1. Field of the Invention
The present invention relates to Mobile IP network technology. More particularly, the present invention relates to performing layer 2 authentication in SSG based networks.
2. Description of the Related Art
Mobile IP is a protocol which allows laptop computers or other mobile computer units (referred to as “Mobile Nodes” herein) to roam between various sub-networks at various locations—while maintaining internet and/or WAN connectivity. Without Mobile IP or a related protocol, a Mobile Node would be unable to stay connected while roaming through various sub-networks. This is because the IP address required for any node to communicate over the internet is location specific. Each IP address has a field that specifies the particular sub-network on which the node resides. If a user desires to take a computer which is normally attached to one node and roam with it so that it passes through different sub-networks, it cannot use its home base IP address. As a result, a business person traveling across the country cannot merely roam with his or her computer across geographically disparate network segments or wireless nodes while remaining connected over the internet. This is not an acceptable state of affairs in the age of portable computational devices.
To address this problem, the Mobile IP protocol has been developed and implemented. An implementation of Mobile IP is described in RFC 2002 of the Network Working Group, C. Perkins, Ed., October 1996. Mobile IP is also described in the text “Mobile IP Unplugged” by J. Solomon, Prentice Hall. Both of these references are incorporated herein by reference in their entireties and for all purposes.
The Mobile IP process and environment are illustrated in FIG. 1. As shown there, a Mobile IP environment 2 includes the internet (or a WAN) 4 over which a Mobile Node 6 can communicate remotely via mediation by a Home Agent 8 and a Foreign Agent 10. Typically, the Home Agent and Foreign Agent are routers or other network connection devices performing appropriate Mobile IP functions as implemented by software, hardware, and/or firmware. A particular Mobile Node (e.g., a laptop computer) plugged into its home network segment connects with the internet. When the Mobile Node roams, it communicates via the internet through an available Foreign Agent. Presumably, there are many Foreign Agents available at geographically disparate locations to allow widespread internet connection via the Mobile IP protocol. Note that it is also possible for the Mobile Node to register directly with its Home Agent.
As shown in FIG. 1, Mobile Node 6 normally resides on (or is “based at”) a network segment 12 which allows its network entities to communicate over the internet 4. Note that Home Agent 8 need not directly connect to the internet. For example, as shown in FIG. 1, it may be connected through another router (a router R1 in this case). Router R1 may, in turn, connect one or more other routers (e.g., a router R3) with the internet.
Now, suppose that Mobile Node 6 is removed from its home base network segment 12 and roams to a remote network segment 14. Network segment 14 may include various other nodes such as a PC 16. The nodes on network segment 14 communicate with the internet through a router which doubles as Foreign Agent 10. Mobile Node 6 may identify Foreign Agent 10 through various solicitations and advertisements which form part of the Mobile IP protocol. When Mobile Node 6 engages with network segment 14, Foreign Agent 10 relays a registration request to Home Agent 8 (as indicated by the dotted line “Registration”). The Home and Foreign Agents may then negotiate the conditions of the Mobile Node's attachment to Foreign Agent 10. For example, the attachment may be limited to a period of time, such as two hours. When the negotiation is successfully completed, Home Agent 8 updates an internal “mobility binding table” which specifies the care-of address (e.g., a collocated care-of address or the Foreign Agent's IP address) in association with the identity of Mobile Node 6. Further, the Foreign Agent 10 updates an internal “visitor table” which specifies the Mobile Node address, Home Agent address, etc. In effect, the Mobile Node's home base IP address (associated with segment 12) has been shifted to the Foreign Agent's IP address (associated with segment 14).
Now, suppose that Mobile Node 6 wishes to send a message to a corresponding node 18 from its new location. An output message from the Mobile Node is then packetized and forwarded through Foreign Agent 10 over the internet 4 and to corresponding node 18 (as indicated by the dotted line “packet from MN”) according to a standard internet protocol. If corresponding node 18 wishes to send a message to Mobile Node—whether in reply to a message from the Mobile Node or for any other reason—it addresses that message to the IP address of Mobile Node 6 on sub-network 12. The packets of that message are then forwarded over the internet 4 and to router R1 and ultimately to Home Agent 8 as indicated by the dotted line (“packet to MN(1)”). From its mobility binding table, Home Agent 8 recognizes that Mobile Node 6 is no longer attached to network segment 12. It then encapsulates the packets from corresponding node 18 (which are addressed to Mobile Node 6 on network segment 12) according to a Mobile IP protocol and forwards these encapsulated packets to a “care of” address for Mobile Node 6 as shown by the dotted line (“packet to MN(2)”). The care-of address may be, for example, the IP address of Foreign Agent 10. Foreign Agent 10 then strips the encapsulation and forwards the message to Mobile Node 6 on sub-network 14. The packet forwarding mechanism implemented by the Home and Foreign Agents is often referred to as “tunneling.”
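The registration and tunneling flow of FIG. 1, modelled as an added Python example that is not part of the patent text: a Home Agent keeps the mobility binding table with a bounded registration lifetime, a Foreign Agent keeps the visitor table and relays the registration, a packet from a corresponding node is encapsulated toward the care-of address and de-encapsulated only for a Mobile Node actually listed as a visitor. All addresses, the 7200-second lifetime and the class names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    payload: str = ""
    inner: "Packet | None" = None   # set when this packet encapsulates another

class HomeAgent:
    def __init__(self, addr):
        self.addr = addr
        self.bindings = {}   # mobility binding table: MN home IP -> (care-of, expiry)
    def register(self, mn_home_ip, care_of, lifetime_s, now):
        # A registration is accepted for a bounded lifetime (7200 s = two hours).
        self.bindings[mn_home_ip] = (care_of, now + lifetime_s)
        return lifetime_s
    def forward(self, pkt, now):
        # No live binding: MN is at home, deliver normally ("packet to MN(1)").
        # Live binding: encapsulate toward the care-of address ("packet to MN(2)").
        binding = self.bindings.get(pkt.dst)
        if binding is None or binding[1] <= now:
            self.bindings.pop(pkt.dst, None)          # purge a stale binding
            return pkt
        return Packet(src=self.addr, dst=binding[0], inner=pkt)

class ForeignAgent:
    def __init__(self, addr, home_agent):
        self.addr, self.ha = addr, home_agent
        self.visitors = {}   # visitor table: MN home IP -> home agent address
    def attach(self, mn_home_ip, lifetime_s, now):
        # Relay the registration request to the Home Agent, then record the visitor.
        granted = self.ha.register(mn_home_ip, self.addr, lifetime_s, now)
        self.visitors[mn_home_ip] = self.ha.addr
        return granted
    def deliver(self, pkt):
        # Strip the tunnel; deliver only to a Mobile Node present in the visitor table.
        if pkt.dst == self.addr and pkt.inner and pkt.inner.dst in self.visitors:
            return pkt.inner
        return None

def demo(now=0):
    ha, mn = HomeAgent("10.0.1.1"), "10.0.1.50"      # constructed addresses
    fa = ForeignAgent("172.16.5.1", ha)
    fa.attach(mn, 7200, now)
    to_mn = Packet(src="198.51.100.7", dst=mn, payload="hello")
    tunneled = ha.forward(to_mn, now)                 # HA -> FA, encapsulated
    delivered = fa.deliver(tunneled)                  # FA strips the encapsulation
    expired = ha.forward(to_mn, now + 7201)           # lifetime lapsed: no tunnel
    return tunneled.dst, delivered.payload, expired.inner is None
```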
Various systems may be used for authentication of the Mobile Node. For instance, a service selection gateway (SSG) such as that available from Cisco Systems, located in San Jose, Calif., may perform authentication and service connection tasks on behalf of a Subscriber Engine Services Manager (SESM). SESM solutions interact with and apply policy control to gateway components for subscriber service based solutions at the edge of a network. An SSG based network typically includes two components. First, an SSG router enables a user to connect to the SSG based service provider network by providing authentication, service connection, connection management, and SESM session capabilities. Second, a SESM performs authentication of the user, policy enforcement, service selection and enforcement of services (e-mail, VPN, etc.), and billing. In this manner, a Mobile Node may be provided access to different services and can be billed for the services accessed.
In an SSG based system, the user identity and access to services are based upon the IP address of the user. This IP address-based system worked well for HTTP based authentication, since HTTP packets include the IP address of the sender and receiver of the HTTP packets in the HTTP header. In addition, this type of IP address-based system also worked well in systems in which the IP address is known during authentication (i.e., layer 3 authentication). However, in systems (e.g., EAP-SIM, LEAP) in which the IP address is unknown during the process of layer 2 authentication, another type of authentication (e.g., layer 3 authentication) needs to occur. Unfortunately, the SSG based network cannot correlate the layer 2 information with the layer 3 information. As a result, this second layer of authentication requires the user to enter identifying information such as a password to enable the SSG based network to correlate this layer 2 and layer 3 information.
FIG. 2 is a diagram illustrating conventional layer 3 authentication resulting in presentation of a SESM login screen to the user in SSG based networks. When a Mobile Node 202 connects to an SSG-based network 204, the user connects to the WLAN and opens a Web browser. The user is then redirected to a SESM login screen 208 by a SSG router 206. Thus, in order to access various services 210, such as the Internet, e-mail, or the virtual private network (VPN), the user must typically log in to the service by entering a username and password. The user may then be billed for various services accessed via an AAA server 212. Since the additional web page is generally provided to the user to obtain the user's username and password, the conventional method of authentication in a SSG network is not user friendly. For instance, this type of access would be undesirable in a situation in which a user is using a cell phone.
In view of the above, it would be beneficial if double authentication could be eliminated in a network such as a SSG based network. It would also be desirable to enable layer 3 policies to be enforced based upon layer 2 authentication.