A Cross-Layer Key Management Scheme for MIPv6 Fast Handover over IEEE 802.11 Wireless LAN

A new key management and security scheme is proposed that integrates Layer Two (L2) and Layer Three (L3) keys for secure and fast Mobile IPv6 handover over IEEE 802.11 Wireless Local Area Networks (WLAN). Unlike the original IEEE 802.11-based Mobile IPv6 Fast Handover (FMIPv6), which requires a time-consuming IEEE 802.1x-based Extensible Authentication Protocol (EAP) authentication on each L3 handover, the proposed scheme requires only one 802.1x-EAP authentication regardless of how many L3 handovers occur, and therefore reduces the handover latency caused by the lengthy 802.1x-based EAP exchange. The scheme is analyzed in terms of security and performance and is shown to be more secure than previously proposed schemes.


Introduction
Mobile IPv6 Fast Handover (FMIPv6) [1] has been proposed to minimize the delay induced by the handover operations of Mobile IPv6 [2]. When a wireless Mobile Node (MN) changes its attachment point to a new Access Router (AR), IP connectivity can be provided in advance of the actual Mobile IP registration by tunneling data between the current and the target access routers. The basic idea behind FMIPv6, which is a kind of Layer Three (L3) handover, is to leverage information from Layer Two (L2) technologies such as IEEE 802.11 [3] to either predict or rapidly respond to a handover event. On the other hand, a wireless MN attached to an AR via an Access Point (AP) can move to a new AP without changing its attachment to the AR. In this case an L2 handover occurs, and the MN must reassociate and authenticate with the new AP using the IEEE 802.1x-based Extensible Authentication Protocol (802.1x-EAP) [4]. Given that an L2 handover is also induced whenever an L3 handover occurs, IEEE 802.11-based FMIPv6 [5] has been proposed and analyzed in terms of its handover latency [6, 7].
There are two security issues associated with IEEE 802.11-based FMIPv6. The first is establishing an L3 key between the MN and the new AR on each L3 handover. With this L3 key, the L3 signaling messages used to establish the tunnel between the current and the target AR can be authenticated. In particular, a compromise of the current L3 key should not induce that of the future L3 key, so as to suppress the domino effect. Several security mechanisms [8-10] have been proposed to establish the L3 key, but they have weaknesses in terms of security and efficiency. The second issue is reducing the authentication delay caused by the L3 handover. The MN would perform a lengthy 802.1x-EAP authentication with the AAA (Authentication, Authorization, and Accounting) server on each L3 handover, since each L3 handover also induces an L2 handover. As a result of a successful 802.1x-EAP authentication, an L2 key is shared and used for mutual authentication between the MN and the new AP. Since the L2 and L3 keys are generated and managed independently, key management for IEEE 802.11-based FMIPv6 becomes complex. A simplified key management scheme [10] that derives the L2 key from the L3 key has been proposed to reduce the authentication delay. However, it still requires the MN to interact with the AAA on each L3 handover, and it has a security problem in that a session hijacking attack is feasible, as will be shown in this paper.
A new key management and security scheme is proposed to secure the IEEE 802.11-based FMIPv6 signaling messages. The contribution of this paper is twofold. First, a new L3 key establishment scheme is proposed that is secure against a variety of session hijacking and redirection attacks even when an L3 key is compromised. Second, unlike the original IEEE 802.11-based FMIPv6, where the MN performs a full IEEE 802.1x-EAP authentication with the AAA on each L3 handover, the proposed scheme requires only one IEEE 802.1x-EAP authentication regardless of how many L3 handovers occur, and therefore reduces the handover latency caused by the lengthy IEEE 802.1x-EAP authentication. The proposed key management scheme is cross-layer in the sense that the L2 keys are derived from the L3 key. Section 2 introduces the background of FMIPv6 over IEEE 802.11 WLAN and related work. The new key management and security scheme is proposed in Section 3 and analyzed and compared with previous schemes in terms of security and performance in Sections 4 and 5. Concluding remarks are given in Section 6.

FMIPv6 over IEEE 802.11 WLAN and Related Works
2.1. FMIPv6 over IEEE 802.11 WLAN. We consider the network environment of Figure 1(a), where the subnet of each AR comprises one or more APs. When the MN moves from AP_0 to AP_1, both an L3 and an L2 handover occur; namely, the MN's subnet changes from subnet 0 to subnet 1. Suppose an L2 handover from AP_0 to AP_1 is anticipated, as in Figure 1(b). By exchanging the Router Solicitation for Proxy Advertisement (RtSolPr) and Proxy Router Advertisement (PrRtAdv) messages, the MN configures a new care-of address (CoA), CoA_1, from the subnet prefix Prefix_1 of AR_1. The MN then sends a Fast Binding Update (FBU) message requesting AR_0 to forward packets destined for the MN to AR_1 (Figure 1(c)). A tunnel is established between AR_0 and AR_1 by exchanging Handover Initiate (HI) and Handover Acknowledgment (HAck) messages (Figure 1(c)); the HI message carries the MN's current CoA, CoA_0, and the new CoA, CoA_1, to be used on the subnet of AR_1. Packets for the MN start to flow to AR_1 and are buffered there. A Fast Binding Acknowledgment (FBack) message is then sent to the MN to notify it that the tunnel has been established.
The remaining steps are shown in Figure 1(c). When the MN is finally disconnected from AP_0, that is, when the L2 handover occurs, it reassociates with AP_1 and performs a full IEEE 802.1x-EAP authentication with the AAA. If this succeeds, L2 key distribution starts from the MSK_1 shared between the MN and the AAA: the PMK_1 truncated from MSK_1 is securely distributed to AP_1, and a 4-way Handshake based on PMK_1 is performed between the MN and AP_1. At this point the MN is attached to the subnet of AR_1 (subnet 1) through AP_1. Finally, the MN sends an Unsolicited Neighbor Advertisement (UNA) message requesting AR_1 to deliver the buffered packets forwarded from AR_0. The fields inherent to the L3 signaling messages (e.g., RtSolPr) are intentionally omitted here for simplicity; they are shown together with the security-related fields when the mechanism used to secure them is discussed.

2.2. Threat Models and Problem Statements.
Without proper protection of the L3 signaling messages in FMIPv6 (the exchanges with AR_0 and with AR_1 in Figure 1), an adversary can forge or modify them to mount a variety of redirection attacks. Unless the previous AR (AR_0 in Figure 1) can verify that the FBU message comes from an authorized MN, legitimate traffic for the MN might be redirected to the adversary. Furthermore, the packets for the MN can be redirected to any other host to execute a flooding attack against it or against the subnet to which it belongs. The adversary can also forge the UNA message to steal the traffic destined for the legitimate MN. To prevent these attacks, security associations must be established between the MN and the ARs: an L3 key shared between the MN and AR_0 is used to authenticate the L3 signaling messages exchanged with AR_0 in Figure 1 (RtSolPr, PrRtAdv, FBU, and FBack), while the UNA message exchanged with AR_1 is authenticated with another L3 key shared between the MN and AR_1. Therefore, an L3 key distribution protocol must be embedded into the original 802.11-based FMIPv6. In particular, the domino effect should be suppressed in case of L3 key compromise; namely, the compromise of the current L3 key should not induce that of the future L3 key. On the other hand, the 802.1x-EAP authentication (Figure 1) lets the MN share a new L2 key, through the AAA, with the new AP attached to the target AR; the L2 key is used for mutual authentication between the MN and the new AP. However, the authentication delay caused by 802.1x-EAP is a major source of the handover delay, since 8 messages must be exchanged between the MN and the AAA when the EAP-Transport Layer Security (TLS) method is used. Hence, if 802.1x-EAP can be skipped on each L3 handover of IEEE 802.11-based FMIPv6, the overall handover delay can be greatly reduced.

2.3. Previous Works.
Several security schemes [11-13] have been investigated for sharing the L2 key that protects L2 signaling messages; they are based on a ticket concept, a key-hiding technique, and an authentication server, respectively. A security scheme [8] based on Cryptographically Generated Addresses (CGA) has been proposed to secure the L3 signaling messages exchanged with AR_0 (Figure 1). A CGA is formed by taking the IPv6 subnet prefix of the node's subnet and combining it with an interface identifier formed as the hash of the node's public key. The L3 key generated by AR_0 is encrypted under the MN's public encryption key and sent to the MN; both the RtSolPr and PrRtAdv messages are protected by digital signatures, while the FBU message is protected by the symmetric key. The exchange is given in (1); the notation is defined in the Notations section. However, this scheme provides no way to establish a security association between the MN and the target router AR_1, so the UNA message cannot be protected and can be forged to steal the traffic destined for the legitimate MN. Furthermore, a variety of DoS (Denial of Service) attacks can be mounted using the unauthenticated UNA message, as also noted in [14]. Another security scheme [9] protects the L3 signaling messages including the UNA message. The schemes in [8, 9] only protect the L3 signaling messages (the exchanges with AR_0 and with AR_1 in Figure 1).
The integrated handover authentication scheme [10] integrates the L3 key with the L2 key; namely, the L2 key is derived directly from the L3 key. Before the MN hands over to the target AR, it transports a new L3 key to AR_1 through the AAA, as in (2), where MSK is the secret key shared between the MN and the AAA. AR_1 then distributes the L2 key (PMK_1) derived from that L3 key to the new AP. The current L3 key secures the L3 signaling messages exchanged with AR_0 (Figure 1), while the new L3 key secures those exchanged with AR_1 (Figure 1). As mentioned in Section 2.2, it is desirable to skip the interaction with the AAA in order to speed up the handover. In [10] it is not actually skipped; it is merely moved into the L3 protocol. Furthermore, the scheme is not secure against compromise of the L3 key: the domino effect occurs, in that if the current L3 key is compromised, the new L3 key is compromised as well. This weakness is discussed further in Section 4.4.

The Proposed Key Management and Security Scheme
A new cross-layer key management and security scheme is proposed, in which an L2 key is derived from an L3 key to speed up the L3 handover that accompanies an L2 handover; in this respect it is similar to [10]. However, the two differ considerably in security and efficiency. It is assumed that preestablished security associations exist between AR_0 and AR_1 and between each AR and its APs. A security association between the MN and the AAA is also assumed to exist for the MN's initial access to the network. The notation used in this paper is given in the Notations section.
3.1. Design Principles. Suppose an MN hands over from the subnet of AR_0 to that of AR_1. Two L3 keys are required to protect the L3 signaling messages: one on the subnet of AR_0 and the other on the subnet of AR_1. Unlike the previous schemes [8-10], which rely on interaction with the AAA, the MN generates the new L3 key itself and distributes it proactively to AR_1 before it moves from AR_0 to AR_1. Furthermore, the L2 key (PMK_1) for the subnet of AR_1 can be derived from the new L3 key and pushed into the new AP_1 attached to AR_1, so that IEEE 802.1x-EAP can be skipped.
Since the new L3 key to be used after the handover is predistributed to AR_1 by the MN, it is important to guarantee that a compromise of the current L3 key does not induce that of the future L3 key; namely, the domino effect must be suppressed. For this purpose, the new L3 key is encrypted twice with public keys before distribution: once with the public key of AR_1 and then with that of AR_0. In the proposed protocol, the authenticity of the public key of AR_1 is protected by the current L3 key, so if the current L3 key is compromised, the new L3 key could also be exposed to an adversary. Therefore, it is additionally protected by the public key of AR_0, which was provided to the MN during the previous handover session.
An IPv6 address of the MN on the subnet of AR_i is formed as CoA_i (= Prefix_i ‖ IID_i), where IID_i is a 64-bit interface identifier. There are two ways of configuring the IID: typically it is based on the L2 address of the MN; alternatively, a random number is used. The proposed protocol also uses a random number, but in a slightly different way: IID_i = h_64 of a random number selected by the MN. When moving from AR_i to AR_{i+1}, the MN reveals that random number to prove that CoA_i was generated and is owned by the MN, so IID_i plays the role of a commitment. The main reason for this mechanism is to defend against a session hijacking attack when the current L3 key is compromised.

3.2. Initial Network Access Protocol.
When the MN initially associates with AP_0 to access the network service (Figure 2), it performs a full IEEE 802.1x-EAP authentication with the AAA (Figure 2). As a result, MSK_0 is shared between them, and the information for the MN's default router (the address of AR_0 and its public key) is passed to the MN. Subsequently, the AAA derives two L3 keys, IK and the L3 handover key, both truncated from MSK_0, and securely transports them, together with the MN's Network Access Identifier (NAI), to the default router. IK is an initial L3 configuration key, while the L3 handover key is also used to derive the L2 key (PMK_0). AR_0 then computes PMK_0 as a function of the L3 handover key and the L2 addresses of the MN and of AP_0, and pushes it into AP_0 (Figure 2). In the notation of the figures, MN and AP_0 denote the L2 addresses of the MN and AP_0, while AR_0 denotes the L3 address of AR_0.

The 4-way Handshake based on PMK_0 is executed between the MN and AP_0 so that the MN attaches to the subnet of AR_0 (subnet 0) through AP_0 (Figure 2). Finally, the MN performs an L3 configuration to check whether its IPv6 care-of address, CoA_0, is a duplicate on the subnet of AR_0: the MN sends a Router Solicitation (RtSol) message to AR_0. Based on the NAI, AR_0 retrieves IK and responds with a Router Advertisement (RtAdv) message carrying the subnet prefix of AR_0, Prefix_0, from which the MN configures CoA_0 (= Prefix_0 ‖ IID_0). The MN then sends a Configuration (Conf) message, where the interface identifier IID_0 = h_64 of a random number generated by the MN. If CoA_0 is verified to be unique on the subnet, the initial network access protocol terminates successfully, and CoA_0 together with the MN's L3 handover key is stored in the neighbor cache of AR_0.

3.3. Proposed Secure Handover Procedure. Suppose an L2 handover accompanying an L3 handover occurs from AP_0 to AP_1. The sequence of signaling messages is shown in Figure 3, where the L3 key for subnet 0 has already been shared between the MN and AR_0 as a result of a previous handover or of the initial network access. After receiving the RtSolPr message, AR_0 responds with a PrRtAdv message carrying the subnet prefix of AR_1 (Prefix_1) and the public key of AR_1. After configuring CoA_1 (= Prefix_1 ‖ IID_1), the MN generates a new L3 key to be shared with AR_1 and sends the FBU message to AR_0 (Figure 3), requesting that the traffic for the MN be forwarded to AR_1. Since the new L3 key is to be shared with AR_1, it is first encrypted with the public key of AR_1 and then, together with the random number committed to in IID_0, encrypted with the public key of AR_0. On receiving the FBU message, AR_0 decrypts it, obtains the random number and the inner ciphertext for AR_1, and checks whether h_64 of the random number equals IID_0 of CoA_0. If not, the message is proven not to come from the MN whose IPv6 address is CoA_0, and the handover protocol is aborted. Otherwise, the new L3 key, still encrypted for AR_1, is passed to the target AR_1 in the HI message over the secure channel between AR_0 and AR_1, so that it is shared with the MN on subnet 1. The reason for encrypting the new L3 key twice is to defend against an L3 key compromise attack, which is discussed further in Section 4.3. AR_1 obtains the new L3 key by decrypting the HI payload; the key is used to derive the L2 key PMK_1 (from the new L3 key and the L2 addresses of the MN and AP_1) and to secure the future L3 handover. AR_1 then pushes PMK_1 into AP_1.
After reassociating with AP_1 (Figure 3), the MN performs the 4-way Handshake (Figure 3) based on PMK_1, without any IEEE 802.1x-EAP authentication with the AAA. Subsequently, the MN sends a UNA message to request AR_1 to deliver the buffered packets forwarded from AR_0 (Figure 3). Finally, CoA_1 together with the new L3 key is stored in the neighbor cache of AR_1.

4.1. Comparison of Key Management Schemes.
In this section, three key management schemes are compared: security-enhanced IEEE 802.11-based FMIPv6 [8, 9], the integrated scheme [10], and the proposed scheme, denoted Schemes 1, 2, and 3, respectively. In Scheme 1, the security mechanisms of [8, 9] for the L3 signaling messages are added to the original IEEE 802.11-based FMIPv6 [5]. There is, however, no integrated key management: the L3 and L2 keys are generated and maintained separately, so IEEE 802.1x-EAP authentication (Figure 4(a)) must be performed on each L3 handover. Scheme 2 integrates the L3 key with the L2 key: before the MN moves to a new AP attached to the target AR_1, it requests the AAA to transport a new L3 key to AR_1, and the new L2 key (PMK_1) derived from it is pushed into AP_1 (Figure 4(b)). The interaction with the AAA during the L3 handover, however, still cannot be skipped. In the proposed scheme (Scheme 3, Figure 4(c)), IEEE 802.1x-EAP authentication is performed only once, during the initial network access (Section 3.2). During a handover from AR_0 to AR_1, the new L3 key is sent to AR_1 via AR_0, so that both the MN and AR_1 share it; it is used to secure the L3 signaling messages and to derive the new L2 key (PMK_1) in the target subnet. Since the new L3 key is distributed to AR_1 before the MN moves from AR_0 to AR_1, the MN can perform the 4-way Handshake immediately after reassociating with AP_1 (Figure 4(c)).

4.2. Replay and Redirection Attacks.
To guarantee the freshness of the FMIPv6 signaling messages, that is, to protect against replay attacks, the proposed scheme employs challenge-response authentication based on random numbers (the nonce of the MN and the random number committed to in IID_0). A replay scenario is the following: the MN is attached to AR_0 in a later handover session after having been attached to the same AR_0 in an earlier session; suppose it moved to AR_1 during the earlier session and now plans to move to AR_2. An adversary can try to replay the FMIPv6 signaling messages of the earlier session to redirect the traffic for the MN. The replay fails, however, because of the nonces and because the L3 key is unique for each handover session.

4.3. Compromised L3 Key and Session Hijacking Attack.
The case of an L3 key compromise is considered in this section. We show that the proposed scheme is secure against session hijacking through redirection even if the current L3 key used in (5) and (6) is exposed to an adversary. To protect the FBU message (Section 3.3), the proposed scheme applies two public-key encryptions, with the public keys of AR_0 and AR_1, as in (5) and (6). The MN obtains the public key of AR_0 during the initial network access or the previous L3 handover, while the public key of AR_1 is passed to the MN by AR_0 in the PrRtAdv message.

Session Hijacking by Redirection Attack. Suppose an adversary A(MN) impersonating a victim MN knows the current L3 key and starts an L3 handover, generating its own nonce, new L3 key, and random number in an attempt to hijack the current traffic for the MN (CoA_0) and have it forwarded to the adversary's own new CoA. On receiving the FBU message, AR_0 decrypts it, obtains the adversary's guess of the random number committed to in CoA_0, and verifies whether IID_0 of the source IPv6 address (CoA_0) equals h_64 of that guess. If the verification fails, the protocol stops. Since h_64(·) is based on a one-way hash function and the random number used to derive IID_0 is known only to the MN, all the adversary can do is guess it, and the probability that a guess matches is 2^-64. Since CoA_0 is valid only on subnet 0 and changes as the MN moves, this probability is negligible enough to defend against the attack.

Session Hijacking by Man-in-the-Middle Attack. Suppose an adversary A(MN) knows the current L3 key and the victim MN starts an L3 handover requesting AR_0 to forward its traffic to CoA_1. To see why the public-key encryption with the public key of AR_0 is required, suppose (6) were modified into (13'), without the outer encryption. The adversary, positioned between the MN and AR_0, can then mount a man-in-the-middle attack: it replaces the public key of AR_1 in the PrRtAdv message (9) with its own public key in (10), which it can do because the message is authenticated only with the compromised L3 key, so that it obtains the new L3 key from the MN's FBU and hijacks the traffic for CoA_1, forwarding it to its own CoA. Eventually the connection with AR_1 is turned over to A(MN). If (6) is used instead of (13'), then (11) and (12) become (19') and (20'), respectively. When intercepting (19'), A(MN) can neither modify CoA_1 nor obtain the new L3 key, since they are encrypted with the public key of AR_0; and when AR_1 receives through the HI message an inner ciphertext produced under the adversary's substituted public key, it aborts the protocol, since it cannot decrypt the ciphertext with its own private key. Therefore, a compromise of the current L3 key does not induce that of the future L3 key.
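The following Python model is an added illustration, not code from the paper. It runs the handover of Sections 3.1-3.3 end to end (initial access, FBU with the double encryption, HI to the target router, PMK derivation on both sides) and then replays the two attacks of this section against it: a forged FBU from an adversary holding the current L3 key, which fails the h_64 commitment check at AR_0, and a PrRtAdv with a substituted public key, which fails at AR_1 because the inner ciphertext cannot be decrypted there. Everything the text leaves unspecified is an assumption of this model: the L3 key and the committed random number are written K_i and r_i; h_64 is SHA-256 truncated to 64 bits; PMK_i is HMAC-SHA256 over K_i and the two L2 addresses; L3 messages carry an HMAC under the current L3 key; the FBU body is r_0 ‖ CoA_1 ‖ [K_1]_{PK_AR1}, all encrypted under PK_AR0; prefixes are 64-bit; and the public-key encryption is a toy RSA-KEM with a SHA-256 keystream and HMAC tag that only stands in for the paper's encryption and is not fit for real use.

```python
"""Toy model of the proposed secure handover (Sections 3.1-3.3) and of the two
L3-key-compromise attacks of Section 4.3.  Added example, not code from the paper.
Assumed instantiations (the text fixes none of them): h_64 = SHA-256[:8]; PMK_i =
HMAC-SHA256(K_i, MN addr || AP_i addr); HMAC tags under the current L3 key; FBU body
r_0 || CoA_1 || [K_1]_{PK_AR1} under PK_AR0; 64-bit prefixes; toy RSA-KEM as the PKE."""
import hashlib, hmac, secrets
# ---- toy public-key encryption: stand-in for the paper's PKE, not for real use ----
def _is_probable_prime(n, rounds=32):
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):                       # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def keygen(bits=512):
    """(public, secret) = ((n, e), (n, d)); a 512-bit n keeps the demo fast."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | 1 << (b - 1) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % 65537:
            return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))
def _ks(k, nonce, n):                             # SHA-256 counter-mode keystream, n bytes
    return b"".join(hashlib.sha256(k + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]
def pk_encrypt(pk, msg):
    n, e = pk
    seed, nonce = secrets.randbelow(n - 2) + 1, secrets.token_bytes(16)
    k = hashlib.sha256(seed.to_bytes(64, "big")).digest()
    ct = bytes(a ^ b for a, b in zip(msg, _ks(k, nonce, len(msg))))
    return pow(seed, e, n).to_bytes(64, "big") + nonce + hmac.new(k, nonce + ct, "sha256").digest() + ct
def pk_decrypt(sk, blob):
    n, d = sk
    kem, nonce, tag, ct = blob[:64], blob[64:80], blob[80:112], blob[112:]
    k = hashlib.sha256(pow(int.from_bytes(kem, "big"), d, n).to_bytes(64, "big")).digest()
    if not hmac.compare_digest(tag, hmac.new(k, nonce + ct, "sha256").digest()):
        raise ValueError("ciphertext was not made for this public key")
    return bytes(a ^ b for a, b in zip(ct, _ks(k, nonce, len(ct))))

# ---- addressing and key hierarchy of Section 3 ----
def h64(r): return hashlib.sha256(r).digest()[:8]                    # h_64(.)
def make_coa(prefix, r): return prefix + h64(r)                      # CoA_i = Prefix_i || IID_i, IID_i = h64(r_i)
def derive_pmk(k, mn_l2, ap_l2): return hmac.new(k, mn_l2 + ap_l2, "sha256").digest()  # PMK_i from K_i
def mac(k, *f): return hmac.new(k, b"|".join(f), "sha256").digest()   # L3 message tag under K_i
def new_ar(prefix):
    pk, sk = keygen()
    return {"prefix": prefix, "pk": pk, "sk": sk, "cache": {}}       # neighbor cache: CoA -> L3 key
def initial_access(ar0, mn_l2):
    """Outcome of Section 3.2 (the only 802.1x-EAP run): MN and AR_0 share K_0; CoA_0 commits to r_0."""
    k0, r0 = secrets.token_bytes(16), secrets.token_bytes(16)
    coa0 = make_coa(ar0["prefix"], r0)
    ar0["cache"][coa0] = k0
    return {"l2": mn_l2, "k": k0, "r": r0, "coa": coa0, "pk_ar": ar0["pk"]}

def mn_build_fbu(mn, prefix1, pk_ar1):
    """MN side of (5)-(6): fresh K_1, r_1, CoA_1; [K_1] under PK_AR1, then everything under PK_AR0."""
    k1, r1 = secrets.token_bytes(16), secrets.token_bytes(16)
    coa1 = make_coa(prefix1, r1)
    body = pk_encrypt(mn["pk_ar"], mn["r"] + coa1 + pk_encrypt(pk_ar1, k1))
    return {"src": mn["coa"], "body": body, "tag": mac(mn["k"], mn["coa"], body)}, {"k": k1, "r": r1, "coa": coa1}

def ar0_process_fbu(ar0, fbu):
    """AR_0: check the K_0 tag, decrypt, verify h64(r_0) == IID_0 of CoA_0, then build the HI payload."""
    if not hmac.compare_digest(fbu["tag"], mac(ar0["cache"][fbu["src"]], fbu["src"], fbu["body"])):
        raise ValueError("FBU: bad tag")
    plain = pk_decrypt(ar0["sk"], fbu["body"])
    r0, coa1, inner = plain[:16], plain[16:32], plain[32:]
    if h64(r0) != fbu["src"][8:]:
        raise ValueError("FBU: r_0 does not open the IID_0 commitment; handover aborted")
    return {"coa0": fbu["src"], "coa1": coa1, "inner": inner}        # HI, over the AR_0-AR_1 secure channel

def ar1_process_hi(ar1, hi, mn_l2, ap1_l2):
    """AR_1: recover K_1 (fails if [K_1] was made for another PK), cache it, derive PMK_1 for AP_1."""
    k1 = pk_decrypt(ar1["sk"], hi["inner"])
    ar1["cache"][hi["coa1"]] = k1
    return derive_pmk(k1, mn_l2, ap1_l2)

def handover(mn, ar0, ar1, ap1_l2, advertised_pk_ar1=None):
    """Fig. 3 flow. PrRtAdv is forgeable by a holder of K_0, so the PK_AR1 it carries is a parameter.
    Returns (PMK_1 derived by the MN, PMK_1 pushed to AP_1); the 4-way handshake then needs no EAP."""
    pk_ar1 = advertised_pk_ar1 or ar1["pk"]
    fbu, new = mn_build_fbu(mn, ar1["prefix"], pk_ar1)
    pmk_ap1 = ar1_process_hi(ar1, ar0_process_fbu(ar0, fbu), mn["l2"], ap1_l2)
    mn.update(k=new["k"], r=new["r"], coa=new["coa"], pk_ar=pk_ar1)
    return derive_pmk(new["k"], mn["l2"], ap1_l2), pmk_ap1

def redirection_attack(ar0, ar1, victim_coa, leaked_k0):
    """Section 4.3: A(MN) holds K_0 and CoA_0 but not r_0, so its FBU carries a guessed r*_0."""
    fake = {"l2": b"\xde\xad\xbe\xef\x00\x01", "k": leaked_k0, "r": secrets.token_bytes(16), "coa": victim_coa, "pk_ar": ar0["pk"]}
    return ar0_process_fbu(ar0, mn_build_fbu(fake, ar1["prefix"], ar1["pk"])[0])   # raises, prob. 1 - 2^-64
```

An honest run of `handover(mn, ar0, ar1, ap1_l2)` returns two equal PMK_1 values and moves the MN's state (K_1, r_1, CoA_1) forward, so a second call with AR_1 as the previous router works without any AAA interaction. `redirection_attack` raises at AR_0, since the leaked K_0 lets the adversary produce a valid tag but not open the IID_0 commitment; `handover(..., advertised_pk_ar1=keygen()[0])` models the substituted PrRtAdv and raises at AR_1, because the outer encryption keeps the adversary from reading or replacing the FBU while the inner ciphertext it caused the MN to produce is useless to AR_1. Removing the outer `pk_encrypt` call in `mn_build_fbu` reproduces the weakened form (13') the text discusses, in which the adversary on the path could read the inner ciphertext it can decrypt.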

4.4. Security Comparisons.
Table 1 summarizes the security comparison of Schemes 1, 2, and 3, including the key management comparison of Section 4.1. It has been shown that the proposed scheme is secure against session hijacking when the L3 key is compromised. Scheme 1 is also secure, since its L3 key is always generated and shared as a result of the 802.1x-EAP protocol. Scheme 2 ((2) in Section 2.3), however, is not secure when the L3 key is compromised. Suppose the current L3 key is exposed to an adversary A(MN) and the message (13) of the previous handover session has been observed. If the adversary replays part of (13), as in (14), under the compromised current L3 key, it comes to share the same L3 key with the new AR and can hijack the current session.

4.5. AAA Issues for Security and Billing.
FMIPv6 can support handover across different administrative domains. As mentioned before, if the two ARs belong to different administrative domains, a prior roaming agreement between them is needed for security and billing. Typically, the accounting data (information about the MN's resource consumption) collected by the network devices in the visited domain is carried to the home domain by the accounting protocol. FMIPv6 over IEEE 802.11 is followed by the MIPv6 Binding Update (BU) protocol, whose role is to inform the MN's Home Agent (HA) of the current AR. In the MIPv6 bootstrapping environment [15] there are two service providers, the Network Access Service Provider (NSP) and the Mobility Service Provider (MSP). The IEEE 802.11-based FMIPv6 service can be provided by the NSP, which offers the MN basic network access, while the MIPv6 BU service is provided by the MSP. When the MIPv6 BU protocol is initiated, the MSP's authorizer (AAA) interacts with the MN and the AR; this is beyond the scope of this paper.

Performance Analysis and Comparison
In this section, the handover latencies of the previous schemes (Schemes 1 and 2) and of the proposed scheme (Scheme 3) are compared. We first describe the analytical mobility model used for the performance evaluation.

The handover procedure is performed by the MN between ARs and APs, so the handover rate is closely related to the mobility pattern of the MN. The Fluid Flow (FF) model is widely used to analyze cell-boundary-crossing issues such as handover [16]; it is suitable for MNs with a constant speed and direction of motion, and we adopt it as the mobility model. The model parameters are the perimeter of each AP cell and of each AR domain, and the average velocity V and the density of the MNs. The MNs are uniformly distributed with the given density and move at average velocity V in directions uniformly distributed over [0, 2π]. In the analysis below, V is varied from 0.1 m/s to 5 m/s and the density is set to 0.0002 MNs/m^2 (200 MNs per km^2). The crossing rates over the coverage of each AP and of each AR are defined in (15) and are used in order to provide results for the performance comparison. The average handover cost per MN per unit of time is obtained from the L3 handover cost and the L2 handover cost of each of Schemes 1, 2, and 3, each of which is the sum of a signaling cost and a processing cost. Based on (15), the average handover cost per MN is calculated as in [16], with the area of an AR domain as a parameter. The parameter descriptions and values used for the comparison, taken from [16], are given in Table 2.
Note that the values other than the geometry and mobility parameters (the perimeters, the velocity V, and the density) are defined "relatively" for the purpose of this comparison, so the handover cost does not indicate the actual authentication delay of the corresponding scheme.
Using the parameters in Table 2, the L2 and L3 handover costs and the average handover cost are calculated from (17). The processing costs on the MN, AP, AR_0, AR_1, and AAA for each scheme are each computed from the costs of cryptographic operations, such as key and hash operations. Let the number of hops between any two relatively close

The handover cost of each scheme evaluated according to Table 2 is shown in Figure 6. Figure 6(a) compares the L3 handover costs of the three schemes. It can be observed that the main contributor to the handover cost is the signaling cost, and that the handover cost of the previous schemes is larger than that of the proposed scheme because they require interaction between the MN and the AAA during the handover. Figure 6(b) shows the average handover cost per MN as the average velocity of the MN increases; the density of MNs is set to 0.0002 MNs/m^2, the number of APs per AR to 5, and the velocity varies from 0.1 m/s to 5 m/s. The average handover cost of all three schemes increases with the velocity. Figure 6(c) shows the impact of the number of APs per AR on the average handover cost per MN; the density of MNs is set to 0.0002 MNs/m^2 and the velocity V to 5 m/s. The average handover cost decreases as the number of APs per AR increases.
As can be seen from Figures 6(a), 6(b), and 6(c), the proposed scheme is more efficient than the previous schemes, by a large margin in some settings and a small one in others. Figure 6(d) shows the combined impact of the MN velocity and the number of APs per AR on the average handover cost of the proposed scheme. The average handover cost increases rapidly with the velocity of the MN but decreases only gradually as the number of APs per AR increases. Therefore, the velocity of the MN, rather than the number of APs per AR, is the more important factor to consider in achieving an efficient handover.

Conclusions
We have designed a key management and security scheme that enhances L2/L3 handover security and reduces the authentication delay induced by the L3 handover. The scheme builds on the original IEEE 802.11-based FMIPv6. First, based on the stated security assumptions, an initial network access protocol bootstraps the security associations among the network entities. Second, a cross-layer key management process integrates the L2 key with the L3 key: the L3 key is used to derive the L2 key, so that the time-consuming IEEE 802.1x-EAP authentication with the AAA can be skipped. Third, a method for protecting the seven L3 signaling messages has been proposed, together with a scheme for securely transporting the L3 key to the target AR. In particular, the case of a compromised L3 key has been considered: even if the L3 key at the subnet of the current AR is compromised, an adversary holding it cannot perform any kind of redirection attack; in other words, the domino effect is suppressed. FMIPv6 over IEEE 802.11 is followed by the MIPv6 Binding Update (BU) protocol, which involves an interaction with the AAA of the MSP. In the integrated scenario of MIPv6 bootstrapping, the MSP plays the role of the NSP, while in the split scenario the MSP and NSP are two distinct service providers. As a follow-up to the current research, the AAA issues for security and billing will be investigated further, considering both the split and the integrated scenarios for MIPv6 bootstrapping.

Figure 4: Comparison of key management schemes.

Table 1: Security comparisons.

For the sake of simplicity, a square-shaped network model is used to analyze and compare the performance of the protocol under the three schemes. In the square-shaped network model, the coverage of the entire administrative domain and that of each AP are square, and the APs are uniformly distributed over the area of the administrative FMIPv6 domain. Figure 5 shows the square-shaped mobility model, where the bold lines indicate the boundary of the subnet consisting of four APs (AP_01, AP_02, AP_03, and AP_04) connected to AR_0.

Table 2: Parameters for evaluation.