ISBN 978-952-5726-10-7 Proceedings of the Third International Symposium on Computer Science and Computational Technology(ISCSCT 10) Jiaozuo, P. R.

China, 14-15, August 2010, pp. 405-408

A Handoff Method Based on AAA for MIPv6

Jia Zong-pu1, Zhang Jing2
1

Computer Science and Technology Department, He Nan Polytechnic University Jiao Zuo, China Email: jiazp@hpu.edu.cn 2 Computer Science and Technology Department, He Nan Polytechnic University Jiao Zuo, China Email: zhangjing8754@hotmial.com

AbstractIn the era of commercial demand increased day by day, the mobile IP protocol combined with AAA (Authentication, Authorization and Accounting) technology is widely used in authentication, authorization and billing issues. However, compared to single mobile IP switch protocol, because MIPv6-AAA model need achieve AAA users authentication and authorization in the process of switch, so it will generate more switch time delay, and also have security issues. Therefore, this article give a new MIPv6 switch method, it is when MN switch in the inner-domain, do not need the authentication of home domain, and reduce the switch time; but when switch in the inter-domain it will set mobile node agent (MNA) to save original MN information temporarily, to avoid the registration process failed, and increase the security. This solution achieved MIPv6-AAA model optimization through improve these two areas. Index TermsMIPv6, AAA, handoff, MN, agent

I. INTRODUCTION As computer and communication technologies developed, people have more and more requirement for the network services. Traditional fixed access Internet mode can not afford people's requirement; they need wireless internet services. Mobile IP protocol can combine with any link layer technology, and support the vertical switch, make the user can continue access the network when they are moving, and this is considered as the best solution for the mobility problems of network layer. Currently, large-scale increased in mobile users, and the Internet for business applications is also become popular. For this, IETF (Internet Engineering Task Force) make AAA (Authentication, Authorization and Accounting) combined with mobile IP technology, focus on solving the user's authentication, authorization and accounting issues, provide security for mobile IP achieve large-scale commercial business. At present, there are many researches on combine the AAA with mobile IP, reference [1] described a solution to design the layer structure and set facilities, give the normalizing process of AAA certification and MIPv6 registration process, and the process of establish local SA authenticate, and also compared with the existing solution, pointing out the advantages of the solution. From the performance analysis we can see that, MN's movement character is the important parameter which
This project was supported by the Open Foundation of the Key National Defense Science and Technology Laboratory of Education Ministry in JiLin University (No. 421060701421). 2010 ACADEMY PUBLISHER AP-PROC-CS-10CN007

affecting the performance. But this solution did not consider how to use mobile switching rate, dwell time and other parameters to describe the MN movement characteristics, and guide AAA structure become layer and dynamic adjustment. Reference [2] give a structure of combine mobile IPv6 with AAA based on WLAN, use RADIUS as the protocol of AAA, but RADIUS just can support IPv4, so under the situation of MIPv6, there has problem that AAAH and AAAL use RADIUS protocol to communicate, reference [2] said use NAT-PT to solve the problem of transmit IPv4 packet though IPv6 network, but when they use this mechanism the system become instability. The system in [6] is under MIPv6 they use netfilter structure of Linux operation system to implement the function of authentication, authorization and billing of Diameter AAA, and use IPSec6 to catch stream of IPv6, and then use proper AH/ESP process module to deal with it. In this solution even it realize access control and safety communication, but it can cause communicate efficiency reduced and time delay increased and more bad effects. Reference [11] extends the RFC4285 authentication mechanism of Mobile IPv6, it use common AAA authentication platform, give a solution suit layer mobile IPv6 and mobile IPv6 authentication, and it also achieved by software. However, in the solution of preconfigured NAI and the key stored in the file or database as clear text, did not provide data security; authentication option provides data integrity and authentication, but did not provide confidentiality. In this article it gives a new MIPv6-AAA switch method based on AAA, this solution shows that when mobile node switched in the same AAA administration domain and different sub network, the authentication process do not need though home domain; when mobile node switched in different AAA administration domains, set up MNA to store related information of mobile node MN temporary, in order to make registration and authentication process safety and reliability. II. RELATED BACKGROUND A. MIPv6(Mobile IPv6) Mobile IPv6 is the improved protocol of mobility support for IPv6. The basic aim of its design is let the connection of the transport layer and higher levels not changed with the IP address changes, the mobile node should be always reached by the user [3]. Mobile IPv6 includes three parts: mobile node (MN), home agent (HA)
405

and correspondent node (CN). MN has one permit IP address HoA(home of address) in home network. When MN move to foreign network it will have one temporary transfer address CoA(care-of address), after this MN need to complete mobile registration with HA, MN will send binding update (BU) message to tell HA the CoA, and then HA respond to the previous BU though binding acknowledge (BA) message. When CN communicate with MN, because it didnt know MN had moved, so it send data packet to HoA as terminal address, the data package was caught by the HA of MN, and HA transfer the data package to MN of foreign network with tunnel. After MN realize the data come from CN and transferred by HA, it will send BU message to CN and tell the current CoA, after this the rest data packages send to MN will send to CoA directly as terminal address. B. AAA Authentication, Authorization and Accounting (AAA) is an important mechanism to ensure security of network and rational use of resources, especially for the Internet provider's point, it is the key point to ensure the normal operation of network. The use of all kinds of resources on network, need to be managed by the AAA. Authentication, authorization and accounting system together to make the network system to accurately recorded the usage of network resource for a particular user. In this way it can effectively safeguarding the rights of legitimate users, and also can protect the operation of network system security and reliable [4]. The AAA architecture was shown in Fig. 1.

detail extend the basic protocol [7]. Basic Diameter protocol must be combined with extend application to use, and provides basic AAA functions for mobile IPv6 in the extend application of mobile IPv6. Among the Diameter authentications based on MIPv6, in Mobile IP, it includes the mobile node MN, the home agent HA, foreign agent (FA) and other functional entities, except these it also joined the foreign AAA server, home AAA and server AAAF AAAH, the application model shown in Fig. 2 below.

Figure 2. The application model of diameter based on MIPv6

According to the region of AAA server it defined management domain, when the MN switched between different administrative domains of AAA server, it called inter-domain switch; when the MN switched in the same AAA server administrative domain but within different FA subnets, it called inner-domain switch. And also satisfy the following assumptions [7]: (1) the mobile user's identity use NAI [8] (Network Access Identifier) for the only sign, the format of NAI is user@realm, which realm presents the administrative domain where MN located; (2) in long terms between mobile users and AAAH share one key; (3) the communication between AAAF and AAAH is safe; (4) all CN have consensus on the use of public key and symmetric key encryption mechanism. MIPv6-AAA provides solution for the authentication, authorization, registration and key distribution and other issues of mobile IP, provide a reliable guarantee for large-scale implementation of mobile IP.The authenticate registration process was shown in Fig. 3, and the specific message exchange description see [9].

Figure 1. The architecture of AAA

C. The AAA structure under Mobile IPv6 environment There are two AAA protocols, which are remote authentication dial in user service (RADIUS) protocol and Diameter protocol [5]. Currently, the Diameter protocol was most used. Diameter protocol is a protocol stack [6], which includes the basic protocol and the extend application protocols, such as mobile IP protocol (MIP), Network Access Services protocol (NASREQ), multimedia protocols (IMS), Extensible Authentication Protocol (EAP) and SIP protocols and so on. In the basic protocol, it defines some common functions, such as message format, message transfer mechanism and so on; in the application extension, based on the application
406

Figure 3. Basic model of authentication and registration process for MIPv6-AAA

Among these, Attendant is the entrance of access domain AAA system, provide and register access domain

address; AMR (AAA mobile node request): mobile node requests; HAR (home agent MIPv6 request): request of MIPv6 home agent; HAA (home agent MIPv6 answer): home agent MIPv6 response; AMA (AAA mobile node answer) mobile node response; RegRep (registration reply): Registration Response. III. IMPROVED SOLUTIONS MIP-AAA basic infrastructure provides the integration method of Mobile IP and AAA authentication, but when the mobile node switched in this model, it should complete to register mobile IP, and also should complete the users authentication and authorization by the AAA. Therefore, MIP-AAA has more delay in switching. If foreign region is far from home region, the transmission time of transmit message will consume a long time, and the main time delay of authentication process took place on the message exchange between foreign region and home region. One part of the improved solution is the authentication processes do not go though the home region [10] when mobile node switched between different subnets of the same AAA control region. In addition, according to the related data shows that, in the normal movement, 69% of movements occurred in the same region. Therefore, this solution can effectively reduce the switch time delay. On the other hand, when mobile nodes switched between different AAA administrative domain, MN need to send both authentication request and registration request. In general, the two requests should received responses at the same time. After the process of registration completed, MN can use a new transfer address to receive the data packet transferred by the HA, at this time the MN identity address information has changed, if the process of authentication occur error or delays, it needs to require re-authentication process of MN, and also needs the original MN identity address information, but this time the information has changed, so it can not complete the authentication. And another part of this improved solution is to set a new data structure: the mobile node agent (MNA), use MNA to temporary store related information of the mobile node MN, and then it can guarantee the process of registration and authentication safety and reliable. A. The MN handoff analysis inner-domain When switch happened in the inner-domain, the

authentication process will no longer go though the home domain. The message flow chart is shown in Fig. 4. 1) MNFA: MN sends registration request message and certification message to the FA, and judge whether the switch of MN taken place inside domain or not by the realm value of NAI; 2) FAAAAF: FA continue to send transfer message 1) to AAAF; 3) After AAAF received message 2), verify the identity of MN, and separate the authentication process and registration process: a) AAAFFA: AAAF send authentication responds to FA; b) AAAFHA: AAAF send registration request message to HA 4) FAMN: FA transfer the authentication responds, then the process of authentication finished. MN can use the resources of foreign network, enjoy the service provide by FA; 5) HAFA: After HA received the message 3b), it directly give the registration responds message back to FA 6) FAMN: FA transfer the registration responds message, then the process of registration finished. MN can use the new transfer address to receive the data packet transferred by HA. B. MN Handoff Analysis Inter-domain When MN roaming to a new administrative domain, just AAAH has the full detail information of MN, so the process of switch inter-domain need though home domain, and the registration model shown in Fig. 5: 1) MNFA: MN send registration request message

Figure 5. Authentication and handoff process for home network

and authentication message to FA, and judge the realm value of NAI has changed or not. If it changed, start the inter-domain switch; 2) FAAAAF: After FA received the message 1), it generates the MNA of mobile node, set the legal tag in the original MNA to FALSE, then sends authentication requests to AAAF; 3) AAAFAAAH: If AAAF can not authenticate, then transfer the message to AAAH; 4) AAAH: a) AAAHAAAF After AAAH successfully authenticate the identity of MN, then send the
Figure 4. Authentication and handoff process for home network

407

authentication responds to AAAF b) AAAHHA: AAAH send binding update message to HA 5) AAAFFA: AAAF received the authentication responds message from AAAH, then continue transfer to FA and tell MN authentication has succeed; 6) HAFA: HA send binding update confirm message to FA; 7) FAMN: FA sends authentication responds and confirmed binding update to MN, and also set the legal tab on MNA in registry to TURE, notice MN the new mobile node agent MNA have produced; Till now authentication process and registration process have all finished, MN can use foreign network resources, enjoy FA service, and can use new transfer address to receive the data packet transferred by HA. IV. CONCLUSION In this solution, when mobile node switch happened in the inner-domain, because of the authentication process do not go though home domain, after AAAF authenticate the MN identity directly back to FA, reduced the message transmit and process time go and back to home domain, and greatly increase the switch speed; when switch happened in the inter-domain, because set the MNA of mobile node, and make it temporarily keep the original information of MN in case of use, then it can guarantee the switch process safety and reliably. The next stage is: in this solution it doesnt provide any security for the process of switch inner-domain; when the switch happens in the inter-domain, the data integrity and authentication of the configure of new data structure MNA need to improved, all these are need improved.

REFERENCES
[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8] [9]

[10]

[11]

W. S. Xiao, Y. J. Zang, and Z. C. Li, Hierarchical AAA in mobile IPv6 networks, Journal on Communications, vol. 27, Feb. 2006, pp. 50-55. R I Chen, R C Wang, and H C Chao, Mobile IPv6 and AAA architecture based on WLAN[A], Proc. of the 2004 International Symposium on Applications and the Internet Workshops, 2004. G. M. Wang, Security Issues and Solutions on IPv6 Mobile, Journal of University of Electronic Science and Technology of China, vol. 36, Dec. 2007, pp. 1417-1419. P. Chen, and J. G Yu, Access authentication in MIPv6 based on hierarchical AAA, Journal of Network Security Technology and Application, May.2009, pp. 32-35. C R igney, A Rubens, and S W illens, Remote authentication dial in user service (RADIUS), Science, RFC 2865, Jun. 2000. Z. P. Lan, F. L. Jin, and Z. S. Wang, Study on AAA and security system based on MIPv6, Computer Engineering and Design,vol. 30,Mar. 2009, pp. 3778-3779. T. Lin, D. Tang, Y. Zhang, H. B. Zhao, and Z. Q. Hou, Research and implementation of mobile IPv6 fast handoff with AAA functions, Mini-Micro Systems, vol. 26, Jul. 2007, pp. 1125-1129. A Boba, and Beadles, The network access identifier, Science, RFC 2486,Jan. 1999. M Cappiello, AFloris, and L Velt ri, Mobility amongst heterogeneous networks with AAA support, Proc. IEEE International Conference on Communications, 2002, pp. 2064-2069. D. Ma, D. K. He, Y. Zheng, and W. F. Zhang, A fast anthentication and registration scheme for AAA-based Mobile IP, Journal of the China Railway Society, vol. 30, Feb.2008, pp. 98-103. H. Chen, H. C. Zhou, Y. J. Qin, and S. D. Zhang, Design and implementation of hierarchical mobile IPv6 authentication based on NAI, Computer Engineering and Applications, vol. 43, 2007, pp. 125-128.

408