Present-day Internet communications represent the synthesis of technical developments begun in the 1960s—the development of a system to support communications between different United States military computer networks, and the subsequent development of a system to support the communication between research computer networks at United States universities. These technological developments would subsequently revolutionize the world of computing.
The Internet, like so many other high tech developments, grew from research originally performed by the United States Department of Defense. In the 1960s, Defense Department officials began to notice that the military was accumulating a large collection of computers—some of which were connected to large open computer networks and others that were connected to smaller closed computer networks. A network is a collection of computers or computer-like devices communicating across a common transmission medium. Computers on the Defense Department's open computer networks, however, could not communicate with the other military computers on the closed systems.
Defense Department officials requested that a system be built to permit communication between these different computer networks. The Defense Department recognized, however, that a single centralized system would be vulnerable to missile attacks or sabotage. Accordingly, the Defense Department required that the system to be used for communication between these military computer networks be decentralized and that no critical services be concentrated in vulnerable failure points. In order to achieve these goals, the Defense Department established a decentralized standard protocol for communication between network computers.
A few years later, the National Science Foundation (NSF) wanted to connect network computers at various research institutions across the country. The NSF adopted the Defense Department's protocol for communication, and this combination of research computer networks would eventually evolve into the Internet.
Internet Protocols
The Defense Department's communication protocol governing data transmission between computers on different networks was called the Internet Protocol (IP) standard. The IP standard now supports communications between computers and networks on the Internet. The IP standard identifies the types of services to be provided to users, and specifies the mechanisms needed to support these services. The IP standard also describes the upper and lower system interfaces, defines the services to be provided on these interfaces, and outlines the execution environment for services needed in the system.
A transmission protocol, called the Transmission Control Protocol (TCP), was also developed to provide connection-oriented, end-to-end data transmission between packet-switched computer networks. The combination of TCP with IP (TCP/IP) forms a system or suite of protocols for data transfer and communication between computers on the Internet. The TCP/IP standard has become mandatory for use in all packet switching networks that connect or have the potential for utilizing connectivity across network or sub-network boundaries.
The TCP/IP Protocol
In a typical Internet-based communication scenario, data is transmitted from an applications program in a first computer, through the first computer's network hardware, and across the transmission medium to the intended destination on the Internet. After receipt at a destination computer network, the data is transmitted through the destination network to a second computer. The second computer then interprets the communication using the same protocols on a similar application program—only in reverse order. Because standard protocols are used in Internet communications, the TCP/IP protocol on the second computer decodes the transmitted information into the original information transmitted by the first computer.
One of the rules in TCP/IP communications is that a computer user does not need to get involved with details of data communication. In order to accomplish this goal, the TCP/IP standard imposes a layered communications system structure. All the layers are located on each computer in the network, and each module or layer is a separate component that theoretically functions independent of the other layers. As an alternative, User Datagram Protocol (“UDP”) supports the same type of layered protocol communication system, but with less accuracy checking on message content than the TCP/IP protocol.
TCP/IP and its related protocols form a standardized system for defining how data should be processed, transmitted and received on the Internet. TCP/IP defines the network communication process, and more importantly, defines how a unit of data should look and what information the message should contain so that the receiving computer can interpret the message correctly. Because the standardized layer design of TCP/IP, a consistent conversion of base data is ensured regardless of the version or vendor of the TCP/IP conversion software.
TCP/IP Addressing and Routing
A computer operating on a network is assigned a unique physical address. On a Local Area Network (“LAN”), the physical address of the computer is a number given to computer's network adapter card. Hardware LAN protocols use this physical address to deliver packets of data, sometimes called information packets, to computers on the LAN.
On the Internet, the TCP/IP protocol routes information packets using logical addressing. The network software in the Network Layer generates logical addresses. Specifically, a logical address in the TCP/IP network is translated into a corresponding physical address using the ARP (Address Resolution Protocol) and RARP (Reverse Address Resolution Protocol) protocols in the Network Layer.
The TCP/IP's logical address is also called an IP address. The IP address can include: (1) a network ID number identifying a network, (2) a sub-network ID number identifying a sub-network on the network, and, (3) a host ID number identifying a particular computer on the sub-network. The header data in the information packet will include source and destination addresses. The IP addressing scheme imposes a sensible addressing scheme that reflects the internal organization of the network or sub-network.
A computer network is often subdivided into smaller sub-networks. The computer network is divided in this manner to increase data transmission efficiency and reduce overall network traffic. Routers are used to regulate the flow of data into and out of designated sub-networks of the computer network.
A router interprets the logical address of a information packet, such as an IP address, and directs the information packet across the network to its intended destination. Information packets addressed between computers on the sub-network do not pass through the router to the greater network, and therefore does not clutter the transmission lines of the greater network. If data is addressed to a computer outside the sub-network, however, the router forwards the data onto the larger network.
The TCP/IP network includes protocols that define how routers will determine the path for data through the network. Routing decisions are based upon information in the IP packet header and entries in each router's routing table. A routing table possesses sufficient information for a router to make a determination on whether to accept the communicated information on behalf of a destination computer, or pass the information onto another router in the network. The routing table also permits the router to determine where the information should be forwarded within the network or sub-network.
The routing table can be configured manually with routing table entries or a dynamic routing protocol that can accommodate changing network topologies—network architecture, network structure, layout of routers, and interconnections between hosts and routers. In a dynamic routing protocol, a router advertises reachability when it sends updated routing information to a second router claiming that the first router is capable of reaching one or more destination addresses. Advertising accessibility is important to the process of receiving, directing and re-directing information packets on the Internet.
The IP-Based Mobility System
Internet protocols were originally developed with an assumption that Internet users, which are assigned a unique IP address, would be connected to a single, fixed network—that is, one physical fixed location. With the advent of portable computers and cellular wireless communication systems, however, the movement of Internet users within a network and across network boundaries has become quite common. Because of this highly mobile Internet usage, the implicit design assumptions for the Internet protocols have been violated.
The IP-based mobile system includes at least one Mobile Node in a wireless communication system. The term “Mobile Node” includes a mobile communication unit, and, in addition to the Mobile Node, the communication system has a home network and a foreign network. The Mobile Node may change its point of attachment to the Internet through these other networks, but the Mobile Node will always be associated with a single Mobile Node home network for IP addressing purposes.
The home network has a Home Agent and the foreign network has a Foreign Agent—both of which control the routing of information packets into and out of their network. The terms Home Agent and Foreign Agent may be defined in the Mobile IP Protocol (RFC 2002), but these agents are not restricted to a single protocol or system. In fact, the term Home Agent, as used in this application, can refer to a Home Mobility Manager, Home Location Register, Home Serving Entity, or any other agent at a home network having the responsibility to manage mobility-related functionality for a Mobile Node on a home network. Likewise, the term Foreign Agent, as used in this application, can refer to a Serving Mobility Manager, Visited Location Register, Visiting Serving Entity, or any other agent on a foreign network having the responsibility to manage mobility-related functionality for a Mobile Node on a foreign network.
Registration of a Mobile Node
The Mobile Node keeps the Home Agent informed of its current location by registering a care-of address with the Home Agent. Essentially, the care-of address represents the current foreign network where the Mobile Node is located. If the Home Agent receives an information packet addressed to the Mobile Node while the Mobile Node is located on a foreign network, the Home Agent will “tunnel” the information packet to the Mobile Node's current location on the foreign network via the applicable care-of address.
The Foreign Agent participates in informing the Home Agent of the Mobile Node's current care-of address. The Foreign Agent also de-tunnels information packets for the mobile node after the information packets have been forwarded to the Foreign Agent by the Home Agent. Further, the Foreign Agent serves as a default router for out-going information packets generated by the mobile node while connected to the foreign network.
Foreign Agents and Home Agents periodically broadcast an agent advertisement to all nodes on the local network associated with that agent. An agent advertisement is a message from the agent on a network that may be issued under the Mobile IP protocol (RFC 2002) or any other type of communications protocol. This advertisement should include information that is required to uniquely identify a mobility agent (e.g. a Home Agent, a Foreign Agent, etc.) to a mobile node. Mobile Nodes examine the agent advertisement and determine whether they are connected to the home network or a foreign network.
If the Mobile Node is located on its home network, no additional actions need to be taken because information packets will be routed to the Mobile Node according to the standard addressing and routing scheme. If the Mobile Node is visiting a foreign network, however, the mobile node obtains a care-of address from the agent advertisement, and registers this care-of address with its Home Agent. The registered care-of address identifies the foreign network where the mobile node is located, and the Home Agent uses this registered care-of address to tunnel information packets to the foreign network for subsequent transfer to the mobile node.
Confidential Communications Over a Public Network
Because information packets are routed over the public networks that make up the Internet, cryptographic security systems are used to send communications in a confidential manner. These security systems maintain the confidentiality of the information packet by encoding, or encrypting, the information in the information packet. The encryption process can only be reversed, or decoded, by an authorized person. Other activities performed by the security system include authentication (you are who you say you are), integrity checking (the information packet was sent in the decoded form) and non-repudiation (identification of person sending the information packet).
A cryptographic security system consists of two fundamental components—a complicated mathematical algorithm for encrypting the information, and one or more values, called keys, known to parties authorized to transmit or receive the information packet. The greater the complexity of the algorithm, the stronger the cryptographic level of security in the cryptographic system. Because of its complexity, the algorithm can be kept secret or publicly disclosed without undermining the strength of the security system.
As an example of the encryption process, let's examine the situation where Party A intends to communicate confidentially with Party B using the cryptographic security system. First, Party A uses the algorithm and a key to transform the information in the transmitted information packet into encrypted information. In order to maintain the confidentiality of the transmitted information, the encrypted information does not resemble the information in the information packet, and the encrypted information cannot be easily decoded into its original form without the use of the algorithm and a key.
As such, the encrypted information is transmitted over the public networks on the Internet to Party B without disclosing the content of the original information packet. After receiving the encrypted information packet, Party B decodes the encrypted information using the algorithm and a key. When the encrypted information is decoded, the original information should be disclosed in the decoded information packet.
Key-Based Cryptographic Systems
It is preferable that the key be known only to the appropriate or authorized parties to the communication. This type of key is known as a “secret key”, and the sender and receiver of the information packet use the same secret key to encrypt and decode information packets with the algorithm. Public key encryption is also supported by cryptographic security systems where the sender has a public key and a private key, and the receiver has a public key and a private key. Messages may be encoded by the sender using the receiver's public key, and decoded by the receiver using the receiver's private key. Hybrid security systems are also used to encrypt and decode information in information packets. Accordingly, key-based security systems rely on the use of some type of secret key to support confidential communications.
Authenticate, Authorize and Accounting (“AAA”)
In an IP-based mobile communications system, the Mobile Node changes its point of attachment to the network while maintaining network connectivity. The Mobile IP Protocol (RFC 2002) assumes that mobile IP communications with a Mobile Node will be performed on a single administrative domain or a single network controlled by one administrator.
When a Mobile Node travels outside its home administrative domain, however, the Mobile Node must communicate through multiple domains in order to maintain network connectivity with its home network. While connected to a foreign network controlled by another administrative domain, network servers must authenticate, authorize and collect accounting information for services rendered to the Mobile Node. This authentication, authorization, and accounting activity is called “AAA”.
AAA servers on the home and foreign network will perform the AAA activities. Security concerns arise in the mobile communications systems with multiple administrative domains because authorized users are subject to the following forms of attack: (1) session stealing where a hostile node hijacks the network session from mobile node by redirecting information packets, (2) spoofing where the identity of an authorized user is utilized in an unauthorized manner to obtain access to the network, and (3) eavesdropping and stealing of information during a session with an authorized user. Authentication is the process of proving someone's claimed identity, and security systems on a mobile IP network will often require authentication of the system user's identity before authorizing a requested activity. The AAA server authenticates the identity of an authorized user, and authorizes the Mobile Node's requested activity. Additionally, the AAA server will also provide the accounting function including tracking usage and charges for use of transmissions links between administrative domains.
The Diameter base protocol supports a first basic message routing methods, called Diameter proxy. A simple Diameter proxy is a server that simply forwards the request based on a decision process such as NAI parsing or other decision. A Diameter proxy is a server that provides message forwarding functions to other Diameter Servers. Proxies are typically used when a hierarchical Diameter network is deployed, where each Diameter servers can only authenticate and authorize a given set of users. An example may be a large corporation, where the user base is maintained within individual divisions or campuses.