DMM-SEP: Secure and Efficient Protocol for Distributed Mobility Management Based on 5G Networks

In the 5G era, network mobility management is recognized as a very important factor for user service availability. Especially, due to fast speed and shrinking cell coverage, frequent handover is expected than before. Hence, efficient handover procedure is essential to guarantee seamless service to users. Distributed IP Mobility Management (DMM), a major mobility management solution, is a flat architecture that achieves efficiency and fault tolerance by excluding a centralized anchor and minimizing the distance between a mobile device and its serving network. However, DMM, which has no dominant security scheme specified to itself, is excessively dependent on the security of Layer 2 and is vulnerable to various threats. Especially, the existing security schemes are still venerable to redirection attacks launched by malicious Mobile Access Gateways (MAGs) or Control Mobility Database (CMD). Motivated by this, we proposed a DMM-based handover security protocol that can support privacy and defend against redirection attacks in addition to providing essential security properties such as confidentiality, integrity, mutual authentication, and key exchange. The proposed protocol was formally verified to be correct through AVISPA and BAN logic. Moreover, the comparison analysis showed that the proposed protocol is better than the previous studies and standards.


I. INTRODUCTION
The pervasion of fifth generation (5G) wireless communication technologies is inevitable in the next 4 to 6 years. The design of 5G architecture is expected to leverage heterogeneous network [1] coupled with ultra-dense wireless network [2] to provide a close to ''zero'' communication latency along with consistent reliability. In such wireless network ecosystem, mobility management (MM) is critical as it should guarantee a sustainable provision of cellular network services while a mobile equipment moves from one service coverage to another. Its main functions include location management and route management. The former focuses on authentication of a user equipment (UE) as well as location tracking as to which access point the UE is connected, whereas the latter manages network route reconfiguration when the UE changes The associate editor coordinating the review of this manuscript and approving it for publication was Antonio Skarmeta Gómez . point of attachment. Thus, an effective mobility management protocol should be able to efficiently deliver various network services even though users move at a high rate and their handover events frequently occur, which is expected in 5G network.
Various IP-based mobility management standards have been introduced and they are classified into two categories: host-based and network-based mobility management schemes. First, the host-based mobility management scheme that includes Mobile Internet Protocol version 6 (MIPv6) [3] and its enhanced versions such as Fast Handover MIPv6 (F-MIPv6) [4], Hierarchical MIPv6 (HMIPv6) [5], and Fast Handover for HMIPv6 (F-HMIPv6) [6] requires a mobile node (MN) to be actively involved in the mobility-related signaling process. This approach was not successful as it needs to modify and upgrade MN's network protocol stack, hence increasing cost and complexity as well as hindering to support legacy devices. Additionally, operators cannot fully control a MN's point of attachment because it handles its own mobility service [7]. On the other hand, the network-based approach such as Proxy Mobile Internet Protocol version 6 (PMIPv6) [8] and Fast Handover PMIPv6 (FPMIPv6) [9] was developed and standardized in order to address the weakness of the host-based one. That is, it does not require participation from a MN for managing IIP mobility. All mobility-related signaling are handled by the mobility entities in the network. It is also worth noting that this approach reduces the handoff latency of MNs [10].
The MIPv6 and PMIPv6 schemes are currently the representation of a centralized mobility management protocol (CMM) as show in Figure 1. They are dependent to a certain degree on a centralized mobility anchor, such as Home Agent (HA) and Local Mobility Anchor (LMA), to handle not only the mobility control but also routing of data from a MN to its corresponding node (CN) and vice-versa. In other words, all data traffic goes to the centralized agent (HA and LMA), which then forwards the data to the destination node. The dependency of current mobility solutions to a centralized node are faced with several problems and limitations as enumerated in [11]. The major issues have triggered the Network Working Group of the Internet Engineering Task Force (IETF) to develop and invest effort to standardize a mobility solution that is distributed in nature, now known as Distributed Mobility Management protocol (DMM) [12]. The main concept of the DMM solution to move the mobility functions to the edge of the network bringing it closer to the users. Its ultimate goal is to allow mobility anchor called Mobile Access Gateway (MAG), which is located at the edge of the network, and handles the mobility signaling and data routing through tunnel creation without any centralized node's assistance.
In the 5G network infrastructure where access network points are very densely deployed, the DMM protocol is a promising candidate for mobility management because of its flat and flexible mobility architecture [13]. However, in spite of its clear advantage for efficient traffic delivery in 5G network [14], this solution must be equipped with a dedicated security protocol that can defend various threats such as impersonation, denial-of-service, man-in-the-middle attacks.
With just a few of researches [15]- [18], the DMM solution still has no major security protocol, thereby heavily counting on the layer 2 security which cannot address well the specified attacks listed in Table 1. Consequently, implementing an effective security countermeasure is essential considering that attackers are becoming more innovative. Motivated by this, we propose a secure and efficient protocol for DMM networks that supports mutual authentication, key agreement, confidentiality, integrity, and privacy while defending against DMM-specified attacks. The main contributions of this paper are as follows: • We design a security protocol for the DMM networks based on the 5G network entities.
• We thoroughly verify the correctness of the proposed protocol in a formal way using the two popular security analysis tools, BAN-logic [19] and Automated Validation of Internet Security Protocol and Application (AVISPA) [20].
• We conduct a comparison analysis between our proposed protocol against contemporary security protocol standards including EAP-AKA [21], EAP-TLS [22], EAP-IKEv2 [23] and other proposed works.
The remainder of this paper is organized as follow. We first discuss the basic concept of the DMM protocol and its related attacks in Section II, followed existing security schemes and the Extensible Authentication Protocol (EAP) framework [24], which is a major network security scheme. Then, Section III discusses in detail our proposed protocol, which is formally verified in Section IV. The comparison result of our VOLUME 8, 2020 approach against some security standards and existing works is presented in Section V. Finally, we summarize our work and present our future works in Section VI.

II. RELATED WORKS
This section discusses related works which is divided into four parts: the concepts of DMM and solutions, the vulnerabilities of PMIPv6-based DMM variants, DMM security, and EAP framework.

A. DISTRIBUTED IP MOBILITY MANAGEMENT
DMM is based on flat architecture aiming to push the location management functions and traffic routing to the network access level as illustrated in Figure 3.
As mentioned above, a MAG 1 serves as access router that supports address allocation function and location management. Once MN moves to another serving network, a new MAG (MAG2) not only allocates a network prefix to that MN but also disseminate MN's location information to the old MAG (MAG1) by sending location update signaling message. Such a handover leads to an establishment of a bi-directional tunnel, over which a data traffic intended for MN is forwarded from the old MAG to the new MAG. This configuration clearly enables the separation of the data plane and the control plane Furthermore, a better traffic load balance is achieved through the decentralization of the data plane.
In DMM networks, there are two suggested deployment options; partially distributed or fully distributed model [25]. In the former, there exists a centralized controller which is responsible for all control plane functions while relieving itself from route management and data forwarding, whereas the latter implements both functions at a customized network access hardware. To support distributed management, two 1 The MAG can also be called Mobile Anchor and Access Router (MAAR) notable DMM protocols were proposed in [13] and [14], which inherits several attributes from the conventional IP mobility protocol known as PMIPv6. Both protocols adopt the partially distributed model where the centralized LMA is replaced with Control Mobility Database (CMD). The two variants differ in message exchange but both end-up establishing bi-directional tunnel between MAGs as illustrated in Figure 2. Even though both protocols can create tunnel for data security, they still face security threats like impersonation attack, denial-of-service, and attacks initiated by compromised MAG and CMD.

B. VULNERABILITES OF PMIPV6-BASED DMM
An illustration of attack scenario corresponding to the PMIPv6-based DMM variants is presented in Figure 4. A MAG starts an attachment procedure when it receives a Router Solicitation (RS) message from a MN. As show in Figure 4a, if the RS message is not protected, a manin-the middle attacker can capture the message and use it to impersonate the victim MN. As a result, the attacker can hijack the session established between the victim MN and the serving MAG. Furthermore, after a MAG finishes the attachment procedure, it finally transmits a Router Advertisement (RA) message to a MN. As depicted in Figure 4b, if an attacker somehow manipulates this RA message to include malicious network information, the victim MN can be deceived into configuring itself wrongly, thereby hindered from enjoying any service from the network. Additionally, the protocol of [13] and [14] are also vulnerable to attacks launched by malicious MAGs as shown in Figure 4c and 4d. A malicious MAG can deceive CMD or MAG with fake binding update messages of MN. 4c's attack scenario corresponds to the protocol in Figure 3a. In this scenario, the malicious MAG can mislead the CMD by sending a bogus Proxy Binding Update (PBU) message. Once the messaged is approved, the CMD then derives new PBU messages from the bogus  one, which are then transmitted to the involved MAGs. As a result, the victim's data traffics are unintentionally transmitted. On the other hand, in case of Figure 4d, an attacker succeeds in deceiving CMD by sending and receiving the Mobility Context Request (MCReq) and Response (MCRes) messages, he or she can trick the involved MAGs by sending the malicious Binding Update (BU) messages to them. Hence, if these BU messages are accepted by the involved MAGs, all data traffic will be redirected to the attacker or victims. The summary of the threat implication for PMIPv6-based DMM solutions is shown in Table 1 where a countermeasure to its corresponding threat is also suggested.

C. PMIPv6-BASED DMM SECURITY
In order to secure DMM protocols, several researches have been conducted as follows. Shin et al. [15] proposed a secure route optimization (RO) protocol for DMM-based smart home systems, which includes RO initialization and handover phase. Since the proposed protocol only considered route optimization security, it cannot be viewed as a general solution for other DMM network services. In [16], Lee introduced a secure authentication protocol based on his previously proposed PMIPv6-based DMM protocol [14]. The security protocol utilizes the ID-based mutual authentication between a MN and a MAG with key agreement on elliptic curve. The security association among the MN and MAG is successfully established with the assistance of an Authentication Server (AS). However, a malicious MAG can still deceive the involved MAGs about the mobility context of the victim MN since the message exchange sequence in this security protocol is simply patterned from the previous one. It still fails to confirm the willingness of MN for handover, hence, making the traffic redirection attack launched by compromised MAG feasible. Additionally, privacy of MN can be compromised since MN's long-term ID is send in plaintext. Moreover, the scheme still needs improvement as it adopts the conventional server-client model to authenticate the MN. All security contexts are derived in the AS and are then forwarded to the corresponding network entity. The author suggested a distributed peer-to-peer authentication approach. It is also worth noting that this work introduced a dynamic tunneling based on session-to-mobility ratio, hence reducing tunneling overhead among MAGs. Kim et al. [17] proposed the same authentication model as in [16] where the MN is authentication by an AS. The effectiveness of the proposed security proposed is also dependent on the assumption that all MAGs and CMD are honest. This assumption is too heavy as these network entities are also susceptible to attackers in VOLUME 8, 2020 numerous situations. Along with these issues, the proposed protocol suffers the same problem in [16]. Moreover, both proposed security protocols were not formally verified by any verification tools. The proposed security protocol in [16] and [17] adopts a partially distributed management model where mobility signaling is managed by centralized node. To meet the requirements in a fully distributed management model under PMIPv6 domain, Vishal et al. [18] proposed a blockchain-based DMM scheme that uses three different blockchains namely PoW-wise, region-wise, and user-wise ledgers to overcome the security issues of the existing DMM solutions. However, the use of multiple ledgers may consume huge memory, considering also that frequent handovers are expected in the 5G networks. Additionally, the scheme could also affect the network performance. Moreover, it is not clear in this paper as to how the blockchains are completely managed by the different network nodes. In spite of the above security protocols, there is still no major security one DMM solutions. Accordingly, network operators tend to excessively rely on the layer network security which cannot adequately overcome the attacks listed in Table 2.

D. EAP FRAMEWORK
Alternatively, the EAP can be considered to protect DMM networks. The EAP has been known to be one of the most widely applied security frameworks for network security. It can provide high stability and scalability at authentication stage. Each entity can specify a supported EAP function and proceed with the agreed authentication procedures. The EAP framework is especially adopted as standard on the 5G network environment. Among its sub-security protocols, we focus on EAP method for 3 rd Generation Authentication and Key Agreement (EAP-AKA) [21], EAP Transport Layer Security (EAP-TLS) [22], EAP Internet Key Exchange version 2 (EAP-IKEv2) [23] for comparison with our design.

III. ENVIRONMENT AND PROPOSED PROTOCOL
This section describes the target environment and the details of the proposed security protocol. Table 2 gives abbreviations and notations which are used in the rest of this paper.

A. TARGET ENVIRONMENT
The target environment, which is depicted in Figure 5, is based on 5G stand-alone networks whose serving network is composed of three core functions: AMF, SMF, and UPF. To apply DMM to 5G stand-alone networks, each MAG can be divided into these three functions, where AMF, SMF, and UPF are responsible for access and mobility management, session management, and data transfer respectively. Moreover, a new network function CMDF is employed to play the role of CMD. In our scenario, the target 5G network is composed of a home network including AUSF, ARPF, and CMDF and three serving networks where two 3GPP networks and one non-3GPP network exist. Note that N3IWF handles the mobility management operation in non-3GPP networks as AMF does so in 3GPP networks. In such environment, MNs can move freely from one access network to another.

B. PROPOSED PROTOCOL
A secure and efficient protocol, depicted in Figure 6, is proposed for distributed mobility management based on 5G networks.
The assumptions made on the proposed protocol are as follows: • It is assumed that the Non-Access Stratum (NAS) and Radio Resource Control (RRC) setups were performed during the initial authentication.
• It is assumed that the involved entities MN, AMFs, and CMDF are time-synchronized.
• It is assumed that the two values AID 0 and K AMF , generated by CMDF, are distributed to the MN and the AMFs in advance through a secure channel. The target security requirements of the proposed protocol are as follows: • Mutual authentication: During the handover process, the MN and the target AMF, i.e. AMF(i+1) should mutually authenticate each other.
• Confidentiality: Any unauthorized entity should not be able to read the content of the data transmitted over the open channel.
• Integrity: Any unauthorized entity should not be able to make any changes on the data transmitted over the open channel.
• Key exchange: The two parties, MN and AMF(i+1) should successfully negotiate session keys without any leakage.
• Privacy: The real identity of MN must not be revealed in the exchanged messages.
• Defense against attacks by malicious AMF or CMDF:The attack launched by any malicious AMF or CMDF should be addressed. The proposed protocol shown in Figure 6 aims to achieve secure and efficient handover procedure as the MN moves from the AMF(i) to the AMF(i+1) with the help of the CMDF while satisfying the target security properties.
The detailed description of the proposed protocol is as follows: (i) Before the handover is executed, the AMF(i) is assumed to possess the AID i and the K AMF obtained during the i-th handover. Note that the AID 0 and the K AMF are security distributed to the MN and the AMF(0) during the initial attachment. (1) Once the MN' movement is detected through a layer 2 trigger, the AMF(i) initiates the handover by sending the HI message that includes the parameters ID MN , AID i , and K AMF to the target AMF(i+1) over a secure channel. Upon receipt of this message, the AMF(i+1) utilizes the given ID MN , AIDi, and K AMF to obtain AID(i+1) by computing AID(i+1) = ID MN ⊕ h(K AMF || AID i ). (2) With the help layer 2, the MN obtains the ID AMF and then prepares for the AccAuthReq message, which includes the two IDs AID i+1 and ID AMF(i+1) , a randomly generated nonce n 1 , timestamp ts 1 , and the two HMAC values HM 1 and HM 2 . The HM1 and HM2 values are computed based on HMAC(K CMDF , ID MN ||ID AMF(i+1) ||n 1 ||ts 1 ) and VOLUME 8, 2020 HMAC(HK, AccAuthReq), respectively, where the handover key HK is computed as HMAC(KCMDF, ID MN ||ID AMF(i+1) ||'' Handover Key''||ts 1 ). The AccAuthReq message is then transmitted to the AMF (i+1) . Note that including the timestamp ts 1 in the calculation of HK ensures its freshness. It is also worth to note that the MN's privacy is maintained because only the temporary ID is shared in plaintext over the insecure channel. On receiving the AccAuthReq message, the AMF(i+1) first verifies the received ts 1 is within its accepted pre-defined time window. If the verification is positive, it retrieves the ID MN , computes the HK, and verifies the AccAu-thReq message by computing the HM 2 with the HK and comparing it with the received HM 2 . The positive result indicates that the MN is reliable and consequently the AMF(i+1) can build trust with the MN. With such a trust, the AMF(i+1) proceeds to the step (3). (3) In this step, the AMF(i+1) first makes the MCReq message with the MN's ID ID MN and the received values ID AMF(i+1) , n 1 , ts 1 , and HM 1 , and in turn transmits that message to the CMDF through a secure channel. Upon receiving this message, the CMDF checks if the received timestamp ts 1 is within its time window and then proceeds to verifying the HM 1 through a pre-shared key K CDMF . The positive verification of the HMAC value allows the CMDF to trust that the MN really intends to move to the AMF(i+1) because the K CMDF is shared between only the MN and itself. In this way, if the AMF(i+1) is malicious, the CMDF can defend against the attacks by it. (4)-(5) To proceed, the CMDF generates a random nonce n 2 and the timestamp ts 2 , prior to computing the session key SK and the digital signature SIG CMDF based on HMAC(K CMDF , ID MN ||ID AMF(i+1) || ''Session Key''||n 1 ||n 2 ) and E(PR(CMDF)), H(ID||ADD AMF(i+1) ||ts 2 ), respectively. The CMDF then prepares for the MCRes message, which includes the values n 1 , n 2 , ts 2 , SK, a list of the AMFs, and SIG CMDF . Here, the list contains the information of AMFs in the networks that were previously visited by the MN. Once the MCRes message arrives, the AMF(i+1) verifies the SIG CMDF with the CMDF's public key after confirming if its handover request is correctly reflected on that signature. If the above verification is valid, the AMF(i+1) makes the Binding Update (BU) messages, each of which corresponds to each of the AMFs included in the received list of AMFs. Each BU message contains the received timestamp ts 2 and digital signature SIG CMDF . Finally, the BU message are sent to their corresponding AMF.

IV. FORMAL VERIFICATION
This section presents the format verification of the proposed protocol under the two widely applied tools: BAN-logic [19] and AVISPA [20]. Applying these tools together can achieve more robust and thorough verification as they are considered to complement the weaknesses of each other.

A. FORMAL VERIFICATION WITH AVISPA
In AVISPA, target security protocols are verified by exploring their possible attacks, and can be regarded to be valid if no attack is found. For such a verification, a target protocol should be first modelled through the AVISPA's native script language High Level Protocol Specification Language (HLPSL), which as a role-based language configures each role independently as well as communications data between roles through channel. The structure of AVISPA is shown in figure 7. In other words, the protocol needs to be written in a form of HLPSL code. The written code is automatically

1) HLPSL MODEL
At first, each role is modeled in HLPSL code. The basic roles include the MN's role, the AMF1's role, the AMF2's role, and the CMDF's role as shown in Figures 8, 9, 10 and 11, respectively. Here, role_AMF1 and role_AMF2 corresponds to the model of previous and new AMF, respectively.

2) VERIFICATION RESULT
The obtained formal verification results, shown in Figure 12, are based on two back-end modules such as (a) OFMC and (b) CL-AtSe. The protocol's simulation diagram is illustrated in Figure 13. According to the results, the designed protocol is safe against known attacks. 76036 VOLUME 8, 2020

B. FORMAL VERIFICATION WITH BAN-LOGIC
BAN logic, first introduced by Burrows et al. [19], has been widely adopted by security researchers and experts to formally verify security protocols. In this logic, to be formally verified, a target security protocol first needs to be translated into an idealized version, followed by defining its assumptions and goals. Afterwards, inference rules are applied repeatedly until the intended beliefs satisfying the goals are obtained. Tables 3 and 4 show the symbol, along with its meaning, and inference rules of BAN Logic, respectively.
In the first step, the protocol is expressed in an idealized form and the assumptions are made as shown in Figures 14 and 15, respectively. We skip the BU message because the AMF(i+1)'s belief derived from (I3), i.e., the belief on the SIG CMDF , is semantically identical to what other involved AMFs can obtain from the SIG CMDF in the same way as the AMF(i+1) does.
From (I1), we derive:  From (I3), we derive:  Based on the derived beliefs, we establish the following lemmas.
Lemma 1: The proposed protocol supports mutual authentication between the MN and the AMF(i+1).
Proof: The derived beliefs (D4) and (D15) show that the MN and the AMF(i+1) mutually authenticate each other. Thus, we can conclude that the lemma 1 is valid.
Lemma 2: The proposed protocol can defend against the redirection attacks launched the malicious CMDF and AMF(i+1).
Proof: Based on (D8), the CMDF can confirm that the MN really intends to move to the AMF(i+1). That makes it possible for the CMDF to prevent any malicious AMF from launching redirection attacks by sending fake MCReq messages. On the other hand, based on (D11), the AMF(i+1) can confirm that the CMDF reflects the meaning of its MCReq message on the MN's binding update procedure and returns the MCRep message. Thus, the AMF(i+1) can detect the attempt for the malicious CMDF's redirection attack prior to sending the BU messages. Even though the BU message is   not reasoned about, as the AMF(i+1) does, the AMFs in the MN's visiting networks can obtain the belief that the CMDF approves the MN's handover. Through this belief indirectly obtained from (D11), they can prevent the redirection attacks by the malicious AMF(i+1). As a result, it can be shown that the lemma 2 holds.
Lemma 3: The MN and the AMF(i+1) has securely exchanged the session key SK.  Proof: From the AMF(i+1)'s point of view, in spite of no derived belief, it has an intuitive and direct belief on the authenticity of the session key SK since it securely receives that key from its trusted function CMDF over a pre-established secure channel. On the other hand, the MN has direct belief on the secure negotiation of the SK through (D17). This belief is intensified through (D16), which indicates that the MN enhances its belief on the SK by believing that the AMF(i+1) trusts the SK as well. Therefore, we can conclude that the lemma 3 is valid.
Lemma 4: The protocol protects the MN's privacy. Proof: Note that the path between the MN and the AMF(i+1) is not protected whereas other paths between the AMF(i) and the AMF(i+1) or between the AMF and the CDMF are protected through pre-established secure channel. Therefore, we focus on the MN-AMF(i+1) path to check if the proposed protocol keeps the MN's privacy. Here, keeping the MN's privacy means that it is unable for outsiders to identify the MN. In the proposed protocol, for each handover, a new anonymous ID, i.e., AID i , is generated and assigned to the MN. Moreover, such an anonymous ID can be computed by only the MN and its visiting AMFs with their shared secret key K AMF . Consequently, without knowing the K AMF , it is almost impossible to extract the MN's ID ID MN from the anonymous ID as well as trace the MN because its anonymous ID is changed in every handover. As a result, considering that in the MN-AMF(i+1) path, the MN's ID is hidden by replacing it with the anonymous ID, the proposed protocol can preserve the MN's privacy.
Lemma 5: The proposed protocol support confidentiality and integrity Proof: To support confidentiality, the session key SK must be securely negotiated between the involved entities.
Notably, the lemma 3 shows that it is securely exchanged between the MN and the AMF(i+1). On the other hand, providing integrity can be proved by the beliefs derived from the HMAC values HM 1 to HM 3 and the signature SIG CDMF . Accordingly, through the established beliefs (D3), (D7), (D11), and (D14), it shows that the integrity for the AccAuthReq, MCReq, MCRep, and AccAuthRep messages is achieved. As a result, we conclude that the lemma 4 is valid.
Theorem 1: The proposed protocol is correct as well as satisfy the security requirements including confidentiality, integrity, mutual authentication, key exchange, privacy, and defense against redirection attacks by malicious node.
Proof: From the above derived beliefs (D1)-(D17), it can be shown that the proposed protocol is correct. Moreover, the obtained lemmas demonstrate that the proposed protocol satisfies the security requirements including confidentiality, integrity, mutual authentication, key exchange, privacy, and defense against redirection attacks by malicious node.

V. COMPARATIVE ANALYSIS
This section presents the comparative evaluation results in terms of the following three aspects: security analysis, handover latency analysis, computation overhead. For comparison, we consider not only the DMM security protocols (Lee's protocol [16] and Kim et al.'s protocol [17]), but also the EAP based protocols including EAP-AKA [21], EAP-TLS [22], and EAP-IKEv2 [23], which are widely adopted security protocols in mobile and wireless networks.

A. SECURITY ANALYSIS
The proposed protocol is compared with other existing protocols in terms of the six security requirements. As shown in Table 5, the proposed protocol unlike others satisfies all the security requirements while in particular showing that it is specialized to DMM networks by supporting e and f .

B. HANDOVER LATENCY ANALYSIS
In the different EAP authentication types considered in this paper, the full EAP exchange is required whenever the MN changes its point of attachment. Accordingly, the handover latency in EAP is derived as: (1) where L L2 , which is dependent on the wireless chipset used, is the average latency at the link-layer. The D nAMF−CMDF and the D nAMF−pAMF are the average delay for a message to arrive from the AMF to the CMDF, and between AMFs, respectively. The n refers to the number of AMFs that the MN has visited previously. L HO−AU is the average time required to finish the EAP protocol. This value is expressed as: In [16] and [17], whenever the MN moves to the target AMF, mutual authentication is executed in the same as how it was during the initial attachment. Consequently, their handover latency is expressed as:  For comparative analysis, we adopt the following parameters: the latency of one hop t HOP = 10 ms [26], D MN−nAMF = t HOP , D nAMF−CMDF = D nAMF−AS = pt HOP where p is the number of hops between the AMF and the CMDF/AS. We use p = 3 [27], and L L2 = 2.2 ms [26]. Additionally, m is set as 2, 4, and 4 for EAP-AKA [21], EAP-TLS [22], and EAP-IKEv2 [23], respectively. Figure 16 shows the handover latency of the three EAP protocols, LEE's protocol, KIM et al.'s protocol, and our proposed protocol. As presented, the handover latency of the EAP protocols are higher than those of the other ones. This is because it requires to perform authentication procedure in the same way during the initial attachment, which results in high signaling overhead. On the other hand, the LEE's and KIM et al.'s protocols have similar handover latency because they follow the same authentication signaling sequence but slightly differ on the message content. Meanwhile, the proposed protocol has the smallest handover latency. This result is due to the customization of authentication procedure for the handover event.

C. COMPUTATION OVERHEAD
In this subsection, Table 6 presents the comparison of our proposed protocol against the schemes of Lee [16] and Kim and Shin [17] as well as three security standards under EAP framework [21]- [23] with respect to computation cost. Compared to EAP-TLS and EAP-IKEv2, the proposed protocol is more efficient because it allows MN to avoid asymmetric key operations. On the other hand, the protocol has higher computation cost than those of EAP-AKA, Lee's scheme, and Kim et. al.'s scheme. That is why it sacrifices efficiency to gain strong security enough to keep a reasonable trade-off between computational efficiency and handover security robustness. As a result, the proposed protocol achieves the strongest security with good computational efficiency.

VI. CONCLUSION
In 5G networks, it is very important to provide a secure and efficient handover because handover can happen frequently. For this reason, the DMM protocol was introduced, but current researches on DMM mostly concentrate on developing solutions for handover and data routing efficiency. Consequently, there has been lack of addressing security aspects, resulting in several security threats including the redirection attacks launched by malicious AMF or CMDF. Motivated by this, we proposed a secure and efficient handover protocol based on DMM architecture for 5G standalone network. For the proposed protocol, a mapping of the 5G standalone network entities to the DMM entities was first introduced. Moreover, the correctness of the proposed protocol was thoroughly proven by using formal verification tools BAN-logic and AVISPA. Based on the derived lemmas, it can be concluded that the proposed protocol supports mutual authentication, secure key exchange, integrity, confidentiality, and privacy in addition to defending against the redirection attacks by malicious AMF or CMDF. Finally, we showed in our comparative analysis that the proposed protocol is better in terms of security, handover latency, and computation overhead. In the future, we wish to implement the protocol in a real testbed but not limited to 5G architecture.