1. Field of the Invention
The present invention relates to mobile communication networks, and in particular to a key distribution system for protection of route-update notifications, this system facilitating appropriate processing, at network nodes, of route-update notifications from user terminals.
2. Description of Related Art
The conventional mobility-supporting system network that the present invention is designed to improve is defined in proposed standards such as Cellular IP (see A. G. Valko, “Cellular IP—A New Approach to Internet Host Mobility”, ACM Computer Communication Review, January 1999).
As shown in FIG. 4, in a mobility-supporting system network in which this conventional technology is applied, the fixed nodes are connected by transmission devices in a tree hierarchy. Base stations are connected to the nodes at the base of the tree, and communicate with mobile terminals over radio channels.
The root node of the tree is connected to an external network. All packets that mobile terminals exchange with the external network are sent and delivered via this node. While a mobile terminal is connected to a base station of this mobility-supporting system network, its accessibility from the external network using the same address is guaranteed irrespective of the base station to which it is connected.
The route to a mobile terminal is held separately by each router, and routing responds to movement of a mobile terminal in the following way. Namely, a mobile terminal transmits a route-update notification every time it moves. The route-update notification is relayed from the lowest-level base station to which the mobile terminal is connected, progressively upwards through the hierarchy to the highest-level router. As a result, the route is updated at those routers through which the update notification has passed.
In order to increase network fault resistance and expandability, soft-state route information is employed. Namely, a route automatically expires when a predetermined time interval elapses since its formation. Mobile terminals are configured to hold a route independently. That is to say, when a mobile terminal remains at one location, it intermittently transmits a route-update notification in order to maintain the existing route.
Delivery of packets from the external network to a mobile terminal is performed by routers as follows. When a packet arrives from a higher-level network interface, a route information retrieval unit retrieves route information on the basis of the packet destination address, determines the destination network interface to which to output the packet, and sends the packet from that interface. If the forwarding address cannot be determined from the route information retrieved on the basis of the packet destination address, the packet is dropped. This procedure is repeated at each router and the packet eventually reaches the mobile terminal from the lowest-level router, via a base station.
Packets transmitted by a mobile terminal are processed by routers as follows. When a packet arrives from a lower-level network interface, the route information retrieval unit retrieves route information on the basis of the packet source address. If route information corresponding to the packet source address is thereby found, this route information is updated using the method to be described below, and the packet is forwarded from the higher-level network interface. If the route information retrieval unit fails to retrieve route information on the basis of the packet source address, the packet is dropped.
If a packet that has arrived from a lower-level network interface is a route-update notification packet, the route is updated in accordance with information contained in the update notification. The arrival of packets other than route-update notification packets serves to extend the expiry time of the route information corresponding to the packet source address. A packet sent by a mobile terminal reaches the top level of the network by repetitions of this procedure. If the packet is a route-update notification, it is dropped there. Other packets are forwarded into the external network.
Updating of a route when a mobile terminal has moved is performed as follows. Base stations intermittently transmit a beacon signal giving notification of base station location, identification number, etc. A mobile terminal receives the beacon signal from the base station to which it is connected, and detects when the connected base station changes. A mobile terminal sends a route-update notification packet whenever the connected base station changes. The route-update notification is forwarded by the method described above, thereby updating the route to the mobile terminal. Route information in the routers automatically expires after the elapse of a predetermined time from the update. As long as a mobile terminal continues to send data, the route information in the routers continues to be updated by the passing of the data. When no data is sent, the mobile terminal transmits a route-update notification within a shorter time interval than the expiry time, thereby guaranteeing its accessibility from the external network.
However, the following kinds of problems have been encountered in a conventional system of the sort described above.
Namely, a problem of a conventional system is that forgery and transmission of route-update notifications by a malicious user can result in abnormal functioning of the route control performed in the mobility-supporting network, and in service disturbances.
Although a conventional mobility-supporting network has a hash function based mechanism for protecting update notifications, there are no stipulations regarding how the authentication information (i.e., the key) is distributed. The following problems arise in a system where each router holds in advance all the authentication information, or in other words, where each router holds a different key for each mobile terminal. Namely, management operations such as addition and deletion of authentication information have to be performed more or less simultaneously at all routers; a large number of keys have to be held, which uses a large amount of router memory; and scalability becomes problematic.
Although the aforementioned management problems do not occur in a system where update notifications are authenticated only at the highest-level router, such a system is still problematic in that it takes time to confirm the legitimacy of the update notifications.