I. Field of the Invention
The present invention is directed to telecommunications. More particularly, the present invention is directed to methods and systems that dynamically establish Layer Two Tunneling Protocol (“L2TP”) sessions between a L2TP Access concentrator (“LAC”) and a L2TP Network Server (“LNS”). The invention is particularly useful in dynamically establishing L2TP sessions between a LAC and a LNS based on a triggered response. For example, such a triggered response could occur at the LAC. In one approach, the trigger can be an establishment of a tunneled mobile IP session at the LAC. Alternatively, the LAC may be a home agent. However, aspects of the invention may be equally applicable in other scenarios as well.
II. Description of Related Art
Virtual Private Network (“VPN”) services are generally prevalent in IP networks. One reason why VPN services are prevalent in IP networks is that VPN services offer secure remote access to corporate networks. Another reason for the prevalence of VPN services in IP networks is that VPN services offer secure trunking between offices and/or secure peer-to-peer communications. An emerging market for outsourced access technologies is currently planning on enhancing their offerings to include outbound VPN services.
For example, a nationwide cellular access provider may offer its access services to a corporation. In this manner, employees of the corporation that take advantage of these services may have wireless data access from virtually any location in the country. This provides certain advantages to both the nationwide cellular access provider as well as the corporation since the already established cellular infrastructure is generally cost prohibitive for a corporation to build out. Moreover, this scenario provides an advantage to the cellular access provider since the provider may now be able to sign on a group of users that could potentially turn out to be high-margin cellular access subscribers. Although it may be possible for a corporation to provide each employer a mobile device and then load each corporate employee mobile device with a VPN client and provision those mobile devices for secure VPN access over the cellular network to the corporation, this can turn out to be a significant operational expense. Such a scenario could also involve certain logistical and technical complications as well as corporate costs inefficiencies. For example, placing the VPN in the network removes a potentially expensive computational operation (e.g., encryption) from a mobile node, such as a mobile phone, a device that typically has a somewhat limited battery life.
As an alternative, and since the cellular service provider will have to provision the mobiles anyway, the cellular service provider can add VPN capabilities to a mobile device. However, if a mobile device establishes a VPN directly to the corporate VPN gateway, the cellular provider may be unable to provide additional value-added services on the user's data, since the data is encrypted. Additionally, the cellular provider may not be able to properly account and bill for the user's data if it is encrypted.
Moreover, there are a number of value-added services that a cellular provider may be able to provide corporate users. For example, a cellular access provider may be able to provide certain value-added services that include but are not necessarily limited to: content aware billing, application level compression, application aware quality of service, and per-user dynamic firewalls. Additionally, a service provider may not be able to easily adhere to legal requirements such as lawfully authorized electronic surveillance.
There is, therefore, a general need for a mobile IP home agent that can dynamically establish a tunneled session, such as an L2TP session, to a corporate enterprise. There is also a general need for a mobile IP home agent that can dynamically establish an L2TP session to corporate enterprises per user or per domain. There is also a general need for a method or system that establishes such an L2TP session based on certain policy considerations, such as a local policy or an authorization, authentication and accounting (“AAA”) server policy. In one approach, a table per mobile or per mobile domain (e.g., fedex.com) is established that indicates that when the mobile logs on to a Home Agent, a VPN should be automatically set up to an enterprise LNS.
In one aspect of the present invention, a method of establishing a tunnel between a home agent and a routing device includes the steps of receiving a Mobile IP request at the home agent from a foreign agent and authenticating the Mobile IP request. A tunnel is initiated between the home agent and the routing device. Call data is tunneled related to the Mobile IP request between the home agent and the routing device.
In another aspect, a system for establishing a tunnel between a home agent and a routing device includes a Mobile IP request transmitted from a foreign agent to the home agent. A server authenticates the Mobile IP request such that the tunnel is initiated between the home agent and the routing device. Call data related to the Mobile IP request is tunneled between the home agent and the routing device.
In yet another aspect, a method of tunneling a call between a first routing device and a second routing device includes the steps of receiving a tunneled packet on a first tunnel associated with a call at the first routing device. A local policy for the call is examined. The packet is then forwarded on a second tunnel to the second routing device.
Preferred embodiments of the present invention are described herein with reference to the drawings, in which:
a illustrates an incoming call establishment state diagram from the LAC illustrated in
b illustrates an incoming call establishment state diagram for the LNS illustrated in
L2TP is a mechanism that enables automatic tunneling between a dialup user and a private network. L2TP may also be used to establish a VPN between two distinct IP networks connected by a third public network, such as the Internet. L2TP may be used alone or in conjunction with a VPN protocol such as IPsec, in order to provide this VPN. Unlike IP-in-IP tunneling, L2TP offers a number of advantages. For example, L2TP can encapsulate an entire PPP session within an X/IP/UDP session, where “X” represents a data-link protocol. L2TP also allows for negotiation of session parameters via a virtual control channel and provides sequence numbers and retransmission mechanisms for reliability, flow control, and congestion control. L2TP is also extensible via user-defined extension headers.
A current L2TP protocol is discussed and detailed in the document entitled “Layer Two Tunneling Protocol “L2TP”“, Network Working Group, Request for Comments: 2661, August 1999 which is herein entirely incorporated by reference and to which the reader is directed to for further information.
Background-Mobile IP
The Internet Protocol (“IP”) is an addressing protocol designed to route traffic within a network or between networks. The Internet Protocol is used on computer networks including the Internet, intranets and other networks. Internet Protocol addresses are typically assigned to “immobile” nodes on a network, and the IP address of each node is used to route datagrams to the node through a server connected to the node. An immobile node may be transferred to a different server on the computer network, but is typically associated with a static physical location.
In contrast, mobile nodes may connect to various physical locations on a computer network from various physical connections. A mobile node has its own network address and a semi-permanent relationship with a home agent or server to which the mobile node may occasionally be connected to send and receive datagrams. However, the mobile node can also connect to a home agent by way of a foreign agent through which it sends and receives datagrams. An example of one protocol that facilitates communication with mobile nodes over the Internet is the Mobile Internet Protocol (Mobile IP), which allows “mobile” nodes to transparently move between different Internet Protocol sub-networks (“subnets”). Mobile IP is described in Request for Comment (RFC) 2002, IP Mobility Support, C. Perkins, October 1996, herein incorporated by reference, available from the Internet Engineering Task Force (IETF) at www.ietf.org.
One version of the Mobile IP, Mobile IPv4, allows a mobile node (“MN”) to dynamically change its network connectivity in a manner that is transparent to layers above IP and the user. Under Mobile IPv4, MNs are assigned an IPv4 address on their home subnet (“HS”). This is the default subnet that the MN assumes that it is on unless the MN is informed otherwise. The HS is connected to an external network (e.g., the Internet) via a home agent (“HA”) that acts as the subnet's gateway router.
Internet Protocol addresses are typically assigned to mobile nodes based on their home Internet Protocol subnet. The home subnet is connected to an external network (e.g., the Internet or an intranet) with a “home agent” that may serve as the subnet's gateway router. As is known in the art, the gateway connects computer networks using different networking protocols or operating at different transmission capacities. A router translates differences between network protocols and routes data packets to an appropriate network node or network device.
When a mobile node “roams,” (i.e., dynamically changes its physical location, thereby altering its point of connection to the network), it periodically transmits “agent solicitation” messages to other gateway routers. A mobile node also listens for “agent advertisement” messages from other gateway routers. When a mobile node receives an agent advertisement message indicating that it is now on a foreign subnet, it registers with the foreign gateway router or “foreign agent” and its home agent. The registration with the home agent indicates that the mobile node is away from “home” (i.e., away from its home subnet). The registration with the foreign agent allows the mobile node to receive data on the foreign subnet.
The foreign agent 16 is coupled to the IP network 8 via a communication link 7 and has a globally routable network address of 4.0.0.101 on the network 8. The foreign agent 16 is also coupled to a local area network (“LAN”) 18 that constitutes a foreign subnet to the MN 4. The subnet served by the foreign agent 16 is 2.0.0.0/24. Other nodes are also connected to the subnet 18, such as a node 12 with a globally routable network address 2.0.0.3.
As explained above, Mobile IP allows a mobile node to dynamically change its network connectivity in a manner that is transparent to layers above IP and the user. MNs are assigned an IP address on their home subnet, which is the default subnet for the MN unless the MN is informed otherwise. The home subnet is coupled to the IP network 8 via the home agent 6, which acts as the subnet's gateway router. When an MN 4 roams, e.g. moves to a service area or subnet 18 other than its home subnet 14 (as illustrated by arrow 18), MN 4 periodically transmits “agent solicitation” messages onto the subnet to which it is coupled and listens for an agent “advertisement message” from gateway routers. When the MN receives an agent advertisement message indicating that it is now on a different subnet, then it registers with the foreign gateway router.
For example, when the MN 4 connects to the LAN 14, it will transmit an agent solicitation message onto the LAN 14 that will be received by the foreign agent 16. Foreign agent 16 acts as a gateway router for the 2.0.0.0/24 subnet. The foreign agent 16 will respond by transmitting an agent advertisement message on the LAN 14 that will be received by the MN 4.
When the MN 4 receives the agent advertisement message from the foreign agent 16, MN 4 will register itself with foreign agent 16 and also with its home agent 6. When the MN 4 registers with the foreign agent 16, the foreign agent 16 will create a routing table entry for the network address 1.0.0.4 of the MN 4. The home agent 6 will also create a routing table entry for the MN 4 that includes the network address 4.0.0.101 for the foreign agent 16 to which the MN 4 is presently connected.
After registration has taken place, routing to the MN 4 is redirected from the home agent 6 to the foreign agent 16 identified in the registration, e.g. the redirect feature of Mobile IP. Round trip routing to and from MN 4 may be subsequently asymmetric. Routing between the MN and a server follows a triangular path between the server, the home agent 6 and the foreign agent 16. The architecture 20 of
In the network 8, the home agent 6 is advertising itself as a route to the 1.0.0.0/24 subnet. Therefore, the home agent 6 will receive all packets addressed to the MN 4 with an address of 1.0.0.4. However, the MN 4 has registered with its current foreign agent 16, with the home agent 6. Therefore, when the home agent 6 receives a packet for the MN 4, e.g. a packet represented by arrow 26 from the server 24 in
When the MN 4 transmits a packet, no tunneling or address translation is necessary. IP packets from the MN 4 are routed directly from the MN 4 through the foreign agent 16 to the external destination address on the IP network 8, as illustrated by arrows 208 and 209 for packets destined for the server 24. As will be explained, in Applicant's approach, traffic from a mobile node will be tunneled to a Home Agent for subsequent tunneling to a network enterprise.
In architecture 20, the MN 4, the foreign agent 16 and the home agent 6 maintain as little state information for the transaction as is possible. The MN 4 periodically transmits “keepalive” messages that inform the foreign agent 16 and the home agent 6 that it is still connected to the foreign agent's subnet. These updates are transmitted using Internet Control Message Protocol (ICMP) messages, see RFCs 792 and 2463 herein entirely incorporated by reference, some of which are standard ICMP messages and others that are unique to Mobile IP.
Standard Mobile IPv4 utilizes two messages for registration and various aspects of session maintenance. Other Mobile IPv4 messages may also be used. These two messages include a registration request message (“RRQ”) and a registration reply message (“RRP”). In one arrangement, an RRQ is sent from a MN to a FA and then on to a HA. The RRQ typically represents the MN asking the network to allow the MN to register (i.e., log on), or to extend an existing registration. For example, returning to the arrangement illustrated in
In reply to the RRQ, the HA creates a mobility binding record (MBR) for the mobile, which contains information that identifies the mobile (e.g., the mobile's assigned home address and network access identifier) and information that is associated with the mobile's session (e.g., the FA's care of address, GRE key, if applicable). The HA may also send an RRP to the FA to the MN. The RRP typically represents the network responding to the MN's RRQ, indicating that the MN is or is not allowed to register. Again, returning to the arrangement illustrated in
RRQ 50 also includes a “B” bit 56 which represents Broadcast datagrams. If the B bit 56 is set, the MN requests that the HA tunnel to it any broadcast datagrams that it receives on the home network. RRQ format 50 also includes a “D” bit 58 that represents Decapsulation by mobile node. That is, if the D bit 58 is set, the MN will itself decapsulate datagrams which are sent to the care-of address. That is, the MN is using a co-located care-of address. The mobile RRQ format 50 also includes an “M” bit 60 representing Minimal Encapsulation. If the ‘M’ bit 60 is set, the MN requests that the HA use minimal encapsulation for datagrams tunneled to the MN.
RRQ format 50 also includes a “G” bit 64 representing GRE encapsulation. GRE encapsulation provides a protocol for performing encapsulation of an arbitrary network layer protocol over another arbitrary network layer protocol. GRE encapsulation is described in Request for Comment (RFC) 1701, Generic Routing Encapsulation (GRE), S. Hanks, October 1994, herein incorporated by reference, available from the Internet Engineering Task Force (IETF) at www.ietf.org. If the G bit 64 is set, the MN requests that the HA use GRE encapsulation for datagrams tunneled to the MN. RRQ 50 also includes an “r” bit 66. The r bit 66 is sent as zero and is ignored upon reception. The r bit should not be allocated for any other uses.
RRQ 50 also includes a T bit 68. T bit 68 designates that Reverse Tunneling is requested. An x bit 70 is sent as zero and is ignored on reception. RRQ format 50 also includes a Lifetime data filed 72. Lifetime 72 represents the number of seconds remaining before the registration is considered expired. A value of zero indicates a request for deregistration. A Lifetime value of “0xffff” indicates infinity.
RRQ 50 also includes a Home Address field 74. Field 74 represents the IP address of the MN. RRQ 50 also includes a Home Agent field 76 that represents the IP address of the mobile node's home agent. The Care-of Address field 78 represents the IP address for the end of the tunnel. The Identification field 80 represents a 64-bit number that is constructed by the mobile node and is used for matching Registration Requests with Registration Replies. Identification field 80 is also used for protecting against replay attacks of registration messages.
And finally, the fixed portion 86 of Registration Request 50 is followed by one or more of Extensions 82. An authorization-enabling extension must be included in all Registration Requests since mobile IP traffic must be authenticated, otherwise a third party could disrupt a mobile IP call. Mobile IP has defined several authentication extensions in RFC 1701 such as, for example, MN-FA, FA-HA, and MN-HA. In addition, there is also the MN-AAA extension defined in Request for Comment 3012. Request for Comment (RFC) 3012, entitled Mobile IPv4 Challenge/Response Extensions, C. Perkins, November 2000, is herein entirely incorporated by reference and is available from the Internet Engineering Task Force (IETF) at www.ietf.org. The use of these extensions requires the provisioning of shared secrets between the two devices taking part in an authentication step.
RRP 90 includes a Lifetime field 96. If the Code field 94 designates that the registration was accepted, the Lifetime field 96 is set to the number of seconds remaining before the registration is considered expired. A Lifetime value of zero designates that the mobile node has been deregistered and a Lifetime value of “0xffff” designates infinity. If the Code field 94 designates that the registration was denied, the contents of the Lifetime field 96 will therefore be unspecified and therefore will be ignored on reception.
Home Address field 98 represents the IP address of the mobile node. The Home Agent field 100 represents the IP address of the mobile node's home agent. The Identification field 102 represents a 64-bit number that is used for matching Registration Requests with Registration Replies. Identification field 102 also is used to protect against replay attacks of registration messages. The value is based on the Identification field from the Registration Request message from the mobile node, and on the style of replay protection used in the security context between the mobile node and its home agent.
The fixed portion of the Registration Reply is followed by one or more extensions 104. An authorization-enabling extension must be included in all Registration Replies returned by the home agent.
LT2P
L2TP is a rapidly evolving mechanism that, among other features, enables automatic tunneling between dialup users and a private network. L2TP can also be used to establish a VPN between two distinct IP networks that are connected by a third public network.
L2TP offers a number of advantages over simple IP-in-IP tunneling. For example, L2TP encapsulates an entire PPP session within an X/IP/UDP session, where “X” is a data-link protocol. L2TP also allows for negotiation of session parameters via a virtual control channel. L2TP also provides sequence numbers and retransmission mechanisms for reliability, flow control, and congestion control. Alternatively, L2TP encapsulation can occur over a number of different packet-switched protocols that allow point-to-point delivery, such as ATM or Frame Relay virtual circuits. L2TP is also extensible via user-defined extension headers.
PPP/IP/TCP packet 118 is encapsulated by an IP/UDP packet with an L2TP shim header 121 at the beginning of a UDP payload 123. L2TP Shim header 121 provides tunnel and session identification. Shim header 121 also provides a version number, sequence numbers, and other control information.
The architecture of a set of networks that may provide L2TP support to the users of some of these networks is illustrated in the network architecture 120 illustrated in
In the first case, dialup user 122 dials into an Internet Service Provider (“ISP”) 124 over dialup link 128 via LAC router or (“Remote Access Server”) RAS 126. ISP access router 126 serves as an L2TP Access Concentrator (“LAC”). Router 126 establishes an L2TP tunnel on behalf of the user 122 to the L2TP Network Server (“LNS”) 134 at a private IP network 136. LAC 126 determines the endpoint of the tunnel from a number of sources including dialup or caller ID.
For example, LAC 126 may determine the endpoint of a tunnel from a dialup user's authentication profile. Alternatively, LAC 126 determines the endpoint of the tunnel from an E.164 phone number.
A first authentication occurs where user 122 tunnels over LAC 126 to ISP IP network 124. LAC 126 then tunnels a user's PPP session via router 130 over Internet 132 to the LNS router 134 where authentication occurs a second time. LNS router 134 removes the L2TP and serves as a virtual access concentrator, terminating the user's PPP session. LNS router 134 authenticates a second session authentication dialup user 122 and provides dialup user 122 with an IP address from the private IP network's address space.
To dialup user 122, it may seem as if the user 122 is connected directly to private IP network 136. The case where dialup user 122 connects to LNS router 134 demonstrates how an individual (e.g., such as an employee working at dialup user 122) might telecommute from a remote office into a private network, such as an organization or a corporate private network.
In contrast to the first case illustrated in
In both the first and second tunneling systems generally described with respect to
As will be understood by those of ordinary skill, more than one tunnel may be established between an L2TP Access Concentrator and an L2TP Network Server. L2TP tunnels may be controlled via a single control connection. Control connection for a given tunnel handles the setup, the modification, and the teardown of sessions (i.e., calls) within a given tunnel. Generally, a single L2TP Access Concentrator is associated with a particular call or session.
Alternatively, a dialup user, such as dialup user 122 shown in
Packet Format
As described in the protocol “Layer Two Tunneling Protocol “L2TP” A. Valencia et al. herein incorporated entirely by reference and to which the reader is directed for further information, L2TP utilizes an Attribute-Value Pair (“AVP”) format. An AVP defines an attribute and the attribute's associated value. A single control packet may contain one or more AVPs.
For example, the “M” field 152 of AVP format 150 designates a Mandatory bit (“M”). The Mandatory bit “M” determines the behavior of a call or a tunnel when an LAC or an LNS receives an AVP that the LAC or the LNS does not recognize. If M is set on an unrecognized AVP associated with an individual session (or call), the session is terminated.
If M is set to an unrecognized AVP associated with a tunnel, the entire tunnel will be terminated. If M is “0”, an LAC or LNS should ignore an unrecognized AVP. In general, a session, a call, or a tunnel is terminated with the M bit only if the unrecognized AVP is critical to the type of communication that will occur.
The AVP format 150 also includes an “H” field 154 which designates a Hidden bit. The Hidden bit controls the “hiding” of the value field. When an LAC and LNS have a shared secret, they may encrypt sensitive data, such as passwords, by performing a message digest (“MD”) hash function, such as an MD5 hash on the data. If such an MD5 hash is performed, the H bit is set. Further details of the MD5 hash are discussed in Valencia et al. previously incorporated entirely by reference and to which the reader id directed to for further information.
The Total Length field 158 designates the total number of bytes in the AVP. For AVPs defined by a private vendor, the vendor must place its IANA-assigned vendor ID code in the Vendor ID field 160. The Vendor ID field 160 allows extensibility and vendor-specific features.
The Attribute field 162 provides a code for the actual attribute, which must be unique with respect to the vendor ID. The Value field 164 encodes the value of the attribute. The length of Value field 164 is equal to the value of the total length field minus six.
In order to ensure flexibility and extensibility, L2TP utilizes an attribute-value pair (AVP) format within its control packets. An AVP defines an attribute and its associated value. A single control packet may contain one or more AVPs.
Control Packets
T field 172 designates a control packet. The L field 174 designates that the length field is present. The “F” field 172 designates that the sequence number fields are present. The version field 178 is preferably set to 2, the number 2 designating L2TP. The “Length” field 180 defines the total length of the control packet, including header and all AVPs. “Tunnel ID” field 182 defines the numeric tunnel identifier. “Tunnel ID” field 182 is set to zero if a tunnel is yet to be established. “Call ID” field 184 is a numeric call identifier. “Call ID” field 184 is set to zero if call is yet to be established.
The “Ns” or “Sequence Number” 186 field defines a packet's sequence number. The “Nr” or “Next Received Sequence Number” field 188 field defines the next sequence number that a sender expects to receive a packet with from a receiver. The “Message type AVP” field 190 is an AVP that describes the type of this message.
Control packets consist of a 12-byte fixed header followed by a Message Type AVP, which is then followed by zero or more AVPs 192.
Note that within the limits of the tunnel's MTU, as many AVPs as desired can be appended to control packets.
The “Tunnel ID” field 232 is a numeric tunnel identifier. The Tunnel ID field 232 is set to zero if tunnel is yet to be established. The “Call ID” field 234 is a numeric call identifier. The “Call ID” field 234 is set to zero if a call or tunnel is yet to be established.
The “Ns” field 236 is a packet's sequence number. The “Nr” field 238 is the next sequence number that a sender expects to receive a packet with from the receiver. The “Offset Size” field 24 is the number of bytes past the L2TP header at which the payload begins. The “Offset Pad” field 242 is preferably set to zeros.
Tunnel Establishment and Teardown
The illustrations in state diagram 250 may also be used to exchange operating parameter information of the LAC and LNS, as defined by standardized AVPs. These messages may contain extension functionality with the use of additional AVPs.
In a TCP/IP network, such as network 120 illustrated in
An L2TP tunnel may be torn down from either the data receiving or the data originating source with the transmission of a Stop-Control-Connection-Notification (StopCCN) message 260. The recipient of a StopCCN message terminates all calls within the tunnel and cleans up tunnel state. No acknowledgment of or response to the StopCCN is transmitted to the originator of a message.
As referred to herein, sessions within an L2TP tunnel are referred to as “calls.” In one arrangement, a single tunnel may contain up to 216-1 calls. Once an L2TP tunnel is established, L2TP control messages may be utilized by the LAC and LNS for the establishment and teardown of calls, as well as tunnel management and tunnel status.
Call Setup And Teardown
a illustrates an incoming call flow diagram 270 once an L2TP tunnel has been established. Flow diagram 270 establishes an incoming call between an LAC and an LNS, such as LAC 126, 142 and LNS 134 illustrated in
For example, LAC 272 transmits an Incoming-Call-Request (ICRQ) message 276 to LNS 274. LNS 274 receives the ICRQ and responds with an Incoming-Call-Reply (ICRP) message 278. LAC 272 receives ICRP 278 and completes the handshake with an Incoming-Call-Connected (ICCN) message 280. Aside from establishing the three-way handshake, messages 276, 278, and 280 may also be used to exchange information about caller identity and the capabilities of LAC 272 and LNS 274, as defined by standardized AVPs. Messages 276, 278, and 280 may also contain extension functionality with the use of additional AVPs.
b illustrates an outgoing call flow diagram 290 for establishing an outgoing call once a tunnel has been established. The outgoing call is established between an LAC and a LNS such as such as LAC 126, 142 and LNS 134 illustrated in
Once an outgoing call is established, a Set-Link-Info (SLI) message may be transmitted from the LNS to the LAC to re-negotiate call parameters. The SLI message may only re-negotiate PPP parameters as described in the L2TP RFC. However, by utilizing additional AVPs, an SLI message may be used to modify arbitrary call parameters.
Once a call has been established, the call may be torn down from either the LAC or LNS with the transmission of a Call-Disconnect-Notify (CDN) message. Upon receiving a CDN message, a party that receives the CDN message terminates the call and clean up call state. No acknowledgment of or response to the CDN message is sent to the originator of the message.
LT2P DIALOUT
By combining features of a mobility-based protocol with the L2TP architecture, the L2TP architecture may be modified to provide novel methods and systems for L2TP dialout and tunnel switching. In one embodiment, a mobile node places a call that is received by a foreign agent. Home agents are used to receive RRQ's from these foreign agents. The home agent optionally exchanges messages with an authorization, authentication and accounting (“AAA”) server to authenticate the call. A dialout policy may be used to facilitate this authentication step. According to an exemplary embodiment, the Mobile IP architecture is mapped onto a tunneling architecture, such as the standard L2TP architecture illustrated in
Due to the fact that many corporations and enterprises use L2TP for VPN remote access, wireless mobile IP services that are sold to enterprises by wireless service providers can add value by initiating L2TP tunnels to the enterprise from the home agent. Using the home agent for this service ensures that IP mobility will still take place, but the user data will not cross a public network unprotected.
A key component for such an L2TP dialout system for VPN remote access is shown in the network architecture 310 illustrated in
Mobile subscribers 312, 314, and 316 use a wireless service provider's cellular network to gain access to a foreign agent. For example, mobile subscribers 312 and 314 access FA 318 while mobile subscriber 316 accesses FA 320. Via mobile IP, FA 318 establishes a tunnel 322 to HA 326. Likewise, FA 320 establishes a tunnel 324 via mobile IP to HA 326. HA 326 then accesses AAA via Radius or Diameter 328 to authenticate a call or session.
RADIUS is an authentication, authorization and accounting protocol that is defined primarily in RFCs 2865 and 2866. When a client node logs on to a remote access server (such as an FA or and HA), the remote access server may access a Remote Authentication Dial In User Service (“RADIUS”) server to authenticate the node and furthermore may periodically send accounting records to the RADIUS server. These messages adhere to the RADIUS protocol. The RADIUS protocol for carrying authentication, authorization, and configuration information between a Network Access Server that desires to authenticate its links and a shared Authentication Server is described in Request for Comment (RFC) 2865, Remote Authentication Dial In User Server (RADIUS), C. Rigney, June 2000, herein entirely incorporated by reference and is available from the Internet Engineering Task Force (IETF) at www.ietf.org.
DIAMETER is another AAA protocol that largely accomplishes the same functions as RADIUS but has more robust behavior in the presence of network or device failure. The DIAMETER protocol herein entirely incorporated by reference and is available from the Internet Engineering Task Force (IETF) at www.ietf.org.
When HA 326 accesses AAA 330 in order to authenticate a session, AAA 330 may return an indicator that the user's session should be reflexively sent over and L2TP tunnel to a particular enterprise LNS. Alternatively, HA 326 may be statically configured to perform the tunneling based on a user's Network Access Identifier (“NAI”), user's domain, or an assigned IP address. The NAI comprises an identifier such as “server-a.xyz.com” and is a globally unique name.
Certain information can be configured either on the HA or on the AAA, per each enterprise. Such information may be used to configure a dialout policy. For example, such information should include an identification or listing of one or more Enterprise L2TP LNS's. Other information that can be configured includes the type of tunnel that can be established between the HA 326 and the Enterprise L2TP LNSs 336, 338. That is, specific information relating to L2TP, IPsec/L2TP, or other types of tunnel configurations may also be configured.
Other information could include the type of IP pool. Such an IP pool could belong to the enterprise rather than the service provider. Typically, the home agent assigns an IP address to a mobile node from one of its pools. These pools usually consist of IP addresses owned by the service provider. In a present approach, an IP pool used by an enterprise user can various forms. For example, the IP pool may be (1) owned by the service provider but dedicated to a particular enterprise, or (2) owned by the enterprise and used by the home agent to assign IP addresses to mobiles associated with that enterprise. Alternatively, the IP address may be assigned by an LNS rather than an HA. Taken either together, or in part, the enterprise configuration data and/or information may be generally referred to as a dialout policy.
These procedures are illustrated in two exemplary L2TP call flow diagrams. For example,
Call flow 350 begins when FA 353 sends a MIP RRQ message 360 to HA 354. MIP RRQ message could be similar to the RRQ message illustrated in
AAA server 356 then preferably sends a RADIUS access-accept message 364 to HA 354. After receiving RADIUS access-accept message 364, HA 354 examines a dialout policy 366. After examination of dialout policy 366, a L2TP tunnel is established between HA 354 and LNS 358. Subsequently, a L2TP session is established 370 between HA 354 and LNS 358. HA 354 and LNS 358 then commence PPP negotiation 372. After L2TP negotiation is complete 374, HA 354 enters the associated L2TP information (including the LNS IP address, call ID and session ID) into the mobile's MBR and sends an MIP RRP message 376 to FA 352. MIP RRP message could be similar to the RRP message illustrated in
After receiving RADIUS access-accept message 394, HA 384 examines dialout policy 396. After examination of dialout policy 396, a L2TP session is established 398 between HA 384 and LNS 388. HA 384 and LNS 388 then commence PPP negotiation 400. After L2TP negotiation is complete 402, HA 384 sends an MIP RRP message 404 to FA 382. MIP RRP message 404 may be returned earlier in call flow diagram 380 if an IP address is locally assigned.
User data is tunneled over the session once the session is established. In the forward (enterprise to mobile) direction, the outer IP header, L2TP and PPP headers are stripped off, and the remaining IP packet is encapsulated in GRE or IP to be sent down the Mobile IP tunnel. In the reverse (mobile to enterprise) direction, the outer IP and GRE (if present) headers are stripped off and the packet is placed in the appropriate L2TP session. Fast tunnel switching can occur by mapping the L2TP tunnel ID and session ID to the Mobile IP GRE key in the forward direction and performing the opposite mapping in the reverse direction.
Preferred embodiments of the present invention have been described herein. It will be understood, however, that changes may be made to the various features described without departing from the true spirit and scope of the invention, as defined by the following claims.