Post on 15-Mar-2018
NORTEL NETWORKS CONFIDENTIAL
IP Mobility“Always on, Everywhere”
Sprint Research Symposium
March 8-9, 2000
Emad Qaddoura, IPMobility Group
2
Wireless InternetNetwork Vision
Internet
Router
HubRtr
Device Independence:User Addressability
user@realm
Device Independence:RF access provided
by wireless NIC
Access Independence:2G, 3G, 802.11,xDSL, cable, ...
Network Independence:intranet, extranet,
mobile, SOHO
• Leveraging IP and the Internetto provide services acrossdevices, access technologiesand networks
3
A “Box” View
���
������������
���������������������������
�!��
"#$%&
"#$%�������'
�������������� ���� ���������������
Rtr
4
“Future” Mobile Terminals
• Commercially availableNOW
• 233MHz Pentium II MMXon your belt
• 1” screen = 17” monitor
5
Functional ArchitectureMobility Services Layer
PolicyMgmt
ServiceProvision
DirectoryServer
DHCP DNS
CertificateAuth
AAA Server
ServingMobilityManager
DHCP DNSAAA
Client
PolicyEnforce
AccessAccting
PayloadMediation
LocalServiceLayer
NetworkServiceLayer
Access Network Layer
Internetworking Layer
Firewall
SecureMsg
Gateway
Servers
MediaGateway
OA&M
VPNProxy /Firewall
Mo
bili
ty S
ervi
ces
Lay
er
ServiceBroker
SignallingGateway
MGCCall
Server
AccessMedia
Gateway
Internet PSTN
Router
Router
Vis
ited
Sys
tem
Ho
me
Sys
tem
HomeMobilityManager
AcctingServiceBureau
ServiceAgreement
Broker
UnifiedDirectory
SecureMsg
Gateway
Servers
MGC
Mobile Client
6
NSF
Functional ArchitectureAccess Independence
LSF
IPRAN
UMTS3GPP
NAC3GPP2
802.112G
RANWireline
LSFLSFLSFLSF
Acc
ess
Net
wo
rks
Co
reN
etw
ork
Ter
min
als
NSF
UMTSCore
Network
UMTSRAN
GGSN
SGSN
HLRVLR
MSC• The Core Network can support any accessnetwork capable of presenting an IP interface,either directly (e.g. 802.11) or via intermediatenetworks (e.g. GPRS)
• Access gateways can be used when theaccess network does not natively support IP
G/W G/W G/W G/W
7
IP MobilityDefinitions
• The Wireless Internet is an IP-centric, mobility-enablednetwork— IP addresses are used for all routing within the core network
— IP protocols and technologies are used in the control plane
— The network is functionally equivalent to a traditional cellular network(especially with respect to mobility and roaming)
• IP Mobility focuses on Layer 3 of the core network— Mobility functions are independent of the access technology (2G, 3G,
wireline, etc.) and the underlying network transport technology (ATM,Ethernet, etc.)
• The IP Mobility framework is a functional architecture— There are many alternative implementations
8
IP MobilityKey Principles
• Mobility is based on the user, not the terminal— Users will have a single subscription in a home network
• Security is essential within and between networks— Networks will employ a single network security framework
— Service Level Agreements (SLAs) must exist between all networksusers will roam in
• IP protocols will be used wherever practical— Terminals will support the IP stack (end-to-end packet data)
• The network architecture should be simple— The architecture will employ a single control plane protocol
— The architecture should avoid having anchor points
9
User / Mobile Node / Server Addressing
• Identity of all components based on the IETF NetworkAccess Identifier (NAI)— User, Mobile Node, Serving & Home Domains
— The NAI grammar based on IETF RFC 2486
— The general format is “user@realm” (rccoffin@nortelnetworks.com)
972 684 7737 rccoffin@nortelnetworks.com972 684 -> nortelnetworks.com
972 684 7737 -> rccoffin
NAI/E.164 Interworking
10
In the LSF:• The DHCP server is used to assign local
COAs to the terminals that access thenetwork
• The DNS server in the LSF is used by theterminal for address resolution functions
In the NSF:• The DHCP server is used to assign
temporary IP addresses to roaming mobilenodes that do not have configured(permanent) IP address
• The DNS server is updated with theterminal’s allocated IP address by the DHCPserver and with the terminal’s COA by theMobility Manager
• The Mobility Manager updates the locationof the terminal in the UDS
IP MobilityDNS, DHCP and UDS
Internet
DHCP
SMG
Router
MobilityManager
DNS
LSF NSF
DynamicDNS Update
AddressAllocation
DynamicDNS Update
DHCP
SMG
Router
MobilityManager
DNS
UDS
Location Update
11
IP MobilitySecurity Associations
SMG
AAA
Router
MobilityManager
LSF
NSF
Internet
AAA
SMG
Router
MobilityManager
SA 3
SA 2
SA 1
Visited Network
Home Network
User
CorrespondentNode
Private Network
SA 3SMG
Router
MobilityManager
SA 1
12
IP MobilitySingle SecureControl Channel
AAA
SMG
Router
SMM
AAA
SMG
Router
HMM
CorrespondentNode
Internet
AAA SMG
Router
Service Broker
xAN
• Single protocol for Mobility and AAA functions— AAA functions (Diameter based) are extended to include mobility functions
— NAI based routing relaxes the usage of IPv4 address space
• Single tunnel between LSF and NSF entities through SMG— Service providers maintain only one secure tunnel
— All entities (AAA, UDS, SMM, HMM etc.) can communicate securely
UDS
LSF NSF
13
IP MobilityAddress ManagementEvent Triggering
DHCP
SMG
Router
MobilityManager
DNS
LSFNSF
DynamicDNS Update
AddressAllocation
DynamicDNS Update
DHCP
SMG
Router
MobilityManager
DNS
UDS
Location Update
• User based mobility— Dynamic allocation of IP addresses using NAI— Integrated with DNS/DHCP— Terminal based mobility supported— Trigger for location based services
Internet
Servers
LocationEvent Triggers
14
LocationServers
IP MobilityMessage Flows - Initial Registration
SMG
MobilityManager
LSF
xAN2
xAN1
SMG
Router
MobilityManager
DNS
NSFInternet
Visited Network
Home NetworkRouter
Router
AuthServer
1
2
DHCP
2a
2b
3
3a
3b
4a
5
UDS
4b
4c
Router
15
NAS
PPP followed byCHAP/PAP
Registration with Other Access Networks
TCP/IP
PPP
Apps
IPM
MN Software
Drivers
AccessHMMHA
Home Network
CA
Router
IPM Registration[MIP orDiameter]
SMMFA
Visited Network
Router
MIP SMMFA
Visited Network
Router
Rout
er
PSTN
ISDN
GPRS
802.3
802.11
TCP/IP
PPP
Apps
IPM
MN Software
Drivers
Bluetooth, 802.3, 802.11
Bluetooth, 802.3, 802.11
16
GPRS (and others) Wireless LANInterworking
TCP/IP
PPP
Apps
IPM
MN Software
Drivers
Mobile Node Arbitrator• Transparency between driver and IP layer
• Tunneling and encapsulation
• IP Address manipulation
• Network point of attachment selection
• Network selection on
• Default
• Bandwidth
• Cost
• Signal Strength
• BER
• TOD
• …
GPRS
802.11
Bluetooth
802.3
802.11
17
IP MobilityMessage Flows - Handoff (Same COA)
SMG
Router
MobilityManager
LSF
xAN2
xAN1
SMG
Router
MobilityManager
DNS
NSF
Internet
Serving Network
Home Network
Router
Router
AuthServer
1
2
DHCP
CorrespondentNode
43
6 5
18
IP MobilityMessage Flows - Handoff (New COA)
SMG
MobilityManager
LSF
xAN2
xAN1
SMG
Router
MobilityManager
DNS
NSF
Internet
Serving Network
Home Network
Router
Router
AuthServer
1
2
DHCP
9a
9b
CorrespondentNode
43
5
6
789
10a
11
UDS
10b
Router
LocationServers 10c
19
IP MobilityMessage Flows - Handoff (Inter LSF)
SMG
MobilityManager
LSF
xAN4
xAN3
SMG
Router
MobilityManager
DNS
NSF
Serving Network
Home Network
Router
Router
AuthServer
1
DHCP
9b
CorrespondentNode
43
10aSMG
Router
MobilityManager
LSF
xAN2
xAN1
Visited Network
Router
Router7
2
9
2a
7a11
5
6
8
UDS
10b
Router
Internet
9a
LocationServers
10c
20
.
Subnet1 Subnet2
Home
IKE
KENA
• Fast security setup between two administrative domains— one step and one process vs. two steps and four messages
• Real time sensitive and proactive key distribution— Secure path is setup prior to need, I.e, during handoff
• Multitude of nodes in a sub-network share single security relationship— Distributed vs. point-to-point
• Security on per user (per communication channel) basis— Also supports per session basis
• Centralized key generation and distribution
• Complements IKE and ISAKMP
• Use IKE/ISAKMP for Primary [Home -Subnetwork] security
• Use KENA for Secondary [Sessionbased] security
IP MobilityKey Enabled Network Architecture (KENA)
21
.
Registration Request
• Home IP address is blank• HMM/HA’s IP address is in the clear• User NAI is encrypted• MN’s Layer 2 address is sent in the clear
We achieve PRIVACY and Authentication
Link not Secure Link Secure
Assumptions• Shared Secret or Asymmetric Keys between MN and Home• Secure path between the SMM/FA and Home
IP MobilityKENA over Mobile IP
MN SMM/FA HA
22
MNRegistration Reply
• User NAI is sent in the clear • MN’s IP address is sent in the clear• MN’s Layer 2 address is sent in the clear• K2 and K3 in the clear• K1 and K3 encrypted using Shared Secret
Link not Secure Link Secure
Registration Reply
• MN has K1 for MN-HA path• MN has K3 for MN-FA path
Link Secure K3 Link Secure K2
• SMM/FA now knows the MN’s identity• SMM/FA obtains the MN’s IP address• SMM/FA can map MN’IP address to MN’s
layer 2 address• SMM/FA has key K2 for FA-HA path• SMM/FA has key K3 for FA-MN path
Link Secure K1
IP MobilityKENA over Mobile IP Continued
SMM/FA HMM/HA
23
.• Mobile IP AAA Key Distribution Requirements
• MN and FA authentication
• Protection of user privacy until FA is authorized
• Distribution of keys per MN’s registration session
• Facilitation of Layer 3 encryption
• Central authority for key generation and distribution
• Enhances smooth handoff through proactive keygeneration and distribution
IP MobilityKENA Accomplishes
24
Unified Directory ServicesKey Architectural Principles• Carrier-focused, directory schema for profile
management (end-users and served networks)
• Virtual grouping/context management across all NEs
• Open and extensible directory schema enabling third-party integration
• Integration with leading customer care and billingsystems
• Support carrier-grade requirements for scaleability andavailability
• Allow functionality to be deployed as required bynetwork operator (modularity)
25
ServiceModules
ServiceCore
ServiceManagement
Unified Directory ServicesArchitecture Framework
NetworkElement
NetworkElement
NetworkElement
NetworkElement
NetworkElement
NetworkElement
RADIUS DNS DHCPVirtual
NetworkController
Class ofServiceManager
UnifiedMobilityManager
(HLR)
CertificateAuthority
Network NetworkElement
LDAP APIServerManager
Appl’nServer
ServiceActivation
ServiceAssurance &
CustomerCare
ServiceAccounting/
Billing
UnifiedDirectory
26
topThese auxiliary objectclasses may be
used to modify the “subscription”structural objectclass.
-ipmIpMobileNodeAddress : ipAddress-ipmIpmobileNodeAddressIsPermanent : boolean-ipmIpDhcpServerAddress : ipAddress-ipmMobileNodeIsRegistered : boolean-ipmIpCareOfAddr : ipAddress-ipmNaiLocalServingFunction : string
ipMobilityData
<< Auxiliary >>
* could the subscriptionID in the TBDsubscriptionentry be the NAI for the subscription?
If there are really multiple terminals under eachTBDsubscription, then it’s possible this andother auxiliary object classes must modify thestructural terminal entry as opposed to theTBDsubscription entry.
-is41HlrId : string (HLR serving the Mobile Node)-is41LocationAreaId : integer-is41MscId : string (MSC serving the Mobile Node)-is41Pcssn : string-is41QualInfoCode : integer-is41SysAccessType : integer-is41SysMyType : integer
is41InterworkingData
<< Auxiliary >>
-mapHlrNumber : string-mapMscNumber : string-mapVlrNumber :string
mapInterworkingData
<< Auxiliary >>
Common Schema/DIT Definition
27
Call and Session ManagementMessage Flows - Mobile Initiated Session
SMG
MobilityManager
LSF
xAN2
xAN1
SMG
Router
MobilityManager
DNS
NSF
Internet
Visited Network
Home Network
Router
Router
DHCP
CorrespondentNode
DNS
1
2
AuthServerUDS
Router
28
InternetRouter
Call and Session ManagementMessage Flows - Mobile Terminated Session
SMG
MobilityManager
LSF
xAN2
xAN1
SMG
MobilityManager
DNS
NSF
Visited Network
Home Network
Router
Router
DHCP
CorrespondentNode
1
24
4a
DNS
7
7a
6
AuthServerUDS
1.1
Router
35
3a
5a
29
Call and Session ManagementMessage Flows - Mobile Initiated Call
xAN2
xAN1
AAA+
SecurityGateway
Router
MobilityManager
DNS
NSF
Internet
Visited Network
Home Network
Router
Router
DHCP
AAA+
SecurityGateway
Router
MobilityManager
LSF
DNSCallServer
VoiceGateway
G/WController
PSTN
1 2
4
35 677a
88a8b
99a
9b
9c8c
AuthServerUDS
30
Call and Session ManagementMessage Flows - Mobile Terminated Call
AAA+
SecurityGateway
Router
MobilityManager
LSF
xAN2
xAN1
AAA+
SecurityGateway
Router
MobilityManager
DNS
NSF
Internet
Visited Network
Home Network
Router
Router
DHCP
DNSCallServer
PSTNVoice
Gateway
G/WController
1
23 8c
8a
99a
9b
9c8
4
56
6a
7 7a
8b
AuthServerUDS
31
Conclusions
• System approach makes the Internet fully mobile— Security, Trusted Relationships, Business Relationships
— Directories, Address Management, Address Resolution
— Heterogeneous Access, MAC layer independence
• New “Mobile Client” Paradigm— Not just a phone – rather an information appliance
— Small, Cheap, Very Powerful, …, Soon!
• Mobile Applications already exist— Heterogeneous Applications, TCP/IP layer independence
— Network Aware applications next step