The Internet, like so many other high tech developments, grew from research originally performed by the United States Department of Defense. In the 1960s, the military had accumulated a large collection of incompatible computer networks. Because of their incompatible data structures and transmission protocols, many of these computers could not communicate with other computers across network boundaries.
In the 1960s, the Defense Department wanted to develop a communication system that would permit communication between these different computer networks. Recognizing that a single, centralized communication system would be vulnerable to attacks or sabotage, the Defense Department required that the communication system be decentralized with no critical services concentrated in vulnerable failure points. In order to achieve this goal, the Defense Department established a decentralized communication protocol for communication between their computer networks.
A few years later, the National Science Foundation (NSF) wanted to facilitate communication between incompatible network computers at various research institutions across the country. The NSF adopted the Defense Department's protocol for communication, and this combination of research computer networks would eventually evolve into the Internet.
Internet Protocols
The Defense Department's communication protocol governing data transmission between different networks was called the Internet Protocol (IP) standard. The IP standard has been widely adopted for the transmission of discrete information packets across network boundaries. In fact, the IP standard is the standard protocol governing communications between computers and networks on the Internet.
The IP standard identifies the types of services to be provided to users and specifies the mechanisms needed to support these services. The IP standard also specifies the upper and lower system interfaces, defines the services to be provided on these interfaces, and outlines the execution environment for services needed in the system.
A transmission protocol, called the Transmission Control Protocol (TCP), was developed to provide connection-oriented, end-to-end data transmission between hosts on packet-switched computer networks. The combination of TCP with IP (TCP/IP) forms a suite of protocols for information packet transmission between computers on the Internet. The TCP/IP suite has also become the standard protocol suite for packet-switching networks that provide connectivity across network boundaries.
In a typical Internet-based communication scenario, data is transmitted from an originating communication device on a first network across a transmission medium to a second network. After receipt at the second network, the packet is routed through that network to the destination communication device. Because both ends use the same standard protocols, the IP implementation on the destination device can reassemble the received packets into the information originally transmitted by the originating device.
TCP/IP Addressing and Routing
A computer operating on a network is assigned a unique logical address under the TCP/IP protocols. This is called an IP address. The IP address can include: (1) a network ID number identifying a network, (2) a sub-network ID number identifying a substructure on that network, and (3) a host ID number identifying a particular computer on the sub-network. A header data field in the information packet carries the source and destination addresses. The IP addressing scheme imposes a consistent, hierarchical structure that reflects the internal organization of the network or sub-network.
A router is used to regulate the transmission of information packets into and out of the computer network. Routers interpret the logical address contained in information packet headers and direct the information packets to the intended destination. Information packets addressed between computers on the same network do not pass through the router to the greater network, and as such, these information packets will not clutter the transmission lines of the greater network. If data is addressed to a computer outside the network, the router forwards the data onto the greater network.
TCP/IP network protocols define how routers determine the transmission path through a network and across network boundaries. Routing decisions are based upon information in the IP header and corresponding entries in a routing table maintained on the router. A routing table contains the information for a router to determine whether to accept an information packet on behalf of a device or pass the information packet onto another router.
Routing tables can be configured manually with routing table entries or with a dynamic routing protocol. A manual routing table can be configured upon initialization. In a dynamic routing protocol, routers update routing information with periodic information packet transmissions to other routers on the network. The dynamic routing protocol accommodates changing network topologies, network architecture, network structure, layout of routers, and interconnection between hosts and routers.
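The forwarding decision described above, as an added example that is not part of the original text: a longest-prefix-match lookup over a small routing table, the sending host's "same subnet or via gateway" decision, and a route installed later the way a dynamic routing update would be. The addresses, interface names and table entries are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a router with two attached networks and a
# default route. Entries are (prefix, next_hop, interface); next_hop None
# means the prefix is directly connected, so the packet is delivered on
# that interface with no further router in the path.
ROUTING_TABLE = [
    ("192.168.1.0/24", None, "eth0"),
    ("192.168.2.0/24", None, "eth1"),
    ("10.0.0.0/8", "192.168.2.254", "eth1"),
    ("0.0.0.0/0", "192.168.1.1", "eth0"),
]


def lookup(dst, table=ROUTING_TABLE):
    """Longest-prefix match over the table: the most specific entry covering
    dst wins, and the 0.0.0.0/0 default is used only when nothing else does.
    Returns (next_hop, interface)."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


def add_route(prefix, next_hop, iface, table=ROUTING_TABLE):
    """Install a route the way a dynamic routing protocol update would;
    a more specific prefix immediately takes precedence in lookup()."""
    table.append((prefix, next_hop, iface))
    return table


def host_decide(host_cidr, dst, gateway):
    """Sending host's view: if dst lies inside the host's own subnet the
    packet is delivered on the local segment and never reaches the router;
    otherwise it is handed to the default gateway."""
    local = ipaddress.ip_interface(host_cidr).network
    if ipaddress.ip_address(dst) in local:
        return ("direct", dst)
    return ("via-gateway", gateway)


if __name__ == "__main__":
    print(lookup("10.1.2.3"))          # ('192.168.2.254', 'eth1')
    print(host_decide("192.168.1.10/24", "192.168.1.20", "192.168.1.1"))
    add_route("10.1.0.0/16", "192.168.1.254", "eth0")
    print(lookup("10.1.2.3"))          # ('192.168.1.254', 'eth0')
```

Note that lookup() is deliberately linear; real routers use a trie or TCAM for the same longest-prefix rule, but the decision it makes is identical.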
The IP-Based Mobility System
The Internet protocols were originally developed with the assumption that an Internet user would be connected to a single, fixed network. With the advent of cellular wireless communication systems and mobile communication devices, the movement of Internet users within a network and across network boundaries has become common. Because of this highly mobile Internet usage, the implicit design assumption of the Internet protocols (i.e. a fixed user location) is violated by the mobility of the user.
In an IP-based mobile communication system, the mobile communication device (e.g. cellular phone, pager, computer, etc.) can be called a Mobile Node. Typically, a Mobile Node maintains connectivity to its home network through a foreign network. The Mobile Node will always be associated with its home network for IP addressing purposes and will have information routed to it by routers located on the home and foreign networks. The routers can be referred to by a number of names including Home Agent, Home Mobility Manager, Home Location Register, Foreign Agent, Serving Mobility Manager, Visited Location Register, and Visiting Serving Entity.
While coupled to a foreign network, the Mobile Node will be assigned a care-of address. This is a temporary IP address assigned by the foreign network. The care-of address is used by routers on the foreign network to route information packets addressed to the Mobile Node. While residing on a foreign network, a Mobile Node may move from one location to another, changing its connectivity to the network. This movement changes the physical location of the Mobile Node and requires updating routing tables and/or care-of addressing to keep up with the movement of the Mobile Node.
The Mobile Node keeps the Home Agent informed of its current location by registering a care-of address with the Home Agent. Essentially, the care-of address represents the current foreign network address where the Mobile Node is located. If the Home Agent receives an information packet addressed to the Mobile Node while the Mobile Node is located on a foreign network, the Home Agent will “tunnel” the information packet to the Mobile Node's current location on the foreign network via the applicable care-of address. In some system architectures and protocols, Foreign Agents also participate in transmission of information packets to a resident Mobile Node. Foreign Agents will receive information packets forwarded from the Home Agent to de-tunnel and forward to the Mobile Node. Further, the Foreign Agent serves as a default router for out-going information packets generated by the mobile node while connected to the foreign network. Foreign Agents and Home Agents can route information packets using successive transmission hops to route information packets from router-to-router to and from a Mobile Node. The registered care-of address identifies the location on a foreign network of the Mobile Node, and the Home Agent and Foreign Agent use this care-of address for routing information packets to and from the foreign network.
Virtual Private Networks
A Virtual Private Network (VPN) emulates a private network over a shared physical infrastructure. By way of example, a VPN can reside within a local area network (LAN) system or on several different networks. A VPN can also span multiple computer systems.
A VPN can be used to extend the communication capabilities of a corporate network to remote offices, which will support the use of the Internet, extranet, or dial-up services. In this way, connectivity to the VPN network is provided in the same manner as a dedicated private network, but there is no need to provide all the equipment and support infrastructure at a remote location.
A service provider, or other network structure, provides the remote physical system and computer infrastructure within which the “virtual” VPN network resides. In this manner, the VPN can function much the same as a single, physical network even though there are intervening host infrastructures and communications traverse network boundaries. A number of different types of VPNs are suggested in RFC 2764, but this is by no means an exhaustive list of possible VPN constructs. The distinguishing hallmark of a VPN is a single, logical network found on a public or private computer infrastructure with the VPN residing upon one or more autonomous systems. Typically, VPN communication over the public infrastructure uses secured information packet transmission.
Tunneling and Secured Information Packet Transmission
Tunneling is the basic methodology in IP communication by which an information packet is routed to the appropriate Internet node through an intermediate Internet address. To emulate the point-to-point connections of a private network, VPN methodology uses secure tunnels to handle information packet transmission across the public infrastructure.
An information packet that already carries its own IP routing information can be encapsulated by adding a second, outer IP header in front of the original IP header fields. In this manner, a "tunnel" can be constructed. The outer IP header contains a source and destination IP address, the "endpoints" of the tunnel. The inner IP header source and destination addresses identify the original sender and the original destination.
The original sender and recipient addresses for the information packet remain unchanged after encapsulation, while the new "tunnel" endpoint addresses are prepended to the original information packet. This added address information alters the original IP routing by delivering the information packet to an intermediate destination node (in a Mobile IP network, typically a Foreign Agent router), where the encapsulated information packet is "decapsulated" or "de-tunneled", yielding the original information packet. The packet is then delivered to the destination address found in the original IP header based on the associated routing table entries on network routers.
The "tunnel" is established by encapsulating the information packet (whose original IP header carries the Mobile Node's home address, together with the payload data) inside an outer IP header whose destination is the intermediate routing address, i.e. the care-of address on the foreign network. In the more specialized application of VPNs, the tunnels can be secured by encryption and authentication protocols. These security protocols ensure integrity and confidentiality of information packet data during a communication session. Encrypted information packet payloads are generally identified with an Encapsulating Security Payload (ESP) header, which carries the data needed to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. ESP protects only the encapsulated packet; the outer tunnel header, including the tunnel endpoint addresses, remains visible in transit.
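Both the Home Agent forwarding described under "The IP-Based Mobility System" and the encapsulation and decapsulation described just above, as one added example that is not part of the original text: a minimal IPv4 header builder and parser with a correct header checksum, a Home Agent that keeps a binding table from home address to care-of address and IP-in-IP encapsulates (protocol number 4) packets for a registered Mobile Node, and the Foreign Agent's decapsulation step. The Home Agent class, the addresses and the packet contents are constructed for illustration; no authentication of the registration is modelled here.

```python
import struct

IPPROTO_IPIP = 4  # IP-in-IP encapsulation (RFC 2003), as used by Mobile IP
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the header halfwords; over a header whose
    checksum field is already filled in, the result is 0 if it is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse and checksum-verify one IPv4 packet; payload is the inner data."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
            "proto": proto, "payload": pkt[ihl:total_len]}


class HomeAgent:
    """Constructed model of a Home Agent: home address -> care-of binding."""

    def __init__(self, address: str):
        self.address = address
        self.bindings = {}

    def register(self, home_addr: str, care_of: str) -> None:
        # A real registration is authenticated (RFC 3344); omitted here.
        self.bindings[home_addr] = care_of

    def handle(self, pkt: bytes):
        inner = parse_ipv4(pkt)
        care_of = self.bindings.get(inner["dst"])
        if care_of is None:
            return ("deliver-home", pkt)       # MN is at home: normal routing
        # Inner packet is left untouched; only an outer header HA -> care-of is added.
        return ("tunnel", build_ipv4(self.address, care_of, IPPROTO_IPIP, pkt))


def foreign_agent_decapsulate(tunneled: bytes, care_of: str) -> dict:
    """Foreign Agent side: strip the outer header and hand back the original
    packet, which it then forwards to the Mobile Node on the visited link."""
    outer = parse_ipv4(tunneled)
    if outer["dst"] != care_of or outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet for this care-of address")
    return parse_ipv4(outer["payload"])


if __name__ == "__main__":
    ha = HomeAgent("10.0.0.1")
    ha.register("10.0.0.50", "198.51.100.7")      # MN's care-of address on the foreign net
    pkt = build_ipv4("192.0.2.9", "10.0.0.50", IPPROTO_UDP, b"hello")
    action, out = ha.handle(pkt)
    print(action, parse_ipv4(out)["dst"])         # tunnel 198.51.100.7
    print(foreign_agent_decapsulate(out, "198.51.100.7"))
```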
By encapsulating the data with an IP header, an encrypted information packet can be routed securely over the public communication infrastructure between the foreign network, the Mobile Node, and the home network. During transit through the tunnel over the public communication infrastructure, the information packet payload is encrypted, and the encrypted data can be deciphered only with the secret keys shared by the Mobile Node and the Correspondent Node it is communicating with, which those two ends use both to encrypt and to decrypt the data. A VPN gateway on the home network will usually perform encryption and decryption at the boundary of the VPN, or the Correspondent Node performs them itself. On the other side, the foreign network or the Mobile Node encrypts and decrypts the information packets exchanged with the home network.
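The ESP services named above (confidentiality, data origin authentication, connectionless integrity and anti-replay), as an added example that is not part of the original text: an ESP-style packet with SPI and sequence number, a shared-key encryption of the payload, a truncated HMAC-SHA256 integrity check value, and the 64-entry sliding anti-replay window of RFC 4303. To stay standard-library only, the cipher is a constructed HMAC-based keystream rather than the AES modes real IPsec uses; the SPI, keys and payloads are likewise constructed. The ordering matters and is the point of the example: reject by sequence number first (cheap), verify the ICV before decrypting, and advance the window only after the ICV has passed, so that a forged packet cannot burn a sequence number.

```python
import hashlib
import hmac
import os
import struct

WINDOW = 64        # RFC 4303 minimum anti-replay window
ICV_LEN = 16       # HMAC-SHA256 truncated to 128 bits (RFC 4868 style)


class SecurityAssociation:
    """Constructed SA: one direction of traffic, keys shared out of band."""

    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.send_seq = 0
        self.recv_top = 0    # highest sequence number accepted so far
        self.recv_mask = 0   # bit i set => recv_top - i has been accepted


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative PRF-in-counter-mode keystream, NOT an IPsec cipher suite.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _icv(sa: SecurityAssociation, body: bytes) -> bytes:
    return hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_protect(sa: SecurityAssociation, plaintext: bytes) -> bytes:
    """SPI || seq || nonce || ciphertext || ICV (encrypt-then-MAC)."""
    sa.send_seq += 1
    nonce = os.urandom(8)
    ct = _xor(plaintext, _keystream(sa.enc_key, nonce, len(plaintext)))
    body = struct.pack("!II", sa.spi, sa.send_seq) + nonce + ct
    return body + _icv(sa, body)


def _replay_check(sa: SecurityAssociation, seq: int) -> bool:
    if seq == 0:
        return False                     # seq 0 is never valid
    if seq > sa.recv_top:
        return True                      # new high-water mark
    diff = sa.recv_top - seq
    if diff >= WINDOW:
        return False                     # too old to track: drop
    return not (sa.recv_mask >> diff) & 1


def _replay_update(sa: SecurityAssociation, seq: int) -> None:
    if seq > sa.recv_top:
        shift = seq - sa.recv_top
        sa.recv_mask = ((sa.recv_mask << shift) | 1) & ((1 << WINDOW) - 1)
        sa.recv_top = seq
    else:
        sa.recv_mask |= 1 << (sa.recv_top - seq)


def esp_unprotect(sa: SecurityAssociation, packet: bytes) -> bytes:
    if len(packet) < 8 + 8 + ICV_LEN:
        raise ValueError("short packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    if not _replay_check(sa, seq):
        raise ValueError(f"replayed or stale sequence number {seq}")
    if not hmac.compare_digest(_icv(sa, body), icv):
        raise ValueError("integrity check failed")
    _replay_update(sa, seq)              # only after the ICV verified
    nonce, ct = body[8:16], body[16:]
    return _xor(ct, _keystream(sa.enc_key, nonce, len(ct)))


if __name__ == "__main__":
    tx = SecurityAssociation(0x1234, b"k" * 32, b"a" * 32)
    rx = SecurityAssociation(0x1234, b"k" * 32, b"a" * 32)
    p1, p2 = esp_protect(tx, b"hello"), esp_protect(tx, b"world")
    print(esp_unprotect(rx, p2), esp_unprotect(rx, p1))   # out of order is fine
    try:
        esp_unprotect(rx, p1)                              # replay is not
    except ValueError as e:
        print("rejected:", e)
```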
For Mobile IP to function in a VPN communication session, the methodology embodied by communication protocols must maintain communication connections. Implementation scenarios require a mobile host (e.g. Mobile Node) on a foreign network to maintain a secure communication link to a secured domain (e.g. a VPN). This emerging Mobile IP application within a VPN environment does not have an established communication protocol for maintaining secured information packet transmission between a roaming mobile node and its home VPN using a public infrastructure. There is a need for a communication protocol to transmit information packets between a Mobile Node and a VPN that offers flexibility. The invention simplifies and enhances the efficiency of communication between a MN and a VPN compared to other suggested methods.