The present invention relates to techniques for accessing networks.
The invention was devised by paying specific attention to the possible application to scenarios where a mobile user is allowed to freely move between, say, a wide-area cellular network and so-called “hot spot” provided e.g. at an airport, a station, or the like.
Reference to those possible fields of application is of exemplary nature only and must not be construed in a limiting sense of the scope of the invention.
In order to gain access to a network, a user (fixed or mobile) must perform a set of authentication and authorization steps by providing his or her credentials to the network. The user terminal provides that information to an element of the access network (called the AAA client, where AAA is an acronym for Authentication, Authorization and Accounting). The AAA client checks the data received by interacting with a server (AAA server) in the network of the user provider.
In view of the different problems related to managing the two networks sections involved in the process, communication is based on two different protocols, namely:
Throughout this description, reference will be made to standards or norms of the rfc . . . , or draft- . . . type. The related information is publicly available at the filing date of the instant application on the IETF (Internet Engineering Task Force) website at http://www.ietf.org
The block diagram of
Specifically, in the diagram of the
When the scenario shown in
Specifically, the solution proposed by IETF in order to solve that problem is to use a Mobile IP protocol (MIP) or service which is available both for IPv4 (see rfc3344) and for IPv6 (see draft-ietf-mobileip-ipv6-24).
By adopting the Mobile IP protocol, two IP addresses are assigned to the user's Mobile Node MN: the former is the Home Address (HoA), which is never changed and is used to identify in an univocal manner the node identity; the latter is the Care-of Address (CoA), that is an address belonging to the visited sub-network and is used to identify the real position of the mobile terminal.
Any displacement leading to a change in the IP sub-network involved causes the mobile terminal to record a new Care-of Address with a server, designated Home Agent (HA), in the provider network UPN (see reference 106 in
Using the Mobile IP protocol requires the Mobile Node and the Home Agent to share a set of configuration parameters (the Home Address, the security parameters required in order to protect the signalling messages exchanged and so on). These must be set manually by the network administrator since the standards do not provide automatic mechanisms for initialising (or bootstrapping) the protocol when the Mobile Node is turned on. The manual intervention on the Home Agent and the Mobile Node also plays the role of an implicit authorization mechanism for using the service. Only those users that are explicitly enabled with the Home Agent may avail themselves of the Mobile IP service in order to maintain continuity of application sessions during displacements.
This approach is extremely cumbersome in terms of managing/administrative tasks in view of possible application within an operator network that may have millions of users and a correspondingly high number of Home Agents.
In order to solve that problem, a solution has been proposed within IETF known as the Mobile IPv6 Diameter Application (see draft-le-aaa-Diameter-mobileipv6-03). That solution defines a set of extensions of the Diameter protocol that may be used by an AAA server to exchange information concerning the Mobile IP service simultaneously with the authentication and authorization phase for network access. By using these extensions, the AAA server may control the Home Agent and dynamically send to the mobile node MN of the user U those parameters required for using the Mobile IP protocol (the Home Address, the Home Agent address, etc.). Interaction between the AAA server and the mobile node involves in any case the direct intervention of the AAA client: this one receives the information sent by the AAA server via the backbone protocol 104 (e.g. Diameter), and, after interpreting it, forwards it to the mobile node MN via new information fields defined in the access protocol 102. This arrangement is shown in
The arrangement shown in
Irrespective of these advantages, the arrangement shown of
First of all, the expected behaviour of the Mobile Node (user U) requires that, when entering a new network or at power-up, the Mobile Node MN listens to the router advertisements, computes the CoA, and creates messages with the CoA as the Source IP address and the AAA client address as the destination IP address (see for direct reference draft-le-aaa-Diameter-mobileipv6-03, page 12). In order to complete the procedure, the Mobile Node must therefore already have IP connectivity available. As a consequence, this prior art solution cannot be used in those access networks where interaction of the mobile terminal and the AAA client is via a level-2 authentication protocol (e.g. IEEE 802.1x). Level-2 authentication is widely diffused in view of the high security standard it provides. This means that the solution in question is not adapted for use in the majority of access network (both present and future).
Additionally, the AAA client, that is required to be the access router (that is it can not be a level-2 apparatus), actively takes part in the negotiation and configuration procedure of the Mobile IP service. Therefore it must support all the protocol extensions required. This significantly limits the platform flexibility, in that deploying new functions requires updating of all the access apparatuses in the network, which may be quite a few. This point is particularly critical in those cases where the Mobile Node is roaming within the network of a provider different from its Home Provider. Under these circumstances, it may be particularly difficult for the provider with whom the user has subscribed the service to ensure that the AAA client in the visited network actually supports all the functions requested for Mobile IPv6 protocol operation.
Finally, the backbone protocol used for exchanging information between the AAA client and the server must be essentially Diameter: in fact, the Radius protocol cannot be extended enough to permit implementing new messages and attributes required for communication between the client and the AAA server.
Essentially the same remarks apply to the solution disclosed in US-A-2003/0147537 (see also draft-ietf-aaa-Diameter-mobileip-15). There, a security key distribution and authentication protocol in AAA for Mobile IP is described. This protocol enhances the security, flexible, scalability of AAA, and aids in protecting the Diffie-Hellman algorithm from man-in-the-middle attacks. A secure registration path in AAA for Mobile IP is set up that provides a secretive and secure key distribution function for AAA.
The need therefore exists of defining arrangements (essentially in the form of architectures/protocols) adapted to integrate the authentication and authorization platform for accessing a network (AAA server and client) with the mobility management platform (HA) by overcoming the drawbacks highlighted in the foregoing while discussing the Mobile IPv6 Diameter application.
According to the present invention, that object is achieved by means of a method having the features said further in the claims that follow. The invention also relates to a corresponding system, a network arrangements based on such a system as well as a terminal, a server and a computer program product loadable in the memory of at least one computer and including software code portions for performing the method of the invention. As used herein, reference to such a computer program product is intended to be equivalent to reference to a computer-readable medium containing instructions for controlling a computer system to coordinate the performance of the method of the invention. Reference to “at least one computer” is evidently intended to highlight the possibility for the present invention to be implemented in a distributed/modular fashion.
A preferred embodiment of the invention is thus a method for negotiating the provision of a mobile IP service between a mobile node and a server in a network, wherein the method includes the steps of:
Specifically, the exemplary arrangement described herein includes provisions for:
The arrangement described herein is adapted for use in all access networks that use an EAP protocol (see for instance draft-ietf-eap-rfc2284bis-07) for authentication purposes and exploits the fact that certain EAP authentication methods (such as the method known as PEAPv2—see draft-josefsson-pppext-eap-tls-eap-07) create an encrypted communication channel between the Mobile Node and the AAA server, this channel being adapted both for exchanging authentication information and for transferring information fields that are not strictly related to the authentication process. The arrangement described herein exploits this communication channel in order to perform the exchange of information between the AAA server and the Mobile Node required for authorization purposes and for configuring the Mobile IP service. Upon mobile terminal power-up, all the messages required for activating the MIP service are transferred within RAP fields routed in a transparent way by the AAA client. Consequently, the AAA client simply performs a “pass through” function and does not play any active role in the negotiation process.
The arrangement described herein thus takes advantage of the possibility of exploiting an ZAP method (such as EAP-TLV) for transporting generic information. EAP and TLV are acronyms for Extensible Authentication Protocol and Type Length Value, respectively; see also documents such as draft-hiller-eap-tlv-01 (EAP-TLV) and draft-grayson-eap-authorization-01 (EAP Authorization).
Even if the invention has been described by taking as reference the EAP protocol, it will be apparent to those skilled in the art, that such a protocol can be replaced by any authentication protocol permitting the use of a backend authentication server (for example an AAA server) able to implement some or all authentication methods, with the access equipment (for example the AAA client) Acting as a pass-through for some or all authentication methods.
According to the present invention, the term authentication method refers in particular to the messages exchanged between the mobile node and the backend authentication server at least for authentication purposes.
The arrangement described herein retains all the advantages of prior art solution, while dispensing with the intrinsic limitations related thereto. Specifically, the arrangement described herein:
The invention will now be described, by way of example only, by referring to the enclosed figures of drawings, wherein:
The diagram of
A key difference between the arrangements shown in
Specifically, the arrangement described herein aims at integrating the authentication and authorization platform to access a network (that is AAA server and client) with the platform that manages mobility (i.e. Home Agent). The arrangement described hereby enables the administrator to control in an automatic way the configuration and activation of the Mobile IP service by acting only on the AAA server, where the service profiles of all users reside.
The objects that make up the architecture and participate in providing the related functions are the AAA server, the Home Agent HA, and the Mobile Node MN.
The AAA server has a residing module to control in a centralized way the initialisation of the Mobile IP (e.g. Mobile IPv6) service by providing comments and configuration information to the Mobile Node MN and the Home Agent HA.
The residing module of the AAA server can be stored on a memory device, removable or fixed, as for example a mass memory or disk, an internal memory of the server, as for example a ROM (Read Only Memory), a RAM (Random Access Memory) or a removable memory device as a CD.
The Home Agent has a residing module for managing a communication with the AAA server and keeping the configuration information required for using the Mobile IP service by the authorised users (e.g. home address, cryptographic material, privileges provided).
The Mobile Node MN (namely, the user U) has a residing module that, by interacting with the AAA server in an integrated manner with the authentication process, is in a position to collect automatically initialisation parameters required for starting the Mobile IP service on the terminal.
The residing module of the terminal can be stored on a memory device, removable or fixed, as for example a SIM card, a ROM (Read Only Memory), a CD, etc.
Conversely, the apparatus in the access network does not play any active role: specifically, the AAA client (Access Point, access router, and so on) only performs a pass-through function by routing in a transparent way the commands and informative contents exchange between the Mobile Node and the AAA server.
This represents a significant advantage in comparison with other architectures proposed at the IETF level. The configuration of the Mobile IP considered herein has the sole requirement that the access network visited uses the EAP protocol as the authentication protocol. Such a feature is particularly advantageous for deploying the architecture.
In fact, only very minor changes (at the software level) are required to be implemented with the AAA server and the mobile terminals, since the AAA client does not play an active role in the negotiation process of the service. This leads to a reduction in deployment costs and, more to the point, makes this arrangements adapted to be used easily even when the mobile terminal is roaming with a provider different from its Home Provider.
The arrangement described herein involves both the initial configuration of the Mobile Node and the Home Agent (namely the bootstrap phase of the Mobile Node) as well as a set of mechanisms adapted to manage user mobility and the subsequent re-authentication operations, closing of the sessions and the subsequent release of the network resources.
In the following, the exemplary case will be considered where the protocol used by the nodes comprising the AAA infrastructure is Diameter (rfc3588) and the information A related to authentication and authorization in communication between Mobile Node MN, AAA client and AAA server is transported by using the EAP protocol (draft-ietf-eap-rfc2284bis-07) and the authentication method PEAPv2 (protected EAP version 2, see draft-josefsson-pppext-eap-tls-eap-07). In the diagram of
For the sake of simplicity, it will be assumed that the access network is a Wireless LAN (WLAN) and the protocol used for communication between the Mobile Node MN and the AAA client is IEEE 802.1x.
As detailed in the following, an operation mode permitting application of the arrangement described herein to 2.5-3G radio mobile networks is also defined.
The bootstrap procedure described in the following is performed with the Mobile Node MN at power-up or upon a first connection to the network.
During that phase, the Mobile Node MN may request the use of the Mobile IP service and self-configure itself under the control of the AAA server, where the data concerning the respective subscription are stored.
The bootstrap procedure described herein has the following purposes:
configuring in a dynamic way the parameters required for using the Mobile IP service both on the Home Agent HA and the Mobile Node MN; specifically, the possibility exists of communicating to the Mobile Node MN the home address, the address of the Home Agent HA allotted thereto and the cryptographic material required for bootstrapping the IPsec Security Association with the Home Agent HA (that is the security relationship required for ensuring the authenticity of the signalling messages exchanged), and
For the sake of completeness, the general case is considered where the user is roaming within the network of a Visited Provider VP different from his or her own Home Provider HP. In the case the user is connected to the network of the Home Provider, the procedure is essentially the same or, more to the point, slightly simpler in that communication between the Access Point AP and the AAA server may take place without resorting to a AAA Proxy.
The procedure represented in
The first phase, designated I), marks the start of EAP communication. This is prompted by the Access Point AP requesting the Mobile Node MN, in a step 200, for its identity. This identity (e.g. the so-called Network Access Identifier or NAI) is sent by the Mobile Node MN to the Access Point AP in a step 202. The phase described is totally compliant with the standard documented in draft-ietf-eap-rfc2284bis-07, pages 7-8. The step 202 is followed by two further steps 204 and 206 wherein the Diameter EAP Request is sent from the Access Point to the AAA server via the AAA proxy (which is not present in the case the Mobile Node MN is connected to the Home Provider network).
In the subsequent phase, designated II), the Mobile Node MN and the AAA server set up a TLS (Transport Layer Security) tunnel with the purpose of protecting the authentication information. Also this phase is totally in compliance with the PEAPv2 protocol.
In a further PEAPv2 phase, designated III), in addition to performing in a step 210 the authentication procedure as described in draft-josefsson-pppext-eap-tls-eap-07, pages 16-19, the Mobile Node MN and the AAA server exchange a set of attributes (for instance, EAP-TLV—see draft-josefsson-pppext-eap-tls-eap-07, pages 29-35) defined herein in order to authorise, negotiate and configure the Mobile IP service. Additionally, in a step 218 the AAA server selects a Home Agent HA adapted to serve the Mobile Node and communicates to that Home Agent a set of configuration and authorization parameters related to the Mobile Node MN by using corresponding extensions defined for the Diameter protocol.
In the phase designated IV), once the user is authenticated and the Mobile IP service is negotiated, the EAP/PEAPv2 communication is closed as provided in draft-josefsson-pppext-eap-tls-eap-07 pages 16-19 and draft-ietf-eap-rfc2284bis-07, page 8. Specifically, the phase IV) shown in
Finally, the phase designated V) is comprised of a step 220 corresponding to the set-up of the Security Association SA IPsec between the Mobile Node MN and the Home Agent HA. Separately from the EAP communication, the Mobile Node MN and the Home Agent HA negotiate Security Association IPsec by using the procedure described in rfc2409 (IKE, Internet Key Exchange). The communication between the Mobile Node MN and the AAA server as well as between the AAA server and the Home Agent (HA) taking place during the phase III) provides the necessary cryptographic material for that negotiation (pre-shared key, digital certificates and so on).
The procedure outlined in the foregoing will now be detailed in connection with the figures that follow
The bootstrap procedure in the Mobile Node MN starts with a network access and authentication phase that is essentially as provided in the PEAPv2 protocol (see draft-josefsson-pppext-eap-tls-eap-07), for communication between the Mobile Node and the AAA server, and in the Diameter EAP Application (see draft-ietf-aaa-eap-03), for transporting EAP messages in Diameter.
First of all, EAP messages are exchanged with the purpose of setting up a TLS tunnel (that is an encrypted channel) between the Mobile Node MN and the AAA server. The corresponding sequence is highlighted in
For the sake of clarity, the conventions used to represent Diameter and EAP messages throughout this application are summarized here below:
to simplify the notation, the TLVs contained in the IPv6-Authorization-TLV are written omitting the “-TLV” suffix.
For a complete description of the messages exchanged and their contents reference may be once again to draft-josefsson-pppext-eap-tls-eap-07.
Once the TLS tunnel is set up, the authentication procedure takes place as detailed in
All the messages exchanged between the AAA server and the Mobile Node MN are encrypted by means of the TLS security relationship previously created. Authentication of the Mobile Node MN may take place by using any of the defined EAP methods (e.g. EAP-SIM or EAP-AKA for SIM-card based authentication). The choice for the method obviously affects the number of Round Trips required to complete the authentication procedure (that is the number of crossings of the network portion between the Mobile Node MN and the AAA server).
Again, a list is provided in the following of the meaning/contents of the steps designated by reference numbers 400 to 438 in
The steps represented in
In the standard case where PEAPv2 is used for user authentication only, the AAA server terminates the EAP communication with the Mobile Node by means of an EAP-Success message. In the present case, however, EAP communication is not terminated in that the procedure also foresees negotiation of the Mobile IP service. For that reason, as shown in
When the authentication phase is concluded, namely after the EAP response message containing the Intermediate-Result-TLV (see step 436 in
The AAA server inserts in such first message, within the MIP6-Authorization-TLV, a so-called Service-Status-TLV, used to communicate to the Mobile Node MN whether the Mobile IPv6 service is actually available, or unavailable, in the visited location; this might depend on characteristics of the visited domain, on the user service profile or on other administrative rules (for example, service accountability). Optionally the AAA server can insert also a Service-Options-TLV, used to specify other service options the MN can ask for (for example, possibility to register multiple CoAs).
This kind of operation is highlighted in
Again, in the sequence of the
Specifically, the Mobile Node MN responds to the message sent by the AAA server by indicating whether the Mobile IP service is to be activated and, possibly, the related options.
The message in question includes the following TLVS:
In the case the Mobile Node MN indicates by means of the Service-Selection-TLV that it does not wish to use the Mobile IP service, the AAA server terminates communication as better detailed in the following.
Conversely, when the Mobile Node MN wishes to negotiate the Mobile IP service, the AAA server determines a Home Agent HA adapted for that purpose by using a Home Agent selection algorithm. A detailed description of that algorithm is beyond the scope of this application. The variables to be taken into account for selecting an optimum Home Agent are: the position of the Mobile Node, the suggestions provided by the Mobile Node by means of the Home-Address-TLV and the Home-Agent-Address-TLV, the current number of users (load) served by each of available Home Agents, and so on.
As soon as a suitable HA has been identified, the AAA server interacts with it to dynamically configure all the state needed to enable subsequent Mobile IPv6 protocol operations. This kind of operation is highlighted in
For communication between the AAA server and the Home Agent HA, Diameter is preferably used by defining a new application. This means that the Home Agent must also support the Diameter protocol and, specifically, the Diameter Base Protocol (see rfc3588) and the application described herein.
Once the Home Agent has been selected, the AAA server sends a Diameter message called Home Address Request containing a User-Name AVP with the Network Access Identifier for the user (see the diagram of
The Home Agent chooses a Home Address for the Mobile Node by generating an interface identifier (for example based on rfc3041) or, possibly, by using the identifier indicated by the user in the Interface-Identifier-TLV. Then, the Duplicate Address Detection (DAD) procedure is performed for the selected Home Address as indicated in
If the DAD procedure is completed successfully, the Home Agent HA starts defending the address by means of the Proxy Neighbour Discovery protocol in a manner identical as provided in the Mobile IP specification (see draft-ietf-mobileip-ipv6-24, pages 72-73) and sends a Home Address Answer message by indicating the NAI of the user (within a User-Name AVP) and the address selected (within a Home-Address AVP). In the case the DAD procedure is not successful, the Home Agent HA repeats the whole procedure starting from the Home Address generation step. If the procedure fails for a number of times (for instance three times) the Home Agent HA sends the Home Address Answer message to the AAA server with Result-Code=FAILURE. Error management may be made more comprehensive by defining different Result-Codes depending on the type of error.
In this latter case, for instance, one may use Result-Code-FAILURE_DAD.
Specific attention must be devoted to the procedure used by the HA to defend the Home Address, in that the following situation may occur. The Home Agent HA communicates to the AAA server a Home Address and starts defending that address. Based on the Mobile IPv6 standard, when the Home Agent is reached by a Binding
Update (BU) message that is not an updating of an entry already existing within the Binding Cache (that is, the first MIPv6 registration message sent by the Mobile Node), it must perform the DAD procedure for the Home Address contained in the BU. Since the same Home Agent HA is already defending that address, it may happen that it considers the address in question as already taken, and therefore, rejects the MIPv6 registration request. In order to solve that problem, when the Home Agent sends the Home Address Answer message containing a Home Address, a dummy entry is inserted in the Binding Cache including the Home Address and an Unspecified Address (such as ::) as the Care-Of Address. In that way, the BU message reaching the Home Agent does not correspond to the creation of a new entry but just to an updating of an already existing entry, whereby the Home Agent does not performs the DAD procedure.
The arrangement described herein also provides for the AAA server to perform the role of Key Distribution Centre for the Mobile Node MN and the Home Agent HA by sending the cryptographic information to both nodes in such a way to permit bootstrapping of the security relationship mandated by the MIPv6 standard. The procedure provides for the AAA server to perform an IKE Configuration Selection 700 and send to the Home Agent HA a Home Agent Configuration Request message 701 containing the following Attribute Value Pairs or AVPs (see
in addition to that information, the AAA server may also send a Policy AVP indicating a set of policies (for example, filtering rules) to be enforced by the Home Agent on the Mobile Node traffic.
The need therefore arises for the Home Agent to store for each user a set of information items concerning the authorization to use the Mobile IP service and the cryptographic material required for activating the service itself.
For that purpose, a data structure, called Service Authorization Cache, is used. As shown in
Once these information items have been stored, the Home Agent HA sends to the AAA server (in a step 702) a Home Agent Configuration Answer message. This message is intended to confirm, by means of a Result-Code AVP, the success of registration.
After receiving the Home Agent Configuration Answer message, the AAA server re-starts EAP communication with the Mobile Node. Therefore, it sends an EAP message, where, within the MIPv6-Authorization-TLV, the information concerning the Mobile IPv6 configuration is inserted in corresponding TLVs: the Home Address, the Home Agent Address and the information needed for IKE bootstrap.
The diagram of
Once the configuration information is received, the Mobile Node MN responds by means of a MIPv6-Authorization-TLV including a Result-TLV to indicate that the activation of the service has been accepted (see step 806 in
Communication between the AAA server and the Mobile Node MN is completed as shown in
The AAA server sends a message with Result-Code equal to DIAMETER_SUCCESS and possible Authorization AVP for configuring filter policies on the access apparatus (in the instant case represented by the Access Point AP).
For the purposes of EAP communication between the AAA server and the Mobile Node, this latter has now all the information required for performing a Mobile IPv6 registration with the Home Agent allotted. In fact, the Mobile Node MN has now available its own Home Address, the Home Agent address, the cryptographic material for establishing a security relationship with the Home Agent. Additionally, as result of the procedure, the Mobile Node MN has also gained access to the visited link, and, therefore has obtained a Care-of Address via IPv6 auto-configuration (for example, rfc2462).
At this stage the Mobile Node MN undertakes all the steps necessary to activate Mobile IPv6 protocol operation (that is, the negotiation of the Security Association with IKE and the MIPv6 registration).
Setting up the Security Association between the Mobile Node MN and the Home Agent HA that protects (based on draft-ietf-mobileip-ipv6-24) the Mobile IPv6 signalling takes place as described in draft-ietf-mobileip-mipv6-ha-ipsec-04. Consequently, this part of the procedure is completely compliant with the standard.
In detail:
Once the Security Association has been negotiated, the Mobile Node MN sends to the Home Agent HA the Binding Update message 1004 to register its own Care-of Address, thereby activating the Mobile IPv6 service. At this point, after the Home Agent HA sends a corresponding acknowledgment message 1006, the bootstrap procedure is completed and the Mobile Node can start communicating.
It will be appreciated that the procedure shown in
The bootstrap procedure between the Mobile Node MN and the AAA server described in the foregoing requires 13.5 RTT units to be completed (9 RTTs for the negotiation phase, 3.5 RTTs for IKE and 1 RTT for MIPv6 registration).
A number of optimisation steps can be introduced in order to make the whole procedure faster, by saving one or more RTTs. However, since the whole procedure may be performed only at the Mobile Node bootstrap, the time requirements are not critical. The converse is true in the case the procedure is intended to be performed during Mobile Node handover.
In the first place, the bootstrap procedure can be improved by using the optimisation introduced in draft-josefsson-pppext-eap-tls-eap-07 as shown in
In brief, the AAA server may insert the first message (400 in
Additionally, the PEAPv2 protocol provides for the messages in the EAP communication being contained in TLVs called EAP-Payload-TLVs. In that way, several procedures can be performed simultaneously by using different TLVs for separating the different procedures.
Specifically, the negotiation procedure for the MIPv6 service can be performed in partial or complete superposition with the authentication procedure.
In detail, in the arrangement shown in
This kind of optimisation leads to saving two RTTs in comparison with the previous case. Both exchanges for negotiating the Mobile IP service are in fact absorbed in the authentication procedure. Consequently, by using the two optimisation steps considered, the procedure time occupation is decreased from 9 to 6 RTTs. Additionally, the time for the Home Agent to complete the DAD procedure is partially or totally absorbed within the authentication procedure.
The authentication and authorization steps to gain access to the network are repeated by the Mobile Node MN at certain time-outs and in the case of displacement involving a change of point of attachment (e.g. Access Point) into the network. In that case re-authentication procedure is performed leading to the user identity to be checked again along with his or her right to continue exploitation of the network resources. To that purpose the server may repeat a full authentication or, alternatively, decide to use optimisations in order to make the procedure faster. Once this phase is completed the AAA server starts the re-negotiation phase of the Mobile IP service. This may occur in different ways depending on the service state for the user involved.
If the service is not currently active for the user, the server behaves exactly as in the bootstrap phase described in the foregoing proposing activation of the service itself by means of the MIPv6-Authorization-TLV. The Mobile Node responds as previously described.
If the service is already active for the user, the server sends the MIPv6-Authorization-TLV with the Service-Status-TLV and Service-Options-TLV as shown in
More specifically, the steps/messages indicated by the reference numerals 1300 to 1338 in
In the re-authentication procedure shown in
The example shown in
Conversely, if the Mobile Node MN has indicated the willingness to change the current Mobile IPv6 service configuration the AAA server responds by providing the parameters possibly necessary for re-configuring the service using the MIPv6-Authorization-TLV and the procedure goes on as in the bootstrap phase.
Upon completion of the re-authentication phase, including a possible re-negotiation of the service, the Mobile Node MN may proceed directly by sending the Binding Update message 1336 toward the Home Agent HA by using the IPsec Security Association negotiated during the bootstrap phase.
As a whole, the re-authentication procedure described takes 10 RTT units, when considering a method requiring two RTTs (for instance EAP-AKA) as the authentication method and assuming the Mobile Node thus not require any changes in the service configuration. Consequently, 3.5 RTT units are saved in comparison with the bootstrap phase in that the node already shares with the Home Agent HA the IPsec Security Association, whereby no need exists of repeating the IKE phase.
The delay involved in completing the re-authentication procedure may be reduced by resorting to the optimisation steps already described in the foregoing with reference to the bootstrap phase and, possibly by exploiting some additional optimisations included in the PEAPV2 protocol: for instance the fast resume of the TLS tunnel (see draft-josefsson-pppext-eap-tls-eap-07, pages 14-15) and the fast reconnect options described at pages 44-45 of the same reference document.
When utilization of the negotiated service is discontinued the session needs to be closed and the allocated resources (Home Agent, Home Address, and so on) released.
The session may be closed in two different ways depending whether such action is prompted by the AAA server or the Mobile Node MN.
The diagrams of
The AAA server may decide to close the session at any moment, for instance due to credit exhaustion or as result of a specific indication by the Mobile Node MN during the re-authentication phase. Generally speaking, in order to discontinue provision of the service, the server sends an Abort Session Request message to the Diameter client providing the service. The Diameter client forcibly disconnects the user, releases the resources possibly allocated and confirms the service having being discontinued by means of an Abort Session Answer message.
If a plurality of clients are involved in the service provision that is discontinued, the Abort Session message is sent to all the Diameter clients involved. In the specific case of the Mobile IP service, the two Diameter clients involved are the Home Agent and the point of attachment, that is the apparatus providing access to the network (for example the Access Point).
In the diagram of
In the case the Mobile Node MN wishes to disconnect from the network, the Mobile Node MN sends an EAPOL-Logoff message (1500 in
At the reception of the Session Termination Request message 1504, the AAA server releases the resources allocated on the HA exchanging Abort Session Request and Answer messages with it (represented by the messages 1510 and 1512 in
The AAA server may possibly decide to adopt different policies for releasing the resources depending on the service involved and/or the user profile.
For instance, for the Mobile IPv6 service, the AAA server may decide not to release the resources on the Home Agent HA in order to allow the user to exploit the service even when he or she moves to a network for which no roaming agreements exist (this be the case of a corporate network, or a network providing free and cost-free access). In that case, Security Association negotiated between the Mobile Node MN and the Home Agent is still valid and respective authorization is managed by means of the Authorization Lifetime. Once this lifetime expires (however, such lifetime may be of infinite duration, in which case the resources are not released until they are possibly re-negotiated as described in the foregoing) the Home Agent HA asks the AAA server to indicate if the provisioned service may be continued and decides whether the resources are to be released or not depending on the response received.
The arrangement described in the foregoing is applicable also when the user accesses a radio mobile network, such as a cellular telephone network (e.g. 2.5-3G), where EAP is not used for user authentication.
In 2.5-3G networks access control and IP address assignment are managed by means of protocols that are specific of cellular networks (for instance, SS7/MAP) and therefore do not support the use for EAP.
Based on the procedure used in radio mobile networks, at the end of registration operations, the user is allotted an IP address by activating a PDP Context. This corresponds to establishing a direct level-3 communication channel between the Mobile Node and the Gateway Serving/Support Node (GGSN).
Those of skill in the art will promptly appreciate that, even though derived from GPRS terminology, the designation GGSN is used herein to apply also to—any—node performing similar or equivalent functions in a network based on a standard different from GPRS.
In order to negotiate the Mobile IPv6 service on cellular networks using the same procedure defined in the foregoing for Wireless LANs, a level-3 transport for EAP is required. This may be offered by the PANA protocol (see draft-ietf-pana-pana-02). This protocol was originally created for access control, but may be used also for the sole purpose of negotiating and configuring additional services. Adaptation to mobile radio networks within the context of the present invention provides for a PANA session being set up between the Mobile Node MN and the GGSN node. During that session, the Mobile Node may communicate with the AAA server and negotiate (or re-negotiate) the Mobile IP service.
Once again, the meaning/contents of the various steps/messages indicated by the reference numerals 1600 to 1630 in
The procedure shown in
Firstly, the GGSN node and the Mobile Node MN exchange two messages (1602 and 1604) to activate a PANA session within the PDP Context previously activated in a step 1600.
Subsequently, the GGSN node sends to the AAA server a Diameter EAP Request message 1606 containing the user identifier (NAI) and an empty EAP packet indicating to the server the need of starting an EAP exchange. The user identifier can be created starting from the data contained in the SIM/USIM of the user itself and does not require by way of necessity a domain insertion. In fact, the Mobile Node MN always activates a PDP context with a GGSN node managed by its Home Provider.
The NAI is constructed and inserted directly by the GGSN node and not by the Mobile Node MN. In this way the AAA server does not need to undertake a new authentication phase to verify the identity of the Mobile Node MN. This is because, the GGSN, which is a trusted node, communicates directly to the AAA server the identity with whom the user has activated the PDP Context and which was previously verified using protocols, other than EAP, specific of cellular networks (for instance, SS7/MAP).
At the reception of the Diameter FAP Request message 1606 from the GGSN, the AAA server understands that the user was already authenticated through SS7/MAP and starts directly the negotiation phase for the MIPv6 service, as defined in the foregoing, by means of an EAP-TLV message with the MIPv6-Authorization-TLV. This phase also includes a communication between the AAA server and the Home Agent HA which is repeated as described in the foregoing in the case of accessing WLAN.
Finally, an EAP Success message 1626 is sent by the AAA server to GGSN node, which forwards it to the Mobile Node (as a message 1628) via the PANA-Bind-Request. The Mobile Node MN confirms reception via the PANA-Bind-Answer message 1630.
The Mobile Node MN may request the termination of the PANA session, and consequently the release of the MIPv6 service, by means of a PANA-Termination-Request message sent to the GGSN node. Conversely, if delivery of the MIPv6 service is discontinued by the AAA server, the server sends a Diameter Abort Session Request message to the Home Agent HA.
Therefore, in comparison with the exemplary case considered in the foregoing (Wireless LAN), the user can just discontinue delivery of the Mobile IPv6 service while maintaining connection to the network. Instead, in the exemplary case considered in the foregoing, the user can discontinue the service only by re-negotiating it during re-authentication phase or by disconnecting from the network.
The main advantage of this procedure lies in the possibility of using again those messages and TLVs previously defined even when the user accesses a Radio Mobile Network. In that case, however, it is not generally possible to negotiate the Mobile IPv6 service while accessing the network as is the case when a WLAN network is accessed.
The final part of this description details the format of TLVs (Type Length Value) and AVPs (Attribute Value Pair) as defined previously.
The general format of an EAP TLV is shown in
For a communication between the Mobile Node MN and the AAA server the following TLVs are defined:
The field designated IKE phase 1 Mode identifies the mode to be used in IKE phase 1 (that is Main Mode or Aggressive Mode).
The field designated Authentication Information contains the cryptographic material for negotiating the Security Association. The content of this field depends of the value of the field designated Authentication Type.
In the arrangement described herein only the use of a Pre-Shared Key has been defined.
Key Length (and defines the length of the Pre-Shared Key),
Key Lifetime (indicating the lifetime of the Pre-Shared Key used; this can be set to an infinite value), and
Key Value (indicates the value of the key).
The AVPs defined herein and used in communication between the AAA client and the AAA server and between the Home Agent HA and AAA server are as follows (the description is based on the conventions and type definitions specified in rfc3588):
Furthermore other types of AVPs already defined in other documents where used namely:
It will be appreciated that the exemplary embodiments of the invention considered in the foregoing refer to a situation where:
Those of skill in the art will promptly appreciate that the choices indicated in the foregoing are of purely exemplary nature and are in no way mandatory, the same applying also to the general context considered in the foregoing. Specifically, it will be appreciated that the invention may be applied not only for negotiating a Mobile IPv6 service but also e.g. a Mobile IPv4 service.
Those of skill in the art will promptly appreciate that a cellular telephone network as referred to in the foregoing is just one, non limiting example of those networks wherein EAP can be applied in order to implement the arrangement described herein even if the network, per se, uses methods other than EAP for authentication purposes.
Additionally, the architecture disclosed can be easily extended to arrangements wherein:
The invention has been described by taking as reference the EAP protocol, but as will be apparent to those skilled in the art, such a protocol can be replaced by any authentication protocol permitting the use of a backend authentication server (for example an AAA server) able to implement some or all authentication methods, with the access equipment (for example the AAA client) acting as a pass-through for some or all authentication methods.
According to the present invention, the term authentication method refers in particular to the messages exchanged between the mobile node and the backend authentication server at least for authentication purposes.
It is thus evident that, without prejudice to the underlined principle of the invention, the details and the embodiments may vary, also significantly, with respect to what has been described by way of example only, without departing from the scope of the invention as defined by the claims that follow.
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP04/01105 | 2/6/2004 | WO | 8/4/2006 |