The present invention generally relates to network mobility support and access control, and more particularly to access control for movable networks, also commonly referred to as mobile networks.
Mobile IP is an example of how to provide basic node mobility support, allowing nodes to move within the Internet topology while maintaining reachability and on-going connections with correspondent nodes. In this context, each mobile node is generally identified by its home address, regardless of its current point of attachment to the Internet. While situated away from its home network, a mobile node is also associated with a care-of address (CoA), which provides information about the mobile node's current location. Mobile IP introduces an entity referred to as a Home Agent (HA), which anchors the node mobility by intercepting packets addressed to the mobile node and more or less transparently forwarding them to the mobile node's care-of address. The mobile node establishes an address binding between the care-of address and the home address, and sends so-called binding updates to its Home Agent (HA) and the correspondent nodes with which it is communicating.
Reference [1] discloses a Mobile IP version 4 (MIPv4) compliant Home Agent, which allows a mobile station with Mobile IP client functionality to access the IPv4 Internet using Mobile IP-based service access.
The Mobile IP version 6 (MIPv6) protocol [2] allows nodes to remain reachable while moving around in the IPv6 Internet.
The Host Identity Protocol (HIP) described in reference [3] addresses mobility in a slightly different way than Mobile IP. In the current Internet, nodes or hosts are identified by IP addresses that depend on the topological location of the host. The IP address name space is therefore overloaded: an IP address identifies both a host and a topological location. HIP separates location from host identity by introducing a new name space for host identities. Each host has at least one Host Identity and a corresponding Host Identifier. The Host Identifier is cryptographic in nature; it is the public key of an asymmetric key pair. A HIP-based host may change its point of attachment to the Internet, and when it does, its IP address changes as well. The new location information is sent to the peer nodes. The same address is also sent to a so-called Forwarding Agent (FA) of the host, so that the host can also be reached via the more stable point of contact that the FA provides. HIP mobility defines a re-address parameter that carries the current IP address of the host. When the host changes location and IP address, it generates an update packet containing the re-address parameter, signs the packet with the private key matching the host identity in use, and sends the packet to the peer node and to the FA. The peer node performs address verification of the IP addresses in the re-address parameter before using them, so that a valid signature alone is not enough to redirect traffic to an address the host does not actually hold.
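The signed re-address update and the peer's address verification described above, as an added example that is not code from reference [3] or from this document: the moving host builds an update carrying its new address and signs it with the private key of its host identity; the peer accepts the update only if it already has an association with that Host Identifier, the signature verifies and the sequence number is fresh, and it installs the new address only after a nonce sent to that address comes back from it. The packet layout, the Ed25519 key type, the sequence-number field, the function names and the addresses are assumptions of the example, not HIP's wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

var (
	ErrUnknownHI = errors.New("no association with this host identifier")
	ErrBadSig    = errors.New("signature does not verify under the claimed host identifier")
	ErrReplay    = errors.New("sequence number is not fresh")
	ErrNoProbe   = errors.New("echo response matches no outstanding address probe")
)

// UpdatePacket models the mobility UPDATE (assumed layout): the sender's Host
// Identifier (its public key), the re-address parameter, a sequence number
// against replay, and a signature over all three. Ed25519 is an illustrative choice.
type UpdatePacket struct {
	HI      ed25519.PublicKey
	Seq     uint32
	NewAddr netip.Addr
	Sig     []byte
}

func (u *UpdatePacket) signedBytes() []byte {
	var b bytes.Buffer
	b.Write(u.HI)
	binary.Write(&b, binary.BigEndian, u.Seq)
	a := u.NewAddr.As16() // IPv4 becomes v4-mapped, so the layout is fixed
	b.Write(a[:])
	return b.Bytes()
}

// BuildUpdate is the moving host's side: sign with the private key matching the host identity in use.
func BuildUpdate(priv ed25519.PrivateKey, seq uint32, addr netip.Addr) *UpdatePacket {
	u := &UpdatePacket{HI: priv.Public().(ed25519.PublicKey), Seq: seq, NewAddr: addr}
	u.Sig = ed25519.Sign(priv, u.signedBytes())
	return u
}

type probe struct{ addr netip.Addr; nonce []byte }

// Peer is the correspondent node or Forwarding Agent, keyed by raw HI bytes.
// assoc holds the last accepted sequence number per known HI; an address goes
// into Verified only after the echo exchange proves a host answers there.
type Peer struct {
	assoc    map[string]uint32
	pending  map[string]probe
	Verified map[string]netip.Addr
}

func NewPeer() *Peer {
	return &Peer{assoc: map[string]uint32{}, pending: map[string]probe{}, Verified: map[string]netip.Addr{}}
}

// Register records an HI from the (omitted) HIP base exchange; the first UPDATE must carry Seq >= 1.
func (p *Peer) Register(pub ed25519.PublicKey) { p.assoc[string(pub)] = 0 }

// ProcessUpdate checks association, signature and freshness, then returns the
// nonce for an echo request to the claimed address, which is not yet trusted.
func (p *Peer) ProcessUpdate(u *UpdatePacket) ([]byte, error) {
	k := string(u.HI)
	last, ok := p.assoc[k]
	if !ok {
		return nil, ErrUnknownHI
	}
	if !ed25519.Verify(u.HI, u.signedBytes(), u.Sig) {
		return nil, ErrBadSig
	}
	if u.Seq <= last {
		return nil, ErrReplay
	}
	p.assoc[k] = u.Seq
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand; its error is not meaningfully recoverable here
	p.pending[k] = probe{addr: u.NewAddr, nonce: nonce}
	return nonce, nil
}

// ProcessEchoResponse installs the address only if the nonce sent to exactly that address comes back.
func (p *Peer) ProcessEchoResponse(hi ed25519.PublicKey, from netip.Addr, nonce []byte) error {
	pr, ok := p.pending[string(hi)]
	if !ok || pr.addr != from || !bytes.Equal(pr.nonce, nonce) {
		return ErrNoProbe
	}
	delete(p.pending, string(hi))
	p.Verified[string(hi)] = from
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the host's identity key pair
	peer := NewPeer()
	peer.Register(pub)
	addr := netip.MustParseAddr("2001:db8:2::10") // constructed new location of the host
	nonce, _ := peer.ProcessUpdate(BuildUpdate(priv, 1, addr)) // nonce travels to addr; the host echoes it
	fmt.Println("verified:", peer.ProcessEchoResponse(pub, addr, nonce) == nil)
}
```

The ordering of the checks matters: an update from an unknown Host Identifier is dropped before any signature work, a forged or replayed update never creates a pending probe, and an echo that arrives from any address other than the one probed leaves the previously verified address in place.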
Although the above protocols may be suitable for handling node mobility, they do not explicitly address the need for network mobility, where a so-called movable or mobile network, comprising one or more mobile routers and associated nodes, moves within the Internet topology. The formation of a movable or mobile network may involve various levels of complexity. In a simple case, the mobile network includes just a mobile router and an attached node. In more complex scenarios, the mobile network may be a set of subnets interconnected by local routers, forming an aggregate able to move as a unit and connected to the backbone through one or more mobile routers. Examples of movable or mobile networks include:
- A laptop with cellular and/or WLAN (Wireless Local Area Network) hotspot connections acting as a mobile router for a set of other IP devices of a user (e.g. mobile phones, personal digital assistants, communicators, handheld computers and so forth), and providing connectivity to the external network as the user moves between different networks.
- A vehicle such as a car, bus or train deploying a vehicular network for its equipment and its passengers' laptops and other communication devices, with one or more mobile routers providing connectivity to the external network as the vehicle moves between different networks.
Network mobility generally introduces far more complex mobility scenarios than the node mobility concept. A movable or mobile network, at home or in a visited network, may itself be visited by mobile nodes and/or other movable or mobile networks.
The NEMO (Network Mobility) working group of the Internet Engineering Task Force (IETF) proposes a solution based on the Mobile IP tunneling mechanism, thus providing high interoperability with the mobility aspects of the existing Mobile IP protocols.
The NEMO Basic Support Protocol described in reference [4] enables so-called movable or mobile networks to attach to different points in the Internet. The protocol is an extension of Mobile IPv6 and provides session continuity for every node in the mobile network as the network moves. It also ensures connectivity and reachability for every node in the mobile network as the network moves. The Mobile Router, which connects the mobile network to the Internet, runs the NEMO Basic Support protocol with its Home Agent. The protocol is designed so that network mobility is transparent to the nodes inside the mobile network. In order to tunnel packets to the Mobile Router, the Home Agent needs to be able to associate the home addresses of the nodes inside the mobile network with the home address of the Mobile Router. To recognize the nodes inside a movable or mobile network, it is sufficient to know the mobile network prefix owned by the Mobile Router. This information is then typically configured statically in the Home Agent.
A possible approach towards more advanced Network Mobility is the Prefix Scope Binding Update concept described in reference [5]. It basically suggests that a mobile router advertises its mobility not only with a MIPv6 Binding Update but also with a Prefix Scope Binding Update for binding the movable network prefix with the mobile router's care-of address.
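The Home Agent's side of what the two paragraphs above describe, as an added example that is not code from reference [4], reference [5] or this document: a binding cache that holds each Mobile Router's home address and care-of address, the mobile network prefixes configured at the Home Agent for each router (NEMO Basic Support), and prefix-scope bindings that tie a prefix directly to a care-of address (the Prefix Scope Binding Update concept). The lookup picks the longest configured prefix containing the destination, and a binding update from a home address the agent was never configured for is refused. All names, types and addresses are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

var (
	ErrUnknownRouter = errors.New("binding update from a mobile router the home agent is not configured for")
	ErrNoBinding     = errors.New("destination matches no mobile router or mobile network prefix")
	ErrAtHome        = errors.New("mobile router is at home; deliver natively")
)

// Binding is one Mobile Router's state at the Home Agent: its home address
// and its current care-of address (left invalid while the MR is at home).
type Binding struct {
	HomeAddr netip.Addr
	CoA      netip.Addr
}

// prefixEntry associates a mobile network prefix either with an MR binding
// (NEMO Basic Support, prefix configured at the HA) or, for a Prefix Scope
// Binding Update, directly with a care-of address (owner == nil).
type prefixEntry struct {
	prefix netip.Prefix
	owner  *Binding
	coa    netip.Addr
}

type HomeAgent struct {
	routers  map[netip.Addr]*Binding
	prefixes []prefixEntry
}

func NewHomeAgent() *HomeAgent { return &HomeAgent{routers: map[netip.Addr]*Binding{}} }

// ConfigureMobileNetwork is the static configuration step: the HA learns
// which prefix belongs to which MR home address before any update arrives.
func (ha *HomeAgent) ConfigureMobileNetwork(mrHome netip.Addr, prefix netip.Prefix) {
	b, ok := ha.routers[mrHome]
	if !ok {
		b = &Binding{HomeAddr: mrHome}
		ha.routers[mrHome] = b
	}
	ha.prefixes = append(ha.prefixes, prefixEntry{prefix: prefix.Masked(), owner: b})
}

// BindingUpdate records the MR's new care-of address. An update for a home
// address the HA was not configured with is refused; accepting it would let
// any node claim a mobile network prefix just by sending a binding update.
func (ha *HomeAgent) BindingUpdate(mrHome, coa netip.Addr) error {
	b, ok := ha.routers[mrHome]
	if !ok {
		return ErrUnknownRouter
	}
	b.CoA = coa
	return nil
}

// PrefixScopeBindingUpdate binds a mobile network prefix directly to a
// care-of address, replacing an earlier binding for the same prefix.
func (ha *HomeAgent) PrefixScopeBindingUpdate(prefix netip.Prefix, coa netip.Addr) {
	prefix = prefix.Masked()
	for i := range ha.prefixes {
		if e := &ha.prefixes[i]; e.owner == nil && e.prefix == prefix {
			e.coa = coa
			return
		}
	}
	ha.prefixes = append(ha.prefixes, prefixEntry{prefix: prefix, coa: coa})
}

// Lookup returns the care-of address the HA tunnels a packet for dst to: the
// MR's own binding if dst is the MR's home address, otherwise the binding
// behind the longest prefix containing dst.
func (ha *HomeAgent) Lookup(dst netip.Addr) (netip.Addr, error) {
	if b, ok := ha.routers[dst]; ok {
		return tunnelEndpoint(b)
	}
	var best *prefixEntry
	for i := range ha.prefixes {
		e := &ha.prefixes[i]
		if e.prefix.Contains(dst) && (best == nil || e.prefix.Bits() > best.prefix.Bits()) {
			best = e
		}
	}
	switch {
	case best == nil:
		return netip.Addr{}, ErrNoBinding
	case best.owner != nil:
		return tunnelEndpoint(best.owner)
	default:
		return best.coa, nil
	}
}

func tunnelEndpoint(b *Binding) (netip.Addr, error) {
	if !b.CoA.IsValid() {
		return netip.Addr{}, ErrAtHome
	}
	return b.CoA, nil
}

func main() {
	ha := NewHomeAgent()
	mr := netip.MustParseAddr("2001:db8:1::1") // constructed MR home address
	ha.ConfigureMobileNetwork(mr, netip.MustParsePrefix("2001:db8:100::/48"))
	ha.BindingUpdate(mr, netip.MustParseAddr("2001:db8:2::55")) // the MR has moved to a visited network
	fmt.Println(ha.Lookup(netip.MustParseAddr("2001:db8:100:5::7")))
	fmt.Println(ha.BindingUpdate(netip.MustParseAddr("2001:db8:1::99"), mr)) // unconfigured: refused
}
```

The refusal in BindingUpdate is the minimum the Home Agent needs even before any AAA machinery is added: the prefix-to-router association is configuration, not something a binding update is allowed to create.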
Access control is a critical aspect of any large-scale deployment of network mobility support. Large-scale deployments of network mobility are usually found in commercial applications, for example where Internet Service Providers (ISPs) provide fixed and mobile access routers and allow subscribers to attach devices to the access routers for Internet connection. Examples of such applications include, but are not limited to, providing Internet access in vehicles such as trains, ships and aircraft.
The need for access control exists in all networks that allow unknown devices to connect to the network and identify themselves in order to gain access to services and/or resources provided in the considered network. Access control may for example be required in these networks in order to protect the interests of paying subscribers. If there is no access control, significant portions of the network resources may be used by unauthorized users, thereby affecting the quality of service provided to the legitimate subscribers.
Reference [6] describes a basic AAA (Authentication, Authorization, and Accounting) model for NEMO, as well as various usage scenarios. Regarding client access authentication for nodes in NEMO-based mobile networks, the draft proposes an AAA solution between the Visiting Mobile Node and the Mobile Router in which the Mobile Router essentially behaves as a Network Access Server. The Visiting Mobile Node first initiates an access request by sending the relevant messages to the Mobile Router it is attached to, using a "link-local" AAA protocol. The Mobile Router then contacts an external AAA server (for example in the Visiting Mobile Node's home network) to perform the actual authentication and authorization, employing one of the "global" AAA protocols. However, this means that a heavyweight protocol such as RADIUS or Diameter is carried over the air, which does not make good use of scarce radio resources.
There is a general need for improved network mobility support and more specifically improved access control for movable or mobile networks.