Design and Performance Analysis of Sensor Proxy-AAA Authentication Scheme Based on Fast Handover and Forwarding Mode for IP-based Internet of Things

Recently, interest in the Internet of Things (IoT) has been increasing, and a variety of security technologies suitable for the Internet of Things are being studied. In order to maintain the trustworthy connectivity and accessibility of distributed IoT, it is important to establish secure links for end-to-end communication with proper authentication. AAA technology is currently the best way of resolving the delay issue when introducing an authentication process into mobile switching. However, a number of issues remain, among which the delay caused by authentication and authorization greatly influences the process. AAA application in a mobile IP environment cannot fluently support continuous and fast handover in both intra-domain and inter-domain. Mobile IPv6 (MIPv6) is a host-based protocol supporting global mobility. On the other hand, Proxy Mobile IPv6 (PMIPv6) is a network-based protocol supporting localized mobility. This paper explains the additional cost arising from the combination of PMIPv6 with authentication, authorization and accounting (AAA), and the way of reducing the extended delay time. First, a new authentication scheme (Proxy-AAA) is proposed that supports forwarding mode and fast handover mode between different local mobility anchors (LMAs). Second, a cost analysis model based on Proxy-AAA is configured. Based on theoretical analysis, it was confirmed that the cost is affected by the average arrival rate and the residence time.

Received on 26 November 2016; accepted on 13 July 2017; published on 13 September 2017

Introduction
Recently, interest in the Internet of Things (IoT) has been increasing, and a variety of security technologies suitable for the Internet of Things are being studied. In particular, the sensor network area is seeing increased use of, and diversification into, low-specification devices because of the characteristics of the Internet of Things. Many entities carrying sensor nodes may move around in a real-world environment, thus making the IoT devices attached to them mobile. In order to maintain the trustworthy connectivity and accessibility of distributed IoT, it is important to establish secure links for end-to-end communication with proper authentication. Due to the open nature of the Internet of Things, the security issue of authenticating users who access the wireless network is extremely important. AAA technology is currently the best way of resolving the delay issue when introducing an authentication process into mobile switching [1,2]. However, despite the long development of AAA technology, mobility management in wireless network environments has yet to be researched further. With the spread of MIPv6 networks and the development of new access technologies, the UDP-based Remote Authentication Dial-In User Service (RADIUS) protocol can no longer satisfy the requirements. The Diameter protocol, an improved version of RADIUS, provides greatly improved failure recovery, security and reliability [3]. However, the delay from the authentication and authorization process greatly influences the process, and AAA application in mobile IP has a number of issues, such as failing to support continuous and fast handover in both intra-domain and inter-domain [4][5][6][7]. Moreover, another mobility management protocol called PMIPv6 is in the limelight. PMIPv6 is an enhancement of MIPv6 and provides network-based localized mobility management with support for legacy mobile devices [8]. Because its characteristics differ from those of MIPv6, PMIPv6 can be introduced along with MIPv6.
For example, MIPv6 can be used for global mobility while PMIPv6 can be used for intra-domain mobility [9]. To address the shortcomings of the above-mentioned schemes, this paper presents a Proxy-Authentication Authorization Accounting (Proxy-AAA) authentication scheme. In the proposed technique, the AAA server is implemented on the Local Mobility Anchor (LMA) to realize fast handover authentication and hierarchical authentication, as well as to reduce the intra-domain authentication cost [10, 11]. The performance of Mobile IPv6 (MIPv6) and of the Proxy-AAA scheme was evaluated in order to select the appropriate protocol; network status and mobility parameters can then be used to choose the better protocol. For the proposed Proxy-AAA, the signaling overhead is always less than with the traditional AAA method. Also, in cases where the Mobile Node (MN) moves farther away from the home domain, the proposed scheme is more efficient than the traditional AAA scheme [12, 13]. We first describe and compare basic MIPv6 and PMIPv6 and describe the 6LoWPAN network in Section 2. In Section 3, we introduce our proposed Proxy-AAA and the protocol selection scheme. In Section 4, the performance of the traditional AAA scheme and the proposed Proxy-AAA scheme is compared. Section 5 concludes the paper with a summary of the key results of this work.

Comparison of MIPv6 and PMIPv6
MIPv6 supports host-based mobility for the MN and reduces the high mobility signaling overhead when the MN performs frequent handovers between subnets [14, 15]. PMIPv6 was proposed to reduce signaling overhead using network-based mobility management, without the need for a host-based mobility stack at the MN. However, PMIPv6 only supports intra-domain mobility and cannot support global mobility between domains. Figure 1 shows the architectures of MIPv6 and PMIPv6 [16]. MIPv6 supports mobility for the MN by providing it with at least two addresses: a fixed address called the Home Address (HoA) is provided to the Home Agent (HA), and a Care-of Address (CoA) is obtained from the foreign access network and changes when the MN moves to a new subnet. Unlike MIPv6, PMIPv6 introduces two major elements: the Local Mobility Anchor (LMA), which manages the mobility-related signaling of the MN, and the Mobility Access Gateway (MAG). When the MN hands over and changes its access point from the current MAG to another MAG, it can keep using the address it obtained from the previous MAG. Therefore, PMIPv6 provides a network-based solution for handling the MN's localized mobility within a Local Mobility Domain (LMD). PMIPv6 employs the per-MN-prefix model: the Home Network Prefix (HNP), the unique prefix allocated to each MN, is not shared with other MNs. When the MN moves within the PMIPv6 domain, the prefix follows the MN, so that, except for the MN's first access to the PMIPv6 domain, no network-layer movement detection or address configuration process is required. Thus the handover latency and signaling overhead can be reduced significantly. Also, because the MN is not involved in mobility-related signaling in the PMIPv6 environment, the two-way tunnel is established between the LMA and the MAG instead of with the MN. As a result, the location privacy of the MN can be assured [17].

6LoWPAN
The Internet Engineering Task Force (IETF) defined IPv6-based Low-power Wireless Personal Area Networks (6LoWPAN), an IPv6-based LoWPAN built on IEEE 802.15.4 for communication with the Internet. 6LoWPAN is an IP sensor networking technology that achieves low power and low cost; it is therefore a technology for wireless environments running IP-based applications. Conventional sensor network technology is poorly compatible with IP networks. On the other hand, 6LoWPAN, which is one of the IP-USN technologies, has the advantage that it may be linked directly with the existing Internet infrastructure of IPv4, IPv6, WiBro, WiFi, etc. With its vast address space, 6LoWPAN allows global connectivity between a large number of IPv6 intelligent devices over large areas. The protocol also enables the nodes to be self-organized, i.e. they can perform self-detection, self-healing and self-configuration without human intervention [18]. Figure 2 shows the architecture of a 6LoWPAN network.

Operation procedures of sensor Proxy-AAA
Adapting authentication into the mobile IP handover process can lead to excessive cost, and current solutions cannot sufficiently meet these requirements. To deal with these issues, this study proposes an advanced AAA authentication scheme based on Mobile IPv6. The proposed technique supports quick authentication and introduces the concept of hierarchical AAA to mobile IP combined with the Diameter protocol. In this technique, the AAA server is implemented on the Local Mobility Anchor (LMA) to realize simple and fast handover authentication and hierarchical authentication, as well as to reduce the intra-domain authentication cost. The Proxy-AAA technique improves the previous authentication schemes and binding update methods in the intra-domain handover and authentication process as well as in the inter-domain process [19]. In the intra-domain handover and authentication process, Proxy-AAA reuses the session key based on the LMA of HMIPv6. In the inter-domain handover and authentication process, the proposed Proxy-AAA scheme adopts a direct transmission strategy between LMAs and chooses the strategy of reusing the session key held on the AAA server [20]. As shown in Figure 3, because information can be delivered directly between LMAs in close vicinity, the control overhead of the overall system is reduced compared to communication via the HA.
When an MN moves into a network region, from left to right in the figure, it passes LMA1 and LMA2 and finally reaches LMA3. When the MN reaches LMA2, it immediately sends a BU message to LMA2, which makes LMA2 respond to LMA1. Upon receipt of the message, LMA1 compares it with the entries in its LMA list, requests information on the MN, and updates the current LMA address of the MN. This is followed by direct transmission of packet data from LMA1 to LMA2, without involving the HA. Figure 4 shows the specific flow of the intra-domain handover process. Let us assume that data generated by sensor nodes within the network is collected by adding a fixed data collection function called the Resource Directory (RD) at the MN. Also, because each sensor node registers its node name, type and lifetime in the RD, the RD holds information on all nodes. The MN delivers the collected data to the information consumer via internetworking. On receiving notification from the MN, the nMAG sends an authentication request message to the pMAG in order to reuse the session key [21]. On receiving the request message, the pMAG encrypts the session keys S_MN−MAG and S_MAG−HA using K_pMAG−LMA and then delivers them to the LMA. The LMA saves the received session keys and returns the response message on session key reuse to the nMAG. The nMAG delivers the received response message to the pMAG and sends a PBU message to the LMA. On receiving the PBU message, the LMA delivers to the nMAG a PBA including the session keys S_MN−MAG and S_MAG−HA encrypted using K_nMAG−LMA. The nMAG delivers the encrypted session keys to the MN. At this point, a reliable binding update channel between the MN and the LMA is formed. In addition, Figure 5 gives the specific message flow of the inter-domain handover.

Protocol selection
To select the most appropriate mobility management protocol, both the mobility management protocol provided by the network and the MN's own mobility management protocol environment need to be taken into consideration. In the authentication process, the MAG searches the MN's profile for the MN's preference. If the MN's preferred protocol matches what the access network provides, the matching protocol is selected [22]; otherwise, the MN's preference has the higher priority. If the MN has no preference, the network is responsible for assessing the performance of basic MIPv6 and the Proxy-AAA technique and selecting the appropriate protocol.
To evaluate the performance of basic MIPv6 and the Proxy-AAA scheme, the related path latency is probed by the MAG. While probing the path, the MAG sends two types of probing messages to the LMA several times. One is sent through the nLMA and then redirected to the pLMA, and the related round-trip time (RTT) is denoted RTT_proxy-AAA. The other probing message is sent directly to the pLMA, and the related RTT is denoted RTT_mip. The average RTT of the MIPv6 path (z_n) after n rounds of path probing is calculated as a weighted average, where α reflects the significance of past events in the calculation. For example, we set α to 0.8 in this paper, and then the most recent value z_{n−1} contributes to the calculated z_n value with 20% weighting. This avoids hysteresis if the value of α is carefully selected [23]. The variable z is initialized with the following value:
In a similar manner, the average RTT for the Proxy-AAA scheme is calculated and denoted t_n. When the path latency of MIPv6 is much smaller than that of the Proxy-AAA technique and the MN hands over at a lower frequency, the performance of MIPv6 will be the better.
On the other hand, when the latency of MIPv6 is not much smaller than the latency of the Proxy-AAA technique and the MN hands over at a higher frequency, the performance of the proposed Proxy-AAA technique will be the better. Protocol selection can thus be used to choose the better protocol according to the network conditions and mobility parameters.
Here, N_h is the handover frequency, the value of t_n − z_n / N_h is used as the quality indicator to judge which protocol can provide the better performance, and H_t is the quality threshold that determines which protocol should be selected.
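The MAG-side probing and selection logic described above, as an added example that is not part of the paper. The paper's own recurrence for z_n did not survive extraction, so the EWMA form used here is an assumption chosen so that with α = 0.8 the previous average z_{n−1} contributes 20%, as the text states; grouping the indicator as (t_n − z_n)/N_h and selecting MIPv6 when it exceeds H_t are likewise assumptions, and the RTT samples are constructed.

```python
# Added example (not from the paper): EWMA RTT smoothing and protocol
# selection. The recurrence z_n = alpha*RTT_n + (1-alpha)*z_{n-1} is an
# assumption consistent with the text's "z_{n-1} contributes 20%" statement.

ALPHA = 0.8  # weight of the newest probe; the paper sets alpha = 0.8


def ewma(prev, sample, alpha=ALPHA):
    """z_n = alpha * RTT_n + (1 - alpha) * z_{n-1} (assumed recurrence)."""
    return alpha * sample + (1.0 - alpha) * prev


class PathProbe:
    """Running RTT averages kept by the MAG for the two probed paths."""

    def __init__(self):
        self.z = None  # average RTT of the direct path to pLMA (RTT_mip)
        self.t = None  # average RTT via nLMA redirected to pLMA (RTT_proxy-AAA)

    def observe(self, rtt_mip, rtt_proxy_aaa):
        """Feed one probing round; the first round initialises both averages."""
        self.z = rtt_mip if self.z is None else ewma(self.z, rtt_mip)
        self.t = rtt_proxy_aaa if self.t is None else ewma(self.t, rtt_proxy_aaa)
        return self.z, self.t


def quality_indicator(t_n, z_n, n_h):
    """Latency advantage of the direct MIPv6 path per unit handover frequency.
    Grouping as (t_n - z_n) / N_h is an assumption about the page's formula."""
    if n_h <= 0:
        raise ValueError("handover frequency N_h must be positive")
    return (t_n - z_n) / n_h


def select_protocol(mn_preference, t_n, z_n, n_h, h_t):
    """Selection order from the text: the MN's profile preference wins when
    present; otherwise the network compares the indicator with threshold H_t.
    The direction of the comparison (indicator > H_t -> MIPv6) is assumed."""
    if mn_preference is not None:
        return mn_preference
    if quality_indicator(t_n, z_n, n_h) > h_t:
        return "MIPv6"      # direct path much faster and few handovers
    return "Proxy-AAA"      # otherwise localized handover wins


def simulate(rounds, n_h, h_t, mn_preference=None):
    """Run several probing rounds (rtt_mip, rtt_proxy_aaa pairs) and decide."""
    probe = PathProbe()
    z = t = None
    for rtt_mip, rtt_proxy in rounds:
        z, t = probe.observe(rtt_mip, rtt_proxy)
    return select_protocol(mn_preference, t, z, n_h, h_t), z, t


if __name__ == "__main__":
    # constructed RTT samples in ms: direct path ~80 ms, redirected ~120 ms
    print(simulate([(100, 120), (80, 120), (80, 125)], n_h=2, h_t=10))
```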

System Modeling
In this scheme, we construct an AAA server on the LMA residing in the visited domain (AAAV), and this AAA server is wholly responsible for the accounting, authentication and authorization of the MAGs in the LMA's domain. In the Proxy-AAA method, the overhead of the entire system is composed of two parts: the signaling control overhead C_signal and the data transmission overhead C_packet. The signaling control overhead is in general composed of the authentication signaling control overhead C_auth and the registration signaling control overhead C_reg, and C_reg is mainly made up of the data transmission overhead from the CN to the MN (C_CN−MN). Figure 6 shows the network topology of a specific Proxy-AAA deployment used for the system overhead analysis. As shown in Figure 6, the proposed hospital contains three floors, each with two wards. The hospital is considered as one SPMIPv6 domain, in which sensor nodes are deployed on the patient's body as well as over the environment, and ARs are used to control the wards. Patients can receive real-time care while moving between rooms, wards and floors, or when a patient moves to another branch of the hospital.
Here, α refers to the average rate of packet data transmitted from the CN to the MN (the average arrival rate of packet data), and β is the average switching rate of an MN when it transfers from one subnet to another, referred to as the MN's switching rate per unit time [24]. Assuming that the number of packets transmitted from an MN to a CN remains constant, we can express the packet-to-mobility ratio (PMR) of the packets received by the MN as p = α/β; p = α/β also refers to the average number of packets received by a peer CN. PMR is the ratio of the packet arrival rate to the mobility rate, and it is a crucial indicator for the present study. The larger the PMR, the larger the arrival rate is relative to the mobility rate, meaning that the data transmission cost becomes larger. When the PMR becomes smaller, the arrival rate becomes smaller relative to the mobility rate, meaning that the binding update cost becomes larger. Also, the average length of data packets is denoted l_d and that of signaling packets l_s; their ratio is l = l_d/l_s. For convenience of calculation, l_d = 1024 B and l_s = 100 B are set, using the parameters offered by [25]. The overhead of transmitting signaling packets is associated with the distance between entities, while the overhead required for a data packet transmission should be l times that for a signaling packet transmission.
The present study adopts a 10 Mbit/s Ethernet LAN for the wired network environment and a 2 Mbit/s single-hop WLAN for the wireless environment. For the calculation of time delays in wired and wireless links, we use an empirical formula, expressed by T_rt(h, k) and W_rt(k) respectively:
T_rt(h, k) = 3.63k + 3.21(h − 1), W_rt(k) = 17.1k (6)
where k is the packet length in KB (kilobytes) and h is the number of routing hops. The following assumptions are made: η represents the cost of signaling packets in wired transmission per unit distance, and the corresponding cost in wireless transmission is 10η. In addition, σ represents the cost of data packets in wired transmission per unit distance, and the corresponding cost in wireless transmission is 5σ.
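The delay and cost bookkeeping of the system model above, as an added example that is not part of the paper. Equation (6), the packet lengths l_d and l_s, and the η/σ unit-cost rules come from the text; describing a route as a count of wired hops plus an optional wireless last hop, and charging the wired per-unit-distance rate once per hop, are assumptions made for illustration.

```python
# Added example (not from the paper): delay model of eq. (6) and the
# signaling/data cost rules of the system model, with an assumed hop-based
# route description.

L_D_BYTES = 1024   # average data packet length l_d
L_S_BYTES = 100    # average signaling packet length l_s
L_RATIO = L_D_BYTES / L_S_BYTES   # l = l_d / l_s = 10.24


def kb(n_bytes):
    """Convert a byte count to the KB unit used by equation (6)."""
    return n_bytes / 1024


def t_rt(h, k):
    """Wired delay of a k KB packet over h routing hops: 3.63k + 3.21(h - 1)."""
    return 3.63 * k + 3.21 * (h - 1)


def w_rt(k):
    """Single-hop wireless (WLAN) delay of a k KB packet: 17.1k."""
    return 17.1 * k


def path_delay(wired_hops, n_bytes, wireless_last_hop=True):
    """One-way delay of a packet: wired segment plus the MN's wireless hop.
    Assumption: the route is h wired hops followed by at most one wireless hop."""
    k = kb(n_bytes)
    delay = t_rt(wired_hops, k) if wired_hops > 0 else 0.0
    if wireless_last_hop:
        delay += w_rt(k)
    return delay


def path_cost(wired_hops, wireless_last_hop, kind, eta=1.0, sigma=1.0):
    """Transmission cost of one packet under the model's unit costs:
    signaling costs eta per wired hop and 10*eta on the wireless hop, data
    costs sigma per wired hop and 5*sigma on the wireless hop.
    Assumption: one wired hop counts as one unit of distance."""
    if kind == "signal":
        return eta * wired_hops + (10 * eta if wireless_last_hop else 0.0)
    if kind == "data":
        return sigma * wired_hops + (5 * sigma if wireless_last_hop else 0.0)
    raise ValueError("kind must be 'signal' or 'data'")


def pmr(alpha, beta):
    """Packet-to-mobility ratio p = alpha / beta."""
    if beta <= 0:
        raise ValueError("switching rate beta must be positive")
    return alpha / beta


def session_cost(n_data, n_signal, wired_hops, wireless_last_hop=True):
    """Total cost of n_data data and n_signal signaling packets on one route."""
    return (n_data * path_cost(wired_hops, wireless_last_hop, "data")
            + n_signal * path_cost(wired_hops, wireless_last_hop, "signal"))


if __name__ == "__main__":
    # pedestrian (beta = 0.01) vs vehicle (beta = 0.2) at one packet per second
    for beta in (0.01, 0.2):
        print(f"beta={beta}: PMR={pmr(1.0, beta):.0f}")
    print(path_delay(3, L_D_BYTES), path_delay(3, L_S_BYTES))
```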
The MN's mobility is described by the simple fluid-flow model. It is assumed that the area covered by the LMA is a 150 m × 150 m square. When a pedestrian walks at 3 miles/hour (mph), β = 0.01; when a vehicle travels at 60 mph, β = 0.2.
As the suggested Proxy-AAA scheme aims to reduce the signaling overhead generated in the authentication and registration processes, this section compares Proxy-AAA with the traditional AAA scheme. Note that the traditional AAA is defined as a simple combination of HMIPv6 and AAA. The relevant parameters and definitions are shown in Table 1, among them the signaling processing costs of the MAG, the HA (P_HA), the LMA (P_LMA) and the AAA server (P_AAA). Assuming that the MN moves out of the LMA region m times in a certain period of time, authentication is performed m times: the earlier m − 1 authentications are intra-domain authentications, and the last one is an inter-domain authentication. Suppose that the authentication events resulting from the MN's movement follow a Poisson distribution with rate λ. Assuming that the time for which the MN stays in the region of an LMA follows a Gamma distribution whose density function f(t) has expectation 1/µ and variance v, its Laplace transform can be expressed as follows. Note that f(t) reduces to the exponential distribution if µ²v = 1. In that case, the expected number of authentications (m) can be expressed as follows.
Through cost model analyses based on HMIPv6, the inter-domain and intra-domain signaling overhead of a binding update under PMIPv6 can be expressed as follows.
In addition, the authentication delay under the traditional AAA method can be expressed as follows.
Through this analysis, the entire signaling overhead in the LMA region under the traditional AAA scheme can be expressed as follows.
Through the analysis of the proposed Proxy-AAA scheme, the entire signaling overhead of its LMA region can be expressed as follows. Under the proposed Proxy-AAA scheme, the binding update signaling cost incurred by MN movements between LMA domains is assumed to be expressed as follows.
When the Proxy-AAA scheme is used, the LMA coexists with the AAAV. Assuming l_LMA−AAA = 0, the authentication signaling overhead for inter-domain and intra-domain can be expressed as follows.
Assuming that the ratio of the signaling overhead of the Proxy-AAA scheme to that of the traditional AAA scheme is R, R can be expressed as R = C_signal−proposed / C_signal−traditional. The

Numerical Results
This section compares the system overhead. The specific parameters and values are shown in Table 2. First of all, we model the MNs as a vehicle and a pedestrian, analyzing their different data packet transmission overheads individually. Figure 7 shows the data packet transmission overhead when the MNs are pedestrians (β = 0.01) and vehicles (β = 0.2). We can see that the data packet transmission overhead C_packet increases as the PMR p increases. Figure 8 shows how the data packet transmission overhead changes for PMR values of p = 10, p = 50 and p = 100. We can see that as the average switching rate of the moving MN increases, the data packet transmission overhead C_packet increases. Figure 9 analyzes the average signaling overhead of Proxy-AAA. It shows that the signaling overhead C_signal increases as the arrival rate of authentication events λ increases: frequent arrival of MNs raises the arrival rate of authentication events, which means more intra-domain authentications in the LMA domain and more registration signaling overhead. Figure 10 analyzes the average signaling overhead of Proxy-AAA against the residence time. It shows that an increase in residence time leads to a reduced signaling overhead C_signal. Figure 11 analyzes the signaling overhead ratio R between the Proxy-AAA and traditional AAA schemes. It shows that R is less than 1 at all times; in other words, the signaling overhead of the proposed Proxy-AAA scheme is always smaller than that of the traditional AAA scheme, regardless of whether the MN moves between domains or within the same LMA region. Figure 12 shows the changes in the signaling overhead ratio between the traditional AAA scheme and the Proxy-AAA scheme for A_AAAV−AAAH = 10, A_AAAV−AAAH = 50 and A_AAAV−AAAH = 100, respectively.
This shows that an increase in the arrival rate of authentication events reduces the signaling overhead ratio between the proposed Proxy-AAA scheme and the traditional AAA scheme. Figure 13 shows the analysis of the entire overhead as the PMR p increases (β = 0.01, λ = 1). For a moving pedestrian (β = 0.01), we can see that as the value of p increases, the entire overhead C_total increases. Figure 14 shows the analysis of the entire overhead as β increases. With the PMR fixed, we can see that as the value of β increases, the entire overhead C_total increases.

Conclusions
In this paper we proposed a sensor Proxy-AAA authentication scheme based on fast handover and forwarding mode for the IP-based Internet of Things. In this study, we explained the way of reducing the long delay time and the additional overhead caused by the movement of a mobile device in a mobile IP environment by combining AAA and PMIPv6. This scheme establishes a safe handover by efficiently reducing the signaling overhead generated by authentication processes. We confirmed that fast mobility mode and forwarding mode between various LMAs are supported. Moreover, the overall signaling overhead analysis showed that the proposed Proxy-AAA scheme always has a smaller value than the previous traditional AAA scheme, hence enabling efficient movement between domains by an AAA authentication scheme in forwarding mode on PMIPv6 supporting local mobility. Also, during movement between LMA domains, it was confirmed that the farther the distance between the RAAAS (Root AAA Server) and the home domain, the higher the performance efficiency.
Figure 13. Total overhead (p = 30, λ = 1).