200828924 九、發明說明: 【發明所屬之技術領域】 本發明大體係關於通信系統,且更特定言之,係關於一 種用於雙堆璺操作互通授權的方法及裝置。 【先前技術】 無線通信技術在過去幾年中已經歷極大成長。已藉由無 線技術供給之移動自由及在無線媒體上之語音及資料通信 之大大改良的品質部分地推動此成長。經改良之語音服務 品質連同資料服務之添加已具有且將繼續具有對通信公眾 之顯著效應。額外服務包括在漫遊時使用行動設備來存取 網際網路。 在移動時維持資料會話的能力對於使用者與系統操作者 均為重要的。隨著更多的使用者利用行動網際網路協定操 作,使用者可能欲使用雙堆疊操作來同時存取相同封包資 料互通功能,此允許同時使用兩個版本的行動網際網路協 定。封包資料互通功能(PDIF)充當一保護蜂巢式網路的安 全閘道器。 圖1展示一用於無線區域網路(WLAN)的互通架構。網路 可為操作於3GPP2標準上的無線通信系統之部分,該 3GPP2標準由一命名為"第三代合作夥伴計劃2"(本文中稱 為3GPP2)的協會供給之標準界定,架構1〇〇包括一連接至 WLAN系統i 04之行動台(MS)102。WLAN系統i 〇4包括存取 點(AP)106及存取路由器(AR)108。WLAN系統連接至3〇本 籍網路11 〇。WLAN系統經由封包資料互通功能(pDiF)i22 123915.doc 200828924 而連接至3G本籍網路110。PDIF 114連接至本籍驗證、授 權及計費(Η-AAA)設備112。 MS以PDIF建立一在3G本籍網路中充當一安全閘道器之 安全IP隧道。H-AAA 112驗證並授權該隧道的建立。在該 、 隧道經建立後,MS可在3G本籍網路110中存取服務。圖1 中的虛線指示用於驗證、授權及計費資訊之路徑,並指示 在H-AAA 112與PDIF 114之間的資訊傳送。實線展示用於 使用者資料訊務之承載路徑且管線指示保護MS 102與 PDIF 114之間的使用者資料訊務之安全隧道。 MS經預組態而具有為IP位址或全合格領域名稱(FQDN) 之PDIF位址資訊。若MS經組態而具有PDIF的FQDN,則該 MS將繼續轉遞領域名稱系統(DNS)以解決與FQDN相關聯 之IP位址。MS使用網際網路密鑰交換版本2(IKEv2)以由 PIDF建立安全隧道(稱為用於資料傳送之IP-sec隧道)。建 立安全隧道之部分要求MS由圖1中之H-AAA 112來驗證並 • 授權。MS可使用用於相互驗證之多個程序。包括身份碼 及隨機查問之驗證資訊經輸送於在MS與Η-AAA之間交換 之擴展驗證協定(ΕΑΡ)訊息中。ΕΑΡ訊息經輸送於MS與 ^ PDIF之間的IKEv2訊息中,且亦輸送於在PDIF與Η-AAA之 、 間交換的RADIUS訊息中。 MS可能需要使用IPv4與IPv6兩者來同時存取同一 PDIF。此雙堆疊操作形成用於PDIF之授權問題,即, PDIF需要知道MS是否對於IPv4及/或IPv6經授權。另外, 在請求雙堆疊操作之MS未對於IPv4與IPv6兩者經授權的情 123915.doc 200828924 況下,PDIF需要向MS指示MS未對於IP版本之一經授權。 需要一種方法及裝置以向MS指示IP授權並亦向MS指示該 MS未對於兩IP版本經授權。 【發明内容】 . 一種在一通信系統中用於雙堆疊授權及操作之方法併 有·在該通信糸統中自一授權實體請求驗證;及若該驗證 成功,則接著自該授權實體接收一驗證訊息,其中該驗證 訊息含有一授權以使用至少一網際網路協定版本來建立用 於通信之至少一安全隧道。 另一實施例提供一種方法,其包含:使用一個以上網際 網路協定版本請求雙堆疊操作;使周一個以上網際網路協 定版本來接收用於雙堆疊操作之授權;對於每一網際網路 協定版本建立一獨立從屬安全授權,其中該從屬安全授權 從屬於網際網路密鑰交換安全授權;建立用於通信之至少 一安全隧道;並使用該用於通信之至少一安全隧道同時存 φ 取兩個網際網路協定版本。 又一實施例提供一種方法,其包含:使用一個以上網際 網路協定版本請求雙堆疊操作;在一訊息中接收對於一網 ' 際網路協定版本之授權,其中該訊息識別經授權之至少一 ^ 網際網路協定版本,且進一步其中該訊息識別未經授權之 至少一網際網路協定版本;對於經授權網際網路協定版本 建立一安全授權,其中用於經授權網際網路協定版本之安 全授權從屬於網際網路密鑰交換安全授權;建立一用於通 信之安全隧道;並使用該安全隧道來通信。 123915.doc 200828924 另一實施例提供一種裝置,該裝置由以下元件構成:一 傳輸器’其用於在一無線通信系統中自授權實體來請求驗 證;及一接收器,其用於在驗證成功時自驗證實體接收驗 證訊息’其中該驗證訊息含有一授權以使用至少一網際網 路協定版本來建立用於通信之至少一安全隨道。 一額外實施例提供一種裝置,該裝置由以下元件構成: 一傳輸器’其用於使用一個以上網際網路協定版本請求雙 堆璺操作;一接收器,其用於使用一個以上網際網路協定 版本接收對於雙堆疊操作之授權;一記憶體,其用於儲存 一用於每一網際網路協定版本之獨立從屬安全授權,其中 該從屬安全授權從屬於網際網路密鑰交換安全授權;一處 理器,其用於使用傳輸器建立用於通信之至少一安全隧 道;及一傳輸器,其用於使用該用於通信之至少一安全隧 道來同時存取一個以上網際網路協定版本。 又一實施例提供一種裝置,該裝置包括以下元件:一傳 輸器,其用於使用一個以上網際網路協定版本來請求雙堆 疊操作;一接收器,其用於在一訊息中接收對於一網際網 路協定版本之授權,其中該訊息識別經授權之至少一網際 網路協定版本且進一步其中該訊息識別未經授權之至少一 網際網路協定版本;-處理器,其用於對於經授權網際網 路協定版本建立-安全授權,其中用於經授權網際網路協 定版本之安全授權從屬於一網際網路密鑰交換安全授權; 一記憶體,其用於儲存用於經授權網際網路協定版本之安 全授權,一傳輸器,其用於建立一用於通信之安全隧道; 123915.doc 200828924 及一傳輸器,其用於使用該安全隧道來通信。 另一實施例提供一種由以下元件構成之裝置:用於在一 無線通信系統中自授權實體請求驗證之構件;及用於在驗 證成功時自授權實體接收驗證訊息之構件,其中該驗證訊 息含有一授權以使用至少一網際網路協定版本來建立用於 通信之至少一安全隧道。200828924 IX. INSTRUCTIONS: TECHNICAL FIELD OF THE INVENTION The present invention relates to communication systems and, more particularly, to a method and apparatus for dual stack operation interoperability. [Prior Art] Wireless communication technology has experienced tremendous growth in the past few years. This growth has been partially driven by the freedom of movement provided by wireless technology and the greatly improved quality of voice and data communications over wireless media. The improved voice service quality, along with the addition of data services, has and will continue to have a significant effect on the communications public. Additional services include using mobile devices to access the Internet while roaming. The ability to maintain a data session while on the move is important to both the user and the system operator. As more users take advantage of the Mobile Internet Protocol operation, users may want to use the dual stacking operation to simultaneously access the same packet data interworking function, which allows the use of both versions of the Mobile Internet Protocol. The Packet Data Interworking Function (PDIF) acts as a security gateway to protect the cellular network. Figure 1 shows an interworking architecture for a wireless local area network (WLAN). The network may be part of a wireless communication system operating on the 3GPP2 standard defined by a standard of associations named "3rd Generation Partnership Project 2" (herein referred to as 3GPP2), architecture 1〇 〇 includes a mobile station (MS) 102 connected to WLAN system i 04. The WLAN system i 〇 4 includes an access point (AP) 106 and an access router (AR) 108. The WLAN system is connected to the 3 〇 home network 11 〇. The WLAN system is connected to the 3G home network 110 via a packet data interworking function (pDiF) i22 123915.doc 200828924. The PDIF 114 is connected to a Home Authentication, Authorization and Accounting (Η-AAA) device 112. The MS uses PDIF to establish a secure IP tunnel that acts as a security gateway in the 3G home network. The H-AAA 112 verifies and authorizes the establishment of the tunnel. After the tunnel is established, the MS can access the service in the 3G home network 110. The dashed line in Figure 1 indicates the path for authentication, authorization, and accounting information and indicates the transfer of information between H-AAA 112 and PDIF 114. The solid line shows the bearer path for the user data traffic and the pipeline indicates a secure tunnel that protects the user data traffic between the MS 102 and the PDIF 114. The MS is preconfigured to have PDIF address information that is an IP address or a fully qualified domain name (FQDN). If the MS is configured to have the FQDN of the PDIF, the MS will continue to forward the Domain Name System (DNS) to resolve the IP address associated with the FQDN. The MS uses Internet Key Exchange Version 2 (IKEv2) to establish a secure tunnel (referred to as an IP-sec tunnel for data transfer) by the PIDF. Part of the establishment of a secure tunnel requires the MS to be verified and authorized by H-AAA 112 in Figure 1. The MS can use multiple programs for mutual authentication. The verification information including the identity code and the random challenge is transmitted to the extended authentication protocol (ΕΑΡ) message exchanged between the MS and the Η-AAA. The message is transmitted in the IKEv2 message between the MS and the PDIF, and is also transmitted in the RADIUS message exchanged between the PDIF and the Η-AAA. The MS may need to use both IPv4 and IPv6 to access the same PDIF at the same time. This dual stacking operation creates an authorization issue for the PDIF, ie, the PDIF needs to know if the MS is authorized for IPv4 and/or IPv6. In addition, in the case where the MS requesting the dual stack operation is not authorized for both IPv4 and IPv6, the PDIF needs to indicate to the MS that the MS is not authorized for one of the IP versions. There is a need for a method and apparatus for indicating an IP grant to an MS and also indicating to the MS that the MS is not authorized for both IP versions. SUMMARY OF THE INVENTION A method for dual stacking authorization and operation in a communication system and having requested authentication from an authorized entity in the communication system; and if the verification is successful, then receiving a request from the authorized entity A verification message, wherein the verification message includes an authorization to establish at least one secure tunnel for communication using at least one internet protocol version. Another embodiment provides a method comprising: requesting a dual stack operation using an internet protocol version; enabling one to receive an authorization for dual stack operation in an internet protocol version; for each internet protocol The version establishes an independent subordinate security authorization, wherein the subordinate security authorization is subordinate to the internet key exchange security authorization; establishing at least one secure tunnel for communication; and using the at least one secure tunnel for communication to simultaneously store φ An internet protocol version. Yet another embodiment provides a method comprising: requesting a dual stack operation using an internet protocol version; receiving an authorization for a network protocol version in a message, wherein the message identifies at least one authorized ^ an internet protocol version, and further wherein the message identifies an unauthorized version of at least one internet protocol; establishing a secure authorization for the authorized internet protocol version for security of the authorized internet protocol version The authorization is subordinate to the Internet Key Exchange Security Authorization; a secure tunnel for communication is established; and the secure tunnel is used for communication. 123915.doc 200828924 Another embodiment provides a device consisting of a transmitter 'for requesting authentication from an authorized entity in a wireless communication system; and a receiver for successful verification The self-verifying entity receives the verification message 'where the verification message contains an authorization to establish at least one secure channel for communication using at least one internet protocol version. An additional embodiment provides an apparatus consisting of: a transmitter 'for requesting a dual stack operation using an internet protocol version; and a receiver for using an internet protocol Version receiving authorization for dual stack operation; a memory for storing an independent slave security authorization for each Internet Protocol version, wherein the slave security authorization is subordinate to the Internet Key Exchange Security Authorization; a processor for establishing at least one secure tunnel for communication using a transmitter; and a transmitter for simultaneously accessing an Internet Protocol version using the at least one secure tunnel for communication. Yet another embodiment provides an apparatus comprising: a transmitter for requesting a dual stack operation using an internet protocol version; a receiver for receiving an internet for a message Authorization of a network protocol version, wherein the message identifies at least one version of the Internet Protocol that is authorized and further wherein the message identifies an unauthorized version of at least one Internet Protocol; - a processor for use with the authorized Internet Network Protocol Version Establishment - Security Authorization, where the security authorization for the authorized Internet Protocol version is subordinate to an Internet Key Exchange Security Authorization; a memory for storage for authorized Internet Protocol Version security authorization, a transmitter for establishing a secure tunnel for communication; 123915.doc 200828924 and a transmitter for communicating using the secure tunnel. Another embodiment provides a device consisting of: means for requesting authentication from an authorized entity in a wireless communication system; and means for receiving a verification message from an authorized entity upon successful authentication, wherein the verification message contains An authorization to establish at least one secure tunnel for communication using at least one internet protocol version.
一額外實施例提供一種由下元件構成之裝置:用於使用 一個以上網際網路協定版本請求雙堆疊操作的構件;用於 使用一個以上網際網路協定版本接收對於雙堆疊操作之授 權的構件;用於對於每一網際網路協定版本建立一獨立^ 屬安全授權的構件’其中該從屬安全授權從屬於網際網^ 密鑰交換安全授權;用於建立用於通信之至少一安全隧道 的構件;及用於使用該用於通信之至少—安全_^同= 存取兩個網際網路協定版本的構件。 另一實施例提供一種裝置,其包含:用於使用一個以上 網際網路協定版本請求雙堆疊操作的構件;用於在一訊息 中接收對於-網際網路協歧本之授權的構件,其中該: 息識別經授權之至少一網際網路協定版本且進一步其中λ該 訊息識別未經授權之至少—網際網路協定版本;用於對^ 經授權網際網路協定版本建立—安全授權的構件,其中用 於經授權網際網路協^版本之安全授權從屬於—網際網路 密餘交換安全授m建立—用於通信之安域道之構 件;及用於使用該安全隧道來通信的構件。 提供-種電腦程式產品實施例,其包含:一電腦可讀媒 123915.doc 200828924 體,其包含:用於使得一電腦在一無線通信系統中自授權 實體請求驗證的指令;及用於在驗證成功時使得一電腦自 該授權實體接收驗證訊息之指令,其中該驗證訊息含有一 授權以使用至少一網際網路協定版本來建立用於通信之至 、 少一安全隧道。 另貝加例麵^供一種電腦程式產品,其包含:一電腦可 讀媒體,其包含:用於使得一電腦使用一個以上網際網路 Φ 協定版本來請求雙堆疊操作的指令;用於使得-電腦使用 個以上網際網路協定版本來接收對於雙堆疊操作之授權 的指令;用於使得一電腦對於每一網際網路協定版本建立 一獨立從屬安全授權的指令;其中該從屬安全授權從屬於 網際網路密鑰交換安全授權;用於使得一電腦建立用於通 仏之至少女全隧道的指令;及用於使得一電腦使用該用 於通信之至少一安全隧道來同時存取兩個網際網路協定版 本的指令。 • 一額外實施例提供一種電腦程式產品,其包含··一電腦 可讀媒體,其包含··用於使得一電腦使用一個以上網際網 路協定版本來請求雙堆疊操作的指令;用於使得一電腦在 一訊息中接收對於一網際網路協定版本之授權的指令,其 中該訊息識別經授權之至少一網際網路協定版本且進一步 其中該訊息識別未經授權之至少一網際網路協定版本;用 於使付一電腦對於經授權網際網路協定版本建立一安全授 權的指令,其中用於經授權網際網路協定版本之該安全授 權從屬於一網際網路密鑰交換安全授權;用於使得一電腦 123915.doc 200828924 建立一用於通信之安全隧道的指令;及用於使得一電腦使 用該安全隧道來通信的指令。 【實施方式】 詞”例示性”在本文中用以意謂"用作一實例、例子或說 , 明”。本文中描述為”例示性的”任何實施例不必被理解為 _ 比其他實施例較佳或有利。 需要存取封包資料服務之MS需要存取IP存取網路。MS 起始隧道建立作為存取過程之部分。此等隧道經建立於 MS與PDIF之間且在一隧道經建立及可開始封包資料服務 之前要求若干步驟。 第一步,MS開始一驗證、授權及計費過程。驗證為最 常藉由使用者名稱及密碼識別的過程且其為個別的。驗證 過程假定使用者名稱及密碼唯一識別一用戶。 授權允許一使用者在驗證之後存取網路資源。可能有各 種等級之存取,且使用者可視授權之等級而被授予或拒絕 φ 存取網路資源。 計費為對一使用者在存取網路資源時之活動性的追蹤且 包括花費在網路上的時間量、在網路上時所使用的服務, ~ 及在網路會話期間所傳送之資料量。 ^ 在MS試圖存取封包資料服務時執行對存取網路資源之 驗證及授權。服務授權通常獨立於WLAN驗證及授權。H-AAA伺服器使用存取協定(諸如遠端驗證撥號使用者服務 (RADIUS)或DIAMETER)執行驗證及授權。RADIUS為被許 多網際網路服務提供者所使用之驗證及計費系統。 123915.doc -11 - 200828924 IP安全(IPsec)向IP資料報提供機密性、資料完整性、存 取控制及賓料源驗證。籍由在一 IP資料報之來源與儲华器 (sink)之間維持一共用狀態而提供此等服務。此狀態界定 經提供給資料報之特定服務及哪一個密螞演算法將用以提 供該等服務,及用作對密碼演算法之輸入的密鑰。一稱為 網際網路密鑰交換IKE的協定被用於建立此共用狀態。 IKE在雙方之間執行相互驗證且亦建立_ ike安全關聯 (SA),該IKE安全關聯(SA)包括可用於有致地建立用於囊 封安全有效負載(ESP)及/或驗證標頭(AH)之SA的共用秘密 賓訊與由S A用以保護其所載運之訊務的一密碼演算法集 合° 一啟動器提岀闬於保護SA之密碼演算法集合。ike SA被稱為"IKE-SA"。通過彼IKE一SA而建立之用於ESp及/ 或 AH的 SA稱為”CHILD—SA,,。 所有IKE通信由訊息對組成:一請求及一回應。該對稱 為一交換。建立IKE_SA之第一訊息為初始交換 "IKE-SA—INIT"與"IKE—AUTH”。建立一子SA之後續交換 稱為nCREATE-CHILD_SA”或資訊交換。在一通常情況 下,首先有使用總共四個訊息以建立IKE_S A及第一 CHILD一SA 的單一 IKE_SA—INIT 交換及單一 IKE—AUTH 交 換。在某些情況下,可能需要一個以上此交換。在所有情 況下,IKE_SAJNIT交換必須在任何其他交換類型之前完 成。接著,必須完成所有IKE_AUTH交換。接下來的任何 數目之 CREATE—CHILD_SA 交換及 INFORMATIONAL 交換 可遵循任何次序。後續的交換可在同一經驗證之端點對之 123915.doc -12- 200828924 間建立額外的CHILD_SA。 IKE訊息流由一被一回應跟隨的請求組成。確保可靠性 係請求者之責任。若在一逾時時間間隔内未接收到該回 應,則該請求者需要重新傳輸該請求或放棄連接。 IKE會話的第一請求/回應協商IKE_S A之安全參數,發 送臨時標諸,及Diffle-Hellman值。 IKE—AUTH傳輸識別碼,第二請求回應對應於該兩個識 別碼而證明秘密知識,並建立一用於第一 AH及/或ESP CHILD_SA的 SA。 後續交換可建立 CHILD_SA(CREATE_CHILD_SA)及 INFORMATIONAL,其可劑除〆SA,報告錯誤情況或其他 内務處理功能。每一請求需要一回應。直到初始交換完成 之後才發生後續交換。 CREATE_CHILD交換由一單一請求/回應對組成且在 完成初始交換之後其可由IKE_SA之任一端起始。在初 始交換之後所有訊息使用IKE交換的前兩個訊息之經協 商密碼集合而經密碼保護。任一端點可起始一 CREATE—CHILD—SA 交換。CHILD—SA 係藉由發送一 CREATE—CHILD—SA請求而建立。CREATE—CHILD—SA 請 求可含有一有效負載,該有效負載用於一額外Diffie-Heilman交換以致能用於CHILD_SA之前向秘密的更穩固保 證。用於CHILD_SA之按鍵材料為在IKE_SA之建立期間建 立之功能,在CREATE_CHILD_SA交換期間交換之臨時標 誌,及 Diffie-Hellman值(若在 CREATE_CHILD—SA 交換中 123915.doc -13- 200828924 包括密鑰交換有效負載)。 在初始交換期間建立之CHILD一S A中,一第二密鑰交換 有效負載及臨時標誌不可被發送。來自初始交換之臨時標 誌被用於計算用於CHILD_S A之密鑰。 圖2說明CREATE—CHILD—S A的内容。啟動器在sa有效 負載中發送SA供給。在Ni有效負載中發送一臨時標誌。此 臨時標誌及含於IKE一SA-INIT訊息中之其他標諸被用作對 密碼功能之輸入。在CREATE-CHILD—SA請求與回應中, 臨時標諸被用於向密錄導出技術添加新鮮度,該密錄導出 技術係用於獲得用於CHILD一S A的密鑰,並確保強偽隨機 1立元自Diffie-Hellman密錄的建立。在IKEv2中j吏羯的臨時 標誌經隨機地選擇且其大小至少為128個位元且其至少為 經協商偽隨機功能之密鑰大小的一半。Diffie-Hellman值 可經發送於KEi有效負載中。經提出之訊務選擇器經發送 於TSi有效負载及TSr有效負載中。若SA供給包括不同 Diffie-Hellman群,則KEi必須為啟動器期望回應器接受之 群的一元件。若推測錯誤,則CREATE-CHILD—SA交換將 失敗且其將需要以一不同KEi來再試。 跟隨標頭的訊息經加密且包括標頭的訊息係使用用於 IKE_S A之經協商密碼演算法而被完整地保護。 圖3說明CREATE—CHILD-SA回應的内容。若在請求中 包括KEi且經協商密碼集合包括彼群,則回應器使用在Sa 有效負載中具有已接受供給且在KEr有效負載中具有 Diffie-Hellman值的同一訊息識別碼來答覆。若回應器選 123915.doc -14- 200828924 擇一具有不同群之密碼集合,則其必須拒絕該請求。啟動 器應接著重複該請求,但是藉由來自經回應器選擇之群的 KEi有效負載。用於待發送於彼SA上之訊務的訊務選擇器 在訊務選擇器(TS)有效負載中經指定,其可為經提出之 CHILD—SA之啟動器的子集。若CREATE—CHILD—SA請求 用於改變IKE_SA之密鑰,則可省略訊務選擇器。 一旦建立CHILD_SA,則下一步驟為建立ipsec隧道。隧 道建立程序之細節如下。 MS可經預先供應有PDIF之IP位址或其應使用DNS機制 以擷取PDIF的IP位址。在建置用於DNS請求之FQDN時, M S應識別操作者的網路。為了有助於存取網路,M S可經 預先供應有多個PDIF的FQDN。一旦MS接收含有一或多個 PDIF IP位址之回應,則MS選擇與其區域IP位址具有相同 IP版本的PDIF IP位址,該位址為在成功關聯處由WLAN配 置之IP位址。此選擇可由使用者執行或可由MS自動地執 行。若干機制可被用於發現PDIF且為依賴於實施的。 訊息交換被用於在MS與PDIF之間建立IPsec隧道。圖4 展示此訊息交換。在步驟1中,MS對WLAN存取網路進行 驗證並存取網際網路。此可涉及以H-AAA檢查的WLAN以 用於授權。 在步驟2中,MS自該存取網路獲得一 IP位址。MS亦發現 預設路由器及DNS伺服器位址。 在步驟3中,MS開始與PDIF之IKEv2交換。經發送於此 交換中的第一訊息集合為指定為IKE_S A JNIT的初始交 123915.doc •15- 200828924 換。 在步驟4中,MS起始與PDIF的ΙΚΕ-AUTH交換。此等訊 息經加密且以在IKE_SA_INIT交換期間建立的密鑰而完整 地保護。 . 在步驟5中,MS藉由設定IKE_AUTH請求中之 CONFIGURATION有效負載來請求一隧道内部IP位址 (TIA)。MS包括其在有效負載中之網路存取識別碼(NAI)。 若MS想要使用擴展驗證協定(ΕΑΡ),則其在IKE AUTH訊 息中不包括授權(AUTH)有效負載。 在步驟6中,PDIF接收無AUTH有效負載之IKE_AUTH請 求5 其聯繫Η-AAA以藉击在RADIUS存取-請求訊息或 Diameter-EAP-請求(DER)命令中發送ΕΑΡ-回應/識別碼訊 息而請求服務授權及使用者驗證資訊。 在步驟7中,ΕΑΡ訊息經交換於MS與Η-AAA之間。Η-AAA在RADIUS存取-查問或Diameter-EAP-回答(DEA)命令 φ 中發送ΕΑΡ請求訊息至PDIF。PDIF發送包括ΕΑΡ請求訊息 之IKE—AUTH答覆訊息至MS。 在步驟8中,MS以包括ΕΑΡ回應訊息之IKE一AUTH請求 訊息來回應。PDIF在RADIUS存取-請求訊息中或在 • Diameter-EAP-請求命令中發送ΕΑΡ回應訊息至Η-AAA。步 驟7及8可多次發生。 若驗證成功,則在步驟9中,Η-AAA在RADIUS存取·接 受訊息中或在具有指示成功驗證之程式碼的DEA命令中發 送EAPSuccess 〇 123915.doc •16- 200828924 在步驟10中,在接收到RADIUS存取-接受訊息或具有指 示成功驗證之結果程式碼的DEA命令後,PDIF即發送包括 ΕΑΡ成功的IKE—AUTH回應訊息。若PDIF接收RADIUS-拒 絕訊息或具有指示授權失敗之結果程式碼的DEA命令,則 PDIF拒絕建立朝向MS的隧道並發送一具有經設定為 "AUTHENTICATION FAILED”之通報有效負載的 IKE—AUTH回應訊息。 在步驟11中,MS接著發送IKE__AUTH請求訊息,包括自 在成功ΕΑΡ驗證後即產生之主會話密鑰(MSK)計算出的 AUTH有效負載。 在步驟12中 ;PDIF以包括一經指派ΤΙA、AUTH有效負 載及安全授權的IKE_AUTH回應訊息來答覆。PDIF使用 MSK以計算AUTH有效負載。在如上之步驟9中,PDIF自 Η-AAA獲得 MSK。 在步驟13中,在完成IKE_AUTH交換時,在MS與PDIF 之間建立一 IPsec隨道。 圖4B說明在普通隧道建立流程中的步驟。此可經利用於 建立如下進一步論述的多個隧道時。 有可能建立至同一 PDIF的多個隧道。一旦IKE安全關聯 (SA)經驗證,則可在IKE SA内協商一個以上子SA。如上 所述,由於CREATE_CHILD_SA被保護且使用密碼演算法 及經協商於IKE交換之前兩個訊息中的密鑰,故已知交 換。結果,在MS與PDIF之間的額外CHILD—SA之建立未觸 發進一步的對Η-AAA之驗證訊息傳遞。 123915.doc -17- 200828924 MS可能欲同時具有對同一PDIF之IPv4及IPv6存取。雖 然IKEv2標準在相同的或獨立的ipsec隧道中允許此同時存 取,但是授權未經定址且PDIF需要知道請求雙堆疊授權之 MS是否對於IPv4及IPv6經授權。 在已知請求MS是否對於ιρν4及/或IPv6經授權的情況 下,第一實施例解決PDIF之問題。在如上所述之ipsec隧 道建立期間,若ΕΑΡ授權成功,則h-AAA傳回在RADIUS 存取-接受訊息中之IP版本授權VSA以指示IPv4及/或IPv6 是否經授權。若在RADIUS存取-接受訊息中不存在ip版本 授權VSA,則PDIF應應用其用於雙堆疊操作之授權的區域 政策。圖5展示IP版本授權RADIUS VSA的結構。 在MS欲同時使用IPv4及IPv6且其經授權使用兩者時,使 用另一實施例。圖6說明此實施例之方法。該方法600開始 於在步驟602中MS請求IPv4-IPv6雙堆疊操作時。此請求為 經由PDIF發送至AAA伺服器之訊息的形式。在步驟604 中,AAA伺服器判定MS是否經授權以使用IPv4及IPv6兩 者。在步驟606中,AAA伺服器通知PDIF請求MS經授權使 用IPv4及IPv6兩者。在步驟608中,PDIF通知MS對於IPv4-IPv6雙堆疊操作之請求經授權。在步驟610中,MS及PDIF 在用於IPv4及1卩¥6之同一11^_8八下建立獨立的 CHILD_SA。若MS未對於IPv4及IPv6兩者經授權,貝UAAA 伺服器在步驟612中通知PDIF。依次,在步驟614中, PDIF通知MS該未授權且亦通知MS哪一 IP版本未經授權。 在MS需要同時使用IPv4及IPv6兩者但僅可對於IPv4經授 123915.doc -18 - 200828924 權時,使用又一實施例。圖7說明此實施例的操作方法。 該方法700以MS請求IPv4-IPv6雙堆疊操作之步驟702開 始。在步驟704中,AAA伺服器檢查以查看MS是否已對於 IPv4及Pv6兩者經授權。若MS已對於IPv4及Pv6兩者經授 權,則該方法返回至圖6方法的步驟606。若MS僅對於 IPv4經授權,則AAA伺服器通知PDIF該MS僅對於IPv4經 授權。在步驟710中,PDIF發送一通報有效負載,該通報 有效負載具有經設定為指示僅IPv4經授權之特定訊息類型 的通報訊息類型。若無線通信系統使用3GPP2標準來操 作,則訊息類型在IKE—AUTH回應訊息中經設定為8193。 其他操作系統可使闬不同訊息類型,但不影響此實施例之 操作。在此情況下,在步驟712中僅建立用於IPv4的IPsec 隧道。為了防止MS與網路建立IPv6會話,MS在CFG請求 有效負載中設定 IINTERNAL __IP6_ADDRESS屬性 t 0····0。 PDIF在CFG答覆有效負載中將INTERNAL—IP6—ADDRESS 屬性長度設定為零。PDIF可藉由發送一具有指示錯誤之特 定訊息的通報有效負載來通報MS該MS未對於IPv6存取經 授權。若MS試圖自PDIF獲得一 IPv6前置項,則PDIF丟棄 該訊息而不通報MS。 圖8說明一在MS需要利用IPv4及IPv6雙堆疊操作但是僅 對於IPv6經授權時使用之實施例。方法800以MS請求IPv4 及IPv6雙堆疊操作的步驟802開始。在步驟804中,AAA伺 服器檢查以查看MS是否已對於IPv4及IPv6經授權。若ms 已對於IPv4及IPv6兩者經授權,則該方法返回至圖6之步 123915.doc •19- 200828924 驟606。若MS未對於IPv4及IPv6經授權且僅對於IPv6經授 權,則在步驟808中AAA伺服器通知PDIF該MS僅對於IPv6 經授權。在步驟8 1 0中,PDIF發送通報有效負載訊息, 該通報有效負載訊息具有經設定為指示在IKE_AUTH回 應訊息中MS僅對於IPv6經授權之特定訊息類型的通報 訊息類型。若無線通信系統使用3GPP2標準來操作,則 訊息類型設定為8194。在步驟812中,建立用於IPv6之 IPsec隧道。藉由使MS在CFG請求有效負載中將 INTERNAL_IP4_ADDRESS屬性設定為 0·0·0·0 來防止 MS與 網路建立一内部IPv4會話。同樣,PDIF在CFG答覆有效負 戟T羽· JLiN i 八L· ——AL/UKLiSS屬,r生長茂:設疋馬茶 ° PDIF可藉由發送一具有一特定訊息類型之通報有效負載來 通報MS該MS未對於IPv4存取經授權。若MS試圖自PDIF獲 得IPv4前置項,則PDIF丟棄該訊息而不通報MS。 在其他實施例中,熟習此項技術者應瞭解,可藉由執行 一具體化於一電腦可讀媒體(諸如一電腦平台之記憶體)上 的程式來實施前述方法。指令可常駐於各種類型之信號承 載或資料儲存一級、二級或三級媒體中。該媒體可包含 (例如)可由用戶端設備及/或伺服器存取或常駐於用戶端設 備及/或伺服器内的RAM。不論是含於RAM、磁碟還是其 他二級儲存媒體中,指令可被儲存於多種機器可讀資料儲 存媒體上,諸如DASD儲存器(例如,習知’’硬碟機”或RAID 陣列)、磁帶、電子唯讀記憶體(例如,ROM或EEPROM)、 快閃記憶卡、光學儲存設備(例如,CD-ROM、WORM、 123915.doc -20 - 200828924 DVD、數位光學帶)、紙質,,打孔"卡或其他適當資料儲存 媒體(包括數位及類比傳輪媒體)。 雖然A文之揭示内容展示本發明之說明性實施例,但應 /主思’在不脫離如由附加申請專利範圍所界定之本發明之 範騖的情況下,可在本文中進行各種改變及修正。不需要 以任何特定次序來執行根據本文所述之本發明的實施例之 方法請求項的活動性或步驟。此外,雖然可以單數形式描 述或主張本發明之元件,但除非明確規定限於單數形式, 否則亦可涵蓋複數形式。 因此展示且描述了本發明之較佳實施例。然而,一般熟 習此項技術者將易於瞭解,在不脱離本發明之精神或範疇 的h况下’可對所揭示之本文實施例進行眾多更改。因 此’本發明僅根據以下申請專利範圍而受限制。 【圖式簡單說明】 圖1為根據本發明之一實施例展示用於支援雙堆疊操作 之互通授權之互通架構的方塊圖。 圖2根據本發明之一實施例展示CREATE—CHILD—从請 求之内容。 圖3根據本發明之一實施例展示CREATE—cmLD_s a回 應之内容。 圖4 A根據本發明之一實施例展示ipsee隨道建立。 圖4B根據本發明之一實施例展示隧道建立流程。 圖5根據本發明之一實施例展示ip版本授權之RADIus VSA的結構。 123915.doc -21- 200828924 圖6根據本發明之一實施例說明經授權IPv4-IPv6雙堆疊 操作之流程圖。 圖7根據本發明之一實施例說明在僅授權IPv4時之操作 的流程圖。 圖8根據本發明之一實施例說明在僅授權IPv6時之操作 的流程圖。 【主要元件符號說明】An additional embodiment provides a device consisting of: a component for requesting a dual stack operation with an Internet Protocol version; for using a component that receives an authorization for a dual stack operation in an Internet Protocol version; Means for establishing an independent security authorization for each Internet Protocol version 'where the dependent security authorization is subordinate to the Internet ^ key exchange security authorization; means for establishing at least one secure tunnel for communication; And means for using at least one of the two Internet Protocol versions for communication - security_^ same = access. Another embodiment provides an apparatus comprising: means for requesting a dual stack operation using an internet protocol version; and means for receiving an authorization for an internet protocol in a message, wherein : identifying at least one version of the Internet Protocol that is authorized and further wherein λ the message identifies at least an unauthorized version of the Internet Protocol; means for establishing a secure authorization for the authorized Internet Protocol version, The security authorization for the authorized Internet protocol is subordinate to - the Internet secret exchange security establishment - the component of the security domain for communication; and the means for communicating using the secure tunnel. A computer program product embodiment is provided, comprising: a computer readable medium 123915.doc 200828924, comprising: an instruction for causing a computer to request verification from an authorized entity in a wireless communication system; and for verifying Upon successful, a computer receives an instruction to verify a message from the authorized entity, wherein the verification message includes an authorization to establish at least one secure tunnel for communication using at least one internet protocol version. Another example is a computer program product comprising: a computer readable medium comprising: instructions for causing a computer to request a dual stack operation using an Internet Protocol Φ protocol version; The computer uses an Internet Protocol version to receive instructions for authorization for dual stack operations; an instruction for causing a computer to establish an independent slave security authorization for each Internet Protocol version; wherein the slave security authorization is subordinate to the Internet a network key exchange security authorization; an instruction for causing a computer to establish at least a female full tunnel for overnight use; and for causing a computer to use the at least one secure tunnel for communication to simultaneously access two internet networks The instructions of the road agreement version. An additional embodiment provides a computer program product comprising: a computer readable medium comprising: - for causing a computer to use an instruction to request a dual stack operation in an internet protocol version; The computer receives, in a message, an instruction to authorize an Internet Protocol version, wherein the message identifies the at least one Internet Protocol version authorized and further wherein the message identifies the unauthorized at least one Internet Protocol version; An instruction for causing a computer to establish a secure authorization for an authorized Internet Protocol version, wherein the security authorization for the authorized Internet Protocol version is subordinate to an Internet Key Exchange Security Authorization; A computer 123915.doc 200828924 establishes an instruction for a secure tunnel for communication; and instructions for causing a computer to communicate using the secure tunnel. [Embodiment] The word "exemplary" is used herein to mean "serving as an example, instance, or claim." Any embodiment described herein as "exemplary" is not necessarily to be construed as The example is preferred or advantageous. The MS that needs to access the packet data service needs to access the IP access network. The MS originating tunnel is established as part of the access process. These tunnels are established between the MS and the PDIF and in a tunnel. Several steps are required before the establishment and start of the packet data service. In the first step, the MS starts a verification, authorization and accounting process. The verification is the process most often identified by the user name and password and is individual. Assume that the username and password uniquely identify a user. Authorization allows a user to access network resources after authentication. There may be various levels of access, and the user may be granted or denied access to the φ access network based on the level of authorization. Billing is the tracking of the activity of a user while accessing network resources and includes the amount of time spent on the network, the services used on the network, ~ and on the network. The amount of data transferred during the session. ^ Performs authentication and authorization of access network resources when the MS attempts to access the packet data service. Service authorization is usually independent of WLAN authentication and authorization. H-AAA servers use access protocols ( Authentication and authorization are performed, such as Remote Authentication Dial-In User Service (RADIUS) or DIAMETER. RADIUS is the authentication and accounting system used by many Internet service providers. 123915.doc -11 - 200828924 IP Security (IPsec) Provide confidentiality, data integrity, access control, and guest source verification to IP datagrams. This service is provided by maintaining a common state between the source of the IP datagram and the sink. The state defines the specific service provided to the datagram and which secret algorithm will be used to provide the service, and as a key to the input of the cryptographic algorithm. A protocol called Internet Key Exchange IKE is Used to establish this shared state. IKE performs mutual authentication between the two parties and also establishes a IKE Security Association (SA), which can be used to establish a secure and effective for encapsulation. The shared secret message of the SA (ESP) and/or the verification header (AH) and a set of cryptographic algorithms used by the SA to protect the traffic carried by the SA. A starter proposes to protect the password of the SA. The set of algorithms. The ike SA is called "IKE-SA". The SA for ESp and/or AH established by the IKE-SA is called "CHILD-SA,". All IKE communications consist of a message pair: a request and a response. This symmetry is an exchange. The first message of establishing IKE_SA is the initial exchange "IKE-SA-INIT" and "IKE-AUTH." Establishing a subsequent exchange of a child SA is called nCREATE-CHILD_SA" or information exchange. In a normal case, a total of four messages are first used to establish a single IKE_SA-INIT exchange and a single IKE-AUTH exchange for IKE_S A and the first CHILD-SA. In some cases, more than one of this exchange may be required. In all cases, the IKE_SAJNIT exchange must be completed before any other exchange type. Next, all IKE_AUTH exchanges must be completed. Any subsequent number of CREATE-CHILD_SA exchanges and INFORMATIONAL exchanges can follow any order. Subsequent exchanges can create additional CHILD_SAs between 123915.doc -12- 200828924 at the same verified endpoint. The IKE message stream consists of a request followed by a response. Ensuring reliability is the responsibility of the requester. If the response is not received within a timeout interval, the requestor needs to retransmit the request or abandon the connection. The first request/response of the IKE session negotiates the security parameters of IKE_S A, sends temporary labels, and Diffle-Hellman values. The IKE-AUTH transmits an identification code, the second request response proves secret knowledge corresponding to the two identification codes, and establishes an SA for the first AH and/or ESP CHILD_SA. Subsequent exchanges can establish CHILD_SA (CREATE_CHILD_SA) and INFORMATIONAL, which can be used to remove SAs, report error conditions or other housekeeping functions. Each request requires a response. Subsequent exchanges do not occur until the initial exchange is completed. The CREATE_CHILD exchange consists of a single request/response pair and it can be initiated by either end of the IKE_SA after the initial exchange is completed. After the initial exchange, all messages are password protected using the set of negotiated passwords for the first two messages of the IKE exchange. Either endpoint can initiate a CREATE-CHILD-SA exchange. CHILD-SA is established by sending a CREATE-CHILD-SA request. The CREATE-CHILD-SA request can contain a payload that is used for an additional Diffie-Heilman exchange to enable a more robust guarantee to the secret before CHILD_SA. The key material used for CHILD_SA is the function established during the establishment of IKE_SA, the temporary flag exchanged during the CREATE_CHILD_SA exchange, and the Diffie-Hellman value (if the key exchange is valid in the CREATE_CHILD-SA exchange 123915.doc -13- 200828924) load). In the CHILD-S A established during the initial exchange, a second key exchange payload and temporary flag cannot be transmitted. The temporary flag from the initial exchange is used to calculate the key for CHILD_S A. Figure 2 illustrates the contents of CREATE_CHILD_S A. The initiator sends the SA supply in the sa payload. A temporary flag is sent in the Ni payload. This temporary flag and other references contained in the IKE-SA-INIT message are used as input to the password function. In the CREATE-CHILD-SA request and response, the temporary label is used to add freshness to the secret record export technique, which is used to obtain the key for the CHILD-SA and to ensure strong pseudo-random 1 Li Yuan from the establishment of the Diffie-Hellman secret record. The temporary flag of j吏羯 in IKEv2 is randomly selected and has a size of at least 128 bits and is at least half the key size of the negotiated pseudo-random function. The Diffie-Hellman value can be sent to the KEI payload. The proposed traffic selector is sent to the TSi payload and the TSR payload. If the SA supply includes a different Diffie-Hellman group, then KEi must be a component of the group that the initiator expects the responder to accept. If a guess is wrong, the CREATE-CHILD-SA exchange will fail and it will need to be retried with a different KEi. The message following the header is encrypted and the message including the header is completely protected using the negotiated cryptographic algorithm for IKE_S A. Figure 3 illustrates the CREATE-CHILD-SA response. If KEi is included in the request and the negotiated cipher set includes the group, the responder replies with the same message ID that has accepted the offer in the Sa payload and has a Diffie-Hellman value in the KEr payload. If the responder chooses 123915.doc -14- 200828924 to choose a set of passwords with different groups, it must reject the request. The initiator should then repeat the request, but with the KEi payload from the group selected by the responder. The traffic selector for the traffic to be sent to the SA is specified in the Traffic Selector (TS) payload, which may be a subset of the proposed CHILD-SA initiator. If the CREATE_CHILD_SA request is used to change the key of IKE_SA, the traffic selector can be omitted. Once CHILD_SA is established, the next step is to establish an ipsec tunnel. The details of the tunnel establishment procedure are as follows. The MS may be pre-provisioned with the IP address of the PDIF or it shall use the DNS mechanism to retrieve the IP address of the PDIF. When constructing an FQDN for a DNS request, the M S should identify the operator's network. In order to facilitate access to the network, the M S may be pre-provisioned with an FQDN of a plurality of PDIFs. Once the MS receives a response containing one or more PDIF IP addresses, the MS selects the PDIF IP address with the same IP version as its regional IP address, which is the IP address configured by the WLAN at the successful association. This selection can be performed by the user or can be performed automatically by the MS. Several mechanisms can be used to discover PDIF and are implementation dependent. The message exchange is used to establish an IPsec tunnel between the MS and the PDIF. Figure 4 shows this message exchange. In step 1, the MS authenticates the WLAN access network and accesses the Internet. This may involve a WLAN checked with H-AAA for authorization. In step 2, the MS obtains an IP address from the access network. MS also found the default router and DNS server address. In step 3, the MS begins an IKEv2 exchange with the PDIF. The first set of messages sent in this exchange is the initial assignment designated as IKE_S A JNIT 123915.doc •15- 200828924. In step 4, the MS initiates a ΙΚΕ-AUTH exchange with the PDIF. These messages are encrypted and fully protected with the keys established during the IKE_SA_INIT exchange. In step 5, the MS requests a tunnel internal IP address (TIA) by setting the CONFIGURATION payload in the IKE_AUTH request. The MS includes its Network Access Identifier (NAI) in the payload. If the MS wants to use Extended Authentication Protocol (ΕΑΡ), it does not include an Authorization (AUTH) payload in the IKE AUTH message. In step 6, the PDIF receives the IKE_AUTH request without the AUTH payload, and its contact Η-AAA sends a ΕΑΡ-response/identification code message in the RADIUS Access-Request message or the Diameter-EAP-Request (DER) command. Request service authorization and user verification information. In step 7, the message is exchanged between the MS and the Η-AAA. Η-AAA sends a request message to the PDIF in the RADIUS Access-Inquiry or Diameter-EAP-Answer (DEA) command φ. The PDIF sends an IKE-AUTH reply message including the request message to the MS. In step 8, the MS responds with an IKE-AUTH request message including a ΕΑΡ response message. The PDIF sends a response message to Η-AAA in the RADIUS Access-Request message or in the • Diameter-EAP-Request command. Steps 7 and 8 can occur multiple times. If the verification is successful, then in step 9, Η-AAA sends EAPSuccess 〇123915.doc in the RADIUS access/receive message or in the DEA command with the code indicating successful verification. •16-200828924 In step 10, in Upon receiving the RADIUS Access-Accept message or the DEA command with the result code indicating the successful verification, the PDIF sends a successful IKE-AUTH response message. If the PDIF receives a RADIUS-Reject message or a DEA command with a result code indicating the failure of the authorization, the PDIF refuses to establish a tunnel towards the MS and sends an IKE-AUTH response message with a notification payload set to "AUTHENTICATION FAILED" In step 11, the MS then sends an IKE__AUTH request message including the AUTH payload calculated from the master session key (MSK) generated after the successful authentication. In step 12, the PDIF is validated by including the assigned ΤΙA, AUTH. The IKE_AUTH response message of the payload and security authorization is answered. The PDIF uses the MSK to calculate the AUTH payload. In step 9 above, the PDIF obtains the MSK from the AAA-AAA. In step 13, when the IKE_AUTH exchange is completed, the MS and the PDIF are completed. An IPsec pass is established between. Figure 4B illustrates the steps in the normal tunnel setup procedure. This can be utilized when establishing multiple tunnels as discussed further below. It is possible to establish multiple tunnels to the same PDIF. Once IKE security associations (SA) After verification, more than one sub-SA can be negotiated in the IKE SA. As described above, since CREATE_CHILD_SA is protected and The cryptographic algorithm and the key in the two messages before the IKE exchange are negotiated, so the exchange is known. As a result, the establishment of the additional CHILD-SA between the MS and the PDIF does not trigger a further authentication message for the Η-AAA. Passing. 123915.doc -17- 200828924 MS may want to have both IPv4 and IPv6 access to the same PDIF. Although the IKEv2 standard allows this simultaneous access in the same or separate ipsec tunnel, the authorization is not addressed and the PDIF needs It is known whether the MS requesting the dual stack grant is authorized for IPv4 and IPv6. The first embodiment solves the problem of PDIF in the case where it is known to request whether the MS is authorized for ιρν4 and/or IPv6. The ipsec tunnel is established as described above. During the period, if the authorization is successful, h-AAA returns the IP version authorization VSA in the RADIUS access-accept message to indicate whether IPv4 and/or IPv6 are authorized. If there is no ip version in the RADIUS access-accept message To authorize the VSA, the PDIF shall apply its regional policy for authorization for dual stack operation. Figure 5 shows the structure of the IP version authorized RADIUS VSA. The MS wants to use both IPv4 and IPv6 and its authorized use. Another embodiment is used. Figure 6 illustrates the method of this embodiment. The method 600 begins when the MS requests an IPv4-IPv6 dual stack operation in step 602. This request is for a message sent to the AAA server via the PDIF. form. In step 604, the AAA server determines if the MS is authorized to use both IPv4 and IPv6. In step 606, the AAA server notifies the PDIF that the MS is authorized to use both IPv4 and IPv6. In step 608, the PDIF notifies the MS that the request for the IPv4-IPv6 dual stack operation is authorized. In step 610, the MS and the PDIF establish an independent CHILD_SA under the same 11^_8 eight for IPv4 and 1卩¥6. If the MS is not authorized for both IPv4 and IPv6, the Bay UAAA server notifies the PDIF in step 612. In turn, in step 614, the PDIF notifies the MS that it is unauthorized and also informs the MS which IP version is unauthorized. Yet another embodiment is used when the MS needs to use both IPv4 and IPv6 simultaneously but only for IPv4 grants 123915.doc -18 - 200828924. Figure 7 illustrates the method of operation of this embodiment. The method 700 begins with a step 702 of the MS requesting an IPv4-IPv6 dual stack operation. In step 704, the AAA server checks to see if the MS is authorized for both IPv4 and Pv6. If the MS has been authorized for both IPv4 and Pv6, then the method returns to step 606 of the method of FIG. If the MS is only authorized for IPv4, the AAA server notifies the PDIF that the MS is only authorized for IPv4. In step 710, the PDIF sends a notification payload having a type of notification message set to indicate that only IPv4 is authorized for a particular message type. If the wireless communication system operates using the 3GPP2 standard, the message type is set to 8193 in the IKE-AUTH response message. Other operating systems can make different message types, but do not affect the operation of this embodiment. In this case, only the IPsec tunnel for IPv4 is established in step 712. In order to prevent the MS from establishing an IPv6 session with the network, the MS sets the IINTERNAL __IP6_ADDRESS attribute t 0····0 in the CFG request payload. The PDIF sets the INTERNAL_IP6_ADDRESS attribute length to zero in the CFG reply payload. The PDIF can inform the MS that the MS is not authorized for IPv6 access by sending a notification payload with a specific message indicating the error. If the MS attempts to obtain an IPv6 preamble from PDIF, the PDIF discards the message without notifying the MS. Figure 8 illustrates an embodiment used when the MS needs to utilize IPv4 and IPv6 dual stack operation but only for IPv6 grant. Method 800 begins with step 802 of the MS requesting IPv4 and IPv6 dual stack operations. In step 804, the AAA server checks to see if the MS is authorized for IPv4 and IPv6. If ms is already authorized for both IPv4 and IPv6, then the method returns to step 151 of Figure 6 123915.doc • 19-200828924 Step 606. If the MS is not authorized for IPv4 and IPv6 and is only authorized for IPv6, then in step 808 the AAA server notifies the PDIF that the MS is authorized only for IPv6. In step 81, the PDIF sends a notification payload message having a notification message type set to indicate that the MS is only authorized for IPv6 in the IKE_AUTH response message. If the wireless communication system operates using the 3GPP2 standard, the message type is set to 8194. In step 812, an IPsec tunnel for IPv6 is established. The MS is prevented from establishing an internal IPv4 session with the network by having the MS set the INTERNAL_IP4_ADDRESS attribute to 0·0·0·0 in the CFG request payload. Similarly, PDIF responds effectively to CFG in the CFG. 羽TJ·JLiN i 八 L· ——AL/UKLiSS genus, r growth Mao: set Hummer tea ° PDIF can be notified by sending a notification payload with a specific message type MS The MS is not authorized for IPv4 access. If the MS attempts to obtain an IPv4 preamble from PDIF, the PDIF discards the message without notifying the MS. In other embodiments, those skilled in the art will appreciate that the foregoing methods can be implemented by executing a program embodied on a computer readable medium, such as a computer platform. Instructions can reside in various types of signal bearing or data storage in primary, secondary or tertiary media. The media can include, for example, RAM that can be accessed by the client device and/or server or resident within the client device and/or server. Whether contained in RAM, diskette or other secondary storage medium, the instructions can be stored on a variety of machine readable material storage media, such as DASD storage (eg, conventional ''drivers' or RAID arrays), Magnetic tape, electronic read-only memory (for example, ROM or EEPROM), flash memory card, optical storage device (for example, CD-ROM, WORM, 123915.doc -20 - 200828924 DVD, digital optical tape), paper, play "Pocket" or other suitable data storage medium (including digital and analog transmission media). Although the disclosure of A text shows an illustrative embodiment of the present invention, it should be considered as Various changes and modifications can be made herein without departing from the scope of the invention. The activity or steps of the method claims according to the embodiments of the invention described herein are not necessarily performed in any particular order. In addition, although the elements of the invention may be described or claimed in the singular, the singular The preferred embodiment of the invention will be apparent to those skilled in the art, and many variations of the disclosed embodiments may be made without departing from the spirit or scope of the invention. FIG. 1 is a block diagram showing an interworking architecture for supporting interworking authorization for dual stack operation in accordance with an embodiment of the present invention. FIG. 2 is an implementation of the present invention. Example shows CREATE_CHILD - the content of the request. Figure 3 shows the content of the CREATE-cmLD_s a response in accordance with an embodiment of the present invention. Figure 4A shows an ipsee trajectory setup in accordance with an embodiment of the present invention. Figure 4B is in accordance with the present invention. One embodiment shows a tunnel establishment process.Figure 5 shows the structure of an RADIus VSA for ip version authorization in accordance with an embodiment of the present invention. 123915.doc -21- 200828924 Figure 6 illustrates an authorized IPv4-IPv6 according to an embodiment of the present invention. Flowchart of Dual Stacking Operation. Figure 7 is a flow chart illustrating the operation of granting only IPv4 in accordance with an embodiment of the present invention. Figure 8 is an illustration of an embodiment of the present invention. In the operation of the flowchart only authorized for IPv6. The main element REFERENCE NUMERALS
100 架構 102 行動台(MS) 104 WLAN系統 106 七 ov» 田 ι_ / λ τη\ ^ ) 108 存取路由器(AR) 110 3G本籍網路 112 Η-AAA設備 114 PDIF 116 服務 123915.doc -22 -100 Architecture 102 Mobile Station (MS) 104 WLAN System 106 Seven ov» 田 ι_ / λ τη\ ^ ) 108 Access Router (AR) 110 3G Home Network 112 Η-AAA Device 114 PDIF 116 Service 123915.doc -22 -