personal networks – a tutorial...personal networks introduction technology drivers • number and...

Personal Network Introduction

Personal Networks – a Tutorial

Connect All Your Electronic Devices with Personal Networks

Architectures, Technologies, Applications

Martin Jacobsson, TU Delft Ignas Niemegeers, TU Delft

Sonia Heemstra de Groot, TU Delft and TI-WMC

CCNC 2011, January 13, 2011, Las Vegas

Copyright 2011 All rights are reserved1


AcknowledgementsFor parts of this tutorial:• Sonia Heemstra de Groot (TI-WMC, NL)• Venkatesha Prasad (TU Delft, NL)• Ertan Onur (TU Delft, NL)• MAGNET Colleagues, in particular:

• Rasmus L Olesen (Aalborg, DK)• Martin Bauer, Erno Kovacs (NEC, DE)• Marc Girod Genet (ParisSud, FR)

• PNP2008 colleagues, in particular:• Frank den Hartog (TNO, NL)

Some of the material presented in these slides belong to these people and their copyright remains with them.

2


Tutorial Overview

• Introduction and PN applications• PN architecture• Local PN networking• Remote PN networking• PN Security• PN application support systems• PN Federations• Experimenting with PNs• Final bits

3

Personal Networks Introduction

Background and motivation

5


A bit of history and acknowledgements

• Concepts presented originated in 2000 at Ericsson Research and TU Delft, The Netherlands

• Inspired by the work of Robin Kravetz at University of Illinois: Moped project

• Concepts worked out and prototyped in several large research projects: EU FP6 MAGNET and MAGNET- Beyond, and Dutch Freeband PNP2008 project

• Many small projects• Parallel to Mobile VCE project in UK: Personal Distributed

Environments (Irvine and Dunlop)

6


Technology drivers

• Number and diversity of personal devices will be growing tremendously (vision of pervasive computing, driven by Moore’s law)

• Low cost air-interfaces covering a range of needs are becoming commonplace

• Infrastructure (Internet) access is becoming ubiquitous to fixed and mobile users, covering a wide range of user needs

• Growth of IP capable devices (e.g., IPv6 6LoWPAN)

7


The future wireless world: explosion at the edges

PANsensor network

Sensor network

BAN

home network

emergencynetwork

VAN

Access Networks

ad hocnetwork

corporatenetwork

meshnetwork

Global core


Even further: nanonetworks

Nano tube radio

Radio-controlled devices small enough to exist in a human's bloodstream

http://www.physics.berkeley.edu/research/zettl/projects/nanoradio/radio.html

Nano tube radio

Radio-controlled devices small enough to exist in a human's bloodstream

http://www.physics.berkeley.edu/research/zettl/projects/nanoradio/radio.html


Characteristics of future networks• The capillaries of the Internet, is where the “revolution”

takes place: the Internet of Things • Huge scale: orders of magnitude more communicating

devices• Huge number of “owners” involved (not operators)• Unplanned and ad-hoc connected• Heterogeneity:

• capabilities and characteristics of devices• access technologies• applications/services, including surge in embedded applications

• Dynamics

Bound for future network chaos:scale, competing entities, spectrum, etc.


New and some old concerns

• Manageability• Trustworthiness: security, dependability, robustness• Ease of use: end user (increasingly no direct end-user,

embedded applications)• Ease of developing applications/services• Spectrum usage• Energy concerns• Health (Radiation)


Societal drivers

• New lifestyles: the boundary between private and professional life is becoming blurred

• Market pull: the need for ubiquitous communication is strengthened by our new lifestyle

• More and more networked devices and appliances

12


Problems we are facing now

An increasing variety of • communication and security protocols, • complex configuration, and a • lack of integration between heterogeneous

technologies

is hampering ubiquitous communication using different devices

13


Personal Networks (PNs) and their potential

14


What do PNs offer?

• Devices belonging to a user self-organize to form a geographically distributed secure overlay network of personal devices

• A platform for a multitude of personal applications and services to support private and professional activities in a person-centric, unobtrusive, dependable and trustworthy way

• A tool to cooperate with others through federation and interact with non-PN systems (Federations of PNs)

15


What do PNs do?Connect personal devices near and far automatically and securely using any network infrastructure (3G, 4G, WIMAX, WLAN, Bluetooth, Zigbee etc…)

Network Infrastructure


PN architecture illustrated


Definitions

• Personal network (PN): Dynamic self-organizing secure overlay network of local and remote personal devices organized in clusters with support for personalized services

• PN Cluster: mostly referred as a set of colocated nodes in a PN, e.g. home cluster, office cluster, etc.

• Personal area network (PAN): is the (mobile) cluster colocated with the user


Definitions (continued)

• Personal device vs. foreign device: a personal device is owned by the user, i.e., has all the rights to install the PN software and include the device in her PN. Foreign devices have another or multiple owners.

• Overlay network: the routing, addressing scheme, secure tunnels, etc. are defined by an application on top of a full meshed IP connectivity between nodes.

• Interconnecting infrastructure: provided by ISPs, WLAN providers, 3G, 4G, IMS/NGN or PSTN network operators.

19


PN target characteristics

• Ease of use• No/minimal user training required• No system administrators

• Trustworthiness• Security, privacy and dependability

• Ubiquitous

• Should work everywhere a person and her/his devices are

• Low cost • Consumer technology• No installation costs


PN as a product

A platform that makes ubiquitous communication between personal devices over any network technology and any operating system a reality

21


Market potential

• All these devices are potential ingredients of a PN: • GSM: 3.5 billion• 3G: 500 million• Broadband: 350 million• Appliances : 5.5 million replaced in 2008 in

The Netherlands (TVs, PVRs, fridges, etc.)(numbers are for 2010)

• 1000 wireless devices per person on earth by 2017 (WWRF Book of Visions)

22


TU Delft PN Prototype

• Software platform(*) running on your devices providing:• Secure ubiquitous communication• Automatic configuration• Network technology independence• Integration with common operating systems (Linux,

Android, others under development)• Supports and enhances existing applications and enables

new applications(*) Developed at TU Delft over the past six years

23


PN Federations

24


What is a PN Federation?

Home network

Corporatenetwork

Interconnecting structure

Vehicular areanetwork

Home network

PN2PN1

PN3

Personal Networks

PN Federation

• Federation member


Key ideas of PN Federation

• Cooperation of multiple PNs

• Using selected resources and services of each other

• Driven by purpose or opportunity

• Temporary or long term for achieving a specific goal

• Ad hoc (neighbouring users and their devices) or mediated by a PN directory service (PNDS)

• Initiated via invitation, or announcements (push)


Research projects with PN-like goals• Universal Personal Networking (UPN): early 1990s at

Siemens, no breakthrough • Life-Works: more recent, Siemens• Moped: University of Illinois, Kravets (2001)• Personal Mobile Hub: IBM Research, Husemann et al.

(2004)• CoolTown: HP, Debaty and Caswell (2001)• Mobile People Architecture: Stanford, Maniatis et al.

(1999)• Personal Distributed Environment: Mobile VCE, UK,

Dunlop and Irvine (2003)• MyNet: Nokia and MIT, Arvind and Hicks (2006) • IST PACWOMAN and SHAMAN: EU FP7 (2002)

27


Commercial developments with a PN flavor

• Microsoft’s Personal Cloud (2010 announcement)• Apple’s MobileMe• Drop Box (product)• P2P Universal Computing Consortium (PUCC):

Japanese universities and companies, e.g. NTT Docomo, NEC, Toshiba, since 2004, demo at CCNP 2008 CES

• 3GPP: Personal Networks as part of AIPN (2009)• Ecma Technical Report on Personal Networks

(December 2010)

28


PN and PN Federation Applications

29


PN-enabled applications

• Access and share information on personal devices:calendar, contact list, photos, music, video, documents, YouTube downloads, etc.

• Access information from wearable sensors (e.g., health sensors)

• Access information from sensors in the home, around the home, car, etc.

• Control personal devices and appliances• Domotica, home security, energy management,

health, sports, well-being, etc.

30


PN-Federation-enabled Applications

• Sharing of data, including, e.g., photos, ring tones, calendar events, point of interests, YouTube downloads, and more…

• Collaborative work during meetings• Collaborative work anywhere • Assisted living for elderly or impaired people• Collaborative work anywhere• Gaming


32

Virtual Home Truck

Creating a virtual home environment in truck


File access

Access the latest version of your files anywhere anytime with any device


34

eHealth Scenario

eHomeCaresetting

Alarm center (ALA)

Relatives (RL)

Hospital (H)

Specialist (SPE) General practitioner (GP)

Interconnection structure

Nurse (N)

Personal Networks Introduction 35

PN Federation for sharing photos, videos, and printing services

PN2 PN3

PN1 PN4Jane

PN2 PN3

PN1 PN4Jane


PN Federation for emergency relief

FederationFederation


PN nodePersonal Network

Personal Network

Personal NetworkSensor Network Fednet

Fednet

Personal Network

FednetFederation manager

Non-professionalcare taker

Professionalcare taker

PN nodePersonal Network

Personal Network

Personal NetworkSensor Network Fednet

Fednet

Personal Network

FednetFederation manager

Non-professionalcare taker

Professionalcare taker

PN Federation for assisted living


Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org

ECMA Homecare Scenario

Ecma TC32 PN&F Editing Group, “Personal Networks and their Federations,” Ecma Technical Report, 2009.http://www.ecma-international.org/memento/TC32-PNF-M.htm


PN Federation for road safety?

locationspeed

ABS

stability controlproximity

locationspeed

ABS

stability controlproximity

Personal Network Architecture 1

Personal Network Architecture


Requirements• Easy cross-device applications support based on service

oriented architectures (SOA)• Context-awareness

• Secure Personal Communication• Automatic Addressing and Network Configuration• Routing, Broadcasting and Mobility

• Wireless Technology and Operating System Independent

2


Core Concept• Distinguish between:

• Personal Nodes – Devices owned/used/controlled by you• Foreign Nodes – All other devices

• One single and simple security system independent of link layer technologies• Compare this with Bluetooth, Wifi, VPN, etc.

Personal Network = The set of all your Personal Nodes

3


Three Layer View (1)

4

InterconnectingStructures

P-PANNetwork Level

Service Level

Public servicePrivate service

Personal nodePersonal deviceForeign nodeForeign deviceCluster

Cluster

Connectivity

LevelInterconnectingStructures

RCD1

RCD2

RCD3

RCD4

RCD5

RCD7

RCD6

PN

Air IF 1Air IF 2Air IF 3Dual Air IFRadio Controller


Three Layer View (2)Connectivity Level

• Works on top of available link layers• Network Level - Intra-cluster• How are Clusters formed?• How is the identification of gateways/border nodes done?

Network Level• Routing and addressing• Establishment of tunnels and their dynamic maintenance• How are nodes included in a PN? How to exclude nodes?• Naming within the PN

Service Level• Service Discovery• Context Discovery and Context-aware Service Discovery• Bridging heterogenous service platforms

5


Cluster and PN Formation• A security mechanism is used separate Personal from

Foreign Nodes. Clusters contain only Personal Nodes.• A PN is formed by constructing inter-Cluster tunnels

between Personal Clusters.

Personalisation• A new Node is included into the PN (or personalised) by

pairing it with a Node already personalised. It becomes a Personal Node.

• An intra-PN security mechanism makes sure that encryption keys are distributed to the new Node and that the PN is aware of the new Node.

• Configuration of the new Node can also take place (such as addressing).

Personalization of Nodes (1)


Mine Manual Pairing

Manual Pairing

Implicit Pairing

Personalization of Nodes (2)


Personalization of Nodes (3)• A new Node is included into the PN (or personalized) by

pairing it with a Node already personalized.• It becomes a Personal Node.

• An intra-PN security mechanism installs trust relationships between the new Node and the existing Nodes in the PN • Distribution of encryption keys

• Network-related configuration of a Node takes place after personalization• Such as addressing, awareness of PN Agent

8


The Network Architecture

Personal (Virtual) Network

Cluster

Cluster Cluster

Cluster

Cl.

EncryptedTunnel


The Big Picture


When a Node meets another Node

AB

{Hello, A}PID

{Hello, B}PID

{Mgmt Data}PID

{Data}PID


Personal Networks

Cluster 1

BA

12


Personal Networks

BA

Cluster 1

13


Personal Networks

Office ClusterP-PAN

Home Cluster

Car Cluster

Infrastructure Networks

Personal NodeGateway NodeAccess RouterInter-Cluster Tunnels

PN Agent

14


Personal Networks

P-PAN

Office Cluster

Home Cluster

Car Cluster



PN Agent

15


Personal Networks

P-PAN

Office Cluster

Home Cluster

Car Cluster



PN Agent

16


Personal Networks

Office Cluster

Home ClusterP-PAN

Car Cluster



PN Agent

17

PN Networking 1

Personal Network Networking

PN Networking

Three Layer View

2


P-PANNetwork Level

Service Level



Cluster

Connectivity


RCD1

RCD2

RCD3

RCD4

RCD5

RCD7

RCD6

PN


PN Networking

Addressing• Each PN Node has an IP address• Flat addressing within the PN• Unique within the PN• Assigned at Personalization• Never changes

• TCP / UDP sessions are unaffected by mobility

• We used IPv6, but IPv4 is no problem

3

PN Networking

Cluster Routing (1)

Cluster

PN Networking

Cluster Routing (2)Mobile Ad Hoc (MANET) Routing• Support Mobility / Dynamic Links• Support Wireless / Heterogenous LinksMANET protocols used in our prototypes:• OLSR – Optimized Link State Routing• WRP – Wireless Routing ProtocolProactive protocols work the best for clusters:• Small and dense networks• Many node-node flows• Many short-lived sessions

5

PN Networking

FloodingCluster-wide / PN-wide Broadcasting• Service discovery• Context information dissemination• Various network organization protocols• Multicast applications

Existing ad hoc flooding protocols:• Blind Flooding• CBB – Counter-based Broadcasting• SMF – Simplified Multicast Forwarding

6

PN Networking

MANET Routing Domain

Personal Node Recognition (1)

7

PN Networking

Personal Node Recognition (2)Personal Neighbour Node Authentication:• Based on personalization• Filter out the other neighbors• Encrypt packets between personal nodes

Introduce a ”layer” below networking:• Implements personal neighbour node discovery and

authentication• Expose higher layers (e.g. routing) only to authenticated

neighbours• MANET routing protocol can be unmodified

8

PN Networking


9

PN Networking


10

3000::9

3000::9

3000::12

16F3A66F…

316BE6FC…

18A562BC…

00:30:45:B6:89:BA

00:30:67:F5:EF:27

00:30:34:B2:F7:98

00:30:43:AB:65:83

00:30:27:87:3B:7A

wifi1

eth0

eth0

wifi1

wifi1

B93BE8F9…

278C8D16…

A767C8DE…

Node ID Unicast KeyMAC address IF Bcast Key

PN Networking

Remote PN Networking

PN Networking

Why Inter-Cluster Tunneling

Why tunnels?

Encrypt traffic over the Internet• Based on keys established via personalization

Support Mobility within PNs• End-to-end packets (IP and upwards) are transmitted

unchanged and tunnelled.

12

PN Networking

Inter-Cluster Tunneling (1)

13

Office ClusterP-PAN

Home Cluster

Car Cluster



PN Agent

3000::1 3000::9 ……130.11.40.7 109.7.45.3

Dst Addr Src Addr DataDst Addr Src Addr

Tunnel IP Header PN-internal IP Hdr

PN Networking

Inter-Cluster Tunneling (2)

14

3000::1 3000::9 ……130.11.40.7 109.7.45.3



Encrypted based on keys between 3000::1 and 3000::9

3000::1 3000::9 ……130.11.40.7 109.7.45.3



……

UDP

A UDP header is sometimes necessary for NAT-traversals, like this:

PN Networking

Inter-Cluster Routing

15

Office ClusterP-PAN

Home Cluster

Car Cluster



PN Agent

PN Networking

Ad HocRouting Domain




16

Flat Ad Hoc Routing across an entire PN is possible!

However, the tunnel links are special• Slow, usually the bottlenecks• Most topology changes in a Cluster only have local

consequences within that Cluster

PN Networking


17

• Each Cluster is its own ad hoc routing domain• The tunnel inter-connect acts as a network switch• Gateway Nodes keep track of which Node is in which

Cluster• Packets to Nodes in other Clusters are forwarded over

the tunnels by the Gateway Nodes




PN Networking

PN Agent (1)

18

Office ClusterP-PAN

Home Cluster

Car Cluster



PN Agent

Via the PN Agent, Gateway Nodes Exchange:• Care-of Addresses (CoA)• Which Nodes are in its Cluster• Link Quality Information

PN Networking

PN Agent (2)PN Agent:• Assists discovery and maintenance of tunnels wrt CoA

and mobility• Knows which Node is in which Cluster => Inter-Cluster

Routing

PN Agents are not strictly needed, pure P2P mechanismsare possible. However:• Bootstrap problem• Slowness in finding the latest CoA

19

PN Networking

Foreign PN Communication

PN to PN communication

PN Networking

Types of Foreign Communication (1)

21

PN Networking

Types of Foreign Communication (2)

22

PN Networking

Network Level Foreign Comm

23

PN Networking

Service Level Foreign Comm

24

PN Networking

Service vs. Network LevelService Level:• Using Service-Level Proxies• Two sessions instead of one (mainly problem for TCP)• Finer granularity access control

Network Level:• Using NAT/NAPT• End-to-end IP connectivity• Access control based on port numbers only

25

PN Networking

PN to PN Foreign Communication

26

PN Networking

Foreign Communication Mobility (1)

27

PN Networking

Foreign Communication Mobility (2)

28

Personal Network Security 1

Personal Network Security


Overview PN Security

• Device personalization• Imprinting• PN Formation Protocol• Eviction of nodes

• Establishment of secure communication• One-hop links• Inter-cluster


Personalization

Process of making a device member of a PN:• Under the control of the user• “Imprinting” the security credentials• Configuration of vital information


Imprinting

Based in the “resurrecting duckling” policy model• A new device (duckling) starts in the un-imprinted

state• The device becomes imprinted when the first master

device (mother) provides it with cryptographic material • Further imprinting attempts will fail if the device already

is imprinted• The master device can “kill” (remove the cryptographic

material of) the device and bring it back to the un- imprinted state


Imprinting in PNs

Using public key infrastructure PKI adapted to the PN:• PN certification authority (PNCA) signs the public key of

the duckling during imprinting• Generated certificate and PNCA certificate are stored in

duckling• PKI light weight solutions with elliptic curve

cryptography (ECC)Shared key:

• Pair-wise key with mother• Simple but with limited scalability


Certified PN Formation Protocol (PNFP)

From European Project Magnet BeyondTwo phases

• Imprinting• Establishment of pair-wise keys


Certified PNFP- Phase 1

• Form of authenticated Diffie-Hellman • Uses a location limited channel (LLC)

• Physical characteristics of channel provide security services• Examples of LLC: Cable, physical contact, NFC, audio, infrared,

user as a channel

• Public keys are exchanged between PNCA and new device using non-authenticated wireless channel

• Keys are later authenticated using a LLC• Two flavors:

• Using a private LLC• Using a public LLC


PNCA(mother)

Device A(duckling)

SKPNCA , PKPNCA

Computehm = hash (PKPNCA || PKA )

Continue only ifhm =hn

PKPNCA

PKA

hm

hn

CERT(PKA , PNCA), CERT(PKPNCA , PNCA)

non-authenticated channel

non-authenticated channel

Public LLC

SKA , PKA

Computehn = hash (PKPNCA || PKA )

Continue only ifhm =hn

Imprinting over a public LLC


Certified PNFP- Phase 2

• Two PN nodes use their certificates to authenticate each other and establish a pair-wise master key when they meet each other for the first time• Mainly optimization of computation

• Pair-wise master key used for further authentication and generation of pair-wise session keys• Less computationally demanding than asymmetric crypto

• Standard key agreement protocols can be used for establishment of pair-wise master keys


Eviction of Personal Nodes

• Certificates issued by PNCA have limited life time• Certificates need to be renewed

• For eviction before expiration of certificate: certificate revocation list (CRL) signed by the PNCA is sent to all nodes in the PN using PN-wide broadcasting


Secure Unicast PN Communication

• Pair-wise master key used for authentication and generation of session keys for encryption and integrity protection

• Use link layer encryption and session key types when available.• Often HW support

• Establishment of link layer session key depends on technology:• E.g. 4-way handshake protocol in IEEE802.11i

• If no link layer security is available, encryption has to be done at network layer


Secure Inter-Cluster Communication

• Gateways nodes are responsible for securing inter- cluster communication

• Encrypted tunnels (e.g., IPSec ESP)• Algorithm for key establishment similar to the second

phase of the CPFP• Gateway nodes exchange PNCA certificates• After successful authentication, session keys are generated


Personal Network Application Support Systems


Three Layer View

2


P-PANNetwork Level

Service Level



Cluster

Connectivity


RCD1

RCD2

RCD3

RCD4

RCD5

RCD7

RCD6

PN



Application Support SystemsService-Oriented Architectures (SOA)• Offers self-configuration at the service/application level• Service discovery• Service session management• Access control for PN-PN and Federations

Context Management Framework• Collect, process, store, distribute context information

Naming• Naming of devices, services, etc.

3


Service-Oriented Architectures


Service Discovery Domains/Tiers

5


Service Management Node (1)

6


Service Management Node (2)

7

MAGNET Service Management Platform (MSMP)

ServiceDiscovery

Module

INSInteraction

Module

Service Discovery Adaptation sub-Layer

ServiceRanker

SCMFClient

Modified UPnPDevice Module

Modified UPnPControl Point Module

P2PServiceOverlay

(INS/Twine)

INSName

Resolver(INR)

INRName-tree

ServiceRepository

UPnP Interface(SSDP, SOAP, GENA)

SecurityManagement

AAAModule

Police&

ProfileDB

PN-F Service Discovery via the PN Agent To the SCMF

Service Session Management Module


Context Management


Context Management Framework

9

Data Source(Sensors)

Data Source(PHY/MAC

Parameters)

Data Source(…)

Data SourceAbstraction Layer

(DSAL)

Query Subscription

Context Access Layer(CAL)

Secure Context Management Framework

Context Aware ComponentContext Aware

ComponentContext Aware Component

Context Aware Service

Context Aware ApplicationContext Aware

ServiceContext Aware Service

Context Aware ApplicationContext Aware

Application

Response Notification

Context Agent

Communicationwith other Nodes

Data Tier

Middleware Tier

Application Tier


Context Modeling

10

• Common, ontology-based context model, modeling entities

• XML-based representation adding meta information like accuracy or confidence

• Context Access Language• synchronous query• asynchronous

subscribe/notify• modifications


Context Management Architecture

11

Cluster View

InterconnectingInfrastructures

PN View

BCNBasic Context Node

ECN

Enhanced Context Node

CMN

Context Management Node

CMNBCN

BCN

ECN

ECN

Personal Network Federations 1

Personal Network Federations


Personal Network Federation (PN-F)

An agreed cooperation of independent PNs with the purpose of achieving a specific common goal


PN-F for Sharing Photos, Videos, and Printing Services

PN2 PN3

PN1 PN4Jane

PN2 PN3

PN1 PN4Jane


Other PNF Examples

• Disaster relief• Sharing content and services with friends/family• Sharing sensor information for road safety• Assisted living• Sharing access facilities to Internet• Sharing educational material during a class


5

Extended availableservices to C

Initial availableservices to C

Exported services

PN A

PN C

PN B

Initial availableservices to A

Initial availableservices to B

Extended availableservices to A

PN Federation Concept


PN-F Requirements

• Automatic set up, organization and maintenance• Management of memberships and resources• Mechanisms for joining a PN-F• Management of the resources committed to the PN• Service discovery within the scope of the PN-F• Identity management• Access control mechanisms• Security and privacy


PN-F Architecture

Components:• Per PN Federation:

• Federation Manager• PN-F Profile

• Per PN:• Federation Agent• PN-F Participation Profile


PNF managed by one of its members

PN1 PN2

Federation Agent GW GW Federation

Agent

PN-F participationProfile

PN-F profile


FederationManager

CreatorPN1 PN2

Federation Agent

Federation Agent GWGW GWGW Federation

AgentFederation

Agent


PN-F profile


FederationManager

FederationManager

Creator


PNF managed by a third party

PN1 PN2

GW GW Federation Agent


PN-F profile


Creator

FederationManager

Federation Agent

PN1 PN2

GWGW GWGW Federation Agent

Federation Agent


PN-F profile


Creator

FederationManager

FederationManager

Federation Agent

Federation Agent


Life Cycle of a PN-F

Initial

Definition PN-F profile by creator Discovery

Participation

Operation

Dissolution

PN-F Participation profile

Potential member

Joining

Access granted

Tear downEvolution

(Join, leave)


Access Control

Two levels of access control:• First level: When a new member wants to join the

Federation• Second level: When a member wants to access a

service in the Federation


First-Level Access Control

PN1

creator

PN2

Creating PN-F profileCreating PN-F Participation profile Initial phase

Discovery phase

Formation phase

AUTHENTICATION

AUTHORIZATIONPolicy evaluation

Credentials participant

Finding each other

Operation phase

First level access control

FederationAgent

FederationManager

PN-F services available for use

PN1

creator

PN2

Creating PN-F profileCreating PN-F Participation profile Initial phase

Discovery phase

Formation phase

AUTHENTICATION

AUTHORIZATIONPolicy evaluation

Credentials participant

Finding each other

Operation phase

First level access control

FederationAgent

FederationManager

PN-F services available for use


Second-Level Access ControlPN1

creatorPN2

FederationManager

FederationAgent

FederationAgent

PN3

Operation phaseDirectory look up

Service location (PN3)Service RequestMembership credentials

AUTHENTICATION

Authorization policies

Access granted/denied

Second levelAccess control

PN1creator

PN2

FederationManager

FederationManager

FederationAgent

FederationAgent

FederationAgent

FederationAgent

PN3

Operation phaseDirectory look up

Service location (PN3)Service RequestMembership credentials

AUTHENTICATION

Authorization policies

Access granted/denied

Second levelAccess control


Service Provisioning

Network Overlay• Virtual network with all the PN devices and services available in the

Federation

Service Proxy• Services are access at the gateway nodes by means of a service

proxy


Network Overlay

PN1 PN2

GW GW

PN1 PN2

GW GW


Service Proxy

PN1 PN2

client server

ServiceProxy 1

ServiceProxy 2

secure tunnel

GWGW

PN1 PN2

client server

ServiceProxy 1ServiceProxy 1ServiceProxy 1

ServiceProxy 2ServiceProxy 2ServiceProxy 2

secure tunnel

GWGW


Security in PN Federations

• Trust between PN-F Creator and a New Member• Involving the services of a trusted third party (TTP).

Example: Personal Network Directory Service (PNDS)

• Security association between the PN-F Creator and a New Member• Using well-established protocols, as e.g. TLS

• Security Association among Members of the Federation• Group key• PN-F manager as certification authority


Personal Network Directory Service

PN2PN1

Internet

Service operator network

PN directoryservice

PNDS APIPNDS API

PN2PN1

Internet

Service operator network

PN directoryservice

PNDS APIPNDS API


Demonstation of Personal Networks

A Three Cluster Demo


Demo Setup


PN Agent

2


Additional Notes

Personal Networks


Further ReadingEcma Internal TR-102http://www.ecma-

international.org/publications/techreports/E-TR-102.htm

http://www.pn-technology.com/

http://magnet.aau.dk/

7


BookPersonal Networks: Wireless Networking forPersonal DevicesMartin JacobssonIgnas NiemegeersSonia Heemstra de Groot

Wiley

http://www.pn-technology.com/

8

personal networks – a tutorial...personal networks introduction technology drivers • number and...

Documents