1. Field of the Invention
The present invention relates to an apparatus of dynamically assigning external home agent (x-HA) for mobile virtual private networks (VPNs) and method for the same; especially to an apparatus of dynamically assigning x-HA for IPsec-based mobile VPNs and method for the same.
2. Description of Prior Art
The virtual private network (VPN) is developed to provide a dedicated channel between a remote computer and a local server through a wide area network such as Internet. The VPN also provides measure to ensure the security of communication, just like the trusted internal network (Intranet).
More particularly, VPN provides following measures to ensure security:
1. User authentication: VPN has rigorous authentication upon user and allow the log in for authenticated user only.
2. Address administration: VPN provides dedicated address for authenticated user with ensured security.
3. Data encryption: The data transmitted through Internet is encrypted to prevent from peeping by unauthenticated user.
4. Key management: VPN generates and frequently updates the key between user computer and server.
5. Protocol compatibility: VPN supports popular Internet protocols such as Point-to-Point Tunneling Protocol (PPTP), Layer2 Tunneling Protocol (L2TP) and IPsec.
Internet protocol (IP) is the most popular communication protocol for computer network. However, IP does not take security issue into account and therefore the IPsec protocol is defined by Internet Engineering Task Force (IETF) in Request for Comments (RFC) 2401. The IPsec protocol is used to encrypt the IP data flow and prevent data from modifying and inspection by third party and prevent data from simulation, fetching and playback.
Considering mobility for VPN users, Mobile IPv4 (IETF RFC 3344) is adopted in mobile VPN architecture. However, there are some technical issues needed to be resolved when incorporating Mobile IP (MIP) into IPsec-based VPN gateway.
When a mobile node (MN), such as a notebook computer with wireless communication equipment, roams in an Intranet, a Mobile IP (MIP) is assigned to the MN by a Home Agent (HA). When the MN moves out of Intranet, i.e. roams in an external network such as Internet, it must establish the IPsec tunnel with an IPsec-based VPN gateway before registering with the Home Agent (HA).
During movement, the MN would get a new care-of address (CoA) from the external network. It requires the VPN gateway refresh IPsec tunnel endpoints after MN's each movement into a new IP subnet. However, all packets including MIP messages are encrypted by IPsec protocol. Therefore, FA cannot decrypt MIP messages. Thus, FA is unable to relay MIP messages.
In order to overcome these problems, the IETF MIP4 Working Group (WG) is proposing a mechanism to support international seamless roaming (ISR) for VPN users.
In above-motioned mechanism, there are two HAs for internal and external networks respectively. Namely, an internal HA (i-HA) is provided for MN's mobility management inside Intranet, and an external HA (x-HA) is provided for the MN's mobility management in the external network when the MN moves out of Intranet and roams in the external network.
The x-HA is augmented to encapsulate the IPsec tunnel with the x-MIP tunnel. Therefore, the IPsec tunnel will not break when MN gets a new CoA. The FA will also be able to understand the MIP messages. By the IETF solution, there is no modification to Mobile IPv4 and IPsec standards. Only some changes are necessary for MN.
FIG. 1 is a schematic diagram of mobile VPN architecture defined by IETF. In this figure, an MN 1 roams in Intranet 10 through an i-HA 11. The MN 1 requires registering to an x-HA 21 for obtaining a new CoA when the MN moves from Intranet 10 to Internet 20. Afterward the MN 1 then uses its external home address (x-HoA) to build an IPsec channel with the home VPN gateway 22 through Internet Key Exchange (IKE). The VPN-TIA (VPN Tunnel Inner Address) is also assigned after IKE negotiation accomplishes. Lasting, the MN 1 then registers the VPN-TIA to the i-HA 11 as its internal co-located CoA. These i-MIP registration messages will be encrypted by IPsec ESP (Encapsulating Security Payload) between MN and the VPN gateway. Therefore, the VPN for MN is established when roaming in Intranet 10 and Internet 20.
FIG. 2 shows the message structure of the mobile VPN as MN moves from Intranet 10 to Internet 20. The message contains an original packet 31, an i-MIP channel message 32 encapsulating the original packet 31 and used for the i-HA 11 and the VPN gateway 22, an IPsec channel massage 33 encapsulating the i-MIP channel message 32 and used for the VPN gateway 22 and the x-HA 21, and an x-MIP channel massage 34 encapsulating the IPsec channel massage 33 and used for the x-HA 21 and MN 1.
The solution, however, leads to two questions: where should we put the x-HA and how should we trust the x-HA?
In conventional approach of IETF, a static x-HA 21 is provided in Internet 20. The placement of x-HA will impact the handoff latency between the FA and the x-HA 21 and end-to-end latency when the Internet 20 has a plurality of subnets. In addition, the x-HA is outside VPN and might not be under the control of the VPN. Therefore, there should be a trusted mechanism to assign the x-HA.
The present invention is intended to assign the x-HA dynamically so the handoff latency and end-to-end latency could be minimized. Moreover, AAA (Authentication, Authorization and Accounting) technique is also adopted so that the x-HA can be associated with the VPN securely.