A CDMA2000 network, including CDMA2000 1x and a High Rate Packet Data (HRPD) system, requires its packet domain to support Mobile IP technologies, such as Mobile IPv6 technologies.
In Mobile IPv6, a Mobile Node (MN) is provided with two IP addresses, one referred to as a Home Address (HoA) and the other referred to as a Care-of Address (CoA). During mobile communication the HoA remains unchanged all the time, and is used to maintain continuity and reachability of the communication when the MN moves to a foreign network. The CoA is assigned to the MN by the foreign network. When the MN is given a new CoA, this address shall be bound to the HoA on a Home Agent (HA), so that the HA can forward packets sent to the MN by another entity through a tunnel between the MN and the HA, and forward packets sent by the MN to that other entity. The messages used in binding are the Binding Update (BU), transmitted from the MN to the HA, and the Binding Acknowledgement (BA), transmitted back from the HA. Here, the binding of the MN is performed directly with the HA. Further, in order to ensure security during binding, Mobile IPv6 requires that an IP security (IPsec) Security Association (SA) first be established between the MN and the HA, and that the BU and BA messages be protected using this security association. Typically, the MN needs to know the IP address of the HA in order to communicate with it.
Referring to FIG. 1, in Mobile IPv6 in the conventional CDMA2000 network, a Mobile Station (MS) is the MN of the Mobile IPv6 technology, and if the MS is not configured with information such as the home agent, the home address HoA or the Home Link (HL) prefix, the MS can obtain this information through stateless Dynamic Host Configuration Protocol for IPv6 (DHCPv6). The detailed procedure is as follows.
a. The MS establishes a Point to Point Protocol (PPP) connection with a Packet Data Serving Node (PDSN), and performs PPP Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) authentication, i.e. initiates an access authentication process.
b. The PDSN transmits a Remote Authentication Dial In User Service (RADIUS) Access-Request message, which includes the authentication information of the MS, to a home RADIUS server.
c. The home RADIUS server checks the configuration information of the user to determine whether the user can be provided with Mobile IPv6 service, and verifies the authentication information of the user. If the authentication information is correct, the user is assigned an HA and a HoA.
d. The home RADIUS server transmits to the PDSN a RADIUS Access-Accept message, which includes the address of the HA in an MIP6-Home Agent attribute and the HoA in an MIP6-Home Address attribute.
e. The PDSN receives the HA address and the HoA from the home RADIUS server, and stores this information locally.
f. The PDSN transmits to the MS a message indicating completion of the access authentication process.
g. The MS requests the MIP6-related information from the PDSN through a DHCPv6 Information-request message. The client identifier option of the message further includes the Network Access Identifier (NAI) that the MS used in the access authentication procedure.
h. The PDSN searches for the appropriate record according to the NAI, and if it is found, the PDSN transmits a reply message back to the MS, whose 3GPP2 Vendor option extension includes the address of the HA and the HoA.
Referring to FIG. 2, if the RADIUS server does not assign a HoA to the MS, it can instead inform the PDSN of a home link prefix. After obtaining the prefix from the PDSN, the MS can configure a HoA automatically. After obtaining the address of the HA and the HoA from the network through the above procedure, the MS can perform Mobile IP binding directly with the HA. This binding does not entirely comply with the requirement of the primary MIP6 standard RFC 3775, i.e. that an IPsec SA first be established between the MS and the HA and that the BU and BA messages be protected by that SA; instead, it adopts the authentication protocol defined in RFC 4285. The detailed procedure is as follows.
a. The MS performs a link layer establishment process, and obtains MIP-related bootstrapping information (such as a home link prefix, an HA address or a HoA) from the RADIUS server by way of the PDSN.
b. If the MS obtains a new HoA, the MS may use that HoA; otherwise the MS may automatically generate a global unicast address as its HoA according to the home link prefix obtained from the RADIUS server.
c. The MS transmits a Binding Update message to the HA, which includes an MN-AAA mobility message authentication option so that the HA can check the integrity of the message.
d. The HA obtains parameters such as the NAI of the MS and the MN-AAA mobility message authentication option from the Binding Update message, and forwards these parameters to the RADIUS server of the home network through a RADIUS Access Request message.
e. The RADIUS server of the home network uses a key shared between the MS and the server to verify the MN-AAA mobility message authentication option. If the verification is successful, this indicates that the message has not been forged or modified, i.e. the MS is a legitimate user, and thus the binding operation is performed. Thereafter, the RADIUS server calculates an Internet Key (IK) for protecting the subsequent binding between the MS and the HA, and the MS can compute the IK in the same way as the RADIUS server.
f. The RADIUS server transmits to the HA an Access Accept message, whose MIP6-Session Key extension includes the key IK.
g. The HA stores the received key IK, and performs a replay attack check according to the Mesg-ID mobility option in the Binding Update message.
h. The HA transmits to the MS a Binding Acknowledgement message including an MN-HA mobility message authentication option calculated with the IK, an MN-NAI mobility option, and the Mesg-ID mobility option. Upon reception of the BA, the MS may use the IK to check the integrity of the message.
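The following Python program is an added example, not code from the original document nor from any CDMA2000 or 3GPP2 implementation, that models the integrity and replay checks of steps c, g and h above on the HA side: the RFC 4285 mobility message authentication option, computed as First(96, HMAC_SHA1(key, CoA | HoA | MH Data)) with the Mobility Header checksum zeroed and the authenticator field excluded, and the Mesg-ID timestamp check (64-bit NTP format) that rejects a replayed or stale Binding Update. It assumes that the MS and the HA already share the key IK, that the HA enforces a seven-second timestamp window, and it uses constructed addresses, NAI, SPI and key; the option type codes (MN-ID 8, authentication 9, replay protection 10) follow RFC 4283 and RFC 4285. For simplicity the MN-HA subtype is shown on the BU, whereas the procedure above carries the MN-AAA option on the BU and the MN-HA option on the BA; the computation is identical with the respective key.

```python
import hashlib
import hmac
import struct

# Constructed sample values (hypothetical, not taken from the document).
MN_HA_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")  # 20-byte IK shared by MS and HA
HOA = bytes.fromhex("20010db8000000010000000000000001")  # 2001:db8:0:1::1
COA = bytes.fromhex("20010db8000000020000000000000002")  # 2001:db8:0:2::2
NAI = b"user@example.net"
MOBILITY_SPI = 256             # constructed; RFC 4285 reserves SPI values 0-255
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

OPT_MN_ID, OPT_AUTH, OPT_MESG_ID = 8, 9, 10  # option type codes from RFC 4283 / RFC 4285
SUBTYPE_MN_HA = 1


def ntp_timestamp(unix_seconds: int) -> bytes:
    """64-bit NTP timestamp (seconds since 1900 | fraction) carried in the Mesg-ID option."""
    return struct.pack("!II", (unix_seconds + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, 0)


def authenticator(key: bytes, coa: bytes, hoa: bytes, mh_data: bytes) -> bytes:
    """RFC 4285: First(96, HMAC_SHA1(key, CoA | HoA | MH Data)); MH Data excludes the authenticator."""
    return hmac.new(key, coa + hoa + mh_data, hashlib.sha1).digest()[:12]


def _padn(n: int) -> bytes:
    """Pad1 / PadN mobility options so the header ends on an 8-octet boundary."""
    if n == 0:
        return b""
    return b"\x00" if n == 1 else bytes([1, n - 2]) + b"\x00" * (n - 2)


def build_binding_update(seq: int, nai: bytes, unix_now: int, key: bytes, coa: bytes, hoa: bytes) -> bytes:
    """MS side: a BU carrying MN-NAI, Mesg-ID and, as the last option, the authentication option."""
    options = bytes([OPT_MN_ID, 1 + len(nai), 1]) + nai            # MN-ID option, subtype 1 = NAI
    options += bytes([OPT_MESG_ID, 8]) + ntp_timestamp(unix_now)    # replay-protection timestamp
    auth_head = bytes([OPT_AUTH, 17, SUBTYPE_MN_HA]) + struct.pack("!I", MOBILITY_SPI)
    body = struct.pack("!HH", seq, 0x8000) + options                # sequence number, A flag set
    body += _padn((-(6 + len(body) + len(auth_head) + 12)) % 8) + auth_head
    hdr_len = (6 + len(body) + 12) // 8 - 1
    mh = bytes([59, hdr_len, 5, 0]) + b"\x00\x00" + body            # MH type 5 = BU, checksum zeroed
    return mh + authenticator(key, coa, hoa, mh)


def parse_options(bu: bytes) -> dict:
    """Walk the mobility options that follow the fixed BU fields (offset 10)."""
    opts, i = {}, 10
    while i < len(bu):
        if bu[i] == 0:  # Pad1
            i += 1
            continue
        length = bu[i + 1]
        opts[bu[i]] = bu[i + 2:i + 2 + length]
        i += 2 + length
    return opts


class HomeAgent:
    """HA side: verify the authenticator first, then enforce replay protection per NAI."""

    def __init__(self, key: bytes, window_seconds: int = 7):
        self.key = key
        self.window = window_seconds
        self.last_seen = {}  # NAI -> last accepted 64-bit timestamp

    def process(self, bu: bytes, coa: bytes, hoa: bytes, unix_now: int) -> tuple:
        opts = parse_options(bu)
        auth = opts.get(OPT_AUTH)
        if auth is None or auth[0] != SUBTYPE_MN_HA or bu[-12:] != auth[5:]:
            return (False, "authentication option missing or not last")
        if not hmac.compare_digest(authenticator(self.key, coa, hoa, bu[:-12]), auth[5:]):
            return (False, "bad authenticator")
        nai = opts.get(OPT_MN_ID, b"")[1:]
        stamp = opts.get(OPT_MESG_ID)
        if not nai or stamp is None:
            return (False, "MN-NAI or Mesg-ID missing")
        ts64 = int.from_bytes(stamp, "big")
        secs = (ts64 >> 32) - NTP_EPOCH_OFFSET
        if abs(secs - unix_now) > self.window:
            return (False, "timestamp outside window")
        if ts64 <= self.last_seen.get(nai, -1):
            return (False, "replayed or stale Mesg-ID")
        self.last_seen[nai] = ts64
        return (True, "binding accepted")


if __name__ == "__main__":
    bu = build_binding_update(1, NAI, 1700000000, MN_HA_KEY, COA, HOA)
    ha = HomeAgent(MN_HA_KEY)
    print(ha.process(bu, COA, HOA, 1700000000))   # accepted
    print(ha.process(bu, COA, HOA, 1700000001))   # same Mesg-ID again: rejected as a replay
```

The order of the checks matters: the authenticator is verified before the timestamp is consulted, so an unauthenticated packet can never advance the per-NAI replay state, and the timestamp window bounds how long a captured BU stays usable even if the per-NAI state is lost.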
Referring to FIG. 3, an existing method, which can assign an HA to an MS in a visited network, uses MIP6 bootstrapping technology to obtain the IP address of the HA dynamically. In this method, the MS and the HA negotiate an IPsec SA through IKEv2 (Internet Key Exchange version 2), and the HA assigns a HoA to the MS using the IKEv2-based address assignment function. The detailed procedure is as follows.
1. As in current specifications, the MS and a PDSN perform a PPP establishment process, and an HAAA authenticates the MS.
2. The PDSN, acting as the default router, transmits an IPv6 Router Advertisement message to the MS, and the MS obtains a unique prefix with a length of 64 bits.
3. The MS automatically configures a globally unique unicast IPv6 address from the obtained prefix using the stateless address auto-configuration mechanism.
4. The MS performs the MIP6 HA address bootstrapping process. If the Access Service Provider (ASP) and the Mobility Service Provider (MSP) are the same provider, the MS can obtain the address of the HA by stateless DHCPv6. If the access service provider and the mobility service provider are not the same, the MS can obtain the address of the HA through DNS.
5. The MS and the HA exchange IKE_SA_INIT messages, negotiate the IKE SA security parameters, and exchange nonces (random numbers) and Diffie-Hellman (DH) parameters.
6. The MS transmits an IKE_AUTH message that does not include an AUTH payload, indicating that the MS expects authentication based on an Extensible Authentication Protocol (EAP) method. The MS sets the INTERNAL_IP6_ADDRESS attribute in the CFG_REQUEST payload to 0, indicating a request for dynamic assignment of a HoA. The MS also includes in the message IDi and SAi payloads identifying, respectively, its own identity and the proposed IPsec SA. The message is encrypted and integrity-protected using the IKE SA negotiated previously.
7. Through an exchange of EAP messages, the MS and the HAAA accomplish mutual authentication via the HA. The EAP messages between the MS and the HA are encapsulated in IKE_AUTH messages, and the EAP messages between the HA and the HAAA are encapsulated in RADIUS messages.
8. After the EAP authentication has succeeded, the HA transmits to the MS an IKE_AUTH message whose CFG_REPLY payload includes the INTERNAL_IP6_ADDRESS attribute; this attribute carries the HoA assigned by the HA to the MS. The message also includes IDr and SAr payloads as well as an AUTH payload. The authentication information in the AUTH payload is calculated using the Master Session Key (MSK) generated by the EAP procedure in step 7.
9. The MS and the HA exchange the MIP6 Binding Update and Binding Acknowledgement messages, binding the CoA obtained by the MS in step 3 to the HoA obtained in step 7. These messages are protected by the IPsec SA previously negotiated through IKEv2.
10. The MS and the HA establish a bidirectional tunnel through which the MS transmits and receives IPv6 data packets.
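As an added example that is not part of the original document nor of any IKEv2 implementation, the Python program below models steps 6 to 8 with the EAP round trips of step 7 collapsed into a lookup against a constructed HAAA table that yields the MSK. It follows RFC 4306 sections 2.15 and 2.16 for the AUTH payload, which with an EAP method that produces an MSK is prf(prf(MSK, "Key Pad for IKEv2"), SignedOctets), where SignedOctets = RealMessage | peer Nonce | prf(SK_p, RestOfIDPayload). The IKE_SA_INIT messages, nonces, SK_pi/SK_pr keys, MSK, identities and the HoA pool are all constructed values, PRF_HMAC_SHA1 is an assumed negotiated PRF, and the ID payloads are reduced to their identity data. As in RFC 4306, the MS sends its MSK-based AUTH first and the HA answers with the CFG_REPLY and its own AUTH, so each side only accepts the HoA assignment from a peer that holds the MSK produced by the EAP run.

```python
import hashlib
import hmac
import ipaddress

KEY_PAD = b"Key Pad for IKEv2"  # literal from RFC 4306 section 2.15
UNSPECIFIED_V6 = bytes(16)      # INTERNAL_IP6_ADDRESS = :: requests dynamic HoA assignment

# Constructed sample values (hypothetical; none are taken from the document).
IKE_SA = {                      # state left by IKE_SA_INIT (step 5)
    "message1": b"IKE_SA_INIT request as sent by the MS",
    "message2": b"IKE_SA_INIT response as sent by the HA",
    "nonce_i": bytes.fromhex("a1" * 16),
    "nonce_r": bytes.fromhex("b2" * 16),
    "sk_pi": bytes.fromhex("c3" * 20),
    "sk_pr": bytes.fromhex("d4" * 20),
}
HAAA_MSK = {"user@example.net": bytes.fromhex("e5" * 64)}  # MSK the HAAA yields after EAP success


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1, assumed to be the PRF negotiated for the IKE SA."""
    return hmac.new(key, data, hashlib.sha1).digest()


def signed_octets(real_message: bytes, peer_nonce: bytes, sk_p: bytes, id_rest: bytes) -> bytes:
    """RFC 4306 sect. 2.15: <RealMessage> | <peer NonceData> | prf(SK_p, RestOfIDPayload)."""
    return real_message + peer_nonce + prf(sk_p, id_rest)


def auth_payload(msk: bytes, octets: bytes) -> bytes:
    """Sect. 2.16: with EAP the MSK takes the place of the pre-shared key in the AUTH computation."""
    return prf(prf(msk, KEY_PAD), octets)


def ms_first_ike_auth(nai: str) -> dict:
    """Step 6: no AUTH payload (EAP expected); CFG_REQUEST asks the HA for a HoA."""
    return {"IDi": nai.encode(), "SAi": b"ESP-AES-CBC",
            "CFG_REQUEST": {"INTERNAL_IP6_ADDRESS": UNSPECIFIED_V6}}


def ha_run_eap(nai: str, haaa_msk: dict):
    """Step 7 collapsed: the HA relays EAP to the HAAA and learns the MSK only on success."""
    return haaa_msk.get(nai)


def ms_eap_done(sa: dict, nai: str, msk: bytes) -> dict:
    """After EAP the MS proves MSK possession: AUTH over the initiator signed octets."""
    return {"AUTH": auth_payload(msk, signed_octets(sa["message1"], sa["nonce_r"], sa["sk_pi"], nai.encode()))}


def ha_final_ike_auth(sa: dict, nai: str, ms_msg: dict, msk: bytes, hoa_pool: list):
    """Step 8: verify the MS AUTH, assign a HoA, answer with IDr, SAr, CFG_REPLY and the HA's AUTH."""
    expected = auth_payload(msk, signed_octets(sa["message1"], sa["nonce_r"], sa["sk_pi"], nai.encode()))
    if not hmac.compare_digest(expected, ms_msg["AUTH"]):
        return None
    hoa = ipaddress.IPv6Address(hoa_pool.pop(0)).packed
    idr = b"ha.example.net"
    return {"IDr": idr, "SAr": b"ESP-AES-CBC",
            "CFG_REPLY": {"INTERNAL_IP6_ADDRESS": hoa},
            "AUTH": auth_payload(msk, signed_octets(sa["message2"], sa["nonce_i"], sa["sk_pr"], idr))}


def ms_accept(sa: dict, reply: dict, msk: bytes):
    """MS side of step 8: accept the HoA only if the HA's AUTH verifies under the MS's own MSK."""
    expected = auth_payload(msk, signed_octets(sa["message2"], sa["nonce_i"], sa["sk_pr"], reply["IDr"]))
    if not hmac.compare_digest(expected, reply["AUTH"]):
        return None
    return reply["CFG_REPLY"]["INTERNAL_IP6_ADDRESS"]


def bootstrap(nai: str, ms_msk: bytes, haaa_msk: dict = HAAA_MSK):
    """Run steps 6-8 end to end; returns the HoA text the MS accepted, or None on any failure."""
    pool = ["2001:db8:0:1::100"]
    request = ms_first_ike_auth(nai)
    if request["CFG_REQUEST"]["INTERNAL_IP6_ADDRESS"] != UNSPECIFIED_V6:
        return None
    ha_msk = ha_run_eap(nai, haaa_msk)
    if ha_msk is None:
        return None  # EAP failed: the HA never assigns a HoA
    reply = ha_final_ike_auth(IKE_SA, nai, ms_eap_done(IKE_SA, nai, ms_msk), ha_msk, pool)
    if reply is None:
        return None  # MS could not prove the MSK
    hoa = ms_accept(IKE_SA, reply, ms_msk)
    return None if hoa is None else str(ipaddress.IPv6Address(hoa))


if __name__ == "__main__":
    print(bootstrap("user@example.net", HAAA_MSK["user@example.net"]))  # 2001:db8:0:1::100
    print(bootstrap("user@example.net", bytes(64)))                      # None
```

Because both AUTH values cover the peer's IKE_SA_INIT message and nonce, a HoA assignment can only be accepted from the party that completed this particular IKE_SA_INIT and the EAP run behind it; an answer built with a different MSK, or replayed from another exchange, fails verification on the MS.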