1. Field of the Invention
The present invention relates generally to a network system using Mobile Internet Protocol (IP), and in particular, to an apparatus and method for filtering packets in a network system using Mobile IP.
2. Description of the Related Art
With the progress of Internet technology, IP communication networks have developed rapidly. In these networks, users and servers operate with fixed addresses (IP addresses), and routing is performed on the basis of those addresses.
Similarly, in mobile communication systems, several schemes have been proposed to deliver more data services to mobile terminals. Mobile IP, the concept of allocating IP addresses to mobile terminals, has been introduced as one of these schemes. Within the Internet Engineering Task Force (IETF), discussion of Mobile IP has progressed to Mobile IPv6 (MIPv6). Mobile IP is classified into Mobile IP version 4 (MIPv4) and Mobile IP version 6 (MIPv6) according to the version of IP on which it runs.
Although IP communication networks started out based on MIPv4, they are developing into MIPv6-based networks. An MIPv6 network is designed to address the limited supply of IP addresses, the growing number of users, and the provisioning of various services. Its most noticeable characteristic, inherited from IPv6 itself, is that the IP address length is extended from 32 bits to 128 bits, in preparation for the depletion of network addresses caused by the rapid growth of the Internet.
Because the IPv6 header region is extended with extension headers, MIPv6 can also specify mechanisms for source authentication of packets and for guaranteeing the integrity and security of data.
In data transmission, a Mobile IP communication network can deliver data without changing the existing IP address of the terminal and without disconnecting the session. However, now that the Mobile IP standard has been completed and applied to commercial products, conventional packet filter rules can no longer guarantee smooth data communication.
FIG. 1 illustrates a configuration of a general network system using Mobile IP, in which a Correspondent Node (CN) transmits data to a Mobile Node (MN).
A mobile node 170 is a device such as a portable computer. A correspondent node 110 indicates a counterpart node that performs data communication with the mobile node 170.
A packet filtering apparatus 120, or FireWall (FW), prevents a compromise of the security of networks on the Internet and isolates the networks from one another. That is, the packet filtering apparatus 120 blocks unauthorized traffic entering from outside and admits only authorized and authenticated traffic, in order to protect an internal network from untrusted external networks. The packet filtering apparatus 120, in which a packet filter rule is stored, can be an access router.
In MIPv6, even after the mobile node 170, which has a home address (HoA) assigned in its home link region, leaves the home link region and moves to a remote link region, it can still communicate with the desired correspondent node 110 using a Care-of Address (CoA) assigned in the remote link region.
There are two possible methods in which a mobile node performs data communication with a correspondent node in a Mobile IP communication network.
A first method is a tunneling method, in which traffic between the mobile node and the correspondent node passes through a Home Agent (HA).
In FIG. 1, the correspondent node 110 is protected by a network to which the packet filter rule of the packet filtering apparatus 120 is applied. For communication with the correspondent node 110, the mobile node 170 initially communicates via an HA 160, and during this communication the packet filter rule is stored in the packet filtering apparatus 120. When the correspondent node 110 communicates with the mobile node 170, the packet filtering apparatus 120, by means of an uplink packet filter, matches packets whose source IP address is the address of the correspondent node and whose destination IP address is the home address of the mobile node. The term ‘uplink’ herein indicates the communication route from the correspondent node to the mobile node. The term ‘downlink’ as used herein indicates the communication route from the mobile node to the correspondent node.
A second method is a direct communication method in which for the optimization of a route, the mobile node 170 and the correspondent node 110 directly communicate with each other without passing through the HA 160.
In order for the mobile node 170 and the correspondent node 110 to communicate directly without passing through the HA 160, the mobile node 170 first proves to the correspondent node 110, through the return routability procedure, that it is reachable at both its home address and its care-of address. After this procedure completes successfully, a registration process is performed through a binding update. Even for a mobile node 170 that has completed both the return routability and registration processes, under the current standard the uplink data that the correspondent node 110 in the protected network transmits to that mobile node 170 is discarded (or dropped) by the packet filter rule before it reaches the mobile node 170, because its destination address is the CoA of the mobile node. That is, when the correspondent node 110 is located in a network 100 protected by the packet filter rule, route-optimized data transmission from the correspondent node 110 to the mobile node 170 is impossible, because the destination address of the packet is the CoA, which the uplink packet filter does not match. If the packet filter rule were simply relaxed to admit such packets, the corresponding network would be exposed to hackers or attackers because of the resulting low security level.
FIG. 2 illustrates a configuration of a general network system using Mobile IP, in which a mobile node transmits data to a correspondent node.
In the Mobile IP communication network, for communication with a correspondent node 110, a mobile node 170 initially communicates via an HA 160, and during this communication the packet filter rule is stored in a packet filtering apparatus 120. When the mobile node 170 communicates with the correspondent node 110, the packet filtering apparatus 120, by means of a packet filter, matches packets whose source IP address is the home address of the mobile node 170 and whose destination IP address is the address of the correspondent node 110.
However, to optimize the route, the mobile node 170 and the correspondent node 110 may communicate directly without passing through the HA 160. When the mobile node 170 transmits data directly to the correspondent node 110 in the protected network 100, the data is discarded by the packet filter rule because its source address 135 is the CoA of the mobile node 170, not the home address stored in the rule.
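The behaviour described for FIG. 1 and FIG. 2 can be reproduced with a small model of the conventional filter. The following Python is an added illustration, not the apparatus of the present invention or any product's code: it keys its rules on the outer (source, destination) address pair learned from HA-tunnelled traffic, exactly as the conventional rule does, and then shows that route-optimized packets carrying the CoA are dropped in both the uplink and downlink directions. It also shows why simply relaxing the rule (accepting any source toward the correspondent node) lowers the security level. The addresses are constructed from the IPv6 documentation prefix and are assumptions, as is the wildcard rule syntax.

```python
"""Toy model of the conventional packet filter rule discussed in FIG. 1 / FIG. 2.

Added illustration, not the patent's apparatus. Rules are keyed on the outer
(source, destination) pair only, which is what makes route-optimized MIPv6
traffic (addressed to or from the CoA) fail. All addresses are constructed
values from the 2001:db8::/32 documentation prefix.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample addresses (assumed for this example).
CN = "2001:db8:100::10"      # correspondent node inside the protected network
HOA = "2001:db8:1::aa"       # mobile node's home address (HoA)
COA = "2001:db8:2::bb"       # mobile node's care-of address (CoA) on the foreign link
ATTACKER = "2001:db8:666::1"  # an unrelated external host

ANY = "*"  # assumed wildcard token for a relaxed rule


def canon(addr):
    """Normalize textual IPv6 so 2001:DB8:0:0:0:0:0:1 and 2001:db8::1 compare equal."""
    return addr if addr == ANY else str(ip_address(addr))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    via_ha: bool = False  # True when the packet travelled through the Home Agent


class PacketFilter:
    """Stateful filter that learns bidirectional (src, dst) rules from HA-tunnelled flows."""

    def __init__(self):
        self.rules = set()

    def learn(self, pkt):
        # Only flows that reached the CN through the HA populate the table, so the
        # mobile node is recorded under its HoA, never under its CoA.
        if pkt.via_ha:
            self.rules.add((canon(pkt.src), canon(pkt.dst)))  # downlink: HoA -> CN
            self.rules.add((canon(pkt.dst), canon(pkt.src)))  # uplink:   CN  -> HoA

    def allow(self, src, dst):
        """Install an explicit rule; ANY on either side is a wildcard."""
        self.rules.add((canon(src), canon(dst)))

    def decide(self, pkt):
        s, d = canon(pkt.src), canon(pkt.dst)
        for rs, rd in self.rules:
            if rs in (s, ANY) and rd in (d, ANY):
                return "PASS"
        return "DROP"


def run_scenario():
    """Return the filter decision for each step of the FIG. 1 / FIG. 2 scenario."""
    fw = PacketFilter()
    # Phase 1: MN communicates with CN via the HA; the rule CN <-> HoA is stored.
    first = Packet(src=HOA, dst=CN, via_ha=True)
    fw.learn(first)
    results = {
        "ha_downlink": fw.decide(first),
        "ha_uplink": fw.decide(Packet(src=CN, dst=HOA, via_ha=True)),
        # Phase 2: route optimization, no HA; the outer addresses now use the CoA.
        "ro_uplink": fw.decide(Packet(src=CN, dst=COA)),    # FIG. 1 case
        "ro_downlink": fw.decide(Packet(src=COA, dst=CN)),  # FIG. 2 case
    }
    # Phase 3: naive fix, accept anything to or from the CN. Route-optimized traffic
    # now passes, but so does traffic from an arbitrary external host.
    relaxed = PacketFilter()
    relaxed.allow(ANY, CN)
    relaxed.allow(CN, ANY)
    results["relaxed_ro_downlink"] = relaxed.decide(Packet(src=COA, dst=CN))
    results["relaxed_attacker"] = relaxed.decide(Packet(src=ATTACKER, dst=CN))
    return results


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:22s} {verdict}")
```

The two route-optimized packets are dropped purely because their outer address is the CoA rather than the HoA that the rule was learned with; the relaxed table admits them only by also admitting the unrelated host, which is the exposure the text refers to.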