1. Field of the Invention
The invention relates to a method and a system for protecting a first network node (e.g., a correspondent node, CN) by means of an access blocking function (e.g., a firewall).
2. Description of the Prior Art
The invention relates in particular to Mobile IP (Internet Protocol), in which a second node having a connection to the first node is a mobile node (MN).
Mobile IPv6 (MIP) will be needed to support roaming across different access technologies, e.g., to augment 3G (third generation) networks with Wireless Local Area Network (WLAN) hot spots. On the other hand, a firewall (FW) is needed to protect a node against malicious packets. Existing stateful FWs, however, interfere with MIP route optimization.
Namely, a mobile node is able to change its address. The firewall protects the correspondent node (CN) by allowing only a link between the mobile node and the correspondent node that is identified by the addresses of the mobile node and the correspondent node (such a link is referred to in the following as a “pinhole”). Consequently, when the mobile node changes its address from an old care-of address (CoA) to a new CoA, packets sent from the new CoA no longer match the pinhole, and the whole connection between the mobile node and the correspondent node has to be set up anew.
This causes an interruption of the traffic between the two nodes, which is annoying for the users. That is, current firewalls do not support Mobile IP.
If the FW ignores Binding Updates (BUs), i.e., does not track the change of CoA that they announce, MIP route optimization will not work: packets arriving from the new CoA are dropped because they match no pinhole, and all sessions have to be re-initiated from the new address. Smooth handovers are then possible only if all packets are routed via the Home Agent (HA), which in turn means that no route optimization is possible.
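The following Python simulation is added here as an illustration of the problem described above; it is not part of the patent, and the IPv6 addresses and port numbers are constructed. It models a stateful firewall in front of the CN whose pinholes are keyed on the addresses and ports of both endpoints and which takes no action on Binding Updates. A session carried via the Home Agent keeps the stable home address as its source and survives the handover, whereas a route-optimized session keyed on the old CoA loses its pinhole and can only continue by being re-initiated from the new CoA.

```python
from dataclasses import dataclass

# Constructed addresses (documentation prefix 2001:db8::/32); not from the patent.
CN = "2001:db8:cafe::1"        # correspondent node protected by the firewall
HOA = "2001:db8:1::abcd"       # mobile node's home address (stable)
COA_OLD = "2001:db8:2::5"      # care-of address before the handover
COA_NEW = "2001:db8:3::7"      # care-of address after the handover


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # True for a connection-initiating TCP segment


class StatefulFirewall:
    """Hypothetical stateful firewall: a pinhole is opened when a permitted
    session is initiated and is identified solely by the (address, port)
    pair of each endpoint. Mobility signalling is neither inspected nor
    used to update the pinhole table."""

    def __init__(self, protected, open_ports):
        self.protected = protected      # address the firewall guards
        self.open_ports = open_ports    # {(proto, port)} on which new sessions may be opened
        self.pinholes = set()

    @staticmethod
    def key(pkt):
        # Unordered endpoint set, so both directions of one session match.
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def filter(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        k = self.key(pkt)
        if k in self.pinholes:
            return True
        if pkt.dst == self.protected and pkt.syn and (pkt.proto, pkt.dport) in self.open_ports:
            self.pinholes.add(k)  # session set-up: open a pinhole for this address pair
            return True
        return False


def handover_scenario():
    """Run both session types across a CoA change and report what the firewall does."""
    fw = StatefulFirewall(CN, {("tcp", 80)})

    # Before the handover: one session tunnelled via the HA (CN sees the home
    # address) and one route-optimized session (CN sees the current CoA).
    fw.filter(Packet(HOA, CN, "tcp", 40000, 80, syn=True))
    fw.filter(Packet(COA_OLD, CN, "tcp", 40001, 80, syn=True))

    # Handover: the MN now uses COA_NEW. The BU it sends to the CN does not
    # change fw.pinholes, because this firewall ignores mobility signalling.
    return {
        # Traffic via the HA still carries HOA as source and matches its pinhole.
        "via_ha": fw.filter(Packet(HOA, CN, "tcp", 40000, 80)),
        "via_ha_reply": fw.filter(Packet(CN, HOA, "tcp", 80, 40000)),
        # Route-optimized data from the new CoA has no matching pinhole: dropped.
        "ro_old_session": fw.filter(Packet(COA_NEW, CN, "tcp", 40001, 80)),
        # Only a freshly initiated session from the new CoA gets through.
        "ro_reinitiated": fw.filter(Packet(COA_NEW, CN, "tcp", 40002, 80, syn=True)),
    }


if __name__ == "__main__":
    for name, forwarded in handover_scenario().items():
        print(f"{name:16s} {'forwarded' if forwarded else 'DROPPED'}")
```

The dropped `ro_old_session` packet is the interruption the text describes; the firewall accepts the re-initiated session only because port 80 is open for new connections, which is exactly the "all sessions have to be re-initiated" case, not a smooth handover.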