1. Field of the Invention
This invention relates to the field of mobile communication, and in particular, to providing mobility services and Internet Protocol related security services simultaneously to a mobile node, which is roaming outside the Home Network. More specifically, this invention provides a system and method to break the cyclic interdependency between Internet Protocol (IP) security messages and Mobile IP messages when the Home Address of the Mobile Node is not known.
2. Description of the Related Art
In a scenario where the Mobile Node roams into a foreign network that does not provide adequate over-the-air security, it is to be noted that the NGW is a trusted entity, either in the foreign network or in the home network, and hence provides a secure path to any node in the home network. Thus, to provide a secure communication channel between the Mobile Node and the home network, it is possible to form an IP security tunnel between the Mobile Node and the NGW. The present invention makes the Mobile Node capable of roaming while keeping its sessions alive, and also provides security to Mobile IP messages even when the Home Address of the Mobile Node is not known.
Currently, in the above scenario, it is not possible to provide Internet Protocol Security (IPsec) and mobility related services if the Home Address of the Mobile Node is unknown. This is because the IP security tunnel formation requires the Remote IP Address (Home Address), which is obtained in a successful Mobile IP Registration Reply from the Home Agent. There is a cyclic interdependency which prevents the network from providing the Mobile Node with Security and Mobility related services simultaneously. However, for Mobile IP (MIP) Registration Signaling, formation of the tunnel is necessary.
In the light of the foregoing, there is a need for a method and system for breaking the cyclic interdependency between Mobile IP and IP security.
The present invention is related to a system that needs to form an IP security tunnel with the foreign entity Network GateWay (NGW). The system of the present invention (as shown in FIG. 1) includes a Mobile Node (MN) capable of roaming in foreign networks, an NGW, a Foreign Agent (FA) in the foreign network, and a Home Agent (HA) in the home network. In the present invention, it is assumed that the NGW and the FA are collocated. The Mobile Node is also required to perform the Mobile IP registration for mobility services with the Foreign Agent and the Home Agent. The present invention provides a mechanism for the case where the Home Address of the Mobile Node is not known when it is in the foreign network.
When the Mobile Node (MN) roams in a foreign network, the Mobile Node forms a tunnel with the Network GateWay (NGW) to obtain Packet Services provided by the network. This can be done, for example, to provide secure access over an untrusted interface (e.g. an air interface with inadequate security). The local network can provide an IP address to the Mobile Node (a Local IP Address routable only up to the NGW), while the remote IP address, through which the Mobile Node is accessible to the outside world, is to be provided by the external network that the MN is trying to reach for the service (in this case we assume the home network obtains the IP address from the external network and sends it to the Mobile Node). The scenario is depicted in FIG. 1.
Mobile IP is used for providing mobility services when a Mobile Node roams from one (sub)network to another (sub)network. Mobile IPv4 (Internet Protocol version 4) requires a node in the foreign network acting as a Foreign Agent, and a node in the home network acting as a Home Agent. When a mobile node roams into a foreign network, it sends a registration request through the Foreign Agent to the Home Agent, indicating that it is available at the given IP address.
When the Mobile Node requires a new service, the following procedure is carried out for the establishment of the tunnel between the MN and the Packet Data Gateway (PDG), as shown in FIG. 3:
1. The IP address of the NGW, which provides the service, is obtained. Then Internet Key Exchange Protocol version 2 (IKEv2) messaging is carried out between the Mobile Node and the NGW (with optional authentication). At the end of the IKEv2 signaling, a tunnel is formed between the Mobile Node and the NGW that acts as the data path.
2. Once the tunnel is formed, a Mobile IP Registration Request is sent to the Home Agent through the FA (Foreign Agent). The HA then sends the Registration Reply. If successful, the MN can now securely receive packets sent to it, even when the MN roams in different foreign networks. The message flow/sequence is shown in FIG. 3.
The method of the present invention includes mechanisms for: forming a dummy Security Association (SA) when the Home Address of the MN is not known, such that only Mobile IP messages are allowed to pass through; making the MIP registration with the Home Agent; and, when the Home Address is obtained from the MIP Registration Reply (if successful), creating the final SA with the NGW by creating a child SA.
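The following is an added simulation of the bootstrap sequence just described (the dummy SA, the MIP registration through it, and the child SA bound to the Home Address); it is illustrative code written for this page, not code from the patent or from any Mobile IP or IKEv2 implementation. It reduces each entity to the policy decision that matters here: the NGW (collocated with the FA) enforces whatever SA is currently installed for the MN, and the HA assigns a Home Address when the Registration Request carries none. Assumptions made for the example: MIP registration traffic is identified by UDP destination port 434, an unknown Home Address is represented as 0.0.0.0, the IKEv2 exchange and the CREATE_CHILD_SA exchange are collapsed into single method calls, and all addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

MIP_PORT = 434            # assumption: MIP Registration Request/Reply on UDP 434
UNKNOWN_HOME = "0.0.0.0"  # assumption: Home Address not yet known


@dataclass
class SecurityAssociation:
    """One SA reduced to its traffic selector (inner address + allowed ports)."""
    name: str
    inner_addr: Optional[str]          # Home Address bound to the SA; None = any
    allowed_ports: Optional[Set[int]]  # None = any destination port
    parent: Optional[str] = None       # SA under which this child SA was created

    def permits(self, inner_src: str, dst_port: int) -> bool:
        if self.inner_addr is not None and inner_src != self.inner_addr:
            return False
        return self.allowed_ports is None or dst_port in self.allowed_ports


class NetworkGateway:
    """NGW/FA: enforces the SA installed for the MN on every tunnelled packet."""

    def __init__(self) -> None:
        self.sa: Optional[SecurityAssociation] = None

    def ike_establish(self, home_addr: str) -> SecurityAssociation:
        # Outcome of IKEv2: with the Home Address unknown, install a dummy SA
        # whose selector admits only MIP registration messages.
        if home_addr == UNKNOWN_HOME:
            self.sa = SecurityAssociation("dummy", None, {MIP_PORT})
        else:
            self.sa = SecurityAssociation("final", home_addr, None)
        return self.sa

    def create_child_sa(self, home_addr: str) -> SecurityAssociation:
        # After the Registration Reply: a child SA bound to the Home Address
        # replaces the dummy SA and carries all of the MN's traffic.
        parent = self.sa.name if self.sa else None
        self.sa = SecurityAssociation("final", home_addr, None, parent=parent)
        return self.sa

    def forward(self, inner_src: str, dst_port: int) -> bool:
        """True if the current SA lets this inner packet through the tunnel."""
        return self.sa is not None and self.sa.permits(inner_src, dst_port)


class HomeAgent:
    """HA: accepts Registration Requests, assigning a Home Address on demand."""

    def __init__(self, pool: List[str]) -> None:
        self.pool = list(pool)           # constructed pool of Home Addresses
        self.bindings: Dict[str, str] = {}

    def register(self, home_addr: str, care_of: str) -> dict:
        if home_addr == UNKNOWN_HOME:
            home_addr = self.pool.pop(0)  # dynamic Home Address assignment
        self.bindings[home_addr] = care_of
        return {"code": 0, "home_addr": home_addr}  # code 0 = registration accepted


def bootstrap(ngw: NetworkGateway, ha: HomeAgent, care_of: str = "192.0.2.10") -> dict:
    """Run dummy SA -> MIP registration -> child SA; return a trace of each check."""
    trace: dict = {}
    ngw.ike_establish(UNKNOWN_HOME)
    trace["dummy_sa"] = ngw.sa.name
    # Ordinary data (e.g. port 80) must not cross the dummy SA ...
    trace["data_before"] = ngw.forward(UNKNOWN_HOME, 80)
    # ... but the Registration Request (UDP 434) towards FA/HA must.
    trace["mip_passes"] = ngw.forward(UNKNOWN_HOME, MIP_PORT)
    if not trace["mip_passes"]:
        return trace
    reply = ha.register(UNKNOWN_HOME, care_of)
    trace["home_addr"] = reply["home_addr"]
    if reply["code"] != 0:
        return trace
    ngw.create_child_sa(reply["home_addr"])
    trace["final_sa"] = ngw.sa.name
    trace["final_parent"] = ngw.sa.parent
    trace["data_after"] = ngw.forward(reply["home_addr"], 80)
    # A packet claiming a different inner address is still dropped by the final SA.
    trace["spoof_after"] = ngw.forward("203.0.113.7", 80)
    return trace


if __name__ == "__main__":
    print(bootstrap(NetworkGateway(), HomeAgent(["10.0.0.5"])))
```

The trace makes the point of the dummy SA visible: before the Registration Reply the tunnel exists but carries only MIP registration traffic, so the cyclic dependency is broken without opening the tunnel to arbitrary data from a node whose identity (its Home Address) has not yet been established; after the child SA is created, data bound to the assigned Home Address passes and traffic with any other inner address is still dropped.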