WO2006132540A1 - A method and arrangement for handing over a client from a first wireless lan to a second wireless lan - Google Patents
- Publication number
- WO2006132540A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- traffic
- authentication
- port
- client
- access
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/062—Pre-authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W36/00—Hand-off or reselection arrangements
- H04W36/08—Reselecting an access point
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
Definitions
- The present invention relates to handover procedures in Wireless Local Area Networks.
- WLAN: Wireless LAN
- A WLAN user can move from access point to access point without losing his established session or Internet connections; a so-called seamless handover.
- The problem is that the user device/client must re-authenticate to each and every new access point before the traffic channel is opened.
- The re-authentication process is time-consuming and represents a real obstacle, especially for real-time applications like streaming and voice, where delays of more than 120 ms will degrade the functionality significantly.
- The port-based security system IEEE 802.1X provides authentication and the opening of the traffic channel as sequential processes, i.e. the access policy is to have no traffic allowed before the authentication process is successfully finished; see figure 1 below.
- The new idea is to introduce a trade-off between security and handover latency.
- The traffic channel/access port will only be closed once the authentication process fails. The cost of this is that the access/network provider (Residential Gateway (RG)/hotspot owner, etc.) must yield some resources/time without payment. This "free time" should be configurable (anticipated to be a few seconds).
- The proposed policy reflects that "everything" is allowed until something is proven wrong, in contrast to the traditional policy where "nothing" is allowed until something is proven right (i.e. authentication succeeds).
- Fig. 1 illustrates the traditional sequential port access policy.
- Fig. 2 shows parallel processing access according to the present invention.
- Fig. 3 illustrates a security enhancement of the inventive process in Fig. 1, involving parallel processing with timer control of pending states.
- Fig. 4 illustrates the access points and ports in a system according to the present invention.
- Fig. 5 shows the message sequence during a successful client connection to a WLAN access point.
- Fig. 6 shows the corresponding message sequence in case the connection process is unsuccessful.
- Fig. 7 is a schematic illustration of the main building blocks in an arrangement according to the invention, for incorporation in a WLAN access point.
- The applicable port access authentication standard in use today (802.1X) executes the authentication functions before the access port is opened for normal traffic. This means that information must be exchanged between the user client and the RG/hotspot access point. In some cases, i.e. when the user belongs to another domain, the RG must even contact the user's Internet Service Provider (ISP) to obtain authentication data. This introduces even more delay before the process finishes. Re-authentication is considered the most time-consuming part in handover situations.
- ISP: Internet Service Provider
- Fig. 1 shows the sequencing of authentication and traffic handling in WLAN systems today.
- The present invention provides a new method to organize the process of port authentication for access networks with port-based access control, such as WLAN and WMAN, in connection with traffic handling, by parallelizing the two processes instead of sequencing them.
- Figure 2 shows the new idea.
- The access point allows user traffic in parallel with the ongoing authentication process.
- Once the authentication result is clear, two things may happen: if authentication succeeds, accounting is started for that user, who continues his Internet traffic with the already established session. If it fails, the port is closed and the user traffic rejected (i.e. according to standard procedures).
- The access point will open the traffic channel for any non-authenticated user while processing the authentication function for the associated link address of the client (e.g. WLAN MAC address). If the authentication succeeds, the accounting function is activated (through, for instance, RADIUS Accounting); if the authentication fails, the traffic is stopped for that client. In parallel, the terminal will open the traffic channel for any non-authenticated access point while processing the associated link address of the access point. If the authentication fails, the traffic is stopped. A WLAN terminal can send a disassociation notification to the access point.
- The new method is applicable to any access network with port-based access control that controls the access to an external network. It applies for example to any Wireless Local Area Network (WLAN) using the 802.1X protocol, such as WiFi (Wireless Fidelity, IEEE 802.11b wireless networking) Protected Access (WPA), WPA2 and 802.11i based WLANs, as well as any Wireless Metropolitan Area Network (WMAN) with port-based access control, such as 802.16e.
- WMAN: Wireless Metropolitan Area Network
- The inventive method may be enhanced with additional functionality.
- A timer is set. This timer is configurable: it may be configured off (deactivated) or on, and its duration may be set. If the authentication fails, or does not succeed within the configurable time frame, the traffic is rejected for that node (either the terminal, the access point, or both). If authentication of the terminal succeeds, the accounting function is initiated in the access point.
- Fig. 3 illustrates the sequencing in this security-enhanced method.
- A timer is added to control the latency of a possibly delayed authentication process. If no response is received from the authentication process in figure 2, the port may remain open. In order to avoid never-ending pending states, the timer will in that case stop the traffic by closing the port. If there is a response from the authentication process before the timer elapses, the timer is cancelled, and the result from the authentication process defines whether the port shall remain open or be closed (as in the basic model).
- Link address concerned: e.g. WLAN MAC address.
- Fig. 3 may be further enhanced.
- The access server should include:
  - Each cached rejected MAC address stores the associated counter.
  - Management function to set the max number of access attempts.
  - Management function to set the interval that resets the cache for a blocked MAC ID. Parameters: Hours:Minutes.
- A countermeasure for this type of attack is to measure the ratio between unaccounted and accounted traffic over a period. If the ratio surpasses a certain limit, the policy with parallel processing may be exchanged with the traditional policy illustrated in figure 1. Provided that the access point is able to toggle between the two policies, a state machine operating between two states is proposed:
  - State 2: The valid/operating policy is the traditional sequential processing of authentication and traffic, as in figure 1. In state 2 unaccounted traffic is not possible.
- The change of state is performed automatically after the following events:
  - State 1 -> State 2: When statistics based on the ratio unaccounted/accounted resource consumption reach a configurable reaction point.
  - State 2 -> State 1: When a configurable timer elapses (manageable period).
- The access server should include the following management functions:
  - Function for setting the state permanently in state
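As an added example that is not part of the patent, the following Python simulation of the access-point port controller ties together the pending-state timer, the rejected-MAC counter with its cache reset interval, and the two-state policy machine described above (State 1 = parallel processing as in figure 2, State 2 = sequential as in figure 1). The parameter defaults, the use of byte counts for the unaccounted/accounted ratio, and the reset of the statistics on returning to State 1 are assumptions.

```python
# Added example, not the patent's own code. Times are simulated seconds
# passed in explicitly; no real clock or network is used.

PARALLEL, SEQUENTIAL = "state1_parallel", "state2_sequential"  # fig. 2 / fig. 1


class PortController:
    def __init__(self, free_time=4.0, max_attempts=3, block_reset=3600.0,
                 reaction_point=2.0, revert_after=600.0):
        self.free_time = free_time            # pending-state timer (s), assumed default
        self.max_attempts = max_attempts      # rejects before a MAC is blocked
        self.block_reset = block_reset        # interval that resets a blocked MAC
        self.reaction_point = reaction_point  # unaccounted/accounted threshold
        self.revert_after = revert_after      # timer for State 2 -> State 1
        self.state, self.state_since = PARALLEL, 0.0
        self.pending = {}       # mac -> deadline of the open, unauthenticated port
        self.accounted = set()  # macs whose authentication succeeded
        self.rejects = {}       # mac -> (reject count, time of last reject)
        self.unaccounted_bytes = self.accounted_bytes = 0

    def _blocked(self, mac, now):
        count, last = self.rejects.get(mac, (0, 0.0))
        if now - last >= self.block_reset:    # cache reset interval elapsed
            self.rejects.pop(mac, None)
            return False
        return count >= self.max_attempts

    def _tick(self, now):
        # close pending ports whose timer elapsed without an authentication result
        for mac in [m for m, deadline in self.pending.items() if now >= deadline]:
            del self.pending[mac]
        # state machine: ratio reaction point -> State 2, elapsed timer -> State 1
        if self.state == PARALLEL and self.accounted_bytes > 0:
            if self.unaccounted_bytes / self.accounted_bytes >= self.reaction_point:
                self.state, self.state_since = SEQUENTIAL, now
        elif self.state == SEQUENTIAL and now - self.state_since >= self.revert_after:
            self.state, self.state_since = PARALLEL, now
            self.unaccounted_bytes = self.accounted_bytes = 0  # assumed: restart stats

    def associate(self, mac, now):
        """Port decision at association; True means traffic may flow right away."""
        self._tick(now)
        if self._blocked(mac, now) or self.state == SEQUENTIAL:
            return False                      # fig. 1 policy: nothing until success
        self.pending[mac] = now + self.free_time
        return True

    def traffic(self, mac, nbytes, now):
        """Record a traffic sample; False means the port is closed for this MAC."""
        self._tick(now)
        if mac in self.accounted:
            self.accounted_bytes += nbytes
        elif mac in self.pending:
            self.unaccounted_bytes += nbytes
        else:
            return False
        return True

    def auth_result(self, mac, success, now):
        """Outcome of the RADIUS/EAP exchange for this MAC."""
        self._tick(now)
        self.pending.pop(mac, None)           # cancel the pending-state timer
        if success:
            self.accounted.add(mac)           # start accounting for this user
        else:
            count, _ = self.rejects.get(mac, (0, 0.0))
            self.rejects[mac] = (count + 1, now)
        return success

    def port_open(self, mac, now):
        self._tick(now)
        return mac in self.accounted or mac in self.pending
```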
- Figure 4 shows a system description with two important ports.
- The left port (A) is under the client's control; the client can control this port depending on its own policy.
- The right port (B) belongs to the access network (normally the access point) and is under its control.
- The traffic port to be opened can be more sophisticated than an all-or-nothing port. Indeed, the port at the access point could be open for voice and/or video traffic only, while web browsing could remain closed until authentication is successful.
- Case 1: Successful case
- The policy in the access point (AP) is such that the port is opened for a given time window that is dimensioned to cover twice the average time of an authentication process. If the authentication is successful, the port will continue to be open after the time window has elapsed. Otherwise the port is closed and the event is recorded.
- Figure 5 shows the message sequence of a successful client connection to a WLAN AP.
- The various stages are indicated in stippled boxes and lines.
- The method includes the following individual steps:
- The terminal associates with an access point using standard 802.11 mechanisms.
- The WLAN AP sends an access request to the RADIUS server, providing the MAC address of the terminal and the required service, e.g. WLAN access. This is part of the RADIUS specification.
- The RADIUS server responds to the request positively.
- This response includes the IP address that should be allocated to the terminal that initiated the access process. This is part of the RADIUS specification.
- The association response is sent back.
- Information in the association response indicates that the port can be opened before authentication is successful.
- The terminal knows at this time that it can receive and send traffic even though the authentication is not completed.
- An alternative solution is to include this information in the probe response (before association).
- In the association message one can easily include a new information element.
- The terminal can then establish its IP connection using mechanisms such as DHCP.
- In DHCP the MAC address of the terminal is included, and the DHCP server in the AP can allocate the IP address assigned by the AAA/RADIUS server (ref. message 3 in figure 5).
- The WLAN AP relates this EAP sequence with the RADIUS sequence previously established.
- The AP starts the authentication process by requesting the identity of the terminal, as specified by WPA.
- The EAP authentication methods are run sequentially, as specified by WPA.
- A success message is sent to the terminal when the authentication is successful, as specified by WPA.
- The master key is sent to the AP, as specified by WPA.
- This key material is used for generating the session keys, as specified by WPA. At this point the traffic is secured, and accounting information is trustworthy and can be used for billing the user.
- Figure 6 shows the message sequence of an unsuccessful client connection to a WLAN AP. The various stages are indicated in stippled boxes and lines, and each stage includes the following actions:
- The terminal associates with an access point using standard IEEE 802.11 mechanisms.
- The WLAN AP sends an access request to the RADIUS server, providing the MAC address of the terminal and the required service, e.g. WLAN access. This is part of the RADIUS specification.
- The RADIUS server responds to the request positively. This response includes the IP address that should be allocated to the terminal that initiated the access process. This is part of the RADIUS specification.
- The association response is sent back.
- Information in the association response indicates that the port can be opened before authentication is successful.
- The terminal knows at this time that it can receive and send traffic even though the authentication is not completed.
- An alternative solution is to include this information in the probe response (before association).
- In the association message one can easily include a new information element.
- The terminal can then establish its IP connection using mechanisms such as DHCP.
- In DHCP the MAC address of the terminal is included, and the DHCP server in the AP can allocate the IP address assigned by the AAA/RADIUS server (ref. message 3 in figure 6).
- The WLAN AP relates this EAP sequence with the RADIUS sequence previously established.
- The AP starts the authentication process by requesting the identity of the terminal, as specified by WPA.
- An EAP failure message is sent to the terminal, as specified by WPA.
- The access point notifies the terminal that it has been disconnected by sending a disassociation message.
- Fig. 7 shows the 802.1X port 1 that can be open or closed for user traffic.
- The port 1 is connected to the user through a WLAN connection 2, and to the Internet through a connection 3.
- The port 1 is controlled primarily by a WPA (WiFi (IEEE 802.11b wireless networking) Protected Access) controller 4 and a timer 5.
- The WPA function depends on communication with a RADIUS (AAA) server 7, which executes the authentication and authorization function on behalf of the WPA port controller 4.
- The WPA port controller 4 operates depending on the access policy selector 8 (either closed until authentication succeeds, or open until authentication fails).
- The access policy selector 8 is controlled by a statistical supervision control function 6 that measures the quotient between accounted and non-accounted traffic.
- The timer 5 will close the port 1 if the WPA controller 4 remains in the pending state for too long (configurable time).
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
NO20052689A NO324810B1 (no) | 2005-06-06 | 2005-06-06 | Fremgangsmate for a overlevere en klient fra et forste tradlost LAN til et andre tradlost LAN |
NO20052689 | 2005-06-06 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006132540A1 true WO2006132540A1 (en) | 2006-12-14 |
Family
ID=35295269
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/NO2006/000209 WO2006132540A1 (en) | 2005-06-06 | 2006-06-06 | A method and arrangement for handing over a client from a first wireless lan to a second wireless lan |
Country Status (2)
Country | Link |
---|---|
NO (1) | NO324810B1 (no) |
WO (1) | WO2006132540A1 (no) |
- 2005: 2005-06-06 NO NO20052689A patent/NO324810B1/no not_active IP Right Cessation
- 2006: 2006-06-06 WO PCT/NO2006/000209 patent/WO2006132540A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2004039116A1 (ja) * | 2002-10-25 | 2004-05-06 | Matsushita Electric Industrial Co., Ltd. | 無線通信管理方法及び無線通信管理サーバ |
EP1555843A1 (en) * | 2002-10-25 | 2005-07-20 | Matsushita Electric Industrial Co., Ltd. | Radio communication management method and radio communication management server |
EP1422875A2 (en) * | 2002-11-08 | 2004-05-26 | DoCoMo Communications Laboratories USA, Inc. | Wireless network handoff key |
WO2005002267A2 (en) * | 2003-06-30 | 2005-01-06 | Nokia Corporation | Seamless inter-system handover using pre-authentication and session pre-activation |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009137625A2 (en) | 2008-05-06 | 2009-11-12 | Qualcomm Incorporated | Authenticating a wireless device in a visited network |
WO2009137625A3 (en) * | 2008-05-06 | 2010-04-01 | Qualcomm Incorporated | Authenticating a wireless device in a visited network |
CN102017577A (zh) * | 2008-05-06 | 2011-04-13 | 高通股份有限公司 | 认证到访网络中的无线设备 |
EP2372972A1 (en) * | 2008-05-06 | 2011-10-05 | Qualcomm Incorporated | Authenticating a wireless device in a visited network |
KR101229769B1 (ko) | 2008-05-06 | 2013-02-06 | 퀄컴 인코포레이티드 | 방문 네트워크에서의 무선 디바이스의 인증 |
WO2013070862A1 (en) * | 2011-11-08 | 2013-05-16 | Qualcomm Incorporated | Enabling access to key lifetimes for wireless link setup |
CN103999495A (zh) * | 2011-11-08 | 2014-08-20 | 高通股份有限公司 | 启用对无线链路建立的密钥生存期的访问 |
JP2015502701A (ja) * | 2011-11-08 | 2015-01-22 | クゥアルコム・インコーポレイテッドQualcomm Incorporated | ワイヤレスリンクのセットアップのために鍵のライフタイムへのアクセスを可能にすること |
US8984590B2 (en) | 2011-11-08 | 2015-03-17 | Qualcomm Incorporated | Enabling access to key lifetimes for wireless link setup |
CN103999495B (zh) * | 2011-11-08 | 2017-10-27 | 高通股份有限公司 | 启用对无线链路建立的密钥生存期的访问 |
Also Published As
Publication number | Publication date |
---|---|
NO324810B1 (no) | 2007-12-10 |
NO20052689L (no) | 2006-12-07 |
NO20052689D0 (no) | 2005-06-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
AU2005236981B2 (en) | Improved subscriber authentication for unlicensed mobile access signaling | |
US7779071B2 (en) | Enterprise wireless local area network switching system | |
EP2103077B1 (en) | Method and apparatus for determining an authentication procedure | |
KR100762644B1 (ko) | Wlan-umts 연동망 시스템과 이를 위한 인증 방법 | |
EP1693995B1 (en) | A method for implementing access authentication of wlan user | |
EP1597866B1 (en) | Fast re-authentication with dynamic credentials | |
EP1757139B1 (en) | Method of preventing or limiting the number of simultaneous sessions in wireless local area network (wlan) | |
KR100602260B1 (ko) | 고속 핸드오버 방법 | |
US20080026724A1 (en) | Method for wireless local area network user set-up session connection and authentication, authorization and accounting server | |
US20070082656A1 (en) | Method and system for filtered pre-authentication and roaming | |
US7848513B2 (en) | Method for transmitting security context for handover in portable internet system | |
US8611859B2 (en) | System and method for providing secure network access in fixed mobile converged telecommunications networks | |
CN101217781A (zh) | 利用动态信道的移动装置的交递方法 | |
CN101945390A (zh) | 一种准入控制方法及装置 | |
WO2006132540A1 (en) | A method and arrangement for handing over a client from a first wireless lan to a second wireless lan | |
JP2006041594A (ja) | 移動通信システムおよび移動端末の認証方法 | |
Kwon et al. | Mobility Management for UMTS-WLAN Seamless Handover; Within the Framework of Subscriber Authentication | |
Nankani | Horizontal Handoffs within WLANs: A detailed analysis and measurement concerning voice like traffic |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| DPE2 | Request for preliminary examination filed before expiration of 19th month from priority date (pct application filed from 20040101) | |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 06747664; Country of ref document: EP; Kind code of ref document: A1 |