WO2006068450A1 - System and method for providing mobility and secure tunnel using mobile internet protocol within internet key exchange protocol version 2 - Google Patents


Info

Publication number
WO2006068450A1
Authority
WO
WIPO (PCT)
Application number
PCT/KR2005/004503
Other languages
French (fr)
Inventor
Holur Balaji
Vaidya Rahul
R Rajavelsamy
J Venkateswar
O-Sok Song
Original Assignee
Samsung Electronics Co., Ltd.

Classifications

    • H04L63/0272 Virtual private networks
    • H04L63/164 Implementing security features at a particular protocol layer: at the network layer
    • H04W12/041 Key management: key generation or derivation
    • H04W12/0431 Key management using a trusted network node as an anchor: key distribution or pre-distribution; key agreement
    • H04W76/12 Connection setup: setup of transport tunnels
    • H04W80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]
    • H04W92/02 Inter-networking arrangements

Abstract

The present invention relates to the scenario where a roaming MN needs to connect to an NGW to establish a secure data path using the IPsec procedure, while MIP is used to support the mobility of the MN. However, when the Home Address of the MN is not known, a cyclic interdependency arises between the IPsec procedures and the MIP procedures: the IPsec procedure requires the Home Address, and MIP requires the IPsec tunnel for transmitting its messages. The initial request for any PS service is made by initiating an IPsec tunnel establishment request (IKEv2 procedure) with the NGW. After the authentication procedure within the IKEv2 protocol is over, the MN transmits the MIP registration messages within the IKEv2 message to the NGW. After the Mobile IP Registration is completed, the Home Address of the MN is known from the MIP Registration Reply, and the MN forms a secured tunnel with the NGW.

Description

SYSTEM AND METHOD FOR PROVIDING MOBILITY AND SECURE TUNNEL USING MOBILE INTERNET PROTOCOL WITHIN INTERNET KEY EXCHANGE PROTOCOL VERSION 2
BACKGROUND OF THE INVENTION
FIELD OF THE INVENTION
This invention relates in general to mobile communications technology. Specifically, it relates to mobility and the creation of a secure tunnel between a Mobile Node (MN) and a Network Gateway (NGW). More particularly, this invention provides a system and method to support mobility and secure tunnel creation when the Home Address of the MN is not known while the MN requests the Packet Switched (PS) service in the foreign network. The scope of the invention also covers the case when the Home Address as well as the Home Agent address and the home network prefix of the MN are not known.
DESCRIPTION OF THE RELATED ART
The mobility and secure tunnel establishment procedure for the scenario depicted in Figure 1 works as follows:
When the MN roams in a foreign network, the MN forms a tunnel with the NGW to obtain the Packet Services provided by the network. This can be done, for example, to provide secure access over an untrusted interface (e.g. an air interface with inadequate security).
The foreign network can provide a Local IP address to the MN (the Local IP Address is routable only up to the NGW), while the Remote IP address through which the MN is reachable from the outside world is to be provided by the external network that the MN is trying to reach for the service (in this case we assume the home network obtains the IP address from the external network and sends it to the MN).
MIP is used for providing mobility services when a mobile roams from one (sub) network to another (sub) network. MIP requires a node in the foreign network acting as a foreign agent, and a node in home network acting as a Home Agent. When an MN roams into a foreign network, it sends a registration request through the Foreign Agent to the Home Agent, indicating that it is available at the given IP address. When the MN requires a new service:
1. The IP address of the NGW which provides the service is obtained by DNS query or by some other means. IKEv2 messaging is carried out between the MN and NGW (with optional authentication) to establish the IPsec SAs. At the end of the IKEv2 signaling a tunnel is formed between the MN and the NGW which acts as a data path.
2. Once the tunnel is formed, the MIP Registration Request is sent to the Home Agent through the FA. The HA sends the Registration Reply. If successful, the UE can now securely receive packets destined to it even when it roams in a different foreign network.
Currently there is no mechanism for the following features:
• Providing the IPsec and mobility related scenario if the Home Address of the MN is unknown;
• Cyclic interdependency of IPsec tunnel formation and MIP Registration signaling.
SUMMARY OF THE INVENTION
The primary object of the invention is to define an extension to the IKEv2 protocol to carry MIP messages to support mobility.
It is another object of the invention to define a method to break the cyclic interdependency between requirement of Remote IP address for IPsec SA (which can be obtained from MIP Registration process) and the requirement of IPsec SA between the NGW and the MN for transporting the MIP Registration Request messages.
It is another object of this invention to specify the IKEv2 message extensions to carry the MIP messages used during the procedure.
This invention provides a system and method to perform mobility using IKEv2 extensions to carry MIP messages. By incorporating MIP messages within the IKEv2 protocol, this invention provides the ability to solve the cyclic interdependency between the requirement of a Remote IP address (Home Address) for the IPsec SA and the requirement of an IPsec SA between the NGW and the MN for transporting the Mobile IP (MIP) Registration Request messages.
Consider a scenario where the Mobile Node roams to a foreign network which does not provide adequate over-the-air security. Also consider that the NGW is a trusted entity, either in the foreign network or in the home network, and that the NGW provides a secure path to any node in the home network. Thus, to provide a secure communication channel between the MN and the home network, we consider forming an IPsec tunnel between the MN and the NGW.
The present invention enables the MN to:
• Roam while keeping the sessions alive;
• Provide security to MIP messages even when the Home Address of the MN is not known;
The present invention relates to a system that needs to form an IPsec tunnel with a foreign entity, the NGW. The invention also relates to a system that requires performing the MIP registration for mobility services. Further, this invention provides mechanisms for the case where the Home Address of the MN is not known and the MN requests the PS service in the foreign network.
The system of the invention comprises an MN capable of roaming in foreign networks, a Network Gateway, a Foreign Agent in the foreign network (which might or might not be collocated with the NGW) and a Home Agent (HA) in the home network.
The present invention comprises a system and method which solve the problems associated with the current art, as mentioned below.
The MN forms the tunnel with NGW. (Though we assume IKEv2 is used to establish the tunnel, any similar protocol may be used for the tunnel establishment).
The MIP messages are carried during the tunnel establishment within the IKEv2 messages and are passed to the Home Agent through the NGW and FA (if the FA is not co-located with the NGW).
If the MIP registration is successful, the HA sends the MIP Registration Reply containing the Home Address of the MN, which is relayed by the FA to the NGW after the FA registers the MN in its visitor's cache. The NGW forwards it to the MN within the IKE_AUTH message of the IKEv2 protocol. The MN can extract the Home IP address and the Home Agent address from the MIP Registration Reply message.
The MN and the NGW now establish the tunnel by configuring the IPsec SA from the IKE_AUTH message (of IKEv2) using the Home IP address of the MN. Accordingly, the present invention comprises a method for providing mobility and establishing a secure tunnel using IKEv2 messages and MIP messages between the Mobile Node (MN) or user equipment (UE) and the Network Gateway (NGW).
Accordingly, the present invention further comprises a system for providing mobility and establishing a secure tunnel using IKEv2 messages and MIP messages between the Mobile Node (MN) or user equipment (UE) and the Network Gateway (NGW), wherein the said system comprises an MN capable of IPsec and MIP procedures, a Network Gateway contained in either the foreign network or the home network, a foreign agent collocated with the NGW, and a Home Agent in the home network.
The other objects, features and advantages of the present invention will be apparent from the ensuing detailed description of the invention taken in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 illustrates the different network elements of the system considered in the invention.
Figure 2 illustrates the different network elements of a WLAN-3G interworking system, involved in establishing an End-To-End tunnel and Mobility support between UE and PDG.
Figure 3 illustrates the sequence for establishing the IPsec tunnel and MIP registration, when the Home Address is not known and the FA and the NGW are co-located.
DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS
A preferred embodiment of the present invention will now be explained with reference to the accompanying drawings. It should be understood however that the disclosed embodiment is merely exemplary of the invention, which may be embodied in various forms. The following description and drawings are not to be construed as limiting the invention and numerous specific details are described to provide a thorough understanding of the present invention, as the basis for the claims and as a basis for teaching one skilled in the art how to make and/or use the invention. However in certain instances, well-known or conventional details are not described in order not to unnecessarily obscure the present invention in detail.
The present invention provides a system and method for supporting mobility of the MN which requires the secured tunnel to communicate over and uses MIP protocol to support the mobility.
The method of the invention comprises mechanisms to break the cyclic interdependency between the requirement of the Home IP address of the MN for the IPsec SA and the requirement of an IPsec SA between the NGW and the MN for transporting the MIP Registration. When the MN initially accesses the foreign network, it has no Home Address. But the Home IP Address of the MN is essential to establish the IPsec tunnel between the MN and the NGW and to tunnel all the packets to and from the MN through the NGW. Therefore the described method comprises a mechanism for allocating a Home Address to the MN during the IPsec tunnel setup.
To obtain a Home IP address from the HA, the IKEv2 protocol is extended to carry the MIP messages from the MN to the NGW. The NGW extracts the MIP messages and forwards them to the FA. The FA forwards the MIP message to the AAA server for authentication and to obtain the IP address of the MN from the HA; it relays the MIP Registration Reply to the NGW, and the NGW forwards it within the IKE_AUTH response message. The FA also registers the UE in its visitor's cache according to the normal MIP protocol (according to the IETF RFC).
One assumption when using the Mobile-AAA Authentication extension is that the MN and the AAA server share an AAA Security Association. In this document, it is assumed that the MN and the AAA server share at least one AAA Security Association. It is also assumed that an AAA Security Association between the MN and the AAA server is dynamically created or updated after the AAA server authenticates the MN using an EAP method during the IPsec tunnel setup (according to the IETF EAP procedures). The shared secret of this AAA Security Association is any key derived from the Master Key after the IKEv2 authentication, as a result of the EAP procedure within IKEv2.
The operation of the invention is detailed below:
Establishment of Tunnel and MIP Registration between MN and NGW using MIP messages within the IKEv2 Messages
When an MN needs to access a service provided by the network, it needs to form a tunnel with an NGW which can provide the service. The IP address of the NGW can be found by DNS query or by some other means.
MN initiates a tunnel establishment request with the NGW. As a part of the tunnel establishment, the user can be authenticated and authorized for the service.
[Optional] After the EAP authentication procedure within IKEv2, Mobile Agent Solicitation and Advertisement can be exchanged within the IKEv2 messages.
The MIP Registration message is passed within the IKEv2 messages from the MN to the NGW. The MIP registration message can include the NAI, MN_HA keygen nonce, MN_AAA authentication extensions (if the home agent address and home network prefix are not known).
The NGW extracts the MIP Registration message and forwards it to the FA, if the FA and the NGW are not co-located. The MIP Registration message is then processed normally at the FA and forwarded to the AAA server. The AAA server processes the MIP Registration Request as in the normal MIP protocol and forwards it to an HA which can serve the MN.
The HA sends the Mobile IP Registration Reply with the Home Address, if registration is successful, to the FA. The FA processes the Registration Reply message and registers the MN in its visitor's cache. The FA then forwards the MIP Registration Reply to the NGW, if the FA and the NGW are not co-located.
The NGW relays the MIP Registration Reply message within the IKE_AUTH reply message of IKEv2 to the MN, with the TS and SA payloads to form the IPsec SA between the MN and the NGW using the Home IP address of the MN. On receiving the Registration Reply within the IKE_AUTH reply message of IKEv2, the MN extracts the Home Address and creates a new SA with the Home IP address. Thus the data path to the network is created.
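The steps above (and the same flow summarised earlier in the Summary), as an added simulation that is not part of the patent or of any vendor's implementation: the MN carries the MIP Registration Request inside IKE_AUTH with wildcard traffic selectors, the collocated NGW/FA checks the MN-AAA extension with a key derived from the EAP Master Key, the HA assigns the Home Address, and the IKE_AUTH reply narrows TSi to that address before the MN configures the child SA. The payload name `mip`, the key derivation and the HMAC-SHA256 authenticator are simplifications assumed here; real Mobile IP (RFC 3344/3012) uses binary extensions and HMAC-MD5.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

WILDCARD_TS = "0.0.0.0/0"   # traffic selector used while the Home Address is unknown
CODE_ACCEPTED = 0           # RFC 3344 Registration Reply code: registration accepted
CODE_MN_FAILED_AUTH = 67    # RFC 3344 FA denial: mobile node failed authentication


def derive_aaa_key(master_key: bytes) -> bytes:
    """AAA SA key taken from the EAP Master Key (the derivation itself is assumed)."""
    return hmac.new(master_key, b"MN-AAA", hashlib.sha256).digest()


def mn_aaa_authenticator(key: bytes, fields: dict) -> str:
    """MN-AAA authentication extension, simplified to an HMAC over the RRQ fields."""
    canonical = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


@dataclass
class IkeAuth:
    """IKE_AUTH message reduced to the payloads this exchange needs."""
    idi: str | None = None      # IDi carries the NAI
    tsi: str = WILDCARD_TS
    tsr: str = WILDCARD_TS
    auth: bool = False          # True once the AUTH payload is present
    mip: dict | None = None     # the carried MIP message (payload name is assumed)


class AaaServer:
    """Holds the per-subscriber AAA SA and checks the MN-AAA extension."""
    def __init__(self, subscribers: dict[str, bytes]):
        self.keys = {nai: derive_aaa_key(mk) for nai, mk in subscribers.items()}

    def check(self, rrq: dict) -> bool:
        fields = {k: v for k, v in rrq.items() if k != "mn_aaa_auth"}
        key = self.keys.get(rrq["nai"])
        return key is not None and hmac.compare_digest(
            mn_aaa_authenticator(key, fields), rrq["mn_aaa_auth"])


class HomeAgent:
    """Assigns a Home Address from a pool and records the mobility binding."""
    def __init__(self, address: str, pool: list[str]):
        self.address, self.pool, self.bindings = address, list(pool), {}

    def register(self, rrq: dict, coa: str) -> dict:
        home = self.bindings.get(rrq["nai"]) or self.pool.pop(0)
        self.bindings[rrq["nai"]] = home
        return {"code": CODE_ACCEPTED, "home_address": home,
                "home_agent": self.address, "coa": coa}


class Gateway:
    """NGW with a collocated FA, as in Figure 3: relays MIP, then answers IKE_AUTH."""
    def __init__(self, address: str, aaa: AaaServer, ha: HomeAgent):
        self.address, self.aaa, self.ha, self.visitor_cache = address, aaa, ha, {}

    def handle_ike_auth(self, req: IkeAuth) -> IkeAuth:
        rrq = req.mip
        if rrq is None or not self.aaa.check(rrq):  # denied: no Home Address, no SA
            return IkeAuth(auth=True, mip={"code": CODE_MN_FAILED_AUTH})
        rrp = self.ha.register(rrq, coa=self.address)   # NGW/FA address is the CoA
        self.visitor_cache[rrq["nai"]] = rrp["home_address"]  # FA visitor list entry
        # TSi is narrowed from 0.0.0.0/0 to the Home Address the HA just assigned
        return IkeAuth(tsi=rrp["home_address"] + "/32", auth=True, mip=rrp)


class MobileNode:
    """MN that knows neither its Home Address nor its HA when it starts."""
    def __init__(self, nai: str, master_key: bytes):
        self.nai, self.aaa_key = nai, derive_aaa_key(master_key)

    def ike_auth_request(self) -> IkeAuth:
        fields = {"nai": self.nai, "home_address": "0.0.0.0", "home_agent": "0.0.0.0",
                  "mn_ha_keygen_nonce": "c0ffee"}   # constructed nonce value
        rrq = dict(fields, mn_aaa_auth=mn_aaa_authenticator(self.aaa_key, fields))
        return IkeAuth(idi=self.nai, auth=True, mip=rrq)   # TSi/TSr still wildcard

    def complete(self, resp: IkeAuth) -> dict | None:
        rrp = resp.mip or {}
        if rrp.get("code") != CODE_ACCEPTED:
            return None
        home = rrp["home_address"]
        if resp.tsi != home + "/32":   # the SA must be keyed to the assigned address
            raise ValueError("TSi does not match the Home Address in the RRP")
        return {"inner_address": home, "home_agent": rrp["home_agent"], "tsr": resp.tsr}


def run_exchange(nai: str, mn_master_key: bytes, aaa_master_key: bytes) -> dict | None:
    """One IKE_AUTH round trip; returns the child SA parameters, or None when denied."""
    aaa = AaaServer({nai: aaa_master_key})
    ha = HomeAgent("192.0.2.1", ["198.51.100.10", "198.51.100.11"])  # documentation IPs
    ngw = Gateway("203.0.113.5", aaa, ha)
    mn = MobileNode(nai, mn_master_key)
    return mn.complete(ngw.handle_ike_auth(mn.ike_auth_request()))
```

Calling `run_exchange` with mismatched Master Keys on the MN and AAA side returns None, which is the case where the FA/AAA denies the registration and no Home Address (and therefore no child SA) is ever produced.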
An illustrative Example for the operation of the invention:
A 3G-WLAN interworking scenario is considered here. The 3GPP (http://www.3gpp.org) specification TS 23.234, which deals with the ongoing 3GPP work related to WLAN-3G interworking, provides a system description of the tunnel establishment mechanism between a WLAN-3G UE and the PDG over a WLAN-3G interworking system, as depicted in Figure 2. The different network elements of a WLAN-3G interworking system involved in establishing an End-To-End tunnel and mobility support between the UE and the PDG, as shown in Figure 2, function as follows:
WLAN UE - User Equipment, to initiate the tunnel for the data path.
WLAN - to pass the EAP signaling and data packets towards the 3G-WLAN network.
WAG - Wireless Access Gateway, to enforce the policies and filters on the WLAN AN.
PDG - Packet Data Gateway, a 3G-WLAN Interworking network entity that serves as the gateway between a WLAN AN and PDNs. The PDG allows 3G-WLAN users to access PDNs.
GGSN - Gateway GPRS Support Node. A GPRS network entity that serves as the mobile wireless gateway between an SGSN and PDNs. The GGSN allows mobile users to access PDNs.
SGSN - Serving GPRS Support Node. A GPRS network entity that sends data to and receives data from mobile stations, and maintains information about the location of an MS. The SGSN communicates between the MS and the GGSN; the GGSN provides access to the data network
UTRAN - UMTS Terrestrial Radio Access Network, air interface portion of UMTS networks as specified within 3GPP.
AAA Server - Authentication, Authorization, and Accounting server to intelligently controlling access, enforcing policies, auditing usage, and providing the information necessary to do billing for services available through the 3G-
WLAN Interworking Network.
HSS and HLR - Home Subscriber Server and Home Location Register, to have subscriber credentials and details
CCF and OCS - Call Control function and Open Card Framework for billing and call control
In comparison to the above mentioned invention, the PDG here acts as a Network Gateway which resides in the foreign network, i.e. the Foreign Agent is collocated with the PDG for the sake of simplicity, although it is not necessary for this invention to work. The Home Agent is assumed to be collocated with GGSN of 3 G network for the sake of simplicity, although it is not necessary for this invention to work. The scenario considered here is when the WLAN UE needs to access some PS service. The UE does not know Home Address and Home Agent Address. The example shows the FA to co-exist with PDG, though it is not mandatory.
The following steps briefly explain the operation of the example for the system architecture shown in Figure 2. The message flow/sequence illustrated in Figure 3 is as follows:
1 and 2. The UE and the PDG negotiate the IKE_SA.
3. The UE sends an IKE_AUTH request, without an AUTH payload, to initiate the EAP procedure. The IDi payload in the IKE_AUTH request must contain the NAI of the UE. Optionally, the UE can attach a CERTREQ payload to the IKE_AUTH request if it wants to authenticate the PDG using signature-based authentication. The TSi and TSr payloads contain 0.0.0.0/0 (indicating the full range of IP addresses from 0.0.0.0 to 255.255.255.255).
4. The PDG sends EAP Request/ID in an IKE_AUTH message, initiating the EAP authentication procedure.
5. The UE responds with EAP Response/ID in IKE_AUTH; initiation of EAP is optional. The PDG sends an Access Request [NAI] to the AAA server. The NAI is obtained from the IDi field of the IKE_AUTH message. The AAA server retrieves the authentication data and user profile information from the HSS/HLR. The AAA responds with Access Response [EAP-AKA/Challenge]. The PDG forwards the EAP-AKA/Challenge to the UE in an IKE_AUTH message. It is optional to include [CERT, AUTH] in the message. Normal EAP authentication is carried on between the UE and the AAA with the PDG/FA acting as a relay agent. When all checks are successful, the AAA server sends an EAP Success and the key material to the PDG.
6. The PDG forwards only the EAP Success message within the IKEv2 message to the UE.
7 and 8. [Optional] Mobile Agent Solicitation and Advertisement can be exchanged within the IKEv2 messages.
9. The UE sends an IKE_AUTH response that contains the AUTH payload. The UE uses the shared secret derived from the EAP authentication procedure to make the AUTH payload. The UE also includes the MIP REGISTRATION REQUEST with the NAI, MN_HA keygen nonce and MN_AAA authentication extensions.
10. On receiving the MIP message, the PDG forwards it to the FA (whose IP address is given as the CoA in MIP). The FA sends the MIP Registration Request to the AAA in the appropriate AAA messages.
11. The AAA server, after authenticating the UE, generates the keys requested in the registration message and distributes them to the respective agents. The FA can then forward the Registration Request to the HA, if it has not relayed it earlier.
12. The HA then sends the Registration Reply to the FA. The FA registers the UE in its visitor cache and forwards the Registration Reply to the PDG, if the PDG and the FA are not co-located.
13. The PDG sends an IKE_AUTH response that contains the AUTH payload. The PDG makes the AUTH payload with the shared secret derived from the EAP authentication procedure. It also includes the MIP REGISTRATION REPLY. The TSi in the IKE_AUTH message contains the Home Address of the UE as the IP parameter.
The UE obtains the Home Address from the MIP_REG_REPLY and completes the tunnel establishment procedure.
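The exchange described in the two passages above (the NGW extracting the MIP Registration Request from IKE_AUTH, AAA/HA processing, and the reply carrying the Home Address in TSi) as an added Python model, not code from the patent. The keys, addresses and the HMAC stand-ins for the IKEv2 AUTH payload and the MN-AAA extension are constructed assumptions, and the EAP-AKA run of steps 4 to 6 is abstracted as an already-shared key.

```python
import hashlib
import hmac
import secrets

# Constructed demonstration values (not real key material or addresses). The EAP-AKA
# run of steps 4-6 is abstracted as an already-derived shared key MSK; the MN-AAA
# shared secret authenticates the MIP Registration Request extension of steps 9-11.
MSK = b"constructed-eap-derived-key"
MN_AAA_SECRET = b"constructed-mn-aaa-secret"
FA_ADDR = "192.0.2.1"        # FA co-located with the PDG; used as the CoA
HA_ADDR = "198.51.100.1"     # HA co-located with the GGSN

def mac(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 stand-in for the IKEv2 AUTH payload and the MN-AAA extension."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()

def ue_build_ike_auth(nai: str) -> dict:
    """Step 9: IKE_AUTH with AUTH payload plus the embedded MIP Registration Request.
    Home Address and HA address are unknown, so both are 0.0.0.0 and TSi is 0.0.0.0/0."""
    nonce = secrets.token_hex(8)                        # MN_HA keygen nonce
    mip = {"nai": nai, "coa": FA_ADDR, "home_addr": "0.0.0.0",
           "ha_addr": "0.0.0.0", "keygen_nonce": nonce}
    mip["mn_aaa_auth"] = mac(MN_AAA_SECRET, nai, FA_ADDR, nonce)
    return {"idi": nai, "auth": mac(MSK, "ue", nai), "tsi": "0.0.0.0/0", "mip": mip}

def aaa_authorize(mip: dict) -> bool:
    """Step 11: AAA verifies the MN-AAA authentication extension before generating keys."""
    expected = mac(MN_AAA_SECRET, mip["nai"], mip["coa"], mip["keygen_nonce"])
    return hmac.compare_digest(expected, mip["mn_aaa_auth"])

def ha_register(mip: dict, visitor_cache: dict) -> dict:
    """Step 12: HA assigns a Home Address (constructed pool) and returns the reply."""
    home_addr = "203.0.113." + str(10 + len(visitor_cache))
    return {"code": 0, "nai": mip["nai"], "home_addr": home_addr, "ha_addr": HA_ADDR}

def pdg_handle_ike_auth(req: dict, visitor_cache: dict) -> dict:
    """Steps 10-13 at the PDG (NGW with co-located FA): check the IKEv2 AUTH payload
    first, relay the MIP request to AAA/HA, then answer with the reply and a TSi
    narrowed to the assigned Home Address."""
    if not hmac.compare_digest(req["auth"], mac(MSK, "ue", req["idi"])):
        return {"error": "AUTHENTICATION_FAILED"}
    mip = req["mip"]
    if mip["nai"] != req["idi"] or not aaa_authorize(mip):
        return {"error": "MIP_REG_REJECTED"}            # no SA is formed for this MN
    reply = ha_register(mip, visitor_cache)
    visitor_cache[mip["nai"]] = reply["home_addr"]      # FA registers the UE
    return {"auth": mac(MSK, "pdg", req["idi"]),
            "tsi": reply["home_addr"] + "/32", "mip_reply": reply}

def ue_complete(resp: dict):
    """UE side of step 13: verify the PDG AUTH payload, take the Home Address from the
    MIP_REG_REPLY and bind the new SA to it; on any failure no data path is created."""
    if "error" in resp:
        return None
    nai = resp["mip_reply"]["nai"]
    if not hmac.compare_digest(resp["auth"], mac(MSK, "pdg", nai)):
        return None
    home = resp["mip_reply"]["home_addr"]
    if resp["tsi"] != home + "/32":                     # TSi must match the assigned address
        return None
    return {"sa_local_addr": home, "ha_addr": resp["mip_reply"]["ha_addr"]}

def establish_tunnel(nai: str, visitor_cache: dict, corrupt_mip: bool = False):
    """Run the exchange end to end; corrupt_mip simulates a damaged MIP extension."""
    req = ue_build_ike_auth(nai)
    if corrupt_mip:
        req["mip"]["coa"] = "192.0.2.99"                # no longer matches MN-AAA auth
    return ue_complete(pdg_handle_ike_auth(req, visitor_cache))
```

The corrupt_mip path shows the property the AAA check provides: a Registration Request whose MN-AAA extension does not verify yields no Home Address and therefore no child SA at the UE.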
As stated previously, the above procedure can be applied to the 3G-WLAN case, where the Network Gateway is the PDG and the HA is collocated with the GGSN (or is in the same sub-network).
The user authentication is carried out by RADIUS/Diameter messages between the PDG and the AAA server in the home network.
The PDG IP address can be discovered in the network by a DNS query on the W-APN. The W-APN indicates the service required by the WLAN-UE. The DNS reply contains the list of PDGs capable of providing the given service.
It will also be obvious to those skilled in the art that other control methods and apparatuses can be derived from combinations of the various methods and apparatuses of the present invention as taught by the description and the accompanying drawings, and these shall also be considered within the scope of the present invention. Description of such combinations and variations is therefore omitted above. It should also be noted that the host for storing the applications includes, but is not limited to, a computer, mobile communication device, mobile server or multi-function device. Although the present invention has been fully described in connection with the preferred embodiments thereof with reference to the accompanying drawings, it is to be noted that various changes and modifications are possible and are apparent to those skilled in the art. Such changes and modifications are to be understood as included within the scope of the present invention as defined by the appended claims unless they depart therefrom.

Claims

WHAT IS CLAIMED IS:
1. A method for providing mobility and establishing a secure tunnel using IKEv2 messages and MIP messages between the Mobile Node (MN) or user equipment (UE) and the Network Gateway (NGW).
2. A method as claimed in claim 1 wherein the said method breaks the cyclic interdependency between the requirement of a Home Address for the IPsec SA and the requirement of an IPsec SA between the NGW and the MN for transporting the MIP Registration Request messages.
3. A method as claimed in claim 2 wherein the Home IP Address of the MN, essential to establish the IPsec tunnel between the MN and the NGW, is obtained by a procedure comprising the steps of: extending the IKEv2 protocol to carry the MIP messages from the MN to the NGW; extracting the MIP messages and forwarding them to the FA by the NGW; forwarding the MIP message to the AAA server for authentication by the FA; obtaining the IP address of the MN from the HA and relaying the MIP Registration Reply to the NGW; forwarding it within the IKE_AUTH response message by the NGW; and registering the UE in the visitor's cache according to the normal MIP protocol by the FA.
4. A method as claimed in claim 1 wherein the said method defines an extension to the IKEv2 protocol to carry MIP messages to support mobility while establishing the tunnel.
5. A method as claimed in claim 1 wherein for establishment of Tunnel and MIP Registration, MN needs to access a service provided by the network where it needs to form a tunnel with a NGW which can provide the service and the IP address of the NGW can be found by DNS query or by some other means.
6. A method as claimed in claim 5 wherein MN initiates a tunnel establishment request with the NGW and the user is authenticated and authorized for the service.
7. A method as claimed in claim 6 wherein after the authentication procedure within IKEv2, Mobile Agent Solicitation and Advertisement is exchanged within the IKEv2 messages.
8. A method as claimed in claim 7 wherein the MIP Registration message is passed within the IKEv2 messages from the MN to the NGW, and the MIP Registration message includes the NAI, MN_HA keygen nonce and MN_AAA authentication extensions if the home agent address and home network prefix are not known.
9. A method as claimed in claim 8 wherein the NGW extracts the MIP Registration message and forwards it to the FA, if the FA and the NGW are not co-located; the MIP Registration message is then processed normally at the FA and forwarded to the AAA server, where the AAA server processes the MIP Registration Request as in the normal MIP protocol and forwards it to an HA which can serve the MN.
10. A method as claimed in claim 9 wherein the HA sends the Mobile IP Registration Reply with the Home Address, if registration is successful, to the FA, where the FA processes the Registration Reply message and registers the MN in its visitor's cache, and the FA then forwards the MIP Registration Reply to the NGW, if the FA and the NGW are not co-located.
11. A method as claimed in claim 10 wherein the NGW relays the MIP Registration Reply message within the IKE_AUTH reply message of IKEv2 to the MN, with the TS and SA payloads, to form the IPsec SA between the MN and the NGW with the Home IP address of the MN.
12. A method as claimed in claim 11 wherein, on receiving the Registration Reply within the IKE_AUTH reply message of IKEv2, the MN extracts the Home Address and creates a new SA with the Home IP address, thus creating the data path to the network.
13. A method as claimed in claim 1 wherein the said method is utilized for the tunnel establishment mechanism between a WLAN-3G UE and a PDG over a WLAN-3G interworking system, comprising the steps of: negotiating the IKE_SA by the UE and the PDG; sending an IKE_AUTH request, without AUTH payload, to initiate the EAP procedure by the UE; PDG sending EAP Request/ID in an IKE_AUTH message, thereby initiating the EAP authentication procedure;
UE responding with EAP Response ID in IKE_AUTH;
PDG forwarding the EAP success message within the IKEv2 message to the UE;
Mobile Agent Solicitation and Advertisement exchanging within the IKEv2 messages;
UE sending IKE_AUTH response that contains AUTH payload;
On receiving the MIP message, PDG forwarding it to the FA; FA sending the MIP-Registration-Request to AAA in appropriate AAA messages;
AAA server, after authenticating the UE, generating keys as requested in the registration message and distributing them to the respective agents;
FA forwarding the Registration Request to the HA, if it has not relayed it earlier;
HA sending the Registration Reply to the FA;
FA then registering the UE in its visitor's cache and forwarding the registration reply to the PDG, if the PDG and the FA are not co-located;
PDG sending an IKE_AUTH response that contains the AUTH payload; PDG making the AUTH payload with the shared secret derived from the EAP authentication procedure and including the MIP REGISTRATION REPLY;
TSi in the IKE_AUTH message containing the Home Address of the UE as the IP parameter; and
UE obtaining the Home Address from the MIP_REG_REPLY and completing the tunnel establishment procedure.
14. A system for providing mobility and establishing a secure tunnel using IKEv2 messages and MIP messages between the Mobile Node (MN) or user equipment (UE) and the Network Gateway (NGW), wherein the said system comprises a MN capable of IPsec and MIP procedures, a Network Gateway contained in either the foreign network or the home network, a foreign agent collocated with the NGW, and a Home Agent in the home network.
15. A method for providing mobility and establishing a secure tunnel using IKEv2 messages and MIP messages between the Mobile Node (MN) or user equipment (UE) and the Network Gateway (NGW) such as herein substantially described particularly with reference to the accompanying drawings.
16. A system for providing mobility and establishing a secure tunnel using IKEv2 messages and MIP messages between the Mobile Node (MN) or user equipment (UE) and the Network Gateway (NGW) such as herein substantially described particularly with reference to the accompanying drawings.
PCT/KR2005/004503, filed 2005-12-23 (priority date 2004-12-24): System and method for providing mobility and secure tunnel using mobile internet protocol within internet key exchange protocol version 2, published as WO2006068450A1 (en).

Applications Claiming Priority (2)

Application Number | Priority Date
IN1433CH2004 | 2004-12-24
IN1433/CHE/2004 | 2004-12-24

Publications (1)

Publication Number | Publication Date
WO2006068450A1 (en) | 2006-06-29

Family ID: 36602001

Family Applications (1)

Application Number | Publication | Priority Date | Filing Date
PCT/KR2005/004503 | WO2006068450A1 (en) | 2004-12-24 | 2005-12-23

Country Status (1)

Country | Link
WO | WO2006068450A1 (en)


Legal Events

Code | Title | Description
AK | Designated states | Kind code of ref document: A1 (list of designated states omitted)
AL | Designated countries for regional patents | Kind code of ref document: A1 (list of designated states omitted)
121 | Ep: the EPO has been informed by WIPO that EP was designated in this application
NENP | Non-entry into the national phase | Ref country code: DE
122 | Ep: PCT application non-entry in European phase | Ref document number: 05818975; Country of ref document: EP; Kind code of ref document: A1