A mobile node may use the Mobile Internet Protocol (“Mobile IP”) to roam away from its home network, and the mobile node may establish a connection with a foreign network. The mobile node may securely communicate with its home network using a protocol such as Internet Protocol security (“IPsec”). IPsec may be used communicate between a Foreign Agent (“FA”) and a Home Agent (“HA”). The FA can receive packets from the mobile node. The FA can then use IPsec, for example, to encrypt the packets from the mobile node and forward them through the virtual tunnel to the HA. The HA may then receive the packets and decrypt them to retrieve the original message. A similar process may be used to send packets from the HA to the FA, which can ultimately be routed to the mobile node.
In IPsec, a policy may be defined for a mobile node corresponding to a particular FA-HA pair. The policy generally specifies parameters for IPsec communication between the FA and the HA when the mobile node roams to the FA's network. The policy may be defined and stored by the HA, and a corresponding policy may be defined and stored by the FA. When a packet travels through the virtual tunnel, the FA and HA can use their respective policies to apply the appropriate IPsec parameters in processing that packet.
In order to allow the mobile node to roam to different foreign networks and to continue to communicate with its HA using IPsec, a policy can be configured for each possible FA-HA pair that the mobile node can use. The policies created for the FA-HA pairs should be stored by the HA and also by the corresponding FA. Adding additional FAs that can be accessed by the mobile node increases the number of FA-HA pairs that need to be created. Additionally, when the policies are created, the IP address, or other identifier, of the FA and HA needs to be known. This method for defining FA-HA pairs is not easily scalable, and can require a large amount of time to create and store all the possible FA-HA pairs.
In addition to storing a policy for each FA-HA pair, the FA and the HA both store a filter corresponding to each possible FA-HA pair. The filters can be stored in a filter list, and they can be used to determine if a packet should receive IPsec processing. For example, when the FA or HA receives a packet, the FA or HA can search its filter list to determine if there is a filter corresponding to that packet. If there is a filter, then the FA or HA can apply IPsec processing to the packet, for example by using a policy defined for that FA-HA pair and mobile node.
A FA or HA may each store a large number of filters corresponding to many FA-HA pairs, and therefore its filter list may also be large. When a packet arrives at a FA or HA, the FA or HA searches through its filter list to determine whether to apply policy service to the packet. Searching through a large filter list can be a time-consuming and computationally intensive process, and it may slow the speed with which the FA or HA can process the packet.
Therefore, there exists a need for a new and improved way to provide policy service in an IPsec environment.