CN101288273A - Framework of media-independent pre-authentication improvements - Google Patents


Info

Publication number: CN101288273A
Authority: CN (China)
Prior art keywords: network, mobile node, address, medium, authentication
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CNA2006800006158A
Other languages: Chinese (zh)
Inventors: A·杜塔, V·法雅尔多, 大场义洋, 谷内谦一
Current assignee: Toshiba Corp; Iconectiv LLC (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Toshiba Corp; Telcordia Technologies Inc
Application filed by Toshiba Corp and Telcordia Technologies Inc
Priority to CN201410143405.0A (patent CN103906162B)
Publication of CN101288273A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication > H04W 12/062 Pre-authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication > H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 36/00 Hand-off or reselection arrangements > H04W 36/24 Reselection being triggered by specific parameters > H04W 36/32 Reselection triggered by location or mobility data, e.g. speed data > H04W 36/322 Reselection triggered by location data
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 Network architectures or network communication protocols for authentication of entities
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 36/00 Hand-off or reselection arrangements > H04W 36/0005 Control or signalling for completing the hand-off > H04W 36/005 Control or signalling for completing the hand-off involving radio access media independent information, e.g. MIH [Media Independent Hand-off]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 84/00 Network topologies > H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop] > H04W 84/10 Small scale networks; Flat hierarchical networks > H04W 84/12 WLAN [Wireless Local Area Networks]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The preferred embodiments herein relate to methods and systems for controlling a handoff decision related to switch back of a mobile node between a first network and a second network in a media independent pre-authentication framework and/or to methods and systems for mitigating effects of undesired switch back of a mobile node between a first network and a second network in a media independent pre-authentication framework.

Description

Framework of media-independent pre-authentication improvements
Technical field
The present application relates in particular to methods of pre-authentication, for example, methods of media-independent pre-authentication and the like.
Background art
There are many types of computer networks, with the Internet being the best known. The Internet is a worldwide network of computer networks. Today, the Internet is a public and self-sustaining network that is used by many millions of users. The Internet uses a set of communication protocols called TCP/IP (i.e., Transmission Control Protocol/Internet Protocol) to connect hosts. The Internet has a communications infrastructure known as the Internet backbone. Access to the Internet backbone is largely controlled by Internet Service Providers (ISPs), which resell access to corporations and individuals.
IP (Internet Protocol) is a protocol by which data can be sent from one device (e.g., a phone, a PDA [Personal Digital Assistant], a computer, etc.) to another device on a network. There are several versions of IP today, including, e.g., IPv4, IPv6, etc. Each host device on the network has at least one IP address that is its own unique identifier. IP is a connectionless protocol: the connection between end points during a communication is not continuous. When a user sends or receives data or messages, the data or messages are divided into components known as packets. Every packet is treated as an independent unit of data.
In order to standardize transmission between points over the Internet or similar networks, the OSI (Open Systems Interconnection) model was established. The OSI model separates the communications process between two points in a network into seven stacked layers, with each layer adding its own set of functions. Each device handles a message so that there is a downward flow through each layer at the sending end point and an upward flow through the layers at the receiving end point. The programming and/or hardware that provides the seven layers of function is typically a combination of device operating systems, application software, TCP/IP and/or other transport and network protocols, and other software and hardware.
Typically, the top four layers are used when a message passes from or to a user, and the lower three layers are used when a message passes through a device (e.g., an IP host device). An IP host is any device on the network that is capable of transmitting and receiving IP packets, such as a server, a router or a workstation. Messages destined for some other host are not passed up to the upper layers but are forwarded to that other host. The layers of the OSI model are listed below. Layer 7 (i.e., the application layer) is the layer at which, e.g., communication partners are identified, quality of service is identified, user authentication and privacy are considered, constraints on data syntax are identified, etc. Layer 6 (i.e., the presentation layer) is the layer that, e.g., converts incoming and outgoing data from one presentation format to another, etc. Layer 5 (i.e., the session layer) is the layer that, e.g., sets up, coordinates and terminates conversations, exchanges and dialogs between applications, etc. Layer 4 (i.e., the transport layer) is the layer that, e.g., manages end-to-end control and error checking, etc. Layer 3 (i.e., the network layer) is the layer that, e.g., handles routing and forwarding, etc. Layer 2 (i.e., the data link layer) is the layer that, e.g., provides synchronization for the physical level, performs bit-stuffing and furnishes transmission protocol knowledge and management, etc. The Institute of Electrical and Electronics Engineers (IEEE) subdivides the data link layer into two further sublayers: the MAC (Media Access Control) layer, which controls data transfer to and from the physical layer, and the LLC (Logical Link Control) layer, which interfaces with the network layer, interprets commands and performs error recovery. Layer 1 (i.e., the physical layer) is the layer that, e.g., conveys the bit stream through the network at the physical level. The IEEE subdivides the physical layer into the PLCP (Physical Layer Convergence Procedure) sublayer and the PMD (Physical Medium Dependent) sublayer.
Wireless networks:
Wireless networks can incorporate a variety of types of mobile devices, such as cellular and wireless telephones, PCs (personal computers), laptop computers, wearable computers, cordless phones, pagers, headsets, printers, PDAs, etc. For example, mobile devices may include digital systems to secure fast wireless transmission of voice and/or data. Typical mobile devices include some or all of the following components: a transceiver (i.e., a transmitter and a receiver, including, e.g., a single-chip transceiver with an integrated transmitter, receiver and, if desired, other functions); an antenna; a processor; one or more audio transducers (for example, a speaker or a microphone, as in devices for audio communications); electromagnetic data storage (such as ROM, RAM, digital data storage, etc., as in devices where data processing is provided); memory; flash memory; a full chip set or integrated circuit; interfaces (such as USB, CODEC, UART, PCM, etc.); and/or the like.
Wireless LANs (WLANs), in which a wireless user can connect to a local area network (LAN) through a wireless connection, may be employed for wireless communications. Wireless communications can include, e.g., communications that propagate via electromagnetic waves, such as light, infrared, radio and microwave. A variety of WLAN standards currently exist, such as Bluetooth, IEEE 802.11 and HomeRF (Home Radio Frequency).
By way of example, Bluetooth products may be used to provide links between mobile computers, mobile phones, portable handheld devices, personal digital assistants (PDAs) and other mobile devices, and connectivity to the Internet. Bluetooth is a computing and telecommunications industry specification that details how mobile devices can easily interconnect with each other and with non-mobile devices using a short-range wireless connection. Bluetooth creates a digital wireless protocol to address the end-user problems arising from the proliferation of various mobile devices, such as the need to keep data synchronized and consistent from one device to another, thereby allowing equipment from different vendors to work seamlessly together. Bluetooth devices may be named according to a common naming concept. For example, a Bluetooth device may possess a Bluetooth Device Name (BDN) or a name associated with a unique Bluetooth Device Address (BDA). Bluetooth devices may also participate in an Internet Protocol (IP) network. If a Bluetooth device functions on an IP network, it may be provided with an IP address and an IP (network) name. Thus, a Bluetooth device configured to participate in an IP network may contain, e.g., a BDN, a BDA, an IP address and an IP name. The term "IP name" refers to the name corresponding to the IP address of an interface.
The IEEE standard IEEE 802.11 specifies technologies for wireless LANs and devices. Using 802.11, wireless networking may be accomplished with a single base station supporting several devices. In some examples, devices may come pre-equipped with wireless hardware, or a user may install a separate piece of hardware, such as a card, that may include an antenna. By way of example, devices used in 802.11 typically include three notable elements, whether the device is an access point (AP), a mobile station (STA), a bridge, a PCMCIA card or another device: a radio transceiver; an antenna; and a MAC (Media Access Control) layer that controls packet flow between nodes in the network.
In addition, Multiple Interface Devices (MIDs) may be used in some wireless networks. A MID may contain two independent network interfaces, such as a Bluetooth interface and an 802.11 interface, allowing the MID to participate in two separate networks as well as to interface with Bluetooth devices. A MID may have an IP address and a common IP (network) name associated with that IP address.
Wireless network devices may include, but are not limited to, Bluetooth devices, Multiple Interface Devices (MIDs), 802.11x devices (IEEE 802.11 devices including, e.g., 802.11a, 802.11b and 802.11g devices), HomeRF (Home Radio Frequency) devices, Wi-Fi (Wireless Fidelity) devices, GPRS (General Packet Radio Service) devices, 3G cellular devices, 2.5G cellular devices, GSM (Global System for Mobile Communications) devices, EDGE (Enhanced Data for GSM Evolution) devices, TDMA-type (Time Division Multiple Access) devices, or CDMA-type (Code Division Multiple Access) devices, including CDMA2000. Each network device may contain addresses of varying types, including but not limited to an IP address, a Bluetooth Device Address, a Bluetooth Common Name, a Bluetooth IP address, a Bluetooth IP Common Name, an 802.11 IP address, an 802.11 IP Common Name, or an IEEE MAC address.
Wireless networks also involve methods and protocols found in, e.g., Mobile IP (Internet Protocol) systems, PCS systems and other mobile network systems. Mobile IP is a standard communications protocol created by the Internet Engineering Task Force (IETF). With Mobile IP, mobile device users can move across networks while keeping their once-assigned IP address. See Request for Comments (RFC) 3344. Note: RFCs are formal documents of the Internet Engineering Task Force (IETF). Mobile IP enhances the Internet Protocol (IP) and adds a means of forwarding Internet traffic to mobile devices when they connect outside their home network. Mobile IP assigns each mobile node a home address on its home network and a care-of address (CoA) that identifies the current location of the device within a network and its subnets. When a device moves to a different network, it receives a new care-of address. A mobility agent on the home network can associate each home address with its care-of address. The mobile node can send a binding update to the home agent each time it changes its care-of address, using, e.g., the Internet Control Message Protocol (ICMP).
In basic IP routing (e.g., outside Mobile IP), routing mechanisms rely on the assumptions that each network node always has a constant attachment point to, e.g., the Internet, and that each node's IP address identifies the network link it is attached to. In this document, the term "node" includes a connection point, which can include, e.g., a redistribution point or an end point for data transmission, and which can recognize, process and/or forward communications to other nodes. For example, Internet routers can look at, e.g., an IP address prefix or the like that identifies a device's network. Then, at the network level, routers can look at, e.g., a set of bits identifying a particular subnet. Then, at the subnet level, routers can look at, e.g., a set of bits identifying a particular device. With typical Mobile IP communications, if a user disconnects a mobile device from, e.g., the Internet and tries to reconnect it on a new subnet, the device has to be reconfigured with a new IP address, a proper netmask and a default router. Otherwise, routing protocols would not be able to deliver the packets properly.
FIG. 4 depicts some illustrative architectural components that can be employed in some illustrative and non-limiting implementations including wireless access points with which client devices communicate. In this regard, FIG. 4 shows an illustrative wireline network 20 connected to a wireless local area network (WLAN) generally designated 21. The WLAN 21 includes an access point (AP) 22 and a number of user stations 23, 24. For example, the wireline network 20 can include the Internet or a corporate data processing network. For example, the access point 22 can be a wireless router, and the user stations 23, 24 can be, e.g., portable computers, personal desktop computers, PDAs, portable voice-over-IP telephones and/or other devices. The access point 22 has a network interface 25 linked to the wireline network 21, and a wireless transceiver in communication with the user stations 23, 24. For example, the wireless transceiver 26 can include an antenna 27 for radio or microwave frequency communication with the user stations 23, 24. The access point 22 also has a processor 28, a program memory 29 and a random access memory 31. The user station 23 has a wireless transceiver 35 including an antenna 36 for communication with the access point station 22. In a similar fashion, the user station 24 has a wireless transceiver 38 and an antenna 39 for communication with the access point 22.
In some preferred embodiments described herein, systems and methods are described that proactively establish higher-layer and lower-layer contexts of different media. Here, media includes, e.g., networks accessible by mobile devices (e.g., wired, licensed wireless, unlicensed wireless, etc.). See, e.g., the media discussed in IEEE 802 (including IEEE 802.21). Media can include, e.g., wireless LAN (e.g., IEEE 802.11), IEEE 802.16, IEEE 802.20, Bluetooth, etc. Some illustrative examples include: 1) a mobile device switching from a cellular network to a wireless or WiFi network, such as a mobile device with a cellular interface and a wireless interface trying to obtain WiFi access by acquiring initial information (e.g., keys, etc.) over the cellular network, rather than setting up the wireless interface at the same time; 2) where a mobile device currently has a wireless or WiFi connection, potentially in situations such as when the WLAN is shutting down quickly, the mobile device can, by way of example, proactively perform pre-authentication via the cellular network (i.e., so that it can switch quickly if needed). In some illustrative cases, a mobile node with a single IEEE 802.xx interface may roam among multiple subnets and multiple administrative domains. While keeping multiple interfaces always on is an option, a mobile node may want to deactivate unused interfaces in some cases (e.g., to save power, etc.). In addition, MPA can provide, among other things, secure and seamless mobility optimization that works for inter-subnet handoff, inter-domain handoff, inter-technology handoff, etc., as well as for the use of multiple interfaces.
PANA:
For ease of reference, information about PANA is quoted here from P. Jayaraman, "PANA Framework," Internet-Draft, draft-ietf-pana-framework-01.txt, work in progress, July 2004. In this regard, PANA is a link-layer-agnostic network access authentication protocol that runs between a node wishing to gain access to the network and a server on the network side. PANA defines a new EAP [see B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson and H. Levkowetz, "Extensible Authentication Protocol (EAP)," RFC 3748, June 2004] lower layer that uses IP between the protocol end points.
The motivation and requirements for defining this protocol are described in Yegin, A. and Y. Ohba, Protocol for Carrying Authentication for Network Access (PANA) Requirements, draft-ietf-pana-requirements-08 (work in progress), June 2004. The protocol details are documented in Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H. and A. Yegin, Protocol for Carrying Authentication for Network Access (PANA), draft-ietf-pana-pana-04 (work in progress), May 2004. Parthasarathy, M., PANA Enabling IPsec Based Access Control, draft-ietf-pana-ipsec-03 (work in progress), May 2004, describes the use of IPsec for access control following PANA-based authentication. IPsec can be used for per-packet access control, but it is not the only way to achieve this functionality. Other methods include relying on physical protection and link-layer ciphering. Separating the PANA server from the entity performing access control is considered an optional deployment. SNMP [see Mghazli, Y., Ohba, Y. and J. Bournelle, SNMP Usage for PAA-2-EP Interface, draft-ietf-pana-snmp-00 (work in progress), April 2004] is chosen as the protocol for carrying the relevant information between the separated nodes.
PANA is designed to provide support for various types of deployments. Access networks can differ based on the availability of lower-layer security, the placement of PANA entities, client IP configuration, authentication methods, etc.
PANA can be used on any access network regardless of the underlying lower-layer security. For example, the network can be physically secured, or secured by cryptographic mechanisms after successful client-network authentication.
The PANA client, the PANA authentication agent, the authentication server and the enforcement point are the functional entities in this design. The PANA authentication agent and the enforcement point can be placed on various elements in the access network (such as an access point, an access router or a dedicated host).
IP address configuration mechanisms also vary. Static configuration, DHCP and stateless address autoconfiguration are possible choices. If an IPsec tunnel is used for per-packet security, the IP address configured inside the tunnel also becomes relevant, since there are additional choices such as IKE.
The PANA protocol is designed to facilitate the authentication and authorization of clients in access networks. PANA is an EAP [see Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J. and H. Levkowetz, Extensible Authentication Protocol (EAP), RFC 3748, June 2004] lower layer that carries EAP authentication methods, encapsulated inside EAP, between a client host and an agent in the access network. While PANA enables the authentication process between the two entities, it is only one part of an overall AAA and access control framework. An AAA and access control framework using PANA is composed of four functional entities, as discussed below and shown in FIGS. 1(A) to 1(C).
The first functional entity is the PANA Client (PaC), which is the client implementation of the PANA protocol. This entity resides on the end host that requests network access. End hosts include, e.g., laptops, PDAs, cell phones, desktop PCs and/or similar devices connected to the network via a wired or wireless interface. The PaC is responsible for requesting network access and engaging in the authentication process using the PANA protocol.
The second functional entity is the PANA Authentication Agent (PAA), which is the server implementation of the PANA protocol. The PAA is responsible for interfacing with PaCs to authenticate and authorize them for network access service. The PAA consults an authentication server to verify the credentials and rights of a PaC. If the authentication server resides on the same host as the PAA, an application programming interface (API) is sufficient for this interaction. When they are separated (the common case in public access networks), a protocol must run between the two. LDAP [see Hodges, J. and R. Morgan, Lightweight Directory Access Protocol (v3): Technical Specification, RFC 3377, September 2002] and AAA protocols such as RADIUS [see Rigney, C., Willens, S., Rubens, A. and W. Simpson, Remote Authentication Dial In User Service (RADIUS), RFC 2865, June 2000] and Diameter [see Calhoun, P., Loughney, J., Guttman, E., Zorn, G. and J. Arkko, Diameter Base Protocol, RFC 3588, September 2003] are commonly used for this purpose.
The PAA is also responsible for updating the access control state (i.e., filters) according to the creation and deletion of authorization state. The PAA communicates the updated state to the enforcement points in the network. If the PAA and the EP reside on the same host, an API is sufficient for this communication. Otherwise, a protocol is required to carry the authorized client attributes from the PAA to the EP. Although other protocols are not prohibited, SNMP [see Mghazli, Y., Ohba, Y. and J. Bournelle, SNMP Usage for PAA-2-EP Interface, draft-ietf-pana-snmp-00 (work in progress), April 2004] is currently suggested for this task.
The PAA resides on a node of the access network commonly called a network access server (NAS). The PAA may be hosted on any IP-capable node on the same IP subnet as the PaC, for example on the BAS (Broadband Access Server) in DSL networks, or on the PDSN in 3GPP2 networks.
The third functional entity is the Authentication Server (AS), which is a server implementation responsible for verifying the credentials of a PaC that requests network access service. The AS receives requests from the PAA on behalf of PaCs and responds with the result of authentication together with authorization parameters (e.g., allowed bandwidth, IP configuration, etc.). The AS may be hosted on the same host as the PAA, on a dedicated host on the access network, or on a central server somewhere else on the Internet.
The fourth functional entity is the Enforcement Point (EP), which is an access control implementation responsible for allowing access to authorized clients while preventing access by others. The EP learns the attributes of authorized clients from the PAA. The EP uses non-cryptographic or cryptographic filters to selectively allow or discard packets. These filters are applied at the link layer or the IP layer. When cryptographic access control is used, a secure association protocol needs to run between the PaC and the EP. After the secure association protocol establishes the required security associations to enable integrity protection, data origin authentication, replay protection and, optionally, confidentiality protection, link-layer or network-layer protection (e.g., TKIP, IPsec ESP) is used. EPs can be placed strategically on the local area network to minimize access by unauthorized clients to the network. For example, an EP can be placed on a switch that directly connects to clients in a wired network. That way, the EP can drop unauthorized packets before they reach other client hosts or go beyond the local area network.
Depending on the deployment scenario, some of the entities can be co-located. For example, the PAA and the EP can be on the same node (the BAS) in DSL networks. In that case, a simple API between the PAA and the EP is sufficient. In small enterprise deployments, the PAA may be hosted on the same node as the AS (e.g., an access router), which eliminates the need to run a protocol between the two. The decision on whether to co-locate these entities, and their exact placement in the network topology, are deployment decisions.
IKE or a 4-way handshake protocol is needed for the secure association only when there is no lower-layer security in place before PANA runs. Physically secured networks (such as DSL) or networks that are cryptographically protected prior to running PANA (e.g., cdma2000) do not require an additional secure association or per-packet ciphering. These networks can bind the PANA authentication and authorization to the available lower-layer secure channels.
The EP on the access network allows general data traffic from any authorized PaC, whereas for unauthorized PaCs it allows only limited types of traffic (such as PANA, DHCP and router discovery). This ensures that newly attached clients have the minimum access service needed to engage in PANA and obtain authorization for unlimited service.
A PaC needs to configure an IP address prior to running PANA. After successful PANA authentication, depending on the deployment scenario, the PaC may need to reconfigure its IP address or configure additional IP addresses. This additional address configuration may be carried out as part of the secure association protocol run.
An initially unauthorized PaC starts PANA authentication by discovering the PAA on the access network, followed by the EAP exchange over PANA. The PAA interacts with the AS during this process. Upon receiving the authentication and authorization result from the AS, the PAA informs the PaC of the result of its network access request.
If the PaC is authorized to access the network, the PAA also sends the PaC-specific attributes (e.g., IP address, cryptographic keys, etc.) to the EP using SNMP. The EP uses this information to alter its filters so that data traffic from and to the PaC can pass through.
Where cryptographic access control needs to be enabled after PANA authentication, a secure association protocol runs between the PaC and the EP. The PaC should have the input parameters for this process as a result of the successful PANA exchange. Similarly, the EP should obtain them from the PAA via SNMP. The secure association exchange produces the required security associations between the PaC and the EP to enable cryptographic data traffic protection. Per-packet cryptographic data traffic protection introduces additional per-packet overhead, but this overhead exists only between the PaC and the EP and does not affect communication beyond the EP. Given this, it is very important to place the EP as close to the edge of the network as possible.
Finally, data traffic can start flowing to and from the newly authorized PaC.
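The four-entity flow just described (PaC discovers the PAA, the PAA consults the AS, the PAA pushes the authorized client's attributes to the EP, and the EP widens its filters) is easier to see in code. The following Python simulation is an added illustration and is not code from the patent or from the PANA drafts: an HMAC challenge-response stands in for the EAP method, a method call stands in for the SNMP update from PAA to EP, and the user store, addresses and service labels are constructed.

```python
"""Simulation of the PANA access-control flow above (PaC, PAA, AS, EP).
Added illustration, not code from the patent or the PANA drafts: an HMAC
challenge-response stands in for the EAP method and a method call for the
SNMP update from PAA to EP; the user store and addresses are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Traffic an unauthorized host may still send: the minimum access service
# needed to engage in PANA (PANA itself, DHCP, router discovery).
BOOTSTRAP_SERVICES = frozenset({"PANA", "DHCP", "ROUTER_DISCOVERY"})


@dataclass(frozen=True)
class Packet:
    src_ip: str
    service: str  # constructed label for the traffic type


class AuthServer:
    """AS: verifies PaC credentials and returns authorization parameters."""
    def __init__(self, users):
        self._users = dict(users)  # identity -> shared secret (constructed)

    def verify(self, identity, challenge, response):
        secret = self._users.get(identity)
        if secret is None:
            return None  # unknown identity
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None  # wrong credential
        # Authorization parameters of the kind the text names (allowed
        # bandwidth) plus key material for the PaC-EP secure association.
        sa_key = hmac.new(secret, b"sa" + challenge, hashlib.sha256).digest()
        return {"bandwidth_kbps": 1024, "sa_key": sa_key}


class EnforcementPoint:
    """EP: per-host filters; general traffic passes only for authorized hosts."""
    def __init__(self):
        self.authorized = {}  # src_ip -> attributes pushed by the PAA

    def install(self, src_ip, attrs):  # stands in for the SNMP PAA->EP update
        self.authorized[src_ip] = attrs

    def allow(self, pkt):
        if pkt.src_ip in self.authorized:
            return True
        return pkt.service in BOOTSTRAP_SERVICES


class PAA:
    """PAA: runs the exchange with the PaC, consults the AS, updates the EP."""
    def __init__(self, auth_server, ep):
        self.auth_server = auth_server
        self.ep = ep
        self._pending = {}  # src_ip -> outstanding challenge

    def start(self, src_ip):
        challenge = os.urandom(16)
        self._pending[src_ip] = challenge
        return challenge

    def finish(self, src_ip, identity, response):
        challenge = self._pending.pop(src_ip, None)
        if challenge is None:
            return False  # no exchange in progress for this host
        result = self.auth_server.verify(identity, challenge, response)
        if result is None:
            return False  # PaC stays unauthorized; EP filters unchanged
        self.ep.install(src_ip, {"identity": identity, **result})
        return True


class PaC:
    """PaC: requests access and answers the PAA's challenge."""
    def __init__(self, src_ip, identity, secret):
        self.src_ip, self.identity, self.secret = src_ip, identity, secret

    def respond(self, challenge):
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


def run_access(identity, secret, services=("PANA", "DHCP", "HTTP")):
    """Run one PaC through the flow and report what the EP let through."""
    ep = EnforcementPoint()
    paa = PAA(AuthServer({"alice": b"alice-secret"}), ep)  # constructed store
    pac = PaC("10.0.0.5", identity, secret)
    before = {s: ep.allow(Packet(pac.src_ip, s)) for s in services}
    ok = paa.finish(pac.src_ip, pac.identity, pac.respond(paa.start(pac.src_ip)))
    after = {s: ep.allow(Packet(pac.src_ip, s)) for s in services}
    other = ep.allow(Packet("10.0.0.9", "HTTP"))  # host that never authenticated
    return {"authorized": ok, "before": before, "after": after, "other_host_http": other}
```

Calling `run_access("alice", b"alice-secret")` shows the EP passing only PANA and DHCP from the host before authorization and HTTP as well afterwards, while a wrong credential or unknown identity leaves the filters untouched for that host and every other one.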
Introduction to the present invention
With the widespread use of wireless technologies including cellular and wireless LAN, supporting terminal handoff across different types of access networks, such as from WLAN to CDMA or to GPRS, is considered a significant challenge. On the other hand, supporting terminal handoff across access networks of the same type still poses further challenges, especially when the handoff crosses IP subnets or administrative domains. To address these challenges, it is important to provide terminal mobility in an optimized and secure manner that is agnostic to link-layer technologies, without introducing unreasonable complexity. In this document, we discuss terminal mobility that provides seamless handoff with low latency and low loss. Seamless handoff is characterized by the performance requirements described in the next section.
Terminal mobility is essentially accompanied by a mobility management protocol that maintains a binding between an identifier and a locator of the mobile terminal; this binding is referred to as a mobility binding. When a mobile terminal moves, the locator of the mobile node changes dynamically. The movement that causes the locator to change may be physical or logical. In the remainder of this document, the term "mobility management protocol" refers to a mobility management protocol that works at the network layer or higher.
There are several mobility management protocols at different layers. Mobile IP [RFC 3344] and Mobile IPv6 [RFC 3775] are mobility management protocols that work at the network layer. Several efforts are under way in the IETF to define mobility management protocols at layers higher than the network layer. For example, MOBIKE (IKEv2 Mobility and Multihoming) [I-D.ietf-mobike-design] is an extension to IKEv2 that provides the ability to handle changes of the IP addresses of the IKEv2 end points. HIP (Host Identity Protocol) [I-D.ietf-hip-base] defines a new protocol layer between the network layer and the transport layer to provide terminal mobility in a way that is transparent to both the network layer and the transport layer. SIP-Mobility is an extension to SIP that maintains the mobility binding of a SIP user agent [SIPMM].
Although mobility management protocols maintain mobility bindings, using them alone in their current form is not sufficient to provide seamless handoff. To achieve seamless handoff, additional optimization mechanisms that work in the visited networks of the mobile terminal are needed to prevent the significant packet loss that occurs while the mobility binding is being updated. Such mechanisms are referred to as mobility optimization mechanisms. For example, mobility optimization mechanisms [I-D.ietf-mobileip-lowlatency-handoffs-v4] and [I-D.ietf-mipshop-fast-mipv6] are defined for Mobile IPv4 and Mobile IPv6, respectively, by allowing neighboring access routers to communicate and carry information about the mobile terminal.
Some agreements are taken as mobility optimization mechanism " assistant ".CARD (candidate access router discovery mechanism) agreement [I-D.ietf-seamoby-card-protocol] is designed to find contiguous couple in router.Delivery and the service associated state or the context that provide for described portable terminal between couple in router are provided CTP (context transfer protocol) [I-D.ietf-seamoby-ctp].
There are several problems in the present existing mobility optimization mechanism.The first, existing mobility optimization mechanism and specific mobility management protocol are closely related.For example, can not use mobility optimization mechanism for MOBIKE as the design of mobile IPv 4 or mobile IP v 6.Strong what wish is single unified mobility optimization mechanism, its can with any mobility management protocol co-operation.The second, if do not suppose pre-established security association between the management domain, then existing mobility optimization mechanism can not easily be supported in the switching between the management domain.Only based on the trusting relationship between mobile node and each management domain, the mobility optimization mechanism should be crossed over management domain with secured fashion and be carried out work.The 3rd, the mobility optimization mechanism not only needs to support to occur a plurality of many interface terminations that connect simultaneously by a plurality of interfaces, also needs to support single interface termination.
Presents has been described the framework of the pre-authentication (MPA) that is independent of medium, a kind of new handover optimization mechanism, and it has the possibility that solves all the problems referred to above.MPA moves auxiliary safe handover optimization scheme, and it can be operated in any link layer, and can work with any mobility management protocol, and these agreements comprise mobile IPv 4, mobile IP v 6, MOBIKE, HIP, SIP mobility etc.In MPA, the notion of IEEE 802.11i pre-authentication is expanded in more high-rise work, utilizes extra mechanism that the IP address of the network that may move to from portable terminal is obtained in early days, and switches to this network on one's own initiative, simultaneously, described portable terminal still is connected to current network.Presents is concentrated and is paid close attention to described MPA framework.When using such framework, based on the disclosure, those skilled in the art may be embodied as actual agreements collection and the detail operations that MPA selects.Below Biao Shi file [I-D.ohba-mobopts-mpa-implementation] provides a kind of method, has described use between existing protocol and mutual, thereby has realized that MPA is functional.
Performance requirements
To provide the desired quality of service for interactive VoIP and streaming traffic, the values of end-to-end delay, jitter and packet loss need to be kept below certain thresholds. ITU-T and ITU-E standards have defined acceptable values for these parameters. For example, for one-way delay, ITU-T G.114 recommends 150 milliseconds as the upper limit for most applications and 400 milliseconds as a generally unacceptable delay. The one-way delay tolerance for video conferencing is in the range of 200 to 300 milliseconds. Also, an out-of-order packet received after a certain threshold is considered lost. Some measurement techniques for delay and jitter are described in the references [RFC 2679], [RFC 2680] and [RFC 2681] listed below.
End-to-end delay generally consists of several components, such as network delay, operating system (OS) delay, CODEC delay and application delay. Network delay comprises transmission delay, propagation delay and queueing delay in intermediate routers. Operating-system-related delay is determined by the scheduling behaviour of the sender's and receiver's operating systems. CODEC delay is usually caused by packetization and depacketization at the sending and receiving ends.
Application delay is mainly due to playout delay, which helps to compensate for delay variation in the network. End-to-end delay and jitter can be adjusted with an appropriate playout buffer size at the receiver. For example, in the case of interactive VoIP traffic, end-to-end delay affects jitter and is an important issue to consider. During frequent handovers of a mobile device, transient packets may not reach the mobile device, which also causes jitter.
If the end system has a playout buffer, this jitter is absorbed by the playout buffer delay; otherwise it adds to the delay of the interactive stream. Packet loss is usually caused by congestion, route instability, link failure, or lossy links such as radio links. During a handover, a mobile device suffers packet loss because of the change of the network it is attached to. Therefore, for both streaming traffic and interactive VoIP traffic, packet loss affects the quality of service of real-time applications.
The number of packets lost is proportional to the handover delay and to the rate of the traffic received by the mobile device. In the case of TCP traffic, lost packets cause congestion because of retransmissions, whereas in the case of RTP/UDP streaming traffic they do not add any congestion. Therefore, reducing packet loss and handover delay is a key point of any mobility management scheme. In part 2 below, "Existing work on fast handover", we describe some fast handover schemes that attempt to reduce handover delay.
According to the reference [ETSI] ETSI TR 101 listed below, a normal voice conversation can tolerate at most 2% packet loss. If a mobile device hands over frequently during a session, every handover contributes to the packet loss of that session. Therefore, the maximum loss during a session needs to be reduced to an acceptable level.
There is no clear threshold for packet loss in streaming applications, but packet loss needs to be reduced as much as possible to provide a better quality of service for the specific application.
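The metrics discussed in this section (one-way delay, jitter, packet loss including late out-of-order packets) can be computed from per-packet timestamps and compared with the thresholds quoted above. The following is an added example, not code from the patent or its authors; the packet records, the 30 ms reorder threshold, the RFC 3550-style jitter estimator and the helper names are assumptions made for illustration.

```python
"""Added example (not part of the patent text): per-session QoS metrics from
constructed packet records, checked against the thresholds quoted in the text
(150 ms one-way delay from ITU-T G.114, 2% loss from ETSI TR 101)."""
from dataclasses import dataclass
from typing import List, Optional

MAX_ONE_WAY_DELAY_MS = 150.0  # ITU-T G.114 upper limit cited in the text
MAX_VOICE_LOSS = 0.02         # ETSI TR 101 voice tolerance cited in the text


@dataclass
class Packet:
    seq: int
    sent_ms: float
    recv_ms: Optional[float]  # None: never arrived


def one_way_delays(pkts: List[Packet]) -> List[float]:
    """Per-packet one-way delay for the packets that did arrive."""
    return [p.recv_ms - p.sent_ms for p in pkts if p.recv_ms is not None]


def interarrival_jitter(pkts: List[Packet]) -> float:
    """Smoothed interarrival jitter in the style of RFC 3550: J += (|D| - J) / 16,
    where D is the change in transit time between consecutive arrivals (assumed estimator)."""
    received = sorted((p for p in pkts if p.recv_ms is not None), key=lambda p: p.recv_ms)
    jitter = 0.0
    for a, b in zip(received, received[1:]):
        d = (b.recv_ms - b.sent_ms) - (a.recv_ms - a.sent_ms)
        jitter += (abs(d) - jitter) / 16.0
    return jitter


def loss_rate(pkts: List[Packet], reorder_threshold_ms: float) -> float:
    """A packet counts as lost if it never arrived, or if it arrived out of order
    more than reorder_threshold_ms after a higher-numbered packet (the text's rule)."""
    by_seq = sorted(pkts, key=lambda p: p.seq)
    lost = 0
    for i, p in enumerate(by_seq):
        if p.recv_ms is None:
            lost += 1
            continue
        later = [q.recv_ms for q in by_seq[i + 1:] if q.recv_ms is not None]
        if later and p.recv_ms - min(later) > reorder_threshold_ms:
            lost += 1
    return lost / len(by_seq)


def assess(pkts: List[Packet], reorder_threshold_ms: float = 30.0) -> dict:
    """Summarize the metrics and compare them with the quoted thresholds."""
    delays = one_way_delays(pkts)
    loss = loss_rate(pkts, reorder_threshold_ms)
    return {
        "max_delay_ms": max(delays),
        "jitter_ms": interarrival_jitter(pkts),
        "loss_rate": loss,
        "delay_ok": max(delays) <= MAX_ONE_WAY_DELAY_MS,
        "voice_loss_ok": loss <= MAX_VOICE_LOSS,
    }


def sample_packets() -> List[Packet]:
    """Constructed 20 ms voice stream with 80 ms transit: one packet lost during a
    handover (seq 5) and one delayed so much that it arrives after seq 8 and 9 (seq 7)."""
    pkts = [Packet(seq, seq * 20.0, seq * 20.0 + 80.0) for seq in range(10)]
    pkts[5] = Packet(5, 100.0, None)
    pkts[7] = Packet(7, 140.0, 280.0)
    return pkts


if __name__ == "__main__":
    print(assess(sample_packets()))
```

On the constructed stream the delay stays within the 150 ms limit, but two handover-related losses in ten packets already exceed the 2% voice tolerance, which is the point the text makes about frequent handovers.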
Existing work on fast handover
Although basic mobility management protocols such as Mobile IP (see reference [RFC3344] below), Mobile IPv6 (see reference [RFC 3775] below) and SIP mobility (see reference [SIPMM] below) provide solutions for continuity of TCP and RTP traffic, they do not optimize handover latency to reduce the effect of frequent movement of a mobile device between subnets and domains. In general, these mobility management protocols suffer from handover delay that occurs at several layers, for example layer 2, layer 3 and the application layer used to update the mobility binding of the mobile device.
Several optimization techniques have been used in current mobility management schemes to try to reduce handover delay and packet loss when a mobile device moves between cells, subnets and domains. There are several micro-mobility management schemes (see, for example, references [CELLIP] and [HAWAII] below) and intra-domain mobility management schemes (see, for example, references [IDMP] and [I-D.ietf-mobileip-reg-tunnel] below) that provide fast handover by confining signaling updates within a domain. The fast Mobile IP protocols for IPv4 and IPv6 networks (see references [I-D.ietf-mobileip-lowlatency-handoffs-v4] and [I-D.ietf-mipshop-fast-mipv6] below) provide fast handover techniques that make use of mobility information available through link-layer triggers. Yokota et al. (see reference [YOKOTA] below) propose the joint use of an access point and a dedicated MAC bridge to provide fast handover without changing the MIPv4 specification. The MACD scheme (see reference [MACD] below) reduces the delay caused by MAC-layer handover by providing a cache-based algorithm.
Some mobility management schemes use dual interfaces and thus provide a make-before-break situation (see reference [SUM] below). In a make-before-break situation, communication usually continues over one interface while the second interface is in the process of connecting. The IEEE 802.21 working group is discussing these situations.
Compared with multi-interface clients, providing fast handover with a single interface requires more careful design techniques. Reference [SIPFAST] below provides an optimized handover scheme for SIP-based mobility management, in which transient data is forwarded from the old subnet to the new subnet by an application-layer forwarding scheme. Reference [MITH] below provides a fast handover scheme for the single-interface case that uses mobile-initiated tunneling between the old foreign agent and the new foreign agent. Reference [MITH] defines two types of handover scheme, Pre-MIT and Post-MIT.
In some respects the proposed MPA scheme is generally similar to the predictive scheme of MITH, in which the mobile device communicates with the foreign agent before actually moving to the new network. However, in particular, the proposed MPA scheme described in this document is not restricted to MIP-type mobility protocols. In addition, this scheme also focuses on movement between domains and, besides proactive handover, performs pre-authentication. Therefore, in particular, the proposed scheme can reduce the overall delay so that it approaches the link-layer handover delay.
Terminology
The following terms are used in this document:
Mobility binding:
The binding between the identifier of a mobile terminal and its locator.
Mobility management protocol (MMP):
A protocol operating at the network layer or higher that maintains the binding between the identifier of a mobile terminal and its locator.
Binding update:
The process of updating a mobility binding.
Media-independent pre-authentication mobile node (MN):
A mobile terminal of Media-independent Pre-Authentication (MPA), a mobile-assisted secure handover optimization scheme that works over any link layer and with any mobility management protocol. An MPA mobile node is an IP node. In this document, the terms "mobile node" or "MN" without a modifier refer to an "MPA mobile node". An MPA mobile node usually also has the mobile node functionality of a mobility management protocol.
Candidate target network (CTN):
A network to which the mobile device is about to move.
Target network (TN):
The network to which the mobile device has decided to move. The target network is selected from one or more candidate target networks.
Proactive handover tunnel (PHT):
A bidirectional IP tunnel established between the MPA mobile node and an access router of a candidate target network. In this document, the term "tunnel" without a modifier refers to a "proactive handover tunnel".
Point of attachment (PoA):
A link-layer device (for example, a switch, access point or base station) that serves as the link-layer point of attachment of the MPA mobile node to a network.
Care-of address (CoA):
An IP address used by a mobility management protocol as the locator of the MPA mobile node.
The MPA framework
The following subsections discuss illustrative and non-limiting aspects of the Media-independent Pre-Authentication (MPA) framework.
1. Overview
Media-independent Pre-Authentication (MPA) is a mobile-assisted, secure handover optimization scheme that works over any link layer and with any mobility management protocol. With MPA, a mobile node can not only securely obtain an IP address and other configuration parameters of a candidate target network (CTN), but can also send and receive IP packets using the obtained IP address before it is physically attached to the CTN. This allows the mobile node to complete the binding update of any mobility management protocol and to use the new CoA before the link-layer handover takes place.
This functionality is provided by allowing a mobile node that is attached to the current network, but not yet to the CTN, to (i) establish a security association with the CTN to protect subsequent protocol signaling; (ii) then securely run a configuration protocol to obtain an IP address and other parameters from the CTN, and run a tunnel management protocol to establish a proactive handover tunnel (PHT) between the mobile node and an access router of the CTN; (iii) then send and receive IP packets over the PHT using the obtained IP address as the tunnel inner address, including the signaling messages for the binding update of the mobility management protocol (MMP) and the data packets transmitted after the binding update is completed; and finally (iv) when the CTN becomes the target network, delete or disable the PHT before attaching to the CTN, and, immediately after the mobile node attaches to the target network through an interface, reassign the inner address of the deleted or disabled tunnel to that physical interface. Instead of deleting or disabling the tunnel before attaching to the target network, the tunnel may be deleted or disabled immediately after attaching to the target network.
In particular, the third step allows the mobile device to complete the higher-layer handover before the link-layer handover begins. This means that the mobile device can send and receive over the tunnel the packets transmitted after completion of the binding update, while it can still send and receive outside the tunnel the packets transmitted before completion of the binding update.
Of the four basic MPA procedures above, the first step is also referred to as "pre-authentication", the second step is referred to as "pre-configuration", and the third and fourth steps together are referred to as "secure proactive handover". The security association established by pre-authentication is called the "MPA-SA". As noted before, the tunnel established by pre-configuration is called the "proactive handover tunnel" (PHT).
2. Functional elements
In the MPA framework, in a preferred embodiment, the following functional elements reside in each CTN to communicate with the mobile node: an authentication agent (AA), a configuration agent (CA) and an access router (AR). Some or all of these elements may be placed in a single network device or in separate network devices.
The authentication agent is responsible for pre-authentication. An authentication protocol is run between the mobile node and the authentication agent to establish the MPA-SA. The authentication protocol needs to derive a key between the mobile node and the authentication agent, and should provide mutual authentication. The authentication protocol should be able to interact with an AAA protocol such as RADIUS or Diameter in order to carry authentication credentials to an appropriate authentication server in the AAA infrastructure. The derived key is used to further derive keys for protecting the messages used for pre-configuration and secure proactive handover. Other keys used to bootstrap link-layer and/or network-layer ciphers may also be derived from the MPA-SA. A protocol that can carry EAP (see, for example, reference [RFC 3748] below) is suitable as the authentication protocol for MPA.
The configuration agent is responsible for one part of pre-configuration, namely securely running a configuration protocol to securely deliver an IP address and other configuration parameters to the mobile node. The signaling messages of the configuration protocol need to be protected using a key derived from the key corresponding to the MPA-SA.
The access router is a router responsible for the other part of pre-configuration, namely securely running a tunnel management protocol to establish a proactive handover tunnel to the mobile node, and using the proactive handover tunnel to secure the proactive handover. The signaling messages of the configuration protocol need to be protected using a key derived from the key corresponding to the MPA-SA. IP packets transmitted in the proactive handover tunnel should be protected using a key derived from the key corresponding to the MPA-SA.
3. Basic communication flow
Assume that the mobile node is already attached to a point of attachment, oPoA (old point of attachment), and has been assigned a care-of address, oCoA (old care-of address). The MPA communication flow is described below. Throughout the flow, no packet loss should occur during the exchanges except in step 5, and minimizing the packet loss during that step is the responsibility of the link-layer handover.
Step 1 (pre-authentication phase):
The mobile node discovers a CTN through some discovery process and obtains, by some method, the IP addresses of the authentication agent, configuration agent and access router in the CTN. The mobile node performs pre-authentication with the authentication agent. If pre-authentication succeeds, an MPA-SA is created between the mobile node and the authentication agent. Two keys are derived from the MPA-SA, the MN-CA key and the MN-AR key, which are used to protect the subsequent signaling messages of the configuration protocol and of the tunnel management protocol respectively. The MN-CA key and the MN-AR key are then securely delivered to the configuration agent and the access router respectively.
Step 2 (pre-configuration phase):
The mobile node realizes that its point of attachment is likely to change from oPoA to a new one, nPoA (new point of attachment). It then performs pre-configuration: with the configuration agent, using the configuration protocol, it obtains an IP address, nCoA (new care-of address), and other configuration parameters from the CTN; with the access router, using the tunnel management protocol, it establishes a proactive handover tunnel. In the tunnel management protocol the mobile node registers oCoA and nCoA as the tunnel outer address and the tunnel inner address respectively. The signaling messages of the pre-configuration protocols are protected with the MN-CA key and the MN-AR key. When the configuration agent and the access router are co-located in the same device, the two protocols may be combined into a single protocol similar to IKEv2. After the tunnel is established, the mobile node can communicate using both oCoA and nCoA until step 4 completes.
Step 3 (secure proactive handover, main phase):
The mobile node decides, by some method, to hand over to the new point of attachment. Before the mobile node hands over to the new point of attachment, it starts secure proactive handover (main phase) by performing the binding update of the mobility management protocol and transmitting subsequent data traffic over the tunnel. In some cases, multiple nCoA addresses may be cached and bound simultaneously with the correspondent host (CH) or home agent (HA) (for example, in the Mobile IPv6 standard RFC 3775, when a mobile node roams into a foreign network it is assigned a care-of address (CoA), and the mobile node notifies its home agent (HA) and correspondent nodes (CN) of its new CoA by a binding update procedure).
Step 4 (secure proactive handover, pre-switching phase):
The mobile node completes the binding update and becomes ready to switch to the new point of attachment. The mobile node may run the tunnel management protocol to delete or disable the proactive handover tunnel, and caches nCoA after deleting or disabling the tunnel. The decision as to when the mobile node is ready to switch to the new point of attachment depends on the handover policy.
Step 5 (switching):
The expected link-layer handover occurs in this step.
Step 6 (secure proactive handover, post-switching phase):
The mobile node performs the switching procedure. After the switching procedure completes successfully, the mobile node immediately restores the cached nCoA and assigns it to the physical interface attached to the new point of attachment. If the proactive handover tunnel was not deleted or disabled in step 4, it may also be deleted or disabled here. After this, packets can be transmitted directly using nCoA, without the proactive handover tunnel.
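The six steps above can be followed end to end in a small simulation with one object per functional element. This is an added example and not code from the patent or the MPA authors: the key derivation (one HMAC-SHA256 per label over the MPA-SA key), the message formats, the stand-in for EAP in the authentication agent and the direct hand-over of the MN-CA and MN-AR keys to the agents are all assumptions; the text only states that both keys derive from the MPA-SA, are delivered securely, and protect the configuration protocol, the tunnel management protocol and the packets in the tunnel.

```python
# Added example, not code from the patent: simulation of the six-step MPA flow.
# KDF, message formats and key delivery are assumptions for illustration.
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


def derive_key(mpa_sa_key: bytes, label: bytes) -> bytes:
    """Assumed KDF: one HMAC-SHA256 per label (MN-CA, MN-AR) over the MPA-SA key."""
    return hmac.new(mpa_sa_key, label, hashlib.sha256).digest()


def tag(key: bytes, msg: bytes) -> bytes:
    """Integrity tag protecting a signaling message or a tunneled packet."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class AuthenticationAgent:
    """Pre-authentication endpoint; a shared secret stands in for an EAP method."""
    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret = identity, secret

    def pre_authenticate(self, identity: str, secret: bytes) -> Optional[bytes]:
        if identity != self.identity or not hmac.compare_digest(self.secret, secret):
            return None
        return hashlib.sha256(b"MPA-SA|" + identity.encode() + secret).digest()  # constructed


class ConfigurationAgent:
    def __init__(self, address_pool: List[str]):
        self.pool, self.mn_ca_key = list(address_pool), None

    def configure(self, request: bytes, request_tag: bytes) -> Tuple[str, bytes]:
        """Hand out nCoA only for a request protected with the MN-CA key."""
        if self.mn_ca_key is None or not hmac.compare_digest(tag(self.mn_ca_key, request), request_tag):
            raise PermissionError("configuration request not protected by MN-CA key")
        ncoa = self.pool.pop(0)
        return ncoa, tag(self.mn_ca_key, ncoa.encode())


class AccessRouter:
    def __init__(self):
        self.mn_ar_key: Optional[bytes] = None
        self.tunnels: Dict[str, str] = {}  # outer address (oCoA) -> inner address (nCoA)

    def _verified(self, msg: bytes, msg_tag: bytes) -> bool:
        return self.mn_ar_key is not None and hmac.compare_digest(tag(self.mn_ar_key, msg), msg_tag)

    def create_tunnel(self, outer: str, inner: str, msg_tag: bytes) -> None:
        if not self._verified(f"CREATE {outer} {inner}".encode(), msg_tag):
            raise PermissionError("tunnel request not protected by MN-AR key")
        self.tunnels[outer] = inner

    def delete_tunnel(self, outer: str, msg_tag: bytes) -> None:
        if not self._verified(f"DELETE {outer}".encode(), msg_tag):
            raise PermissionError("tunnel deletion not protected by MN-AR key")
        self.tunnels.pop(outer, None)

    def forward(self, outer: str, payload: bytes, pkt_tag: bytes) -> Optional[Tuple[str, bytes]]:
        """Decapsulate a PHT packet; drop it unless the tunnel exists and the tag verifies."""
        inner = self.tunnels.get(outer)
        if inner is None or not self._verified(payload, pkt_tag):
            return None
        return inner, payload


class MobileNode:
    def __init__(self, identity: str, secret: bytes, ocoa: str):
        self.identity, self.secret, self.coa, self.poa = identity, secret, ocoa, "oPoA"
        self.cached_ncoa: Optional[str] = None
        self.log: List[str] = []

    def run(self, aa: AuthenticationAgent, ca: ConfigurationAgent, ar: AccessRouter) -> List[str]:
        sa = aa.pre_authenticate(self.identity, self.secret)          # step 1: MPA-SA
        if sa is None:
            raise PermissionError("pre-authentication failed; no MPA-SA")
        mn_ca, mn_ar = derive_key(sa, b"MN-CA"), derive_key(sa, b"MN-AR")
        ca.mn_ca_key, ar.mn_ar_key = mn_ca, mn_ar                      # assumed secure delivery
        self.log.append("1:MPA-SA established")
        req = b"CONFIG " + self.identity.encode()                      # step 2: nCoA and PHT
        ncoa, ncoa_tag = ca.configure(req, tag(mn_ca, req))
        if not hmac.compare_digest(tag(mn_ca, ncoa.encode()), ncoa_tag):
            raise PermissionError("nCoA reply not protected by MN-CA key")
        ocoa = self.coa
        ar.create_tunnel(ocoa, ncoa, tag(mn_ar, f"CREATE {ocoa} {ncoa}".encode()))
        self.log.append(f"2:PHT {ocoa}->{ncoa}")
        for payload in (b"BINDING-UPDATE " + ncoa.encode(), b"DATA after BU"):  # step 3
            out = ar.forward(ocoa, payload, tag(mn_ar, payload))
            self.log.append(f"3:{payload.decode()} -> {out[0] if out else 'dropped'}")
        ar.delete_tunnel(ocoa, tag(mn_ar, f"DELETE {ocoa}".encode()))  # step 4
        self.cached_ncoa = ncoa
        self.log.append("4:PHT deleted, nCoA cached")
        self.poa = "nPoA"                                              # step 5: L2 switch
        self.log.append("5:L2 switch")
        self.coa, self.cached_ncoa = self.cached_ncoa, None            # step 6: use nCoA
        self.log.append(f"6:interface uses {self.coa}")
        return self.log


def demo() -> Tuple[MobileNode, AccessRouter]:
    """Constructed run: one MN and one CTN holding an AA, a CA and an AR."""
    aa = AuthenticationAgent("mn@example.org", b"constructed-secret")
    ca, ar = ConfigurationAgent(["192.0.2.10"]), AccessRouter()
    mn = MobileNode("mn@example.org", b"constructed-secret", "198.51.100.5")
    mn.run(aa, ca, ar)
    return mn, ar
```

The access router drops any tunneled packet or tunnel request whose tag does not verify under the MN-AR key, which is the property the text asks for when it says tunnel signaling and tunneled packets are protected by keys derived from the MPA-SA; the configuration agent applies the same rule with the MN-CA key.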
The access router is a router responsible for the other part of pre-configuration, namely securely running a tunnel management protocol to establish a proactive handover tunnel to the mobile node, and using this proactive handover tunnel to secure the proactive handover. The signaling messages of the configuration protocol must be protected using a key derived from the key corresponding to the MPA-SA. IP packets transmitted in the proactive handover tunnel should be protected using a key derived from the key corresponding to the MPA-SA.
References
In particular, the present invention provides various enhancements and improvements to the systems and methods described in the following references, the entire disclosures of which are incorporated herein by reference.
1. Bradner, S., "The Internet Standards Process - Revision 3", BCP 9, RFC 2026, October 1996. Referred to herein as [RFC2026].
2. Bradner, S., "IETF Rights in Contributions", BCP 78, RFC 3978, March 2005. Referred to herein as [RFC3978].
3. Perkins, C., "IP Mobility Support for IPv4", RFC 3344, August 2002. Referred to herein as [RFC3344].
4. Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004. Referred to herein as [RFC3748].
5. Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004. Referred to herein as [RFC3775].
6. Malki, K., "Low Latency Handoffs in Mobile IPv4", draft-ietf-mobileip-lowlatency-handoffs-v4-09 (work in progress), June 2004. Referred to herein as [I-D.ietf-mobileip-lowlatency-handoffs-v4].
7. Koodli, R., "Fast Handovers for Mobile IPv6", draft-ietf-mipshop-fast-mipv6-03 (work in progress), October 2004. Referred to herein as [I-D.ietf-mipshop-fast-mipv6].
8. Liebsch, M., "Candidate Access Router Discovery", draft-ietf-seamoby-card-protocol-08 (work in progress), September 2004. Referred to herein as [I-D.ietf-seamoby-card-protocol].
9. Loughney, J., "Context Transfer Protocol", draft-ietf-seamoby-ctp-11 (work in progress), August 2004. Referred to herein as [I-D.ietf-seamoby-ctp].
10. Aboba, B., "Extensible Authentication Protocol (EAP) Key Management Framework", draft-ietf-eap-keying-06 (work in progress), April 2005. Referred to herein as [I-D.ietf-eap-keying].
11. Forsberg, D., "Protocol for Carrying Authentication for Network Access (PANA)", draft-ietf-pana-pana-08 (work in progress), May 2005. Referred to herein as [I-D.ietf-pana-pana].
12. ITU-T, G.114, "General Characteristics of International Telephone Connections and International Telephone Circuits: One-Way Transmission Time", ITU-T Recommendation, 1998. Referred to herein as [RG98].
13. ITU-T, G.107, "The E-Model, a computational model for use in transmission planning", ITU-T Recommendation, 1998. Referred to herein as [ITU98].
14. ETSI, "Telecommunications and Internet Protocol Harmonization Over Networks (TIPHON) Release 3: End-to-end Quality of Service in TIPHON systems; Part 1: General Aspects of Quality of Service", ETSI TR 101 329-6 V2.1.1. Referred to herein as [ETSI].
15. Kivinen, T. and H. Tschofenig, "Design of the MOBIKE protocol", draft-ietf-mobike-design-02 (work in progress), February 2005. Referred to herein as [I-D.ietf-mobike-design].
16. Moskowitz, R., "Host Identity Protocol", draft-ietf-hip-base-03 (work in progress), June 2005. Referred to herein as [I-D.ietf-hip-base].
17. Almes, G., Kalidindi, S., and M. Zekauskas, "A One-way Delay Metric for IPPM", RFC 2679, September 1999. Referred to herein as [RFC2679].
18. Almes, G., Kalidindi, S., and M. Zekauskas, "A One-way Packet Loss Metric for IPPM", RFC 2680, September 1999. Referred to herein as [RFC2680].
19. Almes, G., Kalidindi, S., and M. Zekauskas, "A Round-trip Delay Metric for IPPM", RFC 2681, September 1999. Referred to herein as [RFC2681].
20. Simpson, W., "IP in IP Tunneling", RFC 1853, October 1995. Referred to herein as [RFC1853].
21. Patrick, M., "DHCP Relay Agent Information Option", RFC 3046, January 2001. Referred to herein as [RFC3046].
22. Kim, P., Volz, B., and S. Park, "Rapid Commit Option for DHCPv4", draft-ietf-dhc-rapid-commit-opt-05 (work in progress), June 2004. Referred to herein as [I-D.ietf-dhc-rapid-commit-opt].
23. Ohba, Y., "Media-Independent Pre-Authentication (MPA) Implementation Results", draft-ohba-mobopts-mpa-implementation-00 (work in progress), June 2005. Referred to herein as [I-D.ohba-mobopts-mpa-implementation].
24. Schulzrinne, H., "Application Layer Mobility Using SIP", MC2R. Referred to herein as [SIPMM].
25. Campbell, A., Gomez, J., Kim, S., Valko, A., and C. Wan, "Design, Implementation, and Evaluation of Cellular IP", IEEE Personal Communications, August 2000. Referred to herein as [CELLIP].
26. Ramjee, R., Porta, T., Thuel, S., Varadhan, K., and S. Wang, "HAWAII: A Domain-based Approach for Supporting Mobility in Wide-area Wireless Networks", International Conference on Network Protocols ICNP '99. Referred to herein as [HAWAII].
27. Das, S., Dutta, A., Misra, A., and S. Das, "IDMP: An Intra-Domain Mobility Management Protocol for Next Generation Wireless Networks", IEEE Wireless Communication Magazine, October 2000. Referred to herein as [IDMP].
28. Calhoun, P., Montenegro, G., Perkins, C., and E. Gustafsson, "Mobile IPv4 Regional Registration", draft-ietf-mobileip-reg-tunnel-09 (work in progress), July 2004. Referred to herein as [I-D.ietf-mobileip-reg-tunnel].
29. Yokota, H., Idoue, A., and T. Hasegawa, "Link Layer Assisted Mobile IP Fast Handoff Method over Wireless LAN Networks", Proceedings of ACM Mobicom 2002. Referred to herein as [YOKOTA].
30. Shin, S., "Reducing MAC Layer Handoff Latency in IEEE 802.11 Wireless LANs", MOBIWAC Workshop. Referred to herein as [MACD].
31. Dutta, A., Zhang, T., Madhani, S., Taniuchi, K., Ohba, Y., and H. Schulzrinne, "Secured Universal Mobility", WMASH 2004. Referred to herein as [SUM].
32. Dutta, A., Madhani, S., and H. Schulzrinne, "Fast Handoff Schemes for Application Layer Mobility Management", PIMRC 2004. Referred to herein as [SIPFAST].
33. Gwon, Y., Fu, G., and R. Jain, "Fast Handoffs in Wireless LAN Networks using Mobile Initiated Tunneling Handoff Protocol for IPv4 (MITHv4)", Wireless Communications and Networking 2003, January 2005. Referred to herein as [MITH].
34. Anjum, F., Das, S., Dutta, A., Fajardo, V., Madhani, S., Ohba, Y., Taniuchi, K., Yaqub, R., and T. Zhang, "A proposal for MIH function and Information Service", a contribution to IEEE 802.21 WG, January 2005. Referred to herein as [NETDISC].
35. "IEEE Wireless LAN Edition: A compilation based on IEEE Std 802.11-1999 (R2003)", Institute of Electrical and Electronics Engineers, September 2003. Referred to herein as [802.11].
36. Dutta, A., "GPS-IP based fast-handoff for Mobiles", NYMAN 2003. Referred to herein as [GPSIP].
37. Vatn, J. and G. Maguire, "The effect of using co-located care-of-address on macro handover latency", 14th Nordic Teletraffic Seminar 1998. Referred to herein as [MAGUIRE].
Summary of the invention
The present invention improves on the above and/or other background technologies and/or problems.
A method of controlling handover decisions and switch-back related switching of a mobile node between a first network and a second network in a media-independent pre-authentication framework comprises: a) providing the mobile node with a position determination module configured to provide a position determination with respect to the access points in adjacent networks; b) based at least in part on the output of the position determination module, using a location-based algorithm to avoid oscillation between the first and second networks.
In some instances, the method further comprises that the location-based algorithm is based, at least in part, on position and on cached data of the mobile node relating to previous switching actions of that mobile node. In some instances, the method further comprises that the cached data is stored in a digital data storage unit on the mobile node. In some instances, the method further comprises that the location-based algorithm includes deciding, based on data about past instances, to switch to the other of the first network and the second network, wherein the mobile node is switched to the other of the first network and the second network. In some instances, the method further comprises that the location-based algorithm includes deciding, based on data about past instances, not to switch to the other of the first network and the second network, wherein the mobile node is not switched to the other of the first network and the second network. In some instances, the method further comprises that the position determination module comprises a GPS receiver. In some instances, the method further comprises that using a location-based algorithm to avoid oscillation between the first network and the second network comprises an algorithm based at least in part on at least one non-position indicator value. In some instances, the at least one non-position indicator value comprises a signal-to-noise ratio indicator value. In some instances, the method comprises that the first network is on a first medium and the second network is on a different medium, wherein the first medium is a cellular network and the different medium is a WLAN, or the first medium is a WLAN and the different medium is a cellular network.
According to some other embodiments, in a media-independent pre-authentication framework, a method of mitigating the effects of an undesirable switch back of a mobile node between a first network and a second network comprises: a) retaining the context associated with the first network for a period of time, so that the context can be quickly restored when the mobile node returns to the first network; and b) having the mobile node use that context after returning to the first network. In some examples, the context is stored in a digital data storage unit on the mobile node and comprises data relating to security associations, IP addresses, or established tunnels. In some examples, the first network is on a first medium and the second network is on a different medium, where the first medium is a cellular network and the different medium is a WLAN, or the first medium is a WLAN and the different medium is a cellular network.
According to some other embodiments, in a media-independent pre-authentication framework, a method of mitigating the effects of an undesirable switch back of a mobile node between a previous network and a new network comprises: sending packets to both the previous network and the new network for a period of time, so as to avoid packet loss when the mobile node returns from the new network to the previous network. In some examples, the step of sending the packets comprises bicasting the packets. In some examples, the previous network is on a first medium and the new network is on a different medium, where the first medium is a cellular network and the different medium is a WLAN, or the first medium is a WLAN and the different medium is a cellular network.
The above and/or other aspects, features and/or advantages of various embodiments will be further explained in the following description with reference to the accompanying drawings. Various embodiments may include and/or exclude different aspects, features and/or advantages where applicable. In addition, various embodiments may combine one or more aspects or features of other embodiments where applicable. The description of the aspects, features and/or advantages of particular embodiments should not be construed as limiting other embodiments or the claims.
Description of drawings
Fig. 1 is a flow chart depicting a basic communication flow according to some illustrative embodiments; Fig. 2 continues this flow chart;
Fig. 2 is a flow chart depicting the continuation of the basic communication flow of the flow chart shown in Fig. 1;
Fig. 3 is a block diagram depicting the bootstrapping of link-layer security according to some illustrative embodiments; and
Fig. 4 is an architecture diagram showing exemplary sub-components of an illustrative access point and an illustrative client device or subscriber station according to some illustrative embodiments of the present invention.
Embodiment
The preferred embodiments of the present invention are shown in the accompanying drawings by way of example and not by way of limitation.
While the present invention may be embodied in many different forms, a number of illustrative embodiments are described here with the understanding that the present disclosure is to be considered as providing examples of the principles of the invention, and that these examples are not intended to limit the invention to the preferred embodiments described and/or illustrated herein.
Detailed discussion
In order to provide optimized handover for a mobile experiencing rapid subnet and domain handovers, we address several issues. These include discovering neighboring network elements, selecting the right network to connect to based on some policy, changing the layer 2 point of attachment, obtaining an IP address from a DHCP or PPP server, confirming the uniqueness of that IP address, pre-authenticating with an authentication agent such as the AAA server in a specific domain, sending binding updates to the correspondent host and obtaining the redirected streaming traffic at the new point of attachment, the ping-pong effect, and the possibility of moving to more than one network. The discussion below addresses or optimizes these issues and methods in the context of MPA-based secure proactive handover.
1. Discovery
Discovering neighboring network elements such as access points, access routers and authentication servers helps speed up the handover process while a mobile device is moving rapidly between networks. By discovering the neighbors with the desired set of coordinates, capabilities and parameters, the mobile device can perform many operations while still in the previous network, such as pre-authentication, proactive IP address acquisition, proactive address resolution, and binding update.
A mobile device has several ways of discovering neighboring networks. The Candidate Access Router Discovery protocol (see above reference [I-D.ietf-seamoby-card-protocol]) helps discover candidate access routers in neighboring networks. Given a certain network domain, the Service Location Protocol (SLP) and Domain Name Service (DNS) help provide the addresses of network components for a given set of services in the specified domain. In some cases, when a mobile device is close to a neighboring network, network-layer and higher-layer parameters can be sent via link-layer management frames such as beacons. IEEE 802.11u is considering using the link layer to discover information such as neighbor entries. However, if the link-layer management frames are encrypted by some link-layer security mechanism, the mobile node cannot obtain the needed information before a link-layer connection to the access point is established. Moreover, this adds load to the bandwidth-limited wireless medium. In such cases it is preferable to use a higher-layer protocol to obtain information about the neighboring elements. There are some proposals in the above reference [NETDISC] that help obtain such information about neighboring networks from a mobility server. When the movement of the mobile device is imminent, it begins the discovery process by querying a specific server and obtaining the required parameters, such as the IP addresses of the access points, their characteristics, the routers, and the SIP servers or authentication servers of the neighboring networks. In the case of multiple networks, it can obtain the needed parameters from more than one neighboring network and keep them in a cache. At some point the mobile device discovers several CTNs among the many possible networks and begins the pre-authentication process by communicating with the required entities in the CTNs. The details of this case are further explained in section 2 below.
2. Pre-authentication in a multiple-CTN environment
In some cases, although a mobile device decides on a particular network as the target network, it may in fact end up moving to a neighboring network other than that target network because of factors beyond the mobile device's control. Therefore, it may be useful to pre-authenticate with several possible candidate target networks and to establish time-limited tunnels with each of the target routers in those networks. Then, if the mobile device does not move to the previously determined target network but ends up in a different target network, it is not adversely affected by packet loss caused by the delay of a subsequent authentication and IP address acquisition. It can be seen that, by pre-authenticating with several candidate target networks and holding the IP addresses, the mobile device provisions resources that could otherwise be used. But since this only happens for a finite time, it is not a big problem. The mobile device uses the pre-authentication procedure to proactively obtain the IP addresses and establishes time-limited tunnels with the target access routers.
Under normal conditions, a mobile device assigns the new IP address to a virtual interface. But where it obtains multiple IP addresses from neighboring networks, it can do one of two things. It can create a single virtual interface with the IP address of the network it has decided to move to, or it can create multiple virtual interfaces using each of the IP addresses obtained from the neighboring networks. The mobile device can choose one of these addresses as the binding update address and send it to the correspondent host (CH), so that while still in the previous network it receives tunneled traffic via the target network. But in some cases the mobile device ends up moving to a network other than that target network. Then, when the mobile device moves to the new network, the traffic is interrupted because the mobile device needs to go through the process of assigning the new IP address and sending a binding update once more. Two solutions can be proposed to handle this problem. The mobile device can use simultaneous mobility bindings and send multiple binding updates to the correspondent host. The correspondent host then, for a determined period, sends traffic to the multiple IP addresses assigned to the virtual interfaces. After the mobile device has moved to the new network, the binding update is refreshed at the CH, thereby stopping the data flow to the other candidate networks. Where a particular mobility scheme does not support simultaneous bindings, forwarding the traffic from the previous target network will help handle the transient traffic until a new binding update arrives from the new network.
3. Proactive IP address acquisition
Generally speaking, a mobility management protocol works either with a Foreign Agent (FA) or in co-located address mode. Our MPA approach can use both the co-located address mode and the foreign agent address mode. We discuss the address assignment component for the co-located address mode here. There are several ways a mobile node can obtain an IP address and configure itself. Most commonly, in the absence of any configuration element such as a server or router, a mobile device can configure itself statically in the network. The IETF Zeroconf working group has defined an auto-IP mechanism, in which a mobile device configures itself in an ad hoc manner and picks a unique address from a specific range such as 169.254.x.x. In a LAN environment, the mobile device can obtain an IP address from a Dynamic Host Configuration Protocol (DHCP) server. In the case of an IPv6 network, the mobile device has the option of obtaining an IP address using stateless autoconfiguration or DHCPv6. In a wide-area network environment, the mobile device uses PPP to obtain the IP address by communicating with a Network Access Server (NAS).
Each of these processes costs from several hundred milliseconds to several seconds, depending on the type of IP address acquisition process and the operating systems of the client and server.
Since IP address acquisition is part of the handover process, it adds to the handover delay, and it is therefore desirable to reduce this time as much as possible. Several optimization techniques can be used, such as DHCP rapid commit (see, e.g., above reference [I-D.ietf-dhc-rapid-commit-opt]) and GPS-coordinate-based IP addresses (see, e.g., above reference [GPSIP]), which attempt to reduce the handover time caused by the IP address acquisition time. Yet in all these cases the mobile device still obtains the IP address after it has moved to the new subnet, and some delay still occurs because of the signaling handshake between the mobile node and the DHCP server.
In the following paragraphs we describe some ways in which a mobile node can proactively obtain an IP address from a CTN, together with the associated tunnel setup procedures. These can be broadly classified into four categories: PANA-assisted proactive IP address acquisition, IKEv2-assisted proactive IP address acquisition, proactive IP address acquisition using DHCP only, and proactive IP address acquisition using stateless autoconfiguration.
3.1 PANA-assisted proactive IP address acquisition
In the case of PANA-assisted proactive IP address acquisition, the mobile node proactively obtains an IP address from the CTN. The mobile node uses PANA messages to trigger the address acquisition process on a DHCP relay agent that is co-located with the PANA authentication agent in the access router of the CTN. After receiving the PANA message from the mobile node, the DHCP relay agent performs the normal DHCP message exchange to obtain an IP address from the DHCP server in the CTN. This address is carried in a PANA message and sent to the client. In the case of MIPv6 with stateless autoconfiguration, the router advertisement from the new target network is passed to the client as part of a PANA message. The mobile device uses this prefix and its MAC address to construct a unique IPv6 address, just as it would in the new network. Mobile IPv6 in stateful mode works very similarly to DHCPv4.
3.2 IKEv2-assisted proactive IP address acquisition
IKEv2-assisted proactive IP address acquisition works when an IPsec gateway and a DHCP relay agent are located in each access router of the CTN. In this case, the IPsec gateway and the DHCP relay agent in the CTN assist the mobile node in obtaining an IP address from the DHCP server in the CTN. The MN-AR key established in the pre-authentication phase is used as the IKEv2 pre-shared secret needed to run IKEv2 between the mobile node and the access router. The IP address from the CTN is obtained as part of the standard IKEv2 procedure by using the co-located DHCP relay agent, where the DHCP relay agent obtains the IP address from the DHCP server in the target network using standard DHCP. The obtained IP address is sent back to the IKEv2 configuration client in the IKEv2 Configuration Payload Exchange. In this case IKEv2 is also used as the tunnel management protocol for the proactive handover tunnel (see section 5 below).
3.3 Proactive IP address acquisition using DHCP only
As another alternative, DHCP can be used to proactively obtain an IP address from the CTN by allowing direct DHCP communication between the mobile node and the DHCP relay or DHCP server in the CTN, without relying on the PANA- or IKEv2-based methods. In this case, the mobile node sends a unicast DHCP message to the DHCP relay agent or DHCP server in the CTN to request an address, using the address associated with its current physical interface as the source address of the request.
When the message is sent to a DHCP relay agent, the DHCP relay agent relays the DHCP messages back and forth between the mobile node and the DHCP server. Where there is no DHCP relay agent, the mobile device can also communicate directly with the DHCP server in the target network. The broadcast option in the client's unicast discover message should be set to 0, so that the relay agent or DHCP server can reply directly to the mobile device using the mobile node's source address. With stateful configuration, this mechanism can also be used by IPv6 nodes.
To prevent a malicious node from obtaining IP addresses from the DHCP server, DHCP authentication should be used, or the access router should install a filter that blocks unicast DHCP messages sent to the remote DHCP server from mobile nodes that have not been pre-authenticated. When DHCP authentication is used, the DHCP authentication key can be derived from the MPA-SA established between the mobile node and the authentication agent of the candidate target network.
The proactively obtained IP address is not assigned to the physical interface of the mobile node until the mobile device moves to the new network. Therefore, the IP address proactively obtained from the target network should not be assigned to the physical interface but to a virtual interface of the client. Accordingly, the IP address obtained via proactive, direct DHCP communication between the mobile node and the DHCP relay or DHCP server in the CTN may carry additional information that distinguishes it from the other addresses assigned to the physical interface.
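The following Python is an added illustration of this subsection and is not code from the patent. It encodes a DHCPDISCOVER with the broadcast flag cleared (so a relay agent or server replies to the request's source address rather than broadcasting), decodes it back, and models the access-router filter that admits unicast DHCP towards the remote DHCP server only from pre-authenticated source addresses. The message layout follows RFC 2131; the class and function names, and the 192.0.2.x / 198.51.100.x addresses, are constructed for the example.

```python
import ipaddress
import struct

# Added example (not the patent's code). Minimal RFC 2131 encoder/decoder plus the
# access-router DHCP filter described in section 3.3. Addresses are constructed samples.

DHCP_MAGIC = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte header (RFC 2131 section 2)
BROADCAST_FLAG = 0x8000                     # bit 15 of the 'flags' field
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END, OPT_PAD = 53, 61, 255, 0
DHCPDISCOVER = 1
DHCP_SERVER_PORT = 67


def build_dhcp_discover(client_mac: bytes, xid: int, unicast: bool = True) -> bytes:
    """Encode a DHCPDISCOVER; unicast=True clears the broadcast flag."""
    if len(client_mac) != 6:
        raise ValueError("expected a 6-byte MAC address")
    flags = 0 if unicast else BROADCAST_FLAG
    header = struct.pack(HEADER_FMT, 1, 1, 6, 0, xid, 0, flags,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    # The client identifier (type 1 = Ethernet, then the MAC) is what the server keys
    # its binding on; the same value is reused after attaching to the target network.
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_CLIENT_ID, 7, 1]) + client_mac
    return header + DHCP_MAGIC + options + bytes([OPT_END])


def parse_dhcp(msg: bytes) -> dict:
    """Decode the fixed header and TLV options; raise ValueError for non-DHCP payloads."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HEADER_FMT, msg[:236])
    opts, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == OPT_PAD:
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "xid": f[4],
        "broadcast": bool(f[6] & BROADCAST_FLAG),
        "chaddr": f[11][:f[2]],                       # hlen bytes of the chaddr field
        "msg_type": opts[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in opts else None,
        "client_id": opts.get(OPT_CLIENT_ID),
    }


def reply_destination(parsed: dict, request_src_ip: str) -> str:
    """Where the relay agent or server sends its reply: straight back to the requester's
    source address when the broadcast flag is 0, else to the limited broadcast address."""
    return "255.255.255.255" if parsed["broadcast"] else request_src_ip


class AccessRouterDhcpFilter:
    """Filter at the CTN access router: unicast DHCP bound for the remote DHCP server is
    dropped unless the source address belongs to a pre-authenticated mobile node."""

    def __init__(self, dhcp_server_ip: str):
        self.dhcp_server = ipaddress.ip_address(dhcp_server_ip)
        self.preauthenticated = set()

    def mark_preauthenticated(self, mn_ip: str) -> None:
        # Called once MPA pre-authentication for this mobile node has succeeded.
        self.preauthenticated.add(ipaddress.ip_address(mn_ip))

    def admit(self, src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bool:
        is_dhcp_to_server = (ipaddress.ip_address(dst_ip) == self.dhcp_server
                             and dst_port == DHCP_SERVER_PORT
                             and payload[236:240] == DHCP_MAGIC)
        if not is_dhcp_to_server:
            return True      # the filter only concerns DHCP towards the protected server
        return ipaddress.ip_address(src_ip) in self.preauthenticated
```

The filter keys on the source address because that is what the unicast request carries; a deployment that uses DHCP authentication instead would check the authentication option derived from the MPA-SA rather than the address.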
3.4 Proactive IP address acquisition using stateless autoconfiguration
In the case of IPv6, network address configuration is performed using DHCPv6 or stateless autoconfiguration. To proactively obtain a new IP address, the router advertisement of the next-hop router can be sent over the established tunnel, and a new IPv6 address is generated from the prefix and the MAC address of the mobile device. This address is assigned to the virtual address of the client and sent as a binding update to the home agent or correspondent node. The router advertisement, which is normally sent on a scoped multicast address, can easily be sent to the oCoA of the mobile device. This avoids the time needed to obtain the IP address and to perform duplicate address detection.
After the mobile device enters the new network, the mobile node can perform DHCP on the physical interface to the new network, for example by using DHCP INFORM, to obtain other configuration parameters such as SIP servers and DNS servers. This does not affect the ongoing communication between the mobile device and the correspondent host. The mobile node can also perform DHCP on the physical interface to the new network to extend the lease of the address proactively obtained before entering the new network.
To maintain the DHCP binding for the mobile node, and to remember the IP address allocated before the secure proactive handover, the DHCP used for proactive IP address acquisition and the DHCP performed after the mobile node enters the target network need to use the same DHCP client identifier for the mobile node. The DHCP client identifier can be the MAC address of the mobile node or some other identifier. In the case of stateless autoconfiguration, the mobile device checks the prefix in the router advertisement seen in the new network and matches it against the prefix of the recently allocated IP address. If they are indeed the same, the mobile device need not go through the IP address acquisition phase again.
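As an added example for this subsection (not code from the patent), the Python below forms the IPv6 address from the prefix carried in the tunneled router advertisement and the MAC address (modified EUI-64 as defined in RFC 4291), holds it on a virtual interface, and on attachment compares the prefix actually advertised in the new network with the one used proactively to decide whether address acquisition must be repeated. The class name and the 2001:db8::/32 prefixes are constructed for the example.

```python
import ipaddress

# Added example (not the patent's code): SLAAC over the proactive tunnel and the prefix
# check performed on attachment, as described in section 3.4. Sample values are constructed.


def eui64_interface_id(mac: bytes) -> int:
    """Modified EUI-64: insert 0xfffe in the middle and flip the universal/local bit."""
    if len(mac) != 6:
        raise ValueError("expected a 6-byte MAC address")
    eui = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: bytes) -> ipaddress.IPv6Address:
    """Combine the /64 prefix carried in the router advertisement with the MAC-derived IID."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


class MobileNodeV6:
    """Tracks the proactively formed address (virtual interface) and the address in use
    on the physical interface after the move."""

    def __init__(self, mac: bytes):
        self.mac = mac
        self.virtual_addr = None    # formed from the tunneled RA before moving
        self.physical_addr = None   # in use after attaching to the new network

    def proactive_configure(self, tunneled_ra_prefix: str) -> ipaddress.IPv6Address:
        # The next-hop router's RA arrives over the established tunnel; the resulting
        # address goes on the virtual interface, never on the physical one, until the move.
        self.virtual_addr = slaac_address(tunneled_ra_prefix, self.mac)
        return self.virtual_addr

    def on_attach(self, observed_ra_prefix: str) -> bool:
        """Return True when address acquisition (and duplicate address detection) has to
        be repeated, i.e. when the prefix seen in the new network differs from the one
        used proactively; False when the proactive address can simply be moved over."""
        net = ipaddress.IPv6Network(observed_ra_prefix, strict=True)
        if self.virtual_addr is not None and self.virtual_addr in net:
            self.physical_addr, self.virtual_addr = self.virtual_addr, None
            return False
        # Mismatch: the node ended up in a different network, so configure afresh.
        self.physical_addr = slaac_address(observed_ra_prefix, self.mac)
        self.virtual_addr = None
        return True
```

Checking the advertised prefix against the proactively formed address is exactly the comparison the text describes; the same idea applies to the DHCP case, where the shared client identifier lets the server hand back the binding it already created.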
4. Address resolution issues
4.1 Proactive duplicate address detection
When a DHCP server assigns an IP address, it updates its lease table so that the same address is not given to another client for a specific time. At the same time, the client also keeps a local lease table so that it can renew when needed. In some cases, a network consists of both DHCP-enabled and non-DHCP-enabled clients, and an IP address from the DHCP address pool may have been used to configure another client on the LAN.
In this case, before assigning the IP address, the server performs duplicate address detection based on ARP (Address Resolution Protocol) or IPv6 neighbor discovery. This detection process may take 4 to 15 seconds (see, e.g., above reference [MAGUIRE]) and adds to the handover delay. With proactive IP address acquisition, this detection is performed in advance and therefore does not affect the handover delay at all. By performing duplicate address detection in advance we remove this factor from the handover delay.
4.2 Proactive address resolution update
During the pre-configuration process, it is also possible to learn the address resolution mappings that will be needed when the mobile node communicates with nodes in the target network after attaching to it, where those nodes may be access routers, authentication agents, configuration agents, and correspondent nodes. There are several ways of performing this proactive address resolution.
1. Use an information service mechanism (see, e.g., above reference [NETDISC]) to resolve the MAC addresses of the nodes. This may require each node in the target network to be involved with the information service, so that the information service server can construct a database for proactive address resolution.
2. Extend the authentication protocol used for pre-authentication, or the configuration protocol used for pre-configuration, to support proactive address resolution. For example, if PANA is used as the authentication protocol for pre-authentication, PANA messages can carry AVPs used for proactive address resolution. In this case, the PANA authentication agent in the target network can perform address resolution on behalf of the mobile node.
3. DNS can also be used to map the MAC address of the specific interface associated with the assigned IP address of a network element in the target network. A new DNS resource record (RR) can be defined to proactively resolve the MAC addresses of nodes in the target network. But this method has its own limitations, because a MAC address is bound to an IP address rather than directly to a domain name.
When the mobile node attaches to the target network, it can install the proactively obtained address resolution mappings without performing address resolution queries for the nodes in the target network.
On the other hand, as soon as the mobile node attaches to the target network, the nodes in the target network that communicate with the mobile node should also update their address resolution mappings for the mobile node. The proactive address resolution methods above can also be used for those nodes, so that they resolve the MAC address of the mobile node before the mobile node attaches to the target network. However, this is not practical, because those nodes would need to detect the attachment of the mobile node to the target network before adopting the proactively resolved mappings. A better approach is to combine attachment detection with the address resolution map update. This is based on gratuitous address resolution (see above references [RFC 3344] and [RFC 3775]), where, immediately after attaching to the new network, the mobile node sends an ARP (Address Resolution Protocol) request or ARP reply in the case of IPv4, or a neighbor advertisement in the case of IPv6, so that the nodes in the target network can quickly update their address resolution mappings for the mobile node.
5. Tunnel management
After proactively obtaining an IP address from the DHCP server in the CTN, a proactive handover tunnel is established between the mobile node and the access router in the CTN. The mobile node uses the obtained IP address as the tunnel inner address and, most likely, assigns that address to a virtual interface.
The proactive handover tunnel is established using a tunnel management protocol. When IKEv2 is used for proactive IP address acquisition, IKEv2 is also used as the tunnel management protocol.
Alternatively, when PANA is used for proactive IP address acquisition, PANA can be used as the secure tunnel management protocol.
Once the proactive handover tunnel is established between the mobile node and the access router in the candidate target network, the access router also needs to perform proxy address resolution on behalf of the mobile node, so that it can capture any packets destined to the new address of the mobile node.
Because the mobile device needs to be able to communicate with correspondent nodes while it is still in the previous network, binding updates are needed, and some or all of the data from the correspondent node to the mobile node must be sent back to the mobile node through the proactive handover tunnel. When Session Initiation Protocol (SIP) mobility is used as the mobility management protocol, the new address is reported to the correspondent node as the contact address using a SIP Re-INVITE. Once the SIP user agent of the correspondent node has obtained the new contact address, it sends an OK to the new contact address, which in fact belongs to the target network. Since the OK signal is directed to the new contact address, the access router in the target network captures the OK signal and sends it to the mobile device in the previous network. The final ACK message from the mobile device is received by the correspondent node. In the absence of ingress filtering, data from the mobile device to the correspondent node need not be sent through the tunnel. After the SIP Re-INVITE signaling handshake is complete, the data from the correspondent node is sent to the mobile device via the proactive handover tunnel.
After the mobile node attaches to the target network, the proactive handover tunnel needs to be deleted or disabled in order to direct traffic to the mobile node. The tunnel management protocol used to establish the tunnel is used for this purpose.
Alternatively, when PANA is used as the authentication protocol, deletion or disabling of the tunnel at the access router can be triggered by the PANA update mechanism as soon as the mobile device moves to the target network. A link-layer trigger, which ensures that the mobile node is really attached to the target network, can also be used as the trigger for deleting or disabling the tunnel.
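The access router's side of this section, as an added example that is not the patent's own code: a model of the CTN access router that answers address resolution for the mobile node's proactively obtained address while the time-limited tunnel is alive, encapsulates packets for that address towards the mobile node's current address in the previous network, and switches to direct delivery once the attachment trigger has deleted the tunnel. The class names, the encapsulation format and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example (not the patent's code): the CTN access router's handling of the
# proactive handover tunnel from section 5. All addresses and times are constructed.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class HandoverTunnel:
    inner_addr: str     # address obtained from the CTN, held on the MN's virtual interface
    outer_addr: str     # MN's current address in the previous network (tunnel endpoint)
    expires_at: int     # tunnels are established with a lifetime (section 2)


def encapsulate(outer_src: str, outer_dst: str, inner: Packet) -> Packet:
    """Toy encapsulation: the inner header is serialized in front of the payload."""
    return Packet(outer_src, outer_dst, f"{inner.src}>{inner.dst}|".encode() + inner.payload)


def decapsulate(outer: Packet) -> Packet:
    """Inverse of encapsulate(), run by the MN on the tunnel's virtual interface."""
    hdr, _, payload = outer.payload.partition(b"|")
    src, _, dst = hdr.decode().partition(">")
    return Packet(src, dst, payload)


class CtnAccessRouter:
    def __init__(self, router_ip: str):
        self.router_ip = router_ip
        self.tunnels: Dict[str, HandoverTunnel] = {}
        self.attached: set = set()      # MN addresses now present on the local link

    def establish_tunnel(self, inner_addr: str, outer_addr: str, now: int, lifetime: int) -> None:
        self.tunnels[inner_addr] = HandoverTunnel(inner_addr, outer_addr, now + lifetime)

    def answers_arp_for(self, target_ip: str, now: int) -> bool:
        """Proxy address resolution: claim the MN's new address while the tunnel is alive
        so that packets for it are delivered to the router and can be tunneled."""
        t = self.tunnels.get(target_ip)
        return t is not None and now < t.expires_at

    def forward(self, pkt: Packet, now: int) -> Tuple[str, Optional[str], Packet]:
        """Return (action, next_hop, packet): 'tunnel' towards the previous network,
        'direct' when the MN is on the local link, or 'drop'."""
        if pkt.dst in self.attached:
            return ("direct", pkt.dst, pkt)
        t = self.tunnels.get(pkt.dst)
        if t is None:
            return ("drop", None, pkt)
        if now >= t.expires_at:
            del self.tunnels[pkt.dst]       # time-limited tunnel has expired
            return ("drop", None, pkt)
        return ("tunnel", t.outer_addr, encapsulate(self.router_ip, t.outer_addr, pkt))

    def on_attach(self, inner_addr: str) -> bool:
        """Link-layer trigger or PANA update: delete the tunnel, deliver directly from now on.
        Returns whether a tunnel existed for this address."""
        existed = self.tunnels.pop(inner_addr, None) is not None
        self.attached.add(inner_addr)
        return existed
```

The expiry check in forward() is what keeps a stale pre-authentication from leaving the router answering ARP for an address the mobile node never took over; the lifetime should match the validity the tunnel management protocol (IKEv2 or PANA) negotiated.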
6. Binding update
There are several types of binding update mechanisms for the different mobility management schemes. In some cases, such as Mobile IPv4 without RO, the binding update is sent only to the home agent (HA), while in the case of Mobile IPv6 the binding update is sent to the home agent and the correspondent host. In the case of SIP-based terminal mobility, the mobile device uses a Re-INVITE to send the binding update to the correspondent node and sends a registration message to the registrar. Depending on the distance between the mobile device and the correspondent node, the binding update may contribute to the handover delay. SIP fast handover (see, e.g., [SIPFAST]) provides several ways to reduce the handover delay caused by binding updates. In the case of secure proactive handover with SIP-based mobility management, we eliminate the delay caused by the binding update entirely, since it takes place in the previous network. This scheme is therefore more attractive when the correspondent node is far away from the communicating mobile node.
7. Preventing packet loss
In the MPA case we do not observe any packet loss caused by IP address acquisition, security authentication or binding update. However, before the mobile node can attach to the target network, there may be some transient packets directed to the mobile node during the link-layer handover. These transient packets may be lost.
Bicasting or buffering the transient packets at the access router can be used to minimize or eliminate packet loss. However, bicasting cannot eliminate packet loss unless the link-layer handover is performed seamlessly. On the other hand, buffering does not reduce packet delay. Although packet delay can be compensated by playout buffering at the receiver side for streaming applications, playout buffering is not of much help for interactive VoIP, which cannot tolerate large delay jitter. Therefore, optimizing the link-layer handover is still very important in any case.
In addition, the MN can also make sure that the new point of attachment is reachable before switching from the old point of attachment. This can be done by exchanging link-layer management frames with the new point of attachment. This reachability check should be performed as early as possible. To prevent packet loss during the reachability check, packet transmission on the link between the MN and the old point of attachment should be suspended during the check, with packets buffered at both ends of the link. This buffering can be performed in various ways, as can be understood from the present document.
8. Considerations on handover failure and switch back
The ping-pong effect is one of the common problems encountered in handover situations. Such a ping-pong effect occurs when a mobile device is at the boundary of a cell or at a decision point and performs the handover process frequently.
In particular, this causes a higher probability of dropped calls, lower connection quality, increased signaling traffic and wasted resources, all of which affect mobility optimization. The handoff algorithm is the decisive factor for handover between the networks. Usually these algorithms use thresholds to compare the values of different metrics in order to make the handover decision. The metrics include signal strength, path loss, carrier-to-interference ratio (CIR), signal-to-interference ratio (SIR), bit error rate (BER), power budget, and so on.
To avoid the ping-pong effect, the decision algorithm uses some other parameters, such as a hysteresis margin, a dwell timer and an averaging window. For high-speed mobile vehicles, other parameters may also be considered to reduce the ping-pong effect, such as the distance between the mobile host (MH) and the point of attachment, the speed of the mobile device, the position of the mobile device, traffic and bandwidth characteristics, and so on.
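As an added example (not code from the patent), the Python below runs a handover decision loop over a constructed signal-strength trace with the three countermeasures just named: an averaging window over the measurement, a hysteresis margin the candidate must exceed the serving network by, and a dwell timer (counted here in samples) during which the candidate must stay better. Running the same trace with the countermeasures disabled shows how many ping-pong handovers they remove. The class, the network names and the RSSI values are constructed for the example.

```python
from collections import deque
from typing import Dict, List, Tuple

# Added example (not the patent's code): hysteresis margin, dwell timer and averaging
# window applied to a constructed RSSI trace of a node sitting at a cell border.


class HandoffDecider:
    def __init__(self, hysteresis_db: float = 4.0, dwell_samples: int = 3, window: int = 4):
        self.hysteresis = hysteresis_db
        self.dwell = dwell_samples
        self.window = window
        self.history: Dict[str, deque] = {}          # per-network sliding window
        self.serving = None
        self.candidate = None
        self.candidate_count = 0
        self.handovers: List[Tuple[int, str, str]] = []   # (sample index, from, to)

    def _average(self, net: str) -> float:
        h = self.history[net]
        return sum(h) / len(h)

    def update(self, t: int, measurements: Dict[str, float]) -> str:
        """Feed one sample per network (e.g. RSSI in dBm) and return the serving network."""
        for net, value in measurements.items():
            self.history.setdefault(net, deque(maxlen=self.window)).append(value)
        best = max(self.history, key=self._average)
        if self.serving is None:                     # initial attachment, not a handover
            self.serving = best
            return best
        margin = self._average(best) - self._average(self.serving)
        if best != self.serving and margin >= self.hysteresis:
            if best == self.candidate:
                self.candidate_count += 1            # candidate still better: dwell continues
            else:
                self.candidate, self.candidate_count = best, 1
            if self.candidate_count >= self.dwell:   # dwell timer satisfied: hand over
                self.handovers.append((t, self.serving, best))
                self.serving, self.candidate, self.candidate_count = best, None, 0
        else:
            self.candidate, self.candidate_count = None, 0   # fell back below the margin
        return self.serving


# Constructed trace: steady cellular signal, WLAN signal fluctuating around it before
# clearly improving.
CELLULAR_RSSI = [-70] * 16
WLAN_RSSI = [-75, -68, -72, -67, -73, -66, -74, -65, -60, -58, -57, -59, -56, -58, -57, -56]


def run_trace(decider: HandoffDecider) -> List[Tuple[int, str, str]]:
    for t, (c, w) in enumerate(zip(CELLULAR_RSSI, WLAN_RSSI)):
        decider.update(t, {"cellular": c, "wlan": w})
    return decider.handovers


if __name__ == "__main__":
    naive = run_trace(HandoffDecider(hysteresis_db=0.0, dwell_samples=1, window=1))
    robust = run_trace(HandoffDecider())
    print("handovers without countermeasures:", len(naive))
    print("handovers with hysteresis, dwell and averaging:", robust)
```

With the countermeasures disabled the node bounces between the two networks on every crossing of the curves; with them enabled it hands over once, only after the WLAN has stayed clearly better for the whole dwell period. In a real decider the dwell would be a timer rather than a sample count, and the other metrics listed above (path loss, CIR, SIR, BER) would feed the same comparison.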
Recently, some other handoff algorithms is arranged, it helps to reduce described ping-pong in the environment of heterogeneous network, and it is based on such as technology such as hypothesis testing, Dynamic Programming and mode identification technologys.Though realize that handoff algorithms is very important to reduce described ping-pong, and realize that the method for recovering in the effect from then on is also very important.
In the case of the MPA framework, ping-pong causes the mobile device to move back and forth between the current network and the target network, and between candidate target networks. Because of the tunnels that have to be established, the number of binding updates and the associated handover latency, MPA in its current form is affected by this. Since ping-pong is tied to the handover rate, it also causes delay and packet loss.
In some embodiments, several algorithms are proposed whose execution helps reduce the likelihood of ping-pong. In addition, several methods are presented for the MPA framework that can recover the packets lost because of ping-pong.
In some embodiments, the MPA framework can use the Global Positioning System (GPS) to exploit the geographic position of the mobile device relative to the APs in neighboring networks. An illustrative GPS system comprises a constellation of satellites orbiting the earth and allows a GPS receiver to measure its geographic position precisely. To avoid oscillation between networks, a location-based intelligent algorithm can be obtained by correlating the user's location with cached data from previous handover attempts. In some cases, position alone may not be a sufficient indicator for the handover decision. For example, in a Manhattan-type network, a mobile device may be close to an AP and still not have enough signal-to-noise ratio (SNR) for a good connection. Mobility patterns and path recognition may therefore help avoid ping-pong.
Where a good handoff algorithm that avoids ping-pong is not available, a good recovery mechanism may be needed to mitigate it. The context already established may be retained in the current network for a period of time, so that when the mobile device returns to the network where that context was last used, fast recovery is possible. This context can include security associations, the IP address in use, established tunnels and so on. In the case of moving back and forth between networks, multicasting data to both the previous and the new network for a predefined period also helps to handle packets lost at the mobile device. The mobile device should be able to determine whether, with respect to the ping-pong situation, it is in a stable state.
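The recovery mechanism just described has three parts: a per-network context that outlives the departure from that network, a stability decision based on the recent handover rate, and bicasting to the previous and new network while the node is unstable. The following is an added example, not code from the patent, that puts the three together; the context fields, the timeouts and the scenario are assumptions, and `pre_authenticate` stands in for a run of MPA pre-authentication with the named network.

```python
"""Recovery from ping-pong in the MPA framework: keep the departed network's
context (security association, IP address, tunnel) for a while, restore it
on return instead of re-running pre-authentication, and bicast to the old
and new network while the mobile node is judged unstable.  Added example,
not code from the patent; the context fields, thresholds and scenario are
assumptions."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple


@dataclass
class NetContext:
    """Context the patent lists as worth retaining for one network."""
    security_association: bytes
    ip_address: str
    tunnel_id: int


class PingPongRecovery:
    def __init__(self, context_ttl=30.0, max_handovers=3, window=10.0, bicast_period=5.0):
        self.context_ttl = context_ttl        # seconds a departed network's context is kept
        self.max_handovers = max_handovers    # more than this inside `window` => unstable
        self.window = window                  # seconds
        self.bicast_period = bicast_period    # seconds of bicast after an unstable handover
        self.current: Optional[str] = None
        self._previous: Optional[str] = None
        self._ctx: Optional[NetContext] = None
        self._cache: Dict[str, Tuple[float, NetContext]] = {}   # net -> (expiry, context)
        self._times: Deque[float] = deque()                      # recent handover instants
        self._bicast_until = 0.0

    def attach(self, net: str, now: float,
               pre_authenticate: Callable[[str], NetContext]) -> Tuple[NetContext, bool]:
        """Move to `net`.  Returns (context, restored_from_cache)."""
        previous = self.current
        moved = previous is not None and previous != net
        if moved:
            # keep the departed network's context alive for context_ttl seconds
            self._cache[previous] = (now + self.context_ttl, self._ctx)
            self._previous = previous
        entry = self._cache.pop(net, None)
        if entry is not None and entry[0] >= now:
            ctx, restored = entry[1], True          # fast recovery, no new pre-authentication
        else:
            ctx, restored = pre_authenticate(net), False
        self._ctx, self.current = ctx, net
        if moved:
            self._times.append(now)
            while self._times and self._times[0] < now - self.window:
                self._times.popleft()
            if not self.is_stable():
                self._bicast_until = now + self.bicast_period
        return ctx, restored

    def is_stable(self) -> bool:
        """Stable unless the handover rate inside the window is excessive."""
        return len(self._times) <= self.max_handovers

    def destinations(self, now: float) -> List[str]:
        """Networks the correspondent side should currently send the MN's packets to."""
        if self._previous is not None and now < self._bicast_until:
            return [self.current, self._previous]
        return [self.current]


if __name__ == "__main__":
    calls = []

    def pre_auth(net):                        # stands in for MPA pre-authentication
        calls.append(net)
        return NetContext(b"\x00" * 32, "10.0.%d.7" % len(calls), len(calls))

    r = PingPongRecovery()
    for t, net in [(0, "cell"), (2, "wlan"), (4, "cell"), (5, "wlan"), (6, "cell")]:
        _, restored = r.attach(net, t, pre_auth)
        print(t, net, "restored" if restored else "pre-authenticated", r.destinations(t))
```

In the constructed scenario the node bounces between a cellular and a WLAN network every one to two seconds: only the first attachment to each network triggers pre-authentication, the fourth handover inside the ten-second window flips the node to unstable, and for the next five seconds `destinations()` lists both networks so the correspondent side can bicast. Once the cached context expires, a return to that network pays the full pre-authentication cost again.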
9. Link-layer security and mobility
Using the MPA-SA established between the mobile node and the authentication agent in the CTN during the pre-authentication phase, link-layer security in the CTN can be bootstrapped as follows while the mobile node is still in the current network.
1. The authentication agent in the CTN and the mobile node derive a PMK (Pairwise Master Key) (see [I-D.ietf-eap-keying] above) using the MPA-SA, where the MPA-SA itself is the result of successful pre-authentication. EAP and AAA protocols may be involved in establishing the MPA-SA during pre-authentication. From the PMK, a distinct TSK (Transient Session Key) (see [I-D.ietf-eap-keying] above) is derived for the mobile node, directly or indirectly, for each attachment point in the CTN.
2. The authentication agent may install the keys derived from the PMK that are used for the security associations with the attachment points. The installed key may be the TSK itself or an intermediate key from which the TSK is derived.
3. After the mobile node selects the CTN as the target network and switches to an attachment point in the target network (which has now become the new network for the mobile node), it uses the PMK to run a security association protocol such as the IEEE 802.11i 4-way handshake [802.11i] to establish a PTK (Pairwise Transient Key) and a GTK (Group Transient Key) (see [I-D.ietf-eap-keying] above), which are used to protect link-layer packets between the mobile node and the attachment point. No additional EAP authentication is needed at this point.
4. When the mobile node roams within the new network, it only needs to run the security association protocol with its attachment point, again without additional EAP authentication. In this way link-layer handover optimization mechanisms such as 802.11r can be integrated with MPA.
The mobile node may need to know the link-layer identities of the attachment points in the CTN in order to derive the TSKs. If PANA is used as the authentication protocol for pre-authentication, this can be achieved by carrying Device-Id AVPs in the PANA-Bind-Request message sent from the PAA (see [I-D.ietf-pana-pana] above), each attribute-value pair (AVP) containing the BSSID (Basic Service Set Identifier) of a different access point.
Figure 3 shows schematically the bootstrapping of link-layer security according to some illustrative embodiments.
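The key hierarchy of steps 1 to 3 can be made concrete. The following is an added example, not code from the patent: a PMK is derived for one candidate target network from the MPA-SA key, and the mobile node and an attachment point then derive a PTK from that PMK with the IEEE 802.11i 4-way-handshake PRF, which binds the transient keys to the BSSID of the attachment point and to both sides' nonces. The step from the MPA-SA to the PMK (an HKDF-style extract/expand over SHA-256 with made-up labels) is an assumption; the patent does not specify it. The PTK derivation and the MIC with the KCK follow IEEE 802.11i-2004; the EAPOL-Key body is a constructed stand-in for the real frame.

```python
"""Bootstrapping the link-layer key hierarchy from the MPA-SA: one PMK per
candidate target network, then the IEEE 802.11i 4-way-handshake PTK
derivation, which binds the transient keys to the BSSID of the attachment
point.  Added example, not code from the patent.  The step from the MPA-SA
to the PMK (HKDF-style extract/expand over SHA-256 with made-up labels)
is an assumption; the PTK derivation follows the PRF-384 construction of
IEEE 802.11i-2004."""
import hashlib
import hmac
from typing import Dict


def derive_pmk(mpa_sa_key: bytes, ctn_id: bytes) -> bytes:
    """PMK for one CTN, derived from the MPA-SA key (assumed construction)."""
    prk = hmac.new(b"MPA-PMK-salt", mpa_sa_key, hashlib.sha256).digest()          # extract
    return hmac.new(prk, b"MPA PMK|" + ctn_id + b"\x01", hashlib.sha256).digest()  # expand


def prf_80211i(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    AA is the authenticator address (BSSID), SPA the supplicant (mobile node) address."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_80211i(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}   # CCMP split


def eapol_mic(kck: bytes, eapol_key_body: bytes) -> bytes:
    """Key MIC with the KCK (key descriptor version 2: HMAC-SHA1-128)."""
    return hmac.new(kck, eapol_key_body, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_mn: bytes, pmk_ap: bytes, bssid: bytes, mn_mac: bytes,
                       anonce: bytes, snonce: bytes):
    """Both sides derive the PTK from their PMK; the AP accepts the keys only if
    the MIC on the supplicant's message 2 verifies.  Returns (ok, ptk_mn)."""
    ptk_mn = derive_ptk(pmk_mn, bssid, mn_mac, anonce, snonce)
    ptk_ap = derive_ptk(pmk_ap, bssid, mn_mac, anonce, snonce)
    msg2 = b"EAPOL-Key(msg2)|" + snonce          # constructed body; real frames carry more
    mic = eapol_mic(ptk_mn["KCK"], msg2)
    ok = hmac.compare_digest(mic, eapol_mic(ptk_ap["KCK"], msg2))
    return ok, ptk_mn


if __name__ == "__main__":
    # Constructed inputs: MPA-SA key from pre-authentication, two APs in the CTN.
    sa_key = bytes(range(32))
    pmk = derive_pmk(sa_key, b"ctn-1")
    ap1 = bytes.fromhex("001122334455")
    ap2 = bytes.fromhex("001122334466")
    mn = bytes.fromhex("aabbccddeeff")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ok, ptk = four_way_handshake(pmk, pmk, ap1, mn, anonce, snonce)
    print("handshake ok:", ok, "TK:", ptk["TK"].hex())
    print("TK differs per BSSID:", derive_ptk(pmk, ap2, mn, anonce, snonce)["TK"] != ptk["TK"])
```

Two properties matter for the MPA use case and both fall out of the construction: the same PMK yields a different PTK for each BSSID, which is why the mobile node needs the BSSIDs from the Device-Id AVPs ahead of time, and an attachment point holding a PMK for a different CTN fails the MIC check on message 2, so a pre-authentication with the wrong network cannot be silently accepted.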
10. Authentication during initial network attachment
When the mobile node initially attaches to a network, network access authentication takes place regardless of whether MPA is used. When MPA is used for handover optimization, the protocol used for network access authentication can be a link-layer network access authentication protocol such as IEEE 802.1X, or a higher-layer network access authentication protocol such as PANA.
11. Security considerations
This document describes a framework for secure handover optimization mechanisms based on handover-related signaling between a mobile node and one or more candidate target networks to which the mobile node may move in the future. The framework involves obtaining resources from a CTN before the mobile node is physically attached to it, and redirecting the mobile node's packets from the CTN to the current network.
To prevent unauthorized mobile nodes from obtaining these resources, obtaining resources from a candidate target network must be accompanied by appropriate authentication and authorization. It is therefore essential that the MPA framework can perform pre-authentication between the mobile node and the candidate target network. The MN-CA key and the MN-AR key generated as a result of successful pre-authentication can protect the subsequent handover signaling packets and data packets exchanged between the mobile node and the MPA functional elements in the CTN.
The MPA framework also addresses the security issues that arise when a handover crosses multiple administrative domains. With MPA, handover signaling can be performed by direct communication between the mobile node and the routers or mobility agents in the candidate target network. This eliminates the need for a context transfer protocol, which has known limitations in terms of security (see [I-D.ietf-eap-keying] above). For this reason the MPA framework does not require trust relationships between administrative domains or between access routers, which makes the framework easier to deploy on the Internet without compromising security in the mobile environment.
Broad scope of the invention:
Although illustrative embodiments of the invention have been described herein, the invention is not limited to the various preferred embodiments described here, but includes any and all embodiments having equivalent elements, modifications, omissions, combinations (for example, of aspects across various embodiments), adaptations and/or alterations, as would be appreciated by those skilled in the art based on this disclosure. The limitations in the claims are to be interpreted broadly based on the language employed in the claims (including language added later) and are not limited to the examples described in this specification or during the prosecution of the application, which examples are to be construed as non-exclusive. For example, in this disclosure the term "preferably" is non-exclusive and means "preferably, but not limited to". In this disclosure and during the prosecution of this application, means-plus-function or step-plus-function limitations will only be employed where, for a specific claim limitation, all of the following conditions are present in that limitation: a) "means for" or "step for" is expressly recited; b) a corresponding function is expressly recited; and c) structure, material or acts that support that structure are not recited. In this disclosure and during the prosecution of this application, the terminology "present invention" or "invention" may be used as a reference to one or more aspects within the disclosure. The language "present invention" or "invention" should not be improperly interpreted as an identification of criticality, should not be improperly interpreted as applying across all aspects or embodiments (i.e., it should be understood that the present invention has a number of aspects and embodiments), and should not be improperly interpreted as limiting the scope of the application or claims. In this disclosure and during the prosecution of this application, the terminology "embodiment" can be used to describe any aspect, feature, process or step, any combination thereof, and/or any portion thereof, etc. In some examples, various embodiments may include overlapping features. In this disclosure, the following abbreviated terminology may be employed: "e.g.", which means "for example".

Claims (20)

1. A method of controlling handover-related ping-pong of a mobile node between a first network and a second network in a media-independent pre-authentication framework, comprising the steps of:
A) providing the mobile node with a position determination module configured to provide a position determination relative to access points in neighboring networks;
B) based at least in part on the output of the position determination module, using a location-based algorithm to avoid oscillation between the first and second networks.
2. The method according to claim 1, wherein the location-based algorithm is based, at least in part, on a correlation between the position and data cached by the mobile node relating to previous handover actions of the mobile node.
3. The method according to claim 2, wherein the cached data is stored in a digital data store on the mobile node.
4. The method according to claim 2, wherein the location-based algorithm includes, based on data about past instances, proceeding with a handover to the other of the first network and the second network, whereby the mobile node is handed over to that other network.
5. The method according to claim 2, wherein the location-based algorithm includes, based on data about past instances, not proceeding with a handover to the other of the first network and the second network, whereby the mobile node is not handed over to that other network.
6. The method according to claim 1, wherein the position determination module comprises a GPS receiver.
7. The method according to claim 1, wherein using the location-based algorithm to avoid oscillation between the first network and the second network comprises basing the algorithm at least in part on at least one non-position indicator value.
8. The method according to claim 7, wherein the at least one non-position indicator value comprises a signal-to-noise ratio indicator value.
9. The method according to claim 1, wherein the algorithm is executed by programming within the mobile node.
10. The method according to claim 1, wherein the algorithm is executed at least in part by programming external to the mobile node.
11. The method according to claim 1, further comprising: performing pre-authentication using a link-layer-agnostic network access authentication protocol between the mobile node and an authentication agent in the second network.
12. The method according to claim 1, further comprising: performing pre-authentication across multiple administrative domains.
13. The method according to claim 1, wherein the first network is on a first medium and the second network is on a different medium, wherein the first medium is a cellular network and the different medium is a WLAN, or the first medium is a WLAN and the different medium is a cellular network.
14. The method according to claim 2, further employing PANA as the network access authentication protocol.
15. A method of mitigating the effect of undesired handover ping-pong of a mobile node between a first network and a second network in a media-independent pre-authentication framework, comprising the steps of:
A) retaining a context associated with the first network for a period of time, so that the context can be restored quickly when the mobile node returns to the first network;
B) having the mobile node use that context after returning to the first network.
16. The method according to claim 15, wherein the context is stored in a digital data store on the mobile node and comprises data relating to a security association, an IP address or an established tunnel.
17. The method according to claim 15, wherein the first network is on a first medium and the second network is on a different medium, wherein the first medium is a cellular network and the different medium is a WLAN, or the first medium is a WLAN and the different medium is a cellular network.
18. A method of mitigating the effect of undesired handover ping-pong of a mobile node between a previous network and a new network in a media-independent pre-authentication framework, comprising the step of: sending packets to both the previous network and the new network for a period of time, thereby avoiding packet loss at the mobile node when it returns from the new network to the previous network.
19. The method according to claim 18, wherein the step of sending packets comprises multicasting the packets.
20. The method according to claim 18, wherein the previous network is on a first medium and the new network is on a different medium, wherein the first medium is a cellular network and the different medium is a WLAN, or the first medium is a WLAN and the different medium is a cellular network.
CNA2006800006158A 2005-07-14 2006-07-13 Framework of media-independent pre-authentication improvements Pending CN101288273A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410143405.0A CN103906162B (en) 2005-07-14 2006-07-13 Independently of the improved frame of pre-authentication of medium

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US69894905P 2005-07-14 2005-07-14
US60/698949 2005-07-14
US11/279856 2006-04-14

Related Child Applications (3)

Application Number Title Priority Date Filing Date
CN201410143405.0A Division CN103906162B (en) 2005-07-14 2006-07-13 Independently of the improved frame of pre-authentication of medium
CN2011100030342A Division CN102065507A (en) 2005-07-14 2006-07-13 Framework of media-independent pre-authentication improvements
CN2011103346366A Division CN102395129A (en) 2005-07-14 2006-07-13 Framework of media-independent pre-authentication support for pana

Publications (1)

Publication Number Publication Date
CN101288273A true CN101288273A (en) 2008-10-15

Family

ID=40059386

Family Applications (3)

Application Number Title Priority Date Filing Date
CN2011103346366A Pending CN102395129A (en) 2005-07-14 2006-07-13 Framework of media-independent pre-authentication support for pana
CNA2006800006158A Pending CN101288273A (en) 2005-07-14 2006-07-13 Framework of media-independent pre-authentication improvements
CN2011100030342A Pending CN102065507A (en) 2005-07-14 2006-07-13 Framework of media-independent pre-authentication improvements

Country Status (2)

Country Link
JP (3) JP4745344B2 (en)
CN (3) CN102395129A (en)

Also Published As

Publication number Publication date
JP5232887B2 (en) 2013-07-10
JP2011172240A (en) 2011-09-01
CN102065507A (en) 2011-05-18
JP2011172241A (en) 2011-09-01
CN102395129A (en) 2012-03-28
JP5641986B2 (en) 2014-12-17
JP2008517516A (en) 2008-05-22
JP4745344B2 (en) 2011-08-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20081015