A wireless communication network typically only permits authorized users to access resources and services within the network. The process of determining whether a user is authorized to access a network involves authentication to determine the identity of the user. A well known authentication technique is to use a removable Subscriber Identification Module (SIM) card. Many cellular systems, such as those supporting General Packet Radio Service (GPRS) and Third Generation Partnership Project (3GPP) standards, use SIM cards for authentication. Once a user is authenticated, it can then be determined whether or not the user is authorized to access the services provided by the network. For example, it may be determined that the identified user is a user of a second network that has executed a roaming agreement so that its users can utilize the network and relevant services.
The Mobile Internet Protocol (Mobile IP) provides mobility to enable interworking between two networks with disparate authentication techniques so that e.g. resources and services within one network may be accessed by users of the other network and vice versa. As part of this interworking, service and session continuity is provided, particularly during handover between a Wireless LAN and a 3GPP system.
Mobile IP is an extension to the Internet Protocol (IP) intended to provide mobility support in IP networks. Mobile IPv4 is specified by IETF RFC 3344. It allows a terminal device to move from one link to another without changing its IP address (as seen by the layers above IP) and yet remain reachable by other terminal devices. Mobile IP requires the following three subscriber-specific parameters to be provisioned to a Mobile terminal: 1) a Home Address (or Mobile Node Network Access Identifier); 2) a symmetric key which is shared by the Mobile terminal and its Home Agent; and 3) a Security Parameter Index identifying one or more security association contexts of the Mobile terminal.
Processes have been developed for distributing the necessary Mobile IP keys. However, these processes will not work in Mobile IP networks which support the use of Proxy Mobile Nodes (PMN). A Proxy Mobile Node is a node that is responsible for securely registering with the home network of an authenticated Mobile Node on its behalf. This is done to protect the privacy of the authenticated Mobile Node and to support its local mobility with minimum message overhead.
A 3GPP network with Radius support can distribute the Mobile IP relevant keys. But Radius requires explicit provision of Mobile IP specific keys as well as SIM relevant keys. Also, keys are provisioned specifically between the mobile terminal and the Home Agent (HA) or between the mobile terminal and the Foreign Agent (FA). Hence, Radius is limited in its effectiveness to the HA and FA only, and is not effective for networks using Proxy Mobile Nodes.
The Generic Authentication Architecture (GAA) included in Release 6 of the 3GPP standards specifies a general authentication and key distribution process. Using GAA, a shared symmetric key, identified by a bootstrapping transaction identifier (B-TID), can be provisioned to a mobile terminal using USIM authentication. A Generic Bootstrapping Architecture (GBA) allows the mobile terminal to perform a bootstrapping procedure with a Bootstrapping Server Function (BSF), in which a bootstrapping key or shared secret (Ks) is generated independently by both the mobile terminal and the bootstrapping server function. The bootstrapping server function also generates the bootstrapping transaction identifier and a lifetime of the Ks and delivers them to the corresponding mobile terminal as a part of the bootstrapping procedure. See 3GPP TS 33.220 v6.0.0 (March 2004).
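The bootstrapping exchange described above, as an added example that is not part of the original text or of the 3GPP specification: both the mobile terminal and the BSF derive Ks = CK || IK from the USIM's long-term key and a BSF challenge, and the BSF returns a B-TID and lifetime. The USIM key, identities, and the use of HMAC-SHA256 as a stand-in for the USIM's AKA key functions are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed example: long-term secret shared by the USIM and the home network.
# A real USIM derives CK/IK with the AKA functions; HMAC-SHA256 stands in for them here.
USIM_K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
BSF_DOMAIN = "bsf.example.org"  # constructed BSF server name used in the B-TID


def aka_ck_ik(k, rand):
    """Stand-in for the USIM's cipher/integrity key functions (CK, IK)."""
    ck = hmac.new(k, b"ck" + rand, hashlib.sha256).digest()[:16]
    ik = hmac.new(k, b"ik" + rand, hashlib.sha256).digest()[:16]
    return ck, ik


def derive_ks(k, rand):
    """Bootstrapping key Ks = CK || IK, computed by the terminal and the BSF alone."""
    ck, ik = aka_ck_ik(k, rand)
    return ck + ik


def lifetime_valid(expiry, now):
    """The terminal must re-bootstrap once the BSF-assigned Ks lifetime has passed."""
    return expiry > now


def bsf_bootstrap(k, lifetime_s, now):
    """BSF side: issue a challenge, derive Ks, allocate the B-TID and Ks lifetime."""
    rand = os.urandom(16)
    ks = derive_ks(k, rand)
    btid = base64.b64encode(rand).decode() + "@" + BSF_DOMAIN
    return rand, ks, btid, now + lifetime_s


def mt_bootstrap(rand, btid, expiry, now):
    """Terminal side: recompute Ks with the USIM and keep the B-TID and lifetime."""
    if not lifetime_valid(expiry, now):
        raise ValueError("B-TID lifetime already expired")
    return derive_ks(USIM_K, rand), btid, expiry


def run_bootstrapping(now=None):
    """Full exchange; returns both sides' Ks so their agreement can be checked."""
    now = time.time() if now is None else now
    rand, ks_bsf, btid, expiry = bsf_bootstrap(USIM_K, 3600, now)
    ks_mt, btid_mt, _ = mt_bootstrap(rand, btid, expiry, now)
    return ks_bsf, ks_mt, btid_mt, rand


def observer_without_usim(rand):
    """A node that only sees RAND and the B-TID, but holds no USIM key, cannot reach Ks."""
    return derive_ks(b"\x00" * 16, rand)
```

The last function illustrates why a node without the subscriber's USIM credentials, such as a proxy acting on the terminal's behalf, gets nothing usable out of the observed bootstrapping messages.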
Originally, GAA and GBA could not be used directly with Mobile IP since Mobile IP requires the three subscriber-specific parameters identified above to be provisioned to a Mobile terminal. However, methods have been developed for adapting GAA and GBA so that they can be used for Mobile IP key distribution in 3GPP networks. See commonly assigned U.S. patent application Ser. No. 11/179,607 filed on Jul. 13, 2005 and 3GPP TR 33.922 v0.0.3 (2006-11).
Some methods utilize the GAA with Mobile IP with only minor enhancements in the Home Agent. But these methods rely on Mobile IP functionality in the Mobile terminal, which limits the applicability of such methods to those networks in which the Mobile terminals support Mobile IP. They also require frequent registration requests in an environment of high mobility. The frequent registration requests may overwhelm the HA, and such a situation may eventually increase the signaling overheads and delays in the network.
A proxy mobile node can be used which generates the registration requests on behalf of the mobile terminal. A proxy mobile node may be used regardless of whether or not the mobile terminal is enabled with Mobile IP functionality. However, unlike the mobile terminal itself, such a proxy mobile node does not have any trust relationship with the home agent of the mobile terminal. Also, Proxy Mobile IP signaling across administrative domains/operators may expose unacceptable security relationships between a visited access network and a Home Agent. Manual configuration of security associations between domains with different security infrastructures may also be problematic and impractical.
There is therefore a need for a solution to provision the Mobile IP specific keys between the proxy mobile node and the home agent.