The Internet, like so many other high tech developments, grew from research originally performed by the United States Department of Defense. In the 1960s, the military had accumulated a large collection of incompatible computer networks. Computers on these different networks could not communicate with other computers across their network boundaries.
In the 1960s, the Defense Department wanted to develop a communication system that would permit communication between these different computer networks. Recognizing that a single, centralized communication system would be vulnerable to attacks or sabotage, the Defense Department required that the communication system be decentralized with no critical services concentrated in vulnerable failure points. In order to achieve this goal, the Defense Department established a decentralized standard communication protocol for communication between their computer networks.
A few years later, the National Science Foundation (NSF) wanted to facilitate communication between incompatible network computers at various research institutions across the country. The NSF adopted the Defense Department's protocol for communication, and this combination of research computer networks would eventually evolve into the Internet.
Internet Protocols
The Defense Department's communication protocol governing data transmission between different networks was called the Internet Protocol (IP) standard. The IP standard has been widely adopted for the transmission of discrete information packets across network boundaries. In fact, the IP standard is the standard protocol governing communications between computers and networks on the Internet.
The IP standard identifies the types of services to be provided to users and specifies the mechanisms needed to support these services. The IP standard also specifies the upper and lower system interfaces, defines the services to be provided on these interfaces, and outlines the execution environment for services needed in the system.
A transmission protocol, called the Transmission Control Protocol (TCP), was developed to provide connection-oriented, end-to-end data transmission between hosts across packet-switched computer networks. The combination of TCP with IP (TCP/IP) forms a suite of protocols for information packet transmissions between computers on the Internet. The TCP/IP suite has also become the standard for packet-switched networks generally that provide connectivity across network boundaries.
Computer networks communicate with each other according to the protocol hierarchy of the Open Systems Interconnection (OSI) reference model. Each protocol possesses its own set of rules and procedures independent of other protocols. Each piece of software or hardware implementing a protocol is referred to as a protocol entity. A protocol entity is classified by its position on a layered protocol stack.
Protocol entities operate by interpreting the header on the data they receive from a higher layer, processing the packet as specified by the header and the associated protocol, and transmitting information packets. The information packet header identifies the applicable protocol and the operation to which it pertains. For example, a TCP header marks the data as a segment to be processed by the TCP entity, while an IP header marks the data as a packet to be processed by the IP entity.
The operations and hierarchy of operations performed by an entity can be graphically represented by a layered protocol stack. As the entities perform operations based on the header, the packet payload data is processed and examined for the next logical operation on the information packet.
The protocol standards are configured on a layered communication system structure. All the layers are located on each computer in the network, and each layer is a separate component that theoretically functions independent of the other layers. IP and related protocols form a standardized system for defining how packets should be processed, transmitted and received on the Internet. TCP/IP defines the network communication process and specifies the information packet format so the transmitted data is interpreted correctly. Because of the standardized layer design of the protocols, a consistent conversion of base payload data occurs regardless of the version or vendor of the communication software.
In a typical Internet-based communication scenario, data is transmitted from an originating communication device on a first network across a transmission medium to a destination communication device on a second network. After receipt at the second network, the packet is routed through the network to a destination communication device. Because standard protocols are used in Internet communications, the IP protocol on the destination communication device decodes the transmitted information into the original information transmitted by the originating device.
TCP/IP Addressing and Routing
A computer operating on a network is assigned a logical address under the TCP/IP protocols that is unique within the network it can reach. This is called an IP address; it is distinct from the physical (hardware) address of the network interface. The IP address can include: (1) a network ID number identifying a network, (2) a sub-network ID number identifying a substructure on the network, and (3) a host ID number identifying a particular computer on the subnetwork. A header data field in the information packet will include source and destination IP addresses. The IP addressing scheme imposes a consistent addressing structure that reflects the internal organization of the network or sub-network.
A router is used to regulate the transmission of information packets into and out of the computer network. Routers interpret the logical address contained in information packet headers and direct the information packets to the intended destination. Information packets addressed between computers on the same network do not pass through the router to the greater network, and as such, these information packets will not clutter the transmission lines of the greater network. If data is addressed to a computer outside the network, the router forwards the data onto the greater network.
TCP/IP network protocols define how routers determine the transmission path through a network and across network boundaries. Routing decisions are based upon the destination address in the IP header and corresponding entries in a routing table maintained on the router. A routing table contains the information a router needs to determine whether to accept an information packet on behalf of a directly attached device or pass the information packet on to another router; when several entries match, the most specific (longest) prefix is used.
Routing tables can be configured manually with routing table entries or with a dynamic routing protocol. A manual routing table can be configured upon initialization. In a dynamic routing protocol, routers update routing information with periodic information packet transmissions to other routers on the network. The dynamic routing protocol accommodates changing network topologies, network architecture, network structure, layout of routers, and interconnection between hosts and routers.
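The address fields and routing-table lookup described in the preceding paragraphs, worked through as an added example (this is not code from the original document): an IPv4 address is split into its network, sub-network and host ID numbers, and a router decides by longest-prefix match whether a packet stays on the attached network, is delivered to a directly attached host, or is forwarded to a next-hop router. The routing table, the interface names and the addresses (taken from the RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a router whose LAN is 192.0.2.0/24 (eth0) and
# whose upstream link (eth1) leads to the router 203.0.113.1. Each entry is
# (destination prefix, next hop or None when directly connected, interface).
ROUTING_TABLE = [
    ("192.0.2.0/24", None, "eth0"),              # directly attached LAN
    ("203.0.113.0/24", None, "eth1"),            # directly attached upstream link
    ("198.51.100.0/24", "203.0.113.1", "eth1"),  # remote network via upstream router
    ("0.0.0.0/0", "203.0.113.1", "eth1"),        # default route to the greater network
]
LOCAL_NETWORK = ipaddress.ip_network("192.0.2.0/24")


def split_address(addr: str, assigned_network: str, subnet_bits: int) -> dict:
    """Split an IPv4 address into network, sub-network and host ID numbers.

    assigned_network is the block the organisation was given (e.g. 10.0.0.0/8);
    subnet_bits is how many of the remaining bits it uses to number sub-networks.
    """
    net = ipaddress.ip_network(assigned_network, strict=False)
    value = int(ipaddress.ip_address(addr))
    host_bits = 32 - net.prefixlen - subnet_bits
    return {
        "network": value >> (32 - net.prefixlen),
        "subnet": (value >> host_bits) & ((1 << subnet_bits) - 1),
        "host": value & ((1 << host_bits) - 1),
    }


def lookup(dst: str):
    """Longest-prefix match over ROUTING_TABLE: the most specific entry wins."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in ROUTING_TABLE:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def route_packet(src: str, dst: str) -> tuple:
    """Decide what the router does with a packet from src to dst.

    Returns (action, next_hop, interface), where action is 'same-network'
    (both hosts on the LAN, so the packet never needs the router), 'deliver'
    (destination on a directly attached link), 'forward' or 'drop'.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in LOCAL_NETWORK and d in LOCAL_NETWORK:
        return ("same-network", None, "eth0")
    route = lookup(dst)
    if route is None:
        return ("drop", None, None)
    net, next_hop, iface = route
    if next_hop is None:
        return ("deliver", None, iface)
    return ("forward", next_hop, iface)


if __name__ == "__main__":
    print(split_address("10.3.4.5", "10.0.0.0/8", 8))
    for src, dst in [("192.0.2.10", "192.0.2.20"), ("192.0.2.10", "198.51.100.7"),
                     ("192.0.2.10", "172.16.5.5"), ("198.51.100.7", "192.0.2.20")]:
        print(src, "->", dst, route_packet(src, dst))
```

With an 8-bit sub-network field carved out of 10.0.0.0/8, the address 10.3.4.5 splits into network 10, sub-network 3 and host 0x0405; the default route matches every destination but only wins when no more specific entry does.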
The IP-Based Mobility System
The Internet protocols were originally developed with an assumption that Internet users would be connected to a single, fixed network. With the advent of cellular wireless systems and the mobile communication devices that use them, the movement of Internet users within a network and across network boundaries has become common. This highly mobile Internet usage violates the implicit design assumption of the Internet protocols, namely a fixed user location.
In an IP-based mobile communication system, the mobile communication device (e.g. cellular phone, pager, computer, etc.) can be called a mobile node. Typically, a mobile node maintains connectivity to its home network through a foreign network. The mobile node will always be associated with its home network for IP addressing purposes and will have information routed to it by routers located on the home and foreign networks. The routers can be referred to by a number of names including Home Agent, Home Mobility Manager, Home Location Register, Foreign Agent, Serving Mobility Manager, Visited Location Register, and Visiting Serving Entity.
While coupled to a foreign network, the mobile node will be assigned a care-of address. This is a temporary IP address assigned by the foreign network. The care-of address is used by routers on the foreign network to route information packets addressed to the mobile node. While residing on a foreign network, a mobile node may move from one location to another, changing its connectivity to the network. This movement changes the physical location of the mobile node and requires updating routing tables and/or care-of addressing to keep up with this movement.
When a mobile node is operating on a foreign network, specialized servers are used to authenticate, authorize, and collect accounting information for services rendered to the mobile node. This authentication, authorization, and accounting activity is called “AAA,” and AAA computer servers on the home and foreign network perform the AAA activities.
Authentication is the process of proving one's claimed identity, and security systems on a mobile IP network will often require authentication of the system user's identity before authorizing a requested activity. The AAA server verifies the claimed identity of the user and, once the user is authenticated, authorizes the mobile node's requested activity. Additionally, the AAA server performs the accounting functions by tracking usage on the network.
Virtual Private Networks
A Virtual Private Network (VPN) emulates a private network over a shared physical infrastructure. By way of example, a VPN can reside within a local area network (LAN) system or on several different networks. A VPN can also span multiple computer systems.
A VPN can be used to extend the communication capabilities of a corporate network to remote offices or users, all of which will support or use Internet, extranet, or dial-up services. In this way, connectivity to the VPN network is provided in the same manner as a dedicated private network, but there is no need to provide all the equipment and support infrastructure at a remote location.
A service provider, or other network structure, provides the remote physical system and computer infrastructure within which the “virtual” VPN network resides. In this manner, the VPN can function much the same as a single, physical network even though there are intervening host infrastructures and communications traverse network boundaries. A number of different types of VPNs are suggested in RFC 2764, but this is by no means an exhaustive list of possible VPN constructs. The distinguishing hallmark of a VPN is a single, logical network found on a public or private computer infrastructure with the VPN residing upon one or more autonomous systems.
Tunneling
Tunneling is the basic methodology in IP communication by which an information packet is routed to the appropriate Internet node through an intermediate Internet address. To emulate the point-to-point connections of a private network, VPN methodology uses secure tunnels to handle information packet transmission across the public infrastructure.
Typically, an information packet that already carries its own routing information is encapsulated with an additional IP header. Encapsulation involves adding an outer IP header in front of the original IP header fields. In this manner, a "tunnel" can be constructed. The outer IP header contains a source and destination IP address, the "endpoints" of the tunnel. The inner IP header source and destination addresses identify the original sender and destination addresses.
The original sender and recipient addresses for the information packet remain unchanged after encapsulation, while the new "tunnel" endpoint addresses are prepended to the original information packet. This prepended address information alters the original IP routing by delivering the information packet to an intermediate destination node (in mobile IP typically a foreign router), where the encapsulated information packet is "decapsulated" or "de-tunneled," yielding the original information packet. The packet is then delivered to the destination address found in the original IP header based on the associated routing table entries on network routers.
In mobile IP, the "tunnel" is established by encapsulating the information packet, which carries the original home IP address of the mobile node as its destination (together with the payload data), within an outer IP header whose destination is the intermediate routing address (i.e. the care-of address) on the foreign network. In the more specialized application of VPNs, the tunnels can be secured by encryption and authentication protocols. These security protocols ensure integrity and confidentiality of information packet data transmission during a communication session. These security protocols, however, operate predominantly on and between the home network and the foreign network.
By encapsulating the data with an IP header, an encrypted information packet can be routed securely over the public communication infrastructure between the foreign network and the home network. During transit through the tunnel over the public communication infrastructure, the information packet data payload is encrypted, and it can be deciphered only by a party holding the session keys shared by the tunnel endpoints. The foreign network will decrypt the information packet and send the decrypted packet to the mobile node. Obviously, the wireless transmission of a decrypted information packet to the mobile node, in the clear, is subject to interception and unauthorized use.
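The encapsulation and decapsulation described above, worked through as an added example that is not code from the original document: a home agent keeps a binding of each mobile node's home address to its current care-of address, wraps any packet arriving for that home address in an outer IP-in-IP header (protocol number 4, the RFC 2003 encapsulation) addressed from the home agent to the care-of address, and the foreign agent strips the outer header to recover the original, unchanged packet. Re-registering a new care-of address redirects the tunnel, which is the routing update a move between foreign networks requires. The addresses (from the RFC 5737 documentation ranges), the binding table and the `HomeAgent` class are constructed for illustration; the encryption that a VPN would apply inside the tunnel is omitted.

```python
import socket
import struct

IPPROTO_IPIP = 4  # protocol number for IP-in-IP encapsulation (RFC 2003)


def header_checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal (no options) IPv4 packet with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse an IPv4 header, verifying its checksum; return fields and payload."""
    ihl = (pkt[0] & 0x0F) * 4
    if header_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


class HomeAgent:
    """Router on the home network that tunnels packets to a mobile node's care-of address."""

    def __init__(self, address: str):
        self.address = address
        self.bindings = {}  # home address -> current care-of address (constructed table)

    def register(self, home_addr: str, care_of: str) -> None:
        """Binding update: the mobile node reports its (new) care-of address."""
        self.bindings[home_addr] = care_of

    def intercept(self, pkt: bytes) -> bytes:
        """Encapsulate a packet addressed to a registered mobile node; pass others through."""
        inner = parse_ipv4(pkt)
        care_of = self.bindings.get(inner["dst"])
        if care_of is None:
            return pkt  # not one of our mobile nodes: ordinary routing applies
        # Outer header: tunnel endpoints are the home agent and the care-of address.
        # The inner header, with the original sender and home address, is untouched.
        return build_ipv4(self.address, care_of, IPPROTO_IPIP, pkt)


def decapsulate(pkt: bytes, tunnel_endpoint: str) -> bytes:
    """Foreign agent: strip the outer header and recover the original packet."""
    outer = parse_ipv4(pkt)
    if outer["dst"] != tunnel_endpoint or outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP tunnel packet for this endpoint")
    return outer["payload"]


# Constructed addresses from the RFC 5737 documentation ranges.
HOME_AGENT, MOBILE_HOME_ADDR = "192.0.2.1", "192.0.2.50"
CORRESPONDENT, FOREIGN_AGENT = "198.51.100.7", "203.0.113.77"


def demo() -> dict:
    """Correspondent -> home agent -> tunnel -> foreign agent -> original packet."""
    ha = HomeAgent(HOME_AGENT)
    ha.register(MOBILE_HOME_ADDR, FOREIGN_AGENT)
    original = build_ipv4(CORRESPONDENT, MOBILE_HOME_ADDR, 17, b"hello mobile node")
    tunneled = ha.intercept(original)
    recovered = decapsulate(tunneled, FOREIGN_AGENT)
    return {"agent": ha, "original": original, "tunneled": tunneled,
            "outer": parse_ipv4(tunneled), "recovered": recovered}


if __name__ == "__main__":
    r = demo()
    print("outer:", r["outer"]["src"], "->", r["outer"]["dst"], "proto", r["outer"]["proto"])
    print("inner:", parse_ipv4(r["recovered"])["src"], "->", parse_ipv4(r["recovered"])["dst"])
    print("recovered == original:", r["recovered"] == r["original"])
```

The outer header is the only thing the public infrastructure routes on; the inner header still names the correspondent and the mobile node's home address, which is why the mobile node keeps a stable identity while its point of attachment changes.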
In prior implementations of a VPN, two software applications are usually required: a mobile IP client and a VPN client. Because no single integrated client implements both functions, the two clients must work in tandem to set up and maintain a VPN tunnel and a communication connection to the mobile node.
Present VPN solutions in a wireless environment are not satisfactory. There are a number of unresolved challenges to encrypting an information packet for transmission to mobile nodes that move across network boundaries, especially in the VPN environment. Full encryption of information packets from the mobile node across the wireless link to the home network has proven very difficult to implement. Whenever the mobile node changes its connectivity to a network, its routing address changes, requiring the clients to be reset, the mobile node to be re-authenticated, and new session encryption keys to be exchanged. Changing routing addresses requires both time and system resources for transmitting administrative information. These increased overhead requirements result in latency in session information transmission, loss of data, and sometimes session termination. There is therefore a need to better secure the wireless link from the mobile node to the foreign network and to ensure secure communication over that link.