
March 2006

Thomas Haslestad et al, Telenor R&D

Slide 1

doc.: IEEE 802.11-06/0353r0

Submission

[A presentation of the OBAN concept: An IST Project under EC’s 6th Framework]

Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.

Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures <http:// ieee802.org/guides/bylaws/sb-bylaws.pdf>, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair <[email protected]> as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at <[email protected]>.

Date: 2006-03-07

Authors (Name; Company; Address; Phone; email):

Thomas Haslestad; Telenor R&D; Snarøyveien 30, 1331 Fornebu, Norway; +4797082034; [email protected]

Einar Edvardsen; Telenor R&D; Snarøyveien 30, 1331 Fornebu, Norway; +4791529029; [email protected]

Tor-Hjalmar Johannessen; Telenor R&D; Snarøyveien 30, 1331 Fornebu, Norway; +4797542737; [email protected]

Slide 2

Abstract

• This presentation introduces the concept of OBAN (Open Broadband Access Network), a European-funded project under the IST 6th Framework Programme.

• The presentation focuses on the mobility architecture and on the challenges and potential solutions for fast handovers.

Slide 3

Open Broadband Access Networks

IST 6FP Contract No 001889

Project Presentation

Slide 4

OBAN in brief

Duration: 3 years, 2004/1 – 2006/12

Budget/EC contribution: 11/5 M€

14 partners coordinated by Telenor:

• 4 telecom operators (Telenor, Telefonica, Swisscom, France Telecom)

• 6 industrial partners (Lucent (NL), Birdstep (N), ObexCode (N), Motorola (I), EuroConcepts (I), Lucent (UK))

• 3 universities/institutes (Sintef (N), Techn. Univ. Berlin (D), ISMB (I))

• 1 national telecom regulator (NPT (N))

Slide 5

Main objective

To explore how a high performance broadband mobile network based upon wireless LAN technology and unused capacity in the fixed access networks can be established.

Figure labels: ADSL modems, VDSL modems, optical cables, cable modems; any wireless LAN; by-passing user.

Slide 6

Rationale behind

• Most users will in a few years have broadband access over the fixed network

• The capacity of these access lines is poorly exploited

• Wireless LAN technology is getting popular as the dominant home networking technology

• Wireless LANs have large capacity and are often poorly exploited

• OBAN intends to investigate how the public can obtain access to these resources and what kind of services can be provided over this network.

Slide 7

Rationale behind (cont’d)

Coverage per base station in mobile networks:

• GSM (14 kb/s) - 50 km2 (r < 4 km)

• UMTS1 (384 kb/s) - 3 km2 (r < 1 km)

• UMTS2 (2 Mb/s) - 1 km2 (r < 600 m)

• 4G (< 20 Mb/s) - 0,03 km2 (r < 100 m)

Chart: number of base stations per technology (GSM, UMTS 1/2, 4G), up to >100 000 (Norway).

The high number of base stations in broadband mobile networks requires a new broadband infrastructure to feed all base stations. The required investments will therefore be extremely high. The OBAN project introduces an alternative way to achieve the same, but at much lower cost.

Slide 8

Areas of focus to reach the main objective

Security: because we are opening up today’s privately disposed access lines and wireless LANs for public use

Mobility: because we need to know what degree of mobility can be provided in areas of randomly located WLAN access points connected over the fixed network’s access lines

QoS: because we want to know how to provide QoS to users in a heterogeneous network composed of technologies with limited QoS abilities

Slide 9

Areas of focus to reach the main objective

3G/B3G: to explore and evaluate how the OBAN concept can be integrated with the 3G/B3G visions

Coverage: to estimate the potential coverage and capacity of an OBAN network. Smart antennas are investigated in order to improve network performance

Commercial: to investigate how the OBAN concept may be utilised commercially and how legal and regulatory issues may affect large-scale deployment

Slide 10

Areas of focus to reach the main objective

The RG (Residential Gateway) is the key component in the system and needs extensive investigation through implementation to verify the concept.

Slide 11

..the wireless RG.. ..a key component in the concept

Figure labels: Broadband access line (xDSL); wRG; Open Access capacity; Guest; GSM, UMTS, …; Local traffic (in-house and external).

Concept associated patent: 03754318.8-2416-NO0300339

Slide 12

Slide 13

The concept contains numerous challenges

• How to match QoS in the legacy network with what can be achieved in a wireless LAN, and while traversing from RG to RG?

• Mobility aspects – nomadic or continuous mobility

• Security and authentication

• Roaming agreements between

– different network operators

– owners of RGs

• How to deal with the large variety of terminals?

• Interference between RGs and with other equipment – frequency planning

• Business models and commercial aspects

Slide 14

The Security & Mobility Challenge

Slide 15

Security and mobility (2)

• The security level expected for the OBAN architecture has to coexist with strong time and QoS constraints.

• The goal of 120 ms maximum handover latency implies that a full authentication, which involves several actors and as many round-trip times, is not acceptable.

• Fast handover requires an authentication mechanism that only involves the terminal and the RGW.

• Security in relation to fast re-authentication during handoff – two potential solutions:

– delayed authentication

– fast hand-over using Kerberos tickets

Slide 16

WiFi Challenges in the OBAN concept

• No preprocessing of keys and session parameters by the network to prepare the handover in advance.

– 2G and 3G do this by default.

• An STA can only be associated with one AP at a time.

• After sensing a beacon, the mobile station must negotiate with the next AP, which in turn must perform a full RADIUS round trip with the ISP to handle AAA and the security session.

– In practice, a re-authentication (roaming) based on e.g. EAP will include a full, time-consuming RADIUS round trip involving STA, AP and ISP(s). In addition: rerouting of traffic, as well as 802.1X functions for port control and crypto session establishment on the radio link.

Slide 17

Handover Task - Time Considerations

Figure: timeline of the handover phases T1 to T5. The handover starts at T1 and the session continues after T5; the whole span is the interruption delay. The session-oriented phases are marked "< 100 ms", the security-oriented phases ">> 150 ms (!)".

T1: Beacon + physical connection setup between the STA and the next AP/RGW

T2: Messaging of session parameters, including the STA’s ID / authentication info, between the VU and the next AP/RGW

T3: Processing of rerouting the traffic to and from the STA via the new AP

T4: AAA round trip for re-authentication of the STA between AP/RGW and the H-ISP of the STA

T5: 802.1X port handling and IKE-based encryption of the radio link between VU and AP

Slide 18

High level Architecture

OBAN deliverable D27

Slide 19

Mobility Broker

• A node serving a geographical area, composed of several RGWs

• Makes the access network look like a conventional WLAN/IP network, such that standard mechanisms can be reused

• Simplifies the hand-off complexity and reduces signalling round trips by managing mobility, security and QoS events locally during hand-off

Figure (architecture diagram): VU (with session parameters) – RGW1 / RGW2 (FA1 / FA2, residential users (Res.User)) – DSLAM (e.g.) – BRAS1 / BRAS2 – Broadband Network – Mobility Broker (AAA proxy) – OBAN-ISP (AAA server, V-User profiles) – ISP RU-1 and H-ISP RU-2 (AAA proxies, R-User profiles, HA (VU)). A hand-off path is marked between the two RGWs.

Slide 20

Fast Handover using Kerberos tickets

• Using Kerberos tickets for fast and secure layer 2 authentication

– The ticket consists primarily of an access key and an encrypted timestamp, with a key known to the issuer and the final recipient

• Issuer = Mobility Broker

• Final recipient = RGW

– The ticket is issued to the client (user terminal) and encrypted with a key that is in the possession of the client (shared secret)

– The client uses the ticket for authentication towards the RGW

• Proves that it possesses the session key within the ticket

– by encrypting a challenge from the RGW with the session key

• The RGW also checks that the timestamp has not expired

Slide 21

Fast Handover using Kerberos tickets

• First-time authentication

– No tickets => full authentication towards the HAAA, i.e. anything that generates a session key (e.g. EAP-SIM)

– The final EAP SUCCESS is not proxied to the terminal but exchanged in the Mobility Broker with a Ticket-Granting Ticket

– The terminal requests a suitable set of tickets from the MB

– EAP SUCCESS is then finally delivered

– The MB is geographically aware

• Successive re-authentication

– Only between terminal and RGW
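As an added illustration of the ticket scheme on slides 20 and 21 (example code written for this page, not OBAN project code), the Python below models the three parties: the Mobility Broker seals a session key, an issue timestamp and the client identity into a ticket under a key it shares with the RGW, hands the ticket plus the session key to the terminal under the key the terminal obtained through its first full authentication, and the RGW later re-authenticates the terminal with a challenge whose answer must be computed with the session key, after checking that the ticket’s timestamp has not expired. The `seal`/`unseal` helper (a SHA-256 counter keystream plus HMAC-SHA256, a toy stand-in for the Kerberos cipher), the `TICKET_LIFETIME` of 300 s, the byte layout of the ticket, and the use of an HMAC over the challenge in place of encrypting it are all assumptions made here, not details given by the slides.

```python
"""Kerberos-style ticket handover (terminal, Mobility Broker, RGW), added example.
The seal/unseal helper, ticket layout and lifetime are assumptions for this page."""
import hashlib
import hmac
import os
import struct

TICKET_LIFETIME = 300.0   # seconds a ticket stays valid; assumed, the slides give no value
KEY_LEN = 32              # session key length in bytes (assumed)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream: a toy stand-in for the Kerberos cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under key: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on tampering or a wrong key."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def mb_issue_ticket(k_client: bytes, k_rgw: bytes, client_id: bytes, issued_at: float) -> bytes:
    """Mobility Broker: ticket = {session key, timestamp, client id} under the MB-RGW key;
    the terminal receives {session key, ticket} under its own shared secret."""
    session_key = os.urandom(KEY_LEN)
    ticket = seal(k_rgw, session_key + struct.pack(">d", issued_at) + client_id)
    return seal(k_client, session_key + ticket)


def client_open(k_client: bytes, credential: bytes):
    """Terminal: recover the session key and the opaque ticket."""
    plain = unseal(k_client, credential)
    return plain[:KEY_LEN], plain[KEY_LEN:]


def client_prove(session_key: bytes, challenge: bytes) -> bytes:
    """Terminal: answer the RGW challenge with the session key (HMAC stands in for encryption)."""
    return hmac.new(session_key, challenge, hashlib.sha256).digest()


def rgw_verify(k_rgw: bytes, ticket: bytes, challenge: bytes, response: bytes, now: float) -> bool:
    """RGW: open the ticket, reject expired timestamps, then check the challenge answer."""
    try:
        plain = unseal(k_rgw, ticket)
    except ValueError:
        return False
    session_key = plain[:KEY_LEN]
    issued_at = struct.unpack(">d", plain[KEY_LEN:KEY_LEN + 8])[0]
    if issued_at > now or now - issued_at > TICKET_LIFETIME:
        return False
    return hmac.compare_digest(client_prove(session_key, challenge), response)


def handover(k_client: bytes, k_rgw: bytes, credential: bytes, now: float) -> bool:
    """One re-authentication: only the terminal and the RGW take part."""
    session_key, ticket = client_open(k_client, credential)
    challenge = os.urandom(16)                       # RGW -> terminal
    response = client_prove(session_key, challenge)  # terminal -> RGW, together with the ticket
    return rgw_verify(k_rgw, ticket, challenge, response, now)


if __name__ == "__main__":
    k_client, k_rgw = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    cred = mb_issue_ticket(k_client, k_rgw, b"sta-01", 1000.0)
    print("fresh ticket accepted:", handover(k_client, k_rgw, cred, 1010.0))
    print("expired ticket accepted:", handover(k_client, k_rgw, cred, 1000.0 + TICKET_LIFETIME + 1))
```

Only `handover()` runs per re-authentication, and it involves nothing but the terminal and the RGW: neither the MB nor the home AAA is on the path, which is the property the slides rely on to get under the 120 ms budget. A ticket sealed under a different RGW key fails the integrity check and is rejected, and an expired ticket is rejected before the challenge answer is even compared.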

Slide 22

Fast Handover using Kerberos tickets

• Delay estimation: network authentication + MIP registration = total delay

– Full auth: <120-290 ms> + <35-100 ms> = <155-390 ms>

– Re-auth in same domain: <10-40 ms> + <25-45 ms> = <35-85 ms>

– Re-auth in different domain: <10-40 ms> + <35-100 ms> = <45-140 ms>

• Standard compliance: “the full authentication” does not comply with the EAP requirement regarding the sequence of methods.

Slide 23

Delayed Authentication (Patent Pending)

• Open the 802.1X port for user traffic as fast as possible, before the security functions/authentication are completed.

• The full AAA round trip is executed while user traffic from the STA is already flowing.

• New / increased security risks:

– Unaccounted user traffic for a few seconds

– No encryption on the radio link

– Potential DoS attacks (in addition to those already existing)

Slide 24

Delayed Authentication

Figure: timeline T1 to T5. The handover starts at T1; the session is discontinued for < 100 msec (!) before it continues. It then runs as a continued but unsecured session for some seconds until full security is established, after which the traffic is secured and accounted.

Slide 25

Delayed Authentication: Security countermeasures

• Introduce a timer to limit the maximum pending time for a RADIUS response (success or reject)

• Allow the AP to cache and block MAC addresses with repeated failing attempts

• Policy selector: monitor accounted vs. unaccounted traffic and allow toggling back to the standard 802.11 state machine (i.e. standard policy) if the unaccounted level is bad (toggle back after a configurable time)

Slide 26

Consequence 1: Change of the IEEE State model

Introducing a new state: Pending_Authenticated

State diagram (allowed frame classes per state):

• UnAuthenticated / UnAssociated: class 1 frames allowed

• Authenticated / UnAssociated: class 1 & 2 frames allowed

• Authenticated & Associated: class 1, 2 & 3 frames allowed

• Pending_Authenticated / Associated: class 1, 2 & 3 frames allowed

Transitions shown: Successful Authentication; DeAuthentication Notification

Slide 27

Consequence 2: Changes needed in the 802.1X implementation

• Must allow class 3 traffic (both STA and AP)

• Extra robustness functions to minimize the new risks (timer, MAC cache etc.)

• Compensation functions to account for STA traffic conveyed before a successful RADIUS response. (STA traffic conveyed before a RADIUS reject, timer expiry etc. cannot be accounted for.)
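The following Python, added as an example for this page and not code from the OBAN project, turns the delayed-authentication state model (slide 26), the countermeasures on slide 25 and the 802.1X changes on slide 27 into a small port model: a station that associates while the delayed policy is active goes straight to Pending_Authenticated/Associated and may send class 3 frames; its bytes are counted as unaccounted until a RADIUS accept arrives, at which point the compensation step moves them to the accounted total; a RADIUS reject or a pending-timer expiry drops it back to unauthenticated (its bytes stay unaccounted, as slide 27 states), repeated failures put the MAC in a block cache, and the policy selector switches the AP back to the standard 802.11 state machine for a configurable hold time once the unaccounted volume exceeds a threshold. The class names, the threshold values and the station/port API are assumptions made here.

```python
"""Delayed authentication on an AP/RGW port, modelled as an added example.
States, frame classes, timer, MAC cache and policy selector follow the slides;
the API, thresholds and data layout are assumptions made for this illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# IEEE 802.11 states plus the new Pending_Authenticated state (slide 26)
UNAUTH_UNASSOC = "UnAuthenticated/UnAssociated"
AUTH_UNASSOC = "Authenticated/UnAssociated"
AUTH_ASSOC = "Authenticated/Associated"
PENDING_ASSOC = "Pending_Authenticated/Associated"

# Frame classes each state may carry; the pending state admits class 3 (slide 27)
FRAME_CLASSES = {
    UNAUTH_UNASSOC: {1},
    AUTH_UNASSOC: {1, 2},
    AUTH_ASSOC: {1, 2, 3},
    PENDING_ASSOC: {1, 2, 3},
}


@dataclass
class Station:
    state: str = UNAUTH_UNASSOC
    pending_since: Optional[float] = None   # when the RADIUS timer started
    unaccounted_bytes: int = 0              # bytes conveyed before a RADIUS answer


@dataclass
class DelayedAuthPort:
    radius_timeout: float = 3.0          # max pending time for a RADIUS response (assumed value)
    max_failures: int = 3                # failures before a MAC is blocked (assumed value)
    unaccounted_limit: int = 1_000_000   # bytes of unaccounted traffic tolerated (assumed value)
    standard_policy_hold: float = 60.0   # seconds to stay on the standard policy (assumed value)
    stations: Dict[str, Station] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)
    blocked: Set[str] = field(default_factory=set)
    accounted_total: int = 0
    unaccounted_total: int = 0
    standard_policy_until: float = 0.0

    def delayed_policy_active(self, now: float) -> bool:
        """Policy selector state: delayed auth unless toggled back to standard 802.11."""
        return now >= self.standard_policy_until

    def associate(self, mac: str, now: float) -> str:
        """Association request; returns the state the station ends up in."""
        if mac in self.blocked:                     # MAC cache of repeated failures
            return UNAUTH_UNASSOC
        if self.delayed_policy_active(now):         # open the port before AAA completes
            st = Station(PENDING_ASSOC, pending_since=now)
        else:                                       # standard policy: closed until EAP success
            st = Station(UNAUTH_UNASSOC)
        self.stations[mac] = st
        return st.state

    def forward(self, mac: str, frame_class: int, nbytes: int, now: float) -> bool:
        """Forward a frame if the station's state admits its class; track accounting."""
        st = self.stations.get(mac)
        if st is None or frame_class not in FRAME_CLASSES[st.state]:
            return False
        if st.state == PENDING_ASSOC:
            st.unaccounted_bytes += nbytes
            self.unaccounted_total += nbytes
            if self.unaccounted_total > self.unaccounted_limit:   # unaccounted level is bad
                self.standard_policy_until = now + self.standard_policy_hold
        elif st.state == AUTH_ASSOC:
            self.accounted_total += nbytes
        return True

    def radius_result(self, mac: str, accepted: bool) -> Optional[str]:
        """RADIUS accept/reject for a station; returns its new state."""
        st = self.stations.get(mac)
        if st is None:
            return None
        if accepted:
            st.state = AUTH_ASSOC
            st.pending_since = None
            # compensation: traffic conveyed while pending is now attributable
            self.accounted_total += st.unaccounted_bytes
            self.unaccounted_total -= st.unaccounted_bytes
            st.unaccounted_bytes = 0
            self.failures.pop(mac, None)
        else:
            self._fail(mac, st)
        return st.state

    def tick(self, now: float) -> None:
        """RADIUS timer: expire stations still pending after radius_timeout."""
        for mac, st in self.stations.items():
            if st.state == PENDING_ASSOC and now - st.pending_since > self.radius_timeout:
                self._fail(mac, st)

    def _fail(self, mac: str, st: Station) -> None:
        # Bytes already conveyed cannot be accounted for; they stay in unaccounted_total.
        st.state = UNAUTH_UNASSOC
        st.pending_since = None
        self.failures[mac] = self.failures.get(mac, 0) + 1
        if self.failures[mac] >= self.max_failures:
            self.blocked.add(mac)
```

The `tick()` timer and the `blocked` set bound the two new risks named on slide 23 (unaccounted traffic and DoS by repeated attempts), while `unaccounted_total` is exactly the quantity the policy selector watches: once it crosses the limit, new associations are handled by the standard closed-port behaviour until the hold time has passed, after which the delayed policy resumes.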

Slide 28

Possible gain

• Applications with strict real-time requirements can be handled more comfortably also in the mobile case, giving increased popularity and new business opportunities

• Seamless functionality also delivered with high-speed broadband:

– 2G/EDGE: max ~200 Kbit/s

– 3G/UMTS: ~400 Kbit/s

– 802.11(): 1 Mbit/s ++

• Enabling true roaming for 802.11-based access networks

Slide 29

Thanks for your attention

• Questions?

Slide 30

Contact information

Coordinator: Telenor R&D, Snarøyveien 30, N-1331 Fornebu, Norway

+47 6789 0000

Project manager: Einar Edvardsen

+47 915 29029

[email protected]

URL: www.ist-oban.org

Slide 31

References

• OBAN Consortium [online] http://www.ist-oban.org

• M. G. Jaatun, I. A. Tøndel, M. B. Dahl, and T. J. Wilke, “A Security Architecture for an Open Broadband Access Network,” in Proceedings of the 10th Nordic Workshop on Secure IT Systems (Nordsec), 2005.

• E. Edvardsen, T. G. Eskedal, and A. Arnes, “Open Access Networks,” in INTERWORKING, ser. IFIP Conference Proceedings, C. McDonald, Ed., vol. 247. Kluwer, 2002, pp. 91-107.

• M. G. Jaatun, I. A. Tøndel, F. Paint, T. H. Johannessen, J. C. Francis, and C. Duranton, “Secure Fast Handover in an Open Broadband Access Network using Kerberos-style Tickets,” in IFIP SEC 2006, 21st IFIP TC-11 International Information Security Conference.

• G. J. Hoekstra, O. Østerbø, R. Schwendener, J. Schneider, F. J. M. Panken, and J. van Bemmel, “Quality of Service Solution for Open Wireless Access,” submitted to the 14th IST Summit, Dresden, 19-23 June 2005.

• E. Edvardsen, “Fixed and Mobile Convergence,” BroadBand Europe 2004. [Online]. Available: https://medicongress.be/UploadBroad/Session%2009/Paper%2009-01.pdf

• T.-G. Eskedal, R. Venturin, I. Grgic, R. Andreassen, J. C. Francis, and C. Fischer, “Open Access Network Concept, a B3G Case Study,” in Proceedings of the 13th IST Mobile & Wireless Communication Summit, 2003.