Abstract

A new key management and security scheme is proposed to integrate Layer Two (L2) and Layer Three (L3) keys for secure and fast Mobile IPv6 handover over IEEE 802.11 Wireless Local Area Network (WLAN). Unlike the original IEEE 802.11-based Mobile IPv6 Fast Handover (FMIPv6) that requires time-consuming IEEE 802.1x-based Extensible Authentication Protocol (EAP) authentication on each L3 handover, the newly proposed key management and security scheme requires only one 802.1x-EAP regardless of how many L3 handovers occur. Therefore, the proposed scheme reduces the handover latency that results from a lengthy 802.1x-based EAP. The proposed key management and security scheme is extensively analyzed in terms of security and performance, and the proposed security scheme is shown to be more secure than those that were previously proposed.

1. Introduction

Mobile IPv6 Fast Handover (FMIPv6) [1] has been proposed in order to minimize the delay induced by handover operations of Mobile IPv6 [2]. When a wireless Mobile Node (MN) changes its attachment point to a new Access Router (AR), it is possible to provide IP connectivity in advance of the actual registration of the mobile IP by tunneling data between the current and the target access routers. The basic idea behind FMIPv6, which is a kind of Layer Three (L3) handover, is to leverage information from Layer Two (L2) technologies, such as IEEE 802.11 [3], to either predict or rapidly respond to a handover event. On the other hand, a wireless MN attached to an AR via an Access Point (AP) can move to a new AP without changing its attachment to the AR. In this case an L2 handover occurs, and the MN must reassociate and authenticate with the new AP using IEEE 802.1x-based Extensible Authentication Protocol (802.1x-EAP) [4]. Given that an L2 handover is also induced when an L3 handover occurs, IEEE 802.11-based FMIPv6 [5] has been proposed and has been analyzed in terms of its handover latency [6, 7].

There are two security issues associated with IEEE 802.11-based FMIPv6. One issue is that of establishing an L3 key between an MN and a new AR on each L3 handover. Based on the L3 key, the L3 signaling messages used to establish the tunnel between the current AR and the target AR can be authenticated. In particular, a compromise of the current L3 key should not induce that of the future L3 key to suppress the domino effect. Several security mechanisms [8–10] have been previously proposed to establish the L3 key. However, they have several weaknesses in terms of security and efficiency. The other issue is to reduce the authentication delay caused by the L3 handover. The MN would perform a lengthy 802.1x-EAP authentication with the AAA (Authentication, Authorization, and Auditing) server on each L3 handover inducing the L2 handover. As a result of successful 802.1x-EAP authentication, the L2 key is shared and used for mutual authentication between the MN and a new AP. Since both L2 and L3 keys are generated and managed independently, key management for IEEE 802.11-based FMIPv6 becomes complex. A simplified key management scheme [10] to derive the L2 key from the L3 key has been proposed to reduce the authentication delay. However, it is still required for the MN to be interconnected with the AAA on each L3 handover, and it has a security problem in that a session hijacking attack is feasible, which will be shown in this paper.

A new key management and security scheme is proposed to secure IEEE 802.11-based FMIPv6 signaling messages. A contribution of this paper is twofold: first, a new L3 key establishment scheme is proposed, which is secure against a variety of session hijacking and redirection attacks in case of an L3 key compromise. Second, unlike the original IEEE 802.11-based FMIPv6 where the MN would perform a full IEEE 802.1x-EAP authentication with the AAA on each L3 handover, the newly proposed scheme requires only one IEEE 802.1x-EAP authentication regardless of how many L3 handovers occur. Therefore, the proposed scheme reduces the handover latency that results from the lengthy IEEE 802.1x-EAP authentication. In particular, the proposed key management scheme is of a cross-layer type in the sense that the L2 keys are derived from the L3 key. In Section 2, the background of FMIPv6 over IEEE 802.11 WLAN is introduced along with related works. A new key management and security scheme is proposed in Section 3. The new scheme is analyzed and compared with previous schemes in terms of security and performance in Sections 4 and 5. Finally, concluding remarks are given in Section 6.

2.1. FMIPv6 over IEEE 802.11 WLAN

We consider a network environment of Figure 1(a), where each subnet of the AR is comprised of one or more APs. When the MN moves from AP0 to AP1, then both L3 and L2 handovers occur. Namely, the MN’s subnet changes from subnet0 to subnet1.

Suppose an L2 handover from AP0 to AP1 is anticipated as in Figure 1(b). By exchanging both the Router Solicitation for Proxy Advertisement (RtSolPr) and the Proxy Router Advertisement (PrRtAdv) messages, the MN configures a new care-of-address (CoA), CoA1, according to the subnet prefix, Prefix1, of AR1. Then, the MN sends a Fast Binding Update (FBU) message to request AR0 to forward packets destined for the MN to AR1, ( in Figure 1(c)). A tunnel is established between AR0 and AR1 by exchanging Handover Initiate (HI) and Handover Acknowledgment (Hack) messages ( in Figure 1(c)), where the HI message carries the current CoA of the MN, CoA0, and a new CoA, CoA1, to be used on a subnet of AR1. The packets for the MN start to flow to and are buffered at AR1. Then, a Fast Binding Acknowledgment (FBack) message is sent to the MN to notify of the completion of the tunnel establishment.

When finally disconnected from AP0, namely, when the L2 handover occurs, the MN reassociates with AP1 ( in Figure 1(c)) and performs a full IEEE 802.1x-EAP authentication with the AAA ( in Figure 1(c)). If it is successful, L2 key distribution starts based on the MSK1 shared between the MN and AAA. The PMK1 truncated from the MSK1 is securely distributed to AP1 ( in Figure 1(c)). Subsequently, a 4-way Handshake ( in Figure 1(c)) based on PMK1 is performed between the MN and AP1. At this point, the MN is successfully attached to a subnet of AR1 (subnet1) through AP1. Finally, the MN sends an Unsolicited Neighbor Advertisement (UNA) message to request AR1 to deliver the buffered packets forwarded from AR0 ( in Figure 1(c)). The fields inherent to the L3 signaling messages (e.g., RtSolPr) are intentionally omitted for the sake of providing a simple explanation. Instead, they will be padded with the security-related fields when discussing the mechanism used to secure them.

2.2. Threat Models and Problem Statements

Without proper protection for L3 signaling messages in FMIPv6 ( and in Figure 1), an adversary can forge or modify them to mount a variety of redirection attacks. Unless the previous AR (AR0 in Figure 1) can verify that the FBU message comes from an authorized MN, legitimate traffic for the MN might be redirected to the adversary. Furthermore, the packets for the MN can be redirected to any other host to execute a flooding attack against it or against the subnet to which it belongs. The adversary can also forge the UNA message to steal the traffic destined for the legitimate MN. In order to avoid the above attacks, security associations should be established between the MN and ARs. An L3 key shared between the MN and AR0 is used to authenticate the L3 signaling messages of in Figure 1, while the L3 signaling messages of in Figure 1 can be authenticated based on another L3 key shared between the MN and AR1. Therefore, it is necessary to embed L3 key distribution protocol into the original 802.11-based FMIPv6. In particular, the domino effect should be suppressed in case of the L3 key compromise. Namely, the compromise of the current L3 key should not induce that of the future L3 key. On the other hand, the 802.1x-EAP authentication ( in Figure 1) is for the MN to share a new L2 key with the new AP attached to the target AR through AAA. The L2 key is used for mutual authentication between the MN and the new AP. However, the authentication delay caused by the 802.1x-EAP is a major source of the handover delay, since 8 messages should be exchanged between the MN and AAA in case of using EAP-Transport Layer Security (TLS) method. Hence, if the 802.1x-EAP can be skipped on each L3 handover of the IEEE 802.11-based FMIPv6, the overall handover delay can be greatly improved.

2.3. Previous Works

Several security schemes [11–13] have been investigated for sharing the L2 key to protect L2 signaling messages, which are based on a concept of ticket, key hiding technique, and authentication server, respectively. On the other hand, a security scheme [8] based on Cryptographically Generated Address (CGA) has been proposed to secure L3 signaling messages ( in Figure 1). CGA is formed by taking the IPv6 subnet prefix for a node’s subnet and combining it with an interface identifier suffix formed as the hash of the node’s public key. The L3 key, , generated by AR0 is encrypted using the public encryption key of MN, , and it is sent to the MN. Both RtSolPr and PrRtAdv messages are protected by the digital signature while the FBU message is protected by the symmetric key. The definition of the notations is shown in Notations section. Consider

However, the security scheme does not provide a method to establish a security association between the MN and the target router AR1, so that the UNA message cannot be protected and can be forged to steal the traffic destined for the legitimate MN. Furthermore, a variety of DoS (Denial of Service) attacks can be mounted using the unauthenticated UNA message, which has also been mentioned in [14]. Another security scheme [9] has been proposed to protect L3 signaling messages including the UNA message. The security schemes proposed in [8, 9] are only for protecting L3 signaling messages ( and in Figure 1).

An integrated handover authentication scheme [10] has been proposed to integrate the L3 key with the L2 key; namely, the L2 key can be derived directly from the L3 key. Before the MN hands over to the target AR, the MN transports a new L3 key, , to AR1 through the AAA as in (2), where MSK is a secret key shared between the MN and AAA. Subsequently, AR1 distributes the L2 key (PMK1) derived from the L3 key () to the new AP. A current L3 key, , is used to secure the L3 signaling messages ( in Figure 1), while a new L3 key, , is for securing the L3 signaling messages ( in Figure 1). Consider

As mentioned in Section 2.2, it is desirable for the interaction with the AAA to be skipped in order to speed up the handover process. However, it has not actually been skipped; instead, it has been placed on the L3 protocol. Furthermore, it is not secure against the L3 key compromise attack. Namely, the domino effect occurs in that if is compromised, then is also compromised. This security weakness is discussed further in Section 4.4.

3. The Proposed Key Management and Security Scheme

A new cross-layer scheme for key management and associated security is proposed, where an L2 key is derived from an L3 key to speed up the L3 handover procedure accompanying the L2 handover, so that it is similar to the one in [10]. However, there is much difference between them in terms of security and efficiency. It is assumed that preestablished security associations exist between AR0 and AR1, AR and AP. A security association between the MN and AAA is also assumed to exist for the initial access of MN to the network. The notations used in this paper are shown in Notations section.

3.1. Design Principles

Suppose an MN hands over from a subnet of AR0 to that of AR1. Two L3 keys are required to protect the L3 signaling messages: the one () on the subnet of AR0 and the other () on the subnet of AR1. Unlike the previous schemes [8–10] based on the interaction with AAA, the MN generates and distributes proactively to AR1 before it moves from AR0 to AR1. Furthermore, the L2 key (PMK1) can be derived from on the subnet of AR1 and pushed into new AP1 attached to AR1, so that the IEEE 802.1x-EAP can be skipped.

Since a new L3 key () to be used after handover is predistributed to AR1 by the MN, it is important to guarantee that a compromise of the current L3 key () does not induce that of the future L3 key (); namely, the domino effect should be suppressed. For this purpose, double public-key encryptions are applied to before distribution: the one with the public key of AR1 and the other with that of AR0. In our proposed protocol, the authenticity of the public key of AR1 is protected by . However, if is compromised, can also be exposed to an adversary. Therefore, it is also protected by the public key of AR0 which has been provided to the MN during the previous handover session.

An IPv6 address of the MN on the subnet of is formed as (= ), where is a 64-bit interface identifier. There are two ways of configuring IID: the typical one is based on the L2 address of the MN, and the other is using a random number as IID. In our proposed protocol, we also use the random number, but in a slightly different way. It is derived as follows: based on a random number selected by the MN. When moving from to , the MN should reveal the random number to prove that was generated and owned by the MN. So plays a role of a commitment. A main reason to use this mechanism is to defend against a session hijacking attack when the current L3 key is compromised.

3.2. Initial Network Access Protocol

When the MN initially associates with AP0 to access the network service ( in Figure 2), it performs full IEEE 802.1x-EAP authentication with the AAA ( in Figure 2). As a result, the MSK0 is shared between them, and the information (AR0 and ) for the default router of the MN is passed to the MN. Subsequently, the AAA derives two L3 keys IK and which are truncated from MSK0 and transports them with securely to the default router, where is the Network Access Identifier (NAI) of the MN. IK is an initial L3 configuration key, while is an L3 handover key, based on which an L2 key (PMK0) is also derived. Then, AR0 pushes into AP0 ( in Figure 2).

MN and AP0 denote the L2 addresses of the MN and AP0, while AR0 denotes the L3 addresses of AR0. The 4-way Handshake based on the PMK0 is executed between the MN and AP0 in order for the MN to attach to a subnet of AR0 (subnet0) through AP0 ( in Figure 2). Finally, the MN performs an L3 configuration to check whether its IPv6 care-of-address, CoA0, is duplicate on the subnet of AR0:

The MN sends a Router Solicitation (RtSol) message to AR0. Based on , AR0 can retrieve IK and can respond to the RtSol message by sending a Router Advertisement (RtAdv) message. The RtAdv message contains the subnet prefix of AR0, Prefix0, from which the MN configures CoA0 (= ), and the MN then sends a Configuration (Conf) message where the interface identifier is computed based on a random number generated by the MN. If CoA0 is verified to be unique on the subnet, the initial network access protocol is successfully terminated. Eventually, (CoA0, ) is stored into the neighbor cache of AR0.

3.3. Proposed Secure Handover Procedure

Suppose an L2 handover accompanying an L3 handover occurs from AP0 to AP1. A sequence of signaling messages is shown in Figure 3, where the L3 key, , at the subnet0 has already been shared between the MN and AR0 as a result of a previous handover process or an initial network access. After receiving the RtSolPr message, AR0 responds by sending a PrRtAdv message with a subnet prefix of AR1 (Prefix1) and the public key of AR1 ():

After configuring CoA1 (= ), where is computed based on a random number , the MN generates a new L3 key, , and sends an FBU message to AR0 ( in Figure 3). Since is to be shared with AR1, it is first encrypted with the public key of AR1, , subsequently encrypted with the public key of AR0, . When receiving the FBU message, AR0 first obtains after decryption, in order to check if is equal to IID0 of CoA0. If not, the message is proven to be not sent from the MN whose IPv6 address is CoA0 and the handover protocol is aborted. Otherwise, the L3 key, , is eventually passed to the target AR1 for the purpose of sharing it with the MN at the subnet1. A reason to encrypt twice is to defend against an L3 key compromise attack, which is discussed further in Section 4.3. Consider

The target router AR1 obtains through the HI message after decryption, and will be used to derive the L2 key and to secure the future L3 handover. AR1 pushes PMK1 into AP1.

After reassociating with AP1 ( in Figure 3), the MN performs a 4-way Handshake ( in Figure 3) based on PMK1 without IEEE 802.1x-EAP authentication with the AAA. Subsequently, the MN sends a UNA message to request AR1 to deliver the buffered packets forwarded from AR0 ( in Figure 3). (CoA1, ) is finally stored into the neighbor cache of AR1.

4. Security Analysis and Comparisons

4.1. Comparison of Key Management Schemes

In this section, three key management schemes are compared: security-enhanced IEEE 802.11-based FMIPv6 [8, 9], Integrated Scheme [10], and our proposed scheme, which are denoted as Schemes , , and , respectively. In case of Scheme , the security mechanisms [8, 9] to secure the L3 signaling messages are added to the original IEEE 802.11-based FMIPv6 [5]. However, there is no key management in that both L3 and L2 keys are separately generated and maintained, meaning that IEEE 802.1x-EAP authentication ( in Figure 4(a)) should be performed on each L3 handover. A method to integrate the L3 key with the L2 key has been proposed in Scheme . Before the MN moves to a new AP attached to the target subnet AR1, it requests the AAA to transport a new L3 key () to AR1, and then a new L2 key (PMK1) derived from it is pushed into AP1 (★ in Figure 4(b)). But the interaction with the AAA cannot be skipped either during the L3 handover. On the other hand, in the proposed scheme (Scheme ) of Figure 4(c), IEEE 802.1x-EAP authentication is performed only once during the initial network access in Figure 1. During a handover from AR0 to AR1, a new L3 key is sent to AR1 via AR0. Therefore, both the MN and AR1 share , which can be used to secure L3 signaling messages and to derive a new L2 key (PMK1) in the target subnet. Since is proactively distributed to AR1 before the MN moves from AR0 to AR1, the MN can perform a 4-way Handshake immediately after reassociating with AP1 ( in Figure 4(c)).

4.2. Replay and Redirection Attacks

In order to guarantee the freshness of FMIPv6 signaling messages, to be precise, to protect from a replay attack, challenge-response authentication based on the random numbers ( and ) is employed for our proposed scheme. A scenario to which the replay attack is applied is as follows: the MN is attached again to AR0 at handover session , while it has been attached to the same AR0 at handover session , (). Suppose the MN has moved to AR1 during the handover session and plans now to move to AR2 during the handover session . In this case, an adversary can try to replay the FMIPv6 signaling messages used during the handover session to redirect the traffic for the MN. However, the replay attack is not successful due to both nonce values and the L3 key which is unique for each handover session.

4.3. Compromised L3 Key and Session Hijacking Attack

A case of the L3 key compromise is considered in this section. We show that our proposed scheme is secure against a session hijacking attack through redirection even though the current L3 key, , of (5) and (6) is exposed to an adversary. To protect the FBU message in Section 3.3, our proposed security scheme employs two public-key encryptions with and as in (5) and (6).

The MN obtains the public key of AR0 () as a result of an initial network access or a previous L3 handover, while the public key of AR1 () is passed to the MN by AR0.

4.3.1. Session Hijacking by Redirection Attack

Suppose an adversary disguising a victim MN knows the current L3 key and starts an L3 handover as follows:

, , and are generated by that tries to hijack the current traffic for the MN (CoA0) and forward it to (). When receiving the FBU message, AR0 obtains after decryption and verifies if IID0 of the source IPv6 address (CoA0) is identical to . If the verification is not successful, the protocol stops. Since is based on a one-way hash function and the used to derive IID0 is known only to the MN, all the adversary can do is attempt to guess (the probability of is $2^{-64}$). Since CoA0 is valid only on the subnet0 and keeps changing as the MN moves, the probability is negligible enough to defend against such an attack.
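The check that AR0 performs on the FBU message in Sections 3.3 and 4.3.1, shown as an added Python example that is not code from the paper. It assumes SHA-256 as the one-way hash, HMAC-SHA-256 as the MAC, and a hypothetical FBU field layout (CoA0, CoA1, nonce, revealed random number); the two public-key encryption layers are omitted, so the fields are shown as AR0 sees them after decryption.

```python
import hashlib
import hmac
import ipaddress
import secrets


def iid_from_random(r: bytes) -> bytes:
    """Commitment to r: 64-bit truncation of H(r). SHA-256 is an assumption."""
    return hashlib.sha256(r).digest()[:8]


def make_coa(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Care-of address = 64-bit subnet prefix || 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("expected a /64 prefix and a 64-bit IID")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def fbu_mac(l3_key: bytes, coa0, coa1, nonce: bytes, r: bytes) -> bytes:
    """MAC over all preceding FBU fields (hypothetical field order)."""
    msg = coa0.packed + coa1.packed + nonce + r
    return hmac.new(l3_key, msg, hashlib.sha256).digest()


def ar0_verify_fbu(l3_key: bytes, coa0, coa1, nonce: bytes, revealed_r: bytes,
                   mac: bytes) -> str:
    """AR0-side checks on a decrypted FBU; returns 'accept' or a reject reason."""
    expected = fbu_mac(l3_key, coa0, coa1, nonce, revealed_r)
    if not hmac.compare_digest(mac, expected):
        return "reject: bad MAC"
    # The MAC alone is worthless once the L3 key leaks, so AR0 also checks that
    # the revealed random number opens the commitment embedded in CoA0.
    iid0 = coa0.packed[8:]
    if not hmac.compare_digest(iid0, iid_from_random(revealed_r)):
        return "reject: IID commitment mismatch"
    return "accept"


def demo():
    # Constructed sample values (documentation prefixes, random keys).
    prefix0, prefix1 = "2001:db8:0:a::/64", "2001:db8:0:b::/64"
    l3_key0 = secrets.token_bytes(32)   # current L3 key shared by MN and AR0
    r0 = secrets.token_bytes(16)        # known only to the MN
    coa0 = make_coa(prefix0, iid_from_random(r0))

    # Legitimate MN: reveals r0 when requesting the handover to CoA1.
    r1 = secrets.token_bytes(16)
    coa1 = make_coa(prefix1, iid_from_random(r1))
    nonce = secrets.token_bytes(8)
    legit = ar0_verify_fbu(l3_key0, coa0, coa1, nonce, r0,
                           fbu_mac(l3_key0, coa0, coa1, nonce, r0))

    # Adversary holding the compromised L3 key: the MAC verifies, but without
    # r0 the commitment in CoA0 cannot be opened.
    adv_r = secrets.token_bytes(16)
    adv_coa = make_coa(prefix1, iid_from_random(adv_r))
    adv_nonce = secrets.token_bytes(8)
    with_key = ar0_verify_fbu(l3_key0, coa0, adv_coa, adv_nonce, adv_r,
                              fbu_mac(l3_key0, coa0, adv_coa, adv_nonce, adv_r))

    # Outsider without the L3 key: rejected at the MAC check.
    wrong_key = secrets.token_bytes(32)
    no_key = ar0_verify_fbu(l3_key0, coa0, adv_coa, adv_nonce, adv_r,
                            fbu_mac(wrong_key, coa0, adv_coa, adv_nonce, adv_r))
    return legit, with_key, no_key


if __name__ == "__main__":
    for label, result in zip(("legitimate MN", "compromised L3 key", "no key"), demo()):
        print(f"{label}: {result}")
```

The second case is the one the section analyzes: a forged FBU carrying a valid MAC is still rejected because the source address CoA0 is bound to a value only the MN can reveal.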

4.3.2. Session Hijacking by Man-in-the-Middle Attack

Suppose an adversary knows the current L3 key and the victim MN starts an L3 handover to request AR0 to forward its traffic to CoA1. To see why the public-key encryption with is required, (6) is modified into :

Then, the adversary can mount a man-in-the-middle attack as follows:

Namely, observing between the MN and AR0 modifies of (9) into of (10) generated by , so that can obtain a new L3 key and hijack the traffic for CoA1 for the purpose of forwarding it to . Eventually, the connection with AR1 is turned over to . On the other hand, if (6) is used instead of , (11) and (12) are changed into and , respectively:

When intercepting , cannot modify CoA1 or obtain since they are encrypted with . Therefore, when receiving through the message, AR1 aborts the current protocol since it cannot be decrypted with . Therefore, a compromise of the current L3 key does not induce that of the future L3 key.

4.4. Security Comparisons

Table 1 shows security comparisons (Schemes , , and ) including the key management comparisons discussed in Section 4.1. It has been shown that our proposed scheme is secure against the session hijacking attack in case of the L3 key compromise. Scheme is also secure since the L3 key is always generated and shared as a result of 802.1x-EAP protocol. However, Scheme ((2) in Section 2.3) is not secure when the L3 key is compromised. Suppose is exposed to an adversary and (13) can be observed from the previous handover session:

In this case, if the adversary replays a part of (13) as in (14) with the compromised L3 key , then the adversary can share the same L3 key with a new AR, so that the adversary can hijack the current session.

4.5. AAA Issues for Security and Billing

FMIPv6 can support handover across different administrative domains. As mentioned before, if the two ARs belong to two different administrative domains, there should be a prior roaming agreement between them for security and billing. Typically, the accounting data (information about MN’s resource consumption) collected by the network devices in the visiting domain is carried by the accounting protocol to the home domain. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol whose role is to inform MN’s HA (Home Agent) of the current AR. There are two service providers, Network Access Service Provider (NSP) and Mobility Service Provider (MSP), in MIPv6 bootstrapping environment [15]. The IEEE 802.11-based FMIPv6 service can be provided by the NSP offering a basic network access service to MN, while the MIPv6 BU service is provided by the MSP. So when the MIPv6 BU protocol is initiated, MSP’s authorizer (AAA) will interact with the MN and AR, which is beyond the scope of this paper.

5. Performance Analysis and Comparison

In this section, the three handover latencies from the previous schemes (Schemes and ) and from the proposed scheme (Scheme ) are compared. We first describe the analytical mobility model for the performance evaluation, and then we analyze and compare the handover costs and the numeric results of the analysis.

5.1. Analytical Mobility Model

For the sake of simplicity, a square-shaped network model is used to analyze and compare the performance of the protocol under the three different schemes. In the square-shaped network model, coverage of the entire administrative domain and that of each AP are all square-shaped, and APs are uniformly distributed over the area of the administrative FMIPv6 domain. Figure 5 shows the square-shaped mobility model where the bold lines indicate the boundary of the subnet consisting of 4 APs (AP01, AP02, AP03, and AP04) connected to AR0.

The handover procedure is performed by the MN between ARs and APs. Hence, the handover rate is closely related to the mobility pattern of MN. The Fluid Flow (FF) model is widely used to analyze issues related to cell boundary crossing, such as a handover [16]. The FF model is suitable for MNs with a static speed and direction of motion. We adapt the FF model for use as the mobility model. Let and denote the perimeter of each AP and AR, while and , respectively, denote the average velocity and density of MN. The MNs are uniformly distributed with a density , and they move at an average velocity of in directions that are uniformly distributed over . In the next analysis, is varied from 0.1 m/s to 5 m/s and is set to 0.0002 MNs/m² (200 MNs per km²). Let and be the crossing rates over the coverage of each AP and AR, respectively. They are then defined as follows:

5.2. Handover Cost Analysis and Numerical Results

In IEEE 802.11-based FMIPv6, an MN performs L2 and L3 handover procedures. When an MN changes its current address to a new AR, the MN performs an L3 handover procedure. On the other hand, if an MN changes its current AP to another one connected to the same AR, then MN performs an L2 handover procedure. In this section, the average handover cost per MN is defined as the sum of the cost of the L3 handover and the cost of the L2 handover per unit time in order to provide results for the performance comparison. Let be the average handover cost per MN in unit of time, and and are the L3 handover cost and the L2 handover cost for Scheme (= 1, 2, 3), respectively. and are defined as the sum of the signaling cost and the processing cost for the L3 and L2 handovers, respectively. Based on (15), the average handover cost per MN, , can be calculated as follows [16], where is the area of an AR domain:

The parameter descriptions and values for the performance comparison, referenced from [16], are defined in Table 2. Note that the values other than , , , and are defined “relatively” for the purpose of this comparison, so the handover cost does not indicate the actual authentication delay for the corresponding scheme.

Using the parameters in Table 2, the L2 and L3 handover costs and the average handover cost can be calculated based on (17). The , , , , and indicate the processing costs on MN, AP, AR0, AR1, and AAA, respectively, of Scheme , and each of them is also calculated from the cost of cryptographic operations such as and . Let the number of hops between any two relatively close network devices (such as MN-to-AP, AP-to-AP, and AR-to-AR) be 1. and are specific coefficients of Scheme :

The handover cost of each scheme evaluated according to Table 2 is shown in Figure 6. Figure 6(a) compares the L3 handover costs of the three schemes. It can be observed that the main contributor to the handover cost is the signaling cost, , and the handover cost of the previous schemes is larger than that of the proposed scheme as a result of the difference in when the interaction between the MN and AAA is required. Figure 6(b) shows the average handover cost per MN as the average velocity of the MN increases. The density of MN, , is set to 0.0002, the number of APs in an AR, , is set to 5, and the velocity of an MN varies from 0.1 m/s to 5 m/s. The average handover cost for three schemes increases as the velocity increases. Figure 6(c) shows the impact the number of APs in an AR has on the average handover cost per MN. The density of MN, , is set to 0.0002, and the velocity of an MN, , is set to 5. The average handover cost decreases as the number of APs in an AR increases.

As we can see from Figures 6(a), 6(b), and 6(c), the proposed scheme is either much more or slightly more efficient than the previous schemes. Figure 6(d) shows the impacts that the velocity of MN and the number of APs in an AR have on the average handover cost for the proposed scheme. The average handover cost increases rapidly as the velocity of MN increases. However, the average handover cost decreases gradually as the number of APs in an AR increases. Therefore, the velocity of MN, rather than the number of APs in an AR, is a more important factor to consider in order to achieve an efficient handover.

6. Conclusions

We have designed a key management and security scheme to enhance L2/L3 handover security and to reduce the authentication delay induced by the L3 handover. The proposed scheme is based on the original IEEE 802.11-based FMIPv6 where, first, based on the security assumptions, an initial network access protocol has been proposed to bootstrap the security associations among the network entities. Second, a cross-layer key management process has been introduced to integrate the L2 key with the L3 key. Namely, the L3 key can be judiciously employed to derive the L2 key, so that the time-consuming IEEE 802.1x-EAP authentication with the AAA can be skipped. Third, a method for protecting the seven L3 signaling messages has been proposed, as well as a scheme to securely transport the L3 key to the target AR. In particular, the case of a compromised L3 key has been considered: even though the L3 key at the subnet of the current AR is compromised, an adversary with the compromised L3 key cannot perform any kind of redirection attack. In other words, a domino effect can be suppressed. FMIPv6 over IEEE 802.11 is followed by the MIPv6 BU (Binding Update) protocol which involves an interaction with the AAA of the MSP. In the integrated scenario of MIPv6 bootstrapping, the MSP plays the role of the NSP, while the MSP and NSP are two distinct service providers in the split scenario. As a follow-up to the current research, the AAA issues for security and billing will be investigated further, considering both the split and integrated scenarios for MIPv6 bootstrapping.

Notations

:Message authentication code computed over all preceding message fields using a symmetric key
:Encryption of using symmetric key
:Key derivation function
:Random number generated by ( = MN, 0 for AR0, 1 for AR1)
Nonce:Nonce parameter
:One-way hash function
:64-bit truncation from the output of
:L3 key shared between MN and
:L2 key shared between MN and
, :A pair of public and private keys of used for the signature
A pair of public and private keys of used for the encryption
:A digital signature based on the signing private key covering all preceding message fields
:Encryption of with the public key of ( = MN, 0 for AR0, 1 for AR1).

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research was supported by the Employment Contract based Master Degree Program for Information Security supervised by the KISA (Korea Internet Security Agency) and also supported by the MSIP (Ministry of Science, ICT and Future Planning), Republic of Korea, under the CPRC (Communications Policy Research Center) Support Program supervised by the KCA (Korea Communications Agency) (KCA-2013-003).