A New EAP-based Signaling Protocol for IEEE Wireless LANs

Transcription

1 A New EAP-based Signaling Protocol for IEEE Wireless LANs Artur Hecker, Houda Labiod Département Informatique et Réseaux GET/Télécom Paris, LTCI-UMR 5141 CNRS 46 rue Barrault, Paris Cedex 13, France {hecker, Abstract In this paper, we propose a generalization of the 802.1X architecture introducing a new EAP-based protocol capable of transporting signaling data for various new purposes in future IEEE WLANs (Wireless Local Area s). The user will have the possibility of choosing between various services in different networks managed by different administrative authorities. We analyze the implications of the prevalent 802.1X access control usage in this context. We illustrate several negative effects instancing early service discovery and IP micromobility support. To overcome these difficulties arising from the missing signaling, we develop EAP- SIG (Extensible Authentication Protocol - SIGnaling), an effective and easy-to-implement generic signaling protocol for future wireless LANs. We discuss the advantages of this approach and provide some implementation guidelines. Our approach is extensible, being capable of transporting any signaling payload with a security support. Our approach does not require any changes to IEEE and 802.1X standards. Keywords-wireless access; system design; 802.1X; IEEE , EAP, EAP/SIG. I. INTRODUCTION Wireless local area networks (WLAN) have received a lot of interest in the last years resulting in the development and release of numerous standards like HIPERLAN2, HomeRF and IEEE Although originally meant as a mere wire replacement for the wired Ethernets (IEEE 802.3), the standard [1] has become the technology of choice for the emerging Wireless Internet Service Providers (WISP) and hotspot operators. Several international network operators (Orange, T-Mobile, Vodafone, etc.) already offer access to their data services. In the light of these events, is also actively discussed as an access network technology candidate for the future 4 th generation cellular networks. However, if is to be used in the 4G scope, it desperately needs additional signaling mechanisms. For now, as a pure LAN, only defines some indispensable access related signaling on a very low level [1]. However, as an access network in 4G, it will need to provide users means for service discovery, quality of service, inter-domain mobility support and, from the point of view of an operator, additional management functions. The latter include both terminal and network management. Future WLANs will thus require a flexible signaling channel between the concerned instances (as e.g. in GSM or Bluetooth). Obviously, enterprise-level WLANs and public hot spots could also profit from these new opportunities. Yet the standard does not natively provide any distinct signaling channels. Generally, no data communication is possible prior to authentication. Second, while the establishment of such signaling channels after the link layer (L2) access is feasible (e.g. on higher layers), it suffers from higher access delays and needs a delay-prone service endpoint discovery. We illustrate these shortcomings through the examples of service discovery mechanisms and micromobility support. The expected access control and security enhancement for the WLANs currently being finalized in the Task Group I of the IEEE Working Group is based on the IEEE 802.1X standard for port-based network access control [2] X features a centralized network access control architecture by defining a station authentication framework using IETF s Extensible Authentication Protocol (EAP). EAP [3] serves as a method-independent authentication payload transporter. We expect future WLANs to implement the new L2 security standards. In this paper we propose a generalization of the 802.1X framework using EAP as a flexible signaling transporter for future WLANs. We propose an implementation for our approach. Our implementation is a software solution and easy to deploy. It is backwards compatible with the existing WLANs since it does not require any changes to the and 802.1X standards. We then show how our approach can help to resolve the problems discussed above. Finally, we discuss some further new opportunities proposed by our approach and give a conclusion. II. RELATED WORK IETF s EAP WG is currently working on several issues regarding EAP. It has recently released the new base EAP standard reflecting the new usage scenarios of EAP [3]. Current work includes clarifications on the key framework and the EAP state machine. A panoply of new authentication methods has been proposed for EAP including e.g. EAP/TTLS, PEAP,

2 EAP/AKA and EAP/PSK. The new EAP base standard reflects this popularity by extending the number space reserved for the new EAP types. Probably the most close work is the EAP network selection problem discussed in [4]. The authors define a mechanism to enable a wireless client to discover roaming partners of an access network over EAP. From our point of view, it is a valid example of the EAP signaling. The main difference between the two propositions is that the authors propose a solution for a special problem whereas we try to establish a generic signaling channel much in the same manner as EAP serves as a generic authentication transport & 3G Terminal IP core (3G) (other) III. FUTURE WLAN ENVIRONMENT A. WLANs in the 4G scope Several major operators, 3GPP and others currently discuss the usage of in the 4G scope. Though the current 4G vision is still quite blur, we expect 4G work to focus on the integration of heterogeneous access technologies rather than to try to enhance the terminal links. Our 4G vision thus basically follows the 4G All-IP approach [5]. This is represented in Figure 1 where a common IP core (e.g. the Internet or a reserved part of it) interconnects different access networks such as 3G, , , etc. Combined terminals capable of establishing physical connections to different network types will need to be able to use available services transparently, independently of the access technology. Because of its relatively limited coverage but attractive prices, several independently operated access networks are likely to co-exist in the popular public areas such as business venues, city centers or airports. These networks will thus overlap with each other offering users different services. The offered services could vary from the basic L2 connectivity to typical Internet-services like SMTP, HTTP and more sophisticated services (seamless mobility support, telephony, Instant Messaging, etc.) Evidently, common access protocols and free service discovery are crucial in such an environment since otherwise the users will be required to have valid subscriptions with all potential operators. Instead, we expect the users to follow the concept of the virtual operator (VO) [6], validating one existing subscription over different access networks using his operator s roaming agreements. Also, some access networks could access the IP core by the means of another access networks. A typical example would be an WLAN accessing the backbone over a MAN or a different WLAN, thus building a radio mesh network. Security will also be a major concern in 4G. We expect future operators to protect their physical infrastructure and thus to establish a reliable L2 network access control. More precisely, we presume that any network technology provides appropriate L2 network access control measures. In particular, the access networks will use the i security [7] with the underlying 802.1X access control. Figure 1 Future WLANs in the 4G context B. Anticipated Shortcomings of in 4G 1) Common Protocol The service access problem in a heterogeneous environment can be solved by using some higher level protocol (e.g. IP because of its pervasiveness) as a common access protocol. However, in presence of the aforementioned L2 access control this solution is not very efficient since it merely doubles the access control measures and the associated delays. Besides, a higher level access method will have to additionally perform an access router discovery (usually involving broadcast) and a higher level configuration. Conversely, leaving the access control untouched (i.e. limited to the respective link layer access control) lacks integration, necessary for a consistent 4G access. 2) Discovery The roaming user faces the problem of choice between different available access networks. One of the problems is e.g. the selection of a network having a roaming agreement with the user s virtual operator [4]. However, even supposing that all users can freely roam in all networks, the problem of choice persists. If presented with two available networks of the same technology, how can a user decide which network to choose? Natively, only delivers a SSID an abstract network identifier without any guarantees. The user thus needs to fetch some network information in before he finally accesses the network. Such information could include e.g. the prices and the available services for this user (if an authentication is already possible). Practically, this could be easily achieved by the means of an existing service discovery protocol [8][9][10]. However, as data exchange protocols these can not be currently used prior to the successful L2 network access. Using these protocols after the L2 network access is a twofold problem. First, this is much less efficient since the actual L2 network access procedure has to be completed and higher level configuration and service discovery procedures have to be accomplished first. The latter will unavoidable involve broadcast messaging or a station pre-configuration. Second, in the commercial networks the user will be (unfairly) billed before being able to choose, since the billing is typically activated immediately after a successful L2 access.

3 Figure 2 Simulation setup 3) Mobility Support User mobility support appears as an interesting feature since users might want to quickly transfer their open sessions to the neighboring networks. L2 mobility and context transfer support for the WLANs is being developed in the Task Group F of the Working Group. The developed Inter Point Protocol (IAPP) [11] provides the necessary context transfer mechanisms between the old and the new access points and also features a proactive mode. L2 mobility can be very efficient but in the presented context it has two main disadvantages. First, the L2 mobility does not fit in a heterogeneous environment with different L2 technologies. E.g f does not provide 3G to mobility support. Second, the L2 mobility tightly couples the network elements, effectively forming one administrative domain. L2 mobility solutions generally aim LAN-scale network installations since the IP address remains unchanged during all movements. If the IP has to be changed, higher level mobility protocols have to be used in order to provide a seamless handover. Hence, IP mobility solutions seem more appropriate in the heterogeneous network context. However, we argue that IP mobility performance can be disturbed by the presence of a 802.1X access control. We have studied the practical 802.1X delays performing different network access delay measurements in our small test environment with a 802.1X access control. Though our AAA server was in the same network segment as the two access points (<1ms round trip time), the conclusion for all tested EAP authentication methods (EAP/TTLS, PEAP and EAP/TLS) was that the application traffic (CBR traffic over UDP, 50 byte packets sent every 10ms) from/to our client was interrupted for about 1s. This value seems to be confirmed by others [12]. For demonstration purposes, we then used the micromobility simulation suite from the Columbia University [13] under the Simulator 2 and tested the HAWAII and the HFA implementations [13] introducing traffic interruptions on the wireless link. The simulated environment is shown in Figure 2. While the mobile node moves along the illustrated axis from point 0 to point 360 and back, it receives constant bit rate (CBR) traffic (10ms interleave) from the corresponding host (CH), delivered through the used micromobility access network. Without our traffic interruptions no packet loss occurred in spite of L3 handovers (negligible packet loss occurred in HFA). In order to simulate the previously measured 802.1X delay, we interrupted the traffic at three different fixed locations for an average time of 1s (0.1s variation) in each case and could measure a linear increase of the packet loss with the number of L2-handovers. In all three schemes we observed about 8-10% packet loss, which corresponds quite exactly to the simulated environment (one L2 handover of 1s every 12s). We thus conclude that the tested micromobility suites were not able to correct the 802.1X delay of 1s. Even if the 10% packet loss is not per se a bad result, it linearly depends on the L2-handover frequency and proves that with 802.1X the L2-delay can not be considered negligible anymore an assumption which is typically made when designing an IP micromobility protocol [14]. This is analyzed in details in [15]. IV. PROPOSED SOLUTION A. Pervasiveness of EAP: Common Protocol As has been explained before, relying on a higher level access protocol is not efficient while using the native access protocols lacks integration. An alternative to this problem is to find a common part of the used L2 access protocols, to extract it and to transport it by the means of the respective technologies. This would separate the actual access logic from the communications specifics. This protocol would have to be very flexible and simple, being able to transport the security and signaling payloads over different media prior to the higher level access (IP). Originating from the dial-up access control architectures as an alternative to PAP and CHAP [16], EAP can currently be used over a panoply of transport protocols including PPP [17], various AAA protocols [18], IP, UDP, EAPOL [2] and finally EAP itself. Because of this, EAP can be directly used as a user authentication protocol in 2G, 3G, xdsl, dial-up and virtual private networks (over PPP), in wired and wireless Ethernets (over EAPOL) and on higher layers using either IP or UDP or AAA as transport protocols.. EAP thus covers a vast variety of the popular user equipment. Since its introduction for 802, EAP has gained a tremendous popularity. Today, EAP-based authentication methods comprise certificate and password based authentication but also permit the usage of GSM SIM cards [19], SecureID tokens etc. Given that reliable authentication protocols are difficult to design and using the EAP independence of the used medium, we propose to use EAP as the common access protocol in 4G.

4 B. Basic Idea Since the authentication is only one task of the access protocol, the main idea is to extend EAP to build a generic signaling channel. Principally, this could be done by designing a replacement protocol for EAP. However, it can be achieved more easily and preserving full backward-compatibility with the deployed equipment by defining a new EAP method, EAP/SIG. C. EAP/SIG EAP/SIG is defined as any other EAP method but is not limited to authentication transport. As a signaling transport protocol, EAP/SIG is capable of transporting arbitrary payloads much in the same manner as EAP transports arbitrary authentication payloads. Additionally, EAP/SIG provides a fragmentation support. To reuse the existing authentication protocols, EAP/SIG permits to transport the actual authentication payload as is, by encapsulating it in its own message format. By using the EAP Response/Identity, EAP/SIG also features a datagram mode enabling asynchronous message exchanges with the network. EAP/SIG is typically initiated by the user by issuing the activation method of the transporting mechanism (e.g. Start in EAPOL). It can also be activated by the network by sending the EAP Request/Identity datagram [3]. The usage of EAP/SIG provides the following advantages: EAP is IP-independent and can be used during the L2 access phase Since all 802.1X APs blindly forward the EAP/SIG PDUs to a predefined central server, EAP/SIG provides a direct channel from the user to the authoritative network instance without requiring any delay-prone solicitation or advertisement broadcast messages. EAP/SIG does not require any changes to the base EAP, the 802.1X framework or the standard. EAP/SIG is particularly easy to deploy in the networks: since the access points do not need to implement the EAP/SIG method, the installation is limited to one single server. We show now how EAP/SIG can be used on the example of a user connecting to networks co-existing in the same geographic area. D. Resulting Architecture The network architecture applying EAP/SIG is shown in Figure 3. The user activates his terminal in an area with several overlapping access networks. The latter implement EAP/SIG. 1) Discovery and In-Session Service Discovery The user starts the EAP/SIG-enabled 802.1X client and triggers the usual 802.1X procedure between the terminal and a first network s access point (detected by the means defined in Figure 3 Proposed Architecture the standard). User s EAP Response/Identity message contains a user identifier extended by a request for available services. The access point (AP) automatically copies and forwards these data to the Signaling Server (SIGS) which may (but does not need to) be co-located with the 802.1X authentication server (AS). If SIGS and AS are not co-located, an AAA protocol can be used as a transport protocol between these two entities. Depending on the security policy of the solicited network, SIGS can either directly reply to the user with a list of available services and prices or wait until the AS has finished the user authentication phase. Generally, the AS will not be able to authenticate the user by itself and thus forward the incoming request to the virtual operator (VO). If user s network access identifier (NAI) is unknown, the request can be directly rejected. In this example, we suppose that the overlapping access networks are public WLANs with well-known basic service sets and price lists. Thus, SIGS directly submits its offers to the user using EAP/SIG as EAP-type in its message. Now, the user can easily decide which network he prefers to use. He then connects to the first network, continuing now until the end of the encapsulated EAP authentication procedure between the station and his virtual operator (VO). During this exchange, the visited network s AS, SIGS and the access point obtain key material, necessary for the subsequent reauthentications, encryption and signing of EAP/SIG datagrams and L2-traffic protection respectively. Here, SIGS, AS and the access points form the control plane of the network during the routers and the access points build the data plane. A while later, the user opens a video application and wishes to find the next streaming server. He thus initiates a service discovery procedure using the EAP/SIG channel. Normally, any suitable service discovery protocol data units (PDU) can be transported over EAP/SIG [8][9][10]. The SIGS replies with the address of the next suitable video streaming server.

5 2) Mobility When the user starts moving,.he wishes to preserve his open session. Normally, the L2 handovers would badly influence the quality of his video service. However, in our architecture SIGS can translate the incoming AAA signaling from the access points in a suitable mobility signaling which it directs to a mobile agent on a router. SIGS can thus advise the next router to change the routing for the user s IP address to the new access point right after the first AAA datagram arrived. The L2 handoffs thus do not remain transparent. SIGS can now drastically reduce the 802.1X latency by immediately delivering the session key material to the new access point without repeating the whole EAP authentication procedure. If the user has a micromobility client, this client could use the EAP/SIG channel to inform SIGS of an imminent L2 handoff. Again, this could a (micro-)mobility protocol to create buffers at the concerned routers in a timely manner. Once the router has received the respective command, it can forward it to its top hierarchy router and thus also perform an inter-domain handover, following a chosen mobility protocol (such as HAWAII, HFA or Mobile IP [13]). In this manner the 802.1X-delay can be shortened. The L2 handoff is not transparent for the mobility solution. Hence, the packet loss illustrated above could be avoided. 3) Other opportunities Using EAP/SIG, other problems can be solved or at least mitigated. One of these problems is e.g. the access point selection problem discussed in [20]. Using EAP/SIG, SIGS can perform a load balancing, assigning the requesting stations uniformly to the available overlapping access points. EAP/SIG also provides new opportunities. If a access network uses another access network as backbone, EAP/SIG can be used between the networks for management and signaling exchange (current load requests, resource reservation/release, etc.). Compared to the IP-based management exchanges, the advantage is that the EAP/SIG frames are perceived as management frames by the serving AP rendering the accounting for the served network more precise. Further, it is fairly easy to separate EAP/SIG traffic from user data traffic, whereas IP-based separation typically demands highly dynamic states. Finally, EAP/SIG provides integrated security and integrity mechanisms. Similarly, EAP/SIG can be used when an infrastructure network is to be prolonged by adhoc communications as proposed in [6]. EAP/SIG can be used to assign bonus points to the connected users sharing their bandwidth and giving access to other users over their stations. V. CONCLUSION The proposed extended usage of EAP opens several new possibilities like e.g. pre-authentication signaling and early service discovery. EAP and the related architecture have many different advantages such as: Security (independence of IP) Efficiency (no required periodic messages, no need for additional broadcast messages) Ease of use, deployment and implementation (no need for pre-configuration of stations, compatibility with the deployed WLANs). Due to the generality of the 802.1X concept and its similarity to the dial-up model, our proposition can be directly applied to a variety of popular network technologies. Thus, EAP/SIG could principally serve as a common access protocol in the future 4G architectures. REFERENCES. [1] L.M.S.C of the IEEE Computer Society, Wireless LAN medium access control (MAC) and physical layer (PHY) specifications, IEEE Standard , 1999 Editions, [2] L.M.S.C of the IEEE Computer Society, Port-based network access control, IEEE Standard 802.1X, June [3] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz, Ed., Extensible Authentication Protocol (EAP), RFC 3748, IETF, June [4] F. Adrangi, V. Lortz, F. Bari, P. Eronen, M. Watson, Mediating Discovery in the Extensible Authentication Protocol (EAP), Internet draft, work in progress, IETF, draft-adrangi-eap-networkdiscovery-00.txt. [5] H. Yumiba, K. Imai and M. Yabusaki, IP-Based IMT Platform, IEEE Personal Communications Magazine, pp , October [6] J. Zhang, J. Li, S. Weinstein, N. Tu, Virtual operator based AAA in Wireless LAN hot spots with ad-hoc networking support, ACM Mobile Computing and Communications Review, pp , vol. 6, No. 3, July [7] IEEE i, Draft Supplement to IEEE Std Part 11: Specifications for Enhanced Security, IEEE draft, work in progress. [8] A. Misra, S. Das, A. McAuley, S. K. Das, Autoconfiguration, registration, and mobility management for pervasive computing, pp , IEEE Personal Communications, August [9] UPnP Forum, [10] OSGi Alliance, [11] IEEE P802.11F, Draft recommended practice for multi-vendor access point interoperability via an Inter- Point Protocol across distribution systems supporting IEEE operation, IEEE draft, work in progress. [12] A. Mishra, M. H. Shin, N. L. Petroni, T. C. Clancy, W. Arbaugh, Proactive Key Distribution Using Neighbor Graphs, IEEE Wireless Communications, pp , February [13] A. Campbell et al., Comparison of IP Micromobility Protocols, IEEE Wireless Communications, pp , February [14] S. Das et al., IDMP: An Intradomain Mobility Management Protocol for Next-Generation Wireless s, IEEE Wireless Communications, pp , June [15] A. Hecker, H. Labiod, An Efficient Micromobility Implementaion For 802.1X WLANs, to appear in Proc. 15 th IEEE PIMRC, Barcelona, Spain, September [16] W. Simpson, PPP Challenge Handshake Authentication Protocol (CHAP), RFC 1994, IETF, August [17] W. Simpson, Ed., The Point-to-Point Protocol (PPP), IETF RFC 1661, July [18] P. Calhoun, J. Loughney, E. Guttman, G. Zon, J. Arkko, Diameter Base Protocol, RFC 3588, IETF, September [19] K. Ahmavaara, H. Haverinen and R. Pichna, Interworking architecture between 3GPP and WLAN systems, IEEE Communications, pp , vol. 41, no. 11, November [20] G. Judd and P. Steenkiste, Fixing access point selection, in Proc. ACM SIGCOMM 2002 Poster session, August 2002.