Rafael Marín López

Media-independent pre-authentication supporting secure interdomain handover optimization

Handovers may cause delays and packet losses that affect real-time communication performance. Mobility protocols at several layers are designed to support handover, but they need to be optimized to ensure high-quality application performance. Existing optimization techniques are not sufficient to take care of interdomain and intertechnology handovers involving different access technologies, such as Wi-Fi, GSM, CDMA, and WiMAX. We categorize several types of handover, describe handover delay components, and propose a handover optimization framework called media independent pre-authentication that can provide optimizations for interdomain and intertechnology handover in a manner that is transparent to mobility management protocols. In addition, we also present experimental results demonstrating that this framework can achieve a significant reduction in handover delays for both network-layer and application-layer mobility management protocols.

Seamless proactive handover across heterogeneous access networks

Dual-mode handsets and multimode terminals are generating demand for solutions that enable convergence and seamless handover across heterogeneous access networks. The IEEE 802.21 working group is creating a framework that defines a Media Independent Handover Function (MIHF), facilitates handover across heterogeneous access networks, and helps mobile users experience better performance during mobility events. In this paper, we describe this 802.21 framework and also summarize a Media-independent Pre-Authentication (MPA) mechanism currently under discussion within the IRTF that can further optimize handover performance. We discuss how the 802.21 framework and the MPA technique can be integrated to improve handover performance. Finally, we describe a test-bed implementation and validate experimental performance results of the combined mobility technique.

Providing efficient SSO to cloud service access in AAA-based identity federations

The inclusion of cloud services within existing identity federations has gained interest in the last years, as a way to simplify the access to them, reducing the user management costs, and increasing the utilization of the cloud resources. Whereas several federation technologies have been developed along the years for the Web world (e.g. SAML, Oauth, OpenID), non-web application services have been largely forgotten. The ABFAB IETF WG was created to define an architecture and a set of technologies for providing identity federation to non-Web application services, such as the cloud. ABFAB provides a way to use the existing EAP/AAA infrastructure to perform federated access control to any kind of application service, thanks to the definition of a new GSS-API mechanism called GSS-EAP. However, the ABFAB architecture does not define an efficient way of providing SSO. This paper defines a way to include such an SSO support into ABFAB, by introducing the required extensions to make use of the EAP Re-authentication Protocol (ERP), the IETF standard for providing fast re-authentication in EAP. Moreover, to demonstrate the feasibility of the proposed extensions, we have implemented a proof-of-concept based on Moonshot, the open-source implementation of ABFAB, and OpenStack as an example of cloud service. Finally, using this prototype we have completed a performance analysis that compares our proposal with the standard ABFAB operation. This analysis confirms the substantial reduction in terms of computational time and network traffic that can be achieved using ERP for providing efficient SSO to cloud service access in ABFAB-based identity federations. Defines a way to provide efficient SSO by extending the GSS-EAP mechanism.Implements the proposed solution demonstrating its feasibility.Provides a performance analysis comparing it with the standard GSS-EAP mechanism.

OpenIKEv2: Design and Implementation of an IKEv2 Solution

This paper describes the IKEv2 protocol and presents how an open-source IKEv2 implementation, in particular OpenIKEv2 has been designed and implemented. All the issues found during this process and how they were solved are also described. Finally, a comparison between existing open-source implementations is presented.

Integrating an AAA-based federation mechanism for OpenStack-The CLASSe view

Identity federations enable users, service providers, and identity providers from different organizations to exchange authentication and authorization information in a secure way. In this paper, we present a novel identity federation architecture for cloud services based on the integration of a cloud identity management service with an authentication, authorization, and accounting infrastructure. Specifically, we analyse how this type of authentication, authorization, and accounting–based federation can be smoothly integrated into OpenStack, the leading open source cloud software solution, using the Internet Engineering Task Force (IETF) Application Bridging for Federated Access Beyond web specification for authentication and authorization. We provide details of the implementation undertaken in GÉANTs CLASSe project and show its validation in a real testbed.

Providing AAA services in IPv6 networks

AAA (Authentication, Authorisation, and Accounting) frameworks are defined as a set of models, infrastructures, and protocols needed to interconnect AAA entities. They have been mainly deployed so far using the RADIUS protocol in IPv4 networks. However, when taking such AAA systems to IPv6 networks some interesting issues appear that need to be addressed. This is the main focus of this paper where both RADIUS and Diameter protocols are deployed in different IPv6-related scenarios after a deep analysis.