Survivability_Evaluation_of_SIGMA_and_Mobile_IP

Survivability Evaluation of SIGMA and Mobile IP Shaojian Fu, Mohammed Atiquzzaman TR-OU-TNRL-05-109 April 2005 Telecommunication & Network Research Lab School of Computer Science THE UNIVERSITY OF OKLAHOMA 200 Felgar Street, Room 159, Norman, Oklahoma 73019-6151 (405)-325-4042, atiq@ou.edu, www.cs.ou.edu/˜atiq Survivability Evaluation of SIGMA and Mobile IP Shaojian Fu, Mohammed Atiquzzaman Telecommunications and Networks Research Lab School of Computer Science, University of Oklahoma, Norman, OK 73019-6151, USA. Email: {sfu,atiq}@ou.edu Abstract Mobile IP has been developed by IETF to handle mobility of Internet hosts at the network layer. Mobile IP suffers from a number of drawbacks, one of which is low survivability due to single-point failure of Home Agents. In our previous study, Seamless IP diversity based Generalized Mobility Architecture (SIGMA) was proposed to support low latency, low packet loss IP mobility. In this paper, we show that the location management scheme used in SIGMA can enhance the survivability of the mobile network. We develop an analytical model to evaluate the survivability of SIGMA as compared to that of Mobile IP. Numerical results have shown the improvement in system response time and service blocking probability of SIGMA over Mobile IP in practical environments under the risk of hardware failures and distributed DoS attacks. I. INTRODUCTION Mobile IP (MIP) [1] is designed to handle mobility of Internet hosts at the network layer. Several drawbacks exist when using MIP in a mobile computing environment, one of which is low survivability due to single-point failure of Home Agents. Mobile IP is based on the concept of Home Agent (HA) for recording the current location of the Mobile Host (MH) and forwarding packets to MH when it moves out of its home network. In MIP, the location database of all the mobile nodes are distributed across all the HAs that are scattered at different locations (home networks). According to principles of distributed computing, this approach appears to have good survivability. However, there are two major drawbacks to this location management scheme as given below: • Each user’s location and account information can only be accessible through its HA. The transparent replication of the HA, if not impossible, is not an easy task as it involves extra signaling support as proposed in [2]. • HAs have to be located in the home network of an MH in order to intercept the packets sent to the MH. The complete home network could be located in a hostile environment, in the case of failure of the home networks, all the MHs belonging to the home network would no longer be accessible. As the amount of real-time traffic over wireless networks keeps growing, the deficiencies of the network layer based Mobile IP, in terms of high latency and packet loss, becomes more obvious. Since most of the applications in the Internet are end-to-end, a transport layer mobility solution would be a natural candidate for an alternative approach. A number of transport layer mobility protocols have been proposed, for example, MSOCKS [3] and connection migration solution [4] in the context of TCP, and M-SCTP [5] and mobile SCTP [6] in the context of SCTP [7]. In our previous study in [8], we proposed an new architecture for supporting low latency, low packet loss mobility called Seamless IP diversity based Generalized Mobility Architecture (SIGMA), and evaluated its handover performance compared with MIPv6 enhancements. The location management and data traffic forwarding functions in SIGMA are decoupled, allowing it to overcome the drawbacks of MIP in terms of survivability. In SIGMA, Location Managers (LM) can be combined with DNS servers, which can be deployed anywhere in the Internet and in a highly secure location. Also, it would be fairly straightforward to duplicate the LMs since they are not responsible for user data forwarding. In the literature, two recent papers that have addressed the problem of MIP survivability are [9] and [10]. Ref [9] proposed a procedure to let MH register with multiple MAPs to avoid single point failure. Ref [10] used a similar idea as SIGMA, and the authors proposed a way to move HA (they call it Location Register) to a secure location and duplicate HA through some translation servers or a Quorum Consensus algorithm borrowed from distributed database systems. But none of the papers analytically models the survivability of MIP. Through analytical models, the objective of this paper is to show that the location management scheme used in SIGMA can enhance the survivability of the mobile network. The contributions of the current study can be summarized as: • Illustrate the reason of SIGMA can achieve better survivability than MIP. • Develop a analytical model based Markov Reward Process to determine the survivability of location management schemes. • Compare the survivability of SIGMA and MIP in terms of system availability and user response time. The rest of this paper is structured as follows: Sec. II reviews the location management scheme used by SIGMA, Sec. III illustrates the basic reason of SIGMA being able to achieve better survivability than MIP. The analytical model is described in Sec. IV and the numerical results are shown in Sec. V. Finally, the concluding remarks are presented in Sec. VI. Internet Correspondent Node DNS Server Mobile Host 6 . S e t u p & D a t a P a c k e t s 5 . A n s w e r t o t h e Q u e r y Root Name Server 2. Query for current MH location 3. Answer with IP of the DNS Server 4 . Q u e r y P r i m a r y S e r v e r 1 . U p d a t e c u r r e n t M H ’ s l o c a t i o n New Domain Previous Domain Fig. 1. Location management in SIGMA II. LOCATION MANAGEMENT OF SIGMA SIGMA needs to setup a location manager for maintaining a database of the correspondence between MH’s identity and its current primary IP address. Unlike MIP, the location manager in SIGMA is not restricted to the same subnet as MH’s home network (in fact, SIGMA has no concept of home or foreign network). The location of the LM does not have impact on the handover performance of SIGMA. This will make the deployment of SIGMA much more flexible than MIP. The location management can be done in the following sequence as shown in Fig. 1: (1) MH updates the location manager with the current primary IP address. (2) When CN wants to setup a new association with MH, CN sends a query to the location manager with MH’s identity (home address, domain name, or public key, etc.) (3) Location manager replies to CN with the current primary IP address of MH. (4) CN sends an SCTP INIT chunk to MH’s new primary IP address to setup the association. If we use the domain name as MH’s identity, we can merge the location manager into a DNS server. The idea of using a DNS server to locate mobile users can be traced back to [11]. The advantage of this approach is its transparency to existing network applications that use domain name to IP address mapping. An Internet administrative domain can allocate one or more location servers for its registered mobile users. Compared to MIP’s requirement that each subnet must have a location management entity (HA), SIGMA can reduce system complexity and operating cost significantly by not having such a requirement. Moreover, the survivability of the whole system will also be enhanced as discussed in Sec. III. III. SURVIVABILITY COMPARISON OF SIGMA AND MIP In this section we discuss the survivability of MIP and SIGMA. We highlight the disadvantages of MIP in terms of survivability, and then discuss how those issues are taken care of in SIGMA. A. Survivability of MIP In MIP, the location database of all the mobile nodes are distributed across all the HAs that are scattered at different locations (home networks). According to principles of distributed computing, this approach appears to have good survivability. However, there are two major drawbacks to this distributed nature of location management as given below: • If we examine the actual distribution of the mobile users’ location information in the system, we can see that each user’s location and account information can only be accessible through its HA; these information are not truly distributed to increase the survivability of the system. The transparent replication of the HA, if not impossible, is not an easy task as it involves extra signaling support as proposed in [2]. • Even if we replicate HA to another agent, these HAs have to be located in the home network of an MH in order to intercept the packets sent to the MH. The complete home network could be located in a hostile environment, such as a battlefield, where the possibility of all HAs being destroyed is still relatively high. In the case of failure of the home networks, all the MHs belonging to the home network would no longer be accessible. B. Centralized Location Management of SIGMA offers Higher Survivability Referring to Fig. 1, SIGMA uses a centralized location management approach. As discussed in Sec. II, the location management and data traffic forwarding functions in SIGMA are decoupled, allowing it to overcome many of the drawbacks of MIP in terms of survivability (see Sec. III-A) as given below: • The LM uses a structure which is similar to a DNS server, or can be directly combined with a DNS server. It is, therefore, easy to replicate the Location Manager of SIGMA at distributed secure locations to improve survivability. • Only location updates/queries need to be directed to the LM. Data traffic do not need to be intercepted and forwarded by the LM to the MH. Thus, the LM does not have to be located in a specific network to intercept data packets destined to a particular MH. It is possible to avoid physically locating the LM in a hostile environment; it can be located in a secure environment, making it highly available in the network. Internet Correspondent Node Mobile Host 4 . T r y B a c k u p S e r v e r 1 Access Router 6 . S e t u p & D a t a P a c k e t s 5 . A n s w e r t o t h e Q u e r y Backup Server 1 Root Name Server 1. Query for current MH location 2. IP of primary and backup servers 3 . T r y P r i m a r y S e r v e r Primary Server Backup Server 2 DNS Zone Fig. 2. Survivability of SIGMA’s location management. Fig. 2 illustrates the survivability of SIGMA’s location management, implemented using DNS servers as location servers. Currently, there are 13 servers in the Internet [12] which constitute the root of the DNS name space hierarchy. There are also several delegated name servers in the DNS zone [13], one of which is primary and the others are for backup and they share a common location database. If an MH’s domain name belongs to this DNS zone, the MH is managed by the name servers in that zone. When the CN wishes to establish a connection with the MH, it first sends a request to one of the root name servers, which will direct the CN to query the intermediate name servers in the hierarchy. At last, CN obtains the IP addresses of the name servers in the DNS zone to which the MH belongs. The CN then tries to contact the primary name server to obtain MH’s current location. If the primary server is down, CN drops the previous request and retries backup name server 1, and so on. When a backup server replies with the MH’s current location, the CN sends a connection setup message to MH. There is an important difference between the concept of MH’s DNS zone in SIGMA and MH’s home network in MIP. The former is a logical or soft boundary defined by domain names while the latter is a hard boundary determined by IP routing infrastructure. If special software is installed in the primary/backup name servers to constitute a high-availability cluster, the location lookup latency can be further reduced. During normal operation, heart beat signals are exchanged within the cluster. When the primary name server goes down, a backup name server automatically takes over the IP address of the primary server. A query requests from a CN is thus transparently routed to the backup server without any need for retransmission of the request from the CN. Other benefits SIGMA’s centralized location management over MIP’s location management can be summarized as follows: • Security: Storing user location information in a central secure database is much more secure than being scattered over various Home Agents located at different sub-networks (in the case of Mobile IP). • Scalability: Location servers do not intervene with data forwarding task, which helps in adapting to the growth in the number of mobile users gracefully. • Manageability: Centralized location management provides a mechanism for an organization/service provider to control user accesses from a single server. IV. ANALYTICAL MODEL The aim of our model is to perform a combined analysis of system availability and performance evaluation. J. Meyer created a new measure called performability in [14], [15], which will be used in this paper to measure the survivability of a system. A performability model consists of a availability sub- model, a performance sub-model, and a glue model that combine these two sub-models. We choose Markov Reward Model as the glue model since it provides a natural framework for an integrated specification of state transitions due to server failures and the system performance (equivalent to reward) under each system state. A. Networking Architecture The networking architecture been considered in the analytical model is shown in Fig. 3. The router in Fig. 3 forwards location updates from MHs, location queries from CNs, and DDoS attack traffic to N location managers according to a round-robin policy. Each location manager has an independent queue of size K packets. After being processed by one of location managers, the acknowledgement/reply to the update/query/attack packets are transmitted back to their originators. B. Assumptions and Notations We have made the following assumptions in our analytical model to make it computationally tractable: • Arrival of location updates, queries, and DDoS attacks are Poisson processes. • Location managers can not differentiate DDoS attack traffic from legitimate traffic. • All location managers share common set of MH’s mobility bindings. • Processing time of location updates, queries, and DDoS attacks are exponential distributed and have same mean value. Router S 1 S 2 S N K Location updates/queries/ DDoS attacks Ack/Replies Fig. 3. Queuing model of N location managers • Hardware failures can be perfectly covered1, i.e. system can degrade gracefully when one of the working server fails. • Hardware failures always occurs on the servers with heaviest load. Following are the notations that will be used in the analytical model: N total number of location managers. λu, λq, λa arrival rate of location updates, queries, and DDoS attack, respectively. λ summation of λu, λq, λa. µ location manager processing rate. K queue size of each location manager (packets). γ, δ hardware failure rate and repair rate, respectively. τ mean time to failure (MTTF) φ mean time to repair (MTTR) C. Combined System Availability & Performance model for SIGMA survivability The objective of our model is to determine the average response time and blocking probability of SIGMA under the impact of hardware failures and DDoS attacks. We use a two-dimensional Continuous Time Markov Chain (CTMC) to capture system characteristics. The state transition diagram is shown in Fig. 4, in which each state is labelled as (Nw, L), where Nw is the number of currently working servers and L is the total number of packets in the system. When Nw equals N , since each server has a queue size of K, the maximum value of L is K ′′ = N ×K. Similarly, When Nw equals N − 1, the maximum value of L is K ′ = (N − 1)×K. We illustrate the transition diagram through several examples: 1In an imperfect coverage system, some failures are impossible to be detected and the failure of one component will halt the whole system. • current state is (N ,0), the hardware failure of any one server (happens with a rate of Nγ) will make the next state (N − 1,0). • current state is (N ,1), arrival of one update/query/attack packet will change the state to (N ,2). Since router use a round-robin policy, each server has equal share of load. Therefore, the transition rate is λ/N . • current state is (N ,2), departure of one packet will change the state to (N ,1). Since each server has equal processing rate of µ, therefore, the transition rate is µ/N . • current state is (N ,2), one hardware failure will make the next state (N − 1,1). Since we assume the hardware failure always occurs on the servers with heaviest load (equals one in this case), the packets assigned to the failed server will be lost. • current state is (N − 1,1), the repair of the failed server will change the state of (N ,1). (0,0) (1,0) δ γ (1,1) λ µ (1,K) λ µ λ µ γ γ δ δ 2γ 2γδ δ 2γ (N − 1)γ (N-1,0) (N-1,1) λ N−1 µ (N-1,K’) λ N−1 µ λ N−1 µ (N − 1)γ (N − 1)γ (N,0) (N,1) (N,2) δ Nγ Nγ Nγ δ δ λ N µ λ N µ (N,K") Nγ λ N µ λ N µ Fig. 4. State digram of N location managers We can determine each element of infinitesimal generator matrix Q of CTMC shown in Fig. 4 as follows: qi,j =   λ/Nw j = i+ 1, Li ≤ NwK (arrival) µ j = i− 1, Li ≥ 1 (departure) γNw j = i− ⌈ i−1 Nw ⌉ − K(Nw−1) 2 (failure) δ j = i+NwK + 1 (repair) 0 other j 6= i − ∑m k=1 qi,k j = i, k 6= i (1) Where Li is the total number of packets in system when current state is labelled as i, and m is the size of matrix, which is given by: m = K N(N + 1) 2 + (N + 1) (2) In the failure case in Eqn. 1, j is determined by: j = ( i− 1− Nw−1∑ x=0 xK∑ z=0 1 ) −   ( i− 1− ∑Nw−1 x=0 ∑xK z=0 1 ) Nw  + ( 1 + Nw−2∑ x=0 xK∑ z=0 1 ) = [i− (Nw − 1)K − 1]−   ( i− 1− ∑Nw−1 x=0 ∑xK z=0 1 ) Nw   = i− ⌈ i− 1 Nw ⌉ − K(Nw − 1) 2 (3) Once we have determined the infinitesimal generator matrix Q, we can compute the stationary distrib- ution of the CTMC pi by: piQ = 0 (4) When a packet arrives, if the system is in state (0,0) or a state where (Nw,NwK), the packet is dropped since no service is possible. Therefore, the blocking probability can be calculated by: Pb = piB T where B = [1, B1, · · ·Bj · · ·BN ], and Bj = [0, · · · 0, 1]jK+1, j = 1, · · · , N (5) The average number of packets in the whole system can be calculated by: E[n] = pivT where v = [v0, v1, · · · vj · · · vN ], and vj = [0, 1, · · · jK], j = 0, · · · , N (6) According to Little’s law, the system response time can be determined by: E[T ] = E[n] λaccepted = E[n] λ(1− Pb) (7) D. Analytical Model for MIP survivability In this section, the survivability of MIP is analyzed. We use the same assumptions and notations as used for SIGMA in Sec. IV-B. In addition to the notations in Sec. IV-B, let λd be the arrival payload data traffic rate at HA, then λ = λu + λq + λa + λd. Two modes of MIP will be considered here: • single server mode: only one HA available for one network. Once failure happens, all service requests are blocked until the server repaired. • standby mode: there are multiple HAs available, one of which is the primary HA. Once the primary HA fails, one of the backup HAs will be switched in within time Tsw. During Tsw, all service requests are blocked. Both these two MIP modes can be modelled by a CMTC as shown in Fig. 5. At any time, there can only be at most one HA serving req