US007174018B1

(12) United States Patent
Patil et al.

(10) Patent No.: US 7,174,018 B1
(45) Date of Patent: Feb. 6, 2007

(54) SECURITY FRAMEWORK FOR AN IP MOBILITY SYSTEM USING VARIABLE-BASED SECURITY ASSOCIATIONS AND BROKER REDIRECTION

(75) Inventors: Basavaraj B. Patil, Plano, TX (US); Raja P. Narayanan, Irving, TX (US); Haseeb Akhtar, Garland, TX (US); Emad A. Qaddoura, Plano, TX (US)

(73) Assignee: Nortel Networks Limited, St. Laurent (CA)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 789 days.

(21) Appl. No.: 09/595,551

(22) Filed: Jun. 16, 2000

Related U.S. Application Data

(60) Provisional application No. 60/140,704, filed on Jun. 24, 1999.

(51) Int. Cl.: H04K 1/00 (2006.01); H04L 9/00 (2006.01)

(52) U.S. Cl.: 380/258; 380/270; [remainder illegible]

(58) Field of Classification Search: 380/258, 380/270; 713/154, 153. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,539,824 A *   7/1996  Bjorklund et al. ... 380/249
5,793,762 A     8/1998  Penners et al.
5,883,890 A     3/1999  Okanoue et al.
5,905,719 A     5/1999  Arnold et al.
6,170,057 B1 *  1/2001  Inoue et al. ....... 713/153
6,253,326 B1 *  6/2001  Lincke et al. ...... 713/201
6,487,657 B1 * 11/2002  Brockmann .......... 713/154
6,507,908 B1 *  1/2003  Caron .............. 713/153

OTHER PUBLICATIONS

Pat R. Calhoun, DIAMETER Mobile IP Extensions, Nov. 1998, Sun Laboratories, pp. 1-27.*
Pat R. Calhoun, Diameter Framework Document, Feb. 2001, Sun Laboratories, pp. 1-26.*

(Continued)

Primary Examiner—Kambiz Zand
Assistant Examiner—Benjamin E. Lanier
(74) Attorney, Agent, or Firm—Hemingway & Hansen, LLP; D. Scott Hemingway; Malcolm W. Pipes

(57) ABSTRACT

In an IP-based mobile communications system, the Mobile Node changes its point of attachment to the network while maintaining network connectivity. Security concerns arise in the mobile system because authorized users are subject to the following forms of attack: (1) session stealing, where a hostile node hijacks the session from the mobile node by redirecting packets, (2) spoofing, where the identity of an authorized user is utilized in an unauthorized manner to obtain access to the network, and (3) eavesdropping and stealing of data during a session with an authorized user. No separate secure network exists in the IP-based mobility communications system, and therefore it is necessary to protect information transmitted in the mobile system from the above-identified security attacks. The present invention improves the security of communications in an IP mobile communications system by creating variable-based Security Associations between various nodes on the system, a Virtual Private Network supported by a Service Level Agreement between various foreign networks and a home network, and an SLA Broker to promote large-scale roaming among different SLAs supported by the SLA Broker or agreements with other SLA Brokers.

37 Claims, 2 Drawing Sheets

Ex. 1014
Apple v. MPH Techs. Oy
IPR2019-00820
Page 2

OTHER PUBLICATIONS (continued)

Pat R. Calhoun, Diameter Base Protocol, Feb. 2001, Sun Laboratories, pp. 1-57.*
La Porta, Thomas F.; Salgarelli, Luca; Foster, Gerald T.; "Mobile IP and Wide Area Wireless Data;" 1998, IEEE.
Perkins, Charles E.; "Tutorial: Mobile Networking Through Mobile IP;" Jan. 1998; IEEE Internet Computing.
Perkins, C.; "RFC 2002: IP Mobility Support;" Oct. 1996, Network Working Group.

* cited by examiner
Sheet 1 of 2

[FIG. 2: message flow for establishing an SA between the Mobile Node (MN), Foreign Agent (FA), foreign-network AAA server (AAA-FN), home-network AAA server (AAA-HN) and Home Agent (HA). The registration request R_REQ is relayed in steps 100, 102, 104 and 106; the registration response R_RESP is relayed in steps 110, 112, 114 and 116; IKE Aggressive Mode (A MODE) follows in step 120 and Quick Mode in step 122 (S/U). The drawing itself did not survive extraction.]

Sheet 2 of 2

[Drawing figures; only the reference numerals 200, 340 and 510 survived extraction.]
SECURITY FRAMEWORK FOR AN IP MOBILITY SYSTEM USING VARIABLE-BASED SECURITY ASSOCIATIONS AND BROKER REDIRECTION

RELATED APPLICATION DATA

This application is the utility patent application related to provisional application Ser. No. 60/140,704 filed Jun. 24, 1999.

TECHNICAL FIELD OF THE INVENTION

A security framework for an IP-based mobile communication system having a home network, foreign network and a mobile node.
`
BACKGROUND OF THE INVENTION

Present-day Internet communications represent the synthesis of technical developments begun in the 1960s—the development of a system to support communications between different United States military computer networks, and the subsequent development of a system to support the communication between research computer networks at United States universities. These technological developments would subsequently revolutionize the world of computing.

The Internet, like so many other high tech developments, grew from research originally performed by the United States Department of Defense. In the 1960s, Defense Department officials began to notice that the military was accumulating a large collection of computers—some of which were connected to large open computer networks and others that were connected to smaller closed computer networks. A network is a collection of computers or computer-like devices communicating across a common transmission medium. Computers on the Defense Department's open computer networks, however, could not communicate with the other military computers on the closed systems.

Defense Department officials requested that a system be built to permit communication between these different computer networks. The Defense Department recognized, however, that a single centralized system would be vulnerable to missile attacks or sabotage. Accordingly, the Defense Department mandated that the system to be used for communication between these military computer networks be decentralized and that no critical services be concentrated in a few, vulnerable failure points. In order to achieve these goals, the Defense Department established a decentralized standard protocol for communication between network computers.

A few years later, the National Science Foundation (NSF) wanted to connect network computers at various research institutions across the country. The NSF adopted the Defense Department's protocol for communication, and this combination of research computer networks would eventually evolve into the Internet.

Internet Protocols

The Defense Department's communication protocol governing data transmission between computers on different networks was called the Internet Protocol (IP) standard. The IP standard now supports communications between computers and networks on the Internet. The IP standard identifies the types of services to be provided to users, and specifies the mechanisms needed to support these services. The IP standard also describes the upper and lower system interfaces, defines the services to be provided on these interfaces, and outlines the execution environment for services needed in the system.

A transmission protocol, called the Transmission Control Protocol (TCP), was also developed to provide connection-oriented, end-to-end data transmission between packet-switched computer networks. The combination of TCP with IP (TCP/IP) forms a system or suite of protocols for data transfer and communication between computers on the Internet. The TCP/IP standard has become mandatory for use in all packet switching networks that connect or have the potential for utilizing connectivity across network or sub-network boundaries.
`
The TCP/IP Protocol

In a typical Internet-based communication scenario, data is transmitted from an applications program in a first computer, through the first computer's network hardware, and across the transmission medium to the intended destination on the Internet. After receipt at a destination computer network, the data is transmitted through the destination network to a second computer. The second computer then interprets the communication using the identical protocols on a similar application program. Because of the standard protocols used in Internet communications, the TCP/IP protocol on the second computer decodes the transmitted information into the original information transmitted by the first computer.

One of the rules in TCP/IP communications is that a computer user does not need to get involved with details of data communication. In order to accomplish this goal, the TCP/IP standard imposes a layered communications system structure. All the layers are located on each computer in the network, and each module or layer is a separate component that theoretically functions independent of the other layers.

TCP/IP and its related protocols form a standardized system for defining how data should be processed, transmitted and received on the Internet. TCP/IP defines the network communication process, and more importantly, defines how a unit of data should look and what information the message should contain so that the receiving computer can interpret the message correctly. Because of the standardized layer design of TCP/IP, a consistent conversion of base data is ensured regardless of the version or vendor of the TCP/IP conversion software.

TCP/IP Addressing and Routing

A computer operating on a network is assigned a unique physical address. On a Local Area Network ("LAN"), the physical address of the computer is a number given to the computer's network adapter card. Hardware LAN protocols use this physical address to deliver packets of data to computers on the LAN.

On the Internet, the TCP/IP protocol routes information packets using logical addressing. The network software in the Network Layer generates logical addresses. Specifically, a logical address in the TCP/IP network is translated into a corresponding physical address using the ARP (Address Resolution Protocol) and RARP (Reverse Address Resolution Protocol) protocols in the Network Layer.

The TCP/IP's logical address is also called an IP address. The IP address can include: (1) a network ID number identifying a network, (2) a sub-network ID number identifying a sub-network on the network, and, (3) a host ID number identifying a particular computer on the sub-network. The header data in the information packet will include source and destination addresses. The IP addressing scheme imposes a sensible addressing scheme that reflects the internal organization of the network or sub-network.

A computer network is often subdivided into smaller sub-networks. The computer network is divided in this manner to increase data transmission efficiency and reduce overall network traffic. Routers are used to regulate the flow of data into and out of designated sub-networks of the computer network.

A router interprets the logical address information of a data packet, such as an IP address, and directs the data packet across the network to its intended destination. Data addressed between computers on the sub-network does not pass through the router to the greater network, and therefore does not clutter the transmission lines of the greater network. If data is addressed to a computer outside the sub-network, however, the router forwards the data onto the larger network.

The TCP/IP network includes protocols that define how routers will determine the path for data through the network. Routing decisions are based upon information in the IP packet header and entries in each router's routing table. A routing table possesses sufficient information for a router to make a determination on whether to accept the communicated information on behalf of a destination computer, or pass the information onto another router in the network. The routing table also permits the router to determine where the information should be forwarded within the network or sub-network.

The routing table can be configured manually with routing table entries or a dynamic routing protocol that can accommodate changing network topologies—network architecture or network layouts, routers, and interconnections between hosts and routers. In a dynamic routing protocol, a router advertises reachability when it sends updated routing information to a second router claiming that the first router is capable of reaching one or more destination addresses. Advertising accessibility is important to the process of receiving, directing and re-directing data packets on the Internet.

Confidential Communications Over a Public Network

Because information packets are routed over the public networks that make up the Internet, cryptographic security systems are used to send communications in a confidential manner. These security systems maintain the confidentiality of the information packet by encoding, or encrypting, the information in the information packet. The encryption process can only be reversed, or decoded, by an authorized person. Other activities performed by the security system include authentication (you are who you say you are), integrity checking (the information packet was sent in the decoded form) and non-repudiation (identification of the person sending the information packet).

A cryptographic security system consists of two fundamental components—a complicated mathematical algorithm for encrypting the information, and one or more values, called keys, known to parties authorized to transmit or receive the information packet. The greater the complexity of the algorithm, the stronger the cryptographic level of security in the cryptographic system. Because of its complexity, the algorithm can be kept secret or publicly disclosed without undermining the strength of the security system.

As an example of the encryption process, let's examine the situation where Party A intends to communicate confidentially with Party B using the cryptographic security system. First, Party A uses the algorithm and a key to transform the information in the transmitted information packet into encrypted information. In order to maintain the confidentiality of the transmitted information, the encrypted information does not resemble the information in the information packet, and the encrypted information cannot be easily decoded into its original form without the use of the algorithm and a key.

As such, the encrypted information is transmitted over the public networks on the Internet to Party B without disclosing the content of the original information packet. After receiving the encrypted information packet, Party B decodes the encrypted information using the algorithm and a key. When the encrypted information is decoded, the original information should be disclosed in the decoded information packet.
`
Key-Based Cryptographic Systems

It is preferable that the key be known only to the appropriate or authorized parties to the communication. This type of key is known as a "secret key", and the sender and receiver of the information packet use the same secret key to encrypt and decode information packets with the algorithm. Public key encryption is also supported by cryptographic security systems where the sender has a public key and a private key, and the receiver has a public key and a private key. Messages may be encoded by the sender using the receiver's public key, and decoded by the receiver using the receiver's private key. Hybrid security systems are also used to encrypt and decode information in information packets. Accordingly, key-based security systems rely on the use of some type of secret key to support confidential communications.

SUMMARY OF THE INVENTION

Internet protocols were originally developed with an assumption that Internet users, which are assigned a unique IP address, would be connected to a single, fixed network—that is, one physical fixed location. With the advent of portable computers and cellular wireless communication systems, however, the movement of Internet users within a network and across network boundaries has become quite common. Because of this highly mobile Internet usage, the implicit design assumptions for the Internet protocols have been violated.

The IP-Based Mobile System

The IP-based mobile system includes at least one Mobile Node in a wireless communication system. The term "Mobile Node" includes a mobile communication unit, and, in addition to the Mobile Node, the communication system has a home network and a foreign network. The Mobile Node may change its point of attachment to the Internet through these other networks, but the Mobile Node will always be associated with a single Mobile Node home network for IP addressing purposes.

The home network has a Home Agent and the foreign network has a Foreign Agent—both of which control the routing of information packets into and out of their network. The terms Home Agent and Foreign Agent may be defined in the Mobile IP Protocol (RFC 2002), but these agents are not restricted to a single protocol or system. In fact, the term Home Agent, as used in this application, can refer to a Home Mobility Manager, Home Location Register, Home Serving Entity, or any other agent at a home network having the responsibility to manage mobility-related functionality for a Mobile Node on a home network. Likewise, the term Foreign Agent, as used in this application, can refer to a Serving Mobility Manager, Visited Location Register, Visiting Serving Entity, or any other agent on a foreign network having the responsibility to manage mobility-related functionality for a Mobile Node on a foreign network.

Security System for the IP-Based Mobile System

In an IP-based mobile communications system, the Mobile Node changes its point of attachment to the network while maintaining network connectivity. Security concerns arise in the mobile system because authorized users are subject to the following forms of attack: (1) session stealing, where a hostile node hijacks the network session from the mobile node by redirecting information packets, (2) spoofing, where the identity of an authorized user is utilized in an unauthorized manner to obtain access to the network, and (3) eavesdropping and stealing of information during a session with an authorized user. No separate secure network exists in the IP-based mobility communications system, and therefore it is necessary to protect information transmitted in the mobile system from the above-identified security attacks.

The present invention improves the security of communications in an IP-based mobile communications system by creating variable-based Security Associations (SAs) between various nodes on the system, a Virtual Private Network supported by a Service Level Agreement (SLA) between various foreign networks and a home network, and an SLA Broker to promote large-scale roaming among different SLAs supported by the SLA Broker or agreements with other SLA Brokers. Any one of these aspects will improve the security of the system, and each aspect is independently covered by the present invention.

Variable-Based Security Associations

Security Associations, called SAs, are relationships between secure nodes, or routers, of the Internet. The present invention establishes SAs between various nodes and agents on the system to comprehensively, and flexibly, cover connections in the network.

Service Level Agreements (SLAs) and Virtual Private Networks (VPNs)

A service level agreement (SLA) may be created between networks on the Internet to establish Security Associations between Authentication, Authorization, and Accounting ("AAA") servers on various administrative domains or networks. The AAA servers on the SLAs can assist in the management of SAs and the uniform transfer of encrypted information packets between AAA servers using a well-defined security protocol.

An SLA can be formed between the AAA servers on several foreign networks and a home network. By working cooperatively, the AAA servers form a secure network for communications. Essentially, this system forms a Virtual Private Network (or "VPN") between the foreign networks and the home network, thereby supporting secure tunneling of information packets among the networks on the VPN.

SLA Brokers

To eliminate the need for each network to establish individual SLAs with every other service provider and network on the Internet, SLA brokers can be assigned the responsibility of establishing and maintaining SLAs found on different networks (and reciprocal agreements with other SLAs and SLA Brokers). Accordingly, the SLA Broker becomes a consortium of agreements between various networks and service providers.

A home network need only establish one relationship with the SLA Broker in order to gain access to the other SLAs supported by the SLA Broker. With the support of such an SLA Broker, a mobile node from the home network can roam about any other network supported by the home network's SLA Broker.
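An added illustration, not the patent's code, of how one relationship with an SLA Broker (plus reciprocal broker-to-broker agreements) gives a home network roaming access to every network the broker supports: a small reachability search over direct SLAs, broker memberships and broker agreements. The network and broker names are made up for the example.

```python
"""Roaming reachability through SLA Brokers (the SLA Broker concept of the patent).

Constructed example, not the patent's own code. A home network may hold direct
SLAs with some foreign networks and a single SLA with a broker; brokers may hold
reciprocal agreements with other brokers. can_roam() returns the chain of
agreements a Mobile Node from `home` relies on to roam into `foreign`, or None
when no such chain exists. Network and broker names are made up.
"""
from collections import deque
from typing import Dict, List, Optional, Set


class SlaBrokerGraph:
    def __init__(self) -> None:
        self.direct_slas: Dict[str, Set[str]] = {}     # network -> networks with a direct SLA
        self.broker_members: Dict[str, Set[str]] = {}  # broker -> networks holding an SLA with it
        self.broker_peers: Dict[str, Set[str]] = {}    # broker -> brokers with reciprocal agreements

    def add_sla(self, net_a: str, net_b: str) -> None:
        self.direct_slas.setdefault(net_a, set()).add(net_b)
        self.direct_slas.setdefault(net_b, set()).add(net_a)

    def join_broker(self, network: str, broker: str) -> None:
        self.broker_members.setdefault(broker, set()).add(network)

    def add_broker_agreement(self, broker_a: str, broker_b: str) -> None:
        self.broker_peers.setdefault(broker_a, set()).add(broker_b)
        self.broker_peers.setdefault(broker_b, set()).add(broker_a)

    def brokers_of(self, network: str) -> Set[str]:
        return {b for b, members in self.broker_members.items() if network in members}

    def can_roam(self, home: str, foreign: str) -> Optional[List[str]]:
        """Chain of agreements that lets a node from `home` roam into `foreign`."""
        if foreign in self.direct_slas.get(home, set()):
            return [f"SLA({home},{foreign})"]  # the pairwise SLA the broker makes unnecessary
        # Breadth-first search from the home network's broker(s) over broker agreements,
        # so the shortest chain of agreements is returned.
        start = self.brokers_of(home)
        queue = deque((b, [f"SLA({home},{b})"]) for b in sorted(start))
        seen: Set[str] = set(start)
        while queue:
            broker, chain = queue.popleft()
            if foreign in self.broker_members.get(broker, set()):
                return chain + [f"SLA({foreign},{broker})"]
            for peer in sorted(self.broker_peers.get(broker, set())):
                if peer not in seen:
                    seen.add(peer)
                    queue.append((peer, chain + [f"AGREEMENT({broker},{peer})"]))
        return None


def example_graph() -> SlaBrokerGraph:
    """Constructed topology: one direct SLA, two brokers with a mutual agreement."""
    g = SlaBrokerGraph()
    g.add_sla("home", "foreignA")
    g.join_broker("home", "brokerX")
    g.join_broker("foreignB", "brokerX")
    g.join_broker("foreignC", "brokerY")
    g.add_broker_agreement("brokerX", "brokerY")
    return g


if __name__ == "__main__":
    g = example_graph()
    for target in ("foreignA", "foreignB", "foreignC", "foreignD"):
        print(target, "->", g.can_roam("home", target))
```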
`
While the present invention can operate under the Mobile IP (RFC 2002), IPSec, and/or Internet Key Exchange (IKE) protocols, the invention is not limited to these protocols and can be used with any IP-based mobile system and associated security protocols.
`
BRIEF DESCRIPTION OF THE DRAWINGS

The objects and features of the invention will become more readily understood from the following detailed description and appended claims when read in conjunction with the accompanying drawings in which like numerals represent like elements and in which:

FIG. 1 is a schematic diagram of the various SAs supported in the security framework;

FIG. 2 is a message flow sequence for establishing an SA;

FIG. 3 is a schematic diagram of the Virtual Private Network created by a common Service Level Agreement; and,

FIG. 4 is a schematic diagram showing the SLA Broker in the network configuration.
`
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Mobile IP protocols support the routing of data communications to Mobile Nodes on the Internet. For the most part, each Mobile Node in a mobile IP system is identified by a permanent IP address associated with a home network. While the Mobile Node is coupled to its home network, the Mobile Node functions as any other fixed node on that network. When the Mobile Node moves from its home network to a foreign network, however, the home network sends data communications to the Mobile Node through the foreign network. This transmission of the information packet from the home network to the foreign network is called "tunneling" the information packet to the foreign network and/or mobile foreign network where the mobile user is located.

Variable-Based Security Associations

In order to reduce the security concerns during the "tunneling" of information packets to Mobile Nodes, different security associations can be formed between home and foreign networks. Security Associations, called SAs, are relationships between secure nodes, or routers, in the security framework of the Internet. The SA establishes the agreement between the two secure nodes on how the sender will cryptographically transform data before transmission. The SA agreement requires the sending node to share information with the receiving node about the type of cryptographic method, the algorithm, and the keys used in the encryption process. The agreement is formed and the information is shared prior to the transmission of an information packet on the secure connection. When the sending node transmits an encrypted information packet, the sending node will identify the pertinent information regarding the encryption method to the receiving node. After receiving the encrypted information packet, the receiving node will use the shared information from the SA to decode the information packet.

Authentication is the process of proving someone's claimed identity, and security systems will often require authentication of the system user's identity before authorizing a requested activity. The authentication and authorization processes are often performed by an AAA server. The AAA server authenticates the identity of an authorized user, and authorizes the requested activity. Additionally, the AAA server will provide the accounting function including tracking usage and charges for use of secure transmission links.

Looking at FIG. 1, the overall architecture of the IP-based mobile system is shown with Mobile Node 64, home network 10 and foreign network 40. The home network 10 has a central buss line 20 coupled to the home agent 28 via communication link 24, and the buss line 20 is coupled to the secure messaging gateway 15 via communication link 22. The secure messaging gateway 15 includes the AAA server 17 and firewall 19 for the home network. The home network 10 is coupled to the public Internet 35 via communication link 30. A communications link is any connection between two or more nodes on a network or users on networks or administrative domains.

The foreign network 40 has a central buss line 50 coupled to the foreign agent 58 via communication link 54, and the buss line 50 is coupled to the secure messaging gateway 45 via communication link 52. The secure messaging gateway 45 includes the AAA server 49 and firewall 47 for the foreign network. The foreign network 40 is coupled to the public Internet 35 via communication link 37.

A Mobile Node 64 is shown electronically coupled to the foreign network 40 via the communication link 66 of transceiver 60. Transceiver 60 is coupled to the foreign network via communication link 62. The Mobile Node 64 can communicate with any transceiver or Access Network coupled to the foreign network 40. The system also includes a correspondent node CN 70, which is a node wishing to communicate with the Mobile Node 64. The correspondent node CN 70 is coupled to the public Internet 35 via communication link 72.

The present invention includes the capability of forming five different SAs securely connecting various nodes and routers on the Internet. The following security associations will connect the following nodes and routers:

(1) SA1—the SA1 80 securely connects the secure messaging gateway 15 in the home network 10 to the secure messaging gateway 45 in the foreign network 40,
(2) SA2—the SA2 85 securely connects the Mobile Node 64 to the Foreign Agent 58 in the foreign network 40,
(3) SA3—the SA3 87 securely connects the Mobile Node 64 to the Home Agent 28 in the home network 10,
(4) SA4—the SA4 90 securely connects the Mobile Node 64 to the correspondent node 70, and
(5) SA5—the SA5 92 securely connects the correspondent node 70 to the Home Agent 28 in the home network.

The security scheme in the present invention covers one or more portions of the public network as mandated by the needs of the user and the level of security desired. At the very least, SA1 80 is needed to traverse the public networks in the Internet. If SA1 80 and SA2 85 (or an equivalent) are available and the foreign network 40 can be trusted, SA3 would be optional because it would cover redundant relationships already covered by SA1 and SA2. Further, SA4 is only needed if the policies at the Mobile Node 64 require its use. If SA1 80 is not available, the system should secure transmission of information packets by using SA3 87 and SA4 90 between the Mobile Node 64 and the Home Agent 28 or correspondent node 70, respectively. The SA2 connection may be unnecessary if the Mobile Node 64 communicates with the Foreign Agent 58 using a code-based communication scheme, such as a CDMA-based communication scheme. Further, the security of the system could be enhanced by SA5 92 between the correspondent node 70 and the Home Agent 28 if the correspondent node 70 is not associated with the home network.

Many combinations of the SAs could be established to provide a comprehensive security framework. Of course, redundant SAs can be eliminated, such as the SA3 connection where there are already SA1 and SA2 connections available for use. As a flexible solution, the SAs available in the present invention could be configured by the user or the networks to provide the desired level of security.
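The selection rules just listed, worked through as an added Python example (not code from the patent): it picks the SAs for a given deployment and then checks that every hop of the MN-to-HA tunnel path is covered by an SA or by a trusted network segment. The node names, the tunnel path derived from FIG. 1, and the assumption that the home network's own links are trusted are mine.

```python
"""Choosing and checking the five SAs of the patent's framework (FIG. 1).

Constructed example, not the patent's own code. select_sas() encodes the
selection rules stated in the text; uncovered_hops() then checks that every
hop of the tunnel path between the Mobile Node and the Home Agent is protected
by some SA or by a trusted segment. Node names combine the role with the
FIG. 1 reference numeral (e.g. SMG45 is secure messaging gateway 45).
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Endpoints of each SA as listed in the text (SA1 80 .. SA5 92).
SA_ENDPOINTS = {
    "SA1": ("SMG45", "SMG15"),  # foreign gateway 45 <-> home gateway 15, across the Internet
    "SA2": ("MN64", "FA58"),
    "SA3": ("MN64", "HA28"),
    "SA4": ("MN64", "CN70"),
    "SA5": ("CN70", "HA28"),
}

# Path a tunnelled packet follows between MN and HA (assumed from FIG. 1:
# links 66/62, 54, 52, 37, 30 and 22/24).
TUNNEL_PATH = ["MN64", "FA58", "SMG45", "INTERNET35", "SMG15", "HA28"]
HOPS: List[Tuple[str, str]] = list(zip(TUNNEL_PATH, TUNNEL_PATH[1:]))


@dataclass
class Environment:
    sa1_available: bool = True            # gateways 15 and 45 can form SA1
    foreign_network_trusted: bool = False
    mn_policy_requires_sa4: bool = False
    cdma_air_link: bool = False           # code-based MN<->FA scheme, an SA2 equivalent
    cn_in_home_network: bool = True


def select_sas(env: Environment) -> Set[str]:
    """Apply the rules from the text to decide which SAs to establish."""
    chosen: Set[str] = set()
    sa2_or_equivalent = env.cdma_air_link
    if not env.cdma_air_link:
        chosen.add("SA2")       # no code-based air link: protect MN<->FA with SA2
        sa2_or_equivalent = True
    if env.sa1_available:
        chosen.add("SA1")       # the minimum needed to traverse the public Internet
        # SA3 is redundant only when SA1 and SA2 (or an equivalent) exist and the
        # foreign network is trusted; otherwise keep the end-to-end MN<->HA SA.
        if not (sa2_or_equivalent and env.foreign_network_trusted):
            chosen.add("SA3")
        if env.mn_policy_requires_sa4:
            chosen.add("SA4")
    else:
        # Without SA1 the text secures MN<->HA and MN<->CN end to end instead.
        chosen.update({"SA3", "SA4"})
    if not env.cn_in_home_network:
        chosen.add("SA5")       # CN outside the home network: protect CN<->HA too
    return chosen


def uncovered_hops(chosen: Set[str], env: Environment) -> List[Tuple[str, str]]:
    """Hops of TUNNEL_PATH that neither an SA nor a trusted segment protects."""
    protected: Set[int] = set()
    for sa in chosen:
        a, b = SA_ENDPOINTS[sa]
        if a in TUNNEL_PATH and b in TUNNEL_PATH:
            i, j = sorted((TUNNEL_PATH.index(a), TUNNEL_PATH.index(b)))
            protected.update(range(i, j))  # hop k joins TUNNEL_PATH[k] and [k+1]
    if env.cdma_air_link:
        protected.add(0)   # MN64 -> FA58 is protected by the code-based air link
    if env.foreign_network_trusted:
        protected.add(1)   # FA58 -> SMG45 lies inside the trusted foreign network
    protected.add(4)       # SMG15 -> HA28 lies inside the home network (assumed trusted)
    return [hop for k, hop in enumerate(HOPS) if k not in protected]


if __name__ == "__main__":
    for env in (Environment(), Environment(foreign_network_trusted=True),
                Environment(sa1_available=False), Environment(cdma_air_link=True)):
        sas = select_sas(env)
        print(sorted(sas), "uncovered:", uncovered_hops(sas, env))
```

Dropping SA3 while the foreign network is untrusted leaves the FA-to-gateway hop exposed, which is exactly the redundancy condition the text attaches to SA3.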
`
`Registration and AAA Redirection
`Foreign Agents and Home Agents periodically broadcast
`an agent advertisement to all nodes on the local network
`associated with that agent. An agent advertisement
`is a
`message from the agent on a network that may be issued
`under the Mobile IP protocol (RFC 2002) or any other type
`of communications protocol. This advertisement should
`include information that is required to uniquely identify a
`mobility agent (e.g. a Home Agent, a Foreign Agent,etc.) to
`a mobile node. Mobile nodes examine the agent advertise-
`ment and determine whether the mobile node is connected to
`
`its home network or a foreign network.
`If the mobile node is located on its home network, no
`additional actions need to be taken because information
`
`packets will be routed to the node according to the standard
`addressing and routing scheme. If the mobile node1s visiting
`a foreign network, however,
`the mobile node obtains a
`care-of address from the agent advertisement, and registers
`this care-of address with its Home Agent. The care-of
`address identifies the foreign network where the mobile
`node is located. The Home Agentuses this care-of address
`to tunnel data packets to the foreign network for subsequent
`transfer to the mobile node.
`
`To enhancesecurity using the present invention, mobility
`related messages, sometimes called control or control plane
`messages, transmitted between the foreign and home agents
`should be directed through the local AAA servers on the
`respective networks. This includes the AAA server 17 on the
`home network 10 and the AAA server 49 on the foreign
`network 48. Every time the Mobile Node 64 movesinto a
`new foreign network or powers up in the foreign network,
`the Mobile Node 64 must negotiate a new secure SA2 85
`connection with the Foreign Agent 58. While the control
`plane messages should be redirected through the AAA
`servers in the home and foreign networks,
`the SA2 85
`connection will only be initiated after the registration
`request and registration response have been initially sent
`outside a secure connection, also called “in the clear.” That
`is, the Mobile Node 64 will first successfully register with
`the Foreign Agent 58 and the Home Agent 28 without the
`use of a secure connection. In order to establish the SA2 85
`secure connection between the Mobile Node 64 and the
`Foreign Agent 58 thereafter, the registration request and
`response mustbe resent using the secure connection through
`the AAA servers on the home and foreign networks. Any
`subsequent registrations, after the initial registration, are
`done using the SAs established during the initial registra-
`tion.
The establishment of the SA2 secure connection with the redirection of the registration request and response through the AAA servers can be seen in FIG. 2 in steps 100 to 106, where the registration request from the Mobile Node 64 to the Foreign Agent 58 is shown in step 100, the registration request from the Foreign Agent 58 to the AAA server 49 at the foreign network 40 is shown in step 102, the registration request from the AAA server 49 at the foreign network 40 to the AAA server 17 at the home network 10 in step 104, and the registration request from the AAA server 17 on the home network 10 to the Home Agent 28 in step 106.
The redirection of the registration response through the AAA servers is shown in steps 110 to 116, where the registration response from the Home Agent 28 to the AAA server 17 on the home network 10 is shown in step 110, the registration response from the AAA server 17 on the home network 10 to the AAA server 49 on the foreign network 40 is shown in step 112, the registration response from the AAA server 49 on the foreign network 40 to the Foreign Agent 58 is shown in step 114, and the registration response from the Foreign Agent 58 to the Mobile Node 64 is shown in step 116.
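The relay path of steps 100 to 116 and the switch from the clear-text initial registration to the SA2 connection, as an added Python model that is not part of the patent text. Its assumptions: the AAA servers are modelled as pass-through hops (the page does not detail what they do with the messages); the Home Agent checks a Mobile Node to Home Agent authenticator and an identification value for replay, which base Mobile IP (RFC 2002) provides and this page does not describe; HMAC-SHA256 is used for every authenticator (RFC 2002 specifies keyed MD5); and a pre-shared SA2_KEY stands in for the key the IKE exchange would produce. Keys, addresses and identification values are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed keys: the patent text gives no key material or algorithm.
MN_HA_KEY = b"mn-ha-shared-secret"  # Mobile Node / Home Agent key (base Mobile IP MN-HA association)
SA2_KEY = b"sa2-negotiated-key"     # Mobile Node / Foreign Agent key; stands in for the IKE-negotiated SA2


def authenticator(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields (chosen here; RFC 2002 specifies keyed MD5)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()


@dataclass
class RegistrationRequest:
    home_addr: bytes
    care_of_addr: bytes
    identification: bytes             # replay-protection value (timestamp or nonce in Mobile IP)
    mn_ha_auth: bytes                 # keyed with MN_HA_KEY, checked by the Home Agent
    sa2_auth: Optional[bytes] = None  # keyed with the SA2 key, present only once SA2 exists


def build_request(home_addr, care_of_addr, identification, sa2_key=None):
    """Mobile Node side: authenticate the binding for the Home Agent and, if SA2 is up, for the Foreign Agent."""
    mn_ha = authenticator(MN_HA_KEY, home_addr, care_of_addr, identification)
    req = RegistrationRequest(home_addr, care_of_addr, identification, mn_ha)
    if sa2_key is not None:
        req.sa2_auth = authenticator(sa2_key, home_addr, care_of_addr, identification, mn_ha)
    return req


class HomeAgent:
    def __init__(self):
        self.bindings = {}  # home address -> registered care-of address
        self.seen = set()   # (home address, identification) pairs already accepted

    def handle(self, req):
        expected = authenticator(MN_HA_KEY, req.home_addr, req.care_of_addr, req.identification)
        if not hmac.compare_digest(expected, req.mn_ha_auth):
            return "reject: bad MN-HA authenticator"  # forged or altered care-of address
        if (req.home_addr, req.identification) in self.seen:
            return "reject: replayed identification"  # captured clear-text request replayed
        self.seen.add((req.home_addr, req.identification))
        self.bindings[req.home_addr] = req.care_of_addr
        return "accept"


class ForeignAgent:
    def __init__(self):
        self.sa2_key = None  # None until SA2 with the Mobile Node has been negotiated

    def check(self, req):
        if self.sa2_key is None:
            return None  # initial registration: relayed in the clear, as the patent describes
        expected = authenticator(self.sa2_key, req.home_addr, req.care_of_addr,
                                 req.identification, req.mn_ha_auth)
        if req.sa2_auth is None or not hmac.compare_digest(expected, req.sa2_auth):
            return "reject: bad SA2 authenticator"
        return None


def register(req, fa, ha, trace):
    """Relay one registration along the FIG. 2 path; AAA servers are modelled as pass-through hops."""
    trace.append("100 MN->FA")
    err = fa.check(req)
    if err:
        trace.append("116 FA->MN")
        return err
    trace.extend(["102 FA->AAA_F", "104 AAA_F->AAA_H", "106 AAA_H->HA"])
    result = ha.handle(req)
    trace.extend(["110 HA->AAA_H", "112 AAA_H->AAA_F", "114 AAA_F->FA", "116 FA->MN"])
    return result


def run_scenario():
    """Initial registration in the clear, two attacks on it, then re-registration under SA2."""
    ha, fa = HomeAgent(), ForeignAgent()
    home, coa = b"10.0.0.5", b"192.0.2.7"  # constructed addresses
    out = {}
    trace = []
    first = build_request(home, coa, b"id-1")
    out["initial"] = (register(first, fa, ha, trace), trace)
    out["replay"] = register(first, fa, ha, [])                  # eavesdropper replays the clear-text request
    forged = RegistrationRequest(home, b"198.51.100.9", b"id-2", first.mn_ha_auth)
    out["session_steal"] = register(forged, fa, ha, [])         # redirect traffic to an attacker's care-of address
    fa.sa2_key = SA2_KEY                                         # SA2 negotiated (IKE stands in); resend under it
    out["resent_under_sa2"] = register(build_request(home, coa, b"id-3", SA2_KEY), fa, ha, [])
    trace = []
    out["missing_sa2"] = (register(build_request(home, coa, b"id-4"), fa, ha, trace), trace)
    return out, ha.bindings


if __name__ == "__main__":
    results, bindings = run_scenario()
    for name, value in results.items():
        print(name, value[0] if isinstance(value, tuple) else value)
    print("bindings", bindings)
```

The model shows what the clear-text first registration does and does not expose: the Home Agent's own authenticator and replay check (from base Mobile IP, not from this page) already stop a redirected or replayed request, but nothing binds the Mobile Node to the Foreign Agent until SA2 exists, after which the Foreign Agent rejects any registration that lacks a valid SA2 authenticator before relaying it. The model carries no confidentiality; the eavesdropping concern raised in the abstract is only addressed once the SA2 connection is in place, and the page does not say which IPsec services that connection provides.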
If the Foreign Agent 58 is capable of establishing an SA relationship, then the agent advertisement issued by the Foreign Agent 58 should be expanded to indicate this capability to the Mobile Node 64. The Mobile Node 64 can then initiate establishment of the secure connection, and it is recommended that the Aggressive Mode of the Internet Key Exchange protocol (IKE) be used, as shown in step 120 of FIG. 2. The Quick Mode in step 122 can also be used to speed the SA set-up operation, as shown in FIG. 2. Lastly,
