Some existing communication systems for providing a mobile telecommunication service utilize a communication network which is configured to transmit messages on the basis of at least one Internet protocol. However, it has been usual hitherto to use Internet protocol-based communication only within a core network, so that it continues to be necessary to use dedicated communication protocols to provide mobile communication services. A communication network which operates on the basis of an Internet protocol permits internetworking packet-oriented data exchange between terminal systems of the communication system. Thus, a communication protocol is provided which makes possible internetworking transmission of messages between geographically dispersed computers of different networks.
A specification which makes mobile telecommunication services possible on the Internet has been presented by the Internet Engineering Task Force (IETF). The main starting point for the “Mobile IP” concept presented there was the shortcomings of the conventional Internet protocol (IP) with regard to mobility. “Mobile IP” provides a solution for mobility on the Internet which is scalable, robust and secure. In particular, it provides mechanisms for routing IP packets to mobile computers which reside in a foreign network while retaining their permanent IP address. A problem of “Mobile IP” is that the basic concept is not suited to supporting the automatic tracking of an existing useful data connection when the access point changes, the so-called “seamless handover”.
An architecture for a communication system called “MOMBASA” which operates on the basis of the Internet protocol is presented, in particular, in A. Festag, L. Westerhoff and A. Wolisz, The MOMBASA Software Environment—a Toolkit for Performance Evaluation of Multicast-based Mobility Support, in Proc. of Performance Tools 2002, pages 212-219, London, GB, April 2002. In this communication system an access network for a mobile computer operates by using a multicast process to transfer the individual messages. In point-to-multipoint communication, multicasting is a process in which a message is transmitted with a group address to a fixed group or class of recipients in one transmission process.
The infrastructure of the MOMBASA communication system provides the following components as communication elements. In the access network for the mobile computer there is a plurality of access points, each having a respective access point connection computer (called a mobility-enabling proxy, MEP), which are connected to one another via multicast-capable routers. A network connection computer, for example in the form of a gateway, connects the access network to the public or private fixed Internet network. The so-called mobile agents or mobility agents, which represent a network authority used to support the mobility of the mobile computers in the individual subnetworks, are implemented by the mobile computers.
A mobile computer must be able to communicate with other computers even after changing its access point to the Internet. For this purpose a globally reachable IP address from the address range of the access network is allocated to each mobile computer, at least for the duration of its visit to that access network. Consequently, all message packets from the public Internet network which are addressed to the mobile computer are sent via normal Internet routing to the network connection computer which connects the access network. Within the access network, a block of unicast addresses of a plurality of mobile computers is mapped onto a block of multicast groups, so that each mobile computer corresponds to one multicast group. If a mobile computer registers at an access point connection computer, this access point connection computer becomes a member of the multicast group allocated to the mobile computer. At the network connection computer which connects the access network to the Internet network, a message packet for a mobile computer is transmitted to the allocated multicast group, i.e. to a defined group of access points, and from the access point at which the mobile computer is registered onwards to the mobile computer.
The use of a multicast process within the access network simplifies the predictive tracking of an existing useful data connection between two access points. Starting from the access point connection computer at which the mobile computer is directly registered, the adjacent access point connection computers also become members of the multicast group. These computers store the received downstream messages in a ring buffer; when the existing useful data connection is tracked to a new access point, the so-called handover, the messages held in the ring buffer of the new access point connection computer are forwarded to the mobile computer in order to compensate for the loss of messages during the handover. Messages which are older than the ring buffer can hold are lost nonetheless, so the buffer must be dimensioned for the longest expected handover interruption.
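The following is an added example, not code from the MOMBASA toolkit or from the patent, modelling the two mechanisms just described: the block-wise mapping of mobile computers' unicast addresses onto multicast groups, registration of the serving MEP and its neighbours in the group, ring buffering at the neighbours, and replay after a handover. All address blocks, MEP names, the ring size and the class and function names are hypothetical; the scenario in `handover_demo` is constructed so that the first handover is fully recovered from the buffer and the second overflows it.

```python
"""Toy model of a multicast-based access network with ring-buffered handover.
Added example; not from MOMBASA. Addresses and names are hypothetical."""
from collections import deque
import ipaddress

UNICAST_BLOCK = ipaddress.ip_network("10.10.0.0/24")     # hypothetical block for mobile computers
MULTICAST_BLOCK = ipaddress.ip_network("239.10.0.0/24")  # hypothetical block of multicast groups
RING_SIZE = 8                                            # packets kept per group at each MEP


def unicast_to_group(addr):
    """Map a mobile computer's unicast address onto its multicast group by keeping the host offset."""
    ip = ipaddress.ip_address(addr)
    if ip not in UNICAST_BLOCK:
        raise ValueError(f"{addr} is outside the access-network block {UNICAST_BLOCK}")
    offset = int(ip) - int(UNICAST_BLOCK.network_address)
    return str(MULTICAST_BLOCK.network_address + offset)


class MobileComputer:
    def __init__(self, addr):
        self.addr = addr
        self.received = []    # (seq, payload) handed to the application, in order
        self.serving = None   # name of the MEP it is currently registered at

    def next_expected(self):
        return self.received[-1][0] + 1 if self.received else 0

    def deliver(self, seq, payload):
        # in-order delivery only: duplicates and packets after a gap are dropped
        if seq == self.next_expected():
            self.received.append((seq, payload))
            return True
        return False


class Mep:
    """Access point connection computer (mobility-enabling proxy)."""
    def __init__(self, name, neighbours):
        self.name = name
        self.neighbours = neighbours
        self.groups = {}   # group -> directly registered MobileComputer, or None for a neighbour
        self.ring = {}     # group -> ring buffer of recent downstream packets

    def join(self, group, mobile=None):
        self.groups[group] = mobile
        self.ring.setdefault(group, deque(maxlen=RING_SIZE))  # keep an existing buffer

    def leave(self, group):
        self.groups.pop(group, None)
        self.ring.pop(group, None)

    def on_multicast(self, group, seq, payload):
        if group not in self.groups:
            return
        self.ring[group].append((seq, payload))   # serving and neighbour MEPs both buffer
        mobile = self.groups[group]
        if mobile is not None:
            mobile.deliver(seq, payload)

    def replay(self, group, mobile):
        """Forward the buffered packets the mobile computer missed; returns how many."""
        replayed = 0
        for seq, payload in self.ring[group]:
            if seq >= mobile.next_expected() and mobile.deliver(seq, payload):
                replayed += 1
        return replayed


class AccessNetwork:
    """Network connection computer plus multicast routers, modelled as group membership sets."""
    def __init__(self, meps):
        self.meps = {m.name: m for m in meps}
        self.members = {}   # group -> set of MEP names currently joined
        self.next_seq = {}  # group -> next downstream sequence number

    def register(self, mobile, mep_name):
        group = unicast_to_group(mobile.addr)
        serving = self.meps[mep_name]
        new_members = {mep_name, *serving.neighbours}
        serving.join(group, mobile)
        for name in serving.neighbours:
            self.meps[name].join(group)
        for name in self.members.get(group, set()) - new_members:
            self.meps[name].leave(group)   # tear down membership no longer adjacent
        self.members[group] = new_members
        mobile.serving = mep_name
        return serving.replay(group, mobile)

    def detach(self, mobile):
        """Start of a handover: the old serving MEP stops delivering but stays in the group."""
        group = unicast_to_group(mobile.addr)
        self.meps[mobile.serving].groups[group] = None
        mobile.serving = None

    def forward_downstream(self, dst_addr, payload):
        group = unicast_to_group(dst_addr)
        seq = self.next_seq.get(group, 0)
        self.next_seq[group] = seq + 1
        for name in self.members.get(group, ()):
            self.meps[name].on_multicast(group, seq, payload)
        return seq


def handover_demo():
    """Constructed scenario: A -> B recovers 2 packets from B's ring; B -> C loses 2 of 10."""
    net = AccessNetwork([Mep("A", ["B"]), Mep("B", ["A", "C"]), Mep("C", ["B"])])
    mn = MobileComputer("10.10.0.5")
    net.register(mn, "A")
    for i in range(3):
        net.forward_downstream(mn.addr, f"pkt{i}")
    net.detach(mn)
    for i in range(3, 5):
        net.forward_downstream(mn.addr, f"pkt{i}")        # buffered at A and B, delivered by nobody
    replayed_b = net.register(mn, "B")                    # B was a neighbour: replays 3 and 4
    net.forward_downstream(mn.addr, "pkt5")
    net.detach(mn)
    for i in range(6, 16):                                # more than RING_SIZE packets
        net.forward_downstream(mn.addr, f"pkt{i}")
    replayed_c = net.register(mn, "C")                    # C holds only 8..15; 6 and 7 are gone
    return replayed_b, replayed_c, [s for s, _ in mn.received]
```

The second handover shows the caveat: because the mobile computer insists on in-order delivery, a gap larger than the ring buffer means nothing can be replayed and the connection sees a loss, so the buffer length must cover the longest handover interruption.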
In the event that a mobile computer neither receives nor transmits data for a certain length of time, it switches to idle mode. This is an operating state in which the mobile computer, although switched on, is not logged on and therefore cannot be reached from the access network. In this case the multicast group concerned is torn down, and the position of the mobile computer is known only coarsely as a paging area, represented by a permanent multicast group which is independent of the mobile computer. If messages for a mobile computer which is in the idle state arrive at the network connection computer, a paging request is transmitted to the defined multicast group of the last known paging area of the mobile computer and delivered to the access point connection computers of that paging area, whereupon the mobile computer switches to the active state and logs on to the access network.
Such a communication system is exposed to a considerable number of security threats which endanger the operation of the mobile telecommunication service. Firstly, the internal exchange of messages within the access network can be endangered by attacks arriving over external links. Furthermore, the internal exchange of messages within the access network can be exploited by an attacker who has gained access to the access network in one of various ways. In addition, messages or information can be tapped or manipulated by an attacker during their transmission if the attacker purports to be a legitimate user of the access network. The attacker could additionally use this to obtain a telecommunication service at the expense of the impersonated mobile computer.
In general, a mobile computer does not know in advance which of the access points in the access network is responsible for it. For this reason falsified so-called advertisements, i.e. messages with which mobility agents offer their services to the mobile computer and which are injected via the access point last used, can cause the mobile computer to register itself erroneously with an attacker. The problem here is as follows: the so-called MEP advertisements (Mobility-Enabling Proxy advertisements) are not addressed to a single mobile computer but to a group of mobile computers. If a symmetric cryptographic method were used, the advertisement would have to be authenticated with a key shared by every mobile computer of the group, so that any one of these mobile computers could itself produce correctly authenticated but falsified advertisements. If, on the other hand, an asymmetric cryptographic method were used, checking values of, at present, several hundred to 2048 bits would have to be carried in every advertisement. Nevertheless, a false access point could potentially still be unmasked later during the registration process, when the mobile computer and the access point communicate directly with one another.
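The trade-off in the preceding paragraph, as an added example that is not part of the original text or of MOMBASA: a group-shared HMAC lets any group member forge an advertisement that points the mobile computer at the attacker's own care-of address, whereas a per-MEP signature cannot be forged by a holder of the public key alone, at the price of a checking value the size of the modulus rather than 256 bits. The signature scheme here is textbook RSA over a SHA-256 hash without padding, written with the standard library only so the block runs offline; it is an illustration of the size and trust difference, not a production signature scheme. The advertisement fields, the MEP name and the addresses are hypothetical.

```python
"""Group-keyed MAC versus per-MEP signature on MEP advertisements.
Added example; not from MOMBASA or the patent. Textbook RSA for illustration only."""
import hashlib
import hmac
import json
import secrets


def encode(fields):
    """Canonical byte encoding of the advertisement fields."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


# --- symmetric: one key shared by the whole group of mobile computers ---
def mac_advertise(group_key, fields):
    msg = encode(fields)
    return msg, hmac.new(group_key, msg, hashlib.sha256).digest()


def mac_verify(group_key, msg, tag):
    return hmac.compare_digest(hmac.new(group_key, msg, hashlib.sha256).digest(), tag)


# --- asymmetric: each MEP holds a private key, mobile computers only the public key ---
def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test; sufficient for a demonstration key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=1024):
    """Return ((n, e), (n, d)); modulus length equals the checking value length."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def sign_advertise(priv, fields):
    n, d = priv
    msg = encode(fields)
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")   # h < n since n has >= 512 bits
    return msg, pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def verify_advertise(pub, msg, sig):
    n, e = pub
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(int.from_bytes(sig, "big"), e, n) == h


def advertisement_demo(bits=1024):
    """Constructed scenario: an insider mobile computer tries to redirect its peers to itself."""
    genuine = {"mep": "mep-7.access.example", "care_of": "10.10.0.1", "lifetime": 60}
    forged = dict(genuine, care_of="10.10.0.250")   # attacker's own address, hypothetical

    group_key = secrets.token_bytes(32)              # every mobile computer of the group holds this
    _, tag = mac_advertise(group_key, genuine)
    fmsg, ftag = mac_advertise(group_key, forged)    # the insider can compute a valid tag

    pub, priv = rsa_keygen(bits)                     # the insider holds pub only
    smsg, sig = sign_advertise(priv, genuine)
    return {
        "mac_forgery_accepted": mac_verify(group_key, fmsg, ftag),
        "mac_tag_bits": len(tag) * 8,
        "sig_ok": verify_advertise(pub, smsg, sig),
        "tampered_accepted": verify_advertise(pub, encode(forged), sig),  # reused sig fails
        "sig_bits": pub[0].bit_length(),
    }
```

The returned dictionary makes the point of the paragraph concrete: the forged advertisement passes the group MAC, the altered advertisement fails the signature check, and the signed version carries a checking value of `bits` bits against 256 for the MAC.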
So-called denial of service attacks are a further threat which should be mentioned. Here, denial of service means the same thing as functional failure or denial of function. This covers a large number of different possible attacks which all have the aim of causing certain computers to crash or of disabling certain of their functions. Such attacks can be directed, from the access point last used, against the authentication process itself, at a point in time at which the identity of the data transfer point (called the peer node) has not yet been authenticated. Furthermore, denial of service attacks can be executed from the Internet simply by sending data packets. If data packets are sent to a plurality of mobile computers in the idle state (for example, with varying sources and protocols), all of these mobile computers are addressed simultaneously by paging requests and caused to switch to the active mode. This leads to a signalling overload within the access network and at the authentication verification computer which executes authentication, authorization and accounting (the AAA server).