Mobile IP is a protocol designed to allow mobile units, e.g. laptop computers, to roam between various sub-networks at various locations, while still maintaining Internet and/or WAN connectivity. This protocol was suggested by the IETF (Internet Engineering Task Force) and is described in a series of RFC (Request for Comment) documents. In order to further discuss this type of operation, let us first explain the three basic functional entities associated with Mobile IP networks.
Mobile Terminal. A host (e.g. a laptop computer) or router that changes its point of connection from one network or subnet, to another. A mobile terminal may change its location without changing its IP address; it may continue to communicate with other Internet nodes at any location using its (fixed) IP address, as long as the link-layer connectivity to a point of connection is available.Home Agent. A router located at the mobile terminal's native network, which tunnels datagrams for delivery to the mobile terminal while roaming from its primary location (e.g. when away from home), and maintains information about the roaming mobile terminal current location.Foreign Agent. A router located at a network (or sub-network) currently visited by the roaming mobile terminal (foreign network), and which provides, upon registration of the mobile terminal at the foreign network, routing services to the mobile terminal. The foreign agent is capable of tunneling and delivering datagrams to the mobile terminal that were tunneled by the mobile terminal's home agent. In case of datagrams sent by a mobile terminal, the foreign agent may serve as a default router for forwarding such datagrams to any registered mobile terminal, as required.
Such Mobile IP or related protocol, is directed to allow mobile terminals to stay connected while roaming through various networks and sub-networks. An implementation of Mobile IP is described for example in RFC 3344 of the IP Routing for Wireless/Mobile Hosts (Mobile IP) by which a mobile terminal is given a long-term IP address on its native (home) network. This native address is administered in the same way as a “permanent” IP address would be provided to a stationary host. When away from its native network, a “care-of address” is associated with the mobile node and reflects the mobile terminal's current point of connection. The mobile terminal uses its native address as the source address for all IP datagrams that are sent thereby, except for datagrams that are sent for the purpose of maintaining certain mobility management functions.
The following procedure is used to provide some brief demonstration of operation in accordance with the basic Mobile IP protocol.
Mobility agents (both foreign agents and home agents) advertise their presence via pre-defined Agent Advertisement messages. A mobile node may optionally solicit generation of an Agent Advertisement message from any locally connected mobility agent through an Agent Solicitation message. The mobile node receiving these Agent Advertisements determines therefrom whether it is currently located at its native network or at a foreign network. If the mobile node detects that it is located at its native network, it will operate without requiring receipt of the network mobility services.
Upon returning of the mobile node to its native network after being registered elsewhere, the mobile node will re-register with its home agent through exchanging of a Registration Request and Registration Reply messages with its home agent. Such Registration Messages must carry Mobile-Home Authentication extensions and may also carry Mobile-Foreign Authentication extensions.
However, when a mobile node detects that it has moved to a foreign network, it obtains a care-of address associated with the foreign network. The care-of address can either be determined from a foreign agent's advertisements (a foreign agent care-of address), or by some external assignment mechanism such as DHCP (a co-located care-of address).
The mobile node operating away from its native network would then register its new care-of address with its home agent through exchange of a Registration Request and Registration Reply messages therewith, possibly via a foreign agent. Datagrams that are thereafter sent to the mobile node's native address would be intercepted by its home agent and tunneled to the mobile node's care-of address. They will then be received at the tunnel endpoint (either at a foreign agent or at the mobile node itself), and delivered to the mobile node. In the reverse direction, datagrams sent by the mobile node are generally delivered to their destination using standard IP routing mechanisms, not necessarily passing through the home agent.
Another problem associated with the use of such mobile IP protocol, is the problem of securing transmissions to/from the mobile node.
RFC 2977 describes an Access Authentication and Authorization (“AAA”) scheme, which might be used in case of a node currently located in a foreign network. In this RFC, the notion of the Local AAA Server has been introduced which relates to a server that is part of the network currently visited by that node, as opposed to the home AAA server, which is part of the node's native network. As shown in FIG. 1, the AAA process is partially carried out at the visited network, where the foreign agent is responsible to authenticate and authorize the user, and partially at the node's native network, where the home agent is responsible to carry out the AAA process. As will be understood by those skilled in the art, these two parts of the AAA process cannot be carried independently of each other, and there is also some exchange of information involved between these two AAA servers. However, the solution provided by this RFC does not disclose how to implement an AAA process when the node is a mobile IP node.
A number of attempts were made in the past in order to improve the options provided for users of the Mobile IP protocol.
U.S. Pat. No. 6,621,810 describes methods and apparatus for enabling intra-agent mobility by a mobile node, which permit a mobile node to register with a Home Agent via a Foreign Agent where the Home Agent and the Foreign Agent are provided in the same router.
U.S. Pat. No. 6,636,498 describes certain methods for implementing a mobile router are provided. By this patent, the Home Agent receives a registration request packet that includes a care-of address for the mobile router. Networks associated with the mobile router are then identified and the Home Agent then updates a routing table to associate the identified networks with the care-of address. In addition, the Home Agent updates a mobility binding table with the care-of address for the mobile router.
U.S. Pat. No. 6,501,746 describes methods for assigning an IP address to a mobile node during registration. The registration request is sent by a mobile node and the mobile node ID associated with the mobile node is obtained. A registration request packet which comprises the mobile node ID is then composed and sent to a Home Agent associated with the mobile node.
U.S. Pat. No. 6,760,444 relates to methods for authenticating a mobile node, by configuring a server to provide a number of security associations associated with a number of mobile nodes. A packet identifying a mobile node is sent to the server from a network device such as a Home Agent and a security association for the mobile node identified in the packet is then obtained from the server. The security association is sent to the network device to permit authentication of the mobile node. Alternatively, authentication of the mobile node may be performed at the server by applying the security association.
U.S. Pat. Nos. 6,466,964 and 6,795,857 disclose methods and devices to enable a node that does not support Mobile IP to roam to various Foreign Agents, thus allowing such node to receive packets that are sent thereto by another node. This is functionality is accomplished, in part, through enabling a Foreign Agent to independently perform registration on behalf of that node. In addition, a Home Agent associated with the node, independently performs de-registration on behalf of the node when the node roams to a Foreign Agent from the Home Agent or from a Foreign Agent to another Foreign Agent. This is achieved without any communication from the node to indicate its wish to register or de-register. Moreover, because the node is not capable of implementing the Mobile IP protocol, the solution provided is to implement a virtual Foreign Agent that will allow the node to appear as if it sends a packet to only one Foreign Agent rather than to different Foreign Agents each time the node roams to a new Foreign Agent, and that the node is sending and receiving packets through only one router (e.g., Foreign Agent) that is the default gateway. The method disclosed by U.S. Pat. Nos. 6,466,964 and 6,795,857 teaches the use of a virtual Foreign Agent in a network having a plurality of Foreign Agents. By this method, a single dummy interface IP address is associated with an interface of each one of the Foreign Agents, thereby facilitating communication between the node and one of the Foreign Agents via the dummy interface IP address.
US 20050025091 discloses methods and apparatus for providing a centralized source of session keys to be shared by a Home Agent and a Mobile Node. By this application, a mobile node registers with a Home Agent supporting mobile IP by sending a registration request to the Home Agent. The Home Agent sends a request message to a AAA server identifying the mobile node. The AAA server then derives key information from a key or password associated with the mobile node and sends a reply message to the Home Agent, the reply message including the key information associated with the mobile node, which in return enables the Home Agent to derive a shared key to be shared between the Mobile Node and the Home Agent from the key information. The Home Agent derives a key from the key information, and the key is a shared key between the mobile node and the Home Agent. A registration reply is then sent to the mobile node, which in indicates that the mobile node may derive a key to be shared between the mobile node and the Home Agent. The mobile node then derives a key to be shared between the mobile node and the Home Agent from key information stored at the mobile node.
US 20040213260 describes methods that enable proxy mobile IP registration to be performed in a secured manner. By this disclosure, various security mechanisms are used independently, or in combination with one another, to authenticate the identity of a node during the registration process.
US 20040202126 describes methods for distributing a Mobile IP registration request to one of a number of Home Agents received from a Foreign Agent to which the mobile node has roamed. The source IP address of the registration request is the IP address of the Foreign Agent to which the mobile node has roamed, so that the selected Home Agent sends a mobile IP registration reply directly to the Foreign Agent without interception by the network device.
However, none of the methods disclosed in the prior art has proposed a solution to the problem of how to enable IP mobility in a multi-operator environment, in a properly secured way.
The disclosure of the references mentioned throughout the present specification are hereby incorporated herein by reference in their entireties and for all purposes.