CN100539586C - Support method, system and the equipment of hierarchical mobile IP services - Google Patents

Support method, system and the equipment of hierarchical mobile IP services Download PDF

Info

Publication number
CN100539586C
CN100539586C CNB2004800234028A CN200480023402A CN100539586C CN 100539586 C CN100539586 C CN 100539586C CN B2004800234028 A CNB2004800234028 A CN B2004800234028A CN 200480023402 A CN200480023402 A CN 200480023402A CN 100539586 C CN100539586 C CN 100539586C
Authority
CN
China
Prior art keywords
hmipv6
map
aaa
mobile node
eap
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB2004800234028A
Other languages
Chinese (zh)
Other versions
CN1836420A (en
Inventor
J·王山
加藤良司
J·鲁内
T·拉松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget LM Ericsson AB filed Critical Telefonaktiebolaget LM Ericsson AB
Publication of CN1836420A publication Critical patent/CN1836420A/en
Application granted granted Critical
Publication of CN100539586C publication Critical patent/CN100539586C/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

Essential characteristic of the present invention is the HMIPv6 business that relies on AAA foundation structure next " guiding " mobile node (130) of " roaming " in visited network or in the home network.According to first-selected embodiment of the present invention, it is that the HMIPv6 business is to mobile node (130) authentication and mandate that guiding HMIPv6 business relates to based on AAA foundation structure.In important occasion, mobile node is roamed in visited network, and AAA foundation structure (110,120,122) links the home network of visited network with mobile node.The present invention also supports MAP (125) is located at possibility in other networks of home network or non-visited network.The dependence of AAA foundation structure preferably related to by AAA foundation structure be transmitted as the HMIPv6 business to the mobile node authentication with authorize required HMIPv6 relevant information.

Description

Support method, system and the equipment of hierarchical mobile IP services
Technical field
The present invention relates generally to mobile communication, and relate more specifically to professional support mobile IP (Internet Protocol), and hierarchical mobile IP the 6th version 6 services especially.
Background technology
Mobile IP (MIP) makes mobile node (MN) change its tie point to the internet with minimum service disruption.It is any to striding the ambulant specific support of different management domains that MIP itself does not provide, and this has limited the applicability of MIP in large-scale commercial applications is disposed.
The 6th edition (MIPv6) agreement of mobile IP [1] can move node in the Internet topology, keep simultaneously accessibility with just being connected of communication node.In this case, always each mobile node identify by its home address, and no matter it is to the current tie point of IPv6 internet.When away from its home network, mobile node also is associated with Care-of Address (CoA), and Care-of Address provides the information of the current location of relevant this mobile node.The IPv6 grouping that is addressed to the home address of mobile node more or less is routed to pellucidly its Care-of Address.The MIPv6 agreement makes the home address that the IPv6 node can the high-speed cache mobile node and the binding of its Care-of Address, and any grouping that will mail to mobile node then sends to Care-of Address.For this reason, each when mobile, mobile node sends home agent (HA) and its communication node of communicating by letter of said Binding Update to it.The authentication Binding Update needs some coming and going between mobile node and each communication node.In addition, one of needs come and go and upgrade home agent, although this can more carry out in the new communications nodes.When carrying out the switching of new couple in router, these round-trip delaies will be interrupted effectively connecting at every turn.
For this reason and other reasons, hierarchical mobile IPv 6 (HMIPv6) agreement [2] has been proposed, to support the mobile management of this locality or hierarchical form.The Hierarchical Mobility Management of mobile IP v 6 reduces MN, its communication node (CN) and the signaling quantity between its HA by introducing the said mobile anchor point (MAP) that is positioned at visited network.The introducing of MAP can also be used to improve the performance of mobile IP v 6 aspect switch speed.
Fig. 1 schematically illustrates the example in the HMIPv6 territory of MAP in visited network of prior art.The whole system view comprises the home network 10 with common home agent (HA) 15, the visited network 20 with MAP25 and couple in router (AR) 27.The mobile node (MN) 30 that enters the MAP territory will receive the said router advertisement that contains relevant for the information of one or more local MAP.MN 30 can it is current position (link associated care-of address or LCoA) and the subnet of MAP that is called regional care-of address (RCoA) on address binding.As local HA, the MN 30 that on behalf of it, MAP 25 will just serving receives all groupings, and will encapsulate the LCoA that they also directly are forwarded to MN.
When mobile node when communicating by letter with communication node (CN) 40 when couple in router 1 (AR1) 27-1 moves to couple in router 2 (AR2) 27-2, MAP can help to move for mobile node provides seamless.When arriving visited network, mobile node 30 will be found the global address of MAP25.This address is stored in the couple in router, and is sent to mobile node via router advertisement.This process is called MAP to be found, and needs this process of execution to notify mobile node to have MAP.The MAP territory is limited by the couple in router to the mobile node bulletin MAP information that connects usually.The MAP discovery procedure continues when a subnet moves to next subnet at mobile node.As long as mobile node is roamed in the MAP territory, then couple in router is configured to announce identical MAP address.Change if receive in the address of MAP of bulletin, then mobile node must be carried out to move and detect, and sends necessary Binding Update to its home agent and communication node.
If mobile node is not known HMIPv6, then will not carry out MAP and find, and mobile IP v 6 will be used for mobile management.On the other hand, if mobile node is known HMIPv6, then it should select to use HMIPv6.If like this, mobile node comes 25 registrations to MAP by the Binding Update that transmission contains its home address and LCoA address.Used home address is the RCoA address in the Binding Update, and MAP 25 with this information stores in its binding high-speed cache, can when receiving grouping, they being forwarded to their final destination from communication node 40 or HA 15.
As MIP, it is any to striding the ambulant specific support of different management domains that HMIPv6 itself does not provide, and this has limited the applicability of HMIPv6 in large-scale commercial applications is disposed.
Usually can expect that MN needed at first to pass through authentication before being authorized to use the business of HMIPv6.Importantly, the security relationship between mobile node and the MAP has strong character; It should preferably relate to mutual authentication, integrity protection and anti-replay-attack protection.For this reason, the distribution as the certificate related data of the safe key between MN and the MAP need depend on Public Key Infrastructure (PKI) and other complicated agreements at present.Present HMIPv6 draft [2] also with the position limit of MAP in visited network.
Summary of the invention
The present invention has overcome these and other shortcomings that prior art is arranged.
General objects of the present invention provides the improvement support to the HMIPv6 business of mobile node.Solution should preferably include the mechanism of being convenient to dispose HMIPv6.
Particularly, be desirable to provide the streamline of a kind of authentication of HMIPv6 business and mandate but healthy and strong solution, it does not need to depend on Public Key Infrastructure (PKI) and other complicated agreements.
Another object of the present invention is to allow the whole HMIPv6 of shortening settling time.
A further object of the present invention provides a kind of method and system that is used to support the HMIPv6 business.
Another purpose of the present invention provides the streamline authentication of support HMIPv6 business and/or the independent networking component of mandate.
Limit as appended Patent right requirement, satisfy these and other purposes by the present invention.
Essential characteristic of the present invention is to rely on the HMIPv6 business that AAA foundation structure is come " guiding " mobile node.According to first-selected embodiment of the present invention, it is that the HMIPv6 business is to mobile node authentication and mandate that guiding HMIPv6 business relates to based on AAA foundation structure.In important occasion, mobile node is roamed in visited network, and AAA foundation structure links the home network of visited network with mobile node.But, the occasion when the present invention supports also that mobile node is physically located in home network.In this case, the AAA infrastructure component of home network can provide necessity support to the HMIPv6 business with the MAP in the home network.
The dependence of AAA foundation structure preferably related to by AAA foundation structure be transmitted as the HMIPv6 business HMIPv6 relevant information required the mobile node mandate.
The HMIPv6 guiding is usually based on setting up security association, so that relevant communication security for example allows the HMIPv6MAP binding of authentication between suitable MAP and mobile node.
In first-selected embodiment of the present invention, in identical with the HMIPv6 secure association procedure coming and going, incidentally transmit the HMIPv6 mobile process and make and to shorten whole settling time by in public procedure, optimizing authentication, mandate and mobility.
Authorization stages comprises explicit mandate naturally, but can also comprise the configuration of related node.The HMIPv6 relevant configuration as the configuration of mobile node and/or the configuration of MAP, therefore can be considered as the part of whole licensing process usually.This often means that the HMIPv6 relevant information can be HMIPv6 authentication, mandate and/or configuration information.
The MAP discovery procedure that replacement is conventional responds the MAP specified request (the MAP appointment that mobile node is initiated) from the mobile node initiation or as reassigning that network is initiated, AAA foundation structure is preferably used for suitable MAP is assigned to mobile node.
Also recognize, have such situation, make MAP be arranged in home network or other networks are useful, for example the situation that does not provide MAP to support for visited network.The MAP that is arranged in home network can be used to solve the HA scalability issues, unloads HA by the quantity of going to the Binding Update of HA during moving in the minimizing MAP territory.By being chosen in the MAP of close MN position on the landform, can realize quick switching.
Situation when MAP is arranged in home network can be suitable with AAA home network server (AAAh) as the AAA infrastructure component that is suitable for the MAP appointment.On the other hand, when MAP was positioned at visited network, it can be suitable that AAA visited network server (AAAv) is used for the MAP appointment.In fact, the position of MAP can be in home network, visited network or other networks.In predetermined MAP territory, no longer the router advertisement that contains about the information of MAP there is any pressure dependence.
With respect to using PKI foundation structure, the dependence of AAA foundation structure is provided for guiding the different possibilities of HMIPv6 business.For example, it is possible providing the expansion of the common authentication protocol by AAA foundation structure carrying and/or strengthening that the AAA framework agreement uses.
For example, verified, it is very useful transmitting the HMIPv6 relevant information in authentication protocol between mobile node and AAA home network server in end-to-end procedure.Authentication protocol can be based on the extended authentication agreement or the New Deal of existing protocol.
But a kind of possible authentication protocol as the basis that guides HMIPv6 is extended authentication agreement (EAP), creates the EAP expansion and preferably keeps the EAP lower level complete simultaneously.This often means that the HMIPv6 relevant information is combined in the EAP protocol stack as additional data, for example as transmitting in EAP attribute in the EAP method layer of EAP protocol stack or the universal container on EAP layer or EAP method layer.
With do to the EAP expansion replenish or alternative another kind of mode is, strengthen EAP " lower level ", as create AAA framework agreement new or expansion and use, the diameter that for example is suitable for HMIPv6 is used or based on the application of radius protocol.
When MAP was arranged in home network, it was possible for example using the authentication protocol of the expansion of carrying by AAA foundation structure or the AAA framework agreement application of enhancing.But, when MAP is arranged in visited network, preferably should be used for using the EAP agreement of expansion in conjunction with the AAA framework agreement that strengthens, perhaps alternatively under the situation of not supporting any EAP expansion, use the AAA framework agreement that strengthens to use.
For example, between the AAA client in mobile node and visited network, the EAP agreement of expansion can by PANA (agreement that is used for the bearer network access authentication), PPP (peer-peer protocol), IEEE 802.1X or even carry by the GPRS/UMTS interface, and in AAA foundation structure, should be used for carrying by diameter or RADIUS.
Particularly, rely on the EAP expansion a kind of streamline solution is provided, it is easy to management and first-class, and backward compatibility issues is minimum.The use of EAP make AAA client (and AAAv) can be at least when MAP is arranged in home network to HMIPv6 process unknowable (agnostic) (, this removes the dependence that the HMIPv6 to visited network supports), and only serve as straight-through (pass-through) agency.This is to use one of major advantage of EAP.
By also in the authentication protocol stack of expansion or in the AAA framework agreement that strengthens is used, comprising the MIPv6 relevant information, by AAA foundation structure simultaneously with HMIPv6 with the MIPv6 authentication with authorize that to be contained in identical be possible in round.It is of course possible to use such network of enabling MIPv6/HMIPv6 and under the situation that does not have MIPv6 authentication and/or mandate, only carry out HMIPv6 authentication and/or mandate, and vice versa, depends on the real needs of MN under the particular case.This makes the authentication protocol of single expansion and/or the AAA framework agreement of enhancing use and can use in various use-case occasions neatly.
The invention provides following advantage:
Guide the HMIPv6 business effectively;
Transmit the HMIPv6 relevant information that is used to authorize the HMIPv6 business effectively;
The streamline solution that the HMIPv6 that expands based on EAP supports, it is easy to management and first-class, and backward compatibility issues is minimum;
Shorten whole HMIPv6 settling time;
In public procedure, optimize authentication, mandate and mobility;
MAP based on AAA specifies;
The MAP position is not limited to visited network;
MAP can be arranged in home network, to solve the HA scalability issues, unloads HA by the quantity of going to the Binding Update of HA during moving in the minimizing MAP territory; And
Simultaneously with HMIPv6 and MIPv6 authentication with authorize and be contained in identical the coming and going.
Below reading, during to the description of the embodiment of the invention, will understand other advantages provided by the invention.
Brief description
By with reference to the description of carrying out below in conjunction with accompanying drawing, can very well understand the present invention and other purposes and advantage, among the figure:
Fig. 1 is the schematic diagram of example that the HMIPv6 territory of MAP in visited network of prior art is shown;
Fig. 2 is the schematic diagram that the innovation system structure that the HMIPv6 of the mobile node of roaming in visited network of example embodiment according to the present invention supports is shown;
Fig. 3 is the schematic diagram that the innovation system structure that the HMIPv6 of the mobile node of roaming in visited network of another example embodiment according to the present invention supports is shown;
Fig. 4 is the schematic diagram that the innovation system structure that the HMIPv6 of the mobile node of operating in its oneself home network of according to the present invention example embodiment supports is shown;
Fig. 5 is the schematic block diagram of the AAA home network server of first-selected example embodiment according to the present invention;
Fig. 6 is the schematic block diagram of the MAP node of first-selected example embodiment according to the present invention;
The home network of situation when Fig. 7 illustrates and is positioned at to(for) MAP, use the demonstration signaling flow of the HMIPv6AAA of diameter/EAP/HMIPv6;
The visited network of situation when Fig. 8 illustrates and is positioned at to(for) MAP, use, use the demonstration signaling flow of the HMIPv6AAA of diameter/EAP/HMIPv6 in conjunction with diameter HMIPv6;
The home network of situation when Fig. 9 illustrates and is positioned at to(for) MAP, use the demonstration signaling flow of the HMIPv6AAA that diameter HMIPv6 uses;
The visited network of situation when Figure 10 illustrates and is positioned at to(for) MAP, use the demonstration signaling flow of the HMIPv6AAA that diameter HMIPv6 uses; And
Figure 11 is the schematic flow diagram of illustrated examples of method that is used to support the HMIPv6 business of mobile node.
Embodiment
In institute's drawings attached, will use identical quotation mark for correspondence or similar parts.
Basic thought according to the present invention is, for HMIPv6 authentication and mandate, based on AAA foundation structure rather than depend on the HMIPv6 business that complicated PKI foundation structure is come " guiding " mobile node.HMIPv6 guiding all is effective for mobile node of operating in home network and the mobile node roamed in visited network, in the previous case, adopt home network AAA foundation structure, and adopt the whole AAA foundation structure that visited network and home network are linked in the later case.
Replace by adopting Public Key Infrastructure (PKI) between MN and MAP, to set up security association and distributing security keys, preferably carry out the authentication and the mandate of HMIPv6 business, for example be transmitted as the HMIPv6 business to mobile node authentication and the required HMIPv6 relevant information of mandate by AAA foundation structure based on AAA foundation structure.
Replace conventional MAP discovery procedure, MAP specified request that response is initiated from mobile node (the MAP appointment that mobile node is initiated) or reassigning as the network initiation, also preferably AAA foundation structure is used for suitable MAP is assigned to mobile node, will be explained in more detail after a while.In predetermined MAP territory, no longer the router advertisement that contains about the information of MAP there is any pressure dependence.
AAA HMIPv6 guiding normally based on by AAA foundation structure be the foundation of security relationship at suitable MAP and the security association between the mobile node so that related communication safety for example allows the HMIPv6MAP binding of authentication.
In first-selected execution mode, incidentally transmission comprises and the HMIPv6 mobile process of Binding Update makes and may shorten whole settling time by optimize authentication, mandate and mobility in public procedure thus in identical with the HMIPv6 secure association procedure coming and going.
The general sense in its Internet-Draft, RFC and other standardization document should be got in term " AAA ".Usually, the authentication of AAA (mandate, authentication, charging) foundation structure and safe key are agreed based on symmetric cryptography, mean to have the initial secret of sharing between mobile node and home network operator or trusted party.In some occasions with in using, for example can forbid or not implement the charging feature of AAA foundation structure.AAA foundation structure generally comprises one or more aaa servers in home network, go-between (if any) and/or visited network, but also can comprise one or more AAA clients.
In general, exactly make the mobile subscriber can be as the aaa protocol of diameter protocol in not necessarily roaming and obtain service in all network by their home service provider.Therefore in order to dispose mobile IP in commercial network, the AAA that needs this agreement supports.Special circumstances for the mobile IP v 6 (MIPv6) of no any Hierarchical Mobility Management have proposed Internet-Draft [3], and it stipulates a kind of new application of diameter, and it enables the MIPv6 that roams in the network of network of home operator management not being.The interim patent of submitting on June 18th, 2003 at us of the U.S. is stretched and is asked 60/479156 and in Internet-Draft [4] afterwards, advises a kind of architecture and related protocol that is used for carrying out based on AAA foundation structure mobile IP v 6 mandate and configuration.Realizing for necessity of MIPv6 is to use EAP (but extended authentication agreement) alternately between the aaa server of ownership provider and the mobile node, the information that it will be used for the mobile IP v 6 negotiation transmits with authorization data.
Fig. 2 is the schematic diagram that a kind of innovation system structure that the HMIPv6 of example embodiment supports according to the present invention is shown.Mobile node 130 is roamed in visited network, and carries out HMIPv6 authentication and mandate by the AAA foundation structure that the home network that uses visited network and mobile node links.In this example, AAA foundation structure relates to AAA visited network server 120 and the AAA client 122 in AAA home network server 110, the visited network basically.
Preferably, can be with AAA visited network server (AAAv) 120 as the AAA infrastructure component that is suitable for the MAP appointment, the operator's that when selecting MAP, considers to be interviewed strategy.The selection of MAP can be for example based on the position of the present load of available MAP, mobile node and/or the preference that may provide by mobile node.
The primary clustering of AAA foundation structure is an AAAh server 110, it preferably will be forwarded to AAAv server 120 from mobile node to any request of MAP appointment, and also generate safe key immediately or security association in the future or the similar certificate that is used between the MAP 125 of given mobile node 130 and appointment.Usually safe key is sent to MAP 125 via AAAv 120 from AAAh 110 then, and MAP 125 preferably via AAAv 120 to be used to finish the AAAh of information response 110 of security association.At last, that will generate and the HMIPv6 authorization message that collect of AAAh server 110 sends to mobile node 130 by AAA foundation structure.Suppose that the secure tunnel that adopts AAA foundation structure or other safety measures are as encrypting and the source integrity protection transmits sensitive information as safe key.
The dependence of AAA foundation structure is provided for guiding the different possibilities of HMIPv6 business.For example, new authentication protocol is provided or provides the expansion of the authentication protocol by AAA foundation structure carrying and/or strengthen the AAA framework agreement to use with carrying HMIPv6 relevant information be possible, shown in Fig. 2 signal.
Preferably, utilize the authentication protocol of expansion, as be suitable for expansion EAP (but the extended authentication agreement) agreement of HMIPv6, the AAA framework agreement that also have to strengthen is in addition used, as is used for HMIPv6 diameter or RADIUS application via the interface of AAAv server between AAAh server and the visited network MAP.
For example, between the AAA client in mobile node and visited network, a kind of authentication protocol new or expansion can by PANA (agreement that is used for the bearer network access authentication), PPP (peer-peer protocol), IEEE 802.1X or even carry by the GPRS/UMTS interface, and in AAA foundation structure by diameter or similarly AAA framework or carrier agreement are carried.
Alternatively, under the situation of not supporting any EAP expansion, use the AAA framework agreement that strengthens to use, use as a kind of diameter new or expansion or RADIUS.For the path between mobile node and the AAA client, can for example carry diameter or RADIUS application by ICMP (Internet Control Message Protocol).
Also recognize, have such situation, make MAP be arranged in home network or other networks are useful, for example the situation that does not provide MAP to support for visited network.The exemplary architecture that HMIPv6 supported when Fig. 3 illustrated MAP and is positioned at home network.
It is useful AAA home network server (AAAh) 110 being used for the MAP appointment herein.Preferably, AAA home network server (AAAh) 110 also generates safe key or similar security parameter or the certificate that is used for the security association between the MAP 125 of mobile node and appointment, and described safe key is sent to MAP 125.MAP 125 is being used to finish the AAAh of information response 110 of security association, and AAAh 110 sends to mobile node 130 by AAA foundation structure with the MIPv6 authorization message subsequently.
Because MAP125 is positioned at home network, so AAAv120 need not to check these affairs, and have " end-to-end procedure " that be used for HMIPv6 authentication and mandate from but possible.This preferably realizes by the authentication protocol that uses expansion, as is suitable for expansion EAP (but the extended authentication agreement) agreement of HMIPv6.Alternatively, can utilize the AAA framework agreement of enhancing to use, use as HMIPv6 diameter or RADIUS.The MAP125 that is positioned at home network can also be used to solve the HA scalability issues, unloads HA by the quantity of going to the Binding Update of HA 115 during moving in the minimizing MAP territory.By being chosen in the MAP of close MN position on the landform, can realize quick switching.
Should be appreciated that the present invention has removed the restriction that MAP 125 need be positioned at the prior art of visited network.Now, the position of MAP can be in home network, visited network or other networks.Technically, MN and any MAP binding all is possible, as long as utilize AAA to support to obtain RCoA on the MAP, if the operator allows like this.
Reassigning of MAP can be taken place during following exemplary scenario:
Safe key between MN and the MAP expires-and for this situation, MN initiates HMIPv6 and re-authenticates/authorizes, and network can be based on the different more suitable MAP of current topology location appointment of for example MN.
(MN initiates)-for this situation, MN initiates HMIPv6 and re-authenticates/authorize when the mobile node request, and MAP is reassigned in request.
(network is initiated)-for this situation, AAAh or AAAv initiate reassigning of MAP when network requests, and when this demand occurs, for example when MN moves to the AR that is covered better by new MAP it " are pushed away " to MN.
With reference to figure 2 and 3, summarize the some possible example of the different agreement combination between section AAA client-AAAh and AAAh-(the AAAv)-MAP below again:
AAA client<-AAAh AAAh<-(AAAv)<-MAP
(i) AAA HMIPv6 uses AAA HMIPv6 application
(ii) the authentication protocol AAA HMIPv6 of expansion uses
The authentication protocol of the authentication protocol expansion of (iii) expanding
Combination (iii) is particularly useful for the situation that MAP is positioned at home network.When MAP is positioned at visited network, based on visited network policy selection MAP the time, may relate to AAAv.
In another occasion that Fig. 4 schematically illustrates, mobile node 130 is physically located in home network, and the AAA infrastructure component of home network such as AAAh server 110 utilize MAP125 in the home network that necessity support to the HMIPv6 business is provided.This means that the relevant portion that only the authentication HMIPv6 agreement and the AAA HMIPv6 of expansion need be used is used to exchange necessary authentication and authorization message.
Fig. 5 is the schematic block diagram according to this AAA home network server of sending out example embodiment first-selected.In this example, AAAh server 110 consists essentially of optional MAP designated module 111, security association module 112, authorization message manager 113 and I/O (I/O) interface 114.For the situation of MAP in home network, AAAh server 110 comprises MAP designated module 111, and it can be operated and be used to specify and/or reassign suitable MAP to mobile node.For the situation of MAP in visited network, AAAh server 110 receives necessary MAP appointed information usually on its I/O interface 114.The AAAh server also receives key seed and Binding Update (BU) from mobile node usually.Alternatively, AAAh server itself generates key seed and sends it to mobile node.Security association module 112 preferably generates required safe key responding this seed, and with this secret key safety send to MAP (directly the MAP in the home network or via the MAP of AAAv server in the visited network).Binding Update (BU) also is forwarded to MAP.AAAh server 110 from MAP receive the RCoA address and with these data together with other associated authorization (and/or configuration) information stores authorization message manager 113.The AAAh server can also receive the information such as ipsec information that is used to finish security association from MAP.At last, mandate (and/or configuration) information of collecting is sent to mobile node.
The AAAh server can also be responsible for home address and specify (unless home address is by MN configuration itself) and/or home agent to specify.
Fig. 6 is the schematic block diagram of the MAP node of first-selected example embodiment according to the present invention.In this example, MAP125 consists essentially of RCoA designated module 126, security association module 127 and I/O (I/O) interface 128.MAP is preferably mutual with the AAA home network server, to support the security association of foundation and mobile node.MAP receives safe key by I/O interface 128 from the AAA home network server, to be stored in safely in the security association module 127.MAP also prepares to be used to finish the security association information necessary with mobile node, and it is sent it back the AAA home network server, by AAA foundation structure it is forwarded to mobile node again.For in MAP, binding, RCoA module 126 preferably specifies the RCoA address to give mobile node, and the LCoA address of this address together with mobile node be stored in the binding high-speed cache (not shown) of MAP, and the RCoA address of appointment sent to the AAA home network server, to be forwarded to mobile node subsequently.
In order to understand the present invention better, will the extended authentication agreement of HMIPv6 and the more detailed example of the AAA framework agreement application that is suitable for HMIPv6 be described at once.
The extended authentication agreement of HMIPv6
In first-selected example embodiment, defined the extended authentication agreement of a kind of HMIPv6, this paper be example with new or expansion EAP authentication protocol (being called " HMIPv6 method for authenticating " or " EAP/HMIPv6 "), and its carries and is convenient to for example find distributing security keys and/or the possible HMIPv6 relevant information of incidentally transmitting the HMIPv6 mobile process between MAP, dynamic assignment MAP, dynamic assignment RCoA, MN and the MAP.
If wish, HMIPv6 can be integrated in the identical agreement with MIPv6 authentication and/or mandate, for example EAP/HMIPv6 is defined as the superset of EAP/MIPv6 agreement, except the specific type-length-value of MIPv6 (TLV), it also defines the specific TLV attribute of new HMIP.By the part of EAP/MIPv6TLV attribute as EAP/HMIPv6 comprised, carry out in the time of with MIPv6 and HMIPv6 authentication and/or mandate that to be contained in the single traversal be possible, this allows shorter settling time.Also possible is only to carry out HMIPv6 authentication and/or mandate under the situation that does not have MIPv6 authentication and/or mandate, and vice versa, depends on the real needs of MN under the particular case.This can use single EAP authentication protocol EAP/HMIPv6 neatly in various use-case occasions.
Particularly, rely on the EAP expansion a kind of streamline solution is provided, it is easy to management and first-class, and backward compatibility issues is minimum.The use of EAP make AAA client (and AAAv) can be at least when MAP is positioned at home network to HMIPv6 process unknowable (this removes the dependence that the HMIPv6 to visited network supports), and only serve as cut-through proxy.This is to use one of major advantage of EAP.
As noted earlier, between the AAA client in mobile node and visited network, EAP/HMIPv6 can be for example by PANA, PPP, ICMP, IEEE 802.1X or even carry by the GPRS/UMTS interface.Though PANA may be first-selected in some cases, as PPP[6] and IEEE 802.1X[7] other carrier agreements that satisfy the EAP demand that ordering guarantees to lower level can be used to carry EAP/MIPv6 between MN and the AAA client.Specifically, between MN and AAA client, use for EAP[6 for the situation of 3GPP2 CDMA2000] the protocol field value PPP information link layer protocol that is made as C227 (Hex) encapsulates that to carry EAP/HMIPv6 be possible.
First-selected embodiment is with diameter, RADIUS or similarly AAA framework or carrier agreement are used for communicating by letter between AAA client and the AAAh server.For example, towards AAA foundation structure with in AAA foundation structure, diameter EAP uses [5] and can be used for EAP/HMIPv6 is encapsulated in the diameter, promptly between PAA/AAA client and the AAAh beyond AAA client.Diameter protocol can also be used for randomly the MIP packet filter being assigned to PAA/EP and HA via the MIP filter rules by AAAh, and they strengthen a little corresponding to filter.Be PAA safety, diameter protocol can also be used for safe key is distributed to PAA by AAAh, and randomly sends the qos parameter signal.
Although it is first-selected should be noted that diameter, it can be suitable changing into sometimes and use the another kind of aaa protocol as RADIUS with the modification that it will be apparent to those skilled in the art.
Moreover, in EAP/HMIPv6, incidentally transmit the HMIPv6 mobile process and make and may shorten whole settling time by in public procedure, optimizing authentication, mandate and mobility.
The details of demonstration EAP/HMIPv6 agreement
Hereinafter, provide demonstration EAP/HMIPv6 the details of agreement, with the example of explanation overall flow and the feasibility (viability of concept) of notion.
EAP TLV attribute
In first realization example, define one group of new EAP TLV attribute according to EAP/HMIPv6.Rely on these attributes, except main IPv6 authentication information, the EAP agreement can also be carried the HMIPv6 relevant information and randomly can also be carried the MIPv6 relevant information.
For EAP/HMIPv6, different authentication protocols is possible.In first-selected embodiment, the present invention proposes the execution mode by MD5 inquiry authentication, but other agreements also belong to scope of the present invention.
Matrix is summarized in the demonstration that provides EAP/HMIPv6 TLV in the following table 1:
The EAP/HMIPv6 type-length-value The source The destination Purpose Note
The specific TLV:RCoA request of HMIPv6 EAP-TLV attribute RCoA response EAP-TLV attribute RCoA EAP-TLV attribute MAP Address requests EAP-TLV attribute MAP address response EAP-TLV attribute MAP-MN wildcard generation active value EAP-TLV attribute MAP-MN wildcard EAP-TLV attribute MAP IKE KeyID EAP-TLV attribute MAP-MNIPScc SPI EAP-TLV attribute MAP-MNIPSec agreement EAP-TLV attribute MAP-MN IPSec password EAP-TLV attribute MAP-MN ipsec key term of validity EAP-TLV attribute HMIP-binds-upgrades EAP-TLV attribute HMIP-and binds-confirm the EAP-TLV attribute MN AAAh AAAh AAAh MN AAAh AAAh MN AAAh AAAh MAP AAAh MAP AAAh MAP AAAh MAP AAAh MN MN MAP AAAh AAAh MN MN MAP AAAh MN MN AAAh MAP MN MN through AAAh MN MN through AAAh MN MN through AAAh MN MN through AAAh MN MAP through AAAh AAAh MN through AAAh MN Request RCoA specifies RCoA to transmit seed that RCoA specifies RCoA request MAP address to specify the MAP address to transmit MAP address MN-MAP key from AAAv from AAAv and specifies MN-MAP key assigned I KEKeyID to specify SPI to transmit from MAP to specify ipsec protocol to transmit assigned ip Sec password from MAP to transmit the assigned ip sec key term of validity from MAP and transmit from MAP and incidentally transmit the HMIP Binding Update and incidentally transmit the HMIP Binding Update and incidentally transmit the HMIP binding acknowledgement and transmit from MAP MAP is positioned at home network MAP and is positioned at visited network MAP and is positioned at home network MAP and is positioned at home network MAP and is positioned at visited network MAP and is positioned at home network MAP and is positioned at home network MAP and is positioned at home network MAP and is positioned at visited network MAP and is positioned at home network MAP and is positioned at visited network MAP and is positioned at home network MAP and is positioned at visited network MAP and is positioned at home network MAP and is positioned at visited network MAP and is positioned at home network MAP and is positioned at visited network MAP and is positioned at home network MAP and is positioned at visited network
The specific TLV of MIPv6 (choosing wantonly): MIPv6 home address EAP-TLV attribute HA-MN wildcard EAP-TLV attribute HA-MNIPSec agreement EAP-TLV attribute HA-MNIPSec password EAP-TLV attribute MIP-binds-upgrades EAP-TLV attribute MIP-and binds-confirm the EAP-TLV attribute AAAh AAAh HA HA MN HA HA HA MN through AAAh MN through AAAh HA through AAAh MN through AAAh Specify the MN home address to specify the HA-MN key to specify ipsec protocol assigned ip Sec password incidentally to transmit the MIP Binding Update and incidentally transmit the MIP binding acknowledgement
Basic MIPv6TLV (choosing wantonly): MD5 inquiry EAP-TLV attribute AAAh MN The issue inquiry
The EAP/HMIPv6 type-length-value The source The destination Purpose Note
MD5 response EAP-TLV attribute MIPv6 home address request EAP-TLV attribute MIPv6 home address response EAP-TLV attribute MIPv6 home agent Address requests EAP-TLV attribute MIPv6 home agent address response EAP-TLV attribute HA-MN wildcard generates active value EAP-TLV attribute IKE KeyID EAP-TLV attribute HA-MN IPSec SPI EAP-TLV attribute HA-MN ipsec key term of validity EAP-TLV attribute PAC-PAA wildcard and generates active value EAP-TLV attribute MN MN AAAh MN AAAh MN AAAh HA HA MN AAAh AAAh MN AAAh MN AAAh MN MN through AAAh MN through AAAh AAAh Provide and specify MN home address request HA address to specify the seed of HA address HA-MN key to be used for specifying SPI to specify the seed of ipsec key term of validity PAC-PAA key from the information of AAAh acquisition HA-MN wildcard to the response request MN home address of inquiry
Attention: IKE KeyID comprises some eight hytes, and it informs that how HA/MAP is from AAA retrieval (or generation) HA-MN wildcard/MAP-MN wildcard.
Can be following the one or more of EAP-TLV attribute that demonstrate of HMIPv6 definition:
RCoA request EAP-TLV attribute:
This expression is to the request of the RCoA address of the dynamic assignment of the MN of authentication.When MN asks by authentication and is given the HMIPv6 business, ask it to AAAH by MN.
RCoA response EAP-TLV attribute:
The RCoA address of the dynamic assignment of the MN of this expression authentication.To the MN that for example asked success authentication the time, it is notified to MN from AAAh.
RCoA EAP-TLV attribute:
The RCoA address of the dynamic assignment of the MN of this expression authentication.To the MN that for example asked success authentication the time, from AAAh it is notified to MAP, in MAP, to specify the RCoA address.
MAP Address requests EAP-TLV attribute:
This expression when successful authentication to the request of the address of the MAP of the dynamic assignment of MN.When MN asks by authentication and is given the HMIPv6 business, ask it to AAAH by MN.Because having dynamic MAP discover method, the HMIPv6 agreement distributes MAP, so this attribute is chosen wantonly.
MAP address response EAP-TLV attribute:
The MAP address of the dynamic assignment of the MN of this expression authentication.When MN asks by authentication and is given the HMIPv6 business, it is notified to MN from AAAh.Because having dynamic MAP discover method, the HMIPv6 agreement distributes MAP, so this attribute is chosen wantonly.
The MAP-MN wildcard generates existing with value EAP-TLV attribute:
The conduct that this expression MN generates at random is used to generate eight hyte strings of the seed of the wildcard between the MAP-MN.By this is now used suitable hashing algorithm with the shared combination of keys between value and MN and the AAAh, MN can innerly generate the MAP-MN wildcard.When having effective MAP-MN wildcard, this attribute is chosen wantonly.
MAP-MN wildcard EAP-TLV attribute:
The wildcard that dynamically generates between this expression MAP--MN.When MN asks by authentication and is given the HMIPv6 business, it is notified to MAP from AAAh.By the existing suitable hashing algorithm of using between value and MN and the AAAh of shared combination of keys use to now being provided with value EAP-TLV attribute by the generation of MAP-MN wildcard, AAAh can inner generation MAP-MN wildcard.When having effective MAP-MN wildcard, this attribute is chosen wantonly.
MAP IKE KeyID EAP-TLV attribute:
The ID Payload of definition in this expression [8].KeyID is generated by AAAh, and is sent to MN when successful authentication.KeyID comprises some eight hytes, and it informs that how MAP is from AAAh retrieval (or generation) MAP-MN wildcard.This attribute is chosen wantonly, and not submit to the MAP-MN wildcard to generate existing when promptly having had effective MAP-MN wildcard with value as MN, and for example MIPv6 does not generally need this attribute between transfer period.Situation when being sent to MAP for the MAP-MN wildcard by AAAh does not need this attribute yet.
MAP-MN IPSec SPI EAP-TLV attribute:
The Security Parameter Index of IPSec between this expression MAP-MN.Situation when being sent to MAP for the MAP-MN wildcard by AAAh, this is preferably generated by MAP, and is notified to MN.This attribute is chosen wantonly, and when MN did not submit to MAP-MN to share in advance close generation now promptly to have had effective MAP--MN wildcard with value, for example MIPv6 did not generally need this attribute between transfer period.
MAP-MN ipsec protocol EAP-TLV attribute:
Ipsec protocol (for example ESP or AH) between this expression MAP-MN.Situation when being sent to MAP for the MAP-MN wildcard by AAAh, this is notified to MN.This attribute is chosen wantonly, and not submit to the MAP-MN wildcard to generate existing when promptly having had effective MAP-MN wildcard with value as MN, and for example MIPv6 does not generally need this attribute between transfer period.
MAP-MN IPSec password EAP-TLV attribute:
The cryptographic algorithm of IPSec between this expression MAP-MN.Situation when being sent to MAP for the MAP-MN wildcard by AAAh, this is notified to MN.This attribute is chosen wantonly, and not submit to the MAP-MN wildcard to generate existing when promptly having had effective MAP-MN wildcard with value as MN, and for example MIPv6 does not generally need this attribute between transfer period.
MAP--MN ipsec key term of validity EAP-TLV attribute:
The key term of validity of IPSec between this expression MAP-MN.Situation when being sent to MAP for the MAP-MN wildcard by AAAh, this is notified to MN.This attribute is chosen wantonly, and not submit to the MAP--MN wildcard to generate existing when promptly having had effective MAP-MN wildcard with value as MN, and for example MIPv6 does not generally need this attribute between transfer period.
HMIP-binding-renewal EAP-TLV attribute:
The MAP Binding Update grouping that this expression MN generates.This is forwarded to MAP via AAAh from MN in authentication and authorization exchange.This attribute is chosen wantonly, and when MN directly sends to MAP with the grouping of MAP Binding Update, does not generally need this attribute.
HMIP-binding-affirmation EAP-TLV attribute:
The MAP binding acknowledgement grouping that this expression MAP generates.This is forwarded to MN via AAAh from MAP in authentication and authorization exchange.This attribute is chosen wantonly, and when MAP directly sends to MN with MAP binding acknowledgement update packet, does not generally need this attribute.
For special MIPv6, can define following optional EAP-TLV attribute:
MIPv6 home address EAP-TLV attribute:
The MIPv6 home address of the dynamic assignment of the MN of this expression authentication.To the MN that for example asked success authentication the time, it is notified to HA, in HA, to specify the MIPv6 home address from AAAh.
HA-MN wildcard EAP-TLV attribute:
The wildcard of the dynamic generation between this expression HA-MN.When MN asks by authentication and is given the MIPv6 business, it is notified to HA from AAAh.By the existing suitable hashing algorithm of using between value and MN and the AAAh of shared combination of keys use to now being provided with value EAP-TLV attribute by the generation of HA-MN wildcard, AAAh can inner generation HA-MN wildcard.When having effective HA-MN wildcard, this attribute is chosen wantonly.
HA-MN ipsec protocol EAP-TLV attribute:
Ipsec protocol (for example ESP or AH) between this expression HA--MN.Situation when being sent to HA for the HA-MN wildcard by AAAh, this is notified to MN.This attribute is chosen wantonly, and not submit to the HA-MN wildcard to generate existing when promptly having had effective HA-MN wildcard with value as MN, and for example MIPv6 does not generally need this attribute between transfer period.
HA-MN IPSec password EAP-TLV attribute:
The cryptographic algorithm of IPSec between this expression HA-MN.Situation when being sent to HA for the HA-MN wildcard by AAAh, this is notified to MN.This attribute is chosen wantonly, and not submit to the HA-MN wildcard to generate existing when promptly having had effective HA-MN wildcard with value as MN, and for example MIPv6 does not generally need this attribute between transfer period.
MIP-binding-renewal EAP-TLV attribute:
The Binding Update grouping that this expression MN generates.This is forwarded to HA via AAAh from MN in authentication and authorization exchange.This attribute is chosen wantonly, and when MN directly sends to HA with the Binding Update grouping, does not generally need this attribute.
MIP-binding-affirmation EAP-TLV attribute:
The binding acknowledgement grouping that this expression HA generates.This is forwarded to MN via AAAh from HA in authentication and authorization exchange.This attribute is chosen wantonly, and when HA directly sends to MN with the binding acknowledgement grouping, does not generally need this attribute.
The EAP-TLV attribute that is used for the HMIPv6/MIPv6 authentication below can defining:
MD5 inquiry EAP-TLV attribute:
This expression AAAh generates and sends MN at random to realize eight hyte strings of MD5 inquiry.
MD5 response EAP-TLV attribute:
This expression is as eight hyte strings together with the pre-shared secret key between AAAh and the MN of result's generation of MD5 hash function.
For dynamic MN home address assignment, can define following optional EAP-TLV attribute:
MIPv6 home address request EAP-TLV attribute:
This expression is to the request of the MIPv6 home address of the dynamic assignment of the MN of authentication.By authentication be given MIPv6 when professional, ask it to AAAh in the MN initial request by MN.When MN had had the home address of previous appointment, for example MIPv6 was between transfer period, and this attribute is chosen wantonly.
MIPv6 home address response EAP-TLV attribute:
The MIPv6 home address of the dynamic assignment of the MN of this expression authentication.To the MN that for example asked success authentication the time, it is notified to MN from AAAh.When MN had had the home address of previous appointment, for example MIPv6 was between transfer period, and this attribute is chosen wantonly.
Distribute for dynamic HA, can define following optional EAP-TLV attribute:
MIPv6 home agent Address requests EAP-TLV attribute:
This expression when successful authentication to the request of the address of the HA of the dynamic assignment of MN.By authentication be given MIPv6 when professional, ask it to AAAH in the MN initial request by MN.When the MIPv6 agreement had dynamic HA discover method with distribution HA, this attribute was chosen wantonly.When MN had had the HA of previous appointment, for example MIPv6 was between transfer period, and this attribute is also chosen wantonly.
MIPv6 home agent address response EAP-TLV attribute:
The HA address of the dynamic assignment of the MN of this expression authentication.When the MN initial request by authentication be given MIPv6 when professional, from AAAh it is notified to MN.Because the MIPv6 agreement has dynamic home agent discover method with allocation for home agents, so this attribute is chosen wantonly.When MN had had the HA of previous appointment, for example MIPv6 was between transfer period, and this attribute is also chosen wantonly.
Can define following optional EAP-TLV attribute with distributing security keys between HA and MN:
The HA-MN wildcard generates existing with value EAP-TLV attribute:
The conduct that this expression MN generates at random is used to generate eight hyte strings of the seed of wildcard between the HA-MN.By this is now used suitable hashing algorithm with the shared combination of keys between value and MN and the AAAh, MN can innerly generate the HA-MN wildcard.When having effective HA-MN wildcard, for example MIPv6 is between transfer period, and this attribute is often chosen wantonly.
IKE KeyID EAP-TLV attribute:
The ID Payload of definition in this expression [8].KeyID is generated by AAAh, and is sent to MN when successful authentication.KeyID comprises some eight hytes, and it informs that how HA is from AAAh retrieval (or generation) HA-MN wildcard.This attribute is chosen wantonly, and not submit to the HA-MN wildcard to generate existing when promptly having had effective HA-MN wildcard with value as MN, and for example MIPv6 does not generally need this attribute between transfer period.In AAAh-HA interface the situation when being sent to HA of definition do not need this attribute by AAAh in via [9] at the HA-MN wildcard yet.
HA-MN IPSec SPI EAP-TLV attribute:
The Security Parameter Index of IPSec between this expression HA and the MN.The AAAh-HA interface that defines in [9] of situation when being sent to HA by AAAh via to(for) the HA-MN wildcard, this generates and is notified to MN by HA.This attribute is chosen wantonly, and not submit to the HA-MN wildcard to generate existing when promptly having had effective HA-MN wildcard with value as MN, and for example MIPv6 does not generally need it between transfer period.When not using the AAAh--HA interface of definition in [9], do not need it yet.
HA-MN ipsec key term of validity EAP-TLV attribute:
The key term of validity of IPSec between this expression HA and the MN.The AAAh-HA interface that defines in [9] of situation when being sent to HA by AAAh via to(for) the HA-MN wildcard, this generates and is notified to MN by HA.This attribute is chosen wantonly, and not submit to the HA-MN wildcard to generate existing when promptly having had effective HA-MN wildcard with value as MN, and for example MIPv6 does not generally need this attribute between transfer period.When not using the AAAh-HA interface of [9] middle definition, do not need it yet.
At last, can define following optional EAP-TLV attribute with distributing security keys between PAC and PAA to realize PANA safety:
The PAC-PAA wildcard generates existing with value EAP-TLV attribute:
The conduct that this expression MN/PAC generates at random is used to generate eight hyte strings of the seed of the wildcard between the PAC-PAA.By this is now used suitable hashing algorithm with the shared combination of keys between value and MN and the AAAh, MN/PAC can innerly generate the PAC-PAA wildcard.Need this attribute to realize PANA safety.
Alternatively, the AAAh server can dispose and be used for not only generating the MN-MAP safe key, also generates the required information of security association of finishing.
From above-mentioned example as can be seen, the HMIPv6 relevant configuration is regarded as the part of whole licensing process usually.
EAP universal container attribute (EAP GCA)
In alternative EAP realizes, EAP is used as the carrier (randomly also having MIPv6 information) of HMIPv6 relevant information, wherein do not create new said EAP method, but by can in the universal container EAP attribute that any EAP method is used, implementing by beared information.
At this during demonstration of supporting of AAA realizes in based on Access Network, EAP augments with the universal container attribute, data that the universal container attribute can be used to carry is any (perhaps non-EAP is relevant), for example specific data of HMIPv6 and randomly also have the specific data of MIPv6 (guiding) if also wish MIPv6.This make MN and AAAh can be at least for MAP in the situation of home network so that the visited domain transparent way is communicated by letter, visited domain comprises Access Network, AAA client and AAAv.Between AAA client and AAA, EAP preferably carries in aaa protocol, and for example diameter EAP uses or even RADIUS[10], [11].
This new attribute should preferably can be used for all EAP methods, and can be included in any EAP message, comprises EAP success/failed message.In this solution, this new universal container attribute is used for transmitting the specific data of HMIPv6 (randomly also having the MIPv6 data) between MN and AAAh.This solution can also comprise diameter or the RADIUS application that is used for exchanging AAA and related data between AAAh and HA.
The possible execution mode of universal container attribute (GCA) hereinafter, is discussed according to present EAP agreement [12].As described, the universal container attribute should preferably can be used for all methods, and should comprise in any EAP message, comprises EAP success/failed message.This means that it should be EAP layer but not the part [12] of EAP method layer.Important problem is that (this is meant the back compatible with regard to MN and EAP authentication person (being usually located at NAS) in back compatible.MN and EAP authentication server (being AAA) are assumed to always compatible).In these given examples, the use of GCA is generally supposed, introduces this new attribute with back compatible with to EAP authentication person transparent way in EAP.The GCA that introducing contains these characteristics needs some special considerations, is discussed below.
For example, the form of GCA can be the GCA length indicator of two bytes, heel GCA reciever designator and GCA Payload.GCA reciever designator indication EAP module should send to what internal entity (promptly this designator is corresponding to the port numbers in the agreement in the IP header/next header fields or UDP and the TCP header) with the Payload of the GCA that receives.The GCA Payload then is to can't help the generic data block that the EAP layer explains.There is not GCA preferably can indicate by the GCA length indicator being made as zero.
In order to realize back compatible, GCA should be preferably to be comprised in the EAP grouping straight-through EAP authentication person transparent way.Straight-through EAP authentication person is that the EAP authentication person of relaying (nearly all) EAP grouping between MN and rear end EAP authentication server (aaa server) (resides among the NAS; Normally WLAN AP or couple in router).Described in [12], EAP authentication person's straight-through behavior is based on EAP layer header and comes relaying EAP grouping, i.e. code, identifier and length field in the starting position of EAP grouping.This means,, then may realize the desired transparency (with realizing back compatible thus) if GCA is placed (promptly after code, identifier and length field) after the EAP layer header.
But EAP authentication person generally also needs to check the type field (after EAP layer header) of EAP respond packet, with the grouping of identification EAP identity response, extracts the required NAI of AAA Route Selection in view of the above.When EAP authentication person discerned the grouping of EAP identity response, its type-data field after type field extracted NAI.Therefore, GCA is placed follow that (with to EAP authentication person transparent way) only may in EAP request grouping after the EAP layer header closely.Therefore, general first-selection be GCA is arranged in after the type field or even (may emptyly stop) type-data field after.
GCA placed follow all EAP respond packet that allow after the type field except that the grouping of EAP identity response closely and use GCA.Use GCA to be under an embargo in EAP identity response grouping, because from these groupings, EAP authentication person need extract NAI from type-data field, is expected at and searches it after following type field closely and leave over EAP authentication person.Consider that EAP generally has quite few coming and going, this may limit the use of GCA.May, GCA can be placed in after empty termination type-data field in the EAP identity response grouping, and keeps its position after type field in other EAP groupings.
Can frequent hope can be in all EAP groupings consistent GCA position of using.Seem that from above-mentioned discussion can GCA be placed the position of all EAP groupings in the mode of back compatible is at the end that divides into groups, more or less as afterbody.But the length field in the EAP layer header of those EAP groupings this GCA position depends on to(for) the explicit length designator that does not have type-data parameters may cause problem.In these groupings, GCA and type-data field can not be distinguished.
For head it off, the order of the GCA length indicator that should reverse, GCA reciever designator and GCA Payload makes the GCA length indicator occur at last.Thereby when GCA being placed EAP grouping terminal, latter two eight hytes (its length is by the indication of the length field in the EAP layer header) of EAP grouping can be the GCA length indicator all the time.Unless the GCA length indicator is zero, GCA reciever designator can appear at before the GCA length indicator and GCA Payload (its size is determined by the GCA length indicator) is positioned at before the GCA reciever designator.By this principle, the GCA in the identification EAP grouping also distinguishes GCA and type-data field always possible.The use of GCA is still straight-through EAP authentication person transparent.
With the also requirement of back compatible of this GCA solution, EAP authentication person does not attempt from EAP request grouping information extraction (except EAP layer header and NAI), and it accepts successfully/length field in the failed packet indicates the value greater than 4.
The alternate ways of handling backward compatibility issues is to use EAP GCA test request/respond packet (the new EAP grouping that promptly has the redetermination value of type field) to judge whether MN supports GCA.
Before or after initial EAP identity request/respond packet exchange, support the EAP authentication person of GCA that EAP GCA test request grouping (the EAP request grouping that promptly has the dedicated classes offset) is sent to MN.(the two kinds of alternative transmitting times of EAP peering state machine indication in [13] all are feasible).If MN supports GCA, then it is with EAP GCA test response grouping response.Otherwise MN is with the request of EAP GCA test request packet interpretation for the unknown EAP method of use, and MN responds with EAP Nak grouping thus.Based on the response from MN, EAP authentication person can judge whether MN supports GCA.
Support the MN of GCA to judge whether EAP authentication person supports GCA according to having or not of EAP GCA test request grouping.If (before or after EAP identity request/response exchange) receives the grouping of EAP GCA test request when expectation, then EAP authentication person supports GCA.Otherwise EAP authentication person does not support GCA.
If MN and EAP authentication person support GCA, then can be placed on (the GCA component is an original order) after the EAP layer header in all EAP groupings subsequently.Otherwise GCA can still be comprised in the EAP grouping, and these EAP groupings make it can be with back compatible mode involved (as mentioned above).
The alternate ways of described processing backward compatibility issues has some limitations.At first, having wasted a MN-EAP authentication person comes and goes.Moreover if exchange EAP GCA test request/respond packet after initial EAP identity request/respond packet exchange, then GCA can't use in the grouping of EAP identity response.This embodiment can also require the revision of EAP authentication person (may be NAS) use EAP, for example EAPv2.Therefore, though other alternate ways are possible, with GCA be arranged in preferred manner in the EAP grouping can be usually at minute group end as afterbody, the GCA length indicator in the end, after GCA Payload and GCA reciever designator.
If for the data that exchange in GCA, the quantity that EAP comes and goes is not enough, and then in order to transmit GCA, AAAh can increase the quantity that EAP comes and goes by EAP notice request/response exchange.
Another kind of variant is actual to be to introduce GCA in the EAP method on the method layer of EAP protocol stack.If it is specific that GCA is made as method, then GCA can not introduce any backward compatibility issues, because it incites somebody to action the normally part of type-data field.
The demonstration signaling flow of EAP/HMIPv6
Demonstration EAP/HMIPv6 (diameter) signaling flow of the situation when Fig. 7 illustrates and is positioned at home network at MAP.
AAA client uses EAP (request identity) request MN authentication, and MN responds with EAP (response identity).
The MN response sends to AAAh via AAA foundation structure.AAAh determines that according to the identity of MN with based on operator's strategy the EAP/HMIPv6 method is suitable for authentication and the mandate (being the ability that AAAh knows MN) of MN.AAAh sends the indication of the EAP method (for example EAP/HMIPv6) of advising together with inquiry via AAA foundation structure to MN.The indication of EAP method or scheme can be implemented by specifying new EAP type number for the EAP scheme (for example EAP/HMIPv6) of expansion.Which kind of EAP scheme what like this, mobile node will be known the AAAh proposition is.Alternatively, send special formative inquiry to mobile node, mobile node is discerned the given EAP scheme of this inquiry indication.
MN wishes to guide HMIPv6, and answers AAAh suggestion and inquiry with query-response and suitable EAP attribute (TLV), and suitable EAP attribute (TLV) transmits the request of specifying suitable MAP together with the necessary information that is used for the MAP security association of appointment.In this process, MN can also guide MIPv6, if before do not carry out as yet.The MN response sends to AAAh via AAA foundation structure.Can imply though the MAP specified request is actual, general recommendation utilizes explicit MAP specified request.Known the MAP address and for example can only upgrade situation with the security association of MAP for mobile node, will not have the MAP specified request, and only re-authenticate and/or authorize again.
The query-response of AAAh checking MN, and if success, this means that then MN is believable, and AAAh continues to handle other requests of MN then.
At first, AAAh selects MAP in home network, and comprise for example EAP of safe key (noticing that this is the EAP session that is different from the EAP session of just having carried out between MN and AAAh) message to what MAP send to strengthen, and MAP preferably comes AAAh is responded by being provided for finishing with the information of the security association of MN (if that need or be suitable in other respects).For example,, may need to utilize the EAP attribute, as above ipsec protocol, IPSec password, the ipsec key term of validity EAP TLV attribute of definition in the table 1 for ipsec security association.
In this illustrated examples and following illustrative example, suppose that mobile node (MN) and AAAh have public shared secret.For example this may be the symmetric key of sharing between the identity module installed in the mobile node and the home network operator.Identity module can be any anti-tamper identity module known in the art, comprises the standard SIM card that uses in GSM (global system for mobile communications) mobile phone, general SIM (USIM), also is called WAP (WAP (wireless application protocol)) SIM, the ISIM (IP Multimedia System identity module) of WIM and more general UICC (Universal Integrated Circuit Card) module.For MN-MAP (MN-HA) security association, can by MN to AAA transmit seed or existing with value (or the other way around, promptly by AAAh start seed and be sent to MN), AAAh can create MN-MAP (MN-HA) safe key based on shared secret in view of the above.Mobile node can generate identical safe key alone, the seed because it starts/now also also have shared secret with value (or from AAAh reception seed).Alternatively, AAAh can oneself generate security information, and it is sent to interdependent node safely.
Secondly, if ask the MIPv6 guiding, then AAAh selects HA to continue as this MIPv6 boot request service by using another to strengthen the EAP session, and HA responds AAAh by the required information of establishment and the security association of MN is provided.Randomly, it is possible incidentally transmitting " MAP Binding Update " and " HA Binding Update " in authentication and authorization exchange.This means that HMIPv6 binding is integrated in identical with the MN-MAP security association the coming and going (only needing LCoA in from the Binding Update of mobile node).For this situation, the HMIPv6RCoA that AAAh obtains in operating with the first time of MAP is the MIPv6 binding of upgrading in operating with the second time of HA automatically.
With after HA communicates by letter, AAAh will authorize (and/or configuration) information such as MAP address, RCoA, HA address, MN home address and security association information and authentication successfully to indicate via the EAP of expansion and send it back MN at AAAh as mentioned above and MAP.Exchange among Fig. 7 extra last to come and go be smoothly to realize the EAP agreement for guaranteeing according to present EAP protocol specification.
Demonstration EAP/HMIPv6 (diameter) signaling flow of the situation when Fig. 8 illustrates and is positioned at visited network at MAP.
AAA client uses EAP (request identity) request MN authentication, and MN responds with EAP (response identity).
The MN response sends to AAAh via AAA foundation structure.AAAh determines that according to the identity of MN with based on operator's strategy the EAP/HMIPv6 method is suitable for authentication and the mandate (being the ability that AAAh knows MN) of MN.AAAh sends the indication of the EAP method (being EAP/HMIPv6) of advising together with inquiry via AAA foundation structure to MN.
MN wishes to guide HMIPv6, and answers AAAh suggestion and inquiry with query-response and suitable EAP attribute (for example TLV), and suitable EAP attribute transmits the request of specifying suitable MAP together with the necessary information that is used for the MAP security association of appointment.In this process, MN can also guide MIPv6, if before do not carry out as yet.The MN response sends to AAAh via AAA foundation structure.
The query-response of AAAh checking MN, and if success, this means that then MN is believable, and AAAh continues to handle other requests of MN.
At first, AAAh will be forwarded to suitable AAAv to the request of MAP in the visited network, and this preferably uses (using for simply being known as diameter HMIPv6) via diameter and carries out.The reason of doing like this is, the operator's that need consider when in visited network, selecting MAP to be interviewed strategy, and AAAv needs to check these affairs (these exchanges are end to end under the EAP situation, so this is impossible) thus.AAAv selects MAP in visited network, and for example will contain that the diameter HMIPv6 application message of safe key is forwarded to MAP.MAP preferably comes AAAh is responded by being provided for finishing with the information of the security association of MN (if that need or be suitable in other respects).Next, if such request exists, then AAAh selects HA to continue as this MIPv6 boot request service by using another to strengthen the EAP session, and HA responds AAAh by the required information of establishment and the security association of MN is provided.Notice that incidentally transmission " MAP Binding Update " and " HA Binding Update " is possible in authentication and authorization exchange.For this situation, the HMIPv6RCoA that AAAh obtains in operating with the first time of MAP is the MIPv6 binding of upgrading in operating with the second time of HA automatically.
With after HA communicates by letter, AAAh will authorize (and/or configuration) information such as MAP address, RCoA, HA address, MN home address and security association information and authentication successfully to indicate via the EAP of expansion and send it back MN at AAAh as mentioned above and MAP.Exchange among Fig. 8 extra last to come and go be smoothly to realize the EAP agreement for guaranteeing according to present EAP protocol specification.
Though some detailed example embodiment mainly are to discuss with reference to present EAP version, should be appreciated that the present invention is highly suitable for other EAP versions, as EAPv2, and other authentication protocols of expanding or dispose in this way.EAP only is the example of possible execution mode, and the present invention generally is not limited to this, but can alternatively relate to non-EAP scheme.
The AAA framework agreement of HMIPv6 is used
In another example embodiment, creating a kind of new AAA framework agreement uses, it is example that this paper uses (being called " diameter HMIPv6 application ") with the diameter that is fit to HMIPv6, and its carrying is convenient to for example find distributing security keys and/or the possible HMIPv6 relevant information of incidentally transmitting the HMIPv6 mobile process between MAP, dynamic assignment MAP, dynamic assignment RCoA, MN and the MAP.Though what hereinafter relate to is diameter, should be appreciated that, can also use RADIUS or other similar AAA framework agreements to be used as the basis that HMIPv6 new or expansion uses.
If desired, HMIPv6 can be integrated in the identical AAA framework agreement application with MIPv6 authentication and/or mandate.This can realize by adopting the diameter MIPv6 described in [3] to use and also defining the specific command code of new HMIP, AVP and/or sign in addition.Comprise as the part that diameter HMIPv6 uses by command code, AVP and the sign that diameter MIPv6 is used, carry out being contained in the single traversal that allows shorter settling time in the time of with MIPv6 and HMIPv6 authentication and/or mandate.It also is possible only carrying out the HMIPv6 authentication and/or authorize under the situation that does not have MIPv6 authentication and/or mandate, and vice versa, specifically depends on the real needs of MN under the particular case.This can use single application (diameter HMIPv6 application) neatly in various use-case occasions.
Moreover, in diameter HMIPv6 uses, incidentally transmit the HMIPv6 mobile process and make and may shorten whole settling time by in public procedure, optimizing authentication, mandate and mobility.
The details that diameter HMIPv6 uses
Hereinafter, provide the demonstration diameter details that HMIPv6 uses, with the example of explanation overall flow and the feasibility of notion.Preferably, define new HMIP specific command code, AVP and/or sign, their carryings are convenient to for example find distributing security keys and/or the possible information of incidentally transmitting the HMIPv6 mobile process between MAP, dynamic assignment MAP, dynamic assignment RCoA, MN and the MAP.The part that command code, AVP and the sign of diameter MIPv6 application [3] can randomly be used as diameter HMIPv6 comprises.
Matrix is summarized in the demonstration that provides diameter HMIPv6 utility command code and AVP in the following table 2:
Diameter HMIPv6 utility command code and AVP The source The destination Purpose Note
The command code that HMIPv6 is specific:
MAP-HMIPv6-request command (MAR) MAP-HMIPv6-acknowledgement command (MAA) AAAh AAAh MAP MAP MAP MAP through AAAv AAAh AAAh through AAAv The exchange of the exchange HMIP AVP of the exchange HMIP AVP of the exchange HMIP AVP of HMIP AVP MAP is positioned at home network MAP and is positioned at visited network MAP and is positioned at home network MAP and is positioned at visited network
The specific AVP:HMIP-of HMIPv6 binds-upgrades the sign MAP-MN wildcard generation active value AVP MAP-MN wildcard AVP MAP IKE KeyID AVP MAP-MNIPSec SPI AVP MAP-MN ipsec protocol AVP MAP-MN IPSec password AVP MAP-MN ipsec key term of validity AVP that AVP HMIP-bound-confirmed AVP RCoAAVP MAP address AVP HMIPv6-feature-vector AVP MAP-request The HMIP binding update messages that is sent to MAP by MN is sent to the HMIP binding acknowledgement RCoA MAP address of MN to the seed appointment MN-MAP key assigned I KEKeyID appointment SP1 appointment ipsec protocol assigned ip Sec password appointment ipsec key term of validity of the request MN-MAP key of dynamic MAP appointment by MAP
Existing diameter MIPv6 utility command code: AA-registration-request command (ARR) AA-registration-acknowledgement command (ARA) ownership-agency-MIPv6-request command (HOR) ownership-agency-MIPv6 acknowledgement command (HOA) AAA client AAAh AAAh HA AAAh (through AAAv) AAA client (through AAAv) HA AAAh
Existing diameter MIPv6 uses AVP:MIP-binding-renewal AVP MIP binding-affirmation-AVP MIPv6-and moves-sign of node-address AVP MIPv6-ownership-agency-address AVP MIPv6-feature-vector AVP ownership-agency-request The mobile IP binding update messages that is sent to HA by MN is sent to the home agent address of home address mobile node of mobile IP binding acknowledgement mobile node of MN to the request of dynamic home appointment by HA
For additional information, Internet-Draft [5] has defined required command code and the AVP of carrying EAP grouping between network access server (NAS) and rear end authentication server.
The demonstration signaling flow that diameter HMIPv6 uses
The demonstration diameter HMIPv6 of the situation when Fig. 9 illustrates and is positioned at home network at MAP uses signaling flow.
AAA client inquires to the MN issue of wanting authentication via the agreement of for example Internet Control Message Protocol (ICMP), PANA etc.MN may also have the MIPv6 boot request to respond with query-response and HMIPv6.
AAA client understands HMIPv6 and MIPv6 boot request, and uses diameter HMIPv6 utility command code (ARR) via AAA foundation structure the MN response to be forwarded to AAAh.In this process, AAA client also comprises the inquiry that makes AAAh can check the credibility of MN.
The query-response of AAAh checking MN, and if success, this means that then MN is believable, and AAAh continues to handle other requests of MN then.
At first, AAAh selects MAP in home network, and for example will contain that the appropriate diameter HMIPv6 utility command code (MAR) of safe key sends to MAP, and MAP preferably comes AAAh is responded by being provided for finishing with the information of the security association of MN (if that need or be suitable in other respects) via command code (MAA).Secondly, if request MIPv6 guiding, then AAAh selects HA to continue as this MIPv6 boot request service by using diameter HMIPv6 utility command code ((HOR)), and HA responds AAAh via command code (HOA) by the required information of establishment and the security association of MN is provided.Notice that incidentally transmission " MAP Binding Update " and " HA Binding Update " is possible in authentication and authorization exchange.For this situation, the HMIPv6RCoA that AAAh obtains in operating with the first time of MAP is the MIPv6 binding of upgrading in operating with the second time of HA automatically.
With after HA communicates by letter, AAAh will authorize (and/or configuration) information such as MAP address, RCoA, HA address, MN home address and security association information and authentication successfully to indicate via diameter HMIPv6 utility command code (ARA) and for example ICMP, PANA etc. and send it back MN at AAAh as mentioned above and MAP.
The demonstration diameter HMIPv6 of the situation when Figure 10 illustrates and is positioned at visited network at MAP uses signaling flow.
AAA client inquires to the MN issue of wanting authentication via for example ICMP or PANA.MN may also have the MIPv6 boot request to respond with query-response and HMIPv6.
AAA client understands HMIPv6 and MIPv6 boot request, and uses diameter HMIPv6 utility command code (ARR) via AAA foundation structure the MN response to be forwarded to AAAh.In this process, AAA client also comprises the inquiry that makes AAAh can check the credibility of MN.
The query-response of AAAh checking MN, and if success, this means that then MN is believable, and AAAh continues to handle other requests of MN then.
At first, AAAh will be forwarded to suitable AAAv to the request of MAP in the visited network, and this preferably carries out via diameter HMIPv6 utility command code (MAR).AAAv selects MAP in visited network, and will comprise that for example the command code of safe key (MAR) is forwarded to MAP, and MAP preferably utility command code (MAA) AAAh is responded via AAAv by being provided for finishing with the information of the security association of MN (if that need or be suitable in other respects).Secondly, if be requested, then AAAh selects HA to continue as this MIPv6 boot request service by using diameter HMIPv6 utility command code (HOR), and HA responds AAAh via command code (HOA) by the required information of establishment and the security association of MN is provided.Notice that incidentally transmission " MAP Binding Update " and " HA Binding Update " is possible in authentication and authorization exchange.For this situation, the HMIPv6RCoA that AAAh obtains in operating with the first time of MAP is the MIPv6 binding of upgrading in operating with the second time of HA automatically.
With after HA communicates by letter, AAAh will authorize (and/or configuration) information such as MAP address, RCoA, HA address, MN home address and security association information and authentication successfully to indicate via the agreement of diameter HMIPv6 utility command code (ARA) and for example ICMP or PANA and send it back MN at AAAh as mentioned above and MAP.
Summarize more above-mentioned aspects, as can be seen, provide the some possibilities that are used to guide the HMIPv6 business the dependence of AAA foundation structure.For example, possible is, provide to the common authentication protocol by the carrying of AAA foundation structure (as at present or EAP version in the future) expansion and/or strengthen the AAA framework agreement and use, use as diameter and RADIUS.
Figure 11 is the schematic flow diagram of basic example of method that is used to support the HMIPv6 business of mobile node.In this example, the information shown in the step S1-S4 transmits and operates the authentication (S1) that relates to mobile node, foundation (S2), HMIPv6 configuration (S3) and the HMIPv6 binding (S4) of MN-MAP security association.Step S2-S3 is commonly referred to as authorization stages.If desired, can be more or less with parallel mode execution in step S1-S4, for example in identical with the HMIPv6 secure association procedure coming and going, incidentally transmit the HMIPv6 binding, can shorten whole settling time.At step S1, transmit information by AAA foundation structure, with at the home network end to the mobile node authentication.At step S2, transmit the HMIPv6 relevant information, to set up or to allow to set up in the future the security association between MN and the MAP immediately.In step S3, carry out additional HMIPv6 configuration, for example by transmitting the storage of configuration parameter to be fit to therein to mobile node.At step S4, mobile node sends Binding Update, and sets up the HMIPv6 binding in MAP.
In other applications, the present invention can be applicable to all Access Networks such as WLAN, CDMA2000, WCDMA etc., wherein can use HMIPv6 and randomly also have MIPv6, comprise such as AAA and the ambulant technology of IPv6, such as the system of CMS11, WCDMA and gsm system, such as the subsystem of service/application subsystem and terminal and such as the product of aaa server, home agent server and terminal node.
As the alternate ways of the instantiation procedure of above-mentioned MN-HA key distribution, with present 3GPP2 solution similarly mechanism combine the dynamic wildcard that the IKE framework can be used to distribute MN and HA.
The foregoing description only is to provide as example, and should be appreciated that the present invention is not limited thereto.And other modifications, change and the improvement that keep disclosed herein and claimed basic basic principle all belong to scope of the present invention.
List of references
[1] " the mobility support among the IPv6 (Mobility Support in IPv6) ", D.Johnson, C.Perkins, J.Arkko, on June 30th, 2003,<draft-ietf-mobileip-ipv6-24.txt 〉.
[2] " hierarchical mobile IPv 6 mobile management (Hierarchical Mobile IPv6 mobilitymanagement) (HMIPv6) ", Hesham Soliman, Claude Castelluccia, Karim El-Malki, Ludovic Bellier, in June, 2003,<draft-ietf-mobileip-hmipv6-08.txt 〉.
[3] " diameter moves Ipv6 and uses (Diameter Mobile IPv6 Application) ", Stefano M.Faccin, Franck Le, Basavaraj Patil, Charles E.Perkins, in April, 2003,<draft-le-aaa-diameter-mobileipv6-03.txt 〉.
[4] " MIPv6 based on EAP authorizes and configuration (MIPv6 Authorization andConfiguration based on EAP) ", G.Giaretta, I.Guardini, E.Demaria, in February, 2004,<draft-giaretta-mip6-authorization-eap-00.txt 〉.
[5] " but diameter extended authentication agreement (Diameter Extensible AuthenticationProtocol) (EAP) is used ", P.Eronen, T.Hiller, G.Zorn, on February 16th, 2004,<draft-ietf-aaa-eap-04.txt 〉.
[6] " but PPP extended authentication agreement (PPP Extensible AuthenticationProtocol) is (EAP) ", RFC2284, L.Blunk, J.Vollbrecht, in March, 1998.
[7] ieee standard 802.1X, local area network (LAN) and metropolitan area network-control based on the network insertion of port.
[8] " internet security association and IKMP (Internet SecurityASSociation and Key Management Protocol) are (ISAKMP) ", RFC2408, D.Maughan, M.Schertler, M.Schneider, J.Turner, in November, 1998.
[9] " the diameter mobile IPv 4 is used (Diameter Mobile IPv4 Application) ", P.Calhoun, T.Johansson, C.Perkins, 2003,<draft-ietf-aaa-diameter-mobileip-14.txt 〉.
[10] " remote authentication dial-in user service (Remote Authentication Dial In UserService) is (RADIUS) "-RFC2865, C.Rigney, S.Willens, A.Rubens, W.Simpson, in June, 2000.
[11] " RADIUS expands (RADIUS Extensions) "-RFC2869, C.Rigney, W.Willats, P.Calhoun, in June, 2000.
[12] " but extended authentication agreement (Extensible Authentication Protocol) is (EAP) "-RFC2284, L.Blunk, J.Vollbrecht, B.Aboba, J.Carlson, H.Levkowetz, in September, 2003,<draft-ietf-eap-rfc2284bis-06.txt 〉.
[13] " EAP equity and authentication person's state machine (State Machines for EAP Peerand Authenticator) ", J.Vollbrecht, P.Eronen, N.Petroni, Y.Ohba, in October, 2003<draft-ietf-eap-statemachine-01.pdf 〉.

Claims (20)

1. the 6th edition (HMIPv6) professional method of hierarchical mobile IP of supporting mobile node is characterized in that, uses AAA foundation structure to guide described HMIPv6 business, comprising:
Be described HMIPv6 business, described AAA foundation structure is assigned to described mobile node with suitable mobile anchor point (MAP); And
Be transmitted as described HMIPv6 business to described mobile node authentication and the required HMIPv6 relevant information of mandate by described AAA foundation structure with specified MAP,
It is characterized in that, the AAA infrastructure component of home network generates the certificate related data of the security association between described mobile node and the specified MAP, and described certificate related data sent to described MAP, described AAA foundation structure home network assembly generates the information that is used to finish described security association or described MAP to be used to finish information response's described AAA foundation structure home network assembly of described security association, and wherein said AAA foundation structure home network assembly sends to described mobile node with the HMIPv6 authorization message by described AAA foundation structure.
2. the method for claim 1 is characterized in that, is described HMIPv6 business, and the aaa server of described AAA foundation structure is assigned to described mobile node with suitable MAP.
3. method as claimed in claim 2 is characterized in that described mobile node is roamed in visited network, and AAA visited network server (AAAv) specifies MAP to give described mobile node in described visited network based on visited network operator's strategy.
4. the method for claim 1, it is characterized in that, transmit by described AAA foundation structure and to be used between described mobile node and specified MAP, setting up the HMIPv6 security association and being used to described mobile node to set up the HMIPv6 relevant information of HMIPv6 binding, and transmit in come and go identical and to be used for the HMIPv6 relevant information that HMIPv6 binds with the HMIPv6 relevant information that is used for the HMIPv6 security association.
5. the method for claim 1, it is characterized in that, described mobile node is roamed in visited network, and transmits HMIPv6 relevant authentication and authorization message between described mobile node and AAA home network server (AAAh) in the end-to-end procedure transparent to described visited network in authentication protocol.
6. method as claimed in claim 5 is characterized in that, but described authentication protocol is the extended authentication agreement (EAP) of expansion, and described HMIPv6 relevant information is combined in the described EAP protocol stack as additional data.
7. method as claimed in claim 6 is characterized in that, transmits in the universal container of described HMIPv6 relevant information in described EAP protocol stack.
8. method as claimed in claim 5, it is characterized in that, specified MAP is arranged in described visited network, and between described mobile node and described AAA home network server (AAAh), in described authentication protocol, transmit the HMIPv6 relevant information, and in described AAAh and described visited network between the specified MAP in the AAA framework agreement is used transmission HMIPv6 relevant information.
9. the 6th edition (HMIPv6) professional system of hierarchical mobile IP that is used to support mobile node is characterized in that:
Can operate and be used to the professional AAA infrastructure component that suitable mobile anchor point (MAP) is assigned to described mobile node of described HMIPv6; And
Be used for being transmitted as the HMIPv6 business to described mobile node authentication and the device of authorizing required HMIPv6 relevant information with specified MAP by described AAA foundation structure,
Wherein the AAA infrastructure component of home network comprises:
Be used to generate the device of the certificate related data of the security association between described mobile node and the specified MAP; And
Be used for described certificate related data is sent to the device of specified MAP;
Be used for receiving the device of the information that is used to finish described security association from described MAP; And
Be used for the HMIPv6 authorization message is sent to by described AAA foundation structure the device of described mobile node.
10. system as claimed in claim 9 is characterized in that, described AAA infrastructure component is can operate to be used to the professional aaa server that suitable MAP is assigned to described mobile node of described HMIPv6.
11. system as claimed in claim 10, it is characterized in that, described mobile node is roamed in visited network, and AAA visited network server (AAAv) can be operated and is used for specifying MAP to give described mobile node based on visited network operator's strategy at described visited network.
12. system as claimed in claim 9, it is characterized in that, be used for transmitting and be used between described mobile node and specified MAP, setting up the HMIPv6 security association and being used to described mobile node to set up the device of the HMIPv6 relevant information of HMIPv6 binding, and transmit in come and go identical and to be used for the HMIPv6 relevant information that HMIPv6 binds with the HMIPv6 relevant information that is used for the HMIPv6 security association by described AAA foundation structure.
13. system as claimed in claim 9, it is characterized in that, described mobile node is roamed in visited network, and transmits HMIPv6 relevant authentication and authorization message between described mobile node and AAA home network server (AAAh) in the end-to-end procedure transparent to described visited network in authentication protocol.
14. system as claimed in claim 13 is characterized in that, but described authentication protocol is the extended authentication agreement (EAP) of expansion, and described HMIPv6 relevant information is combined in the described EAP protocol stack as additional data.
15. system as claimed in claim 14 is characterized in that, transmits in the universal container of described HMIPv6 relevant information in described EAP protocol stack.
16. system as claimed in claim 13, it is characterized in that, specified MAP is arranged in described visited network, and between described mobile node and AAA home network server (AAAh), in described authentication protocol, transmit the HMIPv6 relevant information, and in described AAAh and described visited network between the specified MAP in the AAA framework agreement is used transmission HMIPv6 relevant information.
17. the 6th edition (HMIPv6) professional AAA home network server (AAAh) of hierarchical mobile IP that is used to support mobile node is characterized in that:
Be used to generate the device of the certificate related data of the security association between the specified mobile anchor point (MAP) of described mobile node and AAA infrastructure component; And
Be used for described certificate related data is sent to the device of specified MAP;
Be used for receiving the device of the information that is used to finish described security association from described MAP; And
The HMIPv6 authorization message that is used for containing security association information sends to the device of described mobile node.
18. AAA home network server as claimed in claim 17, it is characterized in that, described mobile node is roamed in visited network, and the described device that is used to send the HMIPv6 authorization message can be operated the AAA foundation structure that is used for by the home network with described visited network and described mobile node links and sends described HMIPv6 authorization message.
19. AAA home network server as claimed in claim 18, it is characterized in that, the configuration of described AAA home network server is used for receiving information and the bind address information that is used to finish described security association from specified MAP, and describedly is used for sending the HMIPv6 authorization message that the device configuration of HMIPv6 authorization message is used for containing MAP appointed information, bind address information and security association information by described AAA foundation structure and sends to described mobile node.
20. the 6th edition (HMIPv6) professional system of hierarchical mobile IP that is used to support mobile node, it is characterized in that, but being used for by AAA foundation structure is the device of HMIPv6 business to described mobile node authentication and mandate transmitting with extended authentication agreement (EAP) that the relevant authentication of HMIPv6 and authorization message come between described mobile node and the AAA home network server, and described HMIPv6 relevant information is combined in the EAP protocol stack as additional data.
CNB2004800234028A 2003-06-18 2004-06-15 Support method, system and the equipment of hierarchical mobile IP services Expired - Fee Related CN100539586C (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US47915603P 2003-06-18 2003-06-18
US60/479,156 2003-06-18
US60/551,039 2004-03-09

Publications (2)

Publication Number Publication Date
CN1836420A CN1836420A (en) 2006-09-20
CN100539586C true CN100539586C (en) 2009-09-09

Family

ID=37003349

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004800234028A Expired - Fee Related CN100539586C (en) 2003-06-18 2004-06-15 Support method, system and the equipment of hierarchical mobile IP services

Country Status (2)

Country Link
CN (1) CN100539586C (en)
ZA (1) ZA200510088B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5238029B2 (en) * 2007-09-20 2013-07-17 テレフオンアクチーボラゲット エル エム エリクソン(パブル) Method and apparatus for roaming between communication networks
KR102057269B1 (en) * 2016-01-15 2020-01-22 구글 엘엘씨 Manage delivery of code and dependent data using application containers

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Hierarchical Mobile IPv6 and Fast Handoffs. H.soliman,摘要、第10部分. 2000
Hierarchical Mobile IPv6 and Fast Handoffs. H.soliman,摘要、第10部分. 2000 *

Also Published As

Publication number Publication date
CN1836420A (en) 2006-09-20
ZA200510088B (en) 2007-03-28

Similar Documents

Publication Publication Date Title
EP1634422B1 (en) Method, system and apparatus to support hierarchical mobile ip services
CN1836419B (en) Method, system and apparatus to support mobile IP version 6 services in CDMA system
US20060185013A1 (en) Method, system and apparatus to support hierarchical mobile ip services
US7983418B2 (en) AAA support for DHCP
KR100918440B1 (en) Method and apparatus for communicating of mobile node in virtual private network vpn using ip address of vpn gateway
US9357374B2 (en) Method and system for controlling mobility in a communication network, related network and computer program product therefor
US7079499B1 (en) Internet protocol mobility architecture framework
US8165290B2 (en) Methods and apparatus for bootstrapping mobile-foreign and foreign-home authentication keys in mobile IP
US6769000B1 (en) Unified directory services architecture for an IP mobility architecture framework
JP5118055B2 (en) Internet protocol tunneling over mobile networks
US7496057B2 (en) Methods and apparatus for optimizations in 3GPP2 networks using mobile IPv6
US20070230453A1 (en) Method and System for the Secure and Transparent Provision of Mobile Ip Services in an Aaa Environment
US20020145993A1 (en) Discovering an address of a name server
JP2009524275A (en) Combination of IP and cellular mobility
US7409549B1 (en) Methods and apparatus for dynamic home agent assignment in mobile IP
US7668174B1 (en) Methods and apparatus for home address management at home agent for NAI based mobile nodes
CN101313627A (en) Method for distributing homeplace agent
CN100539586C (en) Support method, system and the equipment of hierarchical mobile IP services
EP1380150A2 (en) Method and system for discovering an adress of a name server
CN101198157A (en) Method for modifying local proxy of mobile node
EP1443712B1 (en) A method and a system for controlling handoff of a terminal
Ganchev et al. Integrated Mobility and Third-Party AAA Management for 4GWW1

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CI02 Correction of invention patent application

Correction item: Priority

Correct: 2004.03.09 US 60/551,039

False: Lack of priority second

Number: 38

Page: The title page

Volume: 22

COR Change of bibliographic data

Free format text: CORRECT: PRIORITY; FROM: MISSING THE SECOND ARTICLE OF PRIORITY TO: 2004.3.9 US 60/551,039

REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 1094844

Country of ref document: HK

C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code

Ref country code: HK

Ref legal event code: WD

Ref document number: 1094844

Country of ref document: HK

CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090909

Termination date: 20170615