Such services can be terminal IP mobility management services, for example. The Mobile IP protocol is used to manage the mobility of a mobile terminal, also known as a Mobile IP Node (MN), from a home IP subnetwork to another IP subnetwork, referred to as the visited network, during movement of the node.
A visited network can offer roaming visitor nodes an IP address that is topologically valid in that network. To this end a Foreign Agent (FA) function can be provided on a given item of equipment in the visited network to register visitor mobile nodes and to forward packets to them. When a node moves to a visited network comprising a foreign agent FA, it acquires from the foreign agent FA a temporary address in that visited network, commonly referred to as a Care-of Address (CoA). A single temporary address can be used for all visitor nodes. The mobile node MN roaming in the visited network is then registered with a referent equipment of its home IP network, whose function is IP mobility management, and sends it the temporary address in the visited network. This kind of referent equipment is commonly called a Home Agent (HA). All IP nodes have or obtain, upon registering with their home agent, a Home Address (HoA) in their home IP network. The home agent stores the correspondence between the address HoA in the home network and the temporary address CoA in the visited network. The mobile node MN roaming in the visited network can therefore receive, at the temporary address CoA, packets sent to the address HoA in the home network. It can also send packets from the temporary address CoA so that they appear to have been sent from the address HoA in the home network.
In a visited network that does not include a foreign agent FA, the mobile node acquires a personal temporary address in the visited network known as the Co-Located Care-of Address (CCoA), and registration with the home agent is carried out as described above.
To prevent packets transmitted from the visited network by the roaming node from being rejected because their source IP address is considered incorrect in the visited network, a tunnel can be established between the foreign agent FA and the home agent HA, or between the roaming node and the home agent if the visited network has no foreign agent FA. Packets transmitted by the mobile node MN are then carried to the home agent HA in the tunnel. The home agent HA is then responsible for forwarding them to the addressee.
The referent equipment or home agent is conventionally protected by a firewall. The firewall applies predefined filtering rules to block at least some undesirable incoming traffic. These rules are generic and aim to filter in particular incoming traffic from a given communication network. They allow the selective passage of certain streams of data. The following rules may be cited by way of illustrative example:
a first rule accepts registration requests from a valid IP network going to the home agent;
a second rule accepts traffic corresponding to packets transmitted in a tunnel from a valid IP address to the home agent;
a third rule accepts traffic going to an address in the home network that is one of a set of addresses managed by the referent equipment.
It is nevertheless possible for malicious equipment to circumvent these rules by using valid parameters, in particular in order to attack the home agent.
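The registration, tunnelling and filtering steps described above, as one added example that is not text or code from the original document: a Python model in which a home agent keeps the HoA/CoA correspondence table and a firewall applies the three generic rules on header fields alone. The constants (UDP port 434 for registration, IP protocol 4 for IP-in-IP tunnels) are Mobile IPv4 values; the addresses, the names HomeAgent, Firewall and Packet, and the binding consistency check in decapsulate are assumptions made for the illustration, not something the passage specifies.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Mobile IPv4 values: registration messages use UDP port 434; the
# home-agent tunnel is modelled here as IP-in-IP (IP protocol 4).
MIP_REGISTRATION_PORT = 434
PROTO_IPIP = 4
PROTO_UDP = 17


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int
    dport: Optional[int] = None          # UDP destination port, if any
    inner: Optional["Packet"] = None     # encapsulated packet for IP-in-IP


def packet(src, dst, proto, dport=None, inner=None):
    """Build a Packet from address strings (constructed sample values)."""
    return Packet(ip_address(src), ip_address(dst), proto, dport, inner)


@dataclass
class HomeAgent:
    """Referent equipment of the home network: keeps the HoA -> CoA table."""
    address: IPv4Address                           # the HA's own address
    managed: set                                   # HoAs this HA is responsible for
    bindings: dict = field(default_factory=dict)   # HoA -> CoA

    def register(self, hoa, coa):
        hoa, coa = ip_address(hoa), ip_address(coa)
        if hoa not in self.managed:
            raise ValueError(f"{hoa} is not a home address managed by this HA")
        self.bindings[hoa] = coa

    def forward(self, pkt):
        """Packet addressed to a HoA: tunnel it to the CoA while the node roams."""
        coa = self.bindings.get(pkt.dst)
        if coa is None:
            return pkt                   # node is at home, deliver directly
        return Packet(self.address, coa, PROTO_IPIP, inner=pkt)

    def decapsulate(self, pkt):
        """Reverse tunnel: unwrap the inner packet. Assumed check, not from the
        passage: the inner source must be a HoA bound to the tunnel's outer source."""
        if pkt.proto != PROTO_IPIP or pkt.inner is None or pkt.dst != self.address:
            raise ValueError("not a tunnel packet addressed to this home agent")
        if self.bindings.get(pkt.inner.src) != pkt.src:
            raise ValueError("inner source does not match the stored HoA/CoA binding")
        return pkt.inner


@dataclass
class Firewall:
    """The three generic rules from the text, evaluated on header fields only."""
    ha: HomeAgent
    valid_nets: list                     # networks regarded as valid sources

    def _valid_source(self, addr):
        return any(addr in net for net in self.valid_nets)

    def decide(self, pkt):
        if (pkt.proto == PROTO_UDP and pkt.dport == MIP_REGISTRATION_PORT
                and pkt.dst == self.ha.address and self._valid_source(pkt.src)):
            return ("accept", "rule1-registration")
        if (pkt.proto == PROTO_IPIP and pkt.dst == self.ha.address
                and self._valid_source(pkt.src)):
            return ("accept", "rule2-tunnel")
        if pkt.dst in self.ha.managed:
            return ("accept", "rule3-home-address")
        return ("drop", "default")


def demo():
    """Constructed scenario using RFC 5737 documentation address ranges."""
    ha = HomeAgent(ip_address("192.0.2.1"),
                   managed={ip_address("192.0.2.10"), ip_address("192.0.2.11")})
    fw = Firewall(ha, valid_nets=[ip_network("198.51.100.0/24")])
    results = {}
    # Registration from the visited network creates the HoA -> CoA binding.
    reg = packet("198.51.100.7", "192.0.2.1", PROTO_UDP, dport=MIP_REGISTRATION_PORT)
    results["registration"] = fw.decide(reg)
    ha.register("192.0.2.10", "198.51.100.7")
    # A correspondent sends to the HoA: rule 3 admits it, the HA tunnels it to the CoA.
    to_hoa = packet("203.0.113.5", "192.0.2.10", PROTO_UDP, dport=5060)
    results["to_hoa"] = (fw.decide(to_hoa), str(ha.forward(to_hoa).dst))
    # Reverse tunnel from the registered CoA: rule 2 admits it, decapsulation succeeds.
    inner = packet("192.0.2.10", "203.0.113.5", PROTO_UDP, dport=5060)
    good = packet("198.51.100.7", "192.0.2.1", PROTO_IPIP, inner=inner)
    results["reverse_good"] = (fw.decide(good), str(ha.decapsulate(good).src))
    # Same header shape from another host of the valid network: the generic rule
    # still accepts it; only the HA's own binding state can tell it apart.
    other = packet("198.51.100.99", "192.0.2.1", PROTO_IPIP, inner=inner)
    try:
        ha.decapsulate(other)
        rejected = False
    except ValueError:
        rejected = True
    results["reverse_other"] = (fw.decide(other), rejected)
    return results
```

The point of the last case is the one the text makes: the firewall sees only addresses, protocol and port, so a packet built from valid parameters passes all three rules, and any rejection has to come from state the home agent itself holds.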