The present invention relates to Mobile IP network technology. More specifically, this invention relates to mechanisms for achieving route optimization between a Mobile Node supporting Mobile IP and a Correspondent Node.
Mobile IP is a protocol which allows laptop computers or other mobile computer units (referred to as “Mobile Nodes” herein) to roam between various sub-networks at various locations—while maintaining internet and/or WAN connectivity. Without Mobile IP or a related protocol, a Mobile Node would be unable to stay connected while roaming through various sub-networks. This is because the IP address required for any node to communicate over the internet is location specific. Each IP address has a field that specifies the particular sub-network on which the node resides. If a user desires to take a computer which is normally attached to one node and roam with it so that it passes through different sub-networks, it cannot use its home base IP address. As a result, a business person traveling across the country cannot merely roam with his or her computer across geographically disparate network segments or wireless nodes while remaining connected over the internet. This is not an acceptable state-of-affairs in the age of portable computational devices.
To address this problem, the Mobile IP protocol has been developed and implemented. An implementation of Mobile IP is described in RFC 2002 of the Network Working Group, C. Perkins, Ed., October 1996. Mobile IP is also described in the text “Mobile IP Unplugged” by J. Solomon, Prentice Hall. Both of these references are incorporated herein by reference in their entireties and for all purposes.
The Mobile IP process in a Mobile IPv4 environment is illustrated in FIG. 1. As shown there, a Mobile IP environment 2 includes the internet (or a WAN) 4 over which a Mobile Node 6 can communicate remotely via mediation by a Home Agent 8 and may also include a Foreign Agent 10. In the absence of a Foreign Agent, the Mobile Node 6 can obtain a topologically correct IP address (i.e., a collocated IP address) and register this IP address with the Home Agent. Typically, the Home Agent and Foreign Agent are routers or other network connection devices performing appropriate Mobile IP functions as implemented by software, hardware, and/or firmware. A particular Mobile Node (e.g., a laptop computer) plugged into its home network segment connects with the internet through its designated Home Agent. When the Mobile Node roams, it communicates via the internet through an available Foreign Agent. Presumably, there are many Foreign Agents available at geographically disparate locations to allow widespread internet connection via the Mobile IP protocol. Note that it is also possible for the Mobile Node to register directly with its Home Agent.
As shown in FIG. 1, Mobile Node 6 normally resides on (or is “based at”) a network segment 12 which allows its network entities to communicate over the internet 4 through Home Agent 8 (an appropriately configured router denoted R2). Note that Home Agent 8 need not directly connect to the internet. For example, as shown in FIG. 1, it may be connected through another router (a router R1 in this case). Router R1 may, in turn, connect one or more other routers (e.g., a router R3) with the internet.
Now, suppose that Mobile Node 6 is removed from its home base network segment 12 and roams to a remote network segment 14. Network segment 14 may include various other nodes such as a PC 16. The nodes on network segment 14 communicate with the internet through a router which doubles as Foreign Agent 10. Mobile Node 6 may identify Foreign Agent 10 through various solicitations and advertisements which form part of the Mobile IP protocol. When Mobile Node 6 engages with network segment 14, Foreign Agent 10 relays a registration request to Home Agent 8 (as indicated by the dotted line “Registration”). The Home and Foreign Agents may then negotiate the conditions of the Mobile Node's attachment to Foreign Agent 10. For example, the attachment may be limited to a period of time, such as two hours. When the negotiation is successfully completed, Home Agent 8 updates an internal “mobility binding table” which specifies the care-of address (e.g., a collocated care-of address or the Foreign Agent's IP address) in association with the identity of Mobile Node 6. Further, the Foreign Agent 10 updates an internal “visitor table” which specifies the Mobile Node address, Home Agent address, etc. In effect, the Mobile Node's home base IP address (associated with segment 12) has been shifted to the Foreign Agent's IP address (associated with segment 14).
Now, suppose that Mobile Node 6 wishes to send a message to a Correspondent Node 18 from its new location. In Mobile IPv4, a message from the Mobile Node is then packetized and forwarded through Foreign Agent 10 over the internet 4 and to Correspondent Node 18 (as indicated by the dotted line “packet from MN”) according to a standard internet protocol. If Correspondent Node 18 wishes to send a message to Mobile Node 6—whether in reply to a message from the Mobile Node or for any other reason—it addresses that message to the IP address of Mobile Node 6 on sub-network 12. The packets of that message are then forwarded over the internet 4 and to router R1 and ultimately to Home Agent 8 as indicated by the dotted line (“packet to MN(1)”). From its mobility binding table, Home Agent 8 recognizes that Mobile Node 6 is no longer attached to network segment 12. It then encapsulates the packets from Correspondent Node 18 (which are addressed to Mobile Node 6 on network segment 12) according to a Mobile IP protocol and forwards these encapsulated packets to a “care-of” address for Mobile Node 6 as shown by the dotted line (“packet to MN(2)”). The care-of address may be, for example, the IP address of Foreign Agent 10. Foreign Agent 10 then strips the encapsulation and forwards the message to Mobile Node 6 on sub-network 14. The packet forwarding mechanism implemented by the Home and Foreign Agents is often referred to as “tunneling.” In the absence of a Foreign Agent, packets are tunneled directly to the collocated care-of address of Mobile Node 6.
The Mobile IP protocol for IPv6 has been described in RFC 3775, entitled “Mobility Support in IPv6,” published in June 2004, by Johnson et al. RFC 3775 discloses a protocol which allows nodes to remain reachable while roaming in IPv6. RFC 3775 is incorporated herein by reference for all purposes. As disclosed in “Mobility Support in IPv6,” the Home Agent generally advertises its address, which is obtained by a Mobile Node. In Mobile IPv6, there is no Foreign Agent. However, an access router 10 is present to provide connectivity to the network. The Mobile Node then sends a Binding Update message to the Home Agent. The Home Agent then sends a Binding Acknowledgement message to the Mobile Node. The Binding Update and Binding Acknowledgement messages are protected in IPSec transport mode. The Home Agent creates a binding cache entry and a tunnel is established between the Mobile Node's care-of address and the Home Agent. When a Correspondent Node sends a packet to the Mobile Node, it is forwarded to the Mobile Node by the Home Agent via the tunnel that has been established.
Since the Correspondent Node is generally unaware of movement of the Mobile Node, packets continue to be forwarded from the Correspondent Node to the Mobile Node's care-of address via the Home Agent. As a result, packets are routed inefficiently. In order to optimize the route via which packets are routed from the Correspondent to the Mobile Node, it is desirable to enable the Correspondent Node to communicate directly with the Mobile Node. This is generally accomplished using a method termed “Route Optimization” as set forth in RFC 3775, which is incorporated herein by reference for all purposes.
The route optimization process set forth in RFC 3775 is a fairly elaborate process. First, through two sets of messages (Home Test (HoT), Home Test Init (HoTi), Care-of Test (CoT), and Care-of Test Init (CoTi)) generally referred to as “return routability signaling,” described in further detail below, the Mobile Node and the Correspondent Node generate a shared secret key. Second, the Mobile Node sends a Binding Update message to the Correspondent Node to enable the Correspondent Node to send packets directly to the Mobile Node at its care-of address, and the Correspondent Node sends a Binding Acknowledgement message to the Mobile Node at its care-of address.
Return routability signaling is based upon two key assumptions. The first assumption is that the routing infrastructure is secure. In other words, it must be assumed that the return routability signaling messages originate from the Mobile Node rather than from an impostor. The second assumption is that IPSec in tunnel mode is used to protect the HoT and HoTi messages that are typically transmitted between the Home Agent and the Mobile Node. The use of IPSec Encapsulating Security Payload (ESP) to secure Mobile IPv6 signaling between the Home Agent and the Mobile Node is disclosed in RFC 3776, which is incorporated herein by reference for all purposes. Specifically, a security association is used to secure transmissions in each direction. In other words, the security associations are used to authenticate and protect the HoTi and HoT messages.
As indicated above, return routability signaling in accordance with RFC 3775 comprises two sets of messages. The first set of messages includes a HoT and HoTi message, while the second set of messages includes a CoT and CoTi message. Specifically, the Mobile Node sends a HoTi message including a source address equal to the Mobile Node's Home Address to the Home Agent. The Home Agent then forwards the HoTi message to the Correspondent Node. The Correspondent Node replies with a HoT message to the Home Agent, which is forwarded to the Mobile Node. In addition, the Mobile Node sends a CoTi message including a source address equal to the Mobile Node's care-of address to the Correspondent Node. The Correspondent Node then transmits a CoT message to the Mobile Node.
Through the return routability signaling messages, the Mobile Node and Correspondent Node derive tokens from which a shared secret key is derived. This shared secret key is then used by both the Mobile Node and the Correspondent Node to authenticate the Binding Update and Binding Acknowledgement between the Mobile Node and the Correspondent Node.
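The token and key derivation summarized above, as an added worked example that is not part of this specification: the formulas (keygen tokens, Kbm, and the Binding Authorization Data) follow RFC 3775 sections 5.2.4 to 5.2.6, while the addresses, the Correspondent Node's node key and nonce, and the Mobility Header bytes are constructed placeholder values.

```python
"""Return routability derivation per RFC 3775; all addresses, keys and nonces are constructed."""
import hashlib
import hmac
import ipaddress


def first(n_bits, data):
    """First(n, data): the leftmost n bits of data (n is a multiple of 8 here)."""
    return data[: n_bits // 8]


class CorrespondentNode:
    """Stateless CN side: it keeps only its own address, node key Kcn and current nonce."""

    def __init__(self, address, node_key, nonce):
        self.address = address
        self.node_key = node_key  # Kcn, known only to the CN (constructed value in the test)
        self.nonce = nonce        # indexed nonce; one index covers many Mobile Nodes

    def keygen_token(self, address, selector):
        """Selector 0 yields the home keygen token, selector 1 the care-of keygen token."""
        data = ipaddress.IPv6Address(address).packed + self.nonce + bytes([selector])
        return first(64, hmac.new(self.node_key, data, hashlib.sha1).digest())

    def home_test(self, hoti_source):
        """HoT reply: the token travels back to the MN through the Home Agent tunnel."""
        return self.keygen_token(hoti_source, 0)

    def care_of_test(self, coti_source):
        """CoT reply: the token is sent directly to the care-of address."""
        return self.keygen_token(coti_source, 1)


def binding_key(home_token, care_of_token):
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + care_of_token).digest()


def bu_mac(kbm, care_of_addr, cn_addr, mh_data):
    """Binding Authorization Data = First(96, HMAC_SHA1(Kbm, care-of addr | CN addr | MH data))."""
    data = ipaddress.IPv6Address(care_of_addr).packed + ipaddress.IPv6Address(cn_addr).packed + mh_data
    return first(96, hmac.new(kbm, data, hashlib.sha1).digest())


def mobile_node_binding_update(home_token, care_of_token, care_of_addr, cn_addr, mh_data):
    """MN side: only a node holding both tokens can produce a valid authenticator."""
    return bu_mac(binding_key(home_token, care_of_token), care_of_addr, cn_addr, mh_data)


def verify_binding_update(cn, home_addr, care_of_addr, mh_data, mac):
    """CN side: recompute both tokens from the BU's addresses; no per-MN state is required."""
    kbm = binding_key(cn.keygen_token(home_addr, 0), cn.keygen_token(care_of_addr, 1))
    return hmac.compare_digest(mac, bu_mac(kbm, care_of_addr, cn.address, mh_data))
```

A Binding Update whose care-of address differs from the one that received the CoT fails verification, which is the reachability check the procedure relies on.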
The route optimization process set forth above is dependent upon the assumption that the return routability messages cannot be intercepted, and therefore that the source address is correct. Similarly, it rests on the underlying assumption that the tunnel via which the HoTi and HoT messages are transmitted is protected.
IPSec is a framework for security that is used to protect the Binding Update and Acknowledgement messages. Specifically, IPSec is a set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPSec supports two encryption modes: transport and tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.
IPSec in transport mode allows for lower processing overhead, but provides neither authentication nor encryption for the IP header, making it vulnerable to spoofing. IPSec in tunnel mode provides greater protection, but has a higher overhead. Moreover, IPSec in tunnel mode also provides the advantage of hiding the original source and destination addresses from users on the public network, defeating or at least reducing the power of traffic analysis attacks.
The Mobile IPv6 base specification, RFC 3775, requires that IPSec in tunnel mode be used to protect the return routability messages (e.g., HoT, HoTi) transmitted between the Mobile Node and Correspondent Node through the Home Agent. Since an IPSec tunnel is established between the Mobile Node's care-of address and the Home Agent, when the Mobile Node moves, it must establish a new tunnel between the Mobile Node and the Home Agent. Specifically, this requires re-registration on behalf of the Mobile Node via the return routability signaling messages. As a result, it is an expensive process to generate a new tunnel (and associated security association) between the Mobile Node's new location and the Home Agent.
In view of the above, it would be beneficial if route optimization could be enhanced between a Mobile Node and a Correspondent Node.