WiMAX is a telecommunications technology aimed at providing wireless data communication over relatively long distances. WiMAX is based on the IEEE 802.16e standard.
FIG. 1 illustrates a portion of a conventional WiMAX system or network according to the current IEEE 802.16e standard (the WiMAX Forum Network Architecture—Stage 2, Part 1—Release 1.1.1). The system or network in FIG. 1 provides wireless services such as communication sessions (e.g., data sessions, voice sessions, multimedia sessions, etc.) to endpoints such as the plurality of mobiles or mobile nodes M1, M2, M3, . . . , MN using a mobile Internet Protocol (IP) framework, which is well-known in the art. A communication session refers to an active communication between two or more endpoints such as mobile nodes.
As discussed herein, the term “mobile” or “mobile node” refers to electronic devices having wireless communication capabilities, such as, a cellular phone, personal digital assistant (PDA), smartphone, laptop computer, etc. More generally, mobile node refers to any electronic device capable of changing its point of attachment from one network or subnetwork to another.
Referring to FIG. 1, the system includes a plurality of access service networks (ASNs) ASN1 and ASN2, a visited connectivity service network V-CSN and a home connectivity service network H-CSN. In conjunction with one another, access service networks ASN1 and ASN2, the visited connectivity service network V-CSN and the home connectivity service network H-CSN provide communications services to one or more mobile nodes M1-MN.
Each of ASN1 and ASN2 represents a communication network that provides mobile nodes with wireless access to a wired network. The access service networks ASN1 and ASN2 may be provided by a network access provider (NAP). An example access service network is a WiMAX access service network, which provides a WiMAX radio access infrastructure to WiMAX network service providers (NSPs). Although only two access service networks are shown in FIG. 1, it is well-known in the art that a WiMAX system may include any number of access service networks.
The access service network ASN1 includes one or more base stations 32-1. As discussed herein, a base station 32-1 represents any suitable device or system that provides wireless services to one or more mobiles M1 and M2 present in the coverage area or cell of the base station 32-1. As is well-known in the art, a base station comprises suitable devices operable to provide wireless services to mobile nodes located in its corresponding coverage area or cell. The base station 32-1 communicates with an ASN gateway (ASN-GW) 36-1, which is also included in access service network ASN1.
As is well-known, the ASN-GW 36-1 is a logical entity that represents an aggregation of control plane functional entities that are either paired with a corresponding function in the access service network ASN1 (e.g., an instance of a base station), a resident function in a CSN (e.g., V-CSN or H-CSN) or a function in another ASN. The ASN-GW 36-1 may also perform bearer plane routing or bridging functions.
As is well-known, each mobile node is associated with a base station, which is typically associated with a single default ASN-GW. However, ASN-GW functions for every mobile node may be distributed among multiple ASN-GWs located in one or more ASN(s).
Still referring to FIG. 1, the ASN-GW 36-1 includes a foreign agent (FA) 44-1 and an authenticator 52-1. As is well-known, the foreign agent 44-1 is a network entity (e.g., a router) that provides routing services to mobile nodes registered with the access service network ASN1. The foreign agent 44-1 routes data to and from mobile nodes currently registered with the access service network ASN1. The foreign agent 44-1 receives data intended for mobile nodes in the access service network ASN1 from the mobile nodes' assigned home agent (e.g., home agent 48 located in the visited connectivity service network V-CSN).
The well-known authenticator 52-1 is a network entity that authenticates requests for access from mobile nodes upon entering the access service network ASN1. Although authenticator 52-1 is shown as separate from foreign agent 44-1 within the ASN-GW 36-1, the authenticator 52-1 may be co-located with the foreign agent 44-1 at any suitable location.
As noted above, the system in FIG. 1 also includes access service network ASN2, which includes one or more base stations 32-2 and an ASN-GW 36-2. The ASN-GW 36-2 includes a foreign agent 44-2 and an authenticator 52-2. Each of these components and functions performed therein are the same as the corresponding components described above with regard to access service network ASN1. Thus, a description of these components is omitted.
The system in FIG. 1 further includes a visited connectivity service network V-CSN and a home connectivity service network H-CSN. Generally, a connectivity service network (CSN) is a set of network functions that provide Internet Protocol (IP) connectivity services to WiMAX subscriber(s) (mobile nodes). A CSN may provide, for example, IP addresses and endpoint parameter allocations to mobile nodes for user sessions, Internet access, AAA server, policy and admission control based on user subscription profiles, ASN-CSN tunneling support, WiMAX subscriber billing and inter-operator settlement, inter-CSN tunneling for roaming, inter-ASN mobility, WiMAX services such as location based services, and connectivity for peer-to-peer services, provisioning, authorization and/or connectivity to IP multimedia services.
As is well-known, a CSN may comprise network elements such as routers, AAA servers, user databases, interworking gateway mobile nodes. A CSN may be deployed as part of, for example, a WiMAX service provider network.
More specifically, the visited connectivity service network V-CSN represents a communication network that provides mobility management for mobiles served by access service networks ASN1 and ASN2 and also provides other operations, for example, authorization operations, host configuration management operations, etc. The visited connectivity service network V-CSN is normally provided by a network service provider (NSP).
Although the visited connectivity service network V-CSN includes all of the above-mentioned components and functionality, only a single home agent 48 and an authentication, authorization, and/or accounting (AAA) function 40 are shown for the sake of clarity. As is well-known, home agent 48 is a network entity (e.g., router) that tunnels datagrams to a mobile node when the mobile node is away from its home network. A tunnel is a path followed by a datagram while encapsulated. The home agent 48 also maintains the current location of mobile nodes to which it is assigned.
The home agent 48 is selected and assigned to serve a communication session of a particular mobile by the AAA server 42 in the home connectivity service network H-CSN and/or the AAA function 40 in the visited connectivity service network V-CSN based on policies and configurations set by the network service provider.
Within the home connectivity service network H-CSN and the visited connectivity service network V-CSN, respectively, the AAA server 42 and the AAA server 40 are network entities (e.g., servers) that provide AAA-related services (e.g., authentication, authorization, accounting, or any combination thereof) associated with a mobile node's subscription. The AAA server 42 and the AAA server 40 differ in that the AAA server 40 is located in the visited connectivity service network (V-CSN) and the AAA server 42 is located in the home connectivity service network H-CSN. Moreover, as will be described in more detail below, the AAA server 40 also differs from the AAA server 42 in that the AAA server 40 may be subordinate to the AAA server 42 in selecting and assigning a home agent to a communication session of a particular mobile. For example, the AAA server 42 may delegate the selection and assignment of the home agent to the AAA server 40 in the visited connectivity service network V-CSN. For example, if main AAA functionality is expected from the H-CSN, then the AAA server 40 in the connectivity service network V-CSN acts as the proxy transporting information to the AAA server 42 in the connectivity service network H-CSN. For the sake of clarity, the AAA server acting as a proxy will be referred to as AAA function.
As is well-known in the art, authentication refers to validating the identity of a mobile node, authorization refers to authorizing a level of service for a mobile node, and accounting refers to tracking resource usage for the mobile node.
Referring to FIG. 1, mobile nodes Ml and M2 located in access service network ASN1 are authenticated by AAA server 42 via the authenticator 52-1. Mobile node M3 located in access service network ASN2 authenticates with AAA server 42 via authenticator 52-2. Both access service networks ASN1 and ASN2 are served by the same local AAA function 40, and as such, all authentication transactions are routed via the AAA function 40.
Authentication may be conducted according to an extensible authentication protocol (EAP), which is an authentication protocol that provides an infrastructure that enables clients (mobiles) to authenticate with a central authentication server. An EAP authentication may be executed between the mobile node M1, the authenticator 52-1 implemented in an Access Serving Network Gateway (ASN-GW) ASN-1, and Authentication, Authorization, and Accounting server(AAA) 42 that handles various functions associated with authenticating and authorizing wireless communications, as well as providing billing services associated with a wireless communications. Techniques for performing the initial EAP authentication are known in the art and in the interest of clarity will not be discussed herein.
As the result of a successful EAP-based subscription authentication procedure, both the EAP client (e.g., the mobile node M1) and the EAP server (the AAA server 42) generate a master session key (MSK). The AAA server 42 assigns the lifetime for this MSK based on its policy. The lifetime (or life expiration time) of the MSK specifies for how long this security association will be valid before re-authentication. Both MSK and MSK lifetime are subsequently delivered to the authenticator 52-1 at the end of the EAP authentication procedure.
The MSK is further processed to produce the intermediate Pairwise Master Key (PMK) and subsequently the access key (AK) unique for each base station 32 that serves the mobile node. The AK is used by the base station and mobile node to generate a set of session keys specifically for the communication session while the mobile node operates though this base station. One of these keys is the key encryption key (KEK), which is generated with the purpose of protecting the traffic encryption key (TEK). The TEK is randomly created by the base station, encrypted with the KEK by using an encryption algorithm (AES), and is sent through the air interface (in the encrypted form) to the mobile node. The mobile node decrypts the TEK and uses the TEK for air traffic encryption and integrity protection.
To validate the process of establishing security association, a 3-step TEK verification transaction is optionally conducted between the mobile node and the base station, which exchange nonces and signatures with each-other, thus verifying correctness and livelihood of their AK. Transmission of encrypted TEK to the mobile node followed by the optional 3-step TEK verification is lengthy and involves heavy messaging on the air interface in the handover region, while air link quality is bad and reliability is limited.