There has been growing interest in communication networks of the kind that will permit a mobile user to engage in an Internet Protocol (IP) communication session, even while changing from one wireless access network to another. In known mobile IP networks, the transfer of an active session from one access network to another will typically involve a re-registration carried out between the mobile terminal and the target access network. One outcome of the re-registration is that the mobile terminal registers a care-of address with its home agent, and the home agent creates a binding between the mobile terminal's home address and its care-of address. (A binding is an established association between network nodes for the duration of a session.) As a consequence, when packets addressed to the home address arrive at the home network, the home agent can redirect them to a foreign agent that is currently serving the mobile terminal.
If the mobile terminal is configured for Simple IP, the transfer of the active session will be effectuated through lower layer inter-network signaling. Regardless of whether the mobile terminal is configured for Simple IP or for Mobile IP, the transfer will incur overhead in the form of signaling over the air interface and in the network backhaul, typically including interrogations directed to an authentication server or the like.
In mobile IP networks that have a hierarchical network architecture, it is typical for relatively many cells to connect to a wireline packet switched network through a single packet data serving node (PDSN). Under such conditions, it may be tolerable for handoffs to incur signaling overhead of the kind discussed above.
However, other mobile IP networks are envisaged, in which the architecture is flat. That is, access nodes may include the functions not only of a base station transceiver, but also those of a Radio Network Controller (RNC) and even those of an Access Gateway to the packet switched network. Handoffs of a mobile user terminal will typically be much more frequent for such an architecture, because the geographical coverage of each Access Gateway (or the equivalent) is typically much smaller than for the hierarchical architecture. As a consequence, signaling overhead associated with handoffs will be relatively high. One result is that the ability of the network to perform fast handoffs may be impaired.
There have been proposals to solve this problem by applying the principles of Proxy Mobile IP. Proxy Mobile IP is an approach in which the re-registration of the mobile user terminal with the target access network is not performed directly by the mobile user terminal, but instead is performed by a proxy located in a serving access network, and acting on the terminal's behalf. Such an approach may reduce the signaling overhead that is required.
The use of a proxy, however, raises concerns related to network security. That is, an entity claiming to be a proxy may in fact be an interloper, or a legitimate proxy may be opening the door to a fraudulent transaction. To remove such concerns, it is advantageous to establish security associations among the mobile terminal's home agent and the access gateway associated with each access network that serves the mobile terminal. There has been a need for practical methods of establishing, distributing, and maintaining such security associations.
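To make the proxy registration and security-association requirement concrete, the following added example (not part of the original text) models a home agent that updates a binding only when a proxy registration verifies under a key shared with the sending access gateway. The HMAC-SHA256 authenticator, the sequence number used for replay rejection, and all names, keys and addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

def sign(key, gateway_id, home_addr, care_of_addr, seq):
    """Authenticator over the registration fields (assumed: HMAC-SHA256)."""
    msg = json.dumps([gateway_id, home_addr, care_of_addr, seq]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class HomeAgent:
    """Toy home agent holding home-address -> care-of-address bindings."""
    def __init__(self):
        self.sa_keys = {}    # gateway id -> shared key (the security association)
        self.bindings = {}   # home address -> care-of address
        self.last_seq = {}   # home address -> highest sequence number accepted

    def proxy_register(self, gateway_id, home_addr, care_of_addr, seq, tag):
        """Update the binding only if the request verifies under the gateway's SA."""
        key = self.sa_keys.get(gateway_id)
        if key is None:
            return "rejected: no security association"
        expected = sign(key, gateway_id, home_addr, care_of_addr, seq)
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad authenticator"
        if seq <= self.last_seq.get(home_addr, -1):
            return "rejected: replay"
        self.last_seq[home_addr] = seq
        self.bindings[home_addr] = care_of_addr
        return "accepted"

def demo():
    ha = HomeAgent()
    key_a = b"constructed-key-for-gw-A"       # constructed sample key
    ha.sa_keys["gw-A"] = key_a
    home, coa, other = "10.0.0.7", "192.0.2.10", "203.0.113.66"  # constructed
    good = sign(key_a, "gw-A", home, coa, 1)
    results = [
        # Proxy in the serving access network registers on the terminal's behalf.
        ha.proxy_register("gw-A", home, coa, 1, good),
        # Entity with no security association claims to be a proxy.
        ha.proxy_register("gw-X", home, other, 2, sign(b"k", "gw-X", home, other, 2)),
        # Entity names a known gateway but does not hold its key.
        ha.proxy_register("gw-A", home, other, 2, sign(b"k", "gw-A", home, other, 2)),
        # Previously accepted registration is presented again.
        ha.proxy_register("gw-A", home, coa, 1, good),
    ]
    return results, ha.bindings.get(home)

if __name__ == "__main__":
    print(demo())
```

Only the first request changes the binding; the other three leave packets for the home address routed to the care-of address registered by the gateway that holds a security association.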