WO2006132540A1 - Method and arrangement for handing over a client from a first wireless LAN to a second wireless LAN (original French title: Procede et agencement permettant transferer un client d'un premier lan sans fil vers un second lan sans fil) - Google Patents


Info

Publication number: WO2006132540A1
Authority: WO (WIPO, PCT)
Application number: PCT/NO2006/000209
Other languages: English (en)
Inventors: Tor Hjalmar Johannesen, Frederic Paint
Original assignee: Telenor ASA
Priority date: 2005-06-06 (from NO20052689)
Filing date: 2006-06-06
Publication date: 2006-12-14

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/062 Pre-authentication
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/08 Reselecting an access point
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]

Definitions

  • The present invention relates to handover procedures in Wireless Local Area Networks.
  • WLAN: Wireless LAN
  • A WLAN user can move from access point to access point without losing his established session or Internet connections; a so-called seamless handover.
  • The problem is that the user device/client must re-authenticate to each and every new access point before the traffic channel is opened.
  • The re-authentication process is time-consuming and represents a real obstacle, especially for real-time applications such as streaming and voice, where delays of more than 120 ms degrade the service significantly.
  • The port-based security system IEEE 802.1X runs authentication and the opening of the traffic channel as sequential processes, i.e. the access policy is that no traffic is allowed before the authentication process has finished successfully; see figure 1.
  • The new idea is to introduce a trade-off between security and handover latency.
  • The traffic channel/access port is only closed once the authentication process fails. The cost is that the access/network provider (Residential Gateway (RG)/hotspot owner, etc.) must yield some resources/time without payment. This "free time" should be configurable (anticipated to be a few seconds).
  • The proposed policy reflects that "everything" is allowed until something is proven wrong, in contrast to the traditional policy where "nothing" is allowed until something is proven right (i.e. authentication succeeds).
  • Fig. 1 illustrates the traditional sequential port access policy.
  • Fig. 2 shows parallel processing access according to the present invention.
  • Fig. 3 illustrates a security enhancement of the inventive process of Fig. 2, involving parallel processing with timer control of pending states.
  • Fig. 4 illustrates the access points and ports in a system according to the present invention.
  • Fig. 5 shows the message sequence during a successful client connection to a WLAN access point.
  • Fig. 6 shows the corresponding message sequence in case the connection process is unsuccessful.
  • Fig. 7 is a schematic illustration of the main building blocks in an arrangement according to the invention, for incorporation in a WLAN access point.
  • The port access authentication standard in use today (802.1X) executes the authentication functions before the access port is opened for normal traffic. This means that information must be exchanged between the user client and the RG/hotspot access point. In some cases, i.e. when the user belongs to another domain, the RG must even contact the user's Internet Service Provider (ISP) to obtain authentication data. This adds further delay before the process finishes. Re-authentication is considered the most time-consuming part of a handover.
  • ISP: Internet Service Provider
  • Fig. 1 shows the sequencing of authentication and traffic handling in WLAN systems today.
  • The present invention provides a new way of organising the port authentication process for access networks with port-based access control, such as WLAN and WMAN, in connection with traffic handling: the two processes are parallelised instead of sequenced.
  • Figure 2 shows the new idea.
  • The access point allows user traffic in parallel with the ongoing authentication process.
  • Once the authentication result is clear, one of two things happens: if authentication succeeds, accounting is started for that user, who continues his Internet traffic over the already established session; if it fails, the port is closed and the user traffic rejected (i.e. according to standard procedures).
  • The access point opens the traffic channel for any non-authenticated user while processing the authentication function for the associated link address of the client (e.g. the WLAN MAC address). If the authentication succeeds, the accounting function is activated (for instance through RADIUS Accounting); if the authentication fails, the traffic is stopped for that client. In parallel, the terminal opens the traffic channel towards any non-authenticated access point while processing the associated link address of the access point. If the authentication fails, the traffic is stopped. A WLAN terminal can send a disassociation notification to the access point.
  • The new method is applicable to any access network with port-based access control that controls the access to an external network. It applies for example to any Wireless Local Area Network (WLAN) using the 802.1X protocol, such as WiFi Protected Access (WPA), WPA2 and 802.11i based WLANs, as well as to any port-based access control such as 802.16e.
  • WMAN: Wireless Metropolitan Area Network
  • The inventive method may be enhanced with additional functionality.
  • A timer is set. This timer is configurable: it may be configured off (deactivated) or on, and its duration may be set. If the authentication fails, or has not succeeded within the configured time frame, the traffic is rejected for that node (the terminal, the access point, or both). If authentication of the terminal succeeds, the accounting function is initiated in the access point.
  • Fig. 3 illustrates the sequencing in this security-enhanced method.
  • A timer is added to bound the latency of a possibly delayed authentication process. If no response is received from the authentication process of figure 2, the port would otherwise remain open; to avoid never-ending pending states, the timer in that case stops the traffic by closing the port. If the authentication process responds before the timer elapses, the timer is cancelled and the authentication result decides whether the port remains open or is closed (as in the basic model).
  • Link address concerned: e.g. the WLAN MAC address
  • Fig. 3 may be further enhanced.
  • The access server should include:
  • A cache of rejected MAC addresses, each storing an associated attempt counter.
  • A management function to set the maximum number of access attempts.
  • A management function to set the interval after which the cache entry for a blocked MAC ID is reset. Parameters: hours, minutes.
  • A countermeasure against this type of attack, in which the free window is abused to pass unaccounted traffic, is to measure the ratio between unaccounted and accounted traffic over a period. If the ratio exceeds a certain limit, the parallel-processing policy may be exchanged for the traditional policy illustrated in figure 1. Provided that the access point is able to toggle between the two policies, a state machine operating between two states is proposed:
  • State 1: The valid/operating policy is the parallel processing of authentication and traffic as in figure 2 (or figure 3). In state 1 unaccounted traffic is possible during the free window.
  • State 2: The valid/operating policy is the traditional sequential processing of authentication and traffic as in figure 1. In state 2 unaccounted traffic is not possible.
  • The change of state is performed automatically on the following events:
  • State 1 -> State 2: when statistics based on the ratio of unaccounted to accounted resource consumption reach a configurable reaction point.
  • State 2 -> State 1: when a configurable timer (manageable period) elapses.
  • The access server should also include the following management function: a function for setting the state permanently in a given state.
  • Figure 4 shows a system description with two important ports.
  • The left port (A) is under the client's control; the client controls this port according to its own policy.
  • The right port (B) belongs to the access network (normally the access point) and is under its control.
  • The traffic port to be opened can be more sophisticated than an all-or-nothing port. The port at the access point could, for instance, be open for voice and/or video traffic only, while web browsing stays closed until authentication succeeds.
  • Case 1: Successful case
  • The policy in the access point (AP) is that the port is opened for a given time window, dimensioned to cover twice the average duration of an authentication process. If the authentication succeeds, the port stays open after the time window has elapsed. Otherwise the port is closed and the event is recorded.
  • Figure 5 shows the message sequence of a successful client connection to a WLAN AP.
  • The various stages are indicated in stippled boxes and lines.
  • The method includes the following individual steps:
  • The terminal associates with an access point using standard 802.11 mechanisms.
  • The WLAN AP sends an access request to the RADIUS server, providing the MAC address of the terminal and the required service, e.g. WLAN access. This is part of the RADIUS specification.
  • The RADIUS server responds positively to the request.
  • This response includes the IP address that should be allocated to the terminal that initiated the access process. This is part of the RADIUS specification.
  • The association response is sent back.
  • Information in the association response indicates that the port can be opened before authentication is successful.
  • The terminal knows at this point that it can receive and send traffic even though the authentication is not completed.
  • An alternative is to include this information in the probe response (before association).
  • A new information element can easily be included in the association message.
  • The terminal can then establish its IP connection using mechanisms such as DHCP.
  • The MAC address of the terminal is included in DHCP, so the DHCP server in the AP can allocate the IP address assigned by the AAA/RADIUS server (see message 3 in figure 5).
  • The WLAN AP relates this EAP sequence to the RADIUS sequence previously established.
  • The AP starts the authentication process by requesting the identity of the terminal, as specified by WPA.
  • The EAP authentication methods are run sequentially, as specified by WPA.
  • A success message is sent to the terminal when the authentication is successful, as specified by WPA.
  • The master key is sent to the AP, as specified by WPA.
  • This key material is used for generating the session keys, as specified by WPA. At this point the traffic is secured, and accounting information is trustworthy and can be used for billing the user.
  • Case 2: Unsuccessful case
  • Figure 6 shows the message sequence of an unsuccessful client connection to a WLAN AP. The various stages are indicated in stippled boxes and lines, and each stage includes the following actions:
  • The terminal associates with an access point using standard IEEE 802.11 mechanisms.
  • The WLAN AP sends an access request to the RADIUS server, providing the MAC address of the terminal and the required service, e.g. WLAN access. This is part of the RADIUS specification.
  • The RADIUS server responds positively to the request. This response includes the IP address that should be allocated to the terminal that initiated the access process. This is part of the RADIUS specification.
  • The association response is sent back.
  • Information in the association response indicates that the port can be opened before authentication is successful.
  • The terminal knows at this point that it can receive and send traffic even though the authentication is not completed.
  • An alternative is to include this information in the probe response (before association).
  • A new information element can easily be included in the association message.
  • The terminal can then establish its IP connection using mechanisms such as DHCP.
  • The MAC address of the terminal is included in DHCP, so the DHCP server in the AP can allocate the IP address assigned by the AAA/RADIUS server (see message 3 in figure 6).
  • The WLAN AP relates this EAP sequence to the RADIUS sequence previously established.
  • The AP starts the authentication process by requesting the identity of the terminal, as specified by WPA.
  • An EAP failure message is sent to the terminal, as specified by WPA.
  • The access point notifies the terminal that it has been disconnected by sending a disassociation message.
  • Fig. 7 shows the 802.1X port 1 that can be open or closed for user traffic.
  • The port 1 is connected to the user through a WLAN connection 2, and to the Internet through a connection 3.
  • The port 1 is controlled primarily by a WPA (WiFi Protected Access) controller 4 and a timer 5.
  • The WPA function depends on communication with a RADIUS (AAA) server 7, which executes the authentication and authorisation functions on behalf of the WPA port controller 4.
  • The WPA port controller 4 operates according to the access policy selector 8 (either closed until authentication succeeds, or open until authentication fails).
  • The access policy selector 8 is controlled by a statistical supervision control function 6 that measures the quotient between accounted and non-accounted traffic.
  • The timer 5 closes the port 1 if the WPA controller 4 remains in the pending state for too long (configurable time).
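An added example (not code from the patent or from Telenor) modelling the port controller of figures 2, 3 and 7 in Python: a per-client port that opens on association under the "open until authentication fails" policy, a pending timer that closes it if the authenticator never answers, accounting started on success, and the class-restricted port of the figure 4 discussion (voice and video allowed while pending, web browsing not). The class and method names, the 5-second timer, the traffic-class labels and the MAC addresses are assumptions for illustration; the sequential policy of figure 1 is included for contrast.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

class Policy(Enum):
    SEQUENTIAL = "closed until authentication succeeds"   # figure 1
    PARALLEL = "open until authentication fails"          # figures 2 and 3

class PortState(Enum):
    CLOSED = "closed"
    PENDING = "pending"          # traffic flows while authentication is still running
    AUTHORIZED = "authorized"

@dataclass
class PortEntry:
    state: PortState
    deadline: Optional[float] = None   # simulated time at which the pending timer elapses
    accounting: bool = False           # True once accounting (e.g. RADIUS Accounting) has started

class PortController:
    """Hypothetical per-client model of port 1, WPA controller 4 and timer 5 of figure 7.
    Time is a float in seconds supplied by the caller, so no real clock is needed."""

    def __init__(self, policy: Policy = Policy.PARALLEL, pending_timeout: Optional[float] = 5.0,
                 pending_classes: Optional[Set[str]] = None) -> None:
        self.policy = policy
        self.pending_timeout = pending_timeout   # None: timer deactivated
        self.pending_classes = pending_classes   # None: all-or-nothing port while pending
        self.ports: Dict[str, PortEntry] = {}
        self.events: List[Tuple[float, str, str]] = []   # (time, mac, reason the port closed)

    def associate(self, mac: str, now: float) -> None:
        """802.11 association: under the parallel policy the port opens immediately."""
        if self.policy is Policy.PARALLEL:
            deadline = None if self.pending_timeout is None else now + self.pending_timeout
            self.ports[mac] = PortEntry(PortState.PENDING, deadline)
        else:
            self.ports[mac] = PortEntry(PortState.CLOSED)

    def auth_result(self, mac: str, success: bool, now: float) -> None:
        """Answer from the authenticator: cancel the timer, then settle the port."""
        entry = self.ports.get(mac)
        if entry is None:
            return
        entry.deadline = None
        if success:
            entry.state = PortState.AUTHORIZED
            entry.accounting = True
        else:
            self._close(mac, "authentication failed", now)

    def tick(self, now: float) -> None:
        """Timer 5: close every port whose pending window has elapsed without an answer."""
        for mac, entry in list(self.ports.items()):
            if entry.state is PortState.PENDING and entry.deadline is not None and now >= entry.deadline:
                self._close(mac, "pending timer elapsed", now)

    def _close(self, mac: str, reason: str, now: float) -> None:
        self.ports[mac] = PortEntry(PortState.CLOSED)
        self.events.append((now, mac, reason))

    def allows(self, mac: str, traffic_class: str, now: float) -> bool:
        """Would a frame of this class from this client be forwarded at time now?"""
        self.tick(now)
        entry = self.ports.get(mac)
        if entry is None or entry.state is PortState.CLOSED:
            return False
        if entry.state is PortState.AUTHORIZED:
            return True
        return self.pending_classes is None or traffic_class in self.pending_classes

def demo() -> Dict[str, object]:
    """Three clients under the parallel policy and one under the sequential policy (constructed)."""
    out: Dict[str, object] = {}
    ap = PortController(pending_timeout=5.0, pending_classes={"voice", "video"})
    ap.associate("aa:bb:cc:00:00:01", now=0.0)                        # client A: authentication succeeds
    out["a_voice_pending"] = ap.allows("aa:bb:cc:00:00:01", "voice", now=1.0)
    out["a_web_pending"] = ap.allows("aa:bb:cc:00:00:01", "web", now=1.0)
    ap.auth_result("aa:bb:cc:00:00:01", success=True, now=2.0)
    out["a_web_authorized"] = ap.allows("aa:bb:cc:00:00:01", "web", now=9.0)
    out["a_accounting"] = ap.ports["aa:bb:cc:00:00:01"].accounting
    ap.associate("aa:bb:cc:00:00:02", now=0.0)                        # client B: authentication fails
    ap.auth_result("aa:bb:cc:00:00:02", success=False, now=1.5)
    out["b_after_fail"] = ap.allows("aa:bb:cc:00:00:02", "voice", now=1.6)
    ap.associate("aa:bb:cc:00:00:03", now=0.0)                        # client C: authenticator never answers
    out["c_before_timeout"] = ap.allows("aa:bb:cc:00:00:03", "voice", now=4.9)
    out["c_after_timeout"] = ap.allows("aa:bb:cc:00:00:03", "voice", now=5.0)
    out["reasons"] = [reason for _, _, reason in ap.events]
    seq = PortController(policy=Policy.SEQUENTIAL)                   # figure 1 for contrast
    seq.associate("aa:bb:cc:00:00:04", now=0.0)
    out["d_seq_pending"] = seq.allows("aa:bb:cc:00:00:04", "voice", now=1.0)
    seq.auth_result("aa:bb:cc:00:00:04", success=True, now=2.0)
    out["d_seq_authorized"] = seq.allows("aa:bb:cc:00:00:04", "voice", now=3.0)
    return out
```

The timer is checked lazily from `allows`, which is enough for a simulation; a real access point would run it from its scheduler so that a silent client is cut off even when it sends nothing. Note that client C's window ends exactly at 5.0 s: the port is closed on the first check at or after the deadline, which is the "never-ending pending state" the description wants to avoid.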
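An added example (not from the patent) of the two further enhancements described after figure 3: the cache of rejected MAC addresses with a maximum attempt count and a reset interval, and the supervision function 6 and policy selector 8 of figure 7 as a two-state machine that switches from state 1 (parallel) to state 2 (sequential) when the ratio of unaccounted to accounted traffic reaches the reaction point and back when the manageable timer elapses, plus the management function that pins one state. Class names, thresholds, the byte counts and the 60-second statistics window are constructed assumptions.

```python
from enum import Enum
from typing import Dict, List, Optional, Tuple

class RejectCache:
    """Rejected link addresses with one attempt counter each (hypothetical implementation
    of the max-attempts and reset-interval management parameters)."""
    def __init__(self, max_attempts: int = 3, reset_interval: float = 3600.0) -> None:
        self.max_attempts = max_attempts
        self.reset_interval = reset_interval      # seconds; the text manages it as hours:minutes
        self._records: Dict[str, Tuple[int, float]] = {}   # mac -> (attempts, first_seen)

    def record_failure(self, mac: str, now: float) -> int:
        attempts, first_seen = self._records.get(mac, (0, now))
        if now - first_seen >= self.reset_interval:
            attempts, first_seen = 0, now          # interval elapsed: start counting afresh
        self._records[mac] = (attempts + 1, first_seen)
        return attempts + 1

    def is_blocked(self, mac: str, now: float) -> bool:
        if mac not in self._records:
            return False
        attempts, first_seen = self._records[mac]
        if now - first_seen >= self.reset_interval:
            del self._records[mac]                 # reset interval elapsed: forget the MAC
            return False
        return attempts >= self.max_attempts

class AccessPolicy(Enum):
    PARALLEL = 1     # state 1: traffic allowed during authentication (figures 2 and 3)
    SEQUENTIAL = 2   # state 2: no traffic before authentication succeeds (figure 1)

class PolicySelector:
    """Supervision function 6 and policy selector 8 of figure 7 as a two-state machine."""
    def __init__(self, reaction_point: float = 1.0, fallback_period: float = 600.0,
                 window: float = 60.0) -> None:
        self.reaction_point = reaction_point      # unaccounted/accounted ratio that triggers 1 -> 2
        self.fallback_period = fallback_period    # manageable period before 2 -> 1
        self.window = window                      # seconds of traffic statistics considered
        self.state = AccessPolicy.PARALLEL
        self.pinned: Optional[AccessPolicy] = None
        self._samples: List[Tuple[float, int, int]] = []   # (time, accounted, unaccounted) bytes
        self._restore_at: Optional[float] = None
        self.transitions: List[Tuple[float, str]] = []

    def pin(self, state: Optional[AccessPolicy]) -> None:
        """Management function: hold one state permanently (None releases the hold)."""
        self.pinned = state
        if state is not None:
            self.state = state

    def observe(self, now: float, accounted_bytes: int, unaccounted_bytes: int) -> AccessPolicy:
        """Feed one accounting sample, drop samples older than the window, re-evaluate."""
        self._samples.append((now, accounted_bytes, unaccounted_bytes))
        self._samples = [s for s in self._samples if now - s[0] <= self.window]
        return self.evaluate(now)

    def evaluate(self, now: float) -> AccessPolicy:
        if self.pinned is not None:
            return self.state
        if self.state is AccessPolicy.PARALLEL:
            accounted = sum(s[1] for s in self._samples)
            unaccounted = sum(s[2] for s in self._samples)
            ratio = (float("inf") if unaccounted else 0.0) if accounted == 0 else unaccounted / accounted
            if ratio >= self.reaction_point:                  # State 1 -> State 2
                self.state = AccessPolicy.SEQUENTIAL
                self._restore_at = now + self.fallback_period
                self.transitions.append((now, "1->2"))
        elif self._restore_at is None:
            self._restore_at = now + self.fallback_period     # entered state 2 without a timer
        elif now >= self._restore_at:                         # State 2 -> State 1
            self.state = AccessPolicy.PARALLEL
            self._restore_at = None
            self._samples.clear()                             # fresh statistics after the fallback
            self.transitions.append((now, "2->1"))
        return self.state

def demo() -> Dict[str, object]:
    out: Dict[str, object] = {}
    cache = RejectCache(max_attempts=3, reset_interval=3600.0)
    for t in (0.0, 10.0, 20.0):                               # three failed attempts (constructed)
        cache.record_failure("aa:bb:cc:dd:ee:01", now=t)
    out["blocked_after_3"] = cache.is_blocked("aa:bb:cc:dd:ee:01", now=30.0)
    out["unblocked_after_reset"] = cache.is_blocked("aa:bb:cc:dd:ee:01", now=3700.0)
    sel = PolicySelector(reaction_point=1.0, fallback_period=600.0, window=60.0)
    sel.observe(0.0, accounted_bytes=10_000, unaccounted_bytes=1_000)   # normal: paying users dominate
    out["state_normal"] = sel.state.name
    sel.observe(30.0, accounted_bytes=2_000, unaccounted_bytes=20_000)  # free window being abused
    out["state_under_abuse"] = sel.state.name
    out["still_sequential"] = sel.observe(500.0, 5_000, 0).name         # fallback timer not yet elapsed
    out["back_to_parallel"] = sel.observe(630.0, 5_000, 0).name
    out["transitions"] = [name for _, name in sel.transitions]
    sel.pin(AccessPolicy.SEQUENTIAL)                          # operator pins the strict policy
    out["pinned"] = sel.observe(640.0, 5_000, 0).name
    return out
```

With accounted traffic at zero the ratio is taken as infinite, so a burst of purely unaccounted traffic on an idle access point flips the policy at once; whether that is desirable, or whether a minimum volume should be required before reacting, is a tuning choice the description leaves to the reaction point.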
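An added example, not the patent's own code, that walks both message sequences of figures 5 and 6 with a constructed terminal, access point and RADIUS stand-in: the MAC-based Access-Request and the positive answer carrying the address to allocate, the association response with a hypothetical "port-open-before-auth" information element, DHCP handing out the RADIUS-assigned address over the already open port, then EAP ending either in success (master key, session keys, accounting start) or in failure (EAP-Failure, disassociation, port closed). The window is dimensioned to twice the average of constructed past authentication times, as in the Case 1 policy. Calling-Station-Id and Framed-IP-Address are standard RADIUS attribute names; the MAC address, identity, credential and durations are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Session:
    messages: List[Tuple[str, str, str]] = field(default_factory=list)  # (sender, receiver, text)
    port_open: bool = False
    ip: Optional[str] = None
    keys_installed: bool = False
    accounting: bool = False

    def send(self, src: str, dst: str, text: str) -> None:
        self.messages.append((src, dst, text))

class RadiusServer:
    """Constructed AAA stand-in: assigns an address per MAC in the first (MAC-based)
    exchange and checks identity/credential in the EAP exchange."""
    def __init__(self, ip_by_mac: Dict[str, str], credentials: Dict[str, str]) -> None:
        self.ip_by_mac = ip_by_mac
        self.credentials = credentials

    def access_request(self, mac: str, service: str) -> str:
        # Messages 2 and 3: the answer is positive and carries the address to allocate
        return self.ip_by_mac.get(mac, "10.0.0.250")   # pool fallback for an unknown MAC

    def eap_check(self, identity: str, credential: str) -> bool:
        return self.credentials.get(identity) == credential

def auth_window_ms(past_durations_ms: List[int]) -> float:
    """Port-open window dimensioned to twice the average authentication time."""
    return 2.0 * sum(past_durations_ms) / len(past_durations_ms)

def connect(mac: str, identity: str, credential: str, radius: RadiusServer,
            window_ms: float) -> Session:
    s = Session()
    sta, ap, aaa = "STA", "AP", "RADIUS"
    s.send(sta, ap, "Association-Request")                                  # 802.11 association
    s.send(ap, aaa, f"Access-Request(Calling-Station-Id={mac}, service=WLAN access)")
    ip = radius.access_request(mac, "WLAN access")
    s.send(aaa, ap, f"Access-Accept(Framed-IP-Address={ip})")              # message 3
    # association response with the hypothetical pre-authentication port-open element
    s.send(ap, sta, f"Association-Response(IE: port-open-before-auth, window={window_ms:.0f} ms)")
    s.port_open = True
    s.send(sta, ap, f"DHCP-Discover(chaddr={mac})")                        # IP set-up over the open port
    s.send(ap, sta, f"DHCP-Ack(yiaddr={ip})")                              # AP's DHCP uses the RADIUS-assigned IP
    s.ip = ip
    s.send(ap, sta, "EAP-Request/Identity")                                # authentication starts
    s.send(sta, ap, f"EAP-Response/Identity({identity})")
    s.send(ap, aaa, f"Access-Request(EAP-Message, related to the MAC exchange for {mac})")
    if radius.eap_check(identity, credential):                             # figure 5
        s.send(aaa, ap, "Access-Accept(EAP-Success, master key)")
        s.send(ap, sta, "EAP-Success")
        s.send(ap, sta, "WPA key handshake: session keys derived from the master key")
        s.keys_installed = True
        s.send(ap, aaa, "Accounting-Request(Start)")                       # accounting now trustworthy
        s.accounting = True
    else:                                                                  # figure 6
        s.send(aaa, ap, "Access-Reject(EAP-Failure)")
        s.send(ap, sta, "EAP-Failure")
        s.send(ap, sta, "Disassociation")
        s.port_open = False
    return s

def demo() -> Dict[str, object]:
    radius = RadiusServer({"00:11:22:33:44:55": "10.0.0.20"},
                          {"alice@example.net": "correct-horse"})   # constructed subscriber data
    window = auth_window_ms([1100, 900, 1300, 700])                  # constructed past durations
    good = connect("00:11:22:33:44:55", "alice@example.net", "correct-horse", radius, window)
    bad = connect("00:11:22:33:44:55", "alice@example.net", "wrong", radius, window)
    return {"window_ms": window, "good": good, "bad": bad}
```

The point the failure trace makes is that the terminal already holds an IP address and has been able to send traffic before the EAP-Failure arrives: everything exchanged up to the disassociation is the unaccounted "free time" the description prices in, which is why the reject cache and the ratio supervision exist.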


Abstract

The invention concerns a method and an arrangement for handover between WLANs. Opening a traffic channel (port) while processing the authentication in parallel limits handover delays. The traffic channel/access port is only closed if the authentication process fails.
PCT/NO2006/000209, priority 2005-06-06, filed 2006-06-06: Method and arrangement for handing over a client from a first wireless LAN to a second wireless LAN, WO2006132540A1 (fr)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
NO20052689A, NO324810B1 (no) | 2005-06-06 | 2005-06-06 | Fremgangsmate for a overlevere en klient fra et forste tradlost LAN til et andre tradlost LAN (Method for handing over a client from a first wireless LAN to a second wireless LAN)
NO20052689 | 2005-06-06 | |

Publications (1)

Publication Number | Publication Date
WO2006132540A1 (fr) | 2006-12-14

Family

ID=35295269

Family Applications (1)

Application Number | Priority Date | Filing Date | Title
PCT/NO2006/000209, WO2006132540A1 (fr) | 2005-06-06 | 2006-06-06 | Method and arrangement for handing over a client from a first wireless LAN to a second wireless LAN

Country Status (2)

Country | Link
NO (1) | NO324810B1
WO (1) | WO2006132540A1


Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
WO2004039116A1 (fr) * | 2002-10-25 | 2004-05-06 | Matsushita Electric Industrial Co., Ltd. | Radio communication management method and server
EP1555843A1 (fr) * | 2002-10-25 | 2005-07-20 | Matsushita Electric Industrial Co., Ltd. | Radio communication management method and server
EP1422875A2 (fr) * | 2002-11-08 | 2004-05-26 | DoCoMo Communications Laboratories USA, Inc. | Handover key for a wireless network
WO2005002267A2 (fr) * | 2003-06-30 | 2005-01-06 | Nokia Corporation | Method for optimising handover between communication networks

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
WO2009137625A2 (fr) | 2008-05-06 | 2009-11-12 | Qualcomm Incorporated | Authentication of a wireless device in a visited network
WO2009137625A3 (fr) * | 2008-05-06 | 2010-04-01 | Qualcomm Incorporated | Authentication of a wireless device in a visited network
CN102017577A (zh) * | 2008-05-06 | 2011-04-13 | Qualcomm Incorporated | Authenticating a wireless device in a visited network
EP2372972A1 (fr) * | 2008-05-06 | 2011-10-05 | Qualcomm Incorporated | Authentication of a wireless device in a visited network
KR101229769B1 (ko) | 2008-05-06 | 2013-02-06 | Qualcomm Incorporated | Authentication of a wireless device in a visited network
WO2013070862A1 (fr) * | 2011-11-08 | 2013-05-16 | Qualcomm Incorporated | Enabling access to key lifetimes for wireless link setup
CN103999495A (zh) * | 2011-11-08 | 2014-08-20 | Qualcomm Incorporated | Enabling access to key lifetimes for wireless link setup
JP2015502701A (ja) * | 2011-11-08 | 2015-01-22 | Qualcomm Incorporated | Enabling access to key lifetimes for wireless link setup
US8984590B2 (en) | 2011-11-08 | 2015-03-17 | Qualcomm Incorporated | Enabling access to key lifetimes for wireless link setup
CN103999495B (zh) * | 2011-11-08 | 2017-10-27 | Qualcomm Incorporated | Enabling access to key lifetimes for wireless link setup

Also Published As

Publication number Publication date
NO20052689D0 (no) 2005-06-06
NO324810B1 (no) 2007-12-10
NO20052689L (no) 2006-12-07


Legal Events

Date | Code | Title | Description
| DPE2 | Request for preliminary examination filed before expiration of 19th month from priority date (PCT application filed from 20040101) |
| 121 | EP: the EPO has been informed by WIPO that EP was designated in this application |
| NENP | Non-entry into the national phase | Ref country code: DE
| 122 | EP: PCT application non-entry in European phase | Ref document number: 06747664; country of ref document: EP; kind code of ref document: A1