Title of Invention

SYSTEM AND METHOD FOR PROVIDING MOBILITY AND SECURE TUNNEL USING MOBILE INTERNET PROTOCOL WITHIN INTERNET KEY EXCHANGE PROTOCOL VERSION 2

Abstract
The present invention is related to the scenario where a roaming Mobile Node (MN) needs to connect to a Network Gateway (NGW) for establishing a secure data path using the IPsec procedure. Also Mobile IP (MIP) is used to support the mobility of the MN. However, when the Home Address of the MN is not known, a cyclic interdependency is observed between the IPsec procedures and the MIP procedures. This happens as the IPsec procedure requires the Home Address, and MIP requires the IPsec tunnel for transmitting its messages. The system of the invention comprises an MN capable of IPsec and MIP procedures, an NGW contained in either the foreign network or the home network, a foreign agent collocated with the NGW, and a Home Agent in the home network. The method of the invention comprises mechanisms which solve the problems associated with the current art, as mentioned below: The initial request for any PS service is made by initiating an IPsec tunnel establishment request (IKEv2 procedure) with the NGW. After the authentication procedure within the IKEv2 protocol is over (this can be optional), the MN transmits the MIP registration messages within the IKEv2 message to the NGW. After the Mobile IP Registration is completed, the Home Address of the MN is known from the MIP Registration Reply. The MN forms a secured tunnel with the NGW. Thus the MN can be provided with both security and the mobility related services.
Full Text
FIELD OF TECHNOLOGY
This invention relates in general to mobile communications technology. Specifically, it is related to mobility and the creation of a secure tunnel between a Mobile Node (MN) and a Network Gateway (NGW). More particularly, this invention provides a system and method to support mobility and secure tunnel creation when the Home Address of the MN is not known while the MN requests the Packet Switched (PS) service in the foreign network. The scope of the invention also covers the case when the Home Address as well as the Home Agent address and the Home network prefix of the MN are not known.

DESCRIPTION OF RELATED ART
The Mobility and the secure tunnel establishment procedure for the scenario as depicted in Figure 1 works as below:
1. When the MN roams in a foreign network, the MN forms a tunnel with the NGW to obtain Packet Services provided by the network. This can be done, for example, to provide secure access over an untrusted interface (e.g. an air interface with inadequate security).
2. The foreign network can provide a Local IP address to the MN (the Local IP Address is routable only up to the NGW), while the Remote IP address through which the MN is accessible to the outside world is to be provided by the external network which the MN is trying to reach for the service (in this case we assume the home network obtains the IP address from the external network and sends it to the MN).
MIP is used for providing mobility services when a mobile roams from one (sub) network to another (sub) network. MIP requires a node in the foreign network acting as a foreign agent, and a node in home network acting as a Home Agent.

When an MN roams into a foreign network, it sends a registration request through the Foreign Agent to the Home Agent, indicating that it is available at the given IP address.
When the MN requires a new service:
1. The IP address of the NGW which provides the service is obtained by DNS query or by some other means. IKEv2 messaging is carried out between the MN and NGW (with optional authentication) to establish the IPsec SAs. At the end of the IKEv2 signaling a tunnel is formed between the MN and the NGW which acts as a data path.
2. Once the tunnel is formed MIP Registration request is sent to the Home Agent through FA. HA sends the Registration reply. If successful, the UE can now securely receive packets destined to it even when it roams in different foreign network.
Currently there is no mechanism for the following:
1. Providing IPsec and mobility in the scenario where the Home Address of the MN is unknown.
2. Breaking the cyclic interdependency between IPsec tunnel formation and MIP Registration signaling.
SUMMARY OF THE INVENTION
The primary object of the invention is to define an extension to the IKEv2 protocol to carry MIP messages to support mobility.
It is another object of the invention to define a method to break the cyclic interdependency between the requirement of a Remote IP address for the IPsec SA (which can be obtained from the MIP Registration process) and the requirement of an IPsec SA between the NGW and the MN for transporting the MIP Registration Request messages.

It is another object of this invention to specify the IKEv2 message extensions to carry the MIP messages used during the procedure.
This invention provides a system and method to perform Mobility using IKEv2 extensions to carry MIP messages. By incorporating MIP messages within IKEv2 protocol, this invention provides the ability to solve the cyclic interdependency between requirement of Remote IP address (Home Address) for IPsec SA and the requirement of IPsec SA between NGW and the MN for transporting the Mobile IP (MIP) Registration Request messages.
Consider a scenario where the Mobile Node roams to a foreign network which does not provide adequate over the air security. Also consider that NGW is a trusted entity either in foreign network or in home network. NGW provides secure path to any node in the home network. Thus, to provide secure communication channel between MN and home network, we consider forming an IPsec tunnel between MN and NGW.
The present invention enables the MN to:
• Roam while keeping the sessions alive;
• Provide security to MIP messages even when the Home Address of the MN is not known;
The present invention relates to a system that needs to form an IPsec tunnel with a foreign entity NGW. The invention also relates to a system that requires performing the MIP registration for mobility services. Further, this invention provides mechanisms for the case where the Home Address of the MN is not known and the MN requests for the PS service in the foreign network.
The system of the invention comprises an MN capable of roaming in foreign networks, a Network Gateway, a Foreign Agent in the foreign network (which might or might not be collocated with the NGW) and a Home Agent (HA) in the home network.

The present invention comprises a system and method which solve the problems associated with the current art, as mentioned below.
1. The MN forms the tunnel with NGW. (Though we assume IKEv2 is used to establish the tunnel, any similar protocol may be used for the tunnel establishment).
2. The MIP messages are carried during the tunnel establishment within the IKEv2 messages and are passed to the Home Agent through the NGW and FA (if the FA is not co-located with the NGW).
3. If the MIP registration is successful, the HA sends the MIP Registration Reply containing the Home Address of the MN, which is relayed by the FA, after registering the MN in its visitor's cache, to the NGW. The NGW forwards it to the MN within the IKE_AUTH message of the IKEv2 protocol. The MN can extract the Home IP address and the Home Agent address from the MIP Registration Reply message.
4. The MN and the NGW now establish the tunnel by configuring the IPsec SA from the IKE_AUTH message (of IKEv2) using the Home IP address of the MN.
Accordingly, the present invention comprises a method for providing mobility and establishing a secure tunnel using IKEv2 messages and MIP messages between the Mobile Node (MN) or user equipment (UE) and the Network Gateway (NGW) wherein the cyclic interdependency between requirement of Home Address for IPsec SA and the requirement of IPsec SA between NGW and MN for transporting the MIP Registration Request messages is broken.
Accordingly, the present invention further comprises a system for providing mobility and establishing a secure tunnel using IKEv2 messages and MIP messages between the Mobile Node (MN) or user equipment (UE) and the Network Gateway (NGW), wherein the said system comprises an MN capable of IPsec and MIP procedures, a Network Gateway contained in either the foreign network or the home network, a foreign agent collocated with the NGW, and a Home Agent in the home network.
The other objects, features and advantages of the present invention will be apparent from the ensuing detailed description of the invention taken in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS
Figure 1 illustrates the different network elements of the system considered in the invention.
Figure 2 illustrates the different network elements of a WLAN-3G interworking system involved in establishing an End-To-End tunnel and mobility support between the UE and the PDG.
Figure 3 illustrates the sequence for establishing the IPsec tunnel and MIP registration when the Home Address is not known and the FA and the NGW are co-located.
DETAILED DESCRIPTION OF THE INVENTION
A preferred embodiment of the present invention will now be explained with reference to the accompanying drawings. It should be understood however that the disclosed embodiment is merely exemplary of the invention, which may be embodied in various forms. The following description and drawings are not to be construed as limiting the invention, and numerous specific details are described to provide a thorough understanding of the present invention, as the basis for the claims and as a basis for teaching one skilled in the art how to make and/or use the invention. However, in certain instances, well-known or conventional details are not described in order not to unnecessarily obscure the present invention in detail.
The present invention provides a system and method for providing mobility of a mobile node (MN) which requires a secured tunnel to communicate over using the Mobile Internet Protocol (MIP).
The method of the invention comprises the mechanisms to break the cyclic interdependency between the requirement of the Home IP address of the MN for the IPsec SA and the requirement of an IPsec SA between the NGW and the MN for transporting the MIP Registration. When the MN initially accesses a foreign network, it has no Home Address. But the Home IP Address of the MN is essential to establish the IPsec tunnel between the MN and the NGW and to tunnel all the packets to and from the MN by the NGW. Therefore, the described method comprises a mechanism for allocating a Home Address to the MN during the IPsec tunnel setup.
To obtain a Home IP address from the HA, the IKEv2 protocol is extended to carry the MIP messages from the MN to the NGW. The NGW extracts the MIP messages and forwards them to the FA. The FA forwards the MIP message to the AAA server for authentication and to obtain the IP address of the MN from the HA, relays the MIP Registration Reply to the NGW, and the NGW forwards it within the IKE_AUTH response message. Also the FA registers the UE in its visitor's cache according to the normal MIP protocol (according to the IETF RFC).
One assumption when using the Mobile-AAA Authentication extension is that the MN and the AAA server share an AAA Security Association. In this document, it is assumed that the MN and the AAA server share at least one AAA Security Association. It is also assumed that an AAA Security Association between the MN and the AAA server is dynamically created or updated after the AAA server authenticates the MN using an EAP method during the IPsec tunnel setup (according to the IETF EAP procedures). The shared secret of this AAA Security Association is any key derived from the Master Key after the IKEv2 authentication as a result of the EAP procedure within IKEv2. Further, the MN is capable of IPsec and MIP procedures, the network gateway is contained in either the foreign network or the home network, the foreign agent is collocated with the NGW, and a Home Agent is in the home network.
The operation of the invention is detailed below:
Establishment of Tunnel and MIP Registration between MN and NGW using MIP messages within the IKEv2 Messages
1. When an MN needs to access a service provided by the network, it needs to form a tunnel with an NGW which can provide the service. The IP address of the NGW can be found by DNS query or by some other means.
2. The MN initiates an IPsec tunnel establishment request with the NGW. As a part of the tunnel establishment, the user can be authenticated and authorized for the service.
3. [Optional] After the EAP authentication procedure within IKEv2, Mobile Agent Solicitation and Advertisement can be exchanged within the IKEv2 messages.
4. The MIP Registration message is passed within the IKEv2 messages from the MN to the NGW. The MIP registration message can include the NAI, the MN_HA keygen nonce, and the MN_AAA authentication extensions (if the home agent address and home network prefix are not known).
5. The NGW extracts the MIP Registration message and forwards it to the FA, if the FA and the NGW are not co-located. Then the MIP Registration message is processed normally at the FA and forwarded to the AAA server. The AAA server processes the MIP Registration request as in the normal MIP protocol and forwards it to an HA which can serve the MN.
6. The HA sends the Mobile IP Registration Reply with the Home Address, if registration is successful, to the FA. The FA processes the registration reply message and registers the MN in its visitor's cache. The FA then forwards the MIP Registration Reply to the NGW, if the FA and the NGW are not co-located.
7. The NGW relays the MIP Registration Reply message within the IKE_AUTH reply message of IKEv2 to the MN, with the TS and SA payloads to form the IPsec SA between the MN and the NGW, using the Home IP address of the MN.
8. On receiving the Registration Reply within the IKE_AUTH reply message of IKEv2, the MN extracts the Home Address. It also creates a new SA with the Home IP address. Thus the secured data path to the network is created.
An illustrative Example for the operation of the invention:
A 3G-WLAN interworking scenario is considered here. The 3GPP (http://www.3gpp.org) specification TS 23.234, which deals with the ongoing 3GPP work related to WLAN-3G interworking, provides a system description for the tunnel establishment mechanism between a WLAN-3G UE and a PDG over a WLAN-3G interworking system, as depicted in Figure 2. The different network elements of a WLAN-3G interworking system involved in establishing an End-To-End tunnel and mobility support between the UE and the PDG, shown in Figure 2, function as below:
1. WLAN UE - User Equipment, to initiate the tunnel for the data path.
2. WLAN - to pass the EAP signaling and data packets towards the 3G-WLAN network.
3. WAG - Wireless Access Gateway, to enforce the policies and filters on the WLAN AN.
4. PDG - Packet Data Gateway. A 3G-WLAN Interworking network entity that serves as the gateway between a WLAN AN and PDNs. The PDG allows 3G-WLAN users to access PDNs.
5. GGSN - Gateway GPRS Support Node. A GPRS network entity that serves as the mobile wireless gateway between an SGSN and PDNs. The GGSN allows mobile users to access PDNs.
6. SGSN - Serving GPRS Support Node. A GPRS network entity that
sends data to and receives data from mobile stations, and maintains information about the location of an MS. The SGSN communicates between the MS and the GGSN; the GGSN provides access to the data network.
7. UTRAN - UMTS Terrestrial Radio Access Network, the air interface portion of UMTS networks as specified within 3GPP.
8. AAA Server - Authentication, Authorization, and Accounting server, to control access, enforce policies, audit usage, and provide the information necessary to do billing for services available through the 3G-WLAN Interworking Network.
9. HSS and HLR - Home Subscriber Server and Home Location Register, holding subscriber credentials and details.
10. GCF and OCS - Call Control Function and Open Card Framework, for billing and call control.
In comparison to the above mentioned invention, the PDG here acts as a Network Gateway which resides in the foreign network, i.e. the Foreign Agent is collocated with the PDG for the sake of simplicity, although this is not necessary for the invention to work. The Home Agent is assumed to be collocated with the GGSN of the 3G network for the sake of simplicity, although this is not necessary for the invention to work. The scenario considered here is when the WLAN UE needs to access some PS service. The UE does not know its Home Address or the Home Agent Address.
The example shows the FA co-existing with the PDG, though it is not mandatory. The following steps briefly explain the operation of the example for the system architecture shown in Figure 2. The message flow/sequence illustrated in Figure 3 is as below:
1 and 2. The UE and the PDG negotiate IKE_SA.
3. The UE sends an IKE_AUTH request without an AUTH payload to initiate the EAP procedure. The IDi payload in the IKE_AUTH request must contain the NAI of the UE. Optionally, the UE can attach a CERTREQ payload to the IKE_AUTH request if it wants to authenticate the PDG using signature based authentication. The TSi and TSr payloads contain 0.0.0.0/0 (indicating the full range of IP addresses from 0.0.0.0 to 255.255.255.255).
4. The PDG sends EAP Request/ID in an IKE_AUTH message, initiating the EAP authentication procedure.
5. The UE responds with EAP Response/ID in IKE_AUTH (initiation of EAP is optional). The PDG sends an Access Request [NAI] to the AAA server. The NAI is obtained from the IDi field of the IKE_AUTH message. The AAA server retrieves the authentication data and user profile information from the HSS/HLR. The AAA server responds with Access Response [EAP-AKA/Challenge]. The PDG forwards the EAP-AKA/Challenge to the UE in an IKE_AUTH message. It is optional to include [CERT, AUTH] in the message. Normal EAP authentication is carried on between the UE and the AAA server with the PDG/FA acting as a relay agent. When all checks are successful, the AAA server sends an EAP Success and the key material to the PDG.
6. The PDG forwards only the EAP Success message within the IKEv2 message to the UE.
7 and 8. [Optional] Mobile Agent Solicitation and Advertisement can be exchanged within the IKEv2 messages.
9. The UE sends an IKE_AUTH response that contains the AUTH payload. The UE uses the shared secret derived from the EAP authentication procedure to make the AUTH payload. The UE also includes the MIP REGISTRATION REQUEST with the NAI, MN_HA keygen nonce and MN_AAA authentication extensions.
10. On receiving the MIP message, the PDG forwards it to the FA (whose IP address is mentioned as the CoA in MIP). The FA sends the MIP Registration Request to the AAA server in the appropriate AAA messages.
11. The AAA server, after authenticating the UE, generates the keys as requested in the registration message and distributes them to the respective agents. The FA can then forward the Registration Request to the HA, if it has not relayed it earlier.
12. The HA then sends the Registration Reply to the FA. The FA then registers the UE in its visitor's cache and forwards the Registration Reply to the PDG, if the PDG and the FA are not co-located.
13. The PDG sends an IKE_AUTH response that contains the AUTH payload. The PDG mal The UE obtains the Home Address from the MIP_REG_REPLY and completes the tunnel establishment procedure.
As stated previously, the above procedure can be applied to the 3G-WLAN case, where the Network Gateway is the PDG, and the HA is collocated with the GGSN (or is in the same sub-network).
The user authentication is carried out by RADIUS/Diameter messages between the PDG and the AAA server in the home network.
The PDG IP address can be discovered in the network by using a DNS query on the W-APN. The W-APN is indicative of the service required by the WLAN UE. The DNS reply contains the list of PDGs capable of providing the given service.
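The generic procedure (steps 1 to 8 in the detailed description) and the 3G-WLAN sequence (steps 9 to 13 above) modelled as a runnable simulation, added here as an illustration and not part of the patent or any 3GPP code. Addresses, the NAI, the MIP reply codes and the HMAC-SHA256 AUTH payload standing in for the EAP-derived shared secret are all constructed assumptions; the FA is co-located with the NGW and the MN starts with no Home Address, so the Home Address and SA traffic selector come out of the MIP Registration Reply carried in IKE_AUTH.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

HA_ADDR, NGW_ADDR = "198.51.100.1", "192.0.2.1"   # constructed sample addresses
MSK = b"constructed-msk-from-eap-aka"              # key material the AAA server handed the PDG (step 5)

@dataclass
class MipRegRequest:
    nai: str
    coa: str                       # care-of address: the FA co-located with the NGW
    home_addr: str = "0.0.0.0"     # unknown: MN asks the HA to assign one
    ha_addr: str = "0.0.0.0"       # unknown: resolved via the AAA server
    mn_aaa_auth: bool = True       # MN-AAA authentication extension present

@dataclass
class MipRegReply:
    code: int                      # 0 = registration accepted
    home_addr: Optional[str] = None
    ha_addr: Optional[str] = None

@dataclass
class IkeAuth:                     # IKE_AUTH request/response with the MIP payload extension
    idi: str
    auth: bytes
    tsi: str
    tsr: str
    mip: object = None

def auth_payload(key: bytes, idi: str) -> bytes:
    """AUTH payload derived from the EAP shared secret (simplified stand-in)."""
    return hmac.new(key, idi.encode() + b"|IKE_AUTH", hashlib.sha256).digest()

class HomeAgent:
    def __init__(self, pool):
        self.pool, self.bindings = list(pool), {}
    def register(self, req: MipRegRequest) -> MipRegReply:
        if req.home_addr == "0.0.0.0" and not self.pool:
            return MipRegReply(code=130)                    # insufficient resources
        addr = self.pool.pop(0) if req.home_addr == "0.0.0.0" else req.home_addr
        self.bindings[req.nai] = (addr, req.coa)            # mobility binding
        return MipRegReply(0, addr, HA_ADDR)

class AaaServer:
    def __init__(self, ha, subscribers):
        self.ha, self.subscribers = ha, set(subscribers)
    def handle(self, req: MipRegRequest) -> MipRegReply:
        if req.nai not in self.subscribers or not req.mn_aaa_auth:
            return MipRegReply(code=67)                     # MN failed authentication
        return self.ha.register(req)                        # steps 10-12: AAA -> HA

class NetworkGateway:                 # NGW/PDG with the FA co-located
    def __init__(self, aaa):
        self.aaa, self.visitor_cache, self.sas = aaa, {}, {}
    def handle_ike_auth(self, req: IkeAuth) -> IkeAuth:
        if not hmac.compare_digest(req.auth, auth_payload(MSK, req.idi)):
            raise ValueError("AUTH payload check failed")
        reply = self.aaa.handle(req.mip)                    # MIP request extracted from IKE_AUTH
        if reply.code != 0:                                 # no Home Address: no child SA
            return IkeAuth(NGW_ADDR, auth_payload(MSK, NGW_ADDR), "", "", reply)
        self.visitor_cache[req.mip.nai] = reply.home_addr   # FA visitor cache (step 12)
        tsi, tsr = reply.home_addr + "/32", "0.0.0.0/0"     # TS payloads built on the Home Address
        self.sas[reply.home_addr] = (tsi, tsr)
        return IkeAuth(NGW_ADDR, auth_payload(MSK, NGW_ADDR), tsi, tsr, reply)

class MobileNode:
    def __init__(self, nai):
        self.nai, self.home_addr, self.ha_addr, self.sa = nai, None, None, None
    def ike_auth_request(self) -> IkeAuth:  # step 9: AUTH + MIP Registration Request
        return IkeAuth(self.nai, auth_payload(MSK, self.nai), "0.0.0.0/0", "0.0.0.0/0",
                       MipRegRequest(self.nai, coa=NGW_ADDR))
    def on_ike_auth_response(self, resp: IkeAuth) -> bool:  # step 13
        if not hmac.compare_digest(resp.auth, auth_payload(MSK, resp.idi)) or resp.mip.code != 0:
            return False
        self.home_addr, self.ha_addr = resp.mip.home_addr, resp.mip.ha_addr
        self.sa = (resp.tsi, resp.tsr)                      # IPsec SA keyed on the Home Address
        return True

def run(nai="user@example.net", pool=("203.0.113.7",)):
    """Run one MN through the procedure; returns (ok, home_addr, ha_addr, sa, visitor_cache)."""
    ngw = NetworkGateway(AaaServer(HomeAgent(pool), ["user@example.net"]))
    mn = MobileNode(nai)
    ok = mn.on_ike_auth_response(ngw.handle_ike_auth(mn.ike_auth_request()))
    return ok, mn.home_addr, mn.ha_addr, mn.sa, dict(ngw.visitor_cache)
```

Calling `run()` with an empty address pool or an unknown NAI shows the failure path: the MIP reply carries a non-zero code, so the MN never installs an SA.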

It will also be obvious to those skilled in the art that other control methods and apparatuses can be derived from the combinations of the various methods and apparatuses of the present invention as taught by the description and the accompanying drawings, and these shall also be considered within the scope of the present invention. Further description of such combinations and variations is therefore omitted above. It should also be noted that the host for storing the applications includes, but is not limited to, a computer, mobile communication device, mobile server or multi-function device.
Although the present invention has been fully described in connection with the preferred embodiments thereof with reference to the accompanying drawings, it is to be noted that various changes and modifications are possible and are apparent to those skilled in the art. Such changes and modifications are to be understood as included within the scope of the present invention as defined by the appended claims unless they depart therefrom.

GLOSSARY OF TERMS AND DEFINITIONS THEREOF
3GPP: 3rd Generation Partnership Project
AAA: Authentication, Authorization and Accounting
AP: Wireless Local Area Network (WLAN) Access Point
APN: Access Point Name
DNS: Domain Name Server
FA: Foreign Agent
HA: Home Agent, a router on a mobile node's home network that tunnels packets to the mobile node while it is away from home.
Home IP Address: An IP address that is assigned for an extended time to a mobile node or for a particular PS service. It remains unchanged regardless of where the node is attached to the Access Network.
H-PLMN: Home Public Land Mobile Network (PLMN)
HSS: Home Subscription Server
IPsec: Internet Protocol Security
IKEv2: Internet Key Exchange Protocol version 2
L2: Layer 2
L3: Layer 3
Local IP Address: An address that is routable up to the NGW to deliver and receive the packets of the MN.
MIP: Mobile Internet Protocol, including version 4 and version 6
MN: Mobile Node, the end User Equipment (UE) capable of changing its point of attachment from one network or subnet to another.
NAI: Network Address Identifier
NGW: Network Gateway, the gateway where the MN initiated IPsec tunnel ends.
PDG: Packet Data Gateway
SA: Security Association, a simplex (uni-directional) logical connection created for security purposes. All traffic traversing an SA is provided the same security processing. In IPsec, an SA is an internet layer abstraction implemented through the use of AH or ESP.
Remote IP Address: An address used in the data packet encapsulated by the MN initiated secure tunnel. It represents the identity of the MN in the network which the MN is accessing, either in the Home network or in the foreign network.
TS: Traffic Selector payload of the IKE protocol.
User terminal: the end user equipment, e.g. the Mobile Station (MS) or User Equipment (UE).
V-PLMN: Visited Public Land Mobile Network
WAG: Wireless Access Gateway
WLAN UE: The WLAN UE is the UE (equipped with a UICC card including a (U)SIM) utilized by a 3GPP subscriber to access the WLAN interworking.
W-APN: WLAN APN
WLAN AN: WLAN Access Network


WE CLAIM
1. A method for providing mobility and a secure tunnel using a mobile internet protocol (MIP) within the key establishment procedure (IKEv2) in connecting a roaming mobile node (MN) to a network gateway (NGW), comprising the steps of:
the MN initiating an IPsec tunnel establishment request with the NGW; the MN transmitting MIP registration messages to the NGW; obtaining a home address of the MN from a MIP registration reply; and forming a secured tunnel by the MN with the NGW.
2. The method as claimed in claim 1, further involving the MN performing an authentication procedure within an IKEv2 protocol.
3. The method as claimed in claim 1, wherein the MN transmits the MIP registration messages within the IKEv2 message to the NGW.
4. The method as claimed in claim 1, wherein the MN is capable of IPsec and MIP procedures.
5. The method as claimed in claim 1, wherein the NGW is contained in a foreign network or home network.
6. A system for providing mobility and a secure tunnel using mobile internet protocol (MIP) in a mobile communication, comprising:
a mobile node (MN) capable of IPsec and the MIP procedures;
a network gateway (NGW) contained in either the foreign network or the home network;
a foreign agent collocated with the NGW; and
a home agent in the home network.
7. The method and system for providing mobility and a secure tunnel using mobile internet protocol (MIP) substantially as herein described, particularly with reference to the accompanying drawings.



Patent Number 232208
Indian Patent Application Number 1433/CHE/2004
PG Journal Number 13/2009
Publication Date 27-Mar-2009
Grant Date 16-Mar-2009
Date of Filing 24-Dec-2004
Name of Patentee SAMSUNG INDIA SOFTWARE OPERATIONS PRIVATE LIMITED
Applicant Address BAGMANE LAKEVIEW, BLOCK 'B', NO. 66/1, BAGMANE TECH PARK, C V RAMAN NAGAR, BYRASANDRA, BANGALORE 560 093,
Inventors:
# Inventor's Name Inventor's Address
1 DR. OSOK SONG SAMSUNG ELECTRONICS CO., LTD., TELECOMMUNICATION R&D CENTER, 416 MAETAN-3DONG, YEONGNG-GU, SUWON-SI, 442-742,
2 R. RAJAVELSAMY BAGMANE LAKEVIEW, BLOCK 'B', NO. 66/1, BAGMANE TECH PARK, C V RAMAN NAGAR, BYRASANDRA, BANGALORE 560 093,
3 JEEDIGUNTA VENKATESWAR BAGMANE LAKEVIEW, BLOCK 'B', NO. 66/1, BAGMANE TECH PARK, C V RAMAN NAGAR, BYRASANDRA, BANGALORE 560 093,
4 RAHUL VAIDYA BAGMANE LAKEVIEW, BLOCK 'B', NO. 66/1, BAGMANE TECH PARK, C V RAMAN NAGAR, BYRASANDRA, BANGALORE 560 093,
5 BALAJI SRINIVAS HOLUR BAGMANE LAKEVIEW, BLOCK 'B', NO. 66/1, BAGMANE TECH PARK, C V RAMAN NAGAR, BYRASANDRA, BANGALORE 560 093,
PCT International Classification Number H04B7/26
PCT International Application Number N/A
PCT International Filing date
PCT Conventions:
# PCT Application Number Date of Convention Priority Country
1 NA