Minimizing Re-Authentication Overheads in Infrastructure IEEE 802.11 WLAN Networks

Anindo Mukherjee, Tarun Joshi, Dharma P. Agrawal
Center for Distributed and Mobile Computing, Department of ECECS, University of Cincinnati, Cincinnati OH 45221-0030, USA.
{ mukherao, joshit, dpa }@ececs.uc.edu

Abstract

Authentication delays of the order of 1s are a severe bottleneck in maintaining QoS guarantees over WLANs. Pre-authentication schemes have been proposed to reduce these delays. However, most of these schemes suffer from an increased message overhead on the network. The primary reason for this is that mobility modeling is not on a per-user basis. In this paper, we exploit the notion of predictability in user mobility patterns and propose a set of novel proactive key distribution algorithms to achieve low latencies while minimizing the message overhead in the network. We further provide a model to measure the responsiveness of our schemes to randomness in user motion. Simulation results indicate up to 70% message reduction in comparison to existing schemes, while maintaining similar latency values.
I. INTRODUCTION

The last decade has witnessed rapid deployment of wireless LANs based on the IEEE 802.11 standard. This speed in growth has been fuelled by the high capacity offered by these networks. Unlike 3G cellular networks, which offer a data rate of 2 Mbps [1], Wi-Fi networks offer 11 Mbps (802.11b) and 54 Mbps (802.11a/g). It is envisioned that this growth would continue till the goals of 4G are met, offering ubiquitous WLAN services integrated with other wireless technologies like 802.15, 3G etc. [2]. Although these data rates are very high, a roaming mobile device incurs handoff delays depending on its speed and the wireless coverage. Handoff can be defined as the process of reattachment of a mobile device to another network access point. Two primary contributors to the handoff delay are the probe phase [3] and the re-authentication phase. Previous studies on latencies for Wi-Fi networks have shown that authentication latencies are of the order of 1000 ms [3]. These delays are unacceptable if ubiquitous wireless computing has to manifest and QoS guarantees are to be met.

In this paper, we take a deeper look into the mechanisms for authentication delay reduction. We then suggest four novel methods to reduce latencies while minimizing the message overhead involved in the process. Although latency reduction is achievable in practice by preauthentication and key pre-distribution ([4],[5],[6]), the prime challenge lies in achieving these at low costs to the network. All the existing schemes require an authentication server to predistribute the keys. It is obvious that, as the number of users increases, the message overhead in the pre-authentication process would become the primary bottleneck. Existing solutions have managed to reduce the authentication latencies from 1000 ms to 50 ms but have not addressed the problem of minimizing the network overhead incurred in the process. In this paper, we minimize this network overhead while maintaining authentication values at around 50-70 ms. Our results show a reduction by 55% to 70% in the authentication message overhead.

Previous studies ([7], [8], and [9]) indicate that user movement is predictable. In our work, we exploit this predictability to characterize user mobility in a WLAN environment. A user typically moves between its hotspots. A user’s hotspots are the regions in the network between which his/her motion is primarily confined. In the course of moving between its hot spots, users frequently traverse a similar set of paths. By exploiting the similarities in a user’s mobility pattern, we judiciously pre-distribute keys to achieve both message and latency reduction.

The remainder of the paper is organized as follows. Section II presents a brief background on the IEEE 802.11 handoff process. Section III discusses the related work in this area. In Section IV, we introduce and analyze our schemes. We evaluate our proposed schemes against existing schemes and present the simulation results in Section V. The paper concludes in Section VI, suggesting some future research directions in this area.

II. BACKGROUND

In this section we overview the authentication procedure in IEEE 802.11 networks. According to the IEEE 802.1X standard, a Wi-Fi user that wishes to be authenticated is referred to as the Supplicant; the network port that authenticates it is termed the Authenticator, while the entity which helps the Authenticator to authenticate the Supplicant is the Authentication Server. For the rest of the paper, we refer to the Supplicant as a mobile station (MS), the Authenticator as the Access Point (AP) and the Server as the Authentication, Authorization, and Access control (AAA) server. At several instances, the terms user and MS are used interchangeably. We now briefly describe the process of authentication in IEEE 802.11 infrastructure networks.
As shown in Fig. 1, during steps 1 and 2, the MS obtains an Extensible Authentication Protocol -Required (EAP-Required) message from the AP. In this message, the AP sends a Required-ID message to the MS. In step 3, the MS sends its ID to the AAA server. Upon receiving this message, the AAA server initiates a full EAP-TLS (EAP-Transport Level Security) with the MS in step 4. This step delays the authentication process significantly. The EAP-TLS protocol allows the MS to present an X.509 certificate to the AAA server. At the end of this step, the MS and the AAA server have a Master Key (MK) and a set of Pseudo Random Functions (PRFs) in common.

[Figure 1: message sequence between MS, AP and AAA Server, steps 1 to 6: Reassociation Req, EAP-Req ID, EAP-Resp ID, Full EAP-TLS, EAP-Success, 802.1X 4-way Handshake]
Fig 1: MS re-association messages. The darker arrows represent more than one message exchange.

Using these PRFs and the MK, the MS and the AAA server generate the Pairwise Master Key (PMK) which is the primary key for all further communications between the MS and the AP. Note that this secret is known to the MS, AP as well as the AAA server. However, the calculation of this key can be carried out only by the AAA server or the MS. For more details, we refer the reader to [10],[11] and [12]. Once the PMK is known to the MS and the AP, a four-way handshake is carried out between them to authenticate each other. Both the EAP-TLS phase (between MS and AAA) and the four-way handshake (between MS and AP) contribute to the authentication delay. While the former amounts to 800-900 ms, the latter is of the order of around 50 ms [3].

III. RELATED WORK

The idea of pre-authentication to reduce authentication delays was first introduced by Choi et al. in [4]. The authors introduced the concept of a Frequent Handoff Region (FHR). An FHR for an AP is defined as a set of neighboring APs to which most of the handoffs occur. When an MS hands off to a new AP, it is pre-authenticated to all the APs in this AP's FHR based on certain parameters. The authors have assumed an independent identically distributed (i.i.d.) mobility model for their evaluation. Using this, they have managed to obtain a latency reduction of more than 50% over the normal authentication process. However, a primary drawback of this work is that users do not follow an i.i.d. pattern; instead each MS has a characteristic mobility pattern.

Mishra et al. propose dynamic data structures called Neighbor Graphs [6]. Neighbor Graphs capture the movement patterns of the users of the network. A Neighbor Graph is defined as a graph G = (V,E) where V = {AP1, AP2, ..., APn} denotes the set of APs. Each edge eij = {APi, APj} denotes a re-association relationship, indicating thereby that handoffs have previously occurred between APi and APj. This graph is dynamically learnt when the network comes up. When an MS attaches to a new AP (say APi), the AAA server distributes PMK to all APj which correspond to the edge eij. The new PMK is calculated as:

$$PMK_1 = \text{TLS-PRF}(MK,\ PMK_0 \mid MS.random \mid AAA.random) \tag{2a}$$
$$\vdots$$
$$PMK_n = \text{TLS-PRF}(MK,\ PMK_{n-1} \mid MS\_MAC \mid AP\_MAC) \tag{2b}$$
$$\vdots$$
The recurrence in (2a) and (2b) implies that an MS can calculate the PMK for a new AP using the MK, the previous PMK and the MAC addresses of the AP and itself. Thus, an MS needs to perform only one full EAP-TLS authentication process. Subsequently, only the four way handshakes are required for every handoff.

The primary drawback of both these schemes is that preauthentication/PMK pre-distribution is carried out with neighboring APs based on patterns that have been learnt by the combined mobility of all the MS. Thus, although the probability of a MS visiting a particular AP might be negligible, the preauthentication/PMK pre-distribution will still take place with that AP if any other MS had previously made a transition to that AP. Obviously, with an increase in the number of users/MS, this would lead to a significant message overhead (distribution of PMK to APs by AAA) in the authentication process. Hence we argue that by maintaining individual records of the mobility patterns of each user, message overheads can be considerably reduced.

IV. PROPOSED SCHEMES

A. Preliminaries

We make the following assumptions about the network:

1. Users follow paths between their respective hot spots with well defined probabilities.
2. The AAA server has resources to maintain individual records of the mobility pattern of each user. This amounts to storing and updating a few KB of data for each user.

Definition 1: We define an AP Transition Model (APTM) as a stationary stochastic process A = {Ai}. The value assumed by A is APi when the MS makes the ith handoff.

Definition 1a: A Neighbor Graph Transition Model (NGTM) is defined as an APTM such that for all j,

$$\Pr[A_k = AP_k \mid A_{k-1} = AP_{k-1}] = \Pr[A_{k+j} = AP_k \mid A_{k+j-1} = AP_{k-1}]$$

and,
$$\Pr[A_k = AP_k \mid A_{k-1} = AP_{k-1}] = \begin{cases} P(k,k-1) & \text{if any MS in the network has made a transition from } AP_{k-1} \text{ to } AP_k \\ 0 & \text{otherwise} \end{cases}$$

P(k, k-1) is defined as follows:

$$P(k,k-1) = \frac{\sum_{i=1}^{n} NH_i(k,k-1)}{\sum_{i=1}^{n} \sum_{j=1}^{|AP|} NH_i(k,j)} \tag{3}$$

Here, NHi(r,s) = Total number of handoffs for MSi between APr and APs. The Neighbor Graph scheme distributes a PMK to a node if Pr[Ak = APk | Ak-1 = APk-1] is non-zero.

Definition 1b: We define a Single Node Transition Model (SNTM) as an APTM such that for all j, Pr[Ak = APk | Ak-1 = APk-1] = Pr[Ak+j = APk | Ak+j-1 = APk-1] and,

$$\Pr[A_k = AP_k \mid A_{k-1} = AP_{k-1}] = \begin{cases} P_i(k,k-1) & \text{if any MS in the network has made a transition from } AP_{k-1} \text{ to } AP_k \\ 0 & \text{otherwise} \end{cases}$$

where,

$$P_i(k,k-1) = \frac{NH_i(k,k-1)}{\sum_{j=1}^{|AP|} NH_i(k,j)} \tag{4}$$

Lemma 1: If at state Ai, the average number of choices for state Ai+1 is defined as D(i, i+1) for SNTM, and N(i, i+1) for NGTM, then the following always holds: D(i, i+1) ≤ N(i, i+1)

Proof: In SNTM, keys are distributed if P(k, k-1) is non-zero. In both the schemes, a PMK distribution takes place if the probability P(k, k-1) is non-zero. This implies that the numerators of (3) and (4) must be non-zero. We first consider the numerator of (3). $\sum_{i=1}^{n} NH_i(k,k-1)$ is zero if and only if each individual term is zero. Let the individual probabilities of MS {1,2,…,n} to handoff from APk-1 to APk in time t be {q1, q2, …, qn}. Therefore, in time T, the probability of MSi not making a transition from APk-1 to APk is $(1-q_i)^{T/t}$. Clearly in time T, the probability that no MS does a transition from APk-1 to APk is:

$$q_N = \prod_{i=1}^{n} (1-q_i)^{T/t} \tag{5}$$

This is the probability of $\sum_{i=1}^{n} NH_i(k,k-1)$ to be zero. We now consider the numerator of (4). $NH_i(k,k-1)$ is zero with probability:

$$q_D = (1-q_i)^{T/t} \tag{6}$$

Obviously qN ≤ qD for any value of T. Since the probability of having zero transition probabilities for next state APs is higher for SNTM, it can be trivially calculated that the average number of choices would also be less and thus, D(i, i+1) ≤ N(i, i+1).

According to Def. 1b, we assumed an order-1 Markov Model for SNTM. Here, an Order-n model implies that the last n handoffs of an MS would be considered for predicting the next AP the MS shall handoff to. As shown in [7], order-2 models provide greater accuracy in mobility prediction than order-1 models. Hence, all our proposed schemes assume an order-2 model. We refer the reader to [7] for a detailed discussion on the comparison of order-1 and order-2 models. Employing higher order models would result in more accurate prediction at the expense of higher storage overhead. We plan to explore this tradeoff in our future work.

[Figure 2: an AAA server and access points AP-1 to AP-9, with locations labelled A, B, C, D and E]
Fig 2: Movement Scenario for an MS moving in a typical WLAN setup.
The idea behind the use of an order-2 model instead of an order-1 model can be highlighted with the help of an example. As shown in Fig. 2, let the paths A-E-C and D-E-B belong to a particular user’s set of most probable paths. Thus, after arriving at AP5, the probability of an MS moving to AP6 or to AP2 depends heavily on which AP the MS came from. If the MS arrived at AP5 from AP8, it is more probable that it would now move to AP2. Thus, the PMK should only be sent to AP2. However, if the MS arrived at AP5 from AP4, it is more probable that it would now move to AP6. An order-1 model would not be able to differentiate between these two cases and would distribute the PMK to both the APs. In contrast, an order-2 model will successfully track both the paths, thereby distributing the PMK to just the required APs.

B. Dual State Transition Predictability Algorithm (DSTPA)

DSTPA pre-distributes PMKs based on the previous movement history of an MS. Since it is infeasible to keep track of the entire history of an MS’s movement, DSTPA constantly updates a frequency matrix after every handoff of the MS. DSTPA effectively combines the concepts of order-2 models and per-user mobility prediction. When the MS first joins the network, it does a full EAP-TLS authentication with the AAA server. Each time an MS makes a transition of the form APi → APj → APk, a matrix is updated which reflects the frequency of handoffs from APj to APk if the previous AP was APi. If in the future, this MS arrives at APj from APi, the matrix would be scanned by the AAA server to search for non-zero frequencies of APk such that APi → APj → APk had occurred. The APs corresponding to the highest C such values are provided with the PMK by the AAA. Here C is a parameter which determines the class of service of the MS. Fig. 3 describes this algorithm. For this algorithm, we define the following:

Fijk = the number of times an MS moved from APi to APj and then on to APk.
Tij = Total number of times an MS moved from APi to APj and then to any other AP.
Pijk = Fijk / Tij

1. Wait till handoff happens
2. Increment Fijk and Tij and update Pijk
3. If { ∀ r | Pjkr = 0 }
4.     Do nothing
5. Else
6.     { ∀ r | Pjkr ≠ 0, Sort Pjkr in decreasing order }
7. Determine the value of C for this MS
8. For the first C values of Pjkr obtained in step 6 {
9.     Calculate new PMK based on (1)
10.    Send PMK to APr
11. }

Fig 3: Algorithm for DSTPA. The MS has made the transition APi to APj to APk. The parameter C depends on the Class of service of the MS.

We now show that the performance of DSTPA degrades if the movement of an MS becomes increasingly random. To analyze the learning process (AAA learning the MS mobility pattern) let us define the following terms:

Q = Total number of order-2 AP transitions possible.
p(h,k) = Probability of learning k new AP transitions in h handoffs.

Lemma 2: For DSTPA and a totally random mobility pattern, the value p(h,k) is given by the following recurrence:

$$p(h,k) = p(h-1,k-1)\,\frac{Q-k+1}{Q} + p(h-1,k)\,\frac{k}{Q} \tag{7a}$$
$$p(h,1) = \frac{p(h-1,1)}{Q} \quad \text{for } h > 1 \tag{7b}$$
$$p(1,1) = 1 \tag{7c}$$

p(h,k) = 0 for h

learning the same state after another handoff is q/Q. However, by definition, q is p(h-1,1). Thus (7b) holds. To prove (7a), we consider two cases for the model to learn k states in h handoffs. The first is if k-1 states were learnt till the (h-1)th handoff and the model learns of a new state in the hth handoff. The second is if k states had already been learnt till the (h-1)th handoff and the model does not learn of a new state in the hth handoff. The probability for the first case is p(h-1,k-1)(Q-k+1)/Q, as there are Q-k+1 new states to be learnt. The probability for the second case is p(h-1,k)(k)/Q, as there are k old states that have already been learnt. The sum of these two terms is p(h,k). Thus, (7a) holds. Fig. 4 depicts the various values for the average number of states learnt versus the handoffs.

DT) Employ NG for PMK distribution else Employ DSTPA for PMK distribution

Fig 5: Algorithm for SWA
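The following Python code is an added example, not code from the paper: it implements the DSTPA bookkeeping of Fig. 3 for a single MS and replays the two Fig. 2 paths through AP5, showing order-2 prediction sending one PMK where an order-1 model would send two. HMAC-SHA256 standing in for TLS-PRF, the class and function names, and the keys, MAC addresses and paths are assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict


def next_pmk(mk, prev_pmk, ms_mac, ap_mac):
    """PMK_n = PRF(MK, PMK_{n-1} | MS_MAC | AP_MAC), as in (2b).

    Assumption: HMAC-SHA256 stands in for TLS-PRF to keep the example short.
    """
    return hmac.new(mk, prev_pmk + ms_mac + ap_mac, hashlib.sha256).digest()


class DSTPA:
    """Per-MS order-2 frequency matrix kept by the AAA server (Fig. 3)."""

    def __init__(self, c):
        self.c = c                                      # class-of-service parameter C
        self.F = defaultdict(lambda: defaultdict(int))  # F[(APi, APj)][APk]
        self.T = defaultdict(int)                       # T[(APi, APj)]

    def record(self, ap_i, ap_j, ap_k):
        # Step 2: increment F_ijk and T_ij (P_ijk = F_ijk / T_ij is derived on demand).
        self.F[(ap_i, ap_j)][ap_k] += 1
        self.T[(ap_i, ap_j)] += 1

    def predict(self, ap_j, ap_k):
        # Steps 3-8: APs r with P_jkr != 0, sorted by decreasing P_jkr, first C kept.
        row = self.F.get((ap_j, ap_k))
        if not row:
            return []
        total = self.T[(ap_j, ap_k)]
        return sorted(row, key=lambda r: (-row[r] / total, r))[: self.c]

    def order1_targets(self, ap_k):
        # Order-1 baseline for comparison: every AP this MS ever reached from
        # ap_k, regardless of the AP it arrived from.
        return sorted({r for (_, k), row in self.F.items() if k == ap_k for r in row})


def walk(model, path, mk, pmk, ms_mac, ap_macs):
    """Replay one session; return (PMK messages sent by the AAA, handoffs that hit)."""
    messages = hits = 0
    pending = {}                     # PMKs pre-distributed for the next handoff
    for n, ap in enumerate(path):
        if n >= 1:
            pmk = next_pmk(mk, pmk, ms_mac, ap_macs[ap])  # MS derives its new PMK
            hits += pending.get(ap) == pmk                # AP already holds the same key
        if n >= 2:
            model.record(path[n - 2], path[n - 1], ap)
        targets = model.predict(path[n - 1], ap) if n >= 1 else []
        pending = {r: next_pmk(mk, pmk, ms_mac, ap_macs[r]) for r in targets}
        messages += len(pending)
    return messages, hits


def demo():
    # Constructed sample data: keys, MAC addresses and paths are made up.
    mk, pmk0 = b"M" * 32, b"P" * 32
    ms_mac = bytes.fromhex("020000000001")
    ap_macs = {f"AP{i}": bytes.fromhex(f"0200000001{i:02x}") for i in range(1, 10)}
    model = DSTPA(c=1)
    # Learning phase: the two paths through AP5 discussed with Fig. 2.
    for path in (["AP4", "AP5", "AP6"], ["AP8", "AP5", "AP2"]):
        walk(model, path, mk, pmk0, ms_mac, ap_macs)
    return {
        "from_AP8": model.predict("AP8", "AP5"),
        "from_AP4": model.predict("AP4", "AP5"),
        "order1": model.order1_targets("AP5"),
        "replay": walk(model, ["AP8", "AP5", "AP2"], mk, pmk0, ms_mac, ap_macs),
    }


if __name__ == "__main__":
    print(demo())
```

A hit in `walk` means the PMK the AAA pre-distributed to the AP equals the one the MS derives on arrival, so only the four-way handshake remains for that handoff.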
D. Localization Schemes

In subsections IV.B and IV.C we introduced schemes that adaptively learn the movement of an MS based on its previous history. However, in more realistic scenarios, users may frequently change their movement patterns. Users move between areas in such a manner that they are localized to one region for some time and then switch to some other region. This kind of movement pattern implies that previous history needs to be ‘forgotten’ and the model should learn the new pattern as quickly as possible. This motivated us to suggest schemes which rapidly learn changes in mobility behavior.

Most Recently Used (MRU): In this scheme, a table of the most recently visited APs is maintained by the AAA server for each MS corresponding to each pair of last visited APs. For instance, in Fig. 2, if the MS follows the path A-E-B and A-E-C in that order, the table for A-E would have C as the most recently added value followed by B. If we suppose that the size of the table is 2 and if in the future, the MS follows the path A-E-D, the value of B would be replaced by D. Each time the MS arrives at E from A, the key is given to all the APs currently in the table for A-E. In this way, if the node changes its movement pattern, the table would quickly adapt to the new pattern and ‘forget’ the previous history, thereby saving on the number of messages and maintaining low latencies.

Sweep Stake Algorithm (SSA): The objective of SSA is to rapidly bias probability values in favor of APs that have been recently visited by an MS. The SSA algorithm for PMK

The primary idea here is that the frequency of the most recently visited AP is increased by an amount which is uniformly ‘swept’ out of the frequencies of the other APs. This leads to a bias in favor of the recently visited APs. We have not incorporated the results for the above two schemes due to lack of space. Analysis of these schemes will be done in our future work.

V. SIMULATIONS

A. Simulation Model

We have implemented a WLAN environment in ns-2 ([13]). This environment models most of the key aspects of a WLAN scenario including Access Points, Backbone AAA servers and mobile nodes. We have also developed a simple communication protocol to simulate EAP-TLS and the IEEE 802.1X handshake. A few nodes with fixed locations have been designated as Access Points and the others as Mobile Stations. We classify users in two categories, predictable and random. Predictable users move between their hot spots with defined probabilities. This leads to a specific movement pattern over a period of time. In contrast, random users follow the random waypoint mobility model. The simulations were carried out for a maximum of 10000 time units. The speeds of MSs were chosen randomly between 2 m/s and 20 m/s. There were 25 APs and 50 MS uniformly distributed in a region of 5000 m x 5000 m. We have carried out our simulation for three sets of users. In the first category, all the users are predictable; in the second, 50% of the users are random and 50% are predictable; while in the third category, all users are random. We compared our schemes to the Neighbor Graph (NG) scheme mentioned in Section III.

B. Simulation Results

Fig. 7(a), 7(b) and 7(c) plot the total number of messages sent out by the AAA server in each time interval. p is the probability of a user being random. Fig. 7(c) depicts the number of messages for p=100%, i.e., when all users are random. The number of messages sent out for DSTPA increases with time as the frequency matrices take some time to get populated.
The values for SWA are between NG and DSTPA for some time and slowly converge to DSTPA. The reason for this is that SWA keeps switching between NG and DSTPA as explained in Fig. 5. However, with time, the frequency matrices keep getting updated and SWA converges to DSTPA as the value of α in Fig. 5 is 1 more often than 0. The above argument also explains the behavior for p=50% and p=0. For p=0, SWA and DSTPA exhibit similar behavior as the predictions are accurate most of the time because of the predictability in MS movement. The values for p=50% are between those for p=0 and p=100%.

Fig. 7(a). Number of messages with p=0
Fig. 7(b). Number of messages with p=50%
Fig. 7(c): Number of messages with p=100%
[Plots: Messages vs. Time (500 sec); series DSTPA, SWA, NG]

Fig. 8(a), 8(b) and 8(c) depict the average latency experienced by the MS for each time interval. The overall latencies are least for NG. However, after the network has stabilized and the mobility patterns have been learnt, the extra latency in SWA and DSTPA is marginally more than NG. If compared to the full EAP-TLS delay of around 1 second, this is very insignificant. As seen in Fig. 8, the difference in latency values for the various schemes increases with user randomness. If all users follow predictable motion, NG, DSTPA and SWA converge to produce similar latency values, while incurring less message overhead on the AAA server as shown earlier. Another interesting result that can be derived from Fig. 8 is that SWA shows low latency values in comparison to DSTPA during the initial learning phase of the system as it switches back and forth between DSTPA and NG.

Fig. 8(a). Average Latency per Handoff for p=0
Fig. 8(b). Average Latency per Handoff for p=50%
Fig. 8(c). Average Latency per Handoff for p=100%
[Plots: Avg. Latency per handoff (ms) vs. Time (500 sec); series DSTPA, SWA, NG]

Fig. 9 shows the average latency per handoff for m=20 and varying DT. As can be seen, the performance is best for higher values of DT. The overhead is an increase in the number of messages as the algorithm stays in NG mode for a longer period of time. In Fig. 10, the behavior of SWA is analyzed by modifying the value of m and observing the latency values. The primary disadvantage with increasing m is the added complexity in the calculations. Also, a large value of m forces the scheme to take a lot of history into account which is not ideal for a rapidly changing mobility model. As can be seen, for m=5, the delays are large towards the beginning but fall very quickly. Plots for higher values of m show the opposite behavior. This reversal of behavior can be explained as follows. For large values of m, the algorithm stays in the NG mode for a longer time during the initial phase and thus, delays are less. For m=10, the high initial value is due to the fact that the system switches to DSTPA prematurely. This phenomenon is also true for m=5. However, in this case, the switchback to NG is also fast and thus latencies are lesser than m=10.

Fig. 9: Average Latency/Handoff for m=20 and varying DT. In the figure, the value D stands for the threshold DT. The percentage value indicates the number of hits expected.
[Plot: Latency (ms) vs. Time (1000 sec); series D=40%, D=60%, D=80%]

Fig. 10: Average Latency/Handoff for DT=80% and varying m.
[Plot: Latency (ms) vs. Time (1000 sec); series m=5, m=10, m=15, m=20, m=25]

VI. CONCLUSION AND FUTURE WORK

We have shown through extensive simulations that our schemes drastically reduce the message overhead in the PMK distribution to APs by as much as 70%. This is a very substantial result as it would enable easy scalability of pre-authentication schemes which are still in their nascent stages. In the course of our work, we noted that simple adaptive schemes are highly suitable for WLANs if the parameters are suitably chosen. Although our work is based on the fact that users follow predictable motion patterns, we have shown through simulations that our schemes also perform well in cases with high randomness in user motion. In our future work, we plan to test our schemes by extensive experimentation over WLAN test beds. Further, we plan to use evolutionary algorithms like neural networks to allow the AAA server to learn a user’s behavior.
REFERENCES

[1] http://www.3gpp.org, http://www.3gpp2.org
[2] B.G. Evans and K. Baughan, “Visions of 4G,” Electronics and Commun. Eng. J., vol 12, no. 6, pp 293-303, Dec 2000.
[3] M. Yasuhiko, Ana Sanz M., S. Manish, S. Takashi, Randy H. Katz, “Secure authentication system for public WLAN roaming,” Proceedings of the 1st ACM/WMASH, San Diego, CA, USA, 2003.
[4] S. Pack and Y. Choi, “Pre-Authenticated Fast Handoff in a Public Wireless LAN based on IEEE 802.1x Model,” IFIP TC6 Personal Wireless Communications, October 2002.
[5] S. Pack and Y. Choi, “Fast Inter-AP Handoff using Predictive-Authentication Scheme in a Public Wireless LAN,” IEEE Networks, August 2002.
[6] A. Mishra, Min Ho Shin, N. L. Petroni, T. C. Clancy and W. A. Arbaugh, “Proactive key distribution using neighbor graphs,” Wireless Communications, IEEE, Feb. 2004.
[7] Bhattacharya A., Das S. K., “LeZi-update: an information-theoretic approach to track mobile users in PCS networks,” Proceedings of the 5th annual ACM/IEEE MOBICOM.
[8] Y. Birk and Y. Nachman, “Using direction and elapsed-time information to reduce the wireless cost of locating mobile units in cellular networks,” Wireless Networks, (4):403-412, December 1995.
[9] A. Bar-Noy and I. Kessler, “Tracking mobile users in wireless communication networks,” IEEE Transactions on Information Theory, 39(6):1877-1886, November 1993.
[10] B. Aboba and D. Simon, “PPP EAP-TLS authentication protocol,” RFC 2716, October 1999.
[11] IEEE Standard 802.1x-2001 – Standard for Port based Network Access Control
[12] IETF, RFC 2865 “Remote Authentication Dial In User Service (RADIUS)”, June 2000.
[13] K. Fall and E. Varadhanm, The ns Manual (Formerly ns Notes and Documentation), 2000.