user management architecture based on software-defined...
TRANSCRIPT
User Management Architecture Based onSoftware-Defined Networking
Rastislav Bencel∗
Institute of Computer Engineering and Applied InformaticsFaculty of Informatics and Information Technologies
Slovak University of Technology in BratislavaIlkovicova 2, 842 16 Bratislava, Slovakia
AbstractWLAN networks are widely spread today and representone of the main accesses to the Internet. Their major ben-efit is the ability to make mobility of the end-station pos-sible and that is why the goal is to reach an effective usermanagement. In our research we deal with the deficienciesin IEEE 802.11 standard which is aimed at the mobility ofthe client. There are many ways to deal with these draw-backs. In order to address these shortcomings, it is clearthat the new trend in the Software-Defined Networkingnetwork is being advantageous. SDN allows more effec-tive management of the network and the research showsthat this is true for the primary area of wired networks butalso for the wireless. We have extended the SDN archi-tecture for the wireless network based on SDN principleson the basis of the actual research. We have defined newcomponents for encrypting and decrypting WPA2 securi-ty in our architecture. We have verified this architectureusing Colored Petri Nets and experimental verification inreal environment.
Categories and Subject DescriptorsC.2.1 [ Computer- Communication Networks ]:Network Architecture and Design; C.2.2 [ Computer-Communication Networks ]: Network Protocols;C.2.3 [ Computer-Communication Networks ]:Network Operations
KeywordsNetwork architecture, handover, OpenFlow, IEEE 802.11standard, Software-Defined Networking
∗Recommended by thesis supervisor: Prof. Ivan KotuliakTo be defended at Faculty of Informatics and InformationTechnologies, Slovak University of Technology in Bratisla-va on [To be specified later]
c© Copyright 2018. All rights reserved. Permission to make digitalor hard copies of part or all of this work for personal or classroom useis granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies show this notice onthe first page or initial screen of a display along with the full citation.Copyrights for components of this work owned by others than ACMmust be honored. Abstracting with credit is permitted. To copy other-wise, to republish, to post on servers, to redistribute to lists, or to useany component of this work in other works requires prior specific per-mission and/or a fee. Permissions may be requested from STU Press,Vazovova 5, 811 07 Bratislava, Slovakia.
1. IntroductionThe original IEEE 802.11 standard [1] was not focusedon the mobility of the client but primarily on providingof the connection. The legacy IEEE 802.11 standard uses4-way handshake within handover process. Moreover, thehandover requires also a scanning process before the 4-way handshake. This scanning process takes a long timeand its duration is depended on the used method (activeor passive). It is not enough secure for wireless mediumto extend the IEEE 802.11 standard to increase security(IEEE 802.11i) due to WEP security . The IEEE 802.11iadds additional messages to the original 4-way handshakein the IEEE 802.11 standard. These messages increase thehandover time.
The handover time consists of:
• Scanning time - finding a new available access point.
• Authentication time - legacy authentication and newauthentication for WPA2.
• Reasociation time - time for exchange reassociationrequest and response between mobile station andnew access point.
The family of IEEE 802.11 standards were extended bystandards 802.11k and 802.11r. These standards mitigatedrawbacks of a long handover process. The IEEE 802.11kfocuses on the decrease of scanning time. The IEEE802.11r uses only 4-way handshake during handover. De-creasing messages to 4-way handshake is reached by spe-cial hierarchy encryption keys and by exchange informa-tion before handover. Usage protocols IEEE 802.11k and802.11r can significantly improve handover time. Al-though the time is decreased by IEEE 802.11 standardfamily handover is still decided on the side of a mobilestation. The mobile station decision is not efficient forthe network because of the limited view of network.
The Software-Defined Networking (SDN) architecture [9]is a new trend in the network area. SDN architecture iscentralized and decouples control and data plane. Themost important advantage of SDN is more efficient net-work management than in traditional networks. The pri-mary target of SDN are wired networks but recent re-search [4] [3] shows that SDN can be used in wirelessnetworks as well.
2 Bencel, R.: User Management Architecture Based on Software-Defined Networking
The structure of this extended abstract is as follows. Thesecond section describes existing solutions and their draw-backs. The architecture design is presented in the thirdsection and the fourth section describes the evaluation ofdesign. The last fifth section is the conclusion.
2. Related WorkA lot of solutions exist for usage mobility nowadays inthe IEEE 802.11 networks. Some of them are not intend-ed for the SDN architecture but principles and ideas canbe applied. A good example for this solution is a personalaccess point [13]. This solution uses a migration of a vir-tual access point for user mobility. Every mobile stationhas its own virtual access point. This virtual access pointis called a personal access point and is generated duringan association process. The handover is performed by re-moving a personal access point from an old access pointand adding it to a new access point. The mobile stationdoes not recognize handover and does not have to sendany additional message for performing handover. A deci-sion of handover is made in an access control componentwhich represents a centralized component in traditionalnetwork.
The examples of solutions interconnect SDN architectureand IEEE 802.11 standards are [12] [6]. Moreover twomain principles using in SDN architecture are recognizedfor client mobility without its modification. These prin-ciples are:
• Personal Access Point.
• All network has the same SSID and BSSID.
The personal access point in SDN architecture is repre-sented by the Odin solution [11]. It uses a light virtualaccess point (LVAP) which is generated by the Odin mas-ter. It is a part of the SDN controller and a the OdinAgent is part of an access point. The Odin master com-municates with the Odin Agent via custom protocol. TheOdin solution has separated control channels for wiredand wireless part. The similar solution to Odin is SWAN[5]. A lot of projects use this Odin solution as a foun-dation for their research [10]. These extensions take overdrawbacks from Odin solutions in the form of separatedcontrol channels. A security area is not well defined andit is only mentioned in the Odin solution.
The second principle is defined by a fact that all networkhas the same SSID and BSSID. The mobile station con-nects to the network and data are transferred via an avail-able physical access point. The handover is performed bydata flow change to a new physical access point. The oldphysical access point does not send any frame to wirelessmedium for the mobile station. Drawbacks of this solu-tion are interferences due to overlapping cells in the sameradio frequencies. This principle has also limitations ininterchannel handover. Representers of this principle are[14][7].
The state of the art shows a lack of architecture designfor user management usage SDN concept. On the basisof the acquired knowledge we defined two goals for ourthesis. These goals are:
• Modification of centralized architecture for usermanagement without modification of mobile station
- handover can not have significant impact on thequality of the connection.
• Proposed protocols to control virtual access pointsin proposed architecture.
3. Architecture DesignThe architecture design is built on a personal access pointwhich is represented by a virtual access point context(VAP context). The parameters of VAP context are:
• Mobile station MAC address.
• Mobile station IP address.
• BSSID.
• SSID.
The VAP context does not contain encryption keys for theWPA2 security as LVAP in the Odin solution [11]. Theencryption keys are moved to a specialized component.The architecture use only one control channel between acontrol layer and an infrastructure layer for the wired andwireless parts of the network. Common control channelshave following advantages:
• Clear design and transparency - using standardizedSDN interfaces with purpose they were defined.There are no additional interfaces or new protocolsimplemented into our architecture.
• Higher security due to encryption between the S-DN Controller and the SDN forwarding device us-ing OpenFlow protocol. The OpenFlow protocol as-sumes usage underlay security protocols for increas-ing security of SDN network management.
3.1 High-Level ArchitectureThe high-level architecture is depicted in Figure 1 andthis figure contains all key components for ensuring IEEE802.11 functionality. Colored parts of the figure are newor modified components in the architecture. The archi-tecture extends the SDN architecture and contains threemain layers:
• Application layer - contains applications for provid-ing network services e.g. authentication, user mobil-ity. Communication between this layer and controllayer is ensure via API which depends on controlsoftware implementation.
• Control layer - represents the main control elementin the architecture. This layer ensures control planeand controls the infrastructure layer. It has to sup-port all IEEE 802.11 extensions of OpenFlow pro-tocol and applications for correct managing IEEE802.11 functionality.
• Infrastructure layer - is divided into two sublayersdue to the fact that architecture contains two trans-fer mediums. These two sublayers are linked byWTP component. These sublayers are:
– Transport - represents wired part of the net-work utilization Ethernet protocol.
Information Sciences and Technologies Bulletin of the ACM Slovakia 3
Figure 1: High-level architecture.
– Radio - represents wireless part of the networkutilization IEEE 802.11 standard.
The main architecture components are:
• Authentication server - a standard architecture el-ement that performs WPA2 Enterprise authentica-tion.
• SDN controller - represents the main central com-ponent that performs network management. It con-tains applications which perform network services.These application are on the top of the SDN con-troller. The SDN controller is dependent on theimplementation.
• SDN forwarder - represents a standard OpenFlowforwarder without modifications.
• Encryption and Decryption component - specializedhardware that encrypts and decrypts WPA2 Enter-prise security.
• Wireless Termination Point - represents an accesspoint that contains an extended OpenFlow protocoland does not have full logic of standard access pointlogic in IEEE 802.11 networks. Split-MAC access isused.
• Mobile station - represents a terminal station thatis not modified in any way.
3.2 Communication ProtocolThe communication protocol between the control layerand the infrastructure layer has to ensure correct manage-ment of the VAP context in the individual WTP compo-nents. We have identified the basics scenarios for propermanagement of a mobile station:
• Mobile station connection to the network - involvesreaching 802.11 associated state, performs WPA2authentication and assigned IP address for the userstation. The user station is available to access tonetwork resources after assigned IP address. Thecontrol layer generates the VAP context during thisprocess.
• Handover - add VAP context to a new WTP andremove VAP context from an old WTP.
• Mobile station disconnection - disconnect a mobilestation from the network. The control layer removesVAP context from the WTP.
The control layer must also correctly manage the encryp-tion and decryption component in addition to managingVAP contexts. The mobile data without correct decryp-tion are not usable. The control layer must be able toadd, remove, update, and delete all encryption keys, de-pending on the event that may occur.
The communication protocol is implemented using the ex-tension of OpenFlow protocol following specification forextension design [8]. The extension parts are called Ex-perimenter. Within our extension, we have defined newOpenFlow messages, and a new packet type, matches, anda new instruction for generating control messages basedon the received IEEE 802.11 frames as part of the WTPComponent.
3.3 Association and Handover ProcessThe WTP sends information about mobile station to S-DN Controller after receiving the probe request from themobile station. This probe request must have the same S-SID as the WTP has associated networks. The SDN Con-troller receives the information about mobile station anddecides about the next step. If the association processis continuing, so the SDN Controller sends message foradding VAP context to the WTP. On the other hand, the
4 Bencel, R.: User Management Architecture Based on Software-Defined Networking
A1
PACKET
A2
PACKET
B1
PACKET
B2
PACKET
C1
PACKET
C2
PACKET
Data1 in
PACKET
Data1 out
PACKET
Control1
PACKET
Control1
PACKETControl22
PACKET
Control2
PACKET
D1
PACKET
D2
PACKET
Control3
PACKET
Control3 in
PACKET
Data2 in
PACKET
Data2 out
PACKET
MS A
Mobile station AMobile station A
802.11 medium802.11 medium
MS 2
Mobile station BMobile station B
WTP 1
WTP1WTP1
SDN Controller
SDN controllerSDN controller
EnDeC
EnDeCEnDeC
WTP 2
WTP2WTP2
Figure 2: Architecture model in Colored Petri nets.
SDN Controller ignores information about the receivedprobe request frame on the WTP. The message for addingVAP context does not contain user station IP address inthis step. The IP address is assigned by DHCP serverimmediately after mobile station perform WPA2 enter-prise authentication. All DHCP and EAPOL messagesare transferred via the SDN Controller to the DHCP orAuthentication server. The WTP and the SDN Controlleradd the IP address to the user VAP context. The encryp-tion keys are stored in the SDN controller. Performinghandover is done on a basis of reported statistic from theWTP. After SDN controller decides to perform handover,It is sends messages for adding VAP context to the newWTP and removing VAP context from the old WTP. TheSDN controller has to change traffic flow of mobile stationfrom the old WTP to the new WTP.
3.4 Data CommunicationData communication from the radio sublayer has to passthrough an encryption and decryption component thatcontains encryption keys. The rules for forwarding traffichave to be set to the correct WTP. They change duringhandover from an old WTP to a new WTP. Data trans-ferred between WTP and an encryption and decryptioncomponent has to be tunnelled with Additional Authen-tication Data header. Tunneled data does not need con-tain information about used modulation, channel, RSSIetc. The encrypted data has to be transferred to an en-cryption component also if data communication is usedbetween mobile stations which are connected to the sameWTP.
4. EvaluationWe used two methods to evaluate the accuracy of theproposed architecture whose implementation is mutuallyindependent. These two ways are:
• Colored Petri nets.
• Experimental verification of a common control chan-nel.
4.1 Colored Petri NetsColored Petri nets were used to verify the entire architec-ture design to simulate concurrent systems and are there-fore a suitable tool for verifying the architecture proposed.The model topology shown in Figure 2 was used to verify
the architecture and allowed to verify the main processeswithin the architecture:
• Mobile station association - the verification was per-formed on one and two connecting mobile stations.
• Mobile station handover - the handover of the sta-tion between WTP during which we monitored theeffect of the handover on the transmitted frames.
• Mobile station disconnection - is related to the dis-connection from the network.
Individual processes were verified by both methods: usingand without the use of the time extension of the color-ful Petri nets. Liveness, reachability and boundedness ofplaces have been achieved in both cases. We have eval-uated the correctness of the proposed architecture. Wemonitored the effect on frame rate in time-based mea-surements. Packet loss and duplicity were affected by thetime difference of adding and removing the VAP contextto WTP components.
4.2 Experimental SolutionAs part of this verification we focused on the ability to usea common management channel effectively to manage thewired and wireless parts of the network. We have foundout that it is possible to use one control channel for bothparts of the network as part of our measurements in realenvironment that have been published [2]. We have notfound any significant worsening of the parameters due tothe handover of the station between the WTP componentsin our solution compared with the Odin solution. Thepacket loss from one measurement is shown in Figure 3.In addition, the maximum throughput was not affecteddue to the station handover.
5. ConclusionThis thesis presents an architecture that allow user man-agement in IEEE 802.11 standard networks using SDNarchitecture. Interfaces between parts are well definedin the extended SDN architecture. In addition, a con-trol protocol is defined between the SDN controller andthe WTP component, the SDN controller and the crypto-graphic component. The control protocol was implement-ed by extended the OpenFlow protocol according to theits specification.
Information Sciences and Technologies Bulletin of the ACM Slovakia 5
Figure 3: Packet loss in experimental solutionwith common control channel.
The verification of the architecture was done in two ways.The first method was to verify the whole concept and wasrealized by using colorful Petri nets. The second methodverified the possibility of effective using a common controlchannel for controlling the wired and wireless part of thenetwork. We came to the conclusion after deeper analysisof both approaches that the design of the architecture iscorrect.
The proposed architecture presents a good basis for nextextensions which can be e.g. to optimize a decision aboutthe handover, using interchannel handover or usage of thenewest security standard WPA3.
Acknowledgements. This work is a partial result of theResearch and Development Operational Program for theprojects Support of Center of Excellence for Smart Tech-nologies, Systems and Services II, ITMS 26240120029,co-funded by ERDF. It is also a part of APVV-15-0731project and VEGA 1/0836/16, KEGA 011STU-4/2017.The authors would like to thank for financial contribu-tion from the STU Grant scheme for Support of YoungResearchers.
References[1] IEEE Standard for Information technology–Telecommunications
and information exchange between systems Local andmetropolitan area networks–Specific requirements - Part 11:Wireless LAN Medium Access Control (MAC) and PhysicalLayer (PHY) Specifications. IEEE Std 802.11-2016 (Revision ofIEEE Std 802.11-2012), pages 1–3534, 2016.
[2] R. Bencel, K. Kost’al, I. Kotuliak, and M. Ries. Common SDNcontrol channel for seamless handover in 802.11. In 2018 WirelessDays (WD), pages 34–36. IEEE, apr 2018.
[3] I. T. Haque and N. Abu-Ghazaleh. Wireless Software DefinedNetworking: A Survey and Taxonomy. IEEE CommunicationsSurveys and Tutorials, 18(4):2713–2737, 2016.
[4] D. Kreutz, F. M. V. Ramos, P. Esteves Verissimo, C. EsteveRothenberg, S. Azodolmolky, and S. Uhlig. Software-DefinedNetworking: A Comprehensive Survey. Proceedings of the IEEE,103(1):14–76, jan 2015.
[5] T. Lei, Z. Lu, X. Wen, X. Zhao, and L. Wang. SWAN: An SDNbased campus WLAN framework. In 2014 4th InternationalConference on Wireless Communications, Vehicular Technology,Information Theory and Aerospace & Electronic Systems(VITAE), pages 1–5. IEEE, may 2014.
[6] S. Monin, A. Shalimov, and R. Smeliansky. Chandelle: Smoothand Fast WiFi Roaming with SDN/OpenFlow. A Poster Presentedat the US Ignite, pages 31–32, 2014.
[7] K. Nakauchi and Y. Shoji. WiFi network virtualization to controlthe connectivity of a target service. Journal of the NationalInstitute of Information and Communications Technology,62(2):55–62, 2015.
[8] Open Networking Foundation. OpenFlow Switch SpecificationVersion 1.5.1. OpenFlow Switch Specification, pages 1–283, 2015.
[9] O. N. F. W. Paper. Software-Defined Networking : The NewNorm for Networks. 2012.
[10] A. K. Rangisetti, H. B. Baldaniya, P. K. B, and B. R. Tamma.Load-aware hand-offs in software defined wireless LANs. In 2014IEEE 10th International Conference on Wireless and MobileComputing, Networking and Communications (WiMob), pages685–690. IEEE, oct 2014.
[11] L. Suresh, J. Schulz-Zander, R. Merz, A. Feldmann, and T. Vazao.Towards programmable enterprise WLANS with Odin. InProceedings of the first workshop on Hot topics in softwaredefined networks - HotSDN ’12, volume HotSDN ’12, pages115–120, New York, New York, USA, 2012. ACM Press.
[12] J. Vestin, P. Dely, A. Kassler, N. Bayer, H. Einsiedler, andC. Peylo. CloudMAC. In Proceedings of the 18th annualinternational conference on Mobile computing and networking -Mobicom ’12, page 393, New York, New York, USA, 2012. ACMPress.
[13] L. Zan, J. Wang, and L. Bao. Personal AP protocol for mobilitymanagement in IEEE 802.11 systems. In The Second AnnualInternational Conference on Mobile and Ubiquitous Systems:Networking and Services, pages 418–425. IEEE, 2005.
[14] D. Zhao, M. Zhu, and M. Xu. Supporting "One Big AP" illusionin enterprise WLAN: An SDN-based solution. In 2014 SixthInternational Conference on Wireless Communications and SignalProcessing (WCSP), pages 1–6. IEEE, 2014.
Selected Papers by the AuthorJ. Balažia, R. Bencel, I. Kotuliak. Architecture proposal for seamless
handover in 802.11 network. In 2016 9th IFIP Wireless andMobile Networking Conference (WMNC), 95–102, Colmar,France, 2016. IEEE.
R. Bencel, K. Košt’ál, I. Kotuliak, M. Ries. Common SDN controlchannel for seamless handover in 802.11. In WD 2018. 10thWireless Days Conference,34–36, Dubai, UAE, 2018. IEEE.
T. Kovácik, R. Bencel, J. Mat’o, R. Broniš, P. Trúchly, I. Kotuliak.Enhanced hybrid TV platform with multiscreen, advanced EPGand recommendation enablers. Journal of ElectricalEngineering,68, pages 224–234.