Wireless service integration architecture11

SEMINAR BY: GOPI.N 1MS02EC054

Transcript of Wireless service integration architecture11

8/7/2019 Wireless service integration architecture11

http://slidepdf.com/reader/full/wireless-service-integration-architecture11 1/23


NEXT FEW MINUTES!!!

WHAT IS THIS?

WHY?

HOW?


INTRODUCTION

Figure 1 shows a global architecture of the public wireless Internet. Mobile IP is used throughout the architecture to support user roaming.

Under the new scheme, when the services of the wireless LAN and the cellular network are integrated, the mobile station can move across those networks.

There are two types of roaming: roaming between wireless LANs is defined as horizontal roaming; roaming between a wireless LAN and a cellular network is defined as vertical roaming.


WIRELESS SERVICE INTEGRATION ARCHITECTURE


THE ISSUES IN 802.11 Wireless LAN

IEEE 802.11 service integration functionality

Wireless network security

Service quality


IEEE 802.11 WIRELESS LAN ROAMING


THE RADIUS PROXY

The RADIUS server retrieves the remote server's domain from the user's request, which includes the network access identifier (NAI) in the form identifier@domain_name. The NAI identifies the user's name and the domain to which he or she belongs.

Then it forwards the request to the remote server identified by the domain. The remote server also replies through the forwarding server.
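
The realm lookup described above, as an added Python example that is not part of the original slides. The realm table, host names and local realm are constructed placeholders; treating a name without a realm as local and rejecting unknown realms are assumptions, not statements from the slides.

```python
import re

# Constructed realm table: realm -> (host, port) of the remote RADIUS server.
# The host names are placeholders, not values from the slides.
REALM_ROUTES = {
    "home-isp.example": ("radius.home-isp.example", 1812),
    "partner.example": ("radius.partner.example", 1812),
}
LOCAL_REALM = "hotspot.example"  # assumed realm served by this server itself

# Conservative syntax check: exactly one '@', no whitespace or control
# characters in the user part, realm made of dot-separated DNS-style labels.
_NAI_RE = re.compile(
    r"(?P<user>[^@\s\x00-\x1f]{1,63})@"
    r"(?P<realm>[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+)"
)

def route_request(nai: str):
    """Return ("local", None), ("proxy", (host, port)) or ("reject", reason)."""
    if "@" not in nai:
        return ("local", None)  # no realm given: handled as a local user
    m = _NAI_RE.fullmatch(nai)  # fullmatch also refuses a trailing newline
    if m is None:
        return ("reject", "malformed NAI")
    realm = m.group("realm").lower()  # realms are compared case-insensitively
    if realm == LOCAL_REALM:
        return ("local", None)
    route = REALM_ROUTES.get(realm)
    if route is None:
        # Default deny: forward only to realms with a configured relationship.
        return ("reject", "unknown realm")
    return ("proxy", route)
```
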


THE NETWORK STRUCTURE OF AAA BROKERS


IEEE 802.11 HORIZONTAL ROAMING


The architecture is able to process two horizontal roaming scenarios:

The current IEEE 802.11 device connects to the network via the NAS

Seamless roaming


FLOW DIAGRAM OF NAS/FA


MOBILE IP HANDOFF PERFORMANCE IMPROVEMENT

To roam between a wireless LAN and a cellular network, the mobile station is equipped with corresponding network access interfaces.

The data packets from the corresponding server are routed to the mobile station through its HA. When the mobile station roams to the foreign network, the two network access cards are assigned a temporary care-of address by the FA.

The switching of the two interfaces can be considered a care-of address change in Mobile IP.

This method ensures that the process of network access interface switchover is dealt with using the switching process in Mobile IP.


AUTHENTICATION FOR INTERNET APPLICATIONS


ANALYSIS OF AUTHENTICATION FOR CURRENT INTERNET APPLICATIONS

Various types of authentication with different security requirements may occur in applications running on a mobile station. For clarity, these situations are sorted into three categories:

Authenticating parties share a secret key

Authenticating parties do not share a secret key

Visit the Internet public resource


Characteristics of key negotiation & authentication

The design should be able to adapt to various application scenarios

The number of different messages to the mobile station must be limited compared to the HA

The HA must carry a high computation load compared to the mobile station

The major part of the latency must be in the wireless part. The design goal: the maximum time taken to transmit all messages must be less than 3 sec


A WIRELESS TRANSMISSION PRIVACY MECHANISM


There are a few authentication scenarios. We assume that mobile station 1 (MS1) wants to establish a connection with mobile station 2 (MS2).

MS1 finds MS2's home address and creates a nonce with the corresponding hash value. The nonce is used to verify the identity of MS2. The nonce and its hash value are encrypted by HA1's public key. MS1 sends the authentication request to HA1. The whole message is encrypted by the shared secret key of MS1 and HA1.

HA1 decrypts the message from MS1; HA1 realizes that MS1 intends to authenticate with a third party. HA1 is able to find MS2's HA, HA2, from the IP of MS2. In order to discover if HA2 is legal, HA1 contacts CA for some information on HA2, such as the public key of HA2.


CA decrypts the message from HA1 and verifies IDHA1. CA searches its database, and finds the public keys of both HA1 and HA2 and the device ID of HA2. CA attaches its digital signature and transmits HA1's public key and device ID to HA2 and HA2's to HA1.

HA1 decrypts the message from CA, and gets the public key and device ID of HA2. HA1 stores the pubHA2 and IDHA2 pair. HA1 generates the temporary session key. HA1 forwards the authentication request and temporary session key to HA2. The key is encrypted by HA2's public key. So far, there are two messages in step 3 and 4 sent to HA2. HA2 will buffer the latter if the latter comes before the former.
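
The buffering rule for HA2 described above, as an added Python example that is not part of the original slides. It covers message ordering only: signature verification and decryption are assumed to happen before these handlers are called, and the class name, buffer cap and timeout are assumptions (the timeout borrows the 3 sec design goal stated earlier).

```python
import time

MAX_PENDING = 64     # assumed cap so unknown peers cannot exhaust memory
PENDING_TTL = 3.0    # assumed seconds to wait for the CA message

class HomeAgent2:
    """Ordering logic for the step 3 (CA) and step 4 (HA1) messages at HA2."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.peer_keys = {}  # peer HA ID -> public key learned from the CA
        self.pending = {}    # peer HA ID -> (arrival time, step 4 message)
        self.accepted = []   # step 4 messages released for processing

    def _expire(self):
        # Drop buffered requests whose CA message never arrived in time.
        now = self.clock()
        stale = [p for p, (t, _) in self.pending.items() if now - t > PENDING_TTL]
        for peer in stale:
            del self.pending[peer]

    def on_ca_message(self, peer_id, peer_pubkey):
        """Step 3: CA-signed public key and device ID of the peer HA."""
        self._expire()
        self.peer_keys[peer_id] = peer_pubkey
        buffered = self.pending.pop(peer_id, None)
        if buffered is not None:
            self.accepted.append(buffered[1])  # release the early step 4 message
            return "released"
        return "stored"

    def on_forwarded_request(self, peer_id, message):
        """Step 4: authentication request and session key from the peer HA."""
        self._expire()
        if peer_id in self.peer_keys:
            self.accepted.append(message)
            return "accepted"
        if peer_id not in self.pending and len(self.pending) >= MAX_PENDING:
            return "dropped"  # buffer full: refuse rather than grow unbounded
        self.pending[peer_id] = (self.clock(), message)
        return "buffered"
```
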


Similar to step 1, MS2 starts authentication with HA2 using a nonce and its hash value pair.

After HA2 verifies the identity of MS2, HA2 sends MS1's identity information and the session key to MS2. HA2 also sends MS2's identity information to HA1.

MS2 sends a confirmation to HA2 and contacts MS1 by using a new nonce and its hash value encrypted by the session key.

HA1 sends MS2's identity information and the session key to MS1.

MS1 sends a confirmation message to HA1 and replies to MS2 by sending the hash value of the new nonce.

MS2 verifies the received message from MS1.


SCHEME VARIATIONS IN VARIOUS AUTHENTICATION SCENARIOS

A mobile station to a fixed Internet server

A fixed Internet server to a mobile station

A mobile station to another within the same home network

A mobile station to a home agent and a home agent to a mobile station


Scheme variations in other authentication scenarios:


CONCLUSION

In this article a network architecture and a set of signaling mechanisms are developed to support current available wireless LAN hot spot roaming.

Offers a smooth transition of wireless LAN hot spots from non-roaming-supported to seamless-roaming-supported, so previous investment is protected.

A fast network switchover mechanism is available to improve the performance of streaming applications.

Wireless transmission security is carefully considered.

The results can enable wireless LAN roaming, enhance wireless communications, and speed up deployment of public wireless LAN applications.


THANK U