1. Field of the Invention
The invention relates to communications technology, such as wireless communication systems. In particular, the invention relates to a novel method and system for configuring and managing security associations of Internet Protocol Security.
2. Description of the Related Art
A communication system may be seen as a facility that enables communication between two or more entities such as user equipment and/or other nodes or devices associated with the system. The communication may include, for example, the transfer of voice, data, multimedia and other types of information. A communication system may be circuit switched or packet switched. In addition, a communication system may be configured to provide wireless communication. Communication systems able to support mobility of communication devices across a large geographic area are generally called mobile communication systems. Furthermore, there are a number of formats available for transmitting data or providing communication between devices.
Internet Protocol (IP) Security, also referred to as IPsec, is a set of protocols which support the secure exchange of packets in a communication system at the network or IP layer. Additionally, IPsec may be considered a framework for providing security in IP networks. The set of security services offered by IPsec may include access control, connectionless integrity, data origin authentication, detection and rejection of replays, confidentiality (via encryption), and limited traffic flow confidentiality.
IPsec has been deployed widely to implement Virtual Private Networks (VPN). VPNs are networks that are constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and security mechanisms, such as IPsec, to ensure that only authorized users can access the network and that the data cannot be intercepted.
Therefore, IPsec provides confidentiality and authentication services to IP traffic. These services are provided by protocols called Authentication Header (AH), which allows for authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data.
IPsec supports Transport and Tunnel encryption modes. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPsec-compliant device decrypts each packet.
Authentication Header and Encapsulating Security Payload require session keys in order to operate. The session keys are typically generated by key management protocols, such as Internet Key Exchange (IKE). A key management protocol called Authentication and Key Agreement (AKA) may also be used, especially in communication networks based on 3rd Generation Partnership Project (3GPP) systems. Other key management protocols may also be used.
IKE performs mutual authentication between two parties and establishes an IKE security association (SA). The IKE SA includes shared secret information that can be used to efficiently establish SAs for ESP or AH, and a set of cryptographic algorithms to be used by the SAs to protect the traffic that they carry.
As mentioned above, IPsec uses security associations to provide its services. An IPsec security association includes information such as traffic selectors, cryptographic transforms, session keys, and session key lifetimes. A key management application is responsible for negotiating the creation and deletion of an IPsec security association. Generally, IPsec services and key management protocols may be found in, for example, dedicated security gateways, servers, desktop computers, and handheld terminals.
FIG. 1 is a block diagram illustrating an example of how IPsec provides confidentiality and authentication services. Specifically, IPsec provides a boundary between unprotected interfaces and protected interfaces. Traffic which crosses the IPsec boundary 1 is subject to access controls that may be specified by an operator (not shown). The access controls serve to indicate whether packets should be allowed to cross the IPsec boundary 1 unimpeded, whether they are provided with security services by AH/ESP 2, or whether they are discarded 3. A bypass facility 5 may be provided to allow the traffic to traverse the IPsec boundary 1 without cryptographic protection. In addition, an IKE module 4 may be provided as a protected-side key and security management function.
As discussed above, IPsec uses two protocols for providing traffic security services: AH and ESP. The IP AH provides integrity and data origin authentication, with optional anti-replay features. The ESP protocol offers the same set of services, and also offers confidentiality. Both AH and ESP provide access control, enforced through the distribution of cryptographic keys and the management of traffic flows. Each protocol supports a transport mode and a tunnel mode. Transport mode provides protection for next layer protocols. In tunnel mode, AH and ESP are applied to tunneled IP packets. Here, tunnel refers to an IPsec SA used to protect the communications from the user equipment (UE) to the network.
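As an added illustration, not part of the original description, of the access-control decision made at the IPsec boundary of FIG. 1, the following Python models a small security policy database in which each entry carries traffic selectors and one of the three outcomes (bypass, protect with AH/ESP, discard). The addresses, ports and rules are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, List

# Outcomes at the IPsec boundary: cross unprotected, hand to AH/ESP, or drop.
BYPASS, PROTECT, DISCARD = "BYPASS", "PROTECT", "DISCARD"

@dataclass(frozen=True)
class SpdEntry:
    """One access-control rule: traffic selectors plus the action to apply."""
    src: str                         # source address range in CIDR form
    dst: str                         # destination address range in CIDR form
    proto: Optional[int]             # IP protocol number, None = any
    dst_port: Optional[int]          # destination port, None = any
    action: str
    sa_proto: Optional[str] = None   # "ESP" or "AH" when action is PROTECT
    mode: Optional[str] = None       # "tunnel" or "transport" when PROTECT

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dst_port in (None, pkt.get("dst_port")))

# Default applied when no selector matches: the packet is discarded rather
# than silently allowed across the boundary.
DEFAULT_DISCARD = SpdEntry("0.0.0.0/0", "0.0.0.0/0", None, None, DISCARD)

def lookup(spd: List[SpdEntry], pkt: dict) -> SpdEntry:
    """First-match search over the ordered policy database."""
    for entry in spd:
        if entry.matches(pkt):
            return entry
    return DEFAULT_DISCARD

# Constructed sample policy for handsets (10.1.0.0/16) behind a gateway (192.0.2.1):
#  - IKE itself (UDP 500 and 4500 to the gateway) bypasses, so keys can be negotiated;
#  - traffic from the handsets to the corporate network is protected by ESP in tunnel mode;
#  - anything else falls through to the default rule and is discarded.
SAMPLE_SPD = [
    SpdEntry("10.1.0.0/16", "192.0.2.1/32", 17, 500, BYPASS),
    SpdEntry("10.1.0.0/16", "192.0.2.1/32", 17, 4500, BYPASS),
    SpdEntry("10.1.0.0/16", "172.16.0.0/12", None, None, PROTECT, "ESP", "tunnel"),
]

def decide(pkt: dict) -> str:
    """Return the action applied to a packet under SAMPLE_SPD."""
    return lookup(SAMPLE_SPD, pkt).action
```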
IPsec allows the user or operator to control the granularity at which a security service is offered. However, according to prior art solutions, operators can only have coarse-granularity control over the number of IPsec SA tunnels between the UE and the Packet Data Gateway (PDG) for all users. When operators set the maximum value for the number of IPsec SAs per IKE SA at the PDG, the value will be effective for all subscribers. Operators cannot distinguish between different subscribers who may subscribe to different classes of services. Therefore, a method and system are required for dynamically establishing the number of IPsec SA tunnels per IKE SA, thereby providing fine-granularity control to the operators.
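As an added model, not the patent's own mechanism, of the coarse-granularity limit described above, the following Python tracks the IPsec SAs negotiated under each IKE SA at a PDG and contrasts a single operator-wide maximum with a maximum keyed by subscription class. The subscriber names, class labels and limits are constructed; in IKEv2 the refusal would be signalled with a NO_ADDITIONAL_SAS notification.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class IkeSa:
    """One IKE SA at the PDG and the IPsec (child) SA tunnels negotiated under it."""
    subscriber: str
    service_class: str                      # e.g. "basic" / "premium"; constructed labels
    tunnels: List[str] = field(default_factory=list)

class Pdg:
    """Gateway-side limit on IPsec SAs per IKE SA.

    max_per_ike_sa is the single operator-set value that applies to every subscriber.
    class_limits, when given, maps a subscription class to its own maximum and takes
    precedence for that class; classes without an entry fall back to max_per_ike_sa.
    """
    def __init__(self, max_per_ike_sa: int, class_limits: Optional[Dict[str, int]] = None):
        self.max_per_ike_sa = max_per_ike_sa
        self.class_limits = class_limits or {}
        self.ike_sas: Dict[str, IkeSa] = {}

    def ike_auth(self, subscriber: str, service_class: str) -> IkeSa:
        """Mutual authentication done: record the new IKE SA for this subscriber."""
        sa = IkeSa(subscriber, service_class)
        self.ike_sas[subscriber] = sa
        return sa

    def limit_for(self, sa: IkeSa) -> int:
        return self.class_limits.get(sa.service_class, self.max_per_ike_sa)

    def create_child_sa(self, subscriber: str, selector: str) -> bool:
        """Handle a CREATE_CHILD_SA request under an existing IKE SA; False means the
        PDG refuses it (IKEv2 would answer with a NO_ADDITIONAL_SAS notification)."""
        sa = self.ike_sas[subscriber]
        if len(sa.tunnels) >= self.limit_for(sa):
            return False
        sa.tunnels.append(selector)
        return True

def tunnels_granted(pdg: Pdg, subscriber: str, service_class: str, requested: int) -> int:
    """Authenticate one subscriber and count how many of `requested` tunnels it obtains."""
    pdg.ike_auth(subscriber, service_class)
    return sum(pdg.create_child_sa(subscriber, f"tunnel-{i}") for i in range(requested))

# Prior art: one value for everyone, so a premium subscriber is capped like a basic one.
COARSE = Pdg(max_per_ike_sa=2)
# Per-class limits: the same request pattern yields a different count for each class.
FINE = Pdg(max_per_ike_sa=2, class_limits={"basic": 1, "premium": 4})
```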