generating a CoA from the new network will avoid the time needed to obtain an IP address and perform Duplicate Address Detection.
对于IPv6,使用DHCPv6或无状态自动配置配置网络地址。为了主动获取新的IP地址,可以通过已建立的隧道发送下一跳路由器的路由器通告,并基于移动节点的前缀和MAC地址生成新的IPv6地址。从新网络生成CoA将避免获取IP地址和执行重复地址检测所需的时间。
Duplicate Address Detection and address resolution are part of the IP address acquisition process. As part of the proactive configuration, these two processes can be done ahead of time. Details of how these two processes can be done proactively are described in Appendix A and Appendix B, respectively.
重复地址检测和地址解析是IP地址获取过程的一部分。作为主动配置的一部分,这两个过程可以提前完成。附录A和附录B分别描述了如何主动完成这两个过程的详细信息。
In the case of stateless autoconfiguration, the mobile node checks to see the prefix of the router advertisement in the new network and matches it with the prefix of the newly assigned IP address. If these turn out to be the same, then the mobile node does not go through the IP address acquisition phase again.
在无状态自动配置的情况下,移动节点检查新网络中路由器广告的前缀,并将其与新分配的IP地址的前缀匹配。如果结果是相同的,则移动节点不会再次经历IP地址获取阶段。
After an IP address is proactively acquired from the DHCP server in a CTN, or via stateless autoconfiguration in the case of IPv6, a proactive handover tunnel is established between the mobile node and the access router in the CTN. The mobile node uses the acquired IP address as the tunnel's inner address.
在主动从CTN中的DHCP服务器获取IP地址后,或者在IPv6的情况下通过无状态自动配置,在移动节点和CTN中的接入路由器之间建立主动切换隧道。移动节点使用获取的IP地址作为隧道的内部地址。
There are several reasons why this transient tunnel is established between the nAR and the mobile node in the old PoA, unlike the transient tunnel in FMIPv6 (Fast MIPv6) [RFC5568], where it is set up between the mobile node's new point of attachment and the old access router.
与FMIPv6(Fast MIPv6)[RFC5568]中的瞬态隧道不同,在旧PoA中nAR和移动节点之间建立此瞬态隧道有几个原因,在FMIPv6(Fast MIPv6)[RFC5568]中,它是在移动节点的新连接点和旧接入路由器之间建立的。
In the case of inter-domain handoff, it is important that any signaling message between the nPoA and the mobile node needs to be secured. This transient secured tunnel provides the desired functionality, including securing the proactive binding update and transient data between the end-points before the handover has taken place. Unlike the proactive mode of FMIPv6, transient handover
在域间切换的情况下,需要保护nPoA和移动节点之间的任何信令消息是重要的。此瞬态安全隧道提供了所需的功能,包括在切换发生之前保护主动绑定更新和端点之间的瞬态数据。与FMIPv6的主动模式不同,瞬时切换
packets are not sent to the pAR, and thus a tunnel between the mobile node's new point of attachment and the old access router is not needed.
分组不发送到PAR,因此不需要移动节点的新连接点和旧接入路由器之间的隧道。
In the case of inter-domain handoff, the pAR and nAR could logically be far from each other. Thus, the signaling and data during the pre-authentication period will take a longer route, and thus may be subjected to longer one-way delay. Hence, MPA provides a tradeoff between larger packet loss or larger one-way packet delay for a transient period, when the mobile node is preparing for handoff.
在域间切换的情况下,PAR和NAR可以在逻辑上彼此远离。因此,预认证期间的信令和数据将采用更长的路由,并且因此可能经受更长的单向延迟。因此,当移动节点准备切换时,MPA在较大的分组丢失或较大的单向分组延迟之间提供了一个过渡期的折衷。
The proactive handover tunnel is established using a tunnel management protocol. When IKEv2 is used for proactive IP address acquisition, IKEv2 is also used as the tunnel management protocol. Alternatively, when PANA is used for proactive IP address acquisition, PANA may be used as the secure tunnel management protocol.
主动切换隧道是使用隧道管理协议建立的。当IKEv2用于主动IP地址获取时,IKEv2也用作隧道管理协议。或者,当PANA用于主动IP地址获取时,PANA可用作安全隧道管理协议。
Once the proactive handover tunnel is established between the mobile node and the access router in the candidate target network, the access router also needs to perform proxy address resolution (Proxy ARP) on behalf of the mobile node so that it can capture any packets destined to the mobile node's new address.
一旦在移动节点和候选目标网络中的接入路由器之间建立了主动切换隧道,接入路由器还需要代表移动节点执行代理地址解析(代理ARP),以便它能够捕获目的地为移动节点的新地址的任何包。
Since the mobile node needs to be able to communicate with the Correspondent Node while in the previous network, some or all parts of the binding update and data from the Correspondent Node to the mobile node need to be sent back to the mobile node over a proactive handover tunnel. Details of these binding update procedures are described in Section 7.5.
由于移动节点需要能够在前一网络中与对应节点通信,因此需要通过主动切换隧道将来自对应节点到移动节点的绑定更新和数据的部分或全部部分发送回移动节点。第7.5节描述了这些绑定更新程序的详细信息。
In order for the traffic to be directed to the mobile node after the mobile node attaches to the target network, the proactive handover tunnel needs to be deleted or disabled. The tunnel management protocol used for establishing the tunnel is used for this purpose. Alternatively, when PANA is used as the authentication protocol, the tunnel deletion or disabling at the access router can be triggered by means of the PANA update mechanism as soon as the mobile node moves to the target network. A link-layer trigger ensures that the mobile node is indeed connected to the target network and can also be used as the trigger to delete or disable the tunnel. A tunnel management protocol also triggers the router advertisement (RA) from the next access router to be sent over the tunnel, as soon as the tunnel creation is complete.
为了在移动节点连接到目标网络之后将业务定向到移动节点,需要删除或禁用主动切换隧道。用于建立隧道的隧道管理协议用于此目的。或者,当使用PANA作为认证协议时,只要移动节点移动到目标网络,就可以借助PANA更新机制触发接入路由器处的隧道删除或禁用。链路层触发器确保移动节点确实连接到目标网络,并且还可以用作删除或禁用隧道的触发器。一旦隧道创建完成,隧道管理协议也会从下一个接入路由器触发路由器广告(RA),该路由器将通过隧道发送。
There are several kinds of binding update mechanisms for different mobility management schemes.
对于不同的移动性管理方案,有几种绑定更新机制。
In the case of Mobile IPv4 and Mobile IPv6, the mobile node performs a binding update with the Home Agent only, if route optimization is not used. Otherwise, the mobile node performs the binding update with both the Home Agent (HA) and Correspondent Node (CN).
在移动IPv4和移动IPv6的情况下,如果未使用路由优化,则移动节点仅与归属代理执行绑定更新。否则,移动节点执行与归属代理(HA)和对应节点(CN)两者的绑定更新。
In the case of SIP-based terminal mobility, the mobile node sends a binding update using an INVITE to the Correspondent Node and a REGISTER message to the Registrar. Based on the distance between the mobile node and the Correspondent Node, the binding update may contribute to the handover delay. SIP-fast handover [SIPFAST] provides several ways of reducing the handover delay due to binding update. In the case of secure proactive handover using SIP-based mobility management, we do not encounter the delay due to the binding update at all, as it takes place in the previous network.
在基于SIP的终端移动性的情况下,移动节点使用INVITE向对应节点发送绑定更新,并使用REGISTER消息向注册器发送绑定更新。基于移动节点和对应节点之间的距离,绑定更新可能导致切换延迟。SIP快速切换[SIPFAST]提供了几种减少绑定更新导致的切换延迟的方法。在使用基于SIP的移动性管理的安全主动切换的情况下,我们根本不会遇到绑定更新导致的延迟,因为它发生在以前的网络中。
Thus, this proactive binding update scheme looks more attractive when the Correspondent Node is too far from the communicating mobile node. Similarly, in the case of Mobile IPv6, the mobile node sends the newly acquired CoA from the target network as the binding update to the HA and CN. Also, all signaling messages between the MN and HA and between the MN and CN are passed through this proactive tunnel that is set up. These messages include Binding Update (BU); Binding Acknowledgement (BA); and the associated return routability messages, such as Home Test Init (HoTI), Home Test (HoT), Care-of Test Init (CoTI), and Care-of Test (CoT). In Mobile IPv6, since the receipt of an on-link router advertisement is mandatory for the mobile node to detect the movement and trigger the binding update, a router advertisement from the next access router needs to be advertised over the tunnel. By proper configuration on the nAR, the router advertisement can be sent over the tunnel interface to trigger the proactive binding update. The mobile node also needs to make the tunnel interface the active interface, so that it can send the binding update using this interface as soon as it receives the router advertisement.
因此,当对应节点距离通信移动节点太远时,这种主动绑定更新方案看起来更有吸引力。类似地,在移动IPv6的情况下,移动节点将新获取的CoA作为绑定更新从目标网络发送到HA和CN。此外,MN和HA之间以及MN和CN之间的所有信令消息都通过此设置的主动隧道传递。这些消息包括绑定更新(BU);具有约束力的确认书(BA);以及相关的返回路由性消息,如Home Test Init(HoTI)、Home Test(HoT)、Care of Test Init(CoTI)和Care of Test(CoT)。在移动IPv6中,由于移动节点必须接收链路上路由器公告才能检测移动并触发绑定更新,因此需要通过隧道公告来自下一个接入路由器的路由器公告。通过nAR上的适当配置,可以通过隧道接口发送路由器公告,以触发主动绑定更新。移动节点还需要将隧道接口设置为活动接口,以便在接收到路由器公告后立即使用该接口发送绑定更新。
If the proactive handover tunnel is realized as an IPsec tunnel, it will also protect these signaling messages between the tunnel end-points and will make the return routability test secured as well. Any subsequent data will also be tunneled through, as long as the mobile node is in the previous network. The accompanying document [MPA-WIRELESS] talks about the details of how binding updates and signaling for return routability are sent over the secured tunnel.
如果主动切换隧道实现为IPsec隧道,它还将保护隧道端点之间的这些信令消息,并使返回路由性测试也安全。只要移动节点位于前一个网络中,任何后续数据也将通过隧道传输。随附文档[MPA-WIRELESS]详细介绍了如何通过安全隧道发送绑定更新和返回路由性信令。
In the MPA case, packet loss due to IP address acquisition, secured authentication, and binding update does not occur. However, transient packets during link-layer handover can be lost. Possible scenarios of packet loss and its prevention are described below.
在MPA情况下,不会发生由于IP地址获取、安全身份验证和绑定更新而导致的数据包丢失。然而,链路层切换期间的瞬态数据包可能会丢失。包丢失及其预防的可能场景如下所述。
For single-interface MPA, there may be some transient packets during link-layer handover that are directed to the mobile node at the old point of attachment before the mobile node is able to attach to the target network. Those transient packets can be lost. Buffering these packets at the access router of the old point of attachment can eliminate packet loss. Dynamic buffering signals from the MN can temporarily hold transient traffic during handover, and then these packets can be forwarded to the MN once it attaches to the target network. A detailed analysis of the buffering technique can be found in [PIMRC06].
对于单接口MPA,在链路层切换期间,在移动节点能够连接到目标网络之前,可能存在一些在旧连接点处定向到移动节点的瞬态分组。这些瞬态数据包可能会丢失。在旧连接点的接入路由器处缓冲这些数据包可以消除数据包丢失。来自MN的动态缓冲信号可以在切换期间暂时保持瞬时业务,然后一旦MN连接到目标网络,这些分组就可以被转发到MN。缓冲技术的详细分析见[PIMRC06]。
An alternative method is to use bicasting. Bicasting helps to forward the traffic to two destinations at the same time. However, it does not eliminate packet loss if link-layer handover is not seamlessly performed. On the other hand, buffering does not reduce packet delay. While packet delay can be compensated by a playout buffer at the receiver side for a streaming application, a playout buffer does not help much for interactive VoIP applications that cannot tolerate large delay jitters. Thus, it is still important to optimize the link-layer handover anyway.
另一种方法是使用双播。双向广播有助于将流量同时转发到两个目的地。然而,如果链路层切换没有无缝执行,则不能消除分组丢失。另一方面,缓冲并不能减少数据包延迟。虽然对于流应用程序,数据包延迟可以通过接收端的播放缓冲区来补偿,但播放缓冲区对于不能容忍大延迟抖动的交互式VoIP应用程序没有多大帮助。因此,优化链路层切换仍然很重要。
MPA usage in multi-interface handover scenarios involves preparing the second interface for use via the current active interface. This preparation involves pre-authentication and provisioning at a target network where the second interface would be the eventual active interface. For example, during inter-technology handover from a WiFi to a CDMA network, pre-authentication at the CDMA network can be performed via the WiFi interface. The actual handover occurs when the CDMA interface becomes the active interface for the MN.
MPA在多接口切换场景中的使用涉及准备第二个接口以通过当前活动接口使用。此准备工作涉及在目标网络上进行预认证和资源调配,其中第二个接口将是最终的活动接口。例如,在从WiFi到CDMA网络的技术间切换期间,可以通过WiFi接口在CDMA网络处执行预认证。当CDMA接口成为MN的活动接口时,实际切换发生。
In such scenarios, if handover occurs while both interfaces are active, there is generally no packet loss, since transient packets directed towards the old interface will still reach the MN. However, if sudden disconnection of the current active interface is used to initiate handover to the prepared interface, then transient packets for the disconnected interface will be lost while the MN attempts to be reachable at the prepared interface. In such cases, a specialized
在这种情况下,如果在两个接口都处于活动状态时发生切换,则通常不会出现分组丢失,因为指向旧接口的瞬态分组仍将到达MN。然而,如果使用当前活动接口的突然断开来发起到准备好的接口的切换,则当MN试图在准备好的接口处可到达时,断开的接口的瞬态分组将丢失。在这种情况下,一个专门的
form of buffering can be used to eliminate packet loss where packets are merely copied at an access router in the current active network prior to disconnection. If sudden disconnection does occur, copied packets can be forwarded to the MN once the prepared interface becomes the active reachable interface. The copy-and-forward mechanism is not limited to multi-interface handover.
缓冲的形式可用于消除数据包丢失,其中数据包仅在断开连接之前在当前活动网络中的接入路由器处复制。如果突然断开连接,一旦准备好的接口成为活动的可访问接口,复制的数据包就可以转发到MN。复制转发机制不限于多接口切换。
A notable side-effect of this process is the possible duplication of packets during forwarding to the new active interface. Several approaches can be employed to minimize this effect. Relying on upper-layer protocols such as TCP to detect and eliminate duplicates is the most common approach. Customized duplicate detection and handling techniques can also be used. In general, packet duplication is a well-known issue that can also be handled locally by the MN.
此过程的一个显著副作用是,在转发到新的活动接口期间,数据包可能会重复。可以采用几种方法来最小化这种影响。依靠上层协议(如TCP)来检测和消除重复是最常见的方法。还可以使用定制的重复检测和处理技术。一般来说,包复制是一个众所周知的问题,MN也可以在本地处理。
If the mobile node takes a longer amount of time to detect the disconnection event of the current active interface, this can also have an adverse effect on the length of the handover process. Thus, it becomes necessary to use an optimized scheme of detecting interface disconnection in such scenarios. Use of the current interface to perform pre-authentication instead of the new interface is desirable in certain circumstances, such as to save battery power, or in cases where the adjacent cells (e.g., WiFi or CDMA) are non-overlapping, or in cases when the carrier does not allow the simultaneous use of both interfaces. However, in certain circumstances, depending upon the type of target network, only parts of MPA operations can be performed (e.g., pre-authentication, pre-configuration, or proactive binding update). In a specific scenario involving handoff between WiFi and CDMA networks, some of the PPP context can be set up during the pre-authentication period, thus reducing the time for PPP activation.
如果移动节点花费更长的时间来检测当前活动接口的断开事件,这也会对切换过程的长度产生不利影响。因此,有必要在这种情况下使用检测接口断开的优化方案。在某些情况下,例如为了节省电池电量,或者在相邻小区(例如WiFi或CDMA)不重叠的情况下,或者在运营商不允许同时使用两个接口的情况下,希望使用当前接口来执行预认证而不是新接口。但是,在某些情况下,根据目标网络的类型,只能执行MPA操作的一部分(例如,预认证、预配置或主动绑定更新)。在涉及WiFi和CDMA网络之间切换的特定场景中,可以在预认证期间设置一些PPP上下文,从而缩短PPP激活的时间。
In addition to previous techniques, the MN may also want to ensure reachability of the new point of attachment before switching from the old one. This can be done by exchanging link-layer management frames with the new point of attachment. This reachability check should be performed as quickly as possible. In order to prevent packet loss during this reachability check, transmission of packets over the link between the MN and the old point of attachment should be suspended by buffering the packets at both ends of the link during the reachability check. How to perform this buffering is out of scope of this document. Some of the results of using this buffering scheme are explained in the accompanying document [MPA-WIRELESS].
除了先前的技术之外,MN还可能希望在从旧连接点切换之前确保新连接点的可达性。这可以通过将链路层管理框架与新的连接点交换来实现。应尽快执行此可达性检查。为了防止在该可达性检查期间的分组丢失,应当通过在可达性检查期间缓冲链路两端的分组来暂停在MN和旧连接点之间的链路上的分组传输。如何执行此缓冲超出了本文档的范围。随附文件[MPA-WIRELESS]中解释了使用该缓冲方案的一些结果。
This section describes how MPA can help establish layer 2 and layer 3 security association in the target networks while the mobile node is in the previous network.
本节描述当移动节点位于前一个网络中时,MPA如何帮助在目标网络中建立第2层和第3层安全关联。
Using the MPA-SA established between the mobile node and the authentication agent for a CTN, during the pre-authentication phase, it is possible to bootstrap link-layer security in the CTN while the mobile node is in the current network, as described in the following steps. Figure 5 shows the sequence of operation.
使用在移动节点和CTN的认证代理之间建立的MPA-SA,在预认证阶段期间,可以在移动节点处于当前网络中时引导CTN中的链路层安全性,如以下步骤中所述。图5显示了操作的顺序。
(1) The authentication agent and the mobile node derive a PMK (Pair-wise Master Key) [RFC5247] using the MPA-SA that is established as a result of successful pre-authentication. Successful operation of EAP and a AAA protocol may be involved during pre-authentication to establish the MPA-SA. From the PMK, distinct TSKs (Transient Session Keys) [RFC5247] for the mobile node are directly or indirectly derived for each point of attachment of the CTN.
(1) 认证代理和移动节点使用作为成功预认证的结果而建立的MPA-SA导出PMK(成对主密钥)[RFC5247]。在建立MPA-SA的预认证过程中,可能涉及EAP和AAA协议的成功运行。从PMK,针对CTN的每个连接点直接或间接地导出移动节点的不同tsk(瞬时会话密钥)[RFC5247]。
(2) The authentication agent may install the keys derived from the PMK and used for secure association to points of attachment. The derived keys may be TSKs or intermediary keys from which TSKs are derived.
(2) 认证代理可以安装从PMK派生并用于与连接点安全关联的密钥。派生密钥可以是tsk或派生tsk的中间密钥。
(3) After the mobile node chooses a CTN as the target network and switches to a point of attachment in the target network (which now becomes the new network for the mobile node), it executes a secure association protocol such as the IEEE 802.11i 4-way handshake [802.11], using the PMK in order to establish PTKs (Pair-wise Transient Keys) and group keys [RFC5247] used for protecting link-layer packets between the mobile node and the point of attachment. No additional execution of EAP authentication is needed here.
(3) 在移动节点选择CTN作为目标网络并切换到目标网络(现在成为移动节点的新网络)中的连接点后,它使用PMK执行安全关联协议,例如IEEE 802.11i 4路握手[802.11],以建立PTK(成对瞬态密钥)以及用于保护移动节点和连接点之间的链路层分组的组密钥[RFC5247]。此处不需要额外执行EAP身份验证。
(4) While the mobile node is roaming in the new network, the mobile node only needs to perform a secure association protocol with its point of attachment, and no additional execution of EAP authentication is needed either. Integration of MPA with link-layer handover optimization mechanisms such as 802.11r can be archived this way.
(4) 当移动节点在新网络中漫游时,移动节点只需要执行与其连接点的安全关联协议,并且也不需要额外执行EAP认证。MPA与链路层切换优化机制(如802.11r)的集成可以通过这种方式存档。
The mobile node may need to know the link-layer identities of the points of attachment in the CTN to derive TSKs.
移动节点可能需要知道CTN中的连接点的链路层标识以导出tsk。
_________________ ____________________________
| Current Network | | CTN |
| ____ | | ____ |
| | | (1) pre-authentication | | |
| | MN |<------------------------------->| AA | |
| |____| | | |____| |
| . | | | |
| . | | | |
|____.____________| | | |
.movement | |(2) Keys |
____.___________________| | |
| _v__ _____ | |
| | |(3) secure assoc. | | | |
| | MN |<------------------>| AP1 |<-------+ |
| |____| |_____| | |
| . | |
| .movement | |
| . | |
| . | |
| _v__ _____ | |
| | |(4) secure assoc. | | | |
| | MN |<------------------>| AP2 |<-------+ |
| |____| |_____| |
|_____________________________________________________|
_________________ ____________________________
| Current Network | | CTN |
| ____ | | ____ |
| | | (1) pre-authentication | | |
| | MN |<------------------------------->| AA | |
| |____| | | |____| |
| . | | | |
| . | | | |
|____.____________| | | |
.movement | |(2) Keys |
____.___________________| | |
| _v__ _____ | |
| | |(3) secure assoc. | | | |
| | MN |<------------------>| AP1 |<-------+ |
| |____| |_____| | |
| . | |
| .movement | |
| . | |
| . | |
| _v__ _____ | |
| | |(4) secure assoc. | | | |
| | MN |<------------------>| AP2 |<-------+ |
| |____| |_____| |
|_____________________________________________________|
Figure 5: Bootstrapping Link-Layer Security
图5:引导链接层安全性
IP-layer security is typically maintained between the mobile node and the first-hop router, or any other network element such as SIP proxy by means of IPsec. This IPsec SA can be set up either in tunnel mode or in ESP mode. However, as the mobile node moves, the IP address of the router and outbound proxy will change in the new network. The mobile node's IP address may or may not change, depending upon the mobility protocol being used. This will warrant re-establishing a new security association between the mobile node and the desired network entity. In some cases, such as in a 3GPP/3GPP2 IMS/MMD environment, data traffic is not allowed to pass through unless there is an IPsec SA established between the mobile node and outbound proxy. This will of course add unreasonable delay to the existing real-time communication during a mobile node's movement. In this scenario, key exchange is done as part of a SIP registration that follows a key exchange procedure called AKA (Authentication and Key Agreement).
IP层安全性通常通过IPsec在移动节点和第一跳路由器或任何其他网络元素(例如SIP代理)之间维护。可以在隧道模式或ESP模式下设置此IPsec SA。然而,随着移动节点的移动,路由器和出站代理的IP地址将在新网络中发生变化。移动节点的IP地址可以改变,也可以不改变,这取决于所使用的移动协议。这将保证在移动节点和所需网络实体之间重新建立新的安全关联。在某些情况下,例如在3GPP/3GPP2 IMS/MMD环境中,除非在移动节点和出站代理之间建立了IPsec SA,否则不允许数据通信通过。这当然会在移动节点的移动期间给现有的实时通信增加不合理的延迟。在这个场景中,密钥交换作为SIP注册的一部分进行,该注册遵循一个称为AKA(身份验证和密钥协议)的密钥交换过程。
MPA can be used to bootstrap this security association as part of pre-authentication via the new outbound proxy. Prior to the movement, if the mobile node can pre-register via the new outbound proxy in the target network and completes the pre-authentication procedure, then the new SA state between the mobile node and new outbound proxy can be established prior to the movement to the new network. A similar approach can also be applied if a key exchange mechanism other than AKA is used or the network element with which the security association has to be established is different than an outbound proxy.
MPA可用于引导此安全关联,作为通过新出站代理进行预身份验证的一部分。在移动之前,如果移动节点可以通过目标网络中的新出站代理预注册并完成预认证过程,则可以在移动到新网络之前建立移动节点和新出站代理之间的新SA状态。如果使用除AKA以外的密钥交换机制,或者必须与之建立安全关联的网元不同于出站代理,则也可以应用类似的方法。
By having the security association established ahead of time, the mobile node does not need to be involved in any exchange to set up the new security association after the movement. Any further key exchange will be limited to renew the expiry time. This will reduce the delay for real-time communication as well.
通过提前建立安全关联,移动节点不需要参与任何交换来在移动后建立新的安全关联。任何进一步的密钥交换将仅限于延长到期时间。这也将减少实时通信的延迟。
When the mobile node initially attaches to a network, network access authentication would occur regardless of the use of MPA. The protocol used for network access authentication when MPA is used for handover optimization can be a link-layer network access authentication protocol such as IEEE 802.1X, or a higher-layer network access authentication protocol such as PANA.
当移动节点最初连接到网络时,无论使用MPA,都将发生网络接入认证。当MPA用于切换优化时,用于网络接入认证的协议可以是链路层网络接入认证协议(如IEEE 802.1X)或更高层网络接入认证协议(如PANA)。
This document describes a framework for a secure handover optimization mechanism based on performing handover-related signaling between a mobile node and one or more candidate target networks to which the mobile node may move in the future. This framework involves acquisition of the resources from the CTN as well as data packet redirection from the CTN to the mobile node in the current network before the mobile node physically connects to one of those CTNs.
本文档描述了基于在移动节点和移动节点将来可能移动到的一个或多个候选目标网络之间执行切换相关信令的安全切换优化机制的框架。该框架涉及从CTN获取资源以及在移动节点物理连接到其中一个CTN之前从CTN到当前网络中的移动节点的数据分组重定向。
Acquisition of the resources from the candidate target networks must be done with appropriate authentication and authorization procedures in order to prevent an unauthorized mobile node from obtaining the resources. For this reason, it is important for the MPA framework to perform pre-authentication between the mobile node and the candidate target networks. The MN-CA key and the MN-AR key generated as a result of successful pre-authentication can protect subsequent handover signaling packets and data packets exchanged between the mobile node and the MPA functional elements in the CTNs.
必须通过适当的身份验证和授权程序从候选目标网络获取资源,以防止未经授权的移动节点获取资源。因此,MPA框架必须在移动节点和候选目标网络之间执行预认证。由于成功的预认证而生成的MN-CA密钥和MN-AR密钥可以保护随后的切换信令分组和在移动节点和ctn中的MPA功能元件之间交换的数据分组。
The MPA framework also addresses security issues when the handover is performed across multiple administrative domains. With MPA, it is possible for handover signaling to be performed based on direct communication between the mobile node and routers or mobility agents in the candidate target networks. This eliminates the need for a context transfer protocol [RFC5247] for which known limitations exist in terms of security and authorization. For this reason, the MPA framework does not require trust relationships among administrative domains or access routers, which makes the framework more deployable in the Internet without compromising the security in mobile environments.
MPA框架还解决了跨多个管理域执行切换时的安全问题。利用MPA,可以基于移动节点与候选目标网络中的路由器或移动代理之间的直接通信来执行切换信令。这消除了对上下文传输协议[RFC5247]的需要,对于该协议,在安全性和授权方面存在已知的限制。因此,MPA框架不需要管理域或访问路由器之间的信任关系,这使得该框架在不损害移动环境中的安全性的情况下更易于在Internet上部署。
We would like to thank Farooq Anjum and Raziq Yaqub for their review of this document, and Subir Das for standardization support in the IEEE 802.21 working group.
我们要感谢Farooq Anjum和Raziq Yaqub对本文件的审查,感谢Subir Das在IEEE 802.21工作组中对标准化的支持。
The authors would like to acknowledge Christian Vogt, Rajeev Koodli, Marco Liebsch, Juergen Schoenwaelder, and Charles Perkins for their thorough review of the document and useful feedback.
作者要感谢Christian Vogt、Rajeev Koodli、Marco Liebsch、Juergen Schoenwaeld和Charles Perkins对文件的全面审查和有用的反馈。
Author and Editor Ashutosh Dutta would like to thank Telcordia Technologies, and author Victor Fajardo would like to thank Toshiba America Research and Telcordia Technologies, for supporting the development of their document while they were employed in their respective organizations.
作者兼编辑Ashutosh Dutta要感谢Telcordia Technologies,作者Victor Fajardo要感谢东芝美国研究公司和Telcordia Technologies,感谢他们在各自的组织中工作时支持其文档的开发。
[RFC5944] Perkins, C., Ed., "IP Mobility Support for IPv4, Revised", RFC 5944, November 2010.
[RFC5944]Perkins,C.,Ed.,“IPv4的IP移动支持,修订版”,RFC 59442010年11月。
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, Ed., "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004.
[RFC3748]Aboba,B.,Blunk,L.,Vollbrecht,J.,Carlson,J.,和H.Levkowetz,Ed.,“可扩展认证协议(EAP)”,RFC 3748,2004年6月。
[RFC3775] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004.
[RFC3775]Johnson,D.,Perkins,C.,和J.Arkko,“IPv6中的移动支持”,RFC 37752004年6月。
[RFC2205] Braden, R., Ed., Zhang, L., Berson, S., Herzog, S., and S. Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Functional Specification", RFC 2205, September 1997.
[RFC2205]Braden,R.,Ed.,Zhang,L.,Berson,S.,Herzog,S.,和S.Jamin,“资源预留协议(RSVP)——版本1功能规范”,RFC 22052997年9月。
[RFC5380] Soliman, H., Castelluccia, C., El Malki, K., and L. Bellier, "Hierarchical Mobile IPv6 (HMIPv6) Mobility Management", RFC 5380, October 2008.
[RFC5380]Soliman,H.,Castelluccia,C.,El Malki,K.,和L.Bellier,“分层移动IPv6(HMIPv6)移动性管理”,RFC 53802008年10月。
[RFC5568] Koodli, R., Ed., "Mobile IPv6 Fast Handovers", RFC 5568, July 2009.
[RFC5568]Koodli,R.,Ed.,“移动IPv6快速切换”,RFC 5568,2009年7月。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC4555] Eronen, P., "IKEv2 Mobility and Multihoming Protocol (MOBIKE)", RFC 4555, June 2006.
[RFC4555]Eronen,P.,“IKEv2移动和多址协议(MOBIKE)”,RFC4555,2006年6月。
[RFC4881] El Malki, K., Ed., "Low-Latency Handoffs in Mobile IPv4", RFC 4881, June 2007.
[RFC4881]El Malki,K.,编辑,“移动IPv4中的低延迟切换”,RFC 4881,2007年6月。
[RFC4066] Liebsch, M., Ed., Singh, A., Ed., Chaskar, H., Funato, D., and E. Shim, "Candidate Access Router Discovery (CARD)", RFC 4066, July 2005.
[RFC4066]Liebsch,M.,Ed.,Singh,A.,Ed.,Chaskar,H.,Funato,D.,和E.Shim,“候选接入路由器发现(卡)”,RFC 4066,2005年7月。
[RFC4067] Loughney, J., Nakhjiri, M., Perkins, C., and R. Koodli, "Context Transfer Protocol (CXTP)", RFC 4067, July 2005.
[RFC4067]Loughney,J.,Nakhjiri,M.,Perkins,C.,和R.Koodli,“上下文传输协议(CXTP)”,RFC 4067,2005年7月。
[RFC5247] Aboba, B., Simon, D., and P. Eronen, "Extensible Authentication Protocol (EAP) Key Management Framework", RFC 5247, August 2008.
[RFC5247]Aboba,B.,Simon,D.,和P.Eronen,“可扩展认证协议(EAP)密钥管理框架”,RFC 5247,2008年8月。
[RFC5191] Forsberg, D., Ohba, Y., Ed., Patil, B., Tschofenig, H., and A. Yegin, "Protocol for Carrying Authentication for Network Access (PANA)", RFC 5191, May 2008.
[RFC5191]Forsberg,D.,Ohba,Y.,Ed.,Patil,B.,Tschofenig,H.,和A.Yegin,“承载网络接入认证(PANA)的协议”,RFC 51912008年5月。
[RG98] ITU-T, "General Characteristics of International Telephone Connections and International Telephone Circuits: One-Way Transmission Time", ITU-T Recommendation G.114, 1998.
[RG98]ITU-T,“国际电话连接和国际电话电路的一般特征:单向传输时间”,ITU-T建议G.114,1998年。
[ITU98] ITU-T, "The E-Model, a computational model for use in transmission planning", ITU-T Recommendation G.107, 1998.
[ITU98]ITU-T,“E模型,用于传输规划的计算模型”,ITU-T建议G.107,1998年。
[ETSI] ETSI, "Telecommunications and Internet Protocol Harmonization Over Networks (TIPHON) Release 3; End-to-end Quality of Service in TIPHON systems; Part 1: General aspects of Quality of Service (QoS)", ETSI TR 101 329-1 V3.1.2, 2002.
[ETSI]ETSI,“网络上的电信和互联网协议协调(TIPHON)第3版;TIPHON系统中的端到端服务质量;第1部分:服务质量(QoS)的一般方面”,ETSI TR 101 329-1 V3.1.22002。
[RFC5201] Moskowitz, R., Nikander, P., Jokela, P., Ed., and T. Henderson, "Host Identity Protocol", RFC 5201, April 2008.
[RFC5201]Moskowitz,R.,Nikander,P.,Jokela,P.,Ed.,和T.Henderson,“主机身份协议”,RFC 52012008年4月。
[RFC2679] Almes, G., Kalidindi, S., and M. Zekauskas, "A One-way Delay Metric for IPPM", RFC 2679, September 1999.
[RFC2679]Almes,G.,Kalidini,S.,和M.Zekauskas,“IPPM的单向延迟度量”,RFC 2679,1999年9月。
[RFC2680] Almes, G., Kalidindi, S., and M. Zekauskas, "A One-way Packet Loss Metric for IPPM", RFC 2680, September 1999.
[RFC2680]Almes,G.,Kalidini,S.,和M.Zekauskas,“IPPM的单向数据包丢失度量”,RFC 2680,1999年9月。
[RFC2681] Almes, G., Kalidindi, S., and M. Zekauskas, "A Round-trip Delay Metric for IPPM", RFC 2681, September 1999.
[RFC2681]Almes,G.,Kalidini,S.,和M.Zekauskas,“IPPM的往返延迟度量”,RFC 2681,1999年9月。
[RFC2003] Perkins, C., "IP Encapsulation within IP", RFC 2003, October 1996.
[RFC2003]Perkins,C.,“IP内的IP封装”,RFC 2003,1996年10月。
[RFC2608] Guttman, E., Perkins, C., Veizades, J., and M. Day, "Service Location Protocol, Version 2", RFC 2608, June 1999.
[RFC2608]Guttman,E.,Perkins,C.,Veizades,J.,和M.Day,“服务位置协议,版本2”,RFC 26081999年6月。
[RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6 Specification", RFC 2473, December 1998.
[RFC2473]Conta,A.和S.Deering,“IPv6规范中的通用数据包隧道”,RFC 2473,1998年12月。
[RFC3046] Patrick, M., "DHCP Relay Agent Information Option", RFC 3046, January 2001.
[RFC3046]Patrick,M.,“DHCP中继代理信息选项”,RFC3046,2001年1月。
[RFC4039] Park, S., Kim, P., and B. Volz, "Rapid Commit Option for the Dynamic Host Configuration Protocol version 4 (DHCPv4)", RFC 4039, March 2005.
[RFC4039]Park,S.,Kim,P.,和B.Volz,“动态主机配置协议版本4(DHCPv4)的快速提交选项”,RFC 4039,2005年3月。
[RFC5172] Varada, S., Ed., "Negotiation for IPv6 Datagram Compression Using IPv6 Control Protocol", RFC 5172, March 2008.
[RFC5172]Varada,S.,Ed.,“使用IPv6控制协议进行IPv6数据报压缩的协商”,RFC 5172,2008年3月。
[RFC5648] Wakikawa, R., Ed., Devarapalli, V., Tsirtsis, G., Ernst, T., and K. Nagami, "Multiple Care-of Addresses Registration", RFC 5648, October 2009.
[RFC5648]Wakikawa,R.,Ed.,Devarapalli,V.,Tsirtsis,G.,Ernst,T.,和K.Nagami,“多重托管地址注册”,RFC 5648,2009年10月。
[RFC4429] Moore, N., "Optimistic Duplicate Address Detection (DAD) for IPv6", RFC 4429, April 2006.
[RFC4429]Moore,N.,“IPv6的乐观重复地址检测(DAD)”,RFC4429,2006年4月。
[RFC5836] Ohba, Y., Ed., Wu, Q., Ed., and G. Zorn, Ed., "Extensible Authentication Protocol (EAP) Early Authentication Problem Statement", RFC 5836, April 2010.
[RFC5836]Ohba,Y.,Ed.,Wu,Q.,Ed.,和G.Zorn,Ed.,“可扩展认证协议(EAP)早期认证问题声明”,RFC 58362010年4月。
[RFC5213] Gundavelli, S., Ed., Leung, K., Devarapalli, V., Chowdhury, K., and B. Patil, "Proxy Mobile IPv6", RFC 5213, August 2008.
[RFC5213]Gundavelli,S.,Ed.,Leung,K.,Devarapalli,V.,Chowdhury,K.,和B.Patil,“代理移动IPv6”,RFC 5213,2008年8月。
[RFC5974] Manner, J., Karagiannis, G., and A. McDonald, "NSIS Signaling Layer Protocol (NSLP) for Quality-of-Service Signaling", RFC 5974, October 2010.
[RFC5974]Way,J.,Karagiannis,G.,和A.McDonald,“用于服务质量信令的NSIS信令层协议(NSLP)”,RFC 5974,2010年10月。
[RFC5169] Clancy, T., Nakhjiri, M., Narayanan, V., and L. Dondeti, "Handover Key Management and Re-Authentication Problem Statement", RFC 5169, March 2008.
[RFC5169]Clancy,T.,Nakhjiri,M.,Narayanan,V.,和L.Dondeti,“移交密钥管理和重新认证问题声明”,RFC 5169,2008年3月。
[SIPMM] Schulzrinne, H. and E. Wedlund, "Application-Layer Mobility Using SIP", ACM MC2R, July 2000.
[SIPMM]Schulzrinne,H.和E.Wedlund,“使用SIP的应用层移动性”,ACM MC2R,2000年7月。
[CELLIP] Campbell, A., Gomez, J., Kim, S., Valko, A., Wan, C., and Z. Turanyi, "Design, Implementation, and Evaluation of Cellular IP", IEEE Personal Communications, August 2000.
[CELLIP]Campbell,A.,Gomez,J.,Kim,S.,Valko,A.,Wan,C.,和Z.Turanyi,“蜂窝式IP的设计、实施和评估”,IEEE个人通信,2000年8月。
[MOBIQUIT07] Lopez, R., Dutta, A., Ohba, Y., Schulzrinne, H., and A. Skarmeta, "Network-layer assisted mechanism to optimize authentication delay during handoff in 802.11 networks", IEEE Mobiquitous, June 2007.
[MOBIQUIT07]Lopez,R.,Dutta,A.,Ohba,Y.,Schulzrinne,H.,和A.Skarmeta,“802.11网络切换期间优化认证延迟的网络层辅助机制”,IEEE Mobiquitous,2007年6月。
[MISHRA04] Mishra, A., Shin, M., Petroni, N., Clancy, T., and W. Arbaugh, "Proactive key distribution using neighbor graphs", IEEE Wireless Communications Magazine, February 2004.
[MISHRA04]Mishra,A.,Shin,M.,Petroni,N.,Clancy,T.,和W.Arbaugh,“使用邻居图的主动密钥分配”,IEEE无线通信杂志,2004年2月。
[SPRINGER07] Dutta, A., Das, S., Famolari, D., Ohba, Y., Taniuchi, K., Fajardo, V., Lopez, R., Kodama, T., Schulzrinne, H., and A. Skarmeta, "Seamless proactive handover across heterogeneous access networks", Wireless Personal Communications, November 2007.
[SPRINGER07]Dutta,A.,Das,S.,Famolari,D.,Ohba,Y.,Taniuchi,K.,Fajardo,V.,Lopez,R.,Kodama,T.,Schulzrinne,H.,和A.Skarmeta,“跨异构接入网络的无缝主动切换”,无线个人通信,2007年11月。
[HAWAII] Ramjee, R., La Porta, T., Thuel, S., Varadhan, K., and S. Wang, "HAWAII: A Domain-based Approach for Supporting Mobility in Wide-area Wireless networks", International Conference on Network Protocols ICNP'99.
[夏威夷]Ramjee,R.,La Porta,T.,Thuel,S.,Varadhan,K.,和S.Wang,“夏威夷:支持广域无线网络移动性的基于域的方法”,网络协议国际会议ICNP'99。
[IDMP] Das, S., McAuley, A., Dutta, A., Misra, A., Chakraborty, K., and S. Das, "IDMP: An Intra-Domain Mobility Management Protocol for Next Generation Wireless Networks", IEEE Wireless Communications Magazine, October 2000.
[IDMP]Das,S.,McAuley,A.,Dutta,A.,Misra,A.,Chakraborty,K.,和S.Das,“IDMP:下一代无线网络的域内移动性管理协议”,IEEE无线通信杂志,2000年10月。
[MOBIP-REG] Gustafsson, E., Jonsson, A., and C. Perkins, "Mobile IPv4 Regional Registration", Work in Progress, June 2004.
[MOBIP-REG]Gustafsson,E.,Jonsson,A.,和C.Perkins,“移动IPv4区域注册”,正在进行的工作,2004年6月。
[YOKOTA] Yokota, H., Idoue, A., Hasegawa, T., and T. Kato, "Link Layer Assisted Mobile IP Fast Handoff Method over Wireless LAN Networks", Proceedings of ACM MobiCom02, 2002.
[横田]横田,H.,Idoue,A.,长谷川,T.,和T.加藤,“无线LAN网络上的链路层辅助移动IP快速切换方法”,ACM MobiCom02,2002年论文集。
[MACD] Shin, S., Forte, A., Rawat, A., and H. Schulzrinne, "Reducing MAC Layer Handoff Latency in IEEE 802.11 Wireless LANs", MobiWac Workshop, 2004.
[MACD]Shin,S.,Forte,A.,Rawat,A.,和H.Schulzrinne,“减少IEEE 802.11无线局域网中的MAC层切换延迟”,MobiWac研讨会,2004年。
[SUM] Dutta, A., Zhang, T., Madhani, S., Taniuchi, K., Fujimoto, K., Katsube, Y., Ohba, Y., and H. Schulzrinne, "Secured Universal Mobility for Wireless Internet", WMASH'04, October 2004.
[SUM]Dutta,A.,Zhang,T.,Madhani,S.,Taniuchi,K.,Fujimoto,K.,Katsube,Y.,Ohba,Y.,和H.Schulzrinne,“无线互联网的安全通用移动”,WMASH'04,2004年10月。
[SIPFAST] Dutta, A., Madhani, S., Chen, W., Altintas, O., and H. Schulzrinne, "Fast-handoff Schemes for Application Layer Mobility Management", PIMRC 2004.
[SIPFAST]Dutta,A.,Madhani,S.,Chen,W.,Altintas,O.,和H.Schulzrinne,“应用层移动性管理的快速切换方案”,PIMRC 2004。
[PIMRC06] Dutta, A., Berg, E., Famolari, D., Fajardo, V., Ohba, Y., Taniuchi, K., Kodama, T., and H. Schulzrinne, "Dynamic Buffering Control Scheme for Mobile Handoff", Proceedings of PIMRC 2006, 1-11.
[PIMRC06]Dutta,A.,Berg,E.,Famolari,D.,Fajardo,V.,Ohba,Y.,Taniuchi,K.,Kodama,T.,和H.Schulzrinne,“移动切换的动态缓冲控制方案”,PIMRC会议录,2006,1-11。
[MITH] Gwon, Y., Fu, G., and R. Jain, "Fast Handoffs in Wireless LAN Networks using Mobile initiated Tunneling Handoff Protocol for IPv4 (MITHv4)", Wireless Communications and Networking 2003, January 2005.
[MITH]Gwon,Y.,Fu,G.,和R.Jain,“使用移动发起的IPv4隧道切换协议(MITHv4)的无线LAN网络中的快速切换”,无线通信和网络2003,2005年1月。
[WENYU] Jiang, W. and H. Schulzrinne, "Modeling of Packet Loss and Delay and their Effect on Real-Time Multimedia Service Quality", NOSSDAV 2000, June 2000.
[WENYU]Jiang,W.和H.Schulzrinne,“分组丢失和延迟的建模及其对实时多媒体服务质量的影响”,NOSSDAV 2000,2000年6月。
[802.21] "IEEE Standard for Local and Metropolitan Area Networks: Media Independent Handover Services, IEEE 802.21-2008", a contribution to IEEE 802.21 WG, January 2009.
[802.21]“局域网和城域网IEEE标准:媒体独立切换服务,IEEE 802.21-2008”,对IEEE 802.21工作组的贡献,2009年1月。
[802.11] "IEEE Wireless LAN Edition A compilation based on IEEE Std 802.11-1999(R2003)", Institute of Electrical and Electronics Engineers, September 2003.
[802.11]“基于IEEE标准802.11-1999(R2003)的IEEE无线局域网版本汇编”,电气和电子工程师协会,2003年9月。
[GPSIP] Dutta, A., Madhani, S., Chen, W., Altintas, O., and H. Schulzrinne, "GPS-IP based fast-handoff approaches for Mobiles", IEEE Sarnoff Symposium 2006.
[GPSIP]Dutta,A.,Madhani,S.,Chen,W.,Altintas,O.,和H.Schulzrinne,“基于GPS-IP的移动设备快速切换方法”,2006年IEEE Sarnoff研讨会。
[MAGUIRE] Vatn, J. and G. Maguire, "The effect of using co-located care-of addresses on macro handover latency", 14th Nordic Teletraffic Seminar 1998.
[MAGUIRE]Vatn,J.和G.MAGUIRE,“使用同一位置的转交地址对宏切换延迟的影响”,1998年第14届北欧电信业务研讨会。
[MPA-MOBIKE] El Mghazli, Y., Bournelle, J., and J. Laganier, "MPA using IKEv2 and MOBIKE", Work in Progress, June 2006.
[MPA-MOBIKE]El Mghazli,Y.,Bournelle,J.,和J.Laganier,“MPA使用IKEv2和MOBIKE”,正在进行的工作,2006年6月。
[MPA-WIRELESS] Dutta, A., Famolari, D., Das, S., Ohba, Y., Fajardo, V., Taniuchi, K., Lopez, R., and H. Schulzrinne, "Media- Independent Pre-authentication Supporting Secure Interdomain Handover Optimization", IEEE Wireless Communications Magazine, April 2008.
[MPA-WIRELESS]Dutta,A.,Famolari,D.,Das,S.,Ohba,Y.,Fajardo,V.,Taniuchi,K.,Lopez,R.,和H.Schulzrinne,“支持安全域间切换优化的媒体独立预认证”,IEEE无线通信杂志,2008年4月。
When the DHCP server dispenses an IP address, it updates its lease table, so that this same address is not given to another client for that specific period of time. At the same time, the client also keeps a lease table locally so that it can renew when needed. In some cases where a network consists of both DHCP and non-DHCP-enabled clients, there is a probability that another client in the LAN may have been configured with an IP address from the DHCP address pool. In such a scenario, the server detects a duplicate address based on ARP (Address Resolution Protocol) or IPv6 Neighbor Discovery before assigning the IP address. This detection procedure may take from 4 sec to 15 sec [MAGUIRE] and will thus contribute to a larger handover delay. In the case of a proactive IP address acquisition process, this detection is performed ahead of time and thus does not affect the handover delay at all. By performing the Duplicate Address Detection (DAD) ahead of time, we reduce the IP address acquisition time.
当DHCP服务器分配IP地址时,它会更新其租约表,以便在该特定时间段内不会将相同的地址提供给另一个客户端。同时,客户机还在本地保留一个租赁表,以便在需要时可以续订。在某些情况下,如果网络由DHCP和未启用DHCP的客户端组成,则LAN中的另一个客户端可能已配置DHCP地址池中的IP地址。在这种情况下,服务器在分配IP地址之前会根据ARP(地址解析协议)或IPv6邻居发现检测到重复地址。此检测过程可能需要4秒到15秒[MAGUIRE],因此将导致更大的切换延迟。在主动IP地址获取处理的情况下,该检测提前执行,因此根本不影响切换延迟。通过提前执行重复地址检测(DAD),我们减少了IP地址获取时间。
The proactive DAD over the candidate target network should be performed by the nAR on behalf of the mobile node at the time of proactive handover tunnel establishment, since DAD over a tunnel is not always performed. For example, in the case of IPv6, DAD over an IP-IP tunnel interface is turned off in an existing implementation. In the case of IPv6 over PPP [RFC5172], the IP Control Protocol (IPCPv6) negotiates the link-local addresses, and hence DAD over the tunnel is not needed. After the mobile node has moved to the target network, a DAD procedure may be started because of reassignment of the nCoA to the physical interface to the target network. In that case, the mobile node should use optimistic DAD [RFC4429] over the physical interface so that the nCoA that was used inside the proactive handover tunnel before handover can be immediately used over that physical interface after handover. The schemes used for the proactive DAD and optimistic DAD are applicable to both stateless and stateful address autoconfiguration schemes used for obtaining a nCoA.
在主动切换隧道建立时,候选目标网络上的主动DAD应由nAR代表移动节点执行,因为并非总是通过隧道执行DAD。例如,在IPv6的情况下,在现有实现中关闭IP-IP隧道接口上的DAD。在IPv6 over PPP[RFC5172]的情况下,IP控制协议(IPCPv6)协商链路本地地址,因此不需要通过隧道进行DAD。在移动节点已经移动到目标网络之后,由于nCoA被重新分配到目标网络的物理接口,因此可以启动DAD过程。在这种情况下,移动节点应该在物理接口上使用乐观DAD[RFC4429],以便在切换之前在主动切换隧道内使用的nCoA可以在切换之后立即在该物理接口上使用。用于主动DAD和乐观DAD的方案适用于用于获取nCoA的无状态和有状态地址自动配置方案。
Address resolution involves updating the next access router's neighbor cache. We briefly describe these two operations below.
地址解析涉及更新下一个访问路由器的邻居缓存。下面我们简要介绍这两种操作。
During the process of pre-configuration, the MAC address resolution mappings needed by the mobile node to communicate with nodes in the target network after attaching to the target network can also be known, where the communicating nodes may be the access router, authentication agent, configuration agent, or Correspondent Node. There are several possible ways of performing such proactive MAC address resolution.
在预配置过程中,还可以知道移动节点在连接到目标网络之后与目标网络中的节点通信所需的MAC地址解析映射,其中通信节点可以是接入路由器、认证代理、配置代理或对应节点。有几种可能的方法来执行这种主动MAC地址解析。
o One can use an information service mechanism [802.21] to resolve the MAC addresses of the nodes. This might require each node in the target network to be involved in the information service so that the server of the information service can construct the database for proactive MAC address resolution.
o 可以使用信息服务机制[802.21]来解析节点的MAC地址。这可能需要目标网络中的每个节点都参与到信息服务中,以便信息服务的服务器可以构建用于主动MAC地址解析的数据库。
o One can extend the authentication protocol used for pre-authentication or the configuration protocol used for pre-configuration to support proactive MAC address resolution. For example, if PANA is used as the authentication protocol for pre-authentication, PANA messages may carry attribute-value pairs (AVPs) used for proactive address resolution. In this case, the PANA authentication agent in the target network may perform address resolution on behalf of the mobile node.
o 可以扩展用于预认证的认证协议或用于预配置的配置协议,以支持主动MAC地址解析。例如,如果PANA用作预认证的认证协议,则PANA消息可能携带用于主动地址解析的属性值对(AVP)。在这种情况下,目标网络中的PANA认证代理可以代表移动节点执行地址解析。
o One can also make use of DNS to map the MAC address of the specific interface associated with a specific IP address of the network element in the target network. One may define a new DNS resource record (RR) to proactively resolve the MAC addresses of the nodes in the target network. But this approach may have its own limitations, since a MAC address is a resource that is bound to an IP address, and not directly to a domain name.
o 还可以利用DNS来映射与目标网络中的网元的特定IP地址相关联的特定接口的MAC地址。可以定义新的DNS资源记录(RR)以主动地解析目标网络中的节点的MAC地址。但这种方法可能有其自身的局限性,因为MAC地址是绑定到IP地址的资源,而不是直接绑定到域名。
When the mobile node attaches to the target network, it installs the proactively obtained address resolution mappings without necessarily performing address resolution queries for the nodes in the target network.
当移动节点连接到目标网络时,它安装主动获取的地址解析映射,而不必对目标网络中的节点执行地址解析查询。
On the other hand, the nodes that reside in the target network and that are communicating with the mobile node should also update their address resolution mappings for the mobile node as soon as the mobile node attaches to the target network. The above proactive address resolution methods could also be used for those nodes to proactively resolve the MAC address of the mobile node before the mobile node attaches to the target network. However, this is not useful, since
另一方面,驻留在目标网络中并且与移动节点通信的节点也应该在移动节点连接到目标网络后立即更新其移动节点的地址解析映射。上述主动地址解析方法还可用于那些节点在移动节点连接到目标网络之前主动解析移动节点的MAC地址。然而,这是没有用的,因为
those nodes need to detect the attachment of the mobile node to the target network before adopting the proactively resolved address resolution mapping. A better approach would be integration of attachment detection and address resolution mapping update. This is based on gratuitously performing address resolution [RFC5944], [RFC3775] in which the mobile node sends an ARP Request or an ARP Reply in the case of IPv4, or a Neighbor Advertisement in the case of IPv6, immediately after the mobile node attaches to the new network, so that the nodes in the target network can quickly update the address resolution mapping for the mobile node.
在采用主动解析的地址解析映射之前,这些节点需要检测移动节点到目标网络的连接。更好的方法是连接检测和地址解析映射更新的集成。这是基于免费执行地址解析[RFC5944]、[RFC3775],其中移动节点在连接到新网络后立即发送ARP请求或ARP回复(对于IPv4),或者发送邻居公告(对于IPv6),因此,目标网络中的节点可以快速更新移动节点的地址解析映射。
In this section, we describe some of the deployment issues related to MPA.
在本节中,我们将描述一些与MPA相关的部署问题。
The ping-pong effect is one of the common problems found during handover. The ping-pong effect arises when a mobile node is located at the borderline of the cell or decision point and a handover procedure is frequently executed. This results in higher call drop probability, lower connection quality, increased signaling traffic, and waste of resources. All of these affect mobility optimization. Handoff algorithms are the deciding factors for performing the handoff between the networks. Traditionally, these algorithms employ a threshold to compare the values of different metrics to decide on the handoff. These metrics include signal strength, path loss, Carrier-to-Interference Ratio (CIR), Signal-to-Interference Ratio (SIR), Bit Error Rate (BER), and power budget. In order to avoid the ping-pong effect, some additional parameters are employed by the decision algorithm, such as hysteresis margin, dwell timers, and averaging window. For a vehicle moving at a high speed, other parameters, such as the distance between the mobile node and the point of attachment, velocity of the mobile node, location of the mobile node, traffic, and bandwidth characteristics are also taken into account to reduce the ping-pong effect. More recently, there are other handoff algorithms available that help reduce the ping-pong effect in a heterogeneous network environment and that are based on techniques such as hypothesis testing, dynamic programming, and pattern recognition techniques. While it is important to devise smart handoff algorithms to reduce the ping-pong effect, it is also important to devise methods to recover from this effect.
乒乓效应是切换过程中常见的问题之一。当移动节点位于小区或决策点的边界处并且频繁地执行切换过程时,乒乓效应产生。这会导致较高的掉话概率、较低的连接质量、增加的信令流量和资源浪费。所有这些都会影响移动性优化。切换算法是在网络之间执行切换的决定因素。传统上,这些算法使用一个阈值来比较不同度量的值来决定切换。这些指标包括信号强度、路径损耗、载波干扰比(CIR)、信号干扰比(SIR)、误码率(BER)和功率预算。为了避免乒乓效应,判决算法采用了一些附加参数,如滞后裕度、驻留定时器和平均窗口。对于高速移动的车辆,还考虑了其他参数,例如移动节点与连接点之间的距离、移动节点的速度、移动节点的位置、流量和带宽特性,以减少乒乓效应。最近,还有其他切换算法可用于帮助减少异构网络环境中的乒乓效应,这些算法基于假设测试、动态规划和模式识别技术等技术。设计智能切换算法以减少乒乓效应固然重要,但设计从乒乓效应中恢复的方法也很重要。
In the case of the MPA framework, the ping-pong effect will result in the back-and-forth movement of the mobile node between the current network and target network, and between the candidate target networks. MPA in its current form will be affected because of the
在MPA框架的情况下,乒乓效应将导致移动节点在当前网络和目标网络之间以及候选目标网络之间来回移动。MPA的当前形式将受到以下因素的影响:
number of tunnels set up between the mobile node and neighboring access routers, the number of binding updates, and associated handoff latency resulting from the ping-pong situation. The mobile node's handoff rate may also contribute to delay and packet loss. We propose a few techniques that will help reduce the probability of the ping-pong effect and propose several methods for the MPA framework so that it can recover from the packet loss resulting from the ping-pong effect.
移动节点和相邻接入路由器之间设置的隧道数量、绑定更新数量以及乒乓情况导致的相关切换延迟。移动节点的切换速率也可能导致延迟和分组丢失。我们提出了一些有助于降低乒乓效应概率的技术,并为MPA框架提出了几种方法,以便它能够从乒乓效应导致的数据包丢失中恢复。
The MPA framework can take advantage of the mobile node's geo-location with respect to APs in the neighboring networks using GPS. In order to avoid the oscillation between the networks, a location-aware algorithm can be derived by using a co-relation between the user's location and cached data from the previous handover attempts. In some cases, location may not be the only indicator for a handoff decision. For example, in Manhattan-type grid networks, although a mobile node is close to an AP, it may not have enough SNR (Signal-to-Noise Ratio) to make a good connection. Thus, knowledge of the mobility pattern, dwell time in a call, and path identification will help avoid the ping-pong problem to a great extent.
MPA框架可以利用移动节点相对于使用GPS的相邻网络中的AP的地理位置。为了避免网络之间的振荡,可以通过使用用户位置和来自先前切换尝试的缓存数据之间的协同关系来导出位置感知算法。在某些情况下,位置可能不是切换决策的唯一指标。例如,在曼哈顿类型的网格网络中,尽管移动节点靠近AP,但它可能没有足够的SNR(信噪比)来建立良好的连接。因此,了解移动模式、通话停留时间和路径识别将在很大程度上帮助避免乒乓球问题。
In the absence of a good handoff algorithm that can avoid the ping-pong effect, it may be required to put in place a good recovery mechanism so as to mitigate the effect of ping-pong. It may be necessary to keep the established context in the current network for a period of time, so that it can be quickly recovered when the mobile node comes back to the network where the context was last used. This context may include security association, IP address used, and tunnels established. Bicasting the data to both the previous network and the new network for a predefined period will also help the mobile node to take care of the lost packets in case the mobile node moves back and forth between the networks. The mobile node can also take certain action, after it determines that it is in a stable state with respect to a ping-pong situation.
在缺乏能够避免乒乓效应的良好切换算法的情况下,可能需要建立良好的恢复机制以减轻乒乓效应。可能需要将建立的上下文在当前网络中保持一段时间,以便在移动节点返回到上次使用上下文的网络时能够快速恢复。此上下文可能包括安全关联、使用的IP地址和建立的隧道。在预定义的时间段内将数据双向广播到先前网络和新网络也将有助于移动节点处理丢失的分组,以防移动节点在网络之间来回移动。在移动节点确定其处于关于乒乓球情况的稳定状态之后,移动节点还可以采取某些动作。
When the MPA framework takes advantage of a combination of IKEv2 and MOBIKE, the ping-pong effect can be reduced further [MPA-MOBIKE].
当MPA框架利用IKEv2和MOBIKE的组合时,乒乓效应可以进一步降低[MPA-MOBIKE]。
In the case of pre-authentication with multiple target networks, it is useful to maintain the state in the authentication agent of each of the neighboring networks for a certain time period. Thus, if the mobile node does move back and forth between neighboring networks, already-maintained authentication state can be helpful. We provide some highlights on multiple security association state management below.
在使用多个目标网络进行预认证的情况下,将每个相邻网络的认证代理中的状态保持一定时间段是有用的。因此,如果移动节点确实在相邻网络之间来回移动,则已经维护的认证状态可能是有用的。下面我们将重点介绍多个安全关联状态管理。
A mobile node that has pre-authenticated with an authentication agent in a candidate target network and has an MPA-SA may need to continue to keep the MPA-SA while it continues to stay in the current network or even after it makes a handover to a network that is different from the candidate target network.
在候选目标网络中已经使用认证代理预认证并且具有MPA-SA的移动节点可能需要在其继续留在当前网络中时或甚至在其切换到与候选目标网络不同的网络之后继续保持MPA-SA。
When an MN that has been authenticated and authorized by an authentication agent in the current network makes a handover to a target network, it may want to hold the SA that has been established between the MN and the authentication agent for a certain time period so that it does not have to go through the entire authentication signaling to create an SA from scratch, in case it returns to the previous network. Such an SA being held at the authentication agent after the MN's handover to another network is considered as an MPA-SA. In this case, the authentication agent should change the fully authorized state for the MN to an unauthorized state. The unauthorized state can be changed to the fully authorized state only when the MN comes back to the network and provides proof of possession of a key associated with the MPA-SA.
当已经由当前网络中的认证代理进行认证和授权的MN向目标网络进行切换时,它可能希望将在MN和认证代理之间建立的SA保持一定的时间段,以便它不必通过整个认证信令来从头创建SA,以防它返回到先前的网络。在MN切换到另一网络之后在认证代理处持有的这种SA被认为是MPA-SA。在这种情况下,身份验证代理应该将MN的完全授权状态更改为未授权状态。只有当MN返回网络并提供拥有与MPA-SA相关联的密钥的证据时,未授权状态才能更改为完全授权状态。
While an MPA-SA is being held at an authentication agent, the MN will need to keep updating the authentication agent when an IP address of the MN changes due to a handover, to re-establish the new SA.
当MPA-SA被保持在认证代理处时,当MN的IP地址由于切换而改变时,MN将需要不断更新认证代理以重新建立新SA。
In the pre-configuration phase, it is also possible to pre-allocate QoS resources that may be used by the mobile node not only after handover but also before handover. When pre-allocated QoS resources are used before handover, they are used for application traffic carried over a proactive handover tunnel.
在预配置阶段,还可以预分配不仅在切换之后而且在切换之前可由移动节点使用的QoS资源。当在切换前使用预先分配的QoS资源时,它们将用于通过主动切换隧道承载的应用程序流量。
It is possible that QoS resources are pre-allocated in an end-to-end fashion. One method to achieve this proactive end-to-end QoS reservation is to execute the NSIS Signaling Layer Protocol (NSLP) [RFC5974] or the Resource Reservation Protocol (RSVP) [RFC2205] over a proactive handover tunnel where pre-authentication can be used for bootstrapping a security association for the proactive handover tunnel to protect the QoS signaling. In this case, QoS resources are pre-allocated on the path between the Correspondent Node and a target access router and can be used continuously before and after handover. On the other hand, duplicate pre-allocation of QoS resources between the target access router and the mobile node is necessary when using pre-allocated QoS resources before handover, due to differences in
QoS资源可能以端到端的方式预先分配。实现这种主动端到端QoS预留的一种方法是执行NSIS信令层协议(NSLP)[RFC5974]或资源预留协议(RSVP)[RFC2205]通过主动切换隧道,其中预认证可用于引导主动切换隧道的安全关联,以保护QoS信令。在这种情况下,QoS资源预先分配在对应节点和目标接入路由器之间的路径上,并且可以在切换前后连续使用。另一方面,当在切换之前使用预先分配的QoS资源时,目标接入路由器和移动节点之间的QoS资源的重复预先分配是必要的,这是由于在切换过程中的差异造成的
paths between the target access router and the mobile node before and after handover. QoS resources to be used for the path between the target access router and the mobile node after handover may be pre-allocated by extending NSLP to work for off-path signaling (Note: this path can be viewed as off-path before handover) or by media-specific QoS signaling at layer 2.
切换前后目标接入路由器和移动节点之间的路径。切换后用于目标接入路由器和移动节点之间的路径的QoS资源可通过扩展NSLP以用于非路径信令(注意:该路径可被视为切换前的非路径)或通过第2层的媒体特定QoS信令来预分配。
In the case of multiple CTNs, establishing multiple tunnels with the neighboring target networks provides some additional benefits. But it contributes to some resource utilization issues as well. A pre-authentication process with multiple candidate target networks can happen in several ways.
在多个CTN的情况下,与相邻目标网络建立多个隧道提供了一些额外的好处。但它也导致了一些资源利用问题。多个候选目标网络的预认证过程可以通过多种方式进行。
The very basic scheme involves authenticating the mobile node with the multiple authentication agents in the neighboring networks, but actual pre-configuration and binding update take place only after layer 2 movement to a specific network is complete.
最基本的方案涉及使用相邻网络中的多个身份验证代理对移动节点进行身份验证,但实际的预配置和绑定更新仅在第2层移动到特定网络完成后进行。
Similarly, in addition to pre-authentication, the mobile node can also complete the pre-configuration while in the previous network, but can postpone the binding update until after the mobile node has moved. Like the previous case, in this case the mobile node also does not need to set up the pre-configured tunnels. While the pre-authentication process and part of the pre-configuration process are taken care of before the mobile node has moved to the new network, the binding update is actually done after the mobile node has moved.
类似地,除了预认证之外,移动节点还可以在前一网络中完成预配置,但是可以将绑定更新推迟到移动节点移动之后。与前面的情况一样,在这种情况下,移动节点也不需要设置预先配置的隧道。虽然在移动节点移动到新网络之前处理预认证过程和部分预配置过程,但绑定更新实际上是在移动节点移动之后完成的。
The third type of multiple pre-authentication involves all the three steps while the mobile node is in the previous networks, such as authentication, configuration, and binding update. But, this specific process utilizes the highest amount of resources. Some of the resources that get used during this process are as follows:
第三种类型的多重预认证涉及移动节点在先前网络中时的所有三个步骤,例如认证、配置和绑定更新。但是,这个特定的过程使用了最多的资源。在此过程中使用的一些资源如下:
(1) Additional signaling for pre-authentication in the neighboring networks
(1) 用于相邻网络中预认证的附加信令
(2) Holding the IP address of the neighboring networks in the mobile node's cache for a certain amount of time. Additional processing in the mobile node is needed for storing these IP addresses. In addition, this caching of addresses also uses up the temporary IP addresses from the neighboring routers.
(2) 在移动节点的缓存中保留相邻网络的IP地址一段时间。存储这些IP地址需要移动节点中的附加处理。此外,这种地址缓存还使用了来自相邻路由器的临时IP地址。
(3) There is an additional cost associated with setting up additional transient tunnels with the target routers in the neighboring networks and the mobile node.
(3) 与相邻网络和移动节点中的目标路由器建立附加瞬态隧道相关联的额外成本。
(4) In the case of a binding update with multiple IP addresses obtained from the neighboring networks, multiple transient streams flow between the CN and mobile node using these transient tunnels.
(4) 在使用从相邻网络获得的多个IP地址进行绑定更新的情况下,多个瞬态流使用这些瞬态隧道在CN和移动节点之间流动。
However, there are pros and cons related to sending the binding update after the handover. If the binding update is sent after the mobile node has moved to the new network, this will contribute to the delay if the CH or HA is far from the MN. Multiple binding updates can be taken care of in many different ways. We describe a few of these update mechanisms below.
但是,在切换后发送绑定更新有其优点和缺点。如果绑定更新是在移动节点移动到新网络之后发送的,那么如果CH或HA远离MN,这将导致延迟。可以通过许多不同的方式处理多个绑定更新。下面我们将介绍其中的一些更新机制。
When only pre-authentication and pre-configuration are done ahead of time with multiple networks, the mobile node sends one binding update to the CN. In this case, it is important to find out when to send the binding update after the layer 2 handoff.
当在多个网络中仅提前完成预认证和预配置时,移动节点向CN发送一个绑定更新。在这种情况下,确定在第2层切换后何时发送绑定更新非常重要。
In case a binding update with multiple contact addresses is sent, multiple media streams stem out of the CN, using the transient tunnels. But in that case, one needs to send another binding update after the handover, with the contact address set to the new address (only one address) where the mobile node has moved. This way, the mobile node stops sending media to other neighboring networks where the mobile node did not move.
在发送具有多个联系人地址的绑定更新的情况下,多个媒体流使用临时隧道从CN中流出。但在这种情况下,需要在切换后发送另一个绑定更新,联系人地址设置为移动节点移动的新地址(仅一个地址)。这样,移动节点停止向移动节点未移动的其他相邻网络发送媒体。
The following is an illustration of this specific case that takes care of multiple binding streams, when the mobile node moves only to a specific network, but sends multiple binding updates in the previous network. The MN sends a binding update to the CH with multiple contact addresses, such as c1, c2, and c3, that were obtained from three neighboring networks. This allows the CN to send transient multiple streams to the mobile node over the pre-established tunnels. After the mobile node moves to the actual network, it sends another binding update to the CN with the care-of address of the mobile node in the network where the mobile node has moved. One issue with multiple streams is consumption of extra bandwidth for a small period of time.
以下是当移动节点仅移动到特定网络,但在先前网络中发送多个绑定更新时,处理多个绑定流的该特定情况的说明。MN使用从三个相邻网络获得的多个联系人地址(例如c1、c2和c3)向CH发送绑定更新。这允许CN通过预先建立的隧道向移动节点发送瞬时多个流。在移动节点移动到实际网络之后,它向CN发送另一个绑定更新,该绑定更新包含移动节点已移动的网络中的移动节点的地址。多个流的一个问题是在短时间内消耗额外带宽。
Alternatively, one can apply the buffering technique at the target access router or at the Home Agent. Transient data can be forwarded to the mobile node after it has moved. Forwarding of data can be triggered by the mobile node either as part of Mobile IP registration or as a separate buffering protocol.
或者,可以在目标接入路由器或归属代理处应用缓冲技术。瞬态数据在移动后可以转发到移动节点。移动节点可以作为移动IP注册的一部分或作为单独的缓冲协议来触发数据转发。
In this section, we present some of the results from MPA implementation when applied to different handover scenarios. We present the summary of results from our experiments using MPA techniques for two types of handovers: i) intra-technology and intra-domain, and ii) inter-technology and inter-domain. We also present the results of how the MPA can bootstrap layer 2 security for both roaming and non-roaming cases. Detailed procedures and results are explained in [MOBIQUIT07] and [SPRINGER07].
在本节中,我们将介绍MPA实现在应用于不同切换场景时的一些结果。我们总结了使用MPA技术进行两种类型切换的实验结果:i)内部技术和域内切换,以及ii)内部技术和域间切换。我们还介绍了MPA如何为漫游和非漫游情况引导第2层安全性的结果。详细的程序和结果见[MOBIQUIT07]和[SPRINGER07]。
The results for MIPv6 and SIP mobility involving intra-domain mobility are shown in Figures 6 and 7, respectively.
涉及域内移动性的MIPv6和SIP移动性的结果分别如图6和图7所示。
Buffering Buffering Buffering Buffering
(disabled) (enabled) (disabled) (enabled)
& RO & RO & RO & RO
(disabled) (disabled) (enabled) (enabled)
-------------------------------------------------------------------
L2 handoff (ms) 4.00 4.33 4.00 4.00
Buffering Buffering Buffering Buffering
(disabled) (enabled) (disabled) (enabled)
& RO & RO & RO & RO
(disabled) (disabled) (enabled) (enabled)
-------------------------------------------------------------------
L2 handoff (ms) 4.00 4.33 4.00 4.00
L3 handoff (ms) 1.00 1.00 1.00 1.00
三级切换(ms)1.00 1.00 1.00 1.00
Avg. packet loss 1.33 0 0.66 0
平均丢包率1.33 0 0.66 0
Avg. inter-packet 16.00 16.00 16.00 16.00 arrival interval (ms)
平均数据包间16.00 16.00 16.00 16.00到达间隔(ms)
Avg. inter-packet n/a 45.33 n/a 66.60 arrival time during handover (ms)
平均分组间n/a 45.33 n/a 66.60切换期间的到达时间(ms)
Avg. packet jitter n/a 29.33 n/a 50.60 (ms)
平均数据包抖动n/a 29.33 n/a 50.60(毫秒)
Buffering Period n/a 50.00 n/a 50.00 (ms)
缓冲期不适用50.00不适用50.00(毫秒)
Buffered Packets n/a 2.00 n/a 3.00
缓冲数据包n/a 2.00 n/a 3.00
RO = Router Optimization
RO = Router Optimization
Figure 6: Mobile IPv6 with MPA Results
图6:具有MPA结果的移动IPv6
Buffering Buffering
disabled enabled
-----------------------------------------------
L2 handoff (ms) 4.00 5.00
Buffering Buffering
disabled enabled
-----------------------------------------------
L2 handoff (ms) 4.00 5.00
L3 handoff (ms) 1.00 1.00
三级切换(ms)1.00 1.00
Avg. packet loss 1.50 0
平均数据包丢失1.50 0
Avg. inter-packet 16.00 16.00 arrival interval (ms)
平均数据包间16.00 16.00到达间隔(ms)
Avg. inter-packet n/a 29.00 arrival time during handover (ms)
平均分组间n/a 29.00移交期间的到达时间(ms)
Avg. packet jitter n/a 13.00 (ms)
平均数据包抖动n/a 13.00(毫秒)
Buffering Period n/a 20.00 (ms)
缓冲期不适用20.00(毫秒)
Buffered Packets n/a 3.00
缓冲数据包不适用3.00
Figure 7: SIP Mobility with MPA Results
图7:具有MPA结果的SIP迁移率
For all measurements, we did not experience any performance degradation during handover in terms of the audio quality of the voice traffic.
对于所有测量,我们在切换期间并没有遇到任何语音通信音频质量方面的性能下降。
With the use of buffering during handover, packet loss during the actual L2 and L3 handover is eliminated with appropriate and reasonable settings of the buffering period for both MIP6 and SIP mobility. In the case of MIP6, there is not a significant difference in results with and without route optimization. It should be noted that results with more samples would be necessary for a more detailed analysis.
通过在切换期间使用缓冲,通过对MIP6和SIP移动性的缓冲期进行适当和合理的设置,消除了实际L2和L3切换期间的分组丢失。在MIP6的情况下,有无路由优化的结果没有显著差异。应注意,对于更详细的分析,需要更多样本的结果。
In the case of non-MPA-assisted handover, handover delay and associated packet loss occur from the moment the link-layer handover procedure begins, up to successful processing of the binding update. During this process, IP address acquisitions via DHCP incur the longest delay. This is due to the detection of duplicate IP addresses in the network before the DHCP request completes. The binding update exchange also experiences a long delay if the CN is too far from the MN. As a result, the non-MPA-assisted handover took
在非MPA辅助切换的情况下,从链路层切换过程开始到绑定更新的成功处理,切换延迟和相关的分组丢失都会发生。在此过程中,通过DHCP获取IP地址的延迟最长。这是因为在DHCP请求完成之前检测到网络中存在重复的IP地址。如果CN距离MN太远,则绑定更新交换也会经历较长的延迟。因此,非MPA协助的移交发生了变化
an average of 4 seconds to complete, with an approximate packet loss of about 200 packets. The measurement is based on the same traffic rate and traffic source as the MPA-assisted handover.
平均4秒完成,大约有200个数据包丢失。测量基于与MPA辅助切换相同的流量率和流量源。
Handoff involving heterogeneous access can take place in many different ways. We limit the experiment to two interfaces, and therefore results in several possible setup scenarios, depending upon the activity of the second interface. In one scenario, the second interface comes up when the link to the first interface goes down. This is a reactive scenario and usually gives rise to undesirable packet loss and handoff delay. In a second scenario, the second interface is being prepared while the mobile node still communicates using the old interface. Preparation of the second interface should include setup of all the required state and security associations (e.g., PPP state, the Link Control Protocol (LCP), the Challenge Handshake Authentication Protocol (CHAP)). If such a lengthy process is established ahead of time, it reduces the time taken for the secondary interface to be attached to the network. After preparation, the mobile node decides to use the second interface as the active interface. This results in less packet loss, as it uses make-before-break techniques. This is a proactive scenario and can have two "flavors". The first is where both interfaces are up; the second is when only the old interface is up and the prepared interface is brought up only when handoff is about to occur. This scenario may be beneficial from a battery management standpoint. Devices that operate two interfaces simultaneously can rapidly deplete their batteries. However, by activating the second interface only after an appropriate network has been selected, the client may utilize battery power effectively.
涉及异构访问的切换可以以多种不同的方式进行。我们将实验限制为两个接口,因此根据第二个接口的活动,会产生几种可能的设置场景。在一个场景中,当第一个接口的链接断开时,第二个接口出现。这是一种反应性场景,通常会导致不必要的数据包丢失和切换延迟。在第二个场景中,当移动节点仍然使用旧接口进行通信时,正在准备第二个接口。第二个接口的准备应包括设置所有必需的状态和安全关联(例如,PPP状态、链路控制协议(LCP)、质询握手认证协议(CHAP))。如果提前建立了这样一个漫长的过程,则可以减少将辅助接口连接到网络所需的时间。在准备之后,移动节点决定使用第二接口作为活动接口。这将减少数据包丢失,因为它使用先通后断技术。这是一个积极主动的场景,可以有两种“风格”。第一个是两个接口都在哪里;第二种情况是,只有旧接口启动,准备好的接口仅在切换即将发生时启动。从电池管理的角度来看,这种情况可能是有益的。同时操作两个接口的设备可能会迅速耗尽电池。然而,通过仅在选择了适当的网络之后激活第二接口,客户端可以有效地利用电池功率。
As compared to non-optimized handover that may result in a delay of up to 18 sec and loss of 1000 or more packets during the handover from the wireless LAN (WLAN) to CDMA, we observed 0 packet loss and a 50-ms handoff delay between the last pre-handoff packet and the first in-handoff packet. This handoff delay includes the time due to link down detection and time needed to delete the tunnel after the mobile node has moved. However, we observed about 10 duplicate packets because of the copy-and-forward mechanism at the access routers. But these duplicate packets are usually handled easily by the upper-layer protocols.
与非优化切换相比,在从无线局域网(WLAN)到CDMA的切换过程中,可能导致高达18秒的延迟和1000个或更多数据包的丢失,我们观察到在最后一个预切换数据包和第一个进入切换数据包之间存在0个数据包丢失和50毫秒的切换延迟。该切换延迟包括由于链路断开检测而产生的时间和移动节点移动后删除隧道所需的时间。然而,由于接入路由器的复制转发机制,我们观察到大约10个重复数据包。但是这些重复数据包通常很容易被上层协议处理。
In this section, we discuss the results obtained from MPA-assisted layer 2 pre-authentication and compare these with EAP authentication and IEEE 802.11i's pre-authentication techniques. Figure 8 shows the
在本节中,我们将讨论由MPA辅助的第2层预认证获得的结果,并将其与EAP认证和IEEE 802.11i的预认证技术进行比较。图8显示了
experimental testbed where we have conducted the MPA-assisted pre-authentication experiment for bootstrapping layer 2 security as explained in Section 7. By pre-authenticating and pre-configuring the link, the security association procedure during handoff reduces to a 4-way handshake only. Then the MN moves to the AP and, after association, runs a 4-way handshake by using the PSKap (Pre-shared Key at AP) generated during PANA pre-authentication. At this point, the handoff is complete. Details of this experimental testbed can be found in [MOBIQUIT07].
我们在实验台上进行了MPA辅助的预认证实验,用于引导第2层安全性,如第7节所述。通过对链路进行预认证和预配置,切换期间的安全关联过程减少为仅4路握手。然后,MN移动到AP,在关联之后,通过使用在PANA预认证期间生成的PSKap(AP处的预共享密钥),运行4路握手。此时,切换完成。有关该实验台的详细信息,请参见[MOBIQUIT07]。
+----------------------------+-----------+ +-------------+----------+
| | | |
| Home Domain +-------++ | | |
| | | | | |
| |AAAHome | | | |
| + | | | |
| +-----+--+ | | |
| | | | Network B |
| Network A | | | |
| /----\ | | /---\ |
| /nAR \ | | / \ |
| | PAA |--------+-+----------+ pAR | |
| \ / | | \ / |
| \----/ | | \-+-/ |
| | | | | |
| +-------------------| | | | |
| | IEEE 802.11i| | | | |
| +------+ +------+ | | +---+--+ |
| | | | | | | | | |
| |AP2 | |AP1 | | | |AP0 | |
| +------+ +------+ | | +------+ |
| +------+ +-----+ | | +-----+ |
| | | | | | | | | |
| |MN +----------->|MN |<+------------- |MN | |
| +------+ +-----+ | | ++----+ |
|----------------------------------------+ +------------+-----------+
+----------------------------+-----------+ +-------------+----------+
| | | |
| Home Domain +-------++ | | |
| | | | | |
| |AAAHome | | | |
| + | | | |
| +-----+--+ | | |
| | | | Network B |
| Network A | | | |
| /----\ | | /---\ |
| /nAR \ | | / \ |
| | PAA |--------+-+----------+ pAR | |
| \ / | | \ / |
| \----/ | | \-+-/ |
| | | | | |
| +-------------------| | | | |
| | IEEE 802.11i| | | | |
| +------+ +------+ | | +---+--+ |
| | | | | | | | | |
| |AP2 | |AP1 | | | |AP0 | |
| +------+ +------+ | | +------+ |
| +------+ +-----+ | | +-----+ |
| | | | | | | | | |
| |MN +----------->|MN |<+------------- |MN | |
| +------+ +-----+ | | ++----+ |
|----------------------------------------+ +------------+-----------+
Figure 8: Experimental Testbed for MPA-Assisted L2 Pre-Authentication (Non-Roaming)
图8:MPA辅助L2预认证(非漫游)实验台
+-----------------------------+
| +--------+ |
| | | |
| | AAAH + |
| | | |
| ++-------+ |
| | |
| | Home AAA Domain |
| | |
+-------+---------------------+
|
|
|
RADIUS/ |
Diameter |
|
|
+----------------------------+-----------+ +-------------+----------+
| | | | |
| Roaming +-------++ | | |
| AAA Domain A | | | | |
| | AAAV | | | |
| + | | | |
| Network A +-----+--+ | | Network B |
| | | | |
| | | | |
| /----\ | | /---\ |
| /nAR \ | | / \ |
| | PAA |--------+-+----------+ pAR | |
| \ / | | \ / |
| \----/ | | \-+-/ |
| | | | | |
| +-------------------| | | | |
| | IEEE 802.11i| | | | |
| +------+ +------+ | | +---+--+ |
| | | | | | | | | |
| |AP2 | |AP1 | | | |AP0 | |
| +------+ +------+ | | +------+ |
| +------+ +-----+ | | +-----+ |
| | | | | | | | | |
| |MN +----------->|MN |<---------------| MN | |
| +------+ +-----+ | | ++----+ |
-----------------------------------------+ +------------+-----------+
+-----------------------------+
| +--------+ |
| | | |
| | AAAH + |
| | | |
| ++-------+ |
| | |
| | Home AAA Domain |
| | |
+-------+---------------------+
|
|
|
RADIUS/ |
Diameter |
|
|
+----------------------------+-----------+ +-------------+----------+
| | | | |
| Roaming +-------++ | | |
| AAA Domain A | | | | |
| | AAAV | | | |
| + | | | |
| Network A +-----+--+ | | Network B |
| | | | |
| | | | |
| /----\ | | /---\ |
| /nAR \ | | / \ |
| | PAA |--------+-+----------+ pAR | |
| \ / | | \ / |
| \----/ | | \-+-/ |
| | | | | |
| +-------------------| | | | |
| | IEEE 802.11i| | | | |
| +------+ +------+ | | +---+--+ |
| | | | | | | | | |
| |AP2 | |AP1 | | | |AP0 | |
| +------+ +------+ | | +------+ |
| +------+ +-----+ | | +-----+ |
| | | | | | | | | |
| |MN +----------->|MN |<---------------| MN | |
| +------+ +-----+ | | ++----+ |
-----------------------------------------+ +------------+-----------+
Figure 9: Experimental Testbed for MPA-Assisted L2 Pre-Authentication (Roaming)
图9:MPA辅助L2预认证(漫游)实验台
We have experimented with three types of movement scenarios involving both non-roaming and roaming cases, using the testbeds shown in Figures 8 and 9, respectively. In the roaming case, the MN is visiting in a domain different than its home domain. Consequently, the MN needs to contact the AAA server in the home domain (AAAH) from its new domain. For the non-roaming case, we assume the MN is moving within its home domain, and only the local AAA server (AAAHome), which is the home AAA server for the mobile node, is contacted.
我们分别使用图8和图9所示的测试床,对涉及非漫游和漫游情况的三种移动场景进行了实验。在漫游情况下,MN正在不同于其归属域的域中访问。因此,MN需要从其新域联系主域(AAAH)中的AAA服务器。对于非漫游情况,我们假设MN在其主域内移动,并且仅联系本地AAA服务器(AAAHome),即移动节点的主AAA服务器。
The first scenario does not involve any pre-authentication. The MN is initially connected to AP0 and moves to AP1. Because neither network-layer authentication nor IEEE 802.11i pre-authentication is used, the MN needs to engage in a full EAP authentication with AP1 to gain access to the network after the move (post-authentication). This experiment shows the effect of the absence of any kind of pre-authentication.
第一个场景不涉及任何预认证。MN最初连接到AP0并移动到AP1。由于既不使用网络层身份验证,也不使用IEEE 802.11i预身份验证,因此MN需要使用AP1进行完整的EAP身份验证,以便在移动后(后身份验证)访问网络。这个实验显示了没有任何类型的预认证的效果。
The second scenario involves 802.11i pre-authentication and involves movement between AP1 and AP2. In this scenario, the MN is initially connected to AP2, and starts IEEE 802.11i pre-authentication with AP1. This is an ideal scenario to compare the values obtained from 802.11i pre-authentication with that of network-layer assisted pre-authentication. Both scenarios use RADIUS as the AAA protocol (APs implement a RADIUS client). The third scenario takes advantage of network-layer assisted link-layer pre-authentication. It involves movement between two APs (e.g., between AP0 and AP1) that belong to two different subnets where 802.11i pre-authentication is not possible. Here, Diameter is used as the AAA protocol (PAA implements a Diameter client).
第二个场景涉及802.11i预认证,并涉及AP1和AP2之间的移动。在此场景中,MN最初连接到AP2,并使用AP1启动IEEE 802.11i预认证。这是比较802.11i预认证与网络层辅助预认证获得的值的理想方案。两种方案都使用RADIUS作为AAA协议(AP实现RADIUS客户端)。第三种方案利用网络层辅助链路层预认证。它涉及属于两个不同子网的两个AP之间的移动(例如,在AP0和AP1之间),其中802.11i预认证是不可能的。这里,Diameter用作AAA协议(PAA实现Diameter客户端)。
In the third movement scenario, the MN is initially connected to AP0. The MN starts PANA pre-authentication with the PAA, which is co-located on the AR in the new candidate target network (nAR in network A) from the current associated network (network B). After authentication, the PAA proactively installs two keys, PSKap1 and PSKap2, in AP1 and AP2, respectively. By doing the key installations proactively, the PAA preempts the process of communicating with the AAA server for the keys after the mobile node moves to the new network. Finally, because PSKap1 is already installed, AP1 immediately starts the 4-way handshake. We have used measurement tools such as ethereal and kismet to analyze the measurements for the 4-way handshake and PANA authentication. These measurements reflect different operations involved during network-layer pre-authentication.
在第三个移动场景中,MN最初连接到AP0。MN使用PAA启动PAA预认证,PAA与当前关联网络(网络B)共同位于新候选目标网络(网络A中的nAR)中的AR上。认证后,PAA主动在AP1和AP2中分别安装两个密钥PSKap1和PSKap2。通过主动安装密钥,PAA在移动节点移动到新网络后,抢占了与AAA服务器进行密钥通信的过程。最后,因为已经安装了PSKap1,AP1立即开始4路握手。我们使用了诸如ethereal和kismet等测量工具来分析4路握手和PANA身份验证的测量结果。这些测量反映了网络层预认证期间涉及的不同操作。
In our experiment, as part of the discovery phase, we assume that the MN is able to retrieve the PAA's IP address and all required information about AP1 and AP2 (e.g., channel, security-related
在我们的实验中,作为发现阶段的一部分,我们假设MN能够检索PAA的IP地址以及有关AP1和AP2的所有必需信息(例如,通道、安全相关信息)
parameters, etc.) at some point before the handover. This avoids the scanning during link-layer handoff. We have applied this assumption to all three scenarios. Because our focus is on reducing the time spent on the authentication phase during handoff, we do not discuss the details of how we avoid the scanning.
参数等),在移交前的某个时间点。这避免了链路层切换期间的扫描。我们将这一假设应用于所有三种情况。因为我们的重点是减少切换过程中在身份验证阶段花费的时间,所以我们不讨论如何避免扫描的细节。
=====================================================================
Types |802.11i | 802.11i | MPA-assisted
|Post- | Pre- | Layer 2
|authentication | authentication | Pre-authentication
=====================================================================
Operation| Non- | Roaming | Non- | Roaming |Non- | Roaming|
| Roaming | | Roaming | |Roaming| |
===================================================================
Tauth | 61 ms | 599 ms | 99 ms | 638 ms | 177 ms| 831 ms |
-------------------------------------------------------------------
Tconf | -- | -- | -- | -- | 16 ms | 17ms |
-------------------------------------------------------------------
Tassoc+ | | | | | | |
4way | 18 ms | 17 ms | 16 ms | 17 ms | 16 ms | 17 ms |
------------------------------------------------------------------|
Total | 79 ms | 616 ms | 115 ms | 655 ms | 208 ms| 865 ms |
------------------------------------------------------------------|
Time | | | | | | |
affecting| 79 ms | 616 ms | 16 ms | 17 ms | 15 ms | 17 ms |
handover | | | | | | |
------------------------------------------------------------------|
=====================================================================
Types |802.11i | 802.11i | MPA-assisted
|Post- | Pre- | Layer 2
|authentication | authentication | Pre-authentication
=====================================================================
Operation| Non- | Roaming | Non- | Roaming |Non- | Roaming|
| Roaming | | Roaming | |Roaming| |
===================================================================
Tauth | 61 ms | 599 ms | 99 ms | 638 ms | 177 ms| 831 ms |
-------------------------------------------------------------------
Tconf | -- | -- | -- | -- | 16 ms | 17ms |
-------------------------------------------------------------------
Tassoc+ | | | | | | |
4way | 18 ms | 17 ms | 16 ms | 17 ms | 16 ms | 17 ms |
------------------------------------------------------------------|
Total | 79 ms | 616 ms | 115 ms | 655 ms | 208 ms| 865 ms |
------------------------------------------------------------------|
Time | | | | | | |
affecting| 79 ms | 616 ms | 16 ms | 17 ms | 15 ms | 17 ms |
handover | | | | | | |
------------------------------------------------------------------|
Figure 10: Results of MPA-Assisted Layer 2 Pre- and Post-Authentication
图10:MPA辅助第2层认证前后的结果
Figure 10 shows the timing (rounded off to the most significant number) associated with some of the handoff operations we have measured in the testbed. We describe each of the timing parameters below.
图10显示了与我们在测试台上测量的一些切换操作相关的时间(四舍五入到最有效的数字)。我们将在下面描述每个定时参数。
"Tauth" refers to the execution of EAP-Transport Layer Security (TLS) authentication. This time does not distinguish whether this authentication was performed during pre-authentication or a typical post-authentication.
“Tauth”指执行EAP传输层安全(TLS)认证。这一次不区分此身份验证是在预身份验证期间执行的,还是典型的后身份验证期间执行的。
"Tconf" refers to the time spent during PSK generation and installation after EAP authentication is complete. When network-layer pre-authentication is not used, this time is not considered.
“Tconf”是指EAP身份验证完成后生成和安装PSK所花费的时间。如果未使用网络层预身份验证,则不考虑这一次。
"Tassoc+4way" refers to the time dedicated to the completion of the association and the 4-way handshake with the target AP after the handoff.
“Tassoc+4way”是指切换后完成关联和与目标AP的4路握手所需的时间。
The first two columns in the figure show the results for non-roaming and roaming cases, respectively, when no pre-authentication is used at all. The second two columns depict the same cases when IEEE 802.11i pre-authentication is used. The last two columns show when we used network-layer-assisted layer 2 pre-authentication. When pre-authentication is used, only the factor Tassoc+4way affects the handoff time. When no pre-authentication is used, the time affecting the handoff includes Tauth (the complete EAP-TLS authentication) plus Tassoc+4way.
图中的前两列分别显示了未使用预身份验证的非漫游和漫游情况的结果。后两列描述了使用IEEE 802.11i预认证时的相同情况。最后两列显示了我们何时使用网络层辅助的第2层预认证。当使用预认证时,只有因素Tassoc+4way会影响切换时间。当未使用预认证时,影响切换的时间包括Tauth(完整EAP-TLS认证)加上Tassoc+4way。
That is precisely the time affecting the handoff in the case where the MN moves from AP0 to AP1 in the absence of pre-authentication. As it is seen, these delays are not suitable for real-time applications. Indeed, for the non-roaming case, we obtained a ~80-ms delay for re-establishing the connection with target AP1. It takes about 600 ms to complete the handoff when the MN moves to a visited domain and the home AAA server is located far away. However, network-layer pre-authentication is only affected by Tassoc+4way (~17 ms) involving any kind of handoff authentication. As is evident, IEEE 802.11i pre-authentication provides a comparable benefit (~16 ms) in terms of handoff but is limited to cases when APs are in the same Distribution System (DS). Additionally, network-layer pre-authentication leverages a single EAP authentication to bootstrap security in several target APs by allowing the MN to move among APs under the same PAA without running EAP and consequently without contacting the AAA server. In this sense, it extends IEEE 802.11r advantages over IEEE 802.11i by allowing inter-subnet and inter-domain and even inter-technology handoffs.
这正是在没有预认证的情况下MN从AP0移动到AP1的情况下影响切换的时间。可以看出,这些延迟不适合实时应用。事实上,对于非漫游情况,我们获得了约80毫秒的延迟来重新建立与目标AP1的连接。当MN移动到访问的域并且家庭AAA服务器位于很远的地方时,完成切换需要大约600毫秒。然而,网络层预认证仅受涉及任何类型切换认证的Tassoc+4way(~17 ms)的影响。显而易见,IEEE 802.11i预认证在切换方面提供了相当的优势(~16 ms),但仅限于AP位于同一配电系统(DS)中的情况。此外,网络层预认证通过允许MN在同一PAA下的AP之间移动而无需运行EAP,从而无需联系AAA服务器,从而利用单个EAP认证来引导多个目标AP中的安全性。从这个意义上讲,它通过允许子网间、域间甚至技术间切换,扩展了IEEE 802.11r相对于IEEE 802.11i的优势。
In this section, we provide some guidelines for the roaming clients that use pre-authentication mechanisms to reduce the handoff delay. These guidelines can help determine the extent of the pre-authentication operation that is needed based on a specific type of movement of the client. IEEE 802.11i and 802.11r take advantage of the pre-authentication mechanism at layer 2. Thus, many of the guidelines observed for 802.11i-based pre-authentication and 802.11r-based fast roaming could also be applicable to the clients that use MPA-based pre-authentication techniques. However, since MPA operations are not limited to a specific subnet and involve inter-subnet and inter-domain handover, the guidelines need to take into account other factors, such as movement pattern of the mobile node, cell size, etc.
在本节中,我们将为使用预认证机制以减少切换延迟的漫游客户端提供一些指导。这些指导原则有助于根据客户端的特定移动类型确定所需的预身份验证操作的范围。IEEE 802.11i和802.11r利用了第2层的预认证机制。因此,为基于802.11i的预认证和基于802.11r的快速漫游所遵循的许多准则也可适用于使用基于MPA的预认证技术的客户端。然而,由于MPA操作不限于特定子网,并且涉及子网间和域间切换,因此指南需要考虑其他因素,例如移动节点的移动模式、小区大小等。
The time needed to complete the pre-authentication mechanism is an important parameter, since the mobile node needs to determine how much ahead of time the mobile node needs to start the pre-authentication process so that it can finish the desired operations before the handover to the target network starts. The pre-authentication time will vary, depending upon the speed of the mobile node (e.g., pedestrian vs. vehicular) and cell sizes (e.g., WiFi, Cellular). Cell residence time is defined as the average time the mobile node stays in the cell before the next handoff takes place. Cell residence time is dependent upon the coverage area and velocity of the mobile node. Thus, cell residence time is an important factor in determining the desirable pre-authentication time that a mobile node should consider.
完成预认证机制所需的时间是一个重要参数,因为移动节点需要确定移动节点需要提前多少时间开始预认证过程,以便在开始向目标网络的切换之前完成所需的操作。预认证时间将根据移动节点的速度(例如,行人与车辆)和小区大小(例如,WiFi、蜂窝)而变化。小区驻留时间定义为下一次切换发生前移动节点在小区内停留的平均时间。小区停留时间取决于移动节点的覆盖面积和速度。因此,小区驻留时间是确定移动节点应该考虑的期望的预认证时间的重要因素。
Since the pre-authentication operation involves six steps as described in Section 6.3 and each step takes some discrete amount of time, only part of these sub-operations may be completed before handoff, depending upon the available delay budget.
由于预认证操作涉及第6.3节所述的六个步骤,并且每个步骤都需要一些离散的时间,因此根据可用的延迟预算,在切换之前只能完成这些子操作的一部分。
For example, a mobile node could complete only network discovery and the network-layer authentication process before the handoff and postpone the rest of the operations until after the handover is complete. On the other hand, if it is a slow-moving vehicle and the adjacent cells are sparsely spaced, a mobile node could complete all the desired MPA-related operations. Finishing all the MPA-related operations ahead of time reduces the handoff delay but adds other constraints, such as cell residence time.
例如,移动节点可以在切换之前仅完成网络发现和网络层认证过程,并将其余操作推迟到切换完成之后。另一方面,如果移动节点是慢速移动的车辆,并且相邻小区间隔稀疏,则移动节点可以完成所有期望的MPA相关操作。提前完成所有与MPA相关的操作会减少切换延迟,但会增加其他限制,例如小区停留时间。
We give a numerical example here, similar to [MISHRA04].
我们在这里给出一个数值例子,类似于[MISHRA04]。
D = Coverage diameter
D = Coverage diameter
v = Mobile node's velocity
v=移动节点的速度
RTT = round trip time from AP to AAA server, including processing time for authentication (Tauth)
RTT=从AP到AAA服务器的往返时间,包括身份验证的处理时间(Tauth)
Tpsk = Time spent to install keys proactively on the target APs
Tpsk=在目标AP上主动安装密钥所花费的时间
If for a given value of D = 100 ft, Tpsk = 10 ms, and RTT = 100 ms, a mobile node needs to execute only the pre-authentication procedure associated with MPA, then the following can be calculated for a successful MPA procedure before the handoff is complete.
如果对于给定的D=100 ft、Tpsk=10 ms和RTT=100 ms的值,移动节点只需要执行与MPA相关联的预认证过程,那么在切换完成之前,可以为成功的MPA过程计算以下内容。
2RTT + Tpsk < D/v
2RTT + Tpsk < D/v
v = 100 ft/(200 ms + 10 ms) = ~500 ft/sec
v = 100 ft/(200 ms + 10 ms) = ~500 ft/sec
Similarly, for a similar cell size, if the mobile node is involved in both pre-authentication and pre-configuration operations as part of the MPA procedure, and it takes an amount of time Tconf = 190 ms to complete the layer 3 configuration including IP address configuration, then for a successful MPA operation,
类似地,对于类似的小区大小,如果移动节点作为MPA过程的一部分同时参与预认证和预配置操作,并且完成包括IP地址配置的第3层配置需要时间Tconf=190 ms,则对于成功的MPA操作,
2RTT + Tpsk + Tconf < D/v
2RTT + Tpsk + Tconf < D/v
v = 100 ft/(200 ms + 10 ms + 190 ms) = ~250 ft/sec
v = 100 ft/(200 ms + 10 ms + 190 ms) = ~250 ft/sec
Thus, compared to only the pre-authentication part of the MPA operation, in order to be able to complete both pre-authentication and pre-configuration operations successfully, either the mobile node needs to move at a slower pace or it needs to expedite these operations for this given cell size. Thus, types of MPA operations will be constrained by the velocity of the mobile node.
因此,与MPA操作的仅预认证部分相比,为了能够成功地完成预认证和预配置操作,移动节点需要以较慢的速度移动,或者需要针对该给定小区大小加快这些操作。因此,MPA操作的类型将受到移动节点的速度的约束。
As an alternative, if a mobile node does complete all of the pre-authentication procedure well ahead of time, it uses up the resources accordingly by way of an extra IP address, tunnel, and extra bandwidth. Thus, there is always a tradeoff between the performance benefit obtained from the pre-authentication mechanism and network characteristics, such as movement speed, cell size, and resources utilized.
作为替代方案,如果移动节点确实提前完成了所有预认证过程,那么它会通过额外的IP地址、隧道和额外带宽相应地消耗资源。因此,在从预认证机制获得的性能优势和网络特性(例如移动速度、小区大小和所利用的资源)之间总是存在权衡。
Authors' Addresses
作者地址
Ashutosh Dutta (editor) NIKSUN 100 Nassau Park Blvd. Princeton, NJ 08540 USA
Ashutosh Dutta(编辑)NIKSUN拿骚公园大道100号。美国新泽西州普林斯顿08540
EMail: ashutosh.dutta@ieee.org
EMail: ashutosh.dutta@ieee.org
Victor Fajardo NIKSUN 100 Nassau Park Blvd. Princeton, NJ 08540 USA
维克多·法哈多·尼克森拿骚公园大道100号。美国新泽西州普林斯顿08540
EMail: vf0213@gmail.com
EMail: vf0213@gmail.com
Yoshihiro Ohba Corporate R&D Center, Toshiba Corporation 1 Komukai-Toshiba-cho, Saiwai-ku Kawasaki, Kanagawa 212-0001 Japan
日本神奈川市川崎赛维区Komukai Toshiba cho东芝1号东芝公司研发中心大叶吉弘212-0001
EMail: yoshihiro.ohba@toshiba.co.jp
EMail: yoshihiro.ohba@toshiba.co.jp
Kenichi Taniuchi Toshiba Corporation 2-9 Suehiro-cho Ome, Tokyo 198-8710 Japan
Kenichi Taniuchi Toshiba Corporation 2-9 Suehiro-cho Ome, Tokyo 198-8710 Japantranslate error, please retry
EMail: kenichi.taniuchi@toshiba.co.jp
EMail: kenichi.taniuchi@toshiba.co.jp
Henning Schulzrinne Columbia University Department of Computer Science 450 Computer Science Building New York, NY 10027 USA
美国纽约州纽约市哥伦比亚大学计算机科学系计算机科学大楼450号
Phone: +1 212 939 7004
EMail: hgs@cs.columbia.edu
Phone: +1 212 939 7004
EMail: hgs@cs.columbia.edu