Fernando Pereñíguez

Providing EAP-based Kerberos pre-authentication and advanced authorization for network federations

Kerberos is a well-known standard protocol which is becoming one of the most widely deployed for authentication and key distribution in application services. However, whereas service providers use the protocol to control their own subscribers, they do not widely deploy Kerberos infrastructures to handle subscribers coming from foreign domains, as happens in network federations. Instead, the deployment of Authentication, Authorization and Accounting (AAA) infrastructures has been preferred for that operation. Thus, the lack of a correct integration between these infrastructures and Kerberos limits the service access only to service providers subscribers. To avoid this limitation, we design an architecture which integrates a Kerberos pre-authentication mechanism, based on the use of the Extensible Authentication Protocol (EAP), and advanced authorization, based on the standards SAML and XACML, to link the end user authentication and authorization performed through an AAA infrastructure with the delivery of Kerberos tickets in the service providers domain. We detail the interfaces, protocols, operation and extensions required for our solution. Moreover, we discuss important aspects such as the implications on existing standards.

Analysis of Handover Key Management schemes under IETF perspective

The Extensible Authentication Protocol (EAP) has been standardized within the Internet Engineering Task Force (IETF) in order to provide flexible mechanisms for authentication and key management for network access control. However, some deficiencies have been revealed and recognized as a major obstacle to achieving secure and seamless handover in mobile scenarios. HOKEY (Handover Keying) Working Group in IETF is standardizing low-latency EAP re-authentication and key distribution protocols to address these deficiencies. This paper provides a critical analysis of the on-going work.

Secure three-party key distribution protocol for fast network access in EAP-based wireless networks

In this paper, we present a solution that reduces the time spent on providing network access in multi-domain mobile networks where the authentication process is based on the Extensible Authentication Protocol (EAP). The goal is to achieve fast and smooth handoffs by reducing the latency added by the authentication process. This process is typically required when a mobile user moves from one authenticator to another regardless of whether the new authenticator is in the same domain (intra-domain) or different domain (inter-domain). To achieve an efficient solution to this problem, it has been generally recognized that a fast and secure key distribution process is required. We propose a new fast re-authentication architecture that employs a secure three-party key distribution protocol which reduces the number of message exchanges during the network access control process. Our approach is proved to preserve security and verified by means of a formal tool. The resulting performance benefits are shown through our extensive simulations. 2010 Elsevier B.V. All rights reserved.

Comprehensive vehicular networking platform for V2I and V2V communications within the Walkie-Talkie Project

Communication architectures integrating vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications will be the key of success for the next generation of cars. Nevertheless, the integration of these communication partners in the same platform is a challenging issue because most of the literature is focused on individual parts, such as V2V routing protocols or specific safety services. The Walkie-Talkie project was proposed to fill this gap, focusing on the integration of V2V and V2I systems to equip vehicles with a set of intelligent services addressing safer, smarter, and sustainable driving. This paper describes the developed communications platform. The network design is based on IPv6 to support middleware and applications executed on both the vehicle and infrastructure sides. Whereas V2I is focused on the usage of IPv6 network mobility, V2V is provided by means of a hybrid solution based on intelligent delivery and delay tolerant networks. On top of the networking protocols, a service access middleware exploiting concepts from next generation networks is proposed, together with a proper on-board application management based on the open service gateway initiative. A prototype of the network and real evaluations are also presented as a proof of concept of our platform.

IPv6 Communication Stack for Deploying Cooperative Vehicular Services

New-age cooperative services for vehicles involve communication nodes in nomadic devices, vehicles, roads and central stations. However, as the number of vehicular services hosted in both the vehicle and infrastructure side increase, it is more and more necessary to use a proper framework to deploy them effectively using a common interconnection network. Following the ISO/ETSI recommendations, which provide a reference ITS communication architecture, the current work provides an implementation, deployment and experimental assessment of a vehicular communications stack for providing infrastructure-to-vehicle services. The architecture presented in this paper considers open issues such as communications security, the support of geo-referenced facilities, the need of a service deployment framework in vehicles and central stations, and the management of host software.

Vehicle-to-infrastructure messaging proposal based on CAM/DENM specifications

The European Telecommunications Standards Institute (ETSI) has proposed a middleware solution (called facility) to support vehicular safety and traffic efficiency services needing continuous status information about surrounding vehicles or wanting to send asynchronous warning notifications to vehicles. The former capability is offered by the Cooperative Awareness Basic Service, while the latter is provided by the Decentralized Environmental Notification Basic Service. Reference packet formats for both the Cooperative Awareness Message (CAM) and Decentralized Environmental Notification Message (DENM) have been specified by ETSI, together with the general message dissemination guidelines. This paper presents an implementation prototype that has been developed to validate both CAM and DENM messaging capabilities. We provide implementation decisions and demonstrate the usefulness of these facilities through two reference services which provide a way to third-party services to gather tracking and tracing information, and send asynchronous road events to drivers within a specific area.

A vehicular network mobility framework: Architecture, deployment and evaluation

Research on vehicular networks has increased for more than a decade, however, the maturity of involved technologies has been recently reached and standards/specifications in the area are being released these days. Although there are a number of protocols and network architecture proposals in the literature, above all in the Vehicular Ad-hoc Network (VANET) domain, most of them lack from realistic designs or present solutions far from being interoperable with the Future Internet. Following the ISO/ETSI guidelines in field of (vehicular) cooperative systems, this work addresses this problem by presenting a vehicular network architecture that integrates well-known Internet Engineering Task Force (IETF) technologies successfully employed in Internet. More precisely, this work describes how Internet Protocol version 6 (IPv6) technologies such as Network Mobility (NEMO), Multiple Care-of Address Registration (MCoA), IP Security (IPsec) or Internet Key Exchange (IKE), can be used to provide network access to in-vehicle devices. A noticeable contribution of this work is that it not only offers an architecture/design perspective, but also details a deployment viewpoint of the system and validates its operation under a real performance evaluation carried out in a Spanish highway. The results demonstrate the feasibility of the solution, while the developed testbed can serve as a reference in future vehicular network scenarios.

A transport-based architecture for fast re-authentication in wireless networks

In this paper we propose an architecture aimed for reducing the latency of network access authentication based on the Extensible Authentication Protocol (EAP). The architecture is based on the design of a new EAP method for which a standalone authenticator is used, and does not require any change to the EAP specification or the specifications of EAP lower-layers such as IEEE 802.11 and IEEE 802.16e. We also show

Deployment of vehicular networks in highways using 802.11p and IPv6 technologies

Most of the previous and current vehicular communication deployments, testbeds and, in general, experimental efforts come from research contributions evaluating particular solutions in the area. We have had to wait until recent days to see great testing campaigns in vehicular cooperative systems, coming from research projects supported by national or international funding. This paper reviews the deployment and operation of communication infrastructures in one of the major European projects in this area, i.e., European field operational test on safe, intelligent and sustainable road operation FOTsis. A key advance of FOTsis has been the integration of IEEE 802.11p and IPv6 technologies following the ISO/ETSI guidelines in cooperative systems for vehicle to infrastructure V2I communications. This work reports our main findings providing an interoperable IPv6 access to vehicular services, describes the main test-sites, provides vehicular network performance tests, and summarises our experience in these deployments. Our recommendations pave the way for future large-scale vehicular communication deployments in the V2I segment, which is expected to be the most relevant in the short and medium term.

The Use of IPv6 in Cooperative ITS: Standardization Viewpoint

Internet Protocol version 6 (IPv6) is envisaged to be the cornerstone for the future development of ITS services. Both research communities and standardization forums are considering the use of IPv6 as a media-agnostic carrier for non-time critical safety applications as well as for traffic management. This interest is based on the numerous benefits brought by IPv6: large addressing space able to cope with ambitious deployment scenarios such as the vehicular one, easier support of management operations related to node auto-configuration and native support of security mechanisms. This chapter surveys the current European standard specifications in the field of IPv6-based communications applied to cooperative ITS systems. The convenience of using IPv6 technology is demonstrated by identifying a wide set of relevant ITS specifications where the application of IPv6 networking protocols outperforms other protocol solutions. Furthermore, this study is complemented with a performance assessment of IPv6 communications over a cooperative ITS scenario using a real IPv6-enabled communications stack compliant with the standardized ITS station reference architecture specified by International Standards Organization (ISO) and European Telecommunications Standards Institute (ETSI).