Nevertheless, the security task group has developed security extensions and mechanisms under the IEEE 802.21a amendment in order to provide confidentiality for MIH messages and authentication to the neighboring network before handover initiation. The next challenge that rises here is how to reduce the impact of such operations (which are based on asymmetric cryptography), especially that of the latency of media access authentication and key establishment during handover. Indeed, considering the stringent latencies and availabilities of the RCPs discussed in Chapter 2, a trade-off between security and QoS has to be found.

Figure 3.4 illustrates a potential protocol stack of a node employing the MIH framework in the scope of the FCI. The MIHF provides services to MIH users through a single MIH_SAP and obtains services from the lower layers through three MIH_LINK_SAPs, where each one is dedicated to a data link system. The exchanges between the local MIHF and a remote MIHF occur using the MIH_NET_SAP interface, which provides transport services over the data plane on the local node. For all transport services over layer 2, the MIH_NET_SAP uses the primitives specified by the MIH_LINK_SAP.

Figure 3.4. MIHF architecture model and MIH services for the FCI

3.3.1. IP mobility requirements for the FCI

IP mobility protocol candidates for a future usage in the future aeronautical network should be compliant with several requirements. The first one is the service or session continuity. This property implies a smooth and transparent handover delivered to high layer protocols and final users.

As IP mobility protocols have been designed with mobility needs in mind, most of them fulfill this requirement. At first glance, the existing IP mobility protocols are suitable to any wireless communication environment, but there are prominent differences between terrestrial commercial mobile networks (e.g. GSM) and aeronautical mobile networks.

Indeed, an aircraft has to be considered as a moving mobile subnetwork, in the sense that there will be several network entities (e.g. routers and end systems) attached to it. Then, the IP mobility protocols should provide several network prefixes for a complete set of systems inside the same onboard network. Scalability is also a prerequisite, meaning that the protocol itself should induce the lowest overhead and end-to-end delay as possible.

The latter property implies that route establishment and packet forwarding operations after a handover must keep the convergence time at a minimum.

Security and safety are strongly related, especially in the aeronautical context. From a malicious behavior point of view, protocol operations, such as IP allocation, IP addresses and prefixes claim, and handover management, should be secured using cryptography, for instance. Safety is relevant to reliability and availability of operational services, thus IP mobility protocols should integrate fault-tolerant techniques. Redundancy could be complemented physically or logically. For instance, in order to provide a network level safety, Hot Standby Router Protocol (HSRP) [LI 98] or Virtual Router Redundancy Protocol (VRRP) [NAD 10] can be an interesting alternative to be implemented at the default gateway. Load balancing is also another way to reach the required QoS and high availability for operational services. Consequently, IP mobility protocols that provide these services are strongly preferred for the FCI.

3.3.2. IP mobility candidate solutions

In this section, protocols are investigated according to their suitability to the FCI. Rather than discussing each IP mobility protocol one by one, a

classification is provided. For a complete and recent survey on solutions for mobility support over the Internet discussed in this section, [ZHU 11] is a recommended reading.

Existing IP mobility protocols can be classified into routing-based approaches and mapping-based approaches. Routing-based approaches state that each node has a fixed IP address during the mobility procedure regardless of its geographical position. In order to do so, the protocol has to provide a continuous monitoring of mobile movement and frequently update the routing tables. This will help a packet that carries the fixed IP address to be delivered accurately to the destination according to its location. The mobile location information can be exchanged and maintained either using a proactive broadcast message (all nodes in the network are informed of a change of the location) or a host-based path mechanism like in Terminal Independent Mobility for IP (TIMIP) or HAWAII protocols.

While routing-based approaches always provide a route to the destination, high availability and a good level of safety for operational services, they are not scalable to large networks, which is the case of the FCI where a countless number of aircrafts have to be maintained. Instead of keeping track of each mobile position, mapping-based approaches provide a dynamic IP address that is mapped to a unique identifier for each node.

Well-known IP mobility protocols that belong to this category are Mobile IP, Network Mobility (NEMO) and Proxy Mobile IP (PMIP). Wide-area IP Network Mobility (WINMO) is a hybrid IP mobility protocol as it combines both routing-based and mapping-based approaches. In order to prevent frequent routing updates coming from Interior Border Gateway Protocol (iBGP), especially when a handover occurs between two subnetworks, a central Designated BGP-speaking Router (DBR) is designated and acts pretty much like a Home Agent (HA) in MIP. Each packet is forwarded to the DBR whenever it enters the Autonomous System (AS), and then tunneled to the final destination without any need for a routing update message.

3.3.3. IP mobility: open issues

Despite the good applicability of existing IP mobility protocols with regard to the FCI, there are still issues which need to be addressed. The first issue concerns the deployment difficulty that might be faced in operational

environments. Indeed, most of existing IP mobility protocols are still not deployed in any commercial network; they only exist on papers but are never used in a real context. Thus, the maturity of these mobile solutions still needs to be proven before being reused in an operational environment. Besides, coverage and high availability are very important requirements for data link communications, meaning that a massive implementation of ground stations supporting mobility has to be done.

The second issue concerns the transport layer. Service continuity is more or less supported by existing IP mobility protocols, since they have been designed to keep the Transport Control Protocol (TCP) sessions up during movement. However, routing-based and mapping-based protocols do not have the same complexity with regard to session continuity: while routing- based approaches do not need any further modification on the transport layer because of the use of fixed IP addresses, mobility has to be “hidden” somehow to the transport layer in mapping-based protocols by using a Home Address (HoA). Another possibility is to modify the used TCP protocol version on both ends so that end entities can switch from one IP address to another (when a handover occurs) to keep the session active.

Needless to say that this alternative is too expensive and in, some cases, could be unfeasible as not all existing systems (especially the ones on the ground) are approved for modification. Last but not least, security is not a built-in feature in IP mobility protocols. Authorization, Authentication, and Accounting (AAA) servers, such as Remote Authentication Dial In User Service (RADIUS) [DEK 13], can be interesting alternatives to start with as they have been designed to provide pillar services, such as entity authentication, data integrity and confidentiality.

3.4. Traffic segregation