Proxy mobile IPv6 (PMIPv6) has been standardized by the NETLMN Working Group; it enables local network-based mobility management for meeting the needs of a heterogeneous handoff (HO) environment where client mobility can be performed without the use of another mobility management operation [1]. However, PMIPv6 cannot directly support global mobility and any specific authentication approach between different domains because it was originally designed for local mobility in a single domain. Because of these security issues, authentication is the fundamental security technology and has become the focus of security research [2].

Recently, some research has been conducted on the domain-level mobility of the PMIPv6 authentication method. This paper proposes secure pre-authentication and key management schemes for fast HO in PMIPv6. In addition to providing pre-authentication, the proposed authentication method can prevent threats such as replay attacks and key exposure. Further, analytic models have been used for measuring the authentication latency and for cost analysis. Then, the effects of mobility and traffic parameters on the authentication cost and latency, respectively, are analyzed.

In [3], Zhou et al. proposed a PMIPv6 authentication scheme based on diameter protocol, utilizing a pre-shared key between the AAA sever and the proxy mobile entities. They suggested that the interactions between the AAA sever and a proxy mobile entity can reduce the access efficiency. However, they do not mention sharing the key in advance. In [4], Zhang et al. proposed a certificateless signcryption scheme in the authentication process to solve the key management issue in a wireless environment during key negotiations with the AAA server, leading to an increase in the AAA server’s cost, and the scheme did not mention how to deal with handoff authentication. In [5], Gao et al. proposed an authentication scheme for PMIPv6 on the basis of a two-level identity-based signature scheme, which is a mutual access authentication protocol, for eliminating the interactions between the home network and an access network and thereby improving authentication efficiency and reducing cost. Nevertheless, their scheme is restricted to mobile access gateways (MAGs) in the same domain and does not consider a reduction in the authentication delay as in the case of the pre-authentication.

We use EAP-AKA, RADIUS, and the L2 triggers defined in IEEE 802.21 MIH for supporting a secure key distribution, mutual authentication, and inter-local mobility anchor (LMA) HO when a mobile node (MN) crosses the boundaries of a MAG within a PMIPv6 domain. We presume that the MAG and the LMA take charge of the authentication routine for a visiting MN. The AAA client is located at MAG and LMA. When the MN initiates a new session, the MN needs to be authenticated (i.e., initial authentication). In the standard EAP-AKA, the MN and the AAA must generate a master session key (MSK) and an extended MSK (EMSK) after successful authentication [6]. An MSK is delivered to the access point (AP) to be used in generating a transient session key (TSK). An EMSK is generated, but its use is not determined. We propose the use of an EMSK to derive additional keys in order to achieve secure pre-authentication without compromising security. We extend the key hierarchy in the EAP-AKA protocol by introducing MAG domain-level and local-level keys derived from the MSK and the EMSK as shown in Fig. 1. Globallevel keys are unique keys derived by the AAA and the MN for a PMIPv6 domain. Local-level keys are unique keys derived by the LMA and the MN for an AP within the MAG domain. Session keys are unique keys derived by the MAG and are later used for deriving TSKs. MSK is used for deriving additional keys for the MN’s re-authentication operations without HO. Further, we propose the use of the EMSK as the root key for HO pre-authentications.

The keys derived from the EMSK are the HO root key (HOK), the global-level HO key (GHK), and the local-level HO key (LHK). LHK is ultimately used for deriving TSK in intra- and inter-MAG HO.

When an MN initiates a new session in a PMIPv6 domain, an authentication procedure is started. To derive the required additional keys, we suggest the following modifications to the EAP-AKA message flow as depicted in Fig. 2. After the EAK-APA protocol is successfully performed, six new keys are generated. The HOK, that is, the root HO key is derived from the EMSK by the AAA and the MN. Both nodes use a special pseudo random function (PRF) similar to the one used in generating the MSK in the standard EAP-AKA protocol.

where “|” denotes concatenation and MN# represents the MN address in the medium access control layer. AAAID indicates the identity of the AAA server.

The global-level HO key, GHK, is derived from HOK by the AAA and the MN.

where LMAID and MAGID denote the identity.

The global-level and local-level re-authentication keys, GRK and LRK, are derived from the MSK and the GRK by the AAA and the LMA, respectively.

A key used for securing traffic between the MN and the AAA, K_MAG−MN. This key is exclusively inferred by the MN and the MAG.

Secure delivery of GRK, GHK and TMAGID is performed by the AAA to the LMA. Secure delivery of LRK is performed by LMA to the MAG. The derivation of HOK, GHK, LHK, GRK, LRK, and K_MAG−MN by the MN.

An MN roams to a neighbor AP when experiencing the low signal intensity level of the current AP (CAP). The target AP (TAP) may be in the same LMA domain or belong to a different LMA domain. Because of the lack of an LMA HO authentication protocol in the PMIPv6 domain and the inadaptability of existing MIPv4/MIPv6 authentication protocols, we have designed intra and inter-LMA HO preauthentication protocols to minimize the authentication delay and the signaling overhead. The proposed protocols utilize the EAP-AKA messages and can efficiently operate in the PMIPv6 domain. The intra-LMA HO is locally carried out when the CAP and the TAP reside in the same LMA domain. Further, the inter-LMA HO is executed when the CAP and the TAP reside in different LMA domains. The intra/inter-LMA HO minimizes the dependency on the HSS and the HAAA to authenticate the MN and thus results in improved performance without compromising security.

The MN needs to supply the identities of the TAP and the TMAG that it requires to execute an HO to TAPID and TMAGID, respectively. Thus, we propose an adjustment of the IEEE 802.11 probe response management frames sent by the TAP to include its identity and the identity of the MAG associated with it as the information elements (IEs). A part of the IEs is set aside for future use and can be utilized for this purpose [7]. Do note that HO-related decisions such as HO triggers and the best TAP selection are out of the scope of this paper. Further, Fig. 3 depicts the inter-MAG HO authentication operation; here, the MAG controls the MN authentication instead of the HSS and the HAAA. The inter-MAG HO authentication protocol proceeds as follows:

The MAG also increments CTR and sends an EAP success message to the MN. Consequently, the MN derives LHK and increments CTR. CMAG and TMAG exchange a notify-request and notify-accept RADIUS AAA message to confirm the HO operation. Finally, LHK is sent to the TAP in the RADIUS access-accept messages with the MS-MPPE-Recv-Key attribute [8].

In the inter-LMA HO, the authentication procedure is completed without the need to retrieve security keys from the HSS, as shown in Fig. 4. The protocol procedure is as follows:

At the conclusion of a successful intra- or inter-LMA HO, a fresh LHK is retained by the MN and the TAP. The LHK is used for deriving TSK, which is then applied to generate additional keys that are demanded to secure the channel between the MN and the TAP.

We define the authentication cost as the amount of signaling load and processing load during each authentication procedure. Then, the initial authentication cost, C_i, can be represented as follows:

where N_h denotes the number of hops between the MN and the AAA server. The first item is the signaling cost, and the other items are the processing costs. The cost parameters C_t, C_v, C_ed, and C_k denote the transmission cost on one hop, the verification cost of the AAA server, a pair of encryption and decryption costs for a value, the key generation cost, respectively. As shown in Fig. 2, an MN needs to request identity from the MAG first. The distance that the messages traverse is 2 in this step. Then, the authentication messages need to reach the AAA. The distance between the MN and the AAA is assumed to be N_h hops. Since no security association (SA) exists between the MAG and the LMA, a mutual authentication process to the LMA is needed, which requires the messages to traverse four more hops in a roundtrip transmission. Thus, the total number of hops that the authentication messages traverse in the round-trip transmission is 2 + 2N_h + 4 = 2(N_h + 3). In this authentication process, the challenge/response values are verified twice at the AAA and the MN for mutual authentication. Thus, the coefficient for C_v is 2. In this process, three pairs of encryption and decryption costs are needed. The first pair is for encrypting and decrypting the challenge/response values between the MN and the AAA; the second is for encrypting and decrypting the session key between the AAA and the LMA; and the third is for encrypting and decrypting the session key between the AAA and the MAG. Thus, the coefficient for C_ed is 3. Because the AAA needs to generate a dynamic key for the LMA, the MAG, and the MN, the coefficient for C_k is 12. As shown in Fig. 3, we can determine the inter-MAG HO authentication cost, C_mh, as follows:

where the last processing cost, 2N_mC_t, is the transmission cost for the notify-request, notify-accept, and AAA messages between the CMAG and the TMAG. The cost parameter N_m denotes the number of hops between the CMAG and the TMAG. The average authentication cost is defined as the sum of the authentication cost over a number of ARs per unit time, which can be written as follows:

where C_i and C_mh represent the initial and the HO authentication cost expressed in Eqs. (13) and (14), respectively, and λ_µ denotes the call arrival rate. As shown in Fig. 4, we can determine the inter-LMA HO authentication cost, C_lh, as follows:

where the last processing cost, 4N_mC_t, is the transmission cost for the notify-request, notify-accept, and two AAA messages between the CLMA and the TLMA. The cost parameter N_m denotes the number of hops between the CLMA and the TLMA. The average authentication cost is defined as the sum of the authentication cost over a number of ARs per unit time, which can be written as follows:

where C_i and C_lh denotes the initial and the HO authentication cost in Eqs. (13) and (16), respectively, and λ_µ represents the call arrival rate.

We define authentication delay as the time from when an MN sends out an AR to when the MN receives the authentication reply (i.e., the EAP success message). Then, the delay per initial authentication, T_i, can be written as follows:

where the time parameters T_pr, T_tr, T_wm, T_wa, T_ed, T_v, and T_k represent the message propagation time on one hop, the message transmission time on one hop, the AR service and waiting time at the MAG, the AR service and waiting time at the AAA, a pair of encryption and decryption times for a value, the verification time at the MN/the AAA, and the key generation time at the AAA, the LMA, the MAG and the MN, respectively. The coefficients in front of the time variables in T_i denote the number of time variables for each authentication. Similar to the analysis in Eq. (13), we can calculate the number of hops that the round-trip signaling messages traverse in the authentication process to be 2(N_h + 3). Then, the coefficient in front of T_pr + T_tr is 2(N_h + 3). Since the authentication process needs to pass the MAG four times, the coefficient of T_wm, i.e., the AR service and waiting time, is 4. Because the authentication message traverses the AAA twice, the coefficient of T_wa, i.e., the AR service and waiting time at the AAA, is 2. Similar to the coefficient analysis in front of C_ed and C_k in Eq. (13), we can calculate the coefficient of T_ed to be 3 and the coefficient of T_k to be 12. As shown in Fig. 3, the delay per inter-MAG HO authentication, T_mh, can be expressed as follows:

where the time parameter N_m denotes the number of hops between the PMAG and the TMAG. The average authentication delay is defined as the sum of an authentication delay over a number of ARs in unit time, which can be expressed as follows:

where T_i and T_mh denote the delay per initial and inter-MAG HO authentication expressed in Eqs. (18) and (19), respectively, and λ_µ represents the call arrival rate. As shown in Fig. 4, the delay per inter-LMA HO authentication, T_lh, can be expressed as follows:

where the time parameter N_m denotes the number of hops between the previous LMA (PLMA) and the target LMA (TLMA). The average authentication delay is defined as the sum of an authentication delay over a number of ARs in unit time, which can be expressed as follows:

where T_i and T_lh represent the delay per initial and interLMA HO authentication shown in Eqs. (18) and (21), respectively, and λ_µ represents the call arrival rate.

The parameters to evaluate the authentication cost and delay are shown in Table 1. Some parameter values for the analysis have been taken from [3]. The authentication cost in Eqs. (13), (14), and (16) can be calculated using the number of messages [10]. We utilize the ratio of the processing times to obtain the authentication cost because the time required to complete an operation represents the payload of the server to complete it [11]. The key generation cost, C_k, is normalized to a cost unit because it is the lightest load compared to the other costs. The values of the other costs are determined by a comparison with C_k using the time taken to complete the procedure. In Eqs. (13), (14), and (16), we only consider T_wm, T_wa, and T_v to be the random variables because the variance of the other time variables is small. T_pr is a function of the distance between two points, T_tr is determined by the message length and the link speed, T_ed is mainly related to the performance of the computer and the message length, and T_k is directly related to the computer performance. In practice, the distance between two points, the message length, the link speed, and the computer performance are all fixed. Therefore, we do not consider T_pr, T_tr, T_ed, and T_k random variables in this work. However, T_wm, T_wa and T_v are all related to the traffic load, queue length, and service time, which are varied from time to time and have a large variance. For the sake of simplification, we consider that the M/M/1 queues are applied at the MAGs, LMAs and the AAA and that the PDFs of T_wm, T_wa, and T_v are independent, identical distributions. The effects of the mobility and the traffic pattern on the average authentication cost and delay are shown in Figs. 5–12. In Figs 5 and 6, the average authentication costs decrease with an increase in the residence time of an MN in a MAG because the longer an MN stays in the MAGs, the lower is the handoff AR. Thus, if the residence time of an MN approaches infinity, the authentication cost will be stable and will be the same as the initial authentication cost because only the initial authentication exists in this case. Conversely, when the residence time approaches 0, most of the authentications are handoff authentications and the average authentication cost approaches infinity. However, for the sake of clarity, this is not depicted in Figs. 5 and 6. Figs. 7 and 8 show that the average authentication costs increase with an increase in the call arrival rate of an MN. As shown in Eqs. (15) and (17), the authentication cost is proportional to the call arrival rate λ_µ.

Figs. 5–8 show that the average authentication cost increases with an increase in the number of hops between the AAA servers. This is attributed to the fact that a relatively high transmission cost will be needed in such a case. Figs. 9 and 10 show the effect of the residence time on the average authentication delay. As we can see, the authentication delay decreases with an increase in the residence time of an MN in a MAG. As in the case of the authentication cost, this trend is attributed to the decrease in the handoff AR. Thus, if the residence time of an MN approaches infinity, the authentication delay will be the same as the initial authentication delay. In contrast, when the residence time approaches 0, most of the authentications are handoff authentications and the average authentication delay approaches infinity. However, for the sake of clarity, this is not shown in Figs. 9 and 10. Figs. 11 and 12 show that the average authentication delay increases with an increase in the call arrival rate of an MN. As shown in Eqs. (20) and (22), the authentication delay is proportional to the call arrival rate λ_µ. Figs. 9–12 show that the average authentication delay increases with an increase in the number of hops between the MN and the AAA server as more message propagation time and message transmission time are needed.

In this paper, we proposed a pre-authentication method for the PMIPv6 protocol, which invokes the EAP-AKA signaling messages towards the AAA system. The proposed secure pre-authentication method prevents threats such as replay attacks and key exposure. We also conducted a performance analysis of the authentication cost and delay with respect to the mobility and traffic patterns. Therefore, this scheme presents a further understanding of the authentication mechanism in PMIPv6 networks. In the future, we plan to improve the proposed authentication method with a more detailed security analysis and better comparisons with other new authentication mechanisms in a PMIPv6-based network.