Nowadays terminal devices are highly mobile and can change their point of attachment to the Internet at any time, even during active network connections. Mobile IP protocols, defined both for IP version 6 (IPv6) and for IP version 4 (IPv4), allow mobile nodes (MN) to change their access point to the Internet without changing their IP address. Mobile IP defines a system for routing a mobile node's data to the current location of the node. This is accomplished through the use of a home agent (HA) that monitors the permanent IP address and current location of the mobile node. The home agent allows the mobile node to have a permanent address that is translated by the home agent into the mobile node's current address.
Some of the access networks that mobile devices use to access services are considered “insecure” accesses, while other access networks are considered “secure” accesses. An example of an insecure access network could be a public WLAN hot-spot providing access to operator services over a public network (e.g. the Internet). An example of a secure access network could be a general packet radio service (GPRS) network with layer 2 encryption enabled. Internet protocol security architecture (IPSec) is specified in a set of Internet Engineering Task Force (IETF) requests for comments (RFC) and is widely used to provide secure transmission of IP packets in various configurations. IPSec may be applied between the MN and the HA to provide an encrypted Mobile IP tunnel.
When switching between secure and insecure access networks, the MN should dynamically switch encryption on or off according to the security policies. The MN may be configured, upon detecting a change of IP sub-network, to detect the security requirements of the new IP sub-network and to adapt the security associations of the MN to those requirements.
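The policy decision described above, as an added Python example that is not part of the original text. The prefix table, the labels, the `MobileNode` class and the rule that an unrecognised sub-network is treated as insecure are assumptions made for illustration; installing or removing the actual IPSec security association is left to the platform.

```python
import ipaddress

# Constructed policy table (assumption): prefixes the operator has classified.
# Documentation/private ranges are used as sample values.
POLICY = [
    (ipaddress.ip_network("10.20.0.0/16"), "secure"),       # e.g. GPRS pool with L2 encryption
    (ipaddress.ip_network("10.20.99.0/24"), "insecure"),    # guest WLAN carved out of that pool
    (ipaddress.ip_network("2001:db8:100::/48"), "secure"),  # IPv6 operator access
]


def classify(care_of_address):
    """Return (matching prefix, label) using longest-prefix match.

    A sub-network that is not in the table is reported as insecure, so the
    tunnel is encrypted by default (assumed fail-closed policy).
    """
    addr = ipaddress.ip_address(care_of_address)
    matches = [(net, label) for net, label in POLICY
               if net.version == addr.version and addr in net]
    if not matches:
        return None, "insecure"
    return max(matches, key=lambda m: m[0].prefixlen)


class MobileNode:
    """Tracks whether the MN-HA Mobile IP tunnel is currently ESP-protected."""

    def __init__(self):
        self.subnet = None
        self.esp_enabled = True  # encrypted until a network is classified as secure

    def on_address_change(self, care_of_address):
        """Re-evaluate the security association after a change of attachment."""
        subnet, label = classify(care_of_address)
        want_esp = label != "secure"
        if want_esp == self.esp_enabled:
            action = "keep"
        else:
            action = "enable-esp" if want_esp else "disable-esp"
        self.subnet, self.esp_enabled = subnet, want_esp
        return action


if __name__ == "__main__":
    mn = MobileNode()
    for coa in ("10.20.5.7", "10.20.99.4", "198.51.100.9", "2001:db8:100::1"):
        print(coa, "->", mn.on_address_change(coa))
```

The longest-prefix match matters here: the guest WLAN range sits inside the secure pool, and a first-match lookup would leave the tunnel unencrypted on it.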