The invention relates generally to an association between a mobile node and an access router, and more particularly to enabling the secure transfer of context information from a previous access router to a new access router that is currently associated with a mobile node.
The Internet is arranged so that a computing device such as a mobile node can have a unique address by which it can be identified. When data is transmitted over the Internet from the mobile node to a correspondent node, it is generally broken down into smaller groupings called "packets". In addition to the data which is being transmitted, the packets will normally include important transmission information such as the sender's identity as source IP address, the addressee or intended recipient's IP address as destination address, the actual data (or data request), and so on.
Each packet transmitted from a mobile node to a correspondent node may travel through several network devices such as base stations, hubs, switches, bridge-routers (brouters), and routers/gateways. If a mobile node is part of a wireless network, the access point/base station will generally operate as a bridge to which the mobile node is connected. The bridge is a layer 2 device and relays all traffic between the wireless and wireline networks. The access point may be attached to the access router either directly or through a series of other network nodes. The access router, on receiving the packets, determines the best way to forward them towards their final destination, i.e., the correspondent node.
Once the access router has determined how a particular packet is to be sent based on its routing tables, it selects another router suited to send the packet towards its final destination and transmits/forwards the message to this other router.
When the packet is near to its destination, it is typically passed to a local hub, which retransmits the message to its intended recipient computing device, such as the correspondent node. The recipient correspondent node then reassembles the packet along with the other parts (packets) of the original message to create the complete set of data originally transmitted by the mobile node. However, when a particular network device reaches maximum capacity due to some overload condition, packets are typically dropped by the network device, i.e., the packets are discarded and not forwarded to their destination. Depending upon the protocol used to forward a packet toward its destination, a dropped packet may be retransmitted until the complete message is received by the destination.
In a mobile IP network, when a mobile node changes its point of attachment to the network, a handover may occur between the previous access router (PR) and a new access router (NR). The association of a mobile node with a PR may be handed over to an NR for a variety of reasons. For example, the mobile node may have physically moved to another location where the PR is no longer able to provide IP connectivity to the mobile node. Therefore, the mobile node re-associates with an NR for IP connectivity. Similarly, changes in network traffic demands may cause the PR associated with a mobile node to become overloaded. In this case, the association of the mobile node can be changed to an NR that is less loaded.
In any case, an IP-level handover between points of attachment causes a mobile node to reconnect to the IP network through an NR instead of a PR. Such a handover may occur between access routers disposed within the same administrative (or routing) domain or across administrative domains.
The ARs may also store mobile-specific data or context. An example of such a context is that pertaining to the security associations that the mobile node maintains with the PR. To enable seamless mobility, a method that enables the transfer of this security context from the PR to the NR would alleviate the need for performing elaborate authentication processes during a handover to re-establish a secure relationship between the mobile node and the NR.
It is with respect to these considerations and others that the present invention has been made, and will be understood by reading and studying the following specification.
In accordance with the invention, a method is provided for enabling the transfer of each context associated with a mobile node (MN) from a previous access router (PR) to a new access router (NR). A security association exists between the PR and the MN that enables the MN to communicate over an IP network. When the MN is subsequently associated with the NR instead of the PR, the PR securely transfers each context associated with the MN to the NR. If, for some reason, the NR is unable to use part of the context and must modify some of its fields, the NR securely provides an update to the MN indicating the changes made to the transferred context. The existing security association between the PR and the MN is used to communicate the changes in the context to the MN. The recreated security association is based on the context transferred by the PR to the NR and any update to the context. This recreated security association is subsequently indicated by the NR to the MN.
In accordance with another aspect of the invention, a secure channel of communication is provided between the NR and the PR. Also, the transferred context includes at least one of security, header compression, Quality of Service, and buffers. Additionally, the IPsec and/or Transport Layer Security (TLS) protocols may be employed to provide secure communication between the MN and the NR.
In accordance with yet another aspect of the invention, if the MN moves to another point of attachment to the IP network, the MN can be subsequently associated with the NR instead of the PR. Also, if a load on the PR is relatively large and another load on the NR is relatively small, the MN may be caused to be subsequently associated with the NR.
In accordance with still another aspect of the invention, if the MN is to be associated with the NR, the PR securely transfers each context associated with the MN to the NR prior to the subsequent association of the MN with the NR. In accordance with a further aspect of the invention, the NR generates an update message which is authenticated by the PR. The MN validates the received authenticated packet and applies the update. Additionally, the PR can cause the authenticated update to be tunneled through the NR to the MN using IP encapsulation. Furthermore, the MN can verify the authenticated update.
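The exchange described in the preceding paragraphs, as an added model written for this page and not code from the patent or any implementing product: the PR transfers the MN's context to the NR over a channel modelled as an in-process call, the NR downgrades a field it cannot honour (here a QoS class, a constructed value), the PR authenticates the resulting update with its existing security association with the MN (assumed here to be a shared HMAC-SHA256 key), the update is tunneled through the NR using a wrapping that stands in for IP encapsulation, and the MN verifies the MAC before applying any change. The class and function names, the context fields and the keys are all assumptions for illustration. A second run shows the verification step rejecting an update altered after the PR authenticated it, which is the property the design relies on.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field


def canonical(obj: dict) -> bytes:
    """Deterministic encoding so PR and MN compute the MAC over identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def mac(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 stands in for the PR-MN security association (assumption)."""
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


@dataclass
class MobileNode:
    mn_id: str
    sa_key: bytes            # key of the security association shared with the PR
    context: dict            # MN's own view of its context

    def verify_and_apply(self, tunneled: dict) -> bool:
        """Strip the encapsulation, check the PR's MAC, and only then apply fields."""
        inner = tunneled["inner"]
        if not hmac.compare_digest(mac(self.sa_key, inner["update"]), inner["mac"]):
            return False                      # reject silently-modified updates
        self.context.update(inner["update"])
        return True


@dataclass
class PreviousRouter:
    contexts: dict           # mn_id -> per-MN context, including the SA key

    def transfer_context(self, mn_id: str, nr: "NewRouter"):
        # The secure PR-NR channel is modelled as a direct call (assumption).
        return nr.receive_context(mn_id, dict(self.contexts[mn_id]), self)

    def authenticate_update(self, mn_id: str, update: dict) -> dict:
        # Only the PR holds an established SA with the MN, so the PR authenticates.
        return {"update": update, "mac": mac(self.contexts[mn_id]["sa_key"], update)}


@dataclass
class NewRouter:
    supported_qos: set
    contexts: dict = field(default_factory=dict)

    def receive_context(self, mn_id: str, ctx: dict, pr: PreviousRouter):
        """Adopt the transferred context, downgrading any field the NR cannot honour."""
        update = {}
        if ctx["qos_class"] not in self.supported_qos:
            update["qos_class"] = "best_effort"        # constructed fallback value
        self.contexts[mn_id] = {**ctx, **update}
        return pr.authenticate_update(mn_id, update) if update else None

    def tunnel_to_mn(self, mn: MobileNode, authenticated: dict) -> bool:
        """IP encapsulation modelled as wrapping the authenticated update."""
        return mn.verify_and_apply({"outer_dst": mn.mn_id, "inner": authenticated})


def build_scenario():
    """Constructed sample: one MN, its PR-side context, and an NR with fewer QoS classes."""
    key = b"constructed-sa-key-for-illustration"
    ctx = {"sa_key": key, "qos_class": "premium", "rohc_profile": 1, "buffer_kb": 64}
    mn = MobileNode("mn1", key, {k: v for k, v in ctx.items() if k != "sa_key"})
    pr = PreviousRouter({"mn1": ctx})
    nr = NewRouter(supported_qos={"best_effort", "standard"})
    return mn, pr, nr


def run_handover(tamper: bool = False) -> dict:
    """Run the transfer; with tamper=True the update is altered after PR signed it."""
    mn, pr, nr = build_scenario()
    authenticated = pr.transfer_context("mn1", nr)
    if tamper and authenticated:
        authenticated = {**authenticated, "update": {"qos_class": "premium"}}
    accepted = nr.tunnel_to_mn(mn, authenticated) if authenticated else True
    return {"accepted": accepted, "mn_context": mn.context, "nr_context": nr.contexts["mn1"]}


if __name__ == "__main__":
    print(run_handover())
    print(run_handover(tamper=True))
```

The MAC is computed over a canonical encoding of the update so that PR and MN agree on the bytes regardless of dictionary ordering, and the MN compares digests in constant time. In the tampered run the MN keeps its original context, which is the outcome the authenticated-update step exists to guarantee.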
In accordance with yet another aspect of the invention, an apparatus, system and computer readable medium may be employed to practice substantially the same actions discussed above for the method.