May 2014 doc.: IEEE 802.11-14/0158r2

Slide 1: TGaq Pre-Association Discovery Protocol for ANDSF Discovery Service
Date: 2014-05-14
Authors:
  Joe Kwak, InterDigital, PO Box 93, Hawkesbury, ON, Canada K6A2R4, +1-630-739-4159, [email protected]
  Michael Montemurro, BlackBerry, 4701 Tahoe Blvd, Mississauga, ON, Canada L4W0B4, +1-905-629-4746 x14999, [email protected]
Submission: Joe Kwak, InterDigital

Slide 2: Abstract
This is a TGaq Pre-Association Discovery (PAD) Protocol example showing how a pre-associated STA may access the ANDSF Service for WLAN discovery and selection. It builds upon the 11aq draft text in 11-14-0657-00-00aq-pre-association-discoveryprotocol and is intended to be the basis for an informative annex in the 11aq draft.

Slide 3: Background
• TGaq develops a simple MAC protocol
  – Defines over-the-air messages only (PAM)
• Meets the low-level requirements of the use cases
• Other fora deal with the higher layers (L2+)
  – Liaison to other fora on our use cases
• 3GPP has developed a discovery service for dual-mode smartphones and other dual-mode (cell/WLAN) devices that uses assistance data to discover and select WLANs suitable for offload.
• The Access Network Discovery and Selection Function (ANDSF) has been specified by 3GPP to provide this assistance data.
• ANDSF is normally implemented in a server accessible on the internet and discovered by DNS lookup.

Slide 4: Pre-Association Discovery Protocol (PADP) Review
• PADP is different from ANQP
  – PADP is not limited to a simple Request/Response mechanism.
  – Using transparent packet containers, PADP provides a flexible transport for pre-associated STAs to communicate with different existing Upper Layer Protocols (ULPs) for service discovery (Bonjour, UPnP, etc.).
  – Service/discovery information is transparently encapsulated for transport to a Service Transaction Proxy (PADPxy), which implements this protocol for a particular discovery ULP (or a set of them).
  – Packets are routed from the pre-associated STA, through the AP, to the PADPxy, which acts on behalf of the STA to communicate with the intended discovery protocol server.
  – In other words, PADP sets up a short-term tunnel from the STA to the PADPxy, which proxies for the STA in its internet packet exchanges.

Slide 5: Pre-Association Discovery Protocol (PADP) Review [1]
• Part of the PAM (Pre-Association Messages)
• The TP is implemented as an advertisement protocol, enabling it to be carried over the IEEE 802.11 air interface by the existing GAS mechanism.
• Use a new advertisement protocol id "PADP" – Pre-Association Discovery (e.g. like RLQP)
• Define a new IE for use in Beacon and Probe Response frames to advertise service capabilities.
[1] Transaction Protocol Review (slides 5-10) from 11-13-0788-03-00aq-transaction-protocol

Slide 6: Pre-Association Discovery Protocol Review
• A mobile device requires service information prior to association.
• The mobile device supports one or more ULPs.
• The Access Point advertises (in this example using ANQP) service types as well as a list of the ULPs that are supported.
• A PADP Encapsulation message carries the ULP service information request to the AP, which relays the request to the PADPxy.
• The PADPxy proxies for the STA to exchange service information using the discovery ULP.
• The PADPxy provides service information in a response that is encapsulated and sent back to the mobile device through the Access Point.

Slide 7: Pre-Association Discovery Protocol Review
• PADP operates between the ULP applications in the pre-associated STA and the Service Transaction Proxy (PADPxy).
• As this ANDSF example shows, the encapsulation mechanism must be transparent to enable this service for ANDSF and perhaps other popular discovery services.

Slide 8: Upper Layer Protocol (ULP)
[Figure: message flow between the STA, the AP and the TXP / ULP]
1) ULP message A
2) Encapsulation (token, "ULP message A")
3) Encapsulation (token, "ULP message B")
4) ULP message B

Slide 9: Pre-Association Discovery Review
• The ULP does not need to be standardised within TGaq
  – deliberately hide the details of the ULP so that we can focus on the MAC design
• When the higher-layer ULP responds with another message B, the TXP uses another PADP Encapsulation message to transmit message B back to the mobile device, including the PADP token. If an error occurs in the TXP transaction, a Return Code may be returned to the mobile instead.
• When the PADP Encapsulation message is received by the mobile terminal, its contents are passed back to the service discovery ULP.

Slide 10: Pre-Association Discovery Protocol Review
• The message sequence is bi-directional and can be initiated by the ULP co-located with the PADPxy. The service information is constructed based on the ULP; it does not necessarily execute the ULP protocol over frames transmitted in the pre-associated state.
• IDs of the ULP protocols for the STA and the AP infrastructure are required for encapsulation/decapsulation.
• Possibly need to fragment large ULP frames.
  – GAS already has the capability for fragmentation/reassembly
• To conserve the medium, using a hash of the service information in the encapsulated PADP exchange may be feasible for some applications of PADP (see 13-893r0).
• Messages could be signed to provide some level of data integrity.
• Need to do some additional work on defining the ULP ID space and its management.

Slide 11: ANDSF Example Using 11aq Pre-Association Discovery Protocol
[Figure: STA; AP1 and AP2 in a Local Access Network; Service Transaction Proxy (STPxy); ANDSF Network. Pre-association messages are exchanged between the STA and the AP; ANDSF IP messages are exchanged between the STPxy and the ANDSF.]

Slide 12: 3GPP WLAN Network Architecture
• Both trusted (integrated) and untrusted (over-the-top) interfaces exist
• The trusted interface involves operator-deployed WLAN and is being evolved in 3GPP Release 12
[Figure: 3GPP WLAN network architecture, including the TWAG]

Slide 13: Normal discovery for a 3GPP UE (STA) after association, using IP transport (Figure 8.5.1-1 from 3GPP TS 23.402)
[Figure: UE and ANDSF]
1. UE connected with the EPC over a 3GPP or non-3GPP access
2. Discover ANDSF and establish secure communication
3. Access Network Info Request
4. Access Network Info Response
5. UE makes access network selection and handover decision
6. UE initiates the inter-system handover

Slide 14: Pre-association discovery for a 3GPP UE (STA) using the PADPxy with limited IP transport
[Figure: UE, AP/PADPxy and ANDSF]
1. STPxy limited IP connectivity
2. Discover ANDSF IP address
3. Establish secure communication
4. Access Network Info Request
5. Access Network Info Response
6. UE makes access network selection and handover decision
7. UE associates to the selected WLAN

Slide 15: Message sequence (part 1)
[Figure: entities ULP (in the STA), STA, AP, PADPxy-a, DNS Server, ANDSFb, PLMNc]
1. STPxy limited IP connectivity
   STA -> AP: ANQP Req(STPxy.ANDSF)
   AP -> STA: ANQP Resp(STPxy-a, Limited IP connectivity)
2. Discover ANDSF IP address
   ULP -> STA: DNS Req(ANDSF.MCC.MNC)
   STA -> AP -> PADPxy-a: PADP-Encap(DNS Req(ANDSF.MCC.MNC))
   [A] PADPxy-a -> DNS Server: DNS Req(ANDSF.MCC.MNC)
   DNS Server -> PADPxy-a: DNS Resp(IP Add of ANDSFb)
   [B] PADPxy-a -> AP -> STA: PADP-Encap(DNS Resp(IP Add of ANDSFb))
   STA -> ULP: DNS Resp(IP Add of ANDSFb)
3. Establish secure communication
   ULP -> STA: http:TLS-ClientHello({Ks1,Ks2…})
   STA -> AP -> PADPxy-a: PADP-Encap(http:TLS-ClientHello({Ks1,Ks2…}))
   [A] PADPxy-a -> ANDSFb: http:TLS-ClientHello({Ks1,Ks2…})
   ANDSFb -> PADPxy-a: http:TLS-ServerHello(Ks2)
   [B] PADPxy-a -> AP -> STA: PADP-Encap(http:TLS-ServerHello(Ks2))
   STA -> ULP: http:TLS-ServerHello(Ks2)
A: The PADPxy decapsulates the message and substitutes its own IP address in the header, replacing the dummy IP address from the STA.
B: The PADPxy substitutes the dummy IP address from the STA in the header, replacing its own IP address, then encapsulates and sends to the AP.

Slide 16: Message sequence (part 2)
[Figure: entities ULP (in the STA), STA, AP, PADPxy-a, ANDSFb, PLMNc]
3. Establish secure communication (continued)
   ULP -> STA: http:TLS-ClientKeyExchange
   STA -> AP -> PADPxy-a: PADP-Encap(http:TLS-ClientKeyExchange)
   [A] PADPxy-a -> ANDSFb: http:TLS-ClientKeyExchange
   ANDSFb -> PADPxy-a: http:TLS-ServerChangeCipherSuite&Finished
   [B] PADPxy-a -> AP -> STA: PADP-Encap(http:TLS-ServerChangeCipherSuite&Finished)
   STA -> ULP: http:TLS-ServerChangeCipherSuite&Finished
4./5. Access Network Info exchange
   ULP -> STA: https:Access Network Info Request
   STA -> AP -> PADPxy-a: PADP-Encap(https:Access Network Info Request)
   [A] PADPxy-a -> ANDSFb: https:Access Network Info Request
   ANDSFb -> PADPxy-a: https:Access Network Info Response
   [B] PADPxy-a -> AP -> STA: PADP-Encap(https:Access Network Info Response)
   STA -> ULP: https:Access Network Info Response
6./7. The UE makes its access network (WLAN) selection decision and then associates.
A: The PADPxy decapsulates the message and substitutes its own IP address in the header, replacing the dummy IP address from the STA.
B: The PADPxy substitutes the dummy IP address from the STA in the header, replacing its own IP address, then encapsulates and sends to the AP.

Slide 17: Security Notes
• Using the PADPxy to set up a secure IP connection for a PAD STA needs careful setup and configuration to prevent abuse and spoofing.
• The AP configuration should include means to authenticate the PADPxy server(s) used. A rogue PADPxy may be used to route and implement services beyond discovery services.
• The PADPxy server should authenticate each ANDSF server when first setting up the connection for PAD.
• Available techniques for authentication include preconfigured certificates and secure IP tunnels.

THANK YOU

Slide 18: References (listed in order of relevance to this example)
1. http://www.3gpp.org/DynaReport/23003.htm - 3GPP Network Elements: Numbering, Addressing, and Identification. Explains the ANDSF discovery mechanism using DNS.
2. http://www.3gpp.org/DynaReport/33222.htm - Generic Authentication Architecture and Access to 3GPP Network Using https. Explains authentication and TLS security for the ANDSF connection based on a preconfigured or bootstrapped shared key.
3. http://tools.ietf.org/html/rfc2818 - HTTP over TLS. General reference for setting up https.
4. http://www.3gpp.org/DynaReport/23234.htm - Specification of 3GPP-WLAN Interworking. Broad reference that provides detail on the WLAN-ANDSF interface.
5. http://www.3gpp.org/DynaReport/23402.htm - Specification for non-3GPP Access to 3GPP Network. Includes architecture and interworking descriptions for WLAN discovery and connection to ANDSF.
6. http://www.3gpp.org/DynaReport/23865.htm - Study of WLAN Selection and Policy Application using ANDSF Information. Provides a set of illustrative examples showing how STAs use ANDSF Management Object (MO) data to select a WLAN.
7. http://www.3gpp.org/DynaReport/24312.htm - Specification of the ANDSF MO. Complete MO details and structure of the WLAN selection policy MO tree.
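The proxy behaviour of steps A and B on slides 15 and 16, together with the security note that a rogue PADPxy must not become a relay for services beyond discovery, modelled as an added Python example that is not part of this submission or of any 11aq draft. The PADP container layout, the dummy STA address, the addresses, ports and tokens, and the operator allow-list of discovery endpoints the proxy enforces are all assumptions made for the example; the slides specify the substitution steps and the Return Code, not this policy.

```python
# Added example (not the submission's code): the PADP container, the PADPxy address
# substitution of steps A and B (slides 15-16) and defender-side checks (slide 17).
from dataclasses import dataclass

DUMMY_STA_IP = "0.0.0.1"  # constructed stand-in for the STA's dummy IP address
@dataclass(frozen=True)
class IPMessage:
    src: str
    dst: str
    dport: int
    payload: str  # ULP message text, e.g. "DNS Req(ANDSF.MCC.MNC)"

@dataclass(frozen=True)
class PADPEncap:
    token: int        # PADP token that ties message B back to message A
    ulp_id: str       # ULP ID needed for encapsulation/decapsulation (slide 10)
    inner: IPMessage

@dataclass(frozen=True)
class PADPReturnCode:  # sent instead of message B when the transaction fails
    token: int
    code: str

class PADPxy:
    def __init__(self, own_ip, allowed):
        self.own_ip = own_ip
        self.allowed = allowed  # {(dst_ip, dport)}: assumed operator allow-list
        self.pending = {}       # token -> ulp_id of outstanding transactions

    def step_a(self, enc):
        """A: decapsulate and put the proxy's own IP in place of the dummy IP."""
        m = enc.inner
        if m.src != DUMMY_STA_IP or (m.dst, m.dport) not in self.allowed:
            return PADPReturnCode(enc.token, "refused")  # beyond discovery
        self.pending[enc.token] = enc.ulp_id
        return IPMessage(self.own_ip, m.dst, m.dport, m.payload)

    def step_b(self, token, reply):
        """B: restore the dummy IP and re-encapsulate under the same token."""
        if token not in self.pending or reply.dst != self.own_ip:
            return PADPReturnCode(token, "no-transaction")
        ulp_id = self.pending.pop(token)
        restored = IPMessage(reply.src, DUMMY_STA_IP, reply.dport, reply.payload)
        return PADPEncap(token, ulp_id, restored)
def dns_step(px, token=1):
    """Step 2 on slide 15: the ANDSF FQDN lookup carried through the proxy."""
    req = PADPEncap(token, "DNS", IPMessage(DUMMY_STA_IP, "192.0.2.53", 53, "DNS Req(ANDSF.MCC.MNC)"))
    out = px.step_a(req)
    reply = IPMessage(out.dst, out.src, 53, "DNS Resp(IP Add of ANDSFb)")  # DNS server answers
    return out, px.step_b(token, reply)
```

`dns_step` walks one transaction end to end; a request whose destination is outside the allow-list, or whose source is not the dummy STA address, gets a Return Code instead of being forwarded.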