
Analysis and comparison

4.1 Analysis

Based on extended IAPP, we propose a fast handover mechanism with the following properties:

(1) Fast handover;

(2) Requirement of roaming agreement;

(3) Dynamic trust relation;

(4) Capability of re-authentication;

(5) Reduced burden on the AS;

(6) Based on present protocols.

(1) Fast Handover:

Our method uses IAPP to perform fast handover. When the MN wants to hand over, the current AP transfers the MN's context to the new AP. The new AP uses that context to establish the connection with the MN without authenticating with the AS again, which reduces the authentication delay. [14] notes that the overall latency in layer 2 and layer 3 should not exceed 50 ms to prevent excessive jitter. Fast handover using IAPP can reduce the handover delay to an average of 15.37 ms.

When the new domain has no roaming agreement with the visited domain, the two domains must first perform certificate verification and establish a roaming agreement, which adds roaming delay. However, the trust relation between the two domains is established during the process of certificate verification, if the other MN wants

(2) Requirement of roaming agreement:

Most methods need to authenticate with the home domain during handover.

The MN can only access a network domain that has a roaming agreement with the MN's home domain. In a real environment, domains located in different areas are unlikely to have roaming agreements with each other; a domain usually has roaming agreements only with neighboring domains to extend its service range. Therefore, with the former methods the domains an MN can visit are limited and the range it can roam in is restricted.

Our proposed method is based on extended IAPP, which has the characteristic that an MN can visit a domain that has no roaming agreement with the MN's home domain. The MN and the new domain establish an implicit trust relation via the visited domain, which adjoins the new domain. Through the trust relation between the visited domain and other domains, trust is implicitly extended to the MN's home domain, so an MN can roam to other domains.

(3) Dynamic trust relation:

If the new domain that the MN wants to connect to has no roaming agreement with either the visited domain or the MN's home domain, the connection will be refused.

Our method provides a certificate chain verification mechanism to dynamically establish the trust relation between domains. Each domain has its own certificate.

When domain A wants to verify whether the certificate of domain B is valid, domain A checks the CA that signed domain B's certificate. If domain A does not trust that CA, it checks the next CA in the certificate chain until it meets a trusted CA. Domain A then trusts that domain B's certificate is valid and that domain B is trustworthy.
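The chain walk just described, as an added worked example that is not part of the thesis: domain A starts at domain B's own certificate and follows issuers until it meets a CA in its own trust store, refusing the connection otherwise. The certificate format, the hash-based "signature" and all names (Root-CA, Regional-CA, domain-B, Rogue-CA) are constructed stand-ins for X.509 material so the check runs offline.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Cert:            # toy certificate; 'key' stands in for the holder's public key
    subject: str
    issuer: str
    key: str
    signature: str = ""

def sign(issuer_key: str, subject: str, key: str, issuer: str) -> str:
    # Constructed stand-in for an X.509 signature: a hash bound to the issuer's
    # key and the signed fields, enough to exercise the chain walk offline.
    return hashlib.sha256(f"{issuer_key}|{subject}|{key}|{issuer}".encode()).hexdigest()

def self_signed(subject: str, key: str) -> Cert:
    return Cert(subject, subject, key, sign(key, subject, key, subject))
def issue(subject: str, key: str, ca: Cert) -> Cert:
    return Cert(subject, ca.subject, key, sign(ca.key, subject, key, ca.subject))
def signature_ok(cert: Cert, issuer: Cert) -> bool:
    return cert.signature == sign(issuer.key, cert.subject, cert.key, cert.issuer)

def verify_chain(chain: List[Cert], trusted: Dict[str, Cert], max_depth: int = 8) -> Optional[List[str]]:
    """Domain A's check of domain B: walk from B's own certificate (chain[0]) through its issuers
    until a CA in A's trust store is met. Return the accepted path of subjects, or None (refused)."""
    if not chain: return None
    presented = {c.subject: c for c in chain}
    cert, path = chain[0], [chain[0].subject]
    for _ in range(max_depth):
        # Trusted CA keys come from A's own store, never from B's chain: a self-signed root B supplies gains nothing
        anchor = trusted.get(cert.issuer)
        if anchor is not None:
            return path + [anchor.subject] if signature_ok(cert, anchor) else None
        issuer = presented.get(cert.issuer)
        if issuer is None or issuer.subject in path or not signature_ok(cert, issuer):
            return None  # missing link, loop, or bad signature: untrusted
        path.append(issuer.subject)
        cert = issuer
    return None  # chain longer than the allowed depth

# Constructed data: Root-CA is the only CA that domain A trusts.
ROOT = self_signed("Root-CA", "root-key")
REGIONAL = issue("Regional-CA", "regional-key", ROOT)
DOMAIN_B = issue("domain-B", "b-key", REGIONAL)
ROGUE = self_signed("Rogue-CA", "rogue-key")
DOMAIN_C = issue("domain-C", "c-key", ROGUE)
TRUST_STORE_A = {ROOT.subject: ROOT}
CHAIN_B = [DOMAIN_B, REGIONAL]  # B's certificate plus the intermediate it was issued under
CHAIN_C = [DOMAIN_C, ROGUE]     # C's certificate chains only to a CA that A does not trust
```

Calling verify_chain(CHAIN_B, TRUST_STORE_A) yields the path domain-B, Regional-CA, Root-CA, while CHAIN_C, a chain missing its intermediate, or a certificate whose key was altered after signing all return None.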

(4) Capability of re-authentication:

Based on the concept of the certificate chain, we propose one-hop re-authentication to overcome the shortcoming of extended IAPP-based fast handover methods, which cannot re-check the MN if the new domain has no roaming agreement with the home domain. The one-hop re-authentication method establishes trust relations between domains via certificate chains and uses EAP-TLS for full authentication between the MN and the AP to verify the validity of the peers and generate a new secret key PMK. This method allows the MN to roam between different network domains without sacrificing security.

(5) Reduced burden on the AS:

When the MN moves into the service region of a new AP, it need not execute the authentication process to establish a trust relation with the AP. This alleviates the computing effort of the AS and improves roaming efficiency.

(6) Based on present protocols:

The method we propose is built on existing protocols, including IAPP, certificate chains and EAP-TLS. Therefore, implementing it requires neither modification of existing protocols nor upgrades to network facilities.

4.2 Comparison

In this section we compare the proposed mechanism with existing fast handover methods to demonstrate the feasibility and advantages of our mechanism.

(1) Roaming agreement relation:

The fast handover methods considered are proactive key distribution, pre-authentication and roaming key. All of them require that the domains the MN roams to have a roaming agreement with the MN's home domain. In other words, an MN using those methods cannot roam to domains that do not cooperate with its home domain.

The method using extended IAPP and our proposed method allow the MN to roam to domains that have no roaming agreement with the home domain, because the MN and the new domain have an implicit trust relation via the trust relation of the visited domain.

(2) Re-authentication is available in the visited domain:

The fast handover methods proactive key distribution, pre-authentication and roaming key can perform re-authentication because the visited domains must have a roaming agreement with the home domain. The method using extended IAPP cannot perform re-authentication directly. Therefore, our proposed method uses the properties of the certificate chain to add a one-hop re-authentication mechanism that enables re-authentication between the MN and the AP.

Table 4.1 compares our proposed method, proactive key distribution, pre-authentication, methods using extended IAPP and roaming key with respect to direct agreement and re-authentication.

Methods                         Without direct agreement   Re-authentication
Proposed method                 Yes                        Yes
Proactive key distribution      No                         Yes
Pre-authentication              No                         Yes
Methods using extending IAPP    Yes                        No
Roaming key                     No                         Yes

Table 4.1 Comparison

Table 4.1 shows that our proposed method lets the MN roam to a domain without a direct agreement with the MN's home domain and can perform re-authentication in the visited domain. The proposed method fulfills all the requirements of fast authentication.
