CN102088463B - Method and system for controlling mobility of communication network, and related network and computer program product - Google Patents

Publication number
CN102088463B
Authority
CN
China
Prior art keywords
origin agent
origin
portable terminal
agent
address
Legal status
Active
Application number
CN2011100282220A
Other languages
Chinese (zh)
Other versions
CN102088463A (en
Inventor
杰拉尔多·吉阿里塔
伊万诺·古阿迪尼
Current Assignee
Telecom Italia SpA
Original Assignee
Telecom Italia SpA
Application filed by Telecom Italia SpA
Priority to CN2011100282220A
Publication of CN102088463A
Priority to HK11112652.1A (HK1158410A1)
Application granted
Publication of CN102088463B

Abstract

The invention relates to a method and a system for controlling mobility in a communication network, and to a related network and computer program product. A communication network, such as a mobile IP network (30), comprises at least one mobile terminal (10) and a plurality of home agents (70), the home agents being suitable for providing communication services to the mobile terminal (10) during a work session. An authentication, authorization and accounting (AAA) platform (90) is arranged in the network (30) and is configured to identify, among the plurality of home agents (70), the home agent (70) serving the at least one mobile terminal (10) in a selective and changing manner within a single work session.

Description

Method and system for controlling mobility in a communication network, and related network and computer program product
This application is a divisional application of the invention patent application No. 200480044311.2, filed on September 30, 2004 and entitled "Method and system for controlling mobility in a communication network, and related network and computer program product".
Technical field
The present invention relates to techniques for managing traffic in telecommunication networks.
The invention was developed with particular attention to its possible use in mobile networks based on IP (Internet Protocol) or, more precisely, in networks that use the Mobile IP protocol to manage terminal mobility.
In any case, the reference to this specific application must not be construed as limiting the scope of the invention.
Background art
An IP mobile network identifies a scenario in which a mobile user moves within the network and generates traffic that is routed through the network towards the nodes (correspondent nodes) with which the user communicates.
While moving, the user may change the access network (subnet) through which IP services are used. This operation must be transparent to the user, who should be able to continue communicating with the correspondent nodes without interruption.
The traditional protocols of IP networks, by their nature, cannot manage IP terminals that move within the network. To overcome this shortcoming, the IETF (Internet Engineering Task Force) standardized the Mobile IPv6 protocol, which allows IPv6 mobile terminals to change their point of attachment to the network transparently with respect to applications.
The Mobile IPv6 protocol is specified in the document rfc3775. This is the first of several references in this description to draft- or rfc-type standards or specifications: before the filing date of this application, the relevant information was publicly available on the IETF website at http://www.ietf.org or in the online database http://www.watersprings.org.
With the Mobile IPv6 protocol, two IP addresses are assigned to a mobile node. The first is its home address (HoA): this address never changes and is used to uniquely identify the node (also referred to below as mobile node or terminal). The second is the so-called care-of address (CoA): this address identifies the actual location of the mobile terminal within the visited subnet and changes whenever the terminal moves from one subnet to another.
Each movement that implies a change of visited IP subnet forces the mobile terminal to register its care-of address with a server, called the home agent (HA), located in its provider's network (also called the "home network"). Any other IP terminal that attempts to communicate with the mobile node contacts it using the home address. Through conventional IP routing, the traffic sent reaches the HA, which redirects it to the actual location of the mobile node, identified by the care-of address. In this way all traffic destined for the mobile node is delivered by the home agent to the user's current address, i.e. the care-of address. Traffic can therefore always reach the mobile node, regardless of the point of the network to which it is attached.
Fig. 1 illustrates a general scenario in which the Mobile IPv6 protocol is used in an IP network that includes mobile nodes.
Specifically, in Fig. 1 a mobile node 10 can use a series of access points 20, which allow it to establish a connection with its provider's network 30 and, more specifically, to open a communication session, denoted 40, through a particular server 50 called the home agent. In the example illustrated, the communication session 40 involves receiving data traffic from a correspondent node denoted 15. The movement of the mobile node 10 within the IP network is represented by the arrow 60. The home agent 50 ensures that traffic generated by the correspondent node 15 reaches the mobile node 10, whatever its current point of attachment.
The placement and load level of the home agent 50 greatly affect the performance experienced by the mobile terminal, because they affect both the delay with which the mobile node receives data traffic and the duration of the temporary loss of connectivity that occurs after each move from one access point to another (handover latency).
According to [ref. draft-giaretta-mip6-authorization-eap-00], it is known that, for example when the mobile terminal is switched on, the home agent able to provide the best performance can be dynamically assigned to it, i.e. a home agent that has sufficient processing resources available and is located as close as possible, in terms of IP hops, to the mobile terminal's point of attachment.
Over time, however, the home agent initially assigned according to these criteria may no longer be able to provide a service of adequate quality. This may occur, for example, in the following cases:
- after successive movements of the mobile terminal, the home agent may end up far from the terminal's current point of attachment; this significantly increases the handover latency and the propagation delay of traffic towards its destination;
- when the traffic generated by the mobile terminals in the network changes, the home agent may become congested and, as a result, unable to manage all the mobile terminals attached to it.
To address this problem, an arrangement called the inter home agents protocol (HAHA) [ref. draft-wakikawa-mip6-nemo-haha-01] is known; it allows a mobile node to change the home agent it uses at any time, so that it is always served by the device able to guarantee the best performance.
The architecture on which the inter home agents protocol solution is based, illustrated in Fig. 2, provides for the mobile node 10 to be served by a group of home agents 70 deployed in the network of the operator 30, rather than by a single home agent 50 (as in the case illustrated in Fig. 1). All home agents 70 belonging to the same group periodically exchange signalling messages to synchronize information on the location (i.e. home address and care-of address) of the mobile nodes present in the network.
Thanks to this synchronization procedure, the mobile node 10 sees the home agents belonging to the same group as a single "virtual" home agent 80. This means that the mobile node 10 can move from one home agent to another without modifying its own home address, i.e. with minimal impact on ongoing communications.
This approach has limitations, however, that may make it difficult to apply, especially in large networks (for example a large provider/operator with many home agents):
- each home agent must be manually configured with the addresses of all other home agents belonging to the same group [ref. draft-wakikawa-mip6-nemo-haha-01, page 17]. This complicates service management and provisioning, especially when the number of home agents in the network is large;
- for the mobile node to keep the same home address regardless of the home agent used at any given time, the home agents belonging to the same group must exchange a large number of signalling messages in peer-to-peer fashion, which is necessary to synchronize the binding tables between home addresses and care-of addresses. This limits the scalability of the arrangement, increases the waste of resources on network links (for example bandwidth) and increases the computational load on the home agents.
For completeness, the background documents cited as references are listed below. Most of them are IETF standards and/or working documents.
- Mobility Support in IPv6 (rfc3775);
- IP Mobility Support for IPv4 (rfc3344);
- IPv6 Stateless Address Autoconfiguration (rfc2462);
- Diameter Base Protocol (rfc3588);
- The Internet Key Exchange (rfc2409);
- Internet Key Exchange (IKEv2) Protocol (draft-ietf-ipsec-ikev2-15);
- Extensible Authentication Protocol (rfc3748);
- EAP Key Management Framework (draft-ietf-eap-keying-03);
- MIPv6 Authorization and Configuration based on EAP (draft-giaretta-mip6-authorization-eap-00);
- Authentication Protocol for Mobile IPv6 (draft-ietf-mip6-auth-protocol-00).
Summary of the invention
From the foregoing description of the current situation, it follows that there is a need to define a technique that allows the home agent used by a mobile terminal to be modified in real time with minimal impact on ongoing communications.
The object of the invention is to satisfy this need. In particular, the invention addresses the problem of providing a solution that does not have the critical points of the inter home agents protocol and that allows the mobile terminal always to be served by the home agent able to provide the best performance, without causing any interruption of the user's service.
According to the present invention, this object is achieved by means of a method having the features set out in the claims that follow. The invention also relates to a corresponding system, to a network including such a system, and to a computer program product that can be loaded into the memory of at least one computer and includes software code portions for performing the method. As used herein, reference to such a computer program product is intended to be equivalent to reference to a processor-readable medium containing instructions for controlling a computer system to coordinate the performance of the method according to the invention. Reference to "at least one computer" is intended to highlight the possibility of implementing the invention in a distributed and/or modular fashion.
A currently preferred embodiment of the invention provides communication services to at least one mobile terminal in a communication network that includes a plurality of home agents, the mobile terminal being served by a home agent identified among that plurality. Service is provided to the mobile terminal during a work session by:
- providing an authentication, authorization and accounting (AAA) platform in the communication network; and
- identifying, through the AAA platform, the home agent that serves the mobile terminal among the plurality of home agents in a selective and variable way within a single work session.
The preferred embodiment described above offers, among others, the following advantages:
- performance optimization: assigning a home agent close to the mobile node improves the performance experienced by the user, reducing the handover latency and the transfer delay of traffic routed through the home agent;
- load balancing: the ability to change the home agent used by a given user makes it possible to act in real time on the distribution of load among the home agents in the network, adapting it to the type and amount of traffic generated by users. For example, to prevent congestion, the load level of a given home agent can be dynamically reduced by having one or more mobile nodes served by another home agent;
- optimal use of the operator's network resources: assigning a home agent close to the mobile node reduces the traffic crossing the operator's network (for example the backbone). In particular, this ensures optimal use of network resources and avoids traffic related to the mobile node being carried needlessly over the geographic links that make up the provider's backbone.
Brief description of the drawings
The invention will now be described, by way of non-limiting example, with reference to the accompanying drawings, in which:
- Fig. 1 and Fig. 2 have already been described;
- Fig. 3 illustrates a possible network architecture for the arrangement described here;
- Fig. 4 illustrates the network architecture of the arrangement described here in more detail;
- Fig. 5 is a functional flow diagram of a home agent reallocation procedure started by the mobile node and ending successfully;
- Fig. 6 is a functional flow diagram of a home agent reallocation procedure requested by the mobile node but rejected because the mobile node is not authorized;
- Fig. 7 is a functional flow diagram of a home agent reallocation procedure started by the home agent currently used by the mobile node and ending successfully;
- Fig. 8 is a functional flow diagram of a home agent reallocation procedure started by the AAA server and ending successfully;
- Fig. 9 is a functional flow diagram of a home agent reallocation procedure started by the AAA server that fails because it concerns a mobile node that does not support the procedure;
- Figure 10 illustrates the termination of the procedure by means of accounting messages;
- Figure 11 illustrates a possible division of the operator's network into a plurality of sub-areas;
- Figure 12 illustrates an example of a metric among the sub-areas into which the operator's network can be divided;
- Figure 13 illustrates a possible format of the Binding Update message that can be used in the arrangement described;
- Figure 14 illustrates the general format of the mobility options that can be used in the arrangement described;
- Figure 15 illustrates a possible format of the HA Relocation Data mobility option that can be used in the arrangement described; and
- Figure 16 illustrates a possible format of the HA Relocation Hint mobility option that can be used in the arrangement described.
Detailed description of embodiments
Fig. 3, which refers directly to the figures illustrated in Fig. 1 and Fig. 2, shows an example of the network architecture on which the arrangement described is based.
The architecture in Fig. 3 provides for the use of the authentication, authorization and accounting (AAA) platform 90 of the provider with which the user has subscribed to the service. This platform, which is generally already present in the network of the provider 30, is used to authorize, drive and monitor the whole procedure of migration towards the new home agent (referred to as the designated home agent), by sending configuration commands and information to the home agents 70 and the mobile node 10 present in the network. Communication between the authentication, authorization and accounting (AAA) platform 90 and the mobile node 10 takes place, with the support of the home agent currently serving the mobile node (i.e. the serving home agent), by means of suitable extensions to the AAA protocol, labelled 100 in Fig. 3, and to the Mobile IPv6 signalling messages, labelled 102 in Fig. 3.
Each home agent 70 in the network therefore operates, and manages its own address space, independently of the others. As a result, the mobile node 10 changes its own home address each time the home agent changes. The survival of application sessions is ensured by providing a transition period during which the mobile node 10 can use the old and the new home address at the same time, so that applications started before the reallocation procedure began can finish without interruption.
Operating in this way, with the mobile node communicating simultaneously with the old (serving) and the new (designated) home agent (albeit at the cost of increased complexity in the mobile node 10), no exchange of information is needed to coordinate the home agents present in the network. This increases the scalability of the system and reduces signalling overhead.
The Mobile IPv6 (MIPv6) protocol is the solution proposed within the IETF (Internet Engineering Task Force) for managing wide-area terminal mobility in IPv6 networks [ref. rfc3775].
The protocol allows the mobile node 10 both to access the network from different locations while keeping a single identity, and to change its point of attachment dynamically while keeping existing connections active.
As stated above, the protocol manages mobile node mobility by introducing:
- two different IPv6 addresses for each mobile node, i.e. the home address and the care-of address; and
- an agent called the home agent (HA).
Of these two addresses:
i) the first, the home address (HoA), is the address assigned by the provider with which the user has subscribed to the service; it never changes (at least for the duration of the whole work session) and is used to uniquely identify the mobile node;
ii) the second, the care-of address (CoA), is an address belonging to the visited network, obtained dynamically by the mobile node through IPv6 autoconfiguration [ref. rfc2462]. This address identifies the current location of the mobile node and therefore changes each time the mobile node moves.
The home agent resides in the network of the provider with which the user has subscribed to the service (the so-called "home network"); its task is to redirect traffic destined for the mobile node 10 (i.e. traffic addressed to the home address) to the current location of the mobile node (i.e. the care-of address, CoA).
Although Mobile IPv6 has also introduced a communication mode called route optimization, which provides for direct communication between the mobile node 10 and the correspondent node 15 without traffic passing through the home agent 50, the position of the home agent 50 is particularly important for the correct operation of the protocol and for the performance experienced by the mobile node.
In fact, the round-trip time (RTT) between the mobile node 10 and the home agent 50, and hence their distance, greatly affects the handover latency, i.e. the time interval after a handover during which the mobile node cannot receive or send packets.
Moreover, if communication between the mobile node 10 and the correspondent node 15 takes place in bidirectional tunnelling mode (for example, if the correspondent node 15 does not support the extensions provided by Mobile IPv6), all data traffic must pass through the home agent 50; the position of the home agent 50 relative to the mobile node 10 therefore greatly affects the transfer delay experienced by data traffic.
The arrangement described allows the mobile terminal, as soon as it is switched on, to be assigned the home agent able to provide the best performance, i.e. the home agent as close as possible to the mobile terminal's point of attachment in terms of IP hops. This can be obtained by using arrangements available in the literature for dynamically configuring Mobile IPv6 terminals when they enter the network, for example the arrangement disclosed in [ref. draft-giaretta-mip6-authorization-eap-00].
Because the mobile node moves continuously, when it moves away from its own home agent (serving home agent) and experiences a degradation in Mobile IPv6 protocol performance, the arrangement described here allows a new home agent (designated home agent), able to provide better performance than the previous one (serving home agent), to be assigned to the mobile node.
The change of home agent must take place without causing any interruption of ongoing applications, and the whole procedure must be authorized and carried out under the control of the provider with which the user has subscribed to the service (home provider).
Fig. 4 illustrates the general scenario and the elements of the architecture on which the proposed arrangement relies.
In particular, the following elements are shown:
- the authentication, authorization and accounting server 110 of the mobile node's home provider (i.e. the AAA server of the provider with which the user has subscribed to the service). The server 110, which in practice corresponds to the platform denoted 90 in Fig. 3, hosts a module whose function is to authorize, control and monitor the home agent reallocation procedure and to send configuration commands and information to the mobile node 10 and the home agents 70 present in the network;
- the serving home agent 120, i.e. the home agent currently serving the mobile node 10. The home agent 120 hosts a module that interacts with the authentication, authorization and accounting server 110 and acts as an intermediary for communication with the mobile node 10;
- the designated home agent 130, i.e. the home agent designated to serve the mobile node 10. The home agent 130 hosts a module able to receive from the authentication, authorization and accounting server 110 the configuration information (such as home address, cryptographic material and authorization privileges) needed for an authorized user to use the Mobile IPv6 service;
- the mobile node 10, which hosts a module that interacts with the authentication, authorization and accounting server 110 through the serving home agent 120 and ensures the survival of application sessions during the home agent reallocation procedure.
The move from the serving home agent 120 to the designated home agent 130 is managed according to the technical approach described below.
Using one of the reserved bits provided in [ref. rfc3775, pages 39-41], the mobile node 10 declares, in the Binding Update messages it sends to its home agent, that it supports a change of home agent without impact on ongoing communications (i.e. in a "seamless" manner); the home agent 120 and the server 110 can thus identify which mobile nodes are able to complete the procedure.
The procedure can be started by the mobile node 10, by the serving home agent 120, or by the AAA server 110 of the home provider.
In the first two cases the procedure is in any case authorized by the AAA server 110 of the home provider.
In particular:
i) the mobile node can request that home agent reallocation be started if it detects the presence of a home agent able to guarantee better performance (for example by receiving a Router Advertisement with bit H=1, which reveals a home agent on its own link [ref. 3775, pages 61-62]);
ii) the serving home agent 120 can start the procedure in the event of overload;
iii) the authentication, authorization and accounting server 110 can start the home agent reallocation procedure in order to provide the mobile node 10 with a home agent 130 that allows better performance, typically characterized by a shorter distance from the mobile node 10 in terms of IP hops. To do this, the authentication, authorization and accounting server 110 keeps track of all the home agents present in the network, of which mobile nodes each of them is serving, and of the location of the mobile nodes themselves.
The new configuration parameters (i.e. the address of the designated home agent and the security association related to the new home agent address) are delivered to the mobile node 10 by defining new mobility options [ref. rfc3775, pages 46-47] in the Binding Update (BU) and Binding Acknowledgement (BA) messages. The advantage of this approach is that the home agent reallocation procedure does not have to be triggered by a re-authentication event: communication with the mobile node 10 can take place fully asynchronously (i.e. it can be started at any time).
The survival of application sessions is ensured by introducing an address management mechanism similar to the one provided for the "stateless autoconfiguration" procedure of IPv6 networks [ref. rfc2462]: each home address is associated with a state that indicates whether the address can be used to start new communications or only to finish existing ones.
Regardless of which node starts the procedure, a mechanism is provided by which the mobile node 10 tells the network 30 whether it supports the home agent reallocation procedure and, in particular, whether it supports a change of home agent without impact on ongoing communications. In fact, the procedure of the proposed arrangement requires the mobile node 10 to use, for a certain period of time, two home addresses, i.e. two home agents (120 and 130), at the same time; in particular, this means that the mobile node 10 establishes and maintains IPsec security associations with two different nodes.
Not all mobile nodes may therefore be configured to support this new function. Moreover, a terminal (for example a PDA) may be unable to support the procedure because of its limited processing power or reduced memory.
For this reason, each mobile node that supports the home agent reallocation procedure signals this capability to the network, for example by setting a bit to 1 (bit R, denoted 600 in Figure 13) in the Binding Update messages it sends to its home agent. In this way the serving home agent 120 always knows which mobile nodes can change home agent without impact on ongoing communications. If necessary, the serving home agent 120 forwards this information to the authentication, authorization and accounting server 110.
As before observed, can start the origin agent re-allocation process by mobile node.
When mobile node receives when having router advertisement (RA) message that is set to 1 bit H, it can ask the startup of this process: in fact, this means in the link at its place to have origin agent.
Authentication, mandate and accounting server can confirm to authorize the request from mobile node 10 of still not authorizing according to current network state and user's service profile.
Under the situation of this request of mandate, whole process is described in Fig. 5:
-in step 200, mobile node 10 receives and has the router advertisement that is set to 1 bit H, and decision starts the origin agent re-allocation process;
-in step 202, mobile node 10 sends to its oneself service origin agent 120 with Binding Update (BU) message, and wherein it adds new mobility option, is called HA reorientation prompting mobility option.This option be origin agent redistribute the request and comprise:
A) address of the origin agent of transmission router advertisement;
B) mobile node 10 in institute's access link, dispose and can be the address of address, new ancestral home;
-in step 204, like what in [ref.rfc3775,88-92 page or leaf], describe, origin agent is handled binding update messages; Under the situation that has HA reorientation prompting mobility option, origin agent sends the Diameter message of origin agent reorientations to authentication, mandate and accounting server 110, and this message comprises following A VP (property value to) attribute:
A) comprise the user's name AVP (User-Name-AVP) of the user's that request process starts Network Access Identifier symbol.This Network Access Identifier symbol is the identifier that in authentication process, is used by the user; Usually, it is the userdomain type.Service origin agent 120 knows that requirement starts the Network Access Identifier symbol of the mobile node of origin agent re-allocation process; Because it and this mobile node share I Psec security association [ref. draft-giaretta-mip6-authorization-eap-00, the 19th page];
B) comprise the current service ancestral home address AVP (Serving-Home-Address-AVP) that distributes to the address, ancestral home of mobile node;
C) comprise in the address of specifying origin agent and the HA reorientation formerly prompting mobility option appointment origin agent address AVP (Designated-Home-Agent-Address-AVP) and appointment address, ancestral home AVP respectively by the address, new ancestral home (HoA) of mobile node suggestion;
-in step 206, whether authentication, mandate and accounting server 110 inspections authorize mobile node 10 to carry out the origin agent re-allocation process; Under answer is sure situation; It selects to specify origin agent 130; Possibly be (will be interpreted as simple suggestion in HA reorientation prompting mobility option by the indication that mobile node provides by the origin agent that mobile node 10 is pointed out; This means that authentication, mandate and accounting server 110 can distribute to mobile node 10 be different from desired appointment origin agent and specify the address, ancestral home), and dynamically it is configured (for example using the process that in [ref.draft-giaretta-mip6-authorization-eap-00], defines) in step 208.When this sign off, specify origin agent 130 to be assigned management mobile node 10 necessary resources;
- when the exchange between server 110 and the designated home agent 130 ends, in step 210 server 110 sends the home agent reorientation response Diameter message to the serving home agent 120, with the following AVP attributes:
A) a User-Name AVP containing the NAI of mobile node 10;
B) a Designated Home Agent Address AVP containing the address of the designated home agent 130 assigned to mobile node 10;
C) a Designated Home Address AVP containing the new home address of mobile node 10;
D) an Authorization Lifetime AVP containing the lifetime (possibly infinite) of the previous home address (the serving home address). This value is the time for which mobile node 10 may continue to use both the serving home agent and the designated home agent, so that application sessions that were active before the home agent re-allocation process started survive. In other words, the lifetime indicates the time within which the re-allocation process must be fully completed;
- the serving home agent 120 receives this information and, in step 212, passes it to mobile node 10 in a Binding Acknowledgement (BA) message carrying the HA reorientation data mobility option. The option indicates through its Code field whether the process succeeded, and contains the lifetime of the previous home address, the designated home agent address and the new home address;
- mobile node 10 receives this information and, in step 214, negotiates an IPsec security association with the designated home agent 130. Mobile node 10 can then register with the designated home agent 130 through the Binding Update and Binding Acknowledgement messages marked 216 and 218 respectively in Fig. 5. During this short period, mobile node 10 communicates using the serving home address and the designated home address simultaneously.
Communication between the AAA server and the designated home agent can be implemented as defined in [ref.draft-giaretta-mip6-authorization-eap-00, pp. 9-12].
As described in [ref.rfc3775, pp. 18-19], mobile node 10 and the designated home agent 130 must share an IPsec security association 214 to protect Mobile IPv6 signalling traffic.
Preferably, and unlike what is described in [ref.draft-giaretta-mip6-authorization-eap-00], the AAA server 110 does not send mobile node 10 the pre-shared key (PSK) used to bootstrap this IPsec security association through IKE (Internet Key Exchange) [ref.rfc2409].
The shared secret used to establish the security association can instead be derived from the authentication process, specifically from the keying material exported by the EAP (Extensible Authentication Protocol) method used. This assumes that the mobile node uses the EAP protocol [ref.rfc3748] to access the network and that the AAA server can send the PSK securely to the designated home agent; [ref.draft-giaretta-mip6-authorization-eap-00, pp. 11-12] describes an example of how this communication can be carried out.
Fig. 6 shows the whole process when a home agent re-allocation request from mobile node 10 is not authorized:
- in step 220, mobile node 10 receives a Router Advertisement with bit H set to 1 and decides to start the home agent re-allocation process;
- in step 222, mobile node 10 sends its serving home agent 120 a Binding Update (BU) message to which it adds a new mobility option, called the HA reorientation hint mobility option;
- in step 224, the home agent 120 processes the Binding Update message as described in [ref.rfc3775, pp. 88-92];
- in step 226, the AAA server 110 decides not to authorize the request;
- in step 228, the AAA server 110 answers the home agent reorientation request Diameter message from the serving home agent 120 by sending a home agent reorientation response message [ref.rfc3588] whose Result-Code AVP (Result_Code_AVP) equals DIAMETER_AUTHORISATION_REJECTED;
- in step 230, the serving home agent 120 in turn reports the failure of the process to mobile node 10 through an HA reorientation data mobility option whose Code field contains the FAILURE value.
The home agent re-allocation process can also be started at the request of the serving home agent; in particular, the serving home agent can start the process on behalf of a mobile node when it begins to be overloaded and therefore has difficulty managing all the mobile nodes registered with it.
Fig. 7 shows the flow of the process when the AAA server duly authorizes the request from the serving home agent. The process consists of the following steps:
- in step 240, a trigger in the serving home agent 120 starts the process; as stated, the most significant case is home agent overload;
- in step 242, the serving home agent 120 starts the home agent re-allocation process by sending the AAA server 110 an HA reorientation request Diameter message, containing the NAI and the corresponding home address of the mobile node that it may stop serving. This mobile node is chosen among those that support the home agent re-allocation process, that is, those that sent a Binding Update with bit R equal to 1.
- in step 244, the AAA server 110 checks whether this serving home agent is authorized to start the home agent re-allocation process for the selected mobile node. If so, server 110 selects the designated home agent 130 for this mobile node by means of a suitable algorithm.
- in step 246, server 110 negotiates the Mobile IPv6 service and the resources to be allocated with the designated home agent 130. This can be done using, for example, the process described in [draft-giaretta-mip6-authorization-eap-00].
- in step 248, once resource allocation on the designated home agent 130 is complete, server 110 sends the serving home agent 120 an HA reorientation response message with the following AVP attributes:
A) a User-Name AVP containing the NAI of mobile node 10;
B) a Designated Home Agent Address AVP with the designated home agent address;
C) a Designated Home Address AVP with the new home address;
D) an Authorization Lifetime AVP containing the lifetime of the previous home address;
- as soon as the serving home agent 120 receives a Binding Update message from the user in step 250 (to speed this up, the serving home agent can send a Binding Refresh Request (BRR) message asking mobile node 10 to send a new Binding Update immediately), it replies in step 252 with a Binding Acknowledgement message containing the HA reorientation data mobility option. This option contains the lifetime of the previous home address, the designated home agent address and the new home address (that is, the configuration data provided by server 110 in the preceding HA reorientation response Diameter message). In this case too, the PSK used to bootstrap the IPsec security association between the mobile node and the home agent is derived from EAP;
- at that point, in step 254, mobile node 10 starts the IPsec security association with the designated home agent and performs Mobile IPv6 registration with it (the exchange of the Binding Update and Binding Acknowledgement messages marked 256 and 258 respectively in Fig. 7).
In this case too, the AAA server 110 can decide not to authorize the home agent re-allocation process requested by the serving home agent; it does so by sending the serving home agent a home agent reorientation response Diameter message whose Result-Code AVP (Result_Code_AVP) equals DIAMETER_AUTHORISATION_REJECTED.
Fig. 8 shows the home agent re-allocation process when it is started by the AAA server 110.
At least according to the experiments the applicant has carried out so far, this is probably the most significant of the cases disclosed.
Typically during re-authentication, the AAA server 110 detects that the mobile node is far from its serving home agent and would therefore benefit, in terms of IP hop count, from being assigned a new home agent. Information about the mobile node's position can easily be obtained from the IP address of the network access server through which the user performs re-authentication.
This process comprises the steps:
- in step 260, server 110 selects a suitable designated home agent 130 and allocates resources, for example by the method described in [ref.draft-giaretta-mip6-authorization-eap-00];
- once server 110 has configured the designated home agent 130 in step 262, it sends the serving home agent 120, in step 264, an HA reorientation activation request Diameter message with the following AVP attributes:
A) a User-Name AVP containing the user's NAI;
B) a Serving Home Address AVP containing the home address currently assigned to the mobile node;
C) a Designated Home Agent Address AVP containing the designated home agent address;
D) a Designated Home Address AVP containing the new home address assigned to mobile node 10;
E) an Authorization Lifetime AVP (Authorisation-Lifetime-AVP) containing the lifetime (possibly infinite) of the previous home address (the serving home address);
- in step 266, the serving home agent 120 immediately sends mobile node 10 a Binding Refresh Request (BRR) message, asking it to send a Binding Update. Sending the BRR avoids timeouts in the Diameter communication between the serving home agent 120 and server 110, since otherwise there is no way to know for certain when the next Binding Update from mobile node 10 will arrive;
- after receiving, in step 268, the Binding Update from the mobile node 10 that must perform the home agent re-allocation process, the serving home agent 120 inserts into the subsequent Binding Acknowledgement (step 270) the HA reorientation data mobility option containing the previous home address, the designated home agent address and the new home address;
- in step 272, the serving home agent 120 replies to server 110 with a home agent reorientation activation response message, in which it indicates that mobile node 10 has received the information needed to complete the process;
- mobile node 10 can then negotiate an IPsec security association with the designated home agent 130 in step 274 and perform Mobile IPv6 registration with this designated home agent 130 in steps 276 and 278.
As noted earlier, the mobile node uses the Binding Update message to tell the serving home agent whether it supports the home agent re-allocation process and the mobility options defined here. This information reaches the serving home agent but not the AAA server; the AAA server may therefore start the home agent re-allocation process for a mobile node that does not in fact support it.
In that case, in step 280 of Fig. 9, the serving home agent 120 learns that mobile node 10 does not support the requested function. In step 282, the serving home agent 120 notifies server 110 that the process cannot be carried out, by means of an HA reorientation activation response message whose Result-Code AVP equals DIAMETER_UNABLE_TO_COMPLY.
With the process defined above, after exchanging with the serving home agent the Binding Update and Binding Acknowledgement messages that carry the new mobility options, and after subsequently registering with the designated home agent, the mobile node has two home addresses associated with one or more home agents.
The following describes how the mobile node manages these two simultaneous registrations, and the criteria by which it finally deletes its registration with the serving home agent.
The home agent re-allocation process should not affect ongoing communications.
For example, if the mobile node deleted its registration with the serving home agent as soon as it completed registration with the designated home agent, ongoing sessions could not stay active, because they are identified by the home address associated with the serving home agent (the serving home address).
The method proposed in this arrangement is similar to the one used in IPv6 networks for stateless host configuration [ref.2462].
The arrangement introduces a state machine that governs the use of home addresses; in particular, it indicates whether a home address can be used only for communications already active or also to start new ones.
A home address can be in one of the following states:
- the first state is called here the preferred home address: an address whose use by upper layers is unrestricted, which means it can be used to start new communications. In the process above, a home address is in the preferred state from when it is assigned to the mobile node until the home agent re-allocation process completes with the assignment of a new home address (the designated home address).
- the second state is called here the deprecated home address: an address that may be used only for communications already started, and so cannot be used to start new ones. A home address moves from the preferred state to the deprecated state when the home agent re-allocation process completes and the mobile node has registered with the designated home agent.
- the third state is called here the invalid home address: the mobile node can use an address in this state neither for new communications nor for existing ones. A home address moves from the deprecated state to the invalid state when the mobile node has finished all the communications previously started with it; to keep a home address from staying deprecated for too long (for example with very long-lived communications), the address can also become invalid when a timeout expires (namely the lifetime specified by the AAA server in the Authorization Lifetime AVP). Note that this timeout, at whose expiry any communications still bound to the address are terminated, should in any case be set to a very high value.
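The three states and their transitions can be modelled as follows. This is an added illustration, not code from the patent: the class and method names are hypothetical, time is passed in explicitly as seconds, the lifetime is taken in the four-second units of the HA reorientation data mobility option, and `None` is assumed to stand for an infinite lifetime.

```python
import math
from enum import Enum


class HoAState(Enum):
    PREFERRED = "preferred"      # may be used to start new communications
    DEPRECATED = "deprecated"    # only for communications already started
    INVALID = "invalid"          # no use at all


class HomeAddress:
    def __init__(self, address):
        self.address = address
        self.state = HoAState.PREFERRED
        self.expires_at = math.inf   # set when the address is deprecated
        self.sessions = set()        # ids of sessions bound to this address


class MobileNode:
    """Tracks the serving and designated home addresses of one mobile node."""

    def __init__(self, serving_hoa):
        self.addresses = [HomeAddress(serving_hoa)]

    def _preferred(self):
        for hoa in self.addresses:
            if hoa.state is HoAState.PREFERRED:
                return hoa
        raise RuntimeError("no preferred home address")

    def open_session(self, session_id):
        """New communications are bound to the preferred address only."""
        hoa = self._preferred()
        hoa.sessions.add(session_id)
        return hoa.address

    def close_session(self, session_id):
        for hoa in self.addresses:
            hoa.sessions.discard(session_id)
            self._invalidate_if_idle(hoa)

    def complete_relocation(self, designated_hoa, lifetime_units, now):
        """Call once registration with the designated home agent succeeded."""
        old = self._preferred()
        old.state = HoAState.DEPRECATED
        if lifetime_units is not None:            # None = infinite (assumption)
            old.expires_at = now + 4 * lifetime_units
        self.addresses.append(HomeAddress(designated_hoa))
        self._invalidate_if_idle(old)

    def tick(self, now):
        """Timeout path: the authorised lifetime of a deprecated address ran out."""
        for hoa in self.addresses:
            if hoa.state is HoAState.DEPRECATED and now >= hoa.expires_at:
                hoa.sessions.clear()              # remaining sessions are cut off
                hoa.state = HoAState.INVALID

    def _invalidate_if_idle(self, hoa):
        if hoa.state is HoAState.DEPRECATED and not hoa.sessions:
            hoa.state = HoAState.INVALID

    def to_deregister(self):
        """Addresses whose binding at the old home agent can now be deleted."""
        return [h.address for h in self.addresses
                if h.state is HoAState.INVALID]

    def state_of(self, address):
        return next(h.state for h in self.addresses if h.address == address)
```
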
For the process to operate correctly, it is important that the AAA server 110 knows when the process is complete: in particular, the AAA server 110 must be informed when the mobile node registers with the designated home agent and when the mobile node deletes its registration with the serving home agent. The AAA server 110 needs this information for the following two reasons:
- the information serves as confirmation that the process ran correctly, so that the AAA server 110 always knows which home agent is serving a given mobile node;
- the AAA server 110 can use this information to decide whether to authorize a new home agent re-allocation process; for example, if the mobile node has not yet completed a previous home agent re-allocation, the AAA server 110 can decide not to authorize a request from the mobile node or from the serving home agent.
The recommended arrangement uses Diameter accounting messages to provide this information to the AAA server 110; the process comprises the following steps, shown in Fig. 10:
- in step 300, mobile node 10 sends a Binding Update message to the designated home agent 130;
- in step 302, the designated home agent 130 replies to mobile node 10 with a Binding Acknowledgement;
- after mobile node 10 has registered with the designated home agent 130, in step 304 the designated home agent 130 itself sends server 110 an Accounting Start message to confirm that the registration has taken place; from this message, server 110 understands that mobile node 10 has actually begun the home agent re-allocation process and is registered with two different home agents (the serving home agent and the designated home agent);
- during the period marked 306, mobile node 10 may use the serving home agent 120 and the designated home agent 130 simultaneously;
- in step 308, mobile node 10 sends the serving home agent 120 a Binding Update message with a lifetime of zero, thereby explicitly deleting its registration, and in step 310 it receives the corresponding Binding Acknowledgement message. Alternatively, mobile node 10 can let its registration with the serving home agent 120 expire naturally, by ceasing to refresh it with periodic Binding Update messages to the serving home agent 120;
- after deleting the state associated with mobile node 10, in step 312 the serving home agent 120 sends the AAA server 110 an Accounting Stop Diameter message, as any network access server would. From this message, server 110 understands that the mobile node is no longer registered with the serving home agent 120 and that the home agent re-allocation process is therefore fully complete.
As described in [ref.rfc3775, pp. 18-19], before exchanging any Binding Update or Binding Acknowledgement message, the mobile node and the home agent must establish an IPsec security association, for example by using Internet Key Exchange [ref.rfc2409].
Unlike what is described in [ref.draft-giaretta-mip6-authorization-eap-00], the recommended arrangement does not explicitly send the mobile node the pre-shared key needed to start Internet Key Exchange; instead, the mobile node derives it itself from the EAP key hierarchy.
The process of deriving and using this key is described hereinafter.
At the end of the EAP exchange, mobile node 10 and the AAA server 110 share two keys derived from the authentication method used: the Master Session Key (MSK) and the Extended Master Session Key (EMSK) [ref.draft-ietf-eap-keying-03, pp. 13-17]. The latter can in turn be used to derive further keys, called Application Master Session Keys (AMSK), which are used directly by applications [ref.draft-ietf-eap-keying-03, pp. 13-17]; in particular, an AMSK dedicated to Mobile IPv6 can be derived and used as the PSK in IKE phase 1.
This key is derived from the EMSK by mobile node 10 and by the AAA server 110; the AAA server 110 must then communicate the key securely to the home agent. This can be done over Diameter, for example using the method defined in [ref.draft-giaretta-mip6-authorization-eap-00].
A possible function for deriving the Mobile IPv6 AMSK from the EMSK is the following:
- KDF(K, L, D, O) = T1 | T2 | T3 | T4 | ...
- T1 = prf(K, S | 0x01)
- T2 = prf(K, T1 | S | 0x02)
- T3 = prf(K, T2 | S | 0x03)
where
- prf = HMAC-SHA1
- K = EMSK
- L = key label = "MIPv6 key"
- D = application data = home agent address
- O = output length (2 bytes)
- S = L | "\0" | D | O
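The derivation above, written out as an added example that is not part of the patent text. The text does not fix the encodings, so the following are assumptions: D is the 16-byte packed IPv6 address of the home agent, O is a big-endian 16-bit byte count, and the block counter is a single byte; the function names and the sample EMSK are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY_LABEL = b"MIPv6 key"   # L, the key label given in the text
HASH_LEN = 20              # HMAC-SHA1 output size in bytes


def prf(key, data):
    """prf = HMAC-SHA1, as specified in the text."""
    return hmac.new(key, data, hashlib.sha1).digest()


def kdf(k, label, app_data, out_len):
    """KDF(K, L, D, O) = T1 | T2 | T3 | ..., truncated to O bytes."""
    # A one-byte counter (0x01, 0x02, ...) allows at most 255 blocks.
    if not 1 <= out_len <= 255 * HASH_LEN:
        raise ValueError("output length out of range for a one-byte counter")
    # S = L | "\0" | D | O, with O encoded on 2 bytes (big-endian: assumption).
    s = label + b"\x00" + app_data + struct.pack("!H", out_len)
    blocks = []
    previous = b""          # T0 is empty, so T1 = prf(K, S | 0x01)
    counter = 1
    while HASH_LEN * len(blocks) < out_len:
        # Tn = prf(K, T(n-1) | S | n)
        previous = prf(k, previous + s + bytes([counter]))
        blocks.append(previous)
        counter += 1
    return b"".join(blocks)[:out_len]


def derive_mipv6_psk(emsk, home_agent_address, out_len=32):
    """Derive the Mobile IPv6 AMSK used as the IKE phase 1 PSK.

    Both the mobile node and the AAA server run this with the same EMSK;
    the home agent address in D binds the key to one specific home agent,
    so the serving and the designated home agent never receive the same PSK.
    """
    if len(emsk) < 64:
        raise ValueError("EMSK must be at least 64 bytes")
    d = ipaddress.IPv6Address(home_agent_address).packed   # assumption
    return kdf(emsk, KEY_LABEL, d, out_len)


if __name__ == "__main__":
    sample_emsk = bytes(range(64))                  # constructed test value
    print(derive_mipv6_psk(sample_emsk, "2001:db8:b::1").hex())
```

Because O is part of S, asking for a shorter key does not yield a prefix of a longer one, and the AAA server only ever has to hand a home agent the key bound to that agent's own address.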
The following describes a process that the AAA server 110 can use, during home agent re-allocation, to select the designated home agent 130 to assign to the mobile node.
The method is based on dividing the operator's access network into partitions, each characterised by the presence of one or more home agents, as shown in Figure 11.
A mobile node 10 located in partition 400 is normally managed by the home agent 410 of that partition; after a move that implies a change of partition, to 420 or 440, the network must determine whether the partitions involved are far enough apart to satisfy the condition for starting the home agent re-allocation process.
In addition to the partitions into which the access network is divided, it may be useful to define one or more roaming partitions 460, containing home agents 470 dedicated to managing users who are roaming in the networks of other providers 480. Figure 11 shows such a home agent 470, placed in the backbone network 490 close to the points of interconnection with other networks.
To manage the home agent re-allocation process by this method, server 110, possibly relying on a central database 500 (for example an LDAP database), preferably maintains the following data structures:
- partition table: in this table, the AAA server 110 stores the list of partitions into which the access network has been divided, and any roaming partitions;
- network access server table: in this table, the AAA server 110 stores, for each network access server 510 in the network (for example router, access point), its identifier and the associated information, in particular its IP address and the partition it belongs to;
- home agent table: for each home agent, this table stores its identifier (for example IP address, NAI) and further information on the node's current load level (the number of users served, which can be updated from accounting information) and on node characteristics (type, maximum capacity and so on). In this table the AAA server 110 also stores the partitions served by each home agent.
From the information in these data structures, the AAA server 110 can know at any time in which partition a given mobile node is located, which partition its serving home agent belongs to, and the overall state of the network. This information is not enough, however, to decide when it is convenient or even necessary to carry out the home agent re-allocation process; for that purpose, a metric is defined that gives an indication of the distance between partitions, and the decision whether to start the process is based on this metric.
Figure 12 shows an example of a static metric for the network of Figure 11 and its use in taking the final decision on whether to carry out the process. The rows of the table represent the possible partitions (400, 420, 440, 460) of the serving home agent, and the columns likewise represent the partitions in which the mobile node may be found as it moves. Each cell contains a value representing the distance between the row's partition and the column's partition. By consulting this table, the AAA server 110 obtains at any time the metric associated with the distance from the serving home agent's partition to the partition where the mobile node is found. Based on the value of this metric, server 110 can decide whether to start the home agent re-allocation process. For instance, a metric with three levels (1, 2 and 3) can be assumed, with the following meanings:
- 1 = the home agent re-allocation process is not needed (that is, the partition of the serving home agent coincides with the partition where the mobile node is found, or the two partitions are in any case very close in terms of IP hop count);
- 2 = the home agent re-allocation process is optional (that is, the partition of the serving home agent does not coincide with the partition where the mobile node is found, but the two partitions are not far enough apart to strictly require the re-allocation process);
- 3 = the home agent re-allocation process is mandatory (that is, the partition of the serving home agent is far from the partition where the mobile node is found, so that resorting to the re-allocation process is strongly advised).
An alternative arrangement updates the metric dynamically according to the instantaneous network load, which can be assessed by estimating the round-trip time (RTT) between the different home agents and the RTT between the mobile nodes present in each partition and their respective serving home agents.
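The sketch below combines the static metric with the accounting-based tracking described earlier (Accounting Start from the designated home agent, Accounting Stop from the serving home agent). It is an added example, not the patent's algorithm: the distance values, NAS addresses, verdict strings and the least-loaded selection rule are all constructed assumptions, since the text only speaks of "a suitable algorithm" and the contents of Figure 12 are not reproduced on this page.

```python
from dataclasses import dataclass

# Constructed stand-in for the Figure 12 table: DISTANCE[row][column], where
# row = partition of the serving home agent and column = partition in which
# the mobile node is found. 1 = not needed, 2 = optional, 3 = mandatory.
DISTANCE = {
    "400": {"400": 1, "420": 2, "440": 3, "460": 3},
    "420": {"400": 2, "420": 1, "440": 2, "460": 3},
    "440": {"400": 3, "420": 2, "440": 1, "460": 3},
    "460": {"400": 3, "420": 3, "440": 3, "460": 1},
}
VERDICT = {1: "NOT_NEEDED", 2: "OPTIONAL", 3: "MANDATORY"}

# Network access server table (constructed): NAS IP address -> partition.
NAS_PARTITION = {"192.0.2.10": "400", "192.0.2.20": "420", "192.0.2.30": "440"}


@dataclass
class HomeAgent:
    """One row of the home agent table."""
    address: str
    partition: str
    capacity: int
    users: int = 0


class AaaServer:
    def __init__(self, home_agents):
        self.home_agents = {ha.address: ha for ha in home_agents}
        self.registrations = {}   # NAI -> addresses of home agents serving it

    def accounting_start(self, nai, ha_address):
        """A home agent reports that the mobile node registered with it."""
        regs = self.registrations.setdefault(nai, set())
        if ha_address not in regs:
            regs.add(ha_address)
            self.home_agents[ha_address].users += 1

    def accounting_stop(self, nai, ha_address):
        """A home agent reports that it deleted the mobile node's state."""
        regs = self.registrations.get(nai, set())
        if ha_address in regs:
            regs.remove(ha_address)
            self.home_agents[ha_address].users -= 1

    def evaluate(self, nai, nas_ip):
        """Decide on re-allocation when `nai` re-authenticates via `nas_ip`.

        Returns (verdict, designated home agent address or None).
        """
        regs = self.registrations.get(nai, set())
        partition = NAS_PARTITION.get(nas_ip)
        # Refuse if the user or NAS is unknown, or if a previous re-allocation
        # is still in progress (node registered with two home agents).
        if len(regs) != 1 or partition is None:
            return ("REJECTED", None)
        serving = self.home_agents[next(iter(regs))]
        verdict = VERDICT[DISTANCE[serving.partition][partition]]
        if verdict == "NOT_NEEDED":
            return (verdict, None)
        candidates = [ha for ha in self.home_agents.values()
                      if ha.partition == partition and ha.users < ha.capacity]
        if not candidates:
            return ("NO_CANDIDATE", None)
        # Assumption: prefer the home agent with the lowest relative load.
        best = min(candidates,
                   key=lambda ha: (ha.users / ha.capacity, ha.address))
        return (verdict, best.address)
```
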
The formats of the mobility options and AVP (attribute-value pair) attributes defined above follow.
Figure 13 shows the format of the Binding Update message as defined by the arrangement described here, in which a bit 600 is specified: the mobile node sets bit 600 (R) to 1 if it supports the home agent re-allocation process.
Figure 14 shows the format of a generic mobility option as described in [ref.rfc3775, pp. 46-47]; as can be seen, it is a TLV (type, length, value) format with type 610, length 620 and data 630 fields.
Figure 15 shows the HA reorientation data mobility option. Its fields are the following:
- field 640 (Code): the result of the process. This field can take the following values:
I) 0 = success;
II) 128 = failure.
- field 642 (Reserved): a field reserved for future use;
- field 644 (Lifetime): the lifetime, in units of four seconds, of the home address currently assigned to the mobile node (the home address associated with the serving home agent, that is, the serving home address). This value can also be infinite;
- field 646 (Home Address): the new home address assigned to the user (that is, the designated home address);
- field 648 (Home Agent Address): the designated home agent address.
Figure 16 shows the format of the HA reorientation hint mobility option.
It contains the home address 646 and home agent address 648 fields already introduced for the HA reorientation data mobility option. These fields can contain null values when the mobile node requests home agent re-allocation without having received any Router Advertisement with bit H = 1.
The Diameter messages used in the recommended arrangement are the following:
- Home agent reorientation request. This message is sent by the serving home agent to the AAA server to request the start of the home agent re-allocation process; it contains the following AVP attributes:
- User-Name AVP;
- Serving Home Address AVP;
- Designated Home Address AVP (optional);
- Designated Home Agent Address AVP (optional).
- Home agent reorientation response. This message is sent by the AAA server to the serving home agent to convey the new configuration parameters that must be passed to the mobile node as part of the home agent re-allocation process; it contains the following AVP attributes:
- User-Name AVP;
- Designated Home Address AVP;
- Designated Home Agent Address AVP;
- Authorization Lifetime AVP.
- Home agent reorientation activation request. This message is sent by the AAA server to the serving home agent when the AAA server proposes the home agent re-allocation process for a specific mobile node; it contains the following AVP attributes:
- User-Name AVP;
- Serving Home Address AVP;
- Designated Home Address AVP;
- Designated Home Agent Address AVP;
- Authorization Lifetime AVP.
- Home agent reorientation activation response. This message is sent by the serving home agent to notify the AAA server that the mobile node has been told that it needs to carry out the home agent re-allocation process; it contains the following AVP attributes:
- User-Name AVP;
- Result-Code AVP.
The AVP attributes used and/or defined in this document are as follows (the description follows the conventions and the data types defined in [ref.rfc3588]):
- User-Name AVP (AVP code 1). This AVP contains the user's name, expressed in the form of an NAI. The AVP is of type UTF8String.
- Serving Home Address AVP. The AVP data field of this AVP is of type IPAddress and contains the home address associated with the serving home agent.
- Designated Home Address AVP. The AVP data field of this AVP is of type IPAddress and contains the home address associated with the designated home agent.
- Designated Home Agent Address AVP. The AVP data field of this AVP is of type IPAddress and contains the designated home agent address.
- Authorization Lifetime AVP (AVP code 291). This AVP is of type Unsigned32; the value in the AVP data field is the lifetime, in seconds, for which a given user is authorized to use the service. In the home agent re-allocation process, this value indicates how long the mobile node may continue to use both the serving home agent and the designated home agent, so that application sessions that were active before the re-allocation process began survive.
The home agent re-allocation process has been specified with reference to a scenario with the following characteristics:
- mobile node authentication for network access authorization is performed through an EAP method (for example EAP-SIM, EAP-AKA) that can export keys usable by other applications;
- mobile node movements between different IP subnets are managed through the Mobile IPv6 protocol, which guarantees the survival of application sessions across mobility events;
- the signalling messages exchanged between the mobile node and the home agent are protected (authentication, integrity and confidentiality) by an IPsec security association;
- the IPsec security association between the mobile node and the home agent is established dynamically through the IKE protocol;
- communication between the AAA server and the home agents in the network (the serving home agent and the designated home agent) takes place over Diameter.
Yet, for example can the process of describe configuration be expanded to following situation, but be not limited to following situation:
-realize the mobile node authentication through the method except EAP, in any case but can both generate (on the mobile node and on authentication, mandate and accounting server) can be used the encrypted data that (for example moving IP) uses by other;
-according to similar architecture principle, move through using mobile IPv 4 agreement [ref.rfc3344] or other mobility management protocol to manage mobile node;
-mechanism (configuration of for example in [ref.draft-ietf-mip6-auth-protocol-00], describing) through being different from IPsec; In any case but be based on the existence of shared key between mobile node and the origin agent (for example sharing key in advance), protect the signaling message that between mobile node and origin agent, exchanges;
-through IKEv2 agreement [ref.draft-ietf-ipsec-ikev2-15]; Perhaps allow to carry out other mechanism that starts from the IPsec security association of sharing key (for example sharing key in advance), dynamically be based upon the IPsec security association between mobile node and the origin agent (service or authorized agency);
-use any other agreement of the transmission can manage general information content (RADIUS, SNMP or the like), be implemented in communicating by letter between authentication, mandate and accounting server and the origin agent.
Therefore; Under the situation that does not break away from inventive principle; Thereby under not breaking away from like situation by the defined scope of the present invention of claims; With respect to describing with illustrated, can change, even greatly change component parts and embodiment as just the example of nonrestrictive the present invention's possibility embodiment.

Claims (15)

1. A method for re-assigning, in a communication network (30) comprising a plurality of home agents (70), the operation of providing a communication service to at least one mobile terminal (10) from a first home agent (120) identified among said plurality of home agents (70) to another home agent (130), wherein said at least one mobile terminal (10) uses at least one address to be served by a home agent (70), the method being characterized in that it comprises the following steps:
- providing an authentication, authorization and accounting (AAA) platform (90) in said communication network (30);
- while said at least one mobile terminal (10) is served by said first home agent (120), selecting, through said AAA platform (90), a second home agent (130) suitable for serving said at least one mobile terminal; and
- re-assigning the operation of providing said communication service to said at least one mobile terminal (10) from said first home agent (120) to said second home agent (130), the re-assigning step comprising: sending configuration information from said AAA platform (90) to said at least one mobile terminal (10) through said first home agent (120), said configuration information being suitable for configuring said at least one mobile terminal (10) to access said communication service through said second home agent (130).
2. The method according to claim 1, characterized in that it comprises the step of: sending configuration information from said AAA platform (90) to said second home agent (130), this configuration information being suitable for configuring said second home agent (130) so as to allow said communication service to be provided to said at least one mobile terminal (10).
3. The method according to claim 1, characterized in that it comprises the step of: re-assigning the operation of providing said communication service to said at least one mobile terminal (10) from a first home agent (120) of said plurality of home agents (70) to a second home agent (130), the re-assignment being started by said AAA platform (90).
4. The method according to claim 1, characterized in that it comprises the step of: re-assigning the operation of providing said communication service to said at least one mobile terminal (10) from a first home agent (120) of said plurality of home agents (70) to a second home agent (130) upon occurrence of at least one condition selected from the group comprising the following conditions:
- said at least one mobile terminal (10) detects that said second home agent (130) is suitable for providing said communication service with better performance than said first home agent (120); and
- said first home agent (120) detects the occurrence of an overload.
5. The method according to claim 1, characterized in that it comprises the step of: re-assigning the operation of providing said communication service to said at least one mobile terminal (10) from a first home agent (120) of said plurality of home agents (70) to a second home agent (130), the re-assigning step taking place when said AAA platform (90) detects that said second home agent (130) is suitable for providing said communication service to said at least one mobile terminal (10) with better performance than said first home agent (120).
6. The method according to claim 2, characterized in that said configuration information sent to said second home agent (130) comprises parameters selected from the group consisting of the following parameters:
- the identifier of said at least one mobile terminal (10);
- a new address assigned to said at least one mobile terminal (10) for communicating with said second home agent (130); and
- the parameters required to start a security association usable for the communication between said at least one mobile terminal (10) and said second home agent (130).
7. The method according to claim 1, characterized in that said configuration information sent to said at least one mobile terminal (10) via said first home agent (120) comprises parameters selected from the group consisting of the following parameters:
- the address of said second home agent (130);
- a new address assigned to said at least one mobile terminal (10) for communicating with said second home agent (130); and
- a lifetime for the address used by said at least one mobile terminal (10) to communicate with said first home agent (120), wherein said lifetime may be equal to infinity.
8. The method according to claim 2, characterized in that it comprises the step of establishing a security association (214) for protecting the communication between said at least one mobile terminal (10) and said second home agent (130) through the following steps:
- sending at least one key from said AAA platform (90) to said second home agent (130) to establish said security association; and
- deriving said key from said at least one mobile terminal (10) according to the authentication procedure carried out with said AAA platform (90).
9. The method according to claim 1, characterized in that it comprises the step of: configuring said network as a network that manages terminal mobility using the Mobile IP protocol.
10. A device for re-assigning, in a communication network (30) comprising a plurality of home agents (70), the operation of providing a communication service to at least one mobile terminal (10) from a first home agent (120) identified among said plurality of home agents (70) to another home agent (130), wherein said at least one mobile terminal (10) uses at least one address to be served by a home agent (70), the device being characterized in that it comprises:
- means for selecting, while said at least one mobile terminal (10) is served by a first home agent (120) of said plurality of home agents (70), a second home agent (130) suitable for serving said at least one mobile terminal; and
- means for sending configuration information to said at least one mobile terminal (10) through said first home agent (120), so as to re-assign the operation of providing said service to said at least one mobile terminal (10) from said first home agent (120) to said second home agent (130), said configuration information being suitable for configuring said at least one mobile terminal (10) to access said service through said second home agent (130).
11. The device according to claim 10, characterized in that said device further comprises means for sending configuration information to said second home agent (130), this configuration information being suitable for configuring said second home agent (130) so as to allow said communication service to be provided to said at least one mobile terminal (10).
12. The device according to claim 10, characterized in that the operation of providing said communication service to said at least one mobile terminal (10) can be re-assigned from said first home agent (120) to said second home agent (130) upon occurrence of the following condition:
- said device detects that said second home agent (130) is suitable for providing said communication service to said at least one mobile terminal (10) with better performance than said first home agent (120).
13. The device according to claim 11, characterized in that said configuration information sent to said second home agent (130) comprises parameters selected from the group consisting of the following parameters:
- the identifier of said at least one mobile terminal (10);
- a new address assigned to said at least one mobile terminal (10) for communicating with said second home agent (130); and
- the parameters required to start a security association usable for the communication between said at least one mobile terminal (10) and said second home agent (130).
14. The device according to claim 10, characterized in that said configuration information sent to said at least one mobile terminal (10) via said first home agent (120) comprises parameters selected from the group consisting of the following parameters:
- the address of said second home agent (130);
- a new address assigned to said at least one mobile terminal (10) for communicating with said second home agent (130); and
- a lifetime for the address used by said at least one mobile terminal (10) to communicate with said first home agent (120), wherein said lifetime may be equal to infinity.
15. The device according to claim 11, characterized in that a security association (214) for protecting the communication is established between said at least one mobile terminal (10) and said second home agent (130), said device further comprising means for sending at least one key to said second home agent (130) to establish said security association, said key being derived from said at least one mobile terminal (10) according to the authentication procedure carried out with said device.
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2011100282220A CN102088463B (en) 2004-09-30 2004-09-30 Method and system for controlling mobility of communication network, and related network and computer program product
HK11112652.1A HK1158410A1 (en) 2004-09-30 2011-11-22 Method and system for controlling mobility in a communication network, related network and computer program product therefor

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011100282220A CN102088463B (en) 2004-09-30 2004-09-30 Method and system for controlling mobility of communication network, and related network and computer program product

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN2004800443112A Division CN101053233B (en) 2004-09-30 2004-09-30 Method and system for controlling mobility in a communication network, related network and computer program product therefor

Publications (2)

Publication Number Publication Date
CN102088463A CN102088463A (en) 2011-06-08
CN102088463B true CN102088463B (en) 2012-11-28

Family

ID=44100076

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011100282220A Active CN102088463B (en) 2004-09-30 2004-09-30 Method and system for controlling mobility of communication network, and related network and computer program product

Country Status (2)

Country Link
CN (1) CN102088463B (en)
HK (1) HK1158410A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1134991A2 (en) * 2000-03-13 2001-09-19 Nokia Corporation Load balancing in telecommunications system supporting mobile IP
CN1384648A (en) * 2001-05-04 2002-12-11 3柯姆公司 System and method for permitting IP mobile node to operate without seam in mobile IP network
CN1486094A (en) * 2002-09-26 2004-03-31 Method and apparatus for mobile communication using load balance

Also Published As

Publication number Publication date
HK1158410A1 (en) 2012-07-13
CN102088463A (en) 2011-06-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 1158410

Country of ref document: HK

C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code

Ref country code: HK

Ref legal event code: GR

Ref document number: 1158410

Country of ref document: HK