Journal of Network and Computer Applications 34 (2011) 1903–1907
Providing security vertical handoff in SARAH for heterogeneous networks

Kyusuk Han (a), Youngjoon Seo (a), Sungjune Yoon (a), James J. (Jong Hyuk) Park (b), Taeshik Shon (c)

(a) Korea Advanced Institute of Science and Technology (KAIST), 119, Munjiro, Yuseong-gu, Daejeon 305-732, South Korea
(b) Department of Computer Science and Engineering, Seoul National University of Science and Technology, 172, Gongreung 2-dong, Nowon, Seoul, South Korea
(c) Division of Information and Computer Engineering, College of Information Technology, Ajou University, Suwon 443-749, South Korea
Article info

Article history: Received 1 July 2010; received in revised form 29 December 2010; accepted 21 January 2011; available online 4 February 2011.

Abstract

Vertical handoff is one of the most important issues in heterogeneous networks. Lee et al. introduced a selective advance reservations and resource-aware handoff direction (SARAH) mechanism in order to provide fast and efficient handoff by combining layer 2 (L2) and layer 3 (L3) communications, but it had the drawback that handoff between heterogeneous networks was not considered. In this paper, we improve the mechanism by providing security functions such as a neighbor-mapping server that binds IP addresses and MAC addresses with security support. First, we discuss security issues in SARAH and propose an enhanced protocol. Finally, we show simple implementation results of our design in order to verify its practical aspects. © 2011 Elsevier Ltd. All rights reserved.
Keywords: Vertical handoff; Security; SARAH; Mobile IP; Authentication
1. Introduction

Wireless communication technologies are becoming common and are deployed in various areas, and recent mobile phones enable multimedia streaming services such as music and movies. In such environments, seamless handoff is one of the important issues (Liao et al., 2010). However, there can be dead spots where communication is unavailable because no access point is deployed. To support seamless communication while avoiding dead spots, other networks from different network service providers, or different networks with different coverage that form a hierarchical overlay network, can be used. A vertical handoff occurs when moving between these different communication systems. When a mobile node is receiving a movie and moves from a home agent to a foreign agent, the mobile node wants a seamless connection during roaming. Thus much research, such as Huang and Cai (2005), Kim and Copeland (2003), Bernaschi et al. (2004), and Kang et al. (2005), focuses on vertical handoff for seamless communication in heterogeneous networks. Lee et al. (2006) proposed selective advance reservations based on host movement detection and resource-aware handoff (SARAH), which provides a fast roaming service. They provide fast handoff by combining layer 2 (L2) and higher-layer communications. First, the mobile node receives an L2 beacon message from a foreign agent (FA) and passes the message to the home agent (HA). The L2 beacon message contains the MAC address of the FA.
Corresponding author: T. Shon. doi:10.1016/j.jnca.2011.01.006
The HA searches the stored neighbor-mapping table (NMT) to find the IP address matching the MAC address. After that, the HA builds a pseudo-random path (PRP) to the FA. SARAH can reduce the connection latency by using both L2 and L3 communications. However, SARAH has the drawback that it does not provide vertical handoff in heterogeneous networks because of its use of the NMT. With SARAH, each base station (BS) needs to have the information of its neighbor BSs in its NMT. When several distinct networks are deployed and provide roaming services, it can hardly be expected that the information of all neighbor BSs is stored in the NMT. Since the deployment of BSs is fully up to each service provider, it cannot be guaranteed that the information of a new BS is stored in the NMTs of neighbor BSs of other service providers. Therefore, we propose an improved design of SARAH that provides secure vertical handoff. We introduce a neighbor-mapping server that provides authentication of neighbor BSs. The paper is organized as follows. Section 2 briefly describes SARAH and discusses security issues of SARAH in heterogeneous networks. Our security design is shown in Section 3. Section 5 shows the implementation result. Section 6 describes further work and the conclusion.
2. Deploying SARAH in heterogeneous networks

2.1. Host movement detection in SARAH

In order to detect neighbor base stations, the mobile node detects L2 beacon frames from multiple reachable BSs. SARAH assumes the underlying networks operate like IEEE 802.11. In the communication for pseudo-reservation path generation, there are two control messages:

PRP_init: notification of movement;
PRP_inform: initiation of PRP establishment.

When each base station continually advertises an L2 beacon message, only the MAC address of the base station is included in the message. Assume a mobile host that has a link with a base station and is moving around. The mobile host receives the L2 beacon message as the advertisement and transfers the MAC address in the message to the current base station in a PRP_init message. The base station searches for the IP address in the neighbor-mapping table (NMT). When the base station finds the IP address, it sends a PRP_inform message to that IP address (a foreign agent) to initiate the PRP. Fig. 1 describes the process. Using the NMT, the number of pseudo-reservation paths (PRPs) is reduced. The neighbor-mapping table of SARAH binds the MAC addresses and IP addresses of neighboring BSs. It is referred to for host movement detection. Table 1 shows an example of a neighbor-mapping table.

2.2. Security issues of SARAH in heterogeneous networks

In SARAH, each base station (BS) has a neighbor-mapping table (NMT) that binds MAC addresses and IP addresses. When a mobile node requests authentication from a BS, the BS searches for the corresponding IP address in the table. When the IP address is found, the BS (or the home agent) sends the pseudo-random path information (PRP_inform) to the foreign agent at that IP address. This works well if there is no change in the network. However, storing the NMT inside the BS requires the list to be updated whenever a new BS joins the network. Even if only one BS joins, every neighbor BS has to update its NMT. In the case of commercial network services, service providers negotiate the sharing of their networks to minimize duplicated infrastructure. Even when they have agreed to share networks, none of them knows where all of the other companies' wireless access points are deployed. This produces the case where there is no IP address in the neighbor-mapping table even though the access point actually exists. Moreover, several security issues are raised by the current SARAH architecture. The first issue is how to authenticate the mobile node and base stations, since it is more reasonable to assume that there is no shared secret between base stations of different service providers. The second issue is key management: key agreement between the current base station and the foreign base station, and between the mobile node and the foreign base station, should be considered. The third is privacy: for secure communication, the messages should be encrypted. Therefore, in the next section we introduce the neighbor-mapping server, which enables secure vertical handoff and still provides efficient neighbor mapping from a known MAC address at a base station's request.
Fig. 1. Host movement detection (cBS: current BS, nBS: new BS; 1. L2 Beacon from nBS to MH; 2. PRP_init from MH to cBS; 3. PRP_inform from cBS to nBS).

3. Secure vertical handoff in SARAH

We assume that the home agent (HA) and the mobile node (MN) have a secure association: the HA and MN pre-share a key for encryption and authentication, which enables secure communication. We also propose the neighbor-mapping server (NMS), which provides the neighbor mapping used to generate the pseudo-reservation path in SARAH. The NMS also manages security policies such as user access control. In this case, we can easily manage updates of the base stations' state and also achieve security. Since every wireless network owner knows about the neighbor-mapping server, they send updated information about their base stations to the server. Each base station can learn the current neighbor state through communication between the server and the base station, and then set up secure communication.
Table 1. Example of a neighbor-mapping table.

BSID  MAC address        Network ID       IP Address      R    S
1     00:20:A6:4C:99:BE  220.69.186.0/24  220.69.186.145  1    1
2     00:02:2D:0B:6F:E5  192.168.1.0/24   192.168.1.2     1    0
3     00:20:A6:4C:99:95  220.69.187.0/24  220.69.186.128  1    1
...   ...                ...              ...             ...  ...

3.1. Neighbor-mapping server
The neighbor-mapping server (NMS) manages two tables: a neighbor-mapping table (NMT) and a user policy table (UPT). Examples of the NMT and UPT are shown in Fig. 2. A MAC address and its matching IP address, a shared key between the NMS and a base station, and a group ID are stored in the NMT, while a user ID, the service level, and other policies such as location or timing information are stored in the UPT. The service level may be adjusted based on location or time. For example, a user may want a different service level in another country. The 'service level' is used to decide whether the service is available for the user. In the UPT, the service level of user MN1 is '1', while the service level of user MN2 is '2'. For our experiment, we defined service level '1' as vertical handoff available and '2' as unavailable. The service level is used when the service provider charges a different cost for each level. For data communication, users may not want the roaming service if the cost is too high.

Fig. 2. Neighbor-mapping table and user policy table in the neighbor-mapping server.
Neighbor Mapping Table (MAC Address, IP, Shared Key, Group): MAC_BS1, 210.107.248.161, KEY_BS1, 1; MAC_BS2, 210.107.248.201, KEY_BS2, 2; ...
User Policy Table (User ID, Service Level, Other Policies): MN1, 1, ...; MN2, 2, ...; MN3, ..., ...
3.2. Overall process

In this section, we describe the process of pseudo-reservation path generation with our modification of SARAH. There are four entities in the system: a mobile host (MH), a home agent (HA, or cBS), a foreign agent (FA, or nBS) and the NMS. We assume that cBS already has secure communication with the NMS.

1. nBS broadcasts an L2 beacon message.
2. MH receives the message and sends it to HA, as shown in Fig. 3.
3. cBS sends cBS's ID, $MAC\_Addr_{nBS}$, $ID_{MH}$, and $\mathrm{MAC}_{K_{cBS}}(ID_{MH} \,\|\, MAC\_Addr_{nBS})$ to the NMS, where $ID_{MH}$ is MH's ID and $MAC\_Addr_{nBS}$ is nBS's MAC address. $K_{cBS}$ is a shared key between cBS and the NMS. $\mathrm{MAC}_K(m)$ denotes a message authentication code of a message $m$ using a key $K$.
4. The NMS verifies the message from cBS and searches its NMT for nBS's group and the IP address bound to the MAC address.
5. The NMS checks MH's service level by ID in the UPT. If MH's level is 1, the NMS generates $T$. Otherwise, the NMS discards the communication.
6. The NMS generates $T = (T_L, T_R) = (\mathrm{enc}_{K_{nBS}}(ID_{cBS} \,\|\, r \,\|\, \mathrm{MAC}_{K_{cBS}}(r)),\ H_{K_{nBS}}(ID_{cBS} \,\|\, r \,\|\, L2beacon))$, where $r$ is a random number, $H_K(m)$ is the keyed hash output of an arbitrary message $m$ with a key $K$, $ID_{cBS}$ is the ID of cBS, and $L2beacon$ is the layer 2 beacon message from neighbor discovery. Fig. 4 shows the process.
7. After that, the NMS sends $T$ and nBS's IP address to cBS. If cBS and nBS are in the same group, this step is skipped.
8. cBS decrypts $T_L$ and verifies $T_R$. cBS then sends PRP_inform with a key exchange request to nBS. At this stage, nBS has not yet authenticated cBS. Therefore, the confidentiality of the communication holds, but not yet authentication. The process is shown in Fig. 5.
9. With the key established, cBS sends the shared key between cBS and MH, cBS's ID, and $T$ to nBS.
10. nBS then checks $T_R = H_{K_{nBS}}(ID_{cBS} \,\|\, r)$. nBS sends $r$ to cBS and checks the response from cBS. If nBS verifies $\mathrm{MAC}_{K_{cBS}}(r)$ from cBS, nBS authenticates cBS and receives the shared key between cBS and MH from cBS. We consider that if nBS trusts cBS, nBS also trusts the MH that was connected to cBS.

After the authentication of cBS is done, cBS and nBS begin generating the pseudo-reservation path. The last part is the same as SARAH (Lee et al., 2006) and continues with RSVP path and RSVP resv message transmission. We show the brief overall process in Fig. 6.

4. Analysis

In this section, we analyze our design. First we give the security analysis of the proposed design, and then the implementation results for evaluation.

4.1. Security analysis

4.1.1. Against impersonation by an adversary

We assume that the secure associations between MH and cBS, and between cBS and the NMS, already exist. Let a malicious adversary A attempt to impersonate cBS with steps A.1–A.7.

A.1. A sends MAC_Addr of nBS with a MAC (message authentication code) to the NMS.
A.2. The NMS verifies it and finds the IP address and $KEY_{nBS}$, which is the key shared with nBS.
Fig. 3. MH receives L2 beacon message (1. L2 Beacon from nBS to MH; 2. nBS's MAC from MH to cBS).

Fig. 4. cBS receives the IP address of nBS (3) cBS sends MH's ID and nBS's MAC to NMS; 4) NMS finds nBS's group and IP; 5) NMS finds MH's service level by ID (if cBS and nBS are in the same group, skip 5); 6) NMS generates T (if MH's level is 2, skip 6 and send 7-2); 7-1) NMS sends T and nBS's IP to cBS and skips 7-2; 7-2) NMS sends Reject).

Fig. 5. nBS authenticates cBS (8) PRP_inform with key exchange from cBS to nBS; 9) cBS sends the shared key of cBS-MH, cBS's ID and T; 10) nBS verifies T).

Fig. 6. Overall process of the proposed design (1. L2 Beacon from nBS to MH; 2. nBS's MAC from MH to cBS; 3 and 7 between cBS and NMS; 8 and 9 from cBS to nBS).
A.3. The NMS generates a random number $r$ and a message authentication code $H_{KEY_{nBS}}(r)$.
A.4. The NMS sends $T$ to A, and A then sends $T$ to nBS.
A.5. nBS decrypts $T_L$ and verifies $T_R$ using $K_{nBS}$ and $r$.
A.6. nBS sends $r$ to A; A returns $\mathrm{MAC}_{K_A}(r)$.
A.7. nBS verifies whether $\mathrm{MAC}_{K_A}(r) = \mathrm{MAC}_{K_{cBS}}(r)$.
Since only cBS and the NMS have the shared key $K_{cBS}$, the probability that an adversary A produces $\mathrm{MAC}_{K_A}(r) = \mathrm{MAC}_{K_{cBS}}(r)$ is the success probability of an adversary attacking a one-way function. Also, $r$ is securely sent to nBS. Also, a malicious cBS cannot forge it. Thus, the proposed protocol is secure against man-in-the-middle attack. We also assume that the secure associations between cBS and the NMS and between nBS and the NMS exist, since Mobile IP requires that AAA (authentication, authorization, and accounting) features be deployed in each agent (Glass et al.). $L2beacon$ in $T_R$ is for prevention of replay attack.
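The exchange of steps 3–10 in Section 3.2 and the A.1–A.7 impersonation attempt above, simulated in one process as an added example that is not from the paper or its sarahd implementation. HMAC-SHA256 stands in for both MAC_K and H_K, an HMAC-derived keystream stands in for the unspecified enc_K, nBS checks T_R with the full step-6 input (ID_cBS || r || L2beacon), and the table contents, IDs and keys are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the NMS tables of Fig. 2 and for the shared keys.
NMT = {"MAC_BS2": {"ip": "210.107.248.201", "key": b"KEY_BS2", "group": 2}}
UPT = {"MN1": 1, "MN2": 2}          # user ID -> service level
K_CBS = b"KEY_BS1"                  # K_cBS, shared by cBS and the NMS
K_NBS = NMT["MAC_BS2"]["key"]       # K_nBS, shared by nBS and the NMS
ID_LEN, R_LEN = 8, 16               # fixed field widths (assumption)


def mac(key: bytes, msg: bytes) -> bytes:
    """MAC_K(m) and H_K(m): HMAC-SHA256 stands in for both (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def enc(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """enc_K: the paper names no cipher; a keystream of HMAC blocks XORed
    with the data is used here (assumption). The same call decrypts."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(mac(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def nms_issue_token(id_cbs, mac_nbs, id_mh, tag, l2beacon):
    """Steps 3-7 at the NMS: verify cBS's MAC over (ID_MH || MAC_Addr_nBS),
    resolve nBS in the NMT, check MH's service level in the UPT, build T."""
    if not hmac.compare_digest(tag, mac(K_CBS, id_mh + mac_nbs)):
        return None                                  # step 4: bad MAC
    entry = NMT.get(mac_nbs.decode())
    if entry is None or UPT.get(id_mh.decode()) != 1:
        return None                                  # step 5: reject (7-2)
    r, nonce = secrets.token_bytes(R_LEN), secrets.token_bytes(16)
    t_l = nonce + enc(entry["key"], nonce, id_cbs + r + mac(K_CBS, r))
    t_r = mac(entry["key"], id_cbs + r + l2beacon)   # step 6
    return (t_l, t_r), entry["ip"]                   # step 7


def nbs_verify(token, l2beacon, respond):
    """Steps 9-10 at nBS: open T_L with K_nBS, check T_R against the beacon
    nBS itself sent, send r as a challenge, and compare the answer with the
    MAC_{K_cBS}(r) the NMS sealed inside T_L. respond(r) is the peer."""
    t_l, t_r = token
    plain = enc(K_NBS, t_l[:16], t_l[16:])
    id_cbs, r, sealed = plain[:ID_LEN], plain[ID_LEN:ID_LEN + R_LEN], plain[ID_LEN + R_LEN:]
    if not hmac.compare_digest(t_r, mac(K_NBS, id_cbs + r + l2beacon)):
        return False                                 # wrong or replayed beacon
    return hmac.compare_digest(respond(r), sealed)   # the A.7 check


def run(answer_key: bytes, id_mh: bytes = b"MN1", verify_beacon: bytes = None) -> bool:
    """One handoff. The honest cBS answers the challenge with K_cBS; the
    adversary A of 4.1.1 only has its own K_A. The step-3 MAC is the genuine
    one, as the analysis assumes A gets past A.1-A.2 (e.g. by replay)."""
    beacon = b"L2beacon:MAC_BS2"
    id_cbs, mac_nbs = b"BS1_____", b"MAC_BS2"
    issued = nms_issue_token(id_cbs, mac_nbs, id_mh, mac(K_CBS, id_mh + mac_nbs), beacon)
    if issued is None:
        return False
    token, _nbs_ip = issued
    return nbs_verify(token, verify_beacon or beacon, lambda r: mac(answer_key, r))
```

The honest run succeeds, the adversary's answer under K_A fails at the A.7 check, a user with service level 2 is rejected at step 5, and a token presented against a different beacon fails the T_R check.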
4.1.2. Against impersonation during key exchange

In our design, we modified the sequence of authentication and key exchange. The FA does not have to authenticate itself to the MH or HA. A bogus FA could impersonate a real FA simply by following the protocol and offering agent advertisements to the MH. The bogus agent could, for instance, then refuse to forward decapsulated packets to the mobile node when they were received. However, the result is no worse than if any node were tricked into using the wrong default router, which is possible using unauthenticated router advertisements as specified in RFC 1256 (Deering). Since only one-way authentication is necessary in Mobile IP, authenticating the FA by the HA is not necessary; a message authentication code can play the role of entity authentication. For example, at a movie theater, we only show the ticket to authenticate ourselves when we enter.

Fig. 7. Example: authentication result.
4.2. Implementation

We implemented our design using RSVP and Mobile IP with SARAH. First, we modified sarahd. When sarahd is executed, the SARAH daemon configuration file is set up through sarahd_config.c. In our implementation, when the NMS considers the foreign agent an authorized one, the same procedure as sarahd follows. Otherwise, our implementation behaves as if there were no neighbor address in the configuration file, so when handoff occurs, no service is provided. Even though it is not shown in our protocol, this can reduce the computation cost during communication with the NMS. Storing the NMT of the same group in the base station can also reduce the communication and computational cost. We then implemented the authentication process that precedes the pseudo-reservation path generation process. For this process, we implemented the following two authentication servers.

AuthBS: authenticates the other BS.
NMS: authenticates whether the MN can hand off to other networks.

The NMS contains the neighbor-mapping table of all authorized base stations. The user policy table is also built into the NMS. AuthBS is built into each base station. For example, when the foreign agent authenticates the home agent, the AuthBS of the foreign agent begins the authentication process. For the evaluation of the proposed design, we simplified the availability of the server to just checking the MAC address and providing the authentication resource for nBS, as in Fig. 7. Fig. 7(a) shows that nBS authenticates cBS after the protocol, and Fig. 7(b) shows the MAC address that nBS received from cBS. Overall performance is slightly lower than the original SARAH due to the additional communication and computation with the NMS.
5. Conclusion

In this paper, we raised the problem of adapting SARAH to heterogeneous networks and proposed the neighbor-mapping server that provides vertical handoff in SARAH. We also showed the security requirement in the procedure that the foreign agent should be able to authenticate the home agent. Since the base stations store no neighbor-mapping table themselves, they have to ask the neighbor-mapping server. We claimed that authentication of the foreign agent is unnecessary, because the home agent gets the information of the foreign agent from the neighbor-mapping server, and strong security is unnecessary in the pseudo-reservation path phase. Our design and implementation showed that modifying the model of the neighbor-mapping table enables vertical handoff in SARAH. Evaluating the overall performance in comparison with the original SARAH is remaining work. Extending to real heterogeneous environments such as wireless sensor networks is also our future work. We believe that our idea is a meaningful solution for the use of SARAH in heterogeneous environments.
Acknowledgments

This research was supported by the MKE (The Ministry of Knowledge Economy), Korea, under the ITRC (Information Technology Research Center) support program supervised by the NIPA (National IT Industry Promotion Agency) (NIPA-2010-C10901031-0004). A preliminary version of this paper was first presented at a domestic conference of the Korea Institute of Information Security & Cryptology, Chungcheong branch, in 2006.

References

Bernaschi M, Cacace F, Iannello G. Vertical handoff performance in heterogeneous networks. In: Proceedings of the 2004 international conference on parallel processing workshops (ICPPW04); 2004. p. 100–7.
Deering S. ICMP router discovery messages, RFC 1256.
Glass S, Hiller T, Jacobs S, Perkins C. Mobile IP authentication, authorization, and accounting requirements, RFC 2977.
Huang H, Cai J. Improving TCP performance during soft vertical handoff. In: Proceedings of the 19th international conference on advanced information networking and applications; 2005. p. 329–32.
Kang R-J, Chang H-P, Chang R-C. A seamless vertical handoff scheme. In: First international conference on wireless internet (WICON'05); 2005. p. 64–71.
Kim S-E, Copeland JA. TCP for seamless vertical handoff in hybrid mobile data networks. In: Proceedings of IEEE global telecommunications conference (GLOBECOM'03) 2003, vol. 2. p. 661–5.
Lee K, Kim M, Yu C, Lee B, Hong S. Selective advance reservations based on host movement detection and resource-aware handoff. International Journal of Communication Systems 2006;19(2):163–84.
Liao J, Qi Q, Zhu X, Cao Y, Li T. Enhanced IMS handoff mechanism for QoS support over heterogeneous network. The Computer Journal 2010;53(10):1719–37.