A Secure Relay-Assisted Handover Protocol For Proxy Mobile Ipv6 in 3Gpp Lte Systems

Wireless Pers Commun manuscript No.
(will be inserted by the editor)
A Secure Relay-Assisted Handover Protocol

for Proxy Mobile IPv6 in 3GPP LTE Systems
Yuh-Shyan Chen*, Tong-Ying Juang, Yao-Tsu Lin
the date of receipt and acceptance should be inserted later
Abstract The LTE (Long Term Evolution) technologies dened by 3GPP is the last step
toward the 4th generation (4G) of radio technologies designed to increase the capacity and
speed of mobile telephone networks. Mobility management for supporting seamless han-
dover is the key issue for the next generation wireless communication networks. The evolved
packet core (EPC) standard adopts the proxy mobile IPv6 protocol (PMIPv6) to provide
the mobility mechanisms. However, the PMIPv6 still suers the high hando delay and the
large packet lost. Our protocol provides a new secure handover protocol to reduce hando
delay and packet lost with the assistance of relay nodes over LTE networks. In this paper,
we consider the security issue when selecting relay nodes during the hando procedure. Dur-
ing the relay node discovery, we extend the access network discovery and selection function
(ANDSF) in 3GPP specications to help mobile station or UE to obtain the information
of relay nodes. With the aid of the relay nodes, the mobile station or UE performs the
pre-handover procedure, including the security operation and the proxy binding update to
signicantly reduce the handover latency and packet loss. The simulation results illustrate
that our proposed protocol actually achieves the performance improvements in the hando
delay time and the packet loss rate.
Keywords LTE mobility handover relay-assisted security
*Correspondence to: Yuh-Shyan Chen

Department of Computer Science and Information Engineering, National Taipei University, San-Shia, Taipei
237, Taiwan, R.O.C.
E-mail: [email protected]
Tong-Ying Juang
Department of Computer Science and Information Engineering, National Taipei University, San-Shia, Taipei
237, Taiwan, R.O.C.
Yao-Tsu Lin
Graduate Institute of Communications Engineering, National Taipei University, San-Shia, Taipei 237,
Taiwan, R.O.C.
Contract/grant sponsor: National Science Council of the Republic of China; contract/grant number:
NSC-97-2221-E-305-003-MY3 and NSC-98-2219-E-305-001
2 Yuh-Shyan Chen*, Tong-Ying Juang, Yao-Tsu Lin
1 Introduction
With the rapid growth of personal mobile communications, a mobile device with the user
equipment (UE) connected to the Internet for IP-based multimedia service is signicantly
increased. The LTE (Long Term Evolution) technologies dened by 3GPP is the last step
toward the 4th generation (4G) of radio technologies designed to increase the capacity and
speed of mobile telephone networks. The core network (CN) part of the evolution of the
LTE system is classied into the system architecture evolution (SAE) and the radio access
network (RAN). The main objective of RAN part is to increase the system capacity, the
transmission coverage, the throughput, and reduce the hando latency. The LTE system is
the IP based architecture, in which all radio control functions, such as handover control and
admission control, are enforcement in eNB. LTE system not need the central control entity.
User plane follows the same radio link standards, such as RLC/MAC in eNB.
When a mobile user is roaming between dierent base stations, called as eNodeB (eNB),
of LTE networks, UE needs to perform the handover protocol to keep the data connections.
Traditional handover protocol suers from high handover latency and large packet loss. Our
main objective is to develop a new hando protocol to reduce the handover latency and
improve the packet loss rate.
Fig. 1 illustrates the 3GPP long term evolution (LTE) architecture, which is dened by
3GPP [6]. The LTE is all-IP network architecture to provide higher bit rate, lower trans-
mission latency, and wider service coverage. The 3GPP LTE becomes a major competitive
3GPP connection technology to deal with the rapid development of IP data trac. When
the UMTS system currently builds in the world, the system performance and cost optimiza-
tion must take into account two issues [16]. The rst issue is to upgrade the existing UMTS
performance; for instance, HSDPA standard in 3GPP Release 5 and HSUPA standard in
3GPP Release 6. However, the maximum data rate is 14.4Mbps in downlink and 5.76Mbps
in uplink. Second issue is to develop the evolved radio interfaces, 3GPP dened evolved
UTRA and E-UTRAN, which are packet based network architecture. The main objective of
LTE is to achieve 100Mbps in downlink and 50Mbps in uplink. The evolution of LTE system
is the core network (CN) part. The CN is generally classied into the system architecture
evolution (SAE) and the radio access network (RAN). The most important of RAN is the
increased capacity, the better coverage, the high throughput, and the reduced latency. The
LTE has been introduced IP based architecture, all radio control functions, such as handover
control and admission control, etc., are enforced in eNB.
The main demand of the Evolved Packet Core (EPC) is to provide the IP-layer seamless
mobility, when a UE moves between dierent eNBs. In the EPC standard, proxy mobile
IPv6 based on the network-based mobility mechanism is used to provide mobility issue.
Two methods are dened in LTE EPC standard, known as network-based mobility proto-
col, proxy mobile IPv6 (PMIPv6) [12], and client-based mobility protocol, dual-stack mobile
IPv6 (DSMIPv6) [20] and mobile IPv4 (MIPv4) [19]. Therefore, this paper focus on discussed
how to improve the PMIPv6 handover in the LTE system. A network-based management
protocol, called PMIPv6, is network-based localized mobility management (NetLMM) from
the IETF working group. Unlike MIPv6, PMIPv6 allows controlling the network-based mo-
bility management on the behalf of MN. Therefore, PMIPv6 can remove some MN-related
signalings. However, network-based mobility management, such as PMIPv6, still suers from
the high packet loss and handover latency.
In this paper, we propose a secure relay-assisted handover, called RN PMIPv6, protocol
for proxy MIPv6 in 3GPP LTE networks. The proxy MIPv6 protocol [15] still suers from the
high hando delay and the large packet lost. Our protocol provides a new protocol to reduce
hando delay and packet lost with the assistance of relay nodes over LTE networks. The basic
A Secure Relay-Assisted Handover Protocol 3
UTRAN
3GPP IP access ISC
HSS Application
S-CSCF
Cx Server
GERAN
S6a
PCRF
S1-MME Mw
MME S4/S12 Cx
S11 S7 Rx
E-UTRAN S10 Serving-GW PDN-GW

(MAG) S5 (LMA) P-CSCF I-CSCF
S1-U Mw
SGi
S14
S2a/b
IM-MGW Other PDN
Access-GW/ePDG +
ANDSF
Non-3GPP IP access Diameter
Signaling
IMS Core
Fig. 1 The LTE architecture.
idea of the relay node performing the pre-handover procedure is already developed in [8][9]
for IEEE 802.11 networks and IEEE 802.16e systems, respectively. The design dierences of
these protocols are given in Table I. Unfortunately, none of them have considered the security
issue. In this paper, we specically consider the security issue when selecting relay nodes
during hando. During the relay node discovery, we extend the access network discovery
and selection function (ANDSF) in 3GPP specications to help mobile station or UE to
obtain the information of relay nodes. With the aid of the relay nodes, the mobile station
or UE performs the pre-handover procedure, including the security operation and the proxy
binding update to signicantly reduce the handover latency and packet loss. The simulation
results illustrate that our proposed protocol actually achieves the performance improvements
in the hando delay time and the packet loss rate.
The rest of this paper is organized as follows. Section 2 describes related works. Section
3 describes the system architecture and basic idea. The proposed protocol is presented
in section 4. Performance evaluation is discussed in section 5. Section 6 nally gives a
conclusion.
2 Related works
This section rst introduces IPv6-based mobility protocols, including MIPv6, PMIPv6, and
SPMIPv6 protocols. The PMIPv6 protocol in LTE system is then described in Section 2.2.
2.1 IPv6-based mobility protocol
Mobility management is the most important mechanism in the IP-based next generation
network environment. The MIPv6 [13] protocol necessary to exchange signaling messages
between a UE and the home agent (HA), in order to maintain correspondence between
the permanent IP address and temporary IP address. The client functionality of mobility
support must be provided to the UE in MIPv6 protocol. However, some results discuss
how to improve MIPv6-based handover scheme [18]. The recent advances in network-based
localized mobility management (NetLMM) have facilitated the realization of All-IP based
wireless networks. In addition, Proxy mobile IPv6 (PMIPv6) [14, 17] is a solution to support
the NetLMM, the network is utilized to perform the location update signalings.
The MIPv6 protocol [18] allows UE to maintain the communications from a correspond-
ing node (CN) to the UE. Each UE used the home address (HoA) to identify its location.
When the connection to the external network, UE may receive the router advertisement to
obtain external network prex and automatically congurations a care-of address (CoA).
After CoA congured, UE then performs the DAD procedure to ensure the unique of the
CoA. If CoA is available, the UE sends the location information to the CN and HA for the
location binding, and then packet tunnels to the new location.
The PMIPv6 protocol [14, 17] allows a UE to maintain the original IP address, which
means the new network has partially extracted by the address prex. The UE does not be
required to perform the IP address conguration if the network connection changes. The
PMIPv6 protocol dened the local mobility anchor (LMA) and the mobile access gateway
(MAG) [15]. All PMIPv6 domains of the mobility management functions are used by LMAs
and MAGs. When a UE moves and connect to the new MAG, the MAG must detect the
connection and initiates the required authentication and authorization procedures to connect
with the network for the IP session for UE. The local mobility anchor (LMA) is similar to the
home agent. The LMA is the topological anchor point, keeps the current UE location binding
information. The mobile access gateway (MAG) acts as a proxy agent and controls the
mobility signalings to LMA. MIPv6 protocol has ability to control the IP handover between
dierent based stations, large handover latency makes MIPv6 protocol cannot be fully used
in the real-time services; such as voice over IP (VoIP) application. The PMIPv6 protocol uses
the network-based mobility management actually reduces the signaling overhead, PMIPv6
protocol still suers the high handover latency and packet loss.
Lee et al. [17] proposed a fast handover for proxy mobile IPv6 based on 802.11 networks.
This scheme uses the conversion scheme by the context information from the previous MAG
to the new MAG by IAPP (Inter-Access Point Protocol) (authentication information, prole
information of UE). With the advanced conversion of the context information, this scheme
can reduce the hando delay.
Kang et al. [14] proposed a seamless handover scheme for proxy mobile IPv6, illustrated
in Fig. 2. This scheme uses the neighbor discovery (ND) messages in IPv6 to reduce the
handover latency. The ND message sends the MN-prole to neighboring MAGs before the
handover operation. This scheme can eliminate the MAGs obtained from policy store (PS)
of the MN-prole procedure when the UE needs handover. To prevent on-the-y packet loss,
this caused by the routing between previous LMA and MAG. A packet buering is needed
on the MAG and LMA to solve the problem of packet loss.
Chen et al. [8][9] recently proposed a cross-layer partner-assisted handover mechanism

based on HMIPv6, termed as P-HMIPv6 protocol. P-HMIPv6 protocol is a cross-layer, layer2
+ layer3, solution as show in Fig. 3. The basic idea of the partner node (PN) is to perform
the pre-hando procedure based on [8]. The UE can detect in advance the existence of the
nearby base station, and the layer 2 handover operation tries to invite a number of PNs.
Selected PN then pre-perform the duplicate address detection (DAD) procedure of new care-
of-address of UE, when the UE is in movement. P-HMIPv6 protocol signicantly reduces
the handover latency and packet loss.
Buffering
LMA
LMA Address (LMAA)
tunnel entry-point
Home Network
nel MNs Home Network
tun
MIP
PMIP tunnel
P
P-MAG
Buffering
Proxy Binding Update (PBU)
Control message sent by MAG to LMA
N-MAG to establish a binding between MN-HoA
and Proxy-CoA
Proxy Care of Address (Proxy-CoA)

The address of MAG
tunnel end-point
UE movement
MN-HNP MN Home Address (MN-HoA)

MN continues to use it as long as
it roams within a same domain
Fig. 2 Seamless proxy mobile IPv6.
2.2 Proxy mobile IPv6 protocol in LTE system
The 3GPP LTE standard may adopt the network-based and client-based mobility protocols.
Example of the network-based and client-based mobility protocols are proxy mobile IPv6
(PMIPv6) and MIPv6 protocols, respectively.
In the network-based mobility management, network detects whether a UE has moved
to another point of attachment, and provides the same IP address of the previously point
of attachment to the UE. Network components provide IP addresses to the UE, and control
the mobility anchor updating. Thus, these packets can successfully reach the new point of
attachment. In the client-based mobility management, a UE obtains a new local IP address
or care-of-address if the UE moves to a new point of attachment. Then, the UE updates
the address information to the home agent. Home agent maintains a binding between the
care-of-address and the home address of UE.
The LTE system introduces two functionality entities for supporting the PMIPv6 proto-
col, there are PDN gateway (P-GW) and Serving Gateway (S-GW). First, the PDN gateway
(P-GW) provides the access in dierent packet data networks (PDN). Through the address
space of the PDN, P-GW gives a UE an IP address, which is IPv4 address or IPv6 prex.
The P-GW is a mobility anchor point. The main role of P-GW is the management of IP
address and prex of UE, and also is a role of PMIPv6 LMA. Second, S-GW includes the
MAG functionality of PMIPv6 which is used for the IP mobility management. The S-GW is
also a role of layer 2 mobility anchor. The main function is to detect and control procedures
if a UE moves into the 3GPP access network. The 3GPP standard Release 8 [3] describes
the attachment of UE to EPC. The function of MAG is sending a proxy binding update
(PBU) to the LMA. Thus, the P-GW uses tunnel technique for the downlink packets of UE
to avoid the problem of packet loss. The P-GW provides an IP address/prexes in the proxy
Internet
CN
HA
GW
pMAP nMAP
AR1 AR2
BS PS BS
MS
BS BS
Fig. 3 Partner-assisted mechanism based on HMIPv6.
binding agent (PBA) to the UE. The P-GW uses Generic Routing Encapsulation (GRE)
key, and the S-GW also uses tunnel technique for the uplink packets of UE.
Traditional client-based mobility protocol suers the high signaling overhead. Although,
the network-based mobility protocol improves problem of the heavy signaling overhead. The
network-based mobility protocol, PMIPv6, still suers the high handover latency and packet
loss. Eorts made in this work is to develop a secure relay-assisted handover protocol for
PMIPv6 in 3GPP LTE Systems to signicantly improve the handover latency and packet
loss. One main contribution of this work is to develop a new relay-assisted handover protocol
with consideration of the security for PMIPv6 in 3GPP LTE Systems.
3 Preliminary
This section initially describes the handover procedure dened in 3GPP LTE [7]. The system
architecture and the challenge are then explained. The basic idea is nally introduced.
3.1 Mobility in 3GPP LTE system
The mobility management of the 3GPP LTE standard has been dened in [7]. The control
plane handling during the E-UTRAN mobility activity for UEs is done by the handover
preparation signaling which is a part of the handover command to the target eNB, as follows.
The preparation work of handover is that source eNB sends all necessary information; for
instance, RRC (radio resource control context information; to the target eNB. Source eNB
and UE retain some context; for instance, C-RNTI (cell radio network temporary identier)
information. The UE connects to target cell by the random access channel (RACH) by a ded-
icated contention-free procedure using the RACH preamble or dedicated contention-based
procedure if RACH preamble cannot be used. The UE uses the dedicate RACH preamble
until the handover procedure is initiated. If the target cell in the RACH procedure is not
Internet IMS
Server
IPsec
SGi S14
ANDSF
S5 l PM
ne IP S8
tun P-GW1 tun
IP nel
PM
MME1/S-GW1 (LMA) MME2/S-GW2
KNASenc
(MAG) HPLMN VPLMN (MAG)
S6a S6a
[da
[d
ata
ta ]
KN
]K
HSS/AuC AS
N
e nc S1
A
S1
Se
S1 _N
nc
EW
_O
LD
X2 X2
KRRCenc EW
[da
_N
nc
Se
eNB2
ta]
A eNB3
eNB1 a]K
KA
t
KASenc=KUPenc+KRRCenc [da
Se
nc_O
LD
UE1 [data]KRelay-enc
UE2/RN1
P-GW: PDN Gateway LMA: Local Mobility Anchor MME: Mobile Management Entity AuC: Authentication Center HPLMN: Home Public Land Mobile Network
S-GW: Serving Gateway MAG: Mobile Access Gateway HSS: Home Subscriber Server RN: Relay Node VPLMN: Visit Public Land Mobile Network
Fig. 4 System architecture.
successful, the UE begins to select the best cell from the radio link recovery. In the handover
procedure, the header compression (ROHC) context exchange is not robust. It is noted
that handover procedure not negotiate with EPC, and the preparation messages directly
exchanged between eNBs.
The user plane handling during the E-UTRAN mobility activity for UEs is to avoid the
data loss during handover. When the handover preparation is done, the user plane tunnel is
built between the source eNB and the target eNB. The establishment of tunnels is used to
transmit uplink and downlink data. When the handover execution, user data is re-forward
from the source eNB to the target eNB. When the handover completion, the target eNB
sends and informs to the MME a path switch message to perform the path switch. The
MME sends a user plane update request message to the serving gateway, thus the path of
user-plane from the serving gateway is switched to the target eNB.
3.2 System architecture
The system architecture of our scheme is illustrated in Fig. 4, where is the 3GPP LTE
system environment. In this study, network-based mobility protocol, proxy mobile IPv6, is
considered as the mobility management in the 3GPP LTE systems. A little portion of the
components of LTE system needs to increase its functionality. When a UE with the weak
signal strength received from the serving eNB to enable the handover procedure, but still
not reach to the coverage of neighbor eNB. The UE tries to nd out some UEs located at
the coverage of neighbor eNB. Such UEs is called as relay node (RN). The functionality of
S14
3GPP IP Access or
UE ANDSF+
Trusted/Untrusted
Non-3GPP IP Access
Fig. 5 Access network discovery and selection function+ .
the RN is to help the UE to perform the pre-hando procedure and to reduce the hando
latency. The formal denition of RN is given.
Denition 1: Relay Node (RN): Given a UE located at serving eNB, all possible neighbor
UEs of the UE located at the coverage of neighboring eNB are called as relay nodes or
RNs of the UE, where the UE can directly communicate with all relay nodes (RNs).
The main function of the RN is to assist the UE to pre-perform the partial handover
procedures which is defined in the 3GPP LTE Intra E-UTRAN mobility.
If a UE needs the assistance from a RN, the rst task for the US is to search for useful
RNs. This task is called as the RN discovery. The main goal of the RN discovery is to nd the
best RN for the UE. The 3GPP LTE specications introduces the access network discovery
and selection function (ANDSF) [4], illustrated in Fig. 5. The main function of ANDSF is to
search for the suitable neighbor access networks. Our RN discovery is utilized the ANDSF
and add additional information table in the ANDSF to be ANDSF+ . The formal denition
of ANDSF+ is given as follow.
Denition 2: ANDSF+ : Given an access network discovery and selection function (ANDSF)
[4]. The ANDSF + is an ANDSF and appended additional information table into the
ANDSF. The main function of ANDSF + is used for a UE to execute the relay node
discovery.
A UE who wants to become a RN needs to satisfy the following conditions:
The RSSI of the eNB downlink to the UE must less than RSSIthreshold to ensure that
the UE is nearly in boundary of the neighbor eNBs coverage.
The UE is stable.
The UE belongs to dierent eNBs.
The UE supports the ad hoc communication capability.
The UE provides the location information.
A RN is near to the edge of the coverage of serving eNB, because the major function
of RN is viewed as an extension coverage to the next eNB to assist the UE to pre-perform
the handover procedure. The second condition is that the RN must be stable, not moving
rapidly. This ensures the selected RN can be stable for a long period of time. The third
condition is that the RN is belong to the dierent eNB domain. The last one is that the
RNs must support the ad hoc communication with the UE. In addition, Fig. 6 also gives the
protocol stack. This gure shows that our protocol stack is modied from the 3GPP LTE
specications. Ad hoc communication interface between the UE and RN is also illustrated
in the protocol stack.
Application
IP IP IP IP
Relay Relay
Tunnelling
PDCP PDCP PDCP GTP-U GTP-U Tunnelling
Layer
Layer
IPv4/IPv6
RLC RLC RLC UDP/IP UDP/IP IPv4/IPv6 IPv4/IPv6
MAC MAC MAC L2 L2 L2 L2 L2
L1 L1 L1 L1 L1 L1 L1 L1
WiFi LTE-Uu S1-U S5/S8 SGi

UE Relay UE eNB Serving GW PDN GW CSCF
Fig. 6 The LTE protocol stack.
Fig. 7 The LTE key hierarchy.
3.3 Motivation and basic idea
This work mainly improves the results from [8][9]. There are partner-based hando proto-
cols in IEEE 802.11 [8] and IEEE 802.16 [9], respectively. In [8], Chen et al. proposed a
cross-layer partner-based fast hando mechanism for IEEE 802.11 wireless networks. In [9],
Chen et al. proposed a cross-layer partner-assisted hando scheme for hierarchical mobile
IPv6 in IEEE 802.16e systems. Unfortunately, these two partner-based hando protocols do
Table I: The comparison of existing results with our approach.

Schemes P HMIPv6 in 802.11 [8] P HMIPv6 in 802.16e [9] RN PMIPv6
network model IEEE 802.11 system IEEE 802.16e system 3GPP LTE system
mobility protocol hierarchical mobile IPv6 hierarchical mobile IPv6 proxy mobile IPv6
mobility management client-based client-based network-based
pre-handover process DAD DAD security and PBU
security no no yes
not consider the security issue. Therefore, it is not guarantee the reliable and safety data
transmission if the protocol design not further consider the security issue. This is because
that the data transmission is done through possible non-reliable and no-safety relay nodes.
The main motivation of this work is to consider the security issue to develop a secure realy-
assisted hando protocol. Two contributions of this work is developed; (1) one is to develop
a new network-based mobility protocol with the assistance of relay node in LTE systems, (2)
another one is that a security scheme is investigated for the communication between UE and
RN. Fig. 7 gives the LTE key hierarchy. In this work, Because of add RN in this protocol,
we modied specications to enhance the secure communication between UE and RN. The
usage of RN is execute the partial handover procedures for UE before the UE entering the
coverage of the target eNB. This idea mainly comes from result from [8][9]. The comparison
of existing results with our new approach is given in Table I.
The basic idea is stated as follows. The goal of RN is to assist UE to pre-execute par-
tial handover procedures before the UE entering the target eNB coverage of a new public
land mobile network (PLMN) domain. In the 3GPP LTE standard [2], UE handover proce-
dures is divided into two modes; there are X2-based (intra-domain handover) and S1-based
(inter-domain handover) handover procedures. The standard handover process is divided
into three phases; (1) handover preparation, (2) handover execution, and (3) handover com-
pletion. Initially, the handover execution phase contains some important security operations.
The security operation includes that a target eNB not only performs the encryption and de-
cryption algorithms, but also check the new authentication key. The security operation is
to ensure the safely handover procedure to the target eNB. The handover completion phase
performs the operations of proxy binding update (PBU) and proxy binding acknowledge-
ment (PBA). The PMIPv6 tunnel between eNB and serving gateway (S-GW) achieves the
network-based mobility. The handover latency and packet loss caused during the handover
procedure. Eorts will be made to develop a security RN-based procedure of the PMIPv6
binding procedure.
4 Secure relay-assisted handover protocol for PMIPv6
The secure relay-assisted handover protocol for PMIPv6 in 3GPP LTE systems is split into
relay node discovery phase, secure communication phase, secure relay-assisted handover
phase, as follows.
Relay node discovery phase is to discover RNs by the UE. Because of the RN coverage
extension of the neighbor eNBs, the UE detects and identies the existence of all possible
RNs located at neighbor eNBs before entering the transmission range of next eNB by
negotiating with ANDSF+ . With the assistance of the RN, the UE pre-perform partial
layer 3 hando procedures before the UE entering into the transmission range of target
eNB.
Internet IMS UE Infomation

Server NAME eNB RSSI stable Ad hoc Location
SSID Info.
SGi S14 UE1 1 > RSSIth No none EN
Info.
2 < RSSIth Yes RN1 E Info.

UE2
ANDSF N
E Info.
UE3 2 < RSSIth Yes RN2 N
S5 S8 UE4 3 < RSSIth Yes RN3 E Info.
P-GW1 N
(MAG) (MAG)
HPLMN VPLMN
S6a S6a
Reg Node
Rel gister
ister
Re
ay N
S1 S1
y
Rela S1 HSS/AuC
ode
S1
Rel
X2
ay N
UE3/RN2
ode
eNB1 eNB2
Reg
UE1
iste
r
X2
X2
UE2/RN1
UE4/RN3
eNB3
RSSIth
Fig. 8 The relay node registers to ANDSF+ .
Secure handover phase establishes a security mechanism to provide the secure commu-
nication between UE and RN during the handover.
Secure relay-assisted handover phase provides a complete relay-assisted handover proto-
col with security for PMIPv6.
action
To explain the secure operation of the relay-assisted handover protocol, let X = Y
denote that X executes a communication action to Y , where X and Y ={UE, RN, ANDSF,
CN, source eNB, source MME, target eNB, target MME} and communication action =
{forward, register, negotiation, request, response}. The detailed operations are described as
follows.
4.1 Relay node discovery phase
The main task of this phase is to discover the relay node when UE needs to handover to
the target eNB. A relay discovery scenario is given in Fig. 8. The operation of relay node
discovery is given.
Internet IMS
Server
SGi S14
ANDSF
S5 S8
P-GW1
(MAG) (MAG)
HPLMN VPLMN
S6a S6a
Req Info.
uest
S1 S1
y
Rela
HSS/AuC
X2
UE3/RN2
eNB1 eNB2
UE1
Relay Infomation
X2
X2
NAME eNB Ad hoc

SSID UE2/RN1
UE2 2 RN1
UE3 2 RN2
UE4 3 RN3 UE4/RN3
eNB3
RSSIth
Fig. 9 The UE requests relay node information.
register
S1: UE = ANDSF+ : Before the UE inquiring the RN information from ANDSF+ ,
each UE registers its information to ANDSF+ . These information includes UE name,
eNB information, RSSI strength, mobility information, ad hoc or infrastructure modes,
and the location information. These information stores in the table of the ANDSF+
database, as illustrated in Fig. 8.
query
S2: UE = ANDSF+ : The UE inquiries the RN information from ANDSF+ . The UE
sends a request message to ANDSF+ . When the UE not reach to coverage of all possible
target eNB. Observe that, now UE still not determine the nal target eNB. Logically,
the usage of RN is to extend to the coverage area of target eNB, as illustrated in Fig.
9. The UE sends a request to ANDSF+ , and received RN information from ANDSF+ .
By the location information of RNs, the UE discovers the closest RN as the candidate
of RN.
negotiation
S3: UE = RN : When the UE obtained the candidate of RN, the UE has to decide
target eNB. After determining the nal target eNB, the UE selects one best RN from
Internet IMS
Server
SGi S14
ANDSF
S5 S8
P-GW1
(MAG) (MAG)
HPLMN VPLMN
S6a S6a
S1 S1
HSS/AuC
X2
eNB1 R eNB2
neg elay
otia
tion
UE1
Relay Infomation
X2
X2
NAME eNB Ad hoc

SSID UE2/RN1
UE2 2 RN1
UE3 2 RN2
UE4 3 RN3 UE4/RN3
eNB3
RSSIth
Fig. 10 The UE negotiates with relay nodes.
many RN candidates, by the signal strength, in the nal target eNB domain. Then,
the authentication mechanism is performed to improve the security of the UE-to-RN
connection.
Example can be seen in Fig. 10, UE2 is a RN (RN1 ) of UE1 if the target eNB is eNB2
and UE4 is a RN (RN3 ) of UE1 if the target eNB is eNB3 .
4.2 Secure handover phase
This subsection aims to establish a security mechanism to provide the secure communication
between UE and RN during the handover.
Before describing the security mechanism with consideration of relay nodes, a secure
handover procedure, including authentication key and encryption key, is investigated as
follows. Through the key exchange procedure, the authentication operation is done during
UE Source Target
Source eNB Target eNB MME MME
Measurement report
HO decision
1. Derive KeNB* from KeNB 3.HO request (KeNB*) +

2. HO request (KeNB*) NAS keys, KASME,
COUNT,
1a. Derive new KeNB*+ from KeNB*
4. HO request (KeNB*+) + Allowed RRC/UP algorithms

Select C-RNTI and
RRC/UP algorithm
5. HO response (C-RNTI, selected RRC/UP algorithms)
2. Derive new KeNB from KeNB*+, and C-RNTI
3. Derive RRC/UP keys from new KeNB
6. HO response (C-
RNTI, selected RRC/UP
6. HO request ack (C-RNTI, selected RRC/UP algorithms) + selected
7. HO command (C-RNTI, algorithms) + selected NAS algorithms NAS Algorithms
selected RRC/UP
algorithms) + selected NAS
Algorithms
1. Derive KeNB* from KeNB
1a. Depending on notification derive KeNB*+
2. Derive new KeNB from KeNB*+ and C-RNTI
3. Derive RRC/UP keys from new KeNB
8. HO confirm
9. HO complete
10. HO complete ack
11. Release Request
Fig. 11 Message flow of the secure LTE handover protocol.
the handover. With the authentication key and encryption key, the UE can safely transmit
data to the target eNB. Fig. 11 [6] shows the detailed message ow of the LTE handover
procedure with security. The detailed steps are described as follows.
S1: When a source eNB initiates a handover procedure. The source eNB creates an authen-
tication key. Source eNB calculates a hash function over the current KeN B and cell ID
of target eNB to have KeN B .
request
S2: Source eNB = source MME : The KeN B is sent by source eNB through the han-
dover request message to the source MME.
request
S3: Source MME = target MME : Source MME sends KeN B and related security in-
formation of MME (KN AS , COUNT, KASME ) by the handover request message.
request
S4: Target MME = target eNB : Target MME uses KeN B and KASME to calculate
KeN B+ , from the denition of generated key deviation function [5]. Target MME adds
KeN B+ and the information of RRC/UP algorithm in handover request message and
then is transmitted to the target eNB.
response
S5: Target eNB = target MME : Target eNB selects a target MME permitted by the
selected RRC/UP algorithm. Target eNB returns the handover response to the target
MME. The handover response message contains new C-RNTI and selected RRC/UP
algorithm. Target eNB uses C-RNTI and KeN B+ to compute a new KeN B , by the key
deviation function [5].
Internet IMS
Server
IPsec SGi
S14
ANDSF
S5 nel PM S8
IP
tun P-GW1 tun
M IP nel
P
(MAG) (MAG)
HPLMN VPLMN
S1 S1 KeNB*+ KeNB*
[dat
S6a S6a
_OL
HO request HO response
Senc
a]K
KeNB*+KNAS ]KNA
C-RNTI+ KAS+ KNAS
NA
HSS/AuC
Se n
[data
c_N
EW
X2
KeNB* KeNB
[da KNAS: KNASint, KNASenc
eNB1 ta] _N
EW eNB2
K AS Se
nc
KAS: KASint, KASenc
KA
ta]
en
c_
[da
OL
D
KASenc=KUPenc+KRRCenc
UE1
1. KeNB*+ KeNB* KeNB
2. New KeNB KeNB*+ and C-RNTI
3. KAS new KeNB
Fig. 12 The LTE handover procedure with security.
response
S6: Target MME = source eNB : Target MME sends the handover response back to
the source MME and the source eNB. The handover response information contains the
selected C-RNTI and the MME safety information (NAS-MAC).
HOcommand
S7: Source eNB = UE : Source eNB receives the handover response message, the
handover command message then is transmitted to the UE, it contains a C-RNTI, the
target domain of the NAS, and AS new safety information. The UE uses the information
from handover command message to generate KeN B+ . The UE uses KeN B+ and C-RNTI
to produce the target domain KeN B . After having the target domain KeN B , then we can
have KRRCenc , KRRCint ,and KUP enc .
HOconf irm
S8: UE = target eNB : The UE sends the handover conrm message and new RRC
key to the target eNB if the handover is completed.
Fig. 12 shows an example of the LTE handover procedure with security. The source
eNB initially knows the UE into the cell boundary region. The UE initiates the handover
procedure. Fig. 12 shows the data transmission of encryption key, the usage of encryption
between source eNB, source MME, target eNB, and target MME. Fig. 12 mainly shows how
to have the keys of KAS and KN AS , where KAS is used for many communication protocol,
such as the radio resource control (RRC) and the packet data convergence protocol (PDCP).
The KN AS is mainly used for the communication service link set up protocol, mobility
UE Relay Node
Source eNB Source Target Target eNB
1. Derive KRelay from MME MME
KeNB and Relay SSID
Derive KeNB* from KeNB
2. Relay request (KRelay)+Relay
encryption algorithm 2. Relay request (K eNB*, KRelay)+NAS keys+Relay encryption algorithm
Select C-RNTI and
RRC/UP algorithm
2. Relay request (KRelay)Relay
encryption algorithm
3. Derive KRelay enc from
KRelay and C-RNTI and
Relay encryption
algorithm
4. Relay response (C-RNTI)
4. Relay response (C-RNTI, selected RRC/UP algorithms) + selected NAS algorithms)
5-1. KRelay enc C-RNTI, create
connection
5-2. KeNB*+ KeNB* KeNB
5-3. New KeNB KeNB*+ and C-RNTI
5-4. KAS_RN new KeNB
5-5. KNAS_RN NAS_MAC
Fig. 13 The message flow of a secure relay-assisted handover protocol.
management (MM), and GPRS mobility management (GMM). The source eNB generates a
key KeN B which is used for the certication.
In the following, the detailed operations of security of handover procedure by adding the
relay node (RN) is presented. Fig 13 illustrates the message ow of the security of handover
procedure with the relay node (RN). It is observed that two new security keys, KRelay and
KRelay enc , are generated to guarantee the secure communication for the relay nodes.
S1: The UE generates KeN B and simultaneously performs the relay node discovery to nd
SSID of RN to obtain an authentication key, KRelay , to verify with the selected RN.
request
S2: UE = RN : After the UE obtaining KRelay , the information of KRelay and en-
cryption algorithms used by the RN are added into the relay request message, and the
relay request message is sent through the LTE core network to the target eNB. Target
MME appends KeN B+ and the information of RRC/UP algorithm into the handover
request message, and then sent to the target eNB. The target eNB selects the permitted
RRC/UP algorithm from the handover request message.
S3: When a RN receives KRelay and encryption algorithm from the relay request mes-
sage. The RN uses the received information and C-RNTI of target eNB to re-produce
KRelay enc . This is used the data encryption key between the UE and RN.
response
S4: RN = UE : The RN reply relay response message, which contains the C-RNTI of
target cell information, to the UE.
S5: The UE receives the relay response message and produced KRelay enc by the received
C-RNTI information. Then, the UE and the RN have two keys, KRelay and KRelay enc .
Establish a connection using these two keys for the secure communication. Then, UE
uses the information of relay response message to generate KeN B+ , and then use KeN B+
and C-RNTI to generate KeN B . Finally, the UE keeps KeN B , KRRCenc , KRRCint , and
KUP enc .
Internet IMS
Server
IPsec SGi
S14
ANDSF
S5 PM S8
el IP
unn P-GW1 tun
I Pt nel
PM (LMA)
MME1/S-GW1 MME2/S-GW2
(MAG) (MAG)
HPLMN VPLMN
S1 S1
2. Relay Request S6a S6a 4. Relay Response
[dat
U
enc_
KRelay+KeNB*+KNAS+Relay C-RNTI+ KAS+ KNAS
a]K
encryption algorithm
S
]KNA
HSS/AuC
NAS
[data
enc_
RN
KeNB* KeNB X2
[da
ta]
eNB1 _ RN eNB2
enc
K
AS
AS
K
ta] KNAS: KNASint, KNASenc
e
[da
nc_
KAS: KASint, KASenc

UE
KASenc_RN=KUPenc+KRRCenc
5-1.KRelay enc C-RNTI, create UE2/RN1
connection n c
y-e
5-2. KeNB*+ KeNB* KeNB ela 3.KRelay- enc (KRelay , C-RNTI,
UE1 ta]
KR
[da
5-3. New KeNB KeNB*+ and C-RNTI Relay encryption algorithm)
5-4. KAS_NEW new KeNB
1. KRelay (KeNB ,
5-5. KNAS_NEW NAS_MAC
Relay SSID)
Fig. 14 The relay-assisted handover operation with security.
Example is given in Fig 14 for a scenario of relay-assisted handover with consideration of

security. When a UE obtains relay discovery information by the ANDSF+ . The UE generates
an authentication key by KDF. The UE determines a key encryption algorithm and adds this
information into the relay request message. The relay request message sends to the source
eNB, MME, target MME, eNB, and RN. When the RN receives the relay request message, it
can completes the successful authentication procedure. The RN returns the request response
message back to UE. The UE identies the relay response message to complete the RN
authentication process. Thus, the UE can use the security information to establish the safe
ad hoc connection with RN. In the handover period, the UE simultaneously obtains the
authentication key and information of AS and NAS encryption algorithms. After through
the security procedure above mentioned, the UE can obtain security keys and establish of
secure connection by adding two security keys, KRelay and KRelay enc , where KRelay used
in the authentication to ensure that the RN is not a malicious node, and KRelay enc used in
verication, ensure between the UE and RN data validity and usability.
4.3 Secure relay-assisted handover phase
This subsection describes the secure relay-assisted hando protocol for PMIPv6. The main
contribution of the proposed scheme is to improve the hando latency and packet loss with
UE Source eNB Target eNB

Source Target Source Target P-GW HSS CN
MME MME S-GW S-GW CSCF
Radio and Access Bearer PMIP tunnel IP connectivity
Relay Node
Discovery
UE decide to
attach target eNB
and selected RN Relay Nde
UE and RN perform security operation and create temp connection

L2/L3 attach trigger
Handover Request
Handover Preparation
Path Switch Request
Update Bearer Request
Getway control Session Establishment
PBU
PBA
Update Bearer Response
Path Switch Response
Radio and Access Bearer PMIP tunnel

IP connectivity
Handover Command
Handover Command
Handover execution
Detach from old cell and synchronize Handover Completion

to new cell
Handover Confirm
Handover
Path Switch Request

delay

Path Switch Response Update Bearer Response
Radio and Access Bearer PMIP tunnel

IP connectivity
Tracking Area Update Procedure
UE Context Release Command
UE Context Release Complete
Delete Bearer Request
Delete Bearer Response
Fig. 15 The message flow of relay-assisted handover with security for PMIPv6.
the assistance of RN. If a UE cannot nd out any RN, our scheme can automatically switches
to default LTE hando procedure to ensure that the UE can successfully perform the secure
handover operation. The message ow of the secure relay-assisted handover procedure is
given in Fig. 15. The detailed steps are also given below.
action
S1: UE = ANDSF+ : The relay node discovery phase is performed and described in Sec-
tion 4.1. The UE obtains a list of the RN candidates. The UE chooses a RN belongs to
target eNB, and nally selects the best RN from the RN candidates.
action
S2: UE = RN : The secure handover phase is performed and introduced in Section 4.2.
When a UE selects the RN for the pre-handover, the UE must establish a secure UE-RN
connection.
action
S3: Source eNB = target S-GW : The step is the handover preparation. The source
eNB sends the handover request to source MME. The source eNB sets bearers of data
forwarding. The target MME forward the handover request message to target eNB.
This message creates the UE context information by the used target eNB, including
information of bearers. Observe that, step 2 pre-executes the secure process to reduce
the handover preparation time.
P BU
S4: Target eNB = P-GW : The step is the pre-handover procedure. The UE has the
assistance from RN. The UE performs pre-handover procedure. The target eNB sends
path switch request message to target MME. The target MME sends update bearer request
message to serving gateway. Then serving gateway sends proxy binding update message
Table II: System parameters.

Variable Description
BWwire LT E Bandwidth of the wire link
Lwire LT E Latency of the wire link
Sctr Average size of the control message
DL2 The time of layer 2 handover delay
DHO Security The time of perform LTE handover processing with security
tRN The time of the RN performing the pre-handover procedure
tU E S GW The time of the delay for transmission between UE and S-GW
tS GW P GW The time of the delay for transmission between P-GW and S-GW
tP BU The time of Proxy Binding Update delay
tD internet The time of average delay of that a packet traveling in the Internet
tLM A OP The time of LTE execution request
tacq prof ile The time of acquire MN profile in SPMIPv6
U The average cost of proxy binding update to LMA
L The cost for connection between nMAG and pMAG in SPMIPv6
R The cost for relay node discovery of pre-handover
S The cost for security operation of EPC
to PDN gateway. The PDN gateway prior switches path to target domain. Secure data
trac goes though RN to UE.
handover
S5: UE = target MME : The step is the handover execution. The source MME sends
a handover command message to the source eNB. This step ensures that the handover
preparation is executed. The source sends a command to inform UE to start layer 2
handover procedure.
switch
S6: UE = PDN Gateway : The step is the handover completion. With the assistance of
RN, the handover procedure is pre-executed. When UE knows that the layer 2 handover
procedure is nished, the UE sends path switch request message to the serving gateway.
The serving gateway switches path to UE.
T AU
S7: UE = HSS : The step is the tracking area update procedure. The target MME knows
that the handover procedure has been executed, the source eNB releases resource of the
UE and responds context release complete message.
5 Performance evaluation
In this section, the mathematical analysis and simulation results are described.
5.1 Mathematical analysis
The handover latency, packet loss, location update cost of our proposed scheme are analyzed.
The variables and notations followed the system parameters dened from [8][21], and given
in Table II.
5.1.1 Handover latency
Let DL2 denote as the layer-2 handover latency, let DLT E OP be the execution delay of the
LTE handover preparation procedure, including bearer setup procedure and location update
procedure. The handover latency of PMIPv6, THO,P MIP , is derived as follow.
THO,P MIP = DL2 + DL3 + DHO Security

= DL2 + tP BU + 4tUE S GW + DHO Security , (1)
where DL3 is layer-3 handover delay latency, including the delay time of the proxy
binding update and time cost of packet transmissions between UE and serving gateway. In
addition, DHO Security is the processing time of LTE handing with security procedure during
handover. The tP BU is
tP BU = 2tS GW P GW + tLMA OP ,
(2)
where tS GW P GW is the delay time for packet transmission between serving gateway
and PDN gateway, and tLMA OP is the proxy binding update request time for LMA. The
tS GW P GW is
tS GW P GW = n ( BWwire
Sctr
+ Lwire LT E ) + tD internet ,
LT E (3)
where Sctr is the average size of the control message, BWw LT E is the bandwidth of
wired link, Lw LT E is the latency of wired link, tD internet is the average delay of a packet
traveling in Internet. The handover of PMIPv6 is
THO,P MIP = DL2 + tP BU + 4tUE S GW + DHO Security

Sctr
= DL2 + 2n ( + Lwire LT E ) + tD internet (4)
BWwire LT E
+ tLMA OP + 4tUE S GW + DHO Security
The seamless PMIPv6 handover latency, THO,SMIP , is derived as follow.
THO,SP MIP = DL2 + DL3 + DHO Security

= DL2 + tP BU tacq prof ile + 4tUE S GW + DHO Security
Sctr
BWwire LT E
+ tLMA OP tacq prof ile + 4tUE S GW + DHO Security
It is observed that the usage of RN to perform the pre-handover procedure to eliminate

tRN OP as follow.
tRN OP = DL2 + tP BU + DHO Security

Sctr
= DL2 + 2n ( + Lwire LT E ) (6)
BWwire LT E
+ tD internet + tLMA OP + DHO Security
Consequently, the handover latency of proposed protocol, THO,RN P MIP , is derived as

follow.
THO,RN P MIP = DL2 + DL3 + DHO Security tRN OP

= 4tUE S GW (7)
Let t1 be the time dierence between THO,P MIP and THO,RN P MIP .
t1 = THO,P MIP THO,RN P MIP

= DL2 + tP BU + DHO Security
Sctr
= DL2 + 2n ( + Lwire LT E ) (8)
BWwire LT E
+ tD internet + tLMA OP + DHO Security
Observed that t1 > 0 illustrates that the handover latency of RN PMIPv6 is better
than PMIPv6. Let t2 be the time of dierence between THO,SP MIP and THO,RN P MIP .
t2 = THO,SP MIP THO,RN P MIP

= DL2 + tP BU + DHO Security + DHO Security tacq prof ile
Sctr
BWwire LT E
+ tLMA OP + DHO Security tacq prof ile
Observed that t2 > 0 illustrates that the handover latency of the RN PMIPv6 is better
than that of seamless PMIPv6.
5.1.2 Packet loss
Let p be the packet arrival rate [21], where be the Poisson random variable. The number
of packet loss is counted under the packet lost is exponentially distribution. The number of
lost packet during handover of is
LHO,P MIP = p (THO,P MIP tUE S GW )

Sctr
= p (DL2 + 2n ( + Lwire LT E ) + tD internet (10)
BWwire LT E
+ tLMA OP + 4tUE S GW + DHO Security tUE S GW )
The seamless PMIPv6 protocol utilizes the buering scheme. Let Buf f erMAG,LMA de-
note the packet buer size of LMA and MAG. The number of lost packet during handover
of seamless PMIPv6 is
LHO,SP MIP = p (THO,SP MIP tUE S GW ) Buf f erMAG,LMA

Sctr
= p (DL2 + 2n ( + Lwire LT E )
BWwire LT E
+ tD internet + tLMA OP tacq prof ile + 4tUE S GW (11)
+ DHO Security tUE S GW ) Buf f erMAG,LMA
Our scheme adopts the RN to perform the pre-handover procedure. The number of lost
packet during handover of our scheme is
LHO,RN P MIP = p (THO,RN P MIP tUE S GW )

= p (4tUE S GW tUE S GW ) (12)
5.1.3 Location update cost
The system parameters are followed the similar denitions from [21]. Let is the UE call
to mobility ratio, = p/t, where p denotes the call arrival rate. The mean stay time
of UE in a cell is 1/t second. Let CU be the average cost of location update to the LMA.
The cost is the delay of the signaling messages, including the transmission and propagation
delay. Let CS be the cost of security procedure during a UE moves from one serving eNB to
target eNB. Let CL be the cost of establishing a direct connection between serving MAG and
target MAG in the seamless PMIPv6 protocol. Let (i) be the probability of a UE moving
i steps between two consecutive packet arrivals, where (i) is the exponential distribution.
The probability density function is dened as f (x) = ex . The location update cost of
PMIPv6 is

CU + CS
CP MIP = i(CU + CS )(i) =
i=0

The seamless PMIPv6 protocol reduces the packet lost by forwarding the packets from
serving MAG to the target MAG, and from LMA to the target MAG. There is additional
signaling cost to establish a direct connection between the serving MAG and the target
MAG. The location update cost of seamless PMIPv6 protocol is

CU + CL + CS
CSP MIP = i(CU + CL + CS )(i) =
i=0

Our proposed protocol needs more control packets for handling with the RNs to consider
the security issue. The location update cost of our proposed protocol is

CU + CR + 2CS
CRN P MIP = i(CU + CR + 2CS )(i) =
i=0

5.2 Simulation results
To evaluate the relay-assisted PMIPv6 (denoted as RN PMIPv6) PMIPv6 [12], seamless

PMIPv6 (denoted as SPMIPv6) [14] protocols in 3GPP LTE systems, all of these protocols
are mainly implemented using the network simulator-2 (ns-2) [1] with PMIPv6 module [10]
and eurane module [11]. Observe that the eurane module is the HSDPA module, and we
modify eurane module to simulate the 3GPP LTE environment in our simulation. Fig. 16
shows the simulation scenario for the handover. To simplify the scenario, each eNB is also
the mobility access gateway. The transmission range and the link bandwidth of all eNB
CN
P-GW
(LMA)
MME/S-GW MME/S-GW MME/S-GW MME/S-GW

(MAG) (MAG) (MAG) (MAG)
eNB RN eNB RN eNB RN eNB
UE
Fig. 16 The simulation scenario for the handover.
are assumed to be 50km and 100 Mbps. A cbr (udp) trac application between CN to UE
is 0.01 second intervals in our simulation. In addition, a snier program was developed to
estimate the hando delay times for all implemented protocols. The performance metrics to
be observed are:
Handover latency (HL): The handover latency is the delay time from a UE disconnects
the serving eNB, then re-connects to the target eNB, and to receive data packet from
CN through target eNB.
Packet loss (HL): The packet loss counts from the UE disconnecting to serving eNB to
receiving new packets from the target eNB.
Handover jitter (HJ): The handover jitter is the jitter that counts during the handover
time. Assumed that three consecutive packets, Pi2 , Pi1 and Pi are received by UE.
Let Ti2 , Ti1 and Ti denote the time to receive packets Pi2 , Pi1 and Pi . Therefore,
handover jitter is HJj2 = (Ti Ti1 ) (Ti1 Ti2 ) = Ti 2Ti1 + Ti2 .
Location update cost (LUC): The location update cost is the total number of signal
messages for a UE roaming from the serving eNB to the target eNB.
It is worth mentioning that an ecient secure hando protocol in LTE networks is

achieved with a low handover latency, low packet loss, low handover jitter, and low location
update cost. In the following, we illustrate our simulation results for handover latency, packet
loss, handover jitter, and location update cost from several aspects.
5.2.1 Handover latency (HL)
Before describing the simulation results of handover latency, we give the simulation results of
the sequence number below. Fig. 17 illustrates the simulation results of the sequence number
vs time for PMIPv6, SPMIPv6 and RN PMIPv6, protocols. Fig. 17 shows the simulation
100
PMIPv6
90 SPMIPv6
RN_PMIPv6
80
70
Sequence number
60
End handover of RN_PMIPv6
50
Start handover
40
30
End handover of PMIPv6
20
End handover of SPMIPv6
10
Receive buffer packet
0
0 100 200 300 400 500 600 700 800 900 1000
Time (ms)
Fig. 17 The performance of sequence number vs time.
800
PMIPv6 PMIPv6
600 SPMIPv6 SPMIPv6
700
RN_PMIPv6 RN_PMIPv6
PMIPv6A
500 SPMIPv6A 600
Handoff latency (ms)
RN_PMIPv6A
500
400
400
300
300
200 200
100
100
0
2 4 6 8 10 12 14 16 18 20 200 250 300 350 400 450 500 550
Number of handover PBU time (ms) CI = 90%
(a) (b)
Fig. 18 The performance of handover latency vs (a) number of handover, (b) proxy binding update time.
results of the sequence number vs time. We observed that from the start hando time
to hando time of PMIPv6, SPMIPv6 and RN PMIPv6, the RN PMIPv6 scheme receives
packets from the UE earlier than that of PMIPv6 and SPMIPv6. The curves of PMIPv6,
SPMIPv6 and RN PMIPv6 start the hando at a time of 180 ms. The RN PMIPv6 receives
the new packets at a time of 250 ms which was lower than the SPMIPv6 at a time of 295
ms and PMIPv6 at a time of 390 ms. This is because that RN PMIPv6 has the assistance
of relay nodes.
Fig. 18(a) and Fig. 18(b) illustrate the simulation results of handover latency vs. number
of handover and proxy binding update time for the PMIPv6, SPMIPv6 and RN PMIPv6 pro-
tocols. Fig. 18(a) shows that the average HL values were in the following order: RN PMIPv6
< SPMIPv6 < PMIPv6 from the perspective of number of handover. This veries that the
and our RN PMIPv6 protocol had better HL than the other protocols. Figure 18(a) also dis-
plays the use of mathematical analysis for the PMIPv6-A, SPMIPv6-A, and RN PMIPv6-A.
600
PMIPv6 PMIPv6
900
SPMIPv6 SPMIPv6
RN_PMIPv6 RN_PMIPv6
500 800
700

400
600
300 500
400
200
300
100 200
100
0
60 80 100 120 140 160 180 200 220 5 10 15 20 25 30 35
Distance between LMA and MAG (ms) CI=90% Distance between serving MAG and target MAG (hops) CI=90%
(a) (b)
Fig. 19 The performance of handover latency vs (a) distance between LMA and MAG, (b) distance between
serving MAG and target MAG (hops).
It was nearly the same as our implementation as illustrated by the curves of PMIPv6 and
PMIPv6-A about 400 ms, the curves of SPMIPv6 and SPMIPv6-A about 300 ms, and the
curves of RN PMIPv6 and RN PMIPv6-A about 100 ms.
Fig. 18(b) shows the handover latency under various proxy binding update (PBU) time.
In general, the HL increases as the PBU time increases. We observe that PMIPv6 and
SPMIPv6 has the curves of HL between 410900 ms and 305710 ms, but the curve of
RN PMIPv6 was around 100 ms. This is because that the RN PMIPv6 can eliminate the
partial proxy binding update time due to the assistance of relay node (RN).
Fig. 19(a) illustrates the handover latency vs distance between LMA and MAG, for
the PMIPv6, SPMIPv6 and RN PMIPv6 protocols. For each case, the higher the distance
between LMA and MAG, the higher the HL. Fig. 19(a) shows that the average HL values
were in the following order: RN PMIPv6 < SPMIPv6 < PMIPv6 from the perspective of
distance between LMA and MAG. Fig. 19(b) illustrates the handover latency vs. distance
between serving MAG and target MAG. For each case, the higher the distance between
serving MAG and target MAG, the higher the HL. Fig. 19(a) shows that the average HL
values were in the following order: RN PMIPv6 < SPMIPv6 < PMIPv6 from the perspective
of distance between serving MAG and target MAG.
5.2.2 Packet loss (PL)
Fig. 20(a) illustrates the mathematical analysis and simulation result of packet loss vs the
number of handover. In general, the PL increased as the number of handover increases.
The RN PMIPv6 has low packet loss that of PMIPv6 and SPMIPv6. Is is observed that
SPMIPv6 has lower packet loss if the number of handover is less. This is because that the
buering scheme is used in SPMIPv6 with extra hardware cost. It was nearly the same as
our implementation as illustrated by the curves of PMIPv6 and PMIPv6-A , the curves of
SPMIPv6 and SPMIPv6-A, and the curves of RN PMIPv6 and RN PMIPv6-A.
Fig. 20(b) displays the simulation result of PL vs PBU time. The PL increased as PBU
time increases. The RN PMIPv6 has low packet loss that of PMIPv6 and SPMIPv6. Is is
45 35
PMIPv6 PMIPv6
SPMIPv6 SPMIPv6
40
RN_PMIPv6 30 RN_PMIPv6
PMIPv6A
35
SPMIPv6A
Number of packet loss

25
Number of packet loss
RN_PMIPv6A
30
20
25
20 15
15
10
10
5
5
0 0
2 4 6 8 10 12 14 16 18 20 200 250 300 350 400 450 500 550
Number of handover PBU time (ms) CI = 90%
(a) (b)
Fig. 20 The performance of packet loss ratio vs (a) distance between LMA and MAG, (b) proxy binding
update time.
600 800
PMIPv6 PMIPv6
SPMIPv6 SPMIPv6
700
RN_PMIPv6 RN_PMIPv6
500
600
Handoff jitter (ms)
Handoff jitter (ms)
400
500
300 400
300
200
200
100
100
0 0
60 80 100 120 140 160 180 200 220 200 250 300 350 400 450 500 550
Distance between LMA and MAG (ms) CI=90% PBU time (ms) CI = 90%
(a) (b)
Fig. 21 The performance of handover jitter vs (a) distance between LMA and MAG, (b) proxy binding
update time.
observed that SPMIPv6 has lower packet loss if PBU time is small. This is because that the
buering scheme is used in SPMIPv6 with extra hardware cost.
5.2.3 Handover jitter (HJ)
Fig. 21(a) and Fig. 21(b) illustrate the simulation result of handover jitter vs distance be-
tween LMA and MAG, and PBU time for PMIPv6, SPMIPv6 and RN PMIPv6 protocols.
The HJ was measured as the time from the serving eNB to the target eNB. Traditional
4
x 10
4
PMIPv6
SPMIPv6
3.5
RN_PMIPv6
PMIPv6A
3 SPMIPv6A
Location update cost

RN_PMIPv6A
2.5
1.5
0.5
0
1 0
10 10
Call to mobility ratio ()
Fig. 22 The performance of location update cost vs call to mobility ratio.
wireless-link delay time between the UE and target eNB is between 10 ms and 50 ms. Fig.
21(a) illustrates that PMIPv6 has the highest jitter compared to SPMIPv6 and RN PMIPv6.
The curve of RN PMIPv6 was lower than those of SPMIPv6 and PMIPv6. The average han-
dover jitter values were in the following order: RNPMIPv6 < SPMIPv6 < PMIPv6 from
perspective of distances between LMA and MAG. Fig. 21(b) also illustrates the handover jit-
ter vs PBU time. The average handover jitter values were in the following order: RNPMIPv6
< SPMIPv6 < PMIPv6 from perspective of PBU time. This is because the overlapping result
caused by the relay node for our relay-assisted design can signicantly reduce the HJ.
5.2.4 Location update cost (LUC)
Fig. 22 illustrates mathematical analysis and simulation result of the location update cost
(times) vs. the call to mobility ratio for PMIPv6, SPMIPv6 and RN PMIPv6 protocols, while
the x-axes sets to be the logarithmic scale. It is observed that the result is not-linear. The
increase in packet arrival to mobility ratio means that the movement of UE becomes slower.
In general, the LUC drops as the call to mobility ratio increases. The average LUC were in
the following order: RN PMIPv6 > SPMIPv6 > PMIPv6. The mathematical analysis of LUC
were in the following order: RN PMIPv6-A > SPMIPv6-A > PMIPv6-A. This shows that
RN PMIPv6-A needs more location update cost than that of SPMIPv6-A and PMIPv6-A
due to the relay node managements.
6 Conclusion
In this paper, we presented a new protocol to reduce hando delay and packet lost with the
assistance of relay nodes over LTE networks. We considered the security issue when selecting
relay nodes during hando. During the relay node discovery, we extend the access network
discovery and selection function (ANDSF) in 3GPP specications to help mobile station or
UE to obtain the information of relay nodes. With the aid of the relay nodes, the mobile
station or UE performs the pre-handover procedure, including the security operation and
the proxy binding update to signicantly reduce the handover latency and packet loss. The
simulation results illustrated that our proposed protocol actually achieves the performance
improvements in the hando delay time and the packet loss rate.
References
1. The Network Simulator NS-2., http://www.isi.edu/nsnam/ns/.

2. 3rd Generation Partnership Project TS23.401. General Packet Radio Service (GPRS)
enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN),
Release 8, v8.5.0. March 2009.
3. 3rd Generation Partnership Project TS23.402. Architecture enhancements for non-
3GPP accesses, Release 8, v8.4.1. January 2009.
4. 3rd Generation Partnership Project TS24.312. Access Network Discovery and Selection
Function (ANDSF) Management Object (MO), Release 8, v8.0.0. December 2008.
5. 3rd Generation Partnership Project TS33.401. 3GPP System Architecture Evolution
(SAE) Security architecture, Release 8, v8.3.1. December 2008.
6. 3rd Generation Partnership Project TS33.821. Rationale and track of security deci-
sions in Long Term Evolved (LTE) RAN/3GPP System Architecture Evolution (SAE),
Release 8, v8.0.0. March 2009.
7. 3rd Generation Partnership Project TS36.300. Evolved Universal Terrestrial Radio
Access (E-UTRA) and Evolved Universal Terrestrial Radio Access Network (E-UTRAN)
Overall description, Release 8, v8.8.0. March 2009.
8. Y.-S. Chen, W.-H. Hsiao, and K.-L. Chiu. Cross-Layer Partner-Based Fast Hando
Mechanism for IEEE 802.11 Wireless Networks. International Journal of Communica-
tion Systems, 23(5):596632, May 2010.
9. Y.-S. Chen and K.-L. Wu. A Cross-Layer Partner-Assisted Hando Scheme for Hier-
archical Mobile IPv6 in IEEE 802.16e Systems. Wireless Communications and Mobile
Computing, Published online: Oct. 2009.
10. H. Choi. Proxy Mobile IPv6 for Ns-2. http://commani.net/pmip6ns/ .
11. T. I. for Wireless and M. Communications. Enhanced UMTS Radio Access Network
Extensions for NS-2 (EURANE). http://eurane.ti-wmc.nl/eurane/ .
12. S. Gundavelli. Proxy Mobile IPv6. Internet Engineering Task Force (IETF ), RFC-
5213, 2008.
13. D. Johnson. Mobility Support in IPv6. Internet Engineering Task Force (IETF ),
RFC-3775, 2004.
14. J. Kang, D. Kum, Y. Li, and Y. Cho. Seamless Handover Scheme for Proxy Mobile
IPv6. IEEE International Conference on Wireless and Mobile Computing, (WIMOB),
Washigton, DC, USA, pp. 410-414, October 2008.
15. L. Le and M. Liebsch. Preliminary Binding: An Extension to Proxy Mobile IPv6 for
Inter-Technology Handover. IEEE International Conference on Wireless Communica-
tions and Networking Conference, (WCNC), Budapest, Hungary, pp. 1-6, April 2009.
16. J. Lee, S. Kimura, and Y. Ebihara. An approach to mobility management in Cellular
IP networks utilising power-save mode of IEEE 802.11. International Journal of Ad
Hoc and Ubiquitous Computing, 3(3):191203, 2008.
17. J. Lee and J. Park. Fast Handover for Proxy Mobile IPv6 based on 802.11 Networks.
IEEE International Conference on Advanced Communication Technology, (ICACT),
Phoenix Park, Korea, pp. 1051-1054, February 2008.
18. H. Oh, K. Yoo, J. Na, and C. Kimi. A seamless handover scheme in IPv6-based mobile
networks. International Journal of Ad Hoc and Ubiquitous Computing, 4(1):5460,
2009.
19. C. Perkins. IP Mobility Support for IPv4. Internet Engineering Task Force (IETF ),
RFC-3344, 2002.
20. H. Soliman. Mobile IPv6 support for dual stack Hosts and Routers (DSMIPv6).
Internet Engineering Task Force (IETF ), draft-ietf-mip6-nemo-v4traversal-06 (work in
progress), May 2007.
21. J.-H. Yeh, J.-C. Chen, and P. Agrawal. Fast Intra-Network and Cross-Layer Handover
(FINCH) for WiMAX and Mobile Internet. IEEE Transactions on Mobile Computing,
8(4):558574, 2009.
Author Biographies
Yuh-Shyan Chen received the B.S. degree in Computer Science from Tamkang
University, Taiwan, R. O. C., in June 1988 and the M.S. and Ph.D. degrees in
Computer Science and Information Engineering from the National Central Uni-
versity, Taiwan, R. O. C., in June 1991 and January 1996, respectively. He joined
the faculty of Department of Computer Science and Information Engineering at
Chung-Hua University, Taiwan, R. O. C., as an associate professor in February
1996. He joined the Department of Statistic, National Taipei University in August
2000, and joined the Department of Computer Science and Information Engineer-
ing, National Chung Cheng University in August 2002. Since 2006, he has been a
Professor at the Department of Computer Science and Information Engineering,
National Taipei University, Taiwan. Prof. Chen served as Editor-in-Chief of Inter-
national Journal of Ad Hoc and Ubiquitous Computing (SCIE), Regional Editor
(Asia and Pacific) of IET Communications (SCI), Editorial Board of Telecom-
munication System Journal (SCIE), EURASIP Journal on Wireless Communica-
tions and Networking (SCIE), International Journal of Communication Systems
(SCIE), Mobile Information Systems (SCIE), and Journal of Internet Technol-
ogy (SCIE). He also served as Guest Editor of ACM/Springer Mobile Networks
and Applications (MONET), Wireless Communications and Mobile Computing,
The Computer Journal, and Wireless Personal Communications. His paper wins
the 2001 IEEE 15th ICOIN-15 Best Paper Award. Prof. Chen was a recipient
of the 2005 Young Scholar Research Award, National Chung Cheng University,
R.O.C.. His recent research topics include wireless communications, mobile com-
puting, and next-generation personal communication system. Dr. Chen is a senior
member of the IEEE Communication Society and Phi Tau Phi Society.
Tong-Ying Tony Juang is a professor in the Department of Computer Engi-

neering and Information Science, and director of Computer Center at National
Taipei University. His research interests include and mobile computing, wireless
networks and distributed and parallel computing. He received a B.S. in naval ar-
chitecture from National Taiwan University, and his M.S. and Ph.D. in computer
science from the University of Texas at Dallas. Contact him at the Department
of Computer Engineering and Information Science, National Taipei University,
Taipei, 10433, Taiwan.
Yao-Tsu Lin received the B.S. degree in Department of Computer and Com-
munication Engineering from National Kaohsiung First University of Science and
Technology, Taiwan, ROC, in June 2006 and the M.S. degree in Graduate In-
stitute of Communication Engineering from National Taipei University, Taiwan,
ROC, in July 2008. His research interest includes secure issues for mobility man-
agement.

A Secure Relay-Assisted Handover Protocol For Proxy Mobile Ipv6 in 3Gpp Lte Systems

Uploaded by

Copyright:

Available Formats

A Secure Relay-Assisted Handover Protocol For Proxy Mobile Ipv6 in 3Gpp Lte Systems

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

A Secure Relay-Assisted Handover Protocol For Proxy Mobile Ipv6 in 3Gpp Lte Systems

Uploaded by

Copyright:

Available Formats

Wireless Pers Commun manuscript No.

(will be inserted by the editor)

A Secure Relay-Assisted Handover Protocol

Yuh-Shyan Chen*, Tong-Ying Juang, Yao-Tsu Lin

the date of receipt and acceptance should be inserted later

*Correspondence to: Yuh-Shyan Chen

E-UTRAN S10 Serving-GW PDN-GW

Fig. 1 The LTE architecture.

2.1 IPv6-based mobility protocol

Chen et al. [8][9] recently proposed a cross-layer partner-assisted handover mechanism

Proxy Care of Address (Proxy-CoA)

MN-HNP MN Home Address (MN-HoA)

Fig. 2 Seamless proxy mobile IPv6.

2.2 Proxy mobile IPv6 protocol in LTE system

Fig. 3 Partner-assisted mechanism based on HMIPv6.

3.1 Mobility in 3GPP LTE system

Fig. 4 System architecture.

3.2 System architecture

Fig. 5 Access network discovery and selection function+ .

A UE who wants to become a RN needs to satisfy the following conditions:

MAC MAC MAC L2 L2 L2 L2 L2

WiFi LTE-Uu S1-U S5/S8 SGi

Fig. 6 The LTE protocol stack.

Fig. 7 The LTE key hierarchy.

3.3 Motivation and basic idea

Table I: The comparison of existing results with our approach.

4 Secure relay-assisted handover protocol for PMIPv6

Internet IMS UE Infomation

2 < RSSIth Yes RN1 E Info.

Fig. 8 The relay node registers to ANDSF+ .

4.1 Relay node discovery phase

NAME eNB Ad hoc

Fig. 9 The UE requests relay node information.

NAME eNB Ad hoc

Fig. 10 The UE negotiates with relay nodes.

4.2 Secure handover phase

1. Derive KeNB* from KeNB 3.HO request (KeNB*) +

1a. Derive new KeNB*+ from KeNB*

4. HO request (KeNB*+) + Allowed RRC/UP algorithms

Fig. 11 Message flow of the secure LTE handover protocol.

Fig. 12 The LTE handover procedure with security.

Fig. 13 The message flow of a secure relay-assisted handover protocol.

KAS: KASint, KASenc

Fig. 14 The relay-assisted handover operation with security.

Example is given in Fig 14 for a scenario of relay-assisted handover with consideration of

4.3 Secure relay-assisted handover phase

UE Source eNB Target eNB

UE and RN perform security operation and create temp connection

Radio and Access Bearer PMIP tunnel

Detach from old cell and synchronize Handover Completion

Path Switch Request

Update Bearer Request

Radio and Access Bearer PMIP tunnel

Table II: System parameters.

5.1 Mathematical analysis

5.1.1 Handover latency

THO,P MIP = DL2 + DL3 + DHO Security

THO,P MIP = DL2 + tP BU + 4tUE S GW + DHO Security

1a. Derive new KeNB+ from KeNB