
HK1136123A - Method and apparatus for interworking authorization of dual stack operation - Google Patents

Method and apparatus for interworking authorization of dual stack operation

Info

Publication number
HK1136123A
HK1136123A
Authority
HK
Hong Kong
Prior art keywords
internet protocol
protocol version
authorization
authorized
message
Prior art date
Application number
HK10102730.9A
Other languages
Chinese (zh)
Inventor
徐大生
Original Assignee
高通股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 高通股份有限公司
Publication of HK1136123A


Description

Method and apparatus for interworking authorization of dual stack operation
Claim of priority under 35 U.S.C. §119
The present application claims the benefit of U.S. provisional patent application No. 60/839,212, entitled "WLAN-CDMA2000 INTERWORKING AUTHORIZATION OF IPV4-IPV6 DUAL-STACK OPERATION", filed August 21, 2006. The entire contents of the above application are incorporated herein by reference.
Technical Field
The present invention relates generally to communication systems, and more particularly, to a method and apparatus for interworking authorization for dual stack operation.
Background
In recent years, wireless communication technology has advanced rapidly. This development is driven in part by the freedom of movement that wireless technology provides and by the significantly improved quality of voice and data communications over the wireless medium. The quality of voice services, together with additional data services, has improved and will continue to have a significant impact on how the public communicates. Such additional services include accessing the internet from a mobile device while roaming.
The ability to maintain data sessions while mobile is important to both users and system operators. As more users operate using the mobile internet protocol, users want to access the same packet data interworking function simultaneously using dual stack operation, that is, using two versions of the internet protocol at the same time. A Packet Data Interworking Function (PDIF) serves as a security gateway that protects the cellular network.
Fig. 1 illustrates an interworking architecture for a Wireless Local Area Network (WLAN). The network may operate as part of a wireless communication system according to the standards defined by the Third Generation Partnership Project 2 (denoted herein as 3GPP2). Architecture 100 includes a Mobile Station (MS) 102 coupled to a WLAN system 104. The WLAN system 104 includes an Access Point (AP) 106 and an Access Router (AR) 108. The WLAN system is connected to the 3G home network 110 via a Packet Data Interworking Function (PDIF) 114. PDIF 114 is connected to a home authentication, authorization, and accounting (H-AAA) server 112.
The MS establishes a secure IP tunnel to the PDIF, which serves as the security gateway of the 3G home network. The H-AAA 112 authenticates and authorizes the tunnel establishment. After the tunnel is established, the MS can reach services in the 3G home network 110. The dashed lines in Fig. 1 represent the path of authentication, authorization, and accounting information, that is, the exchange of information between H-AAA 112 and PDIF 114. The solid lines illustrate the bearer path of user data traffic, and the pipes represent the secure tunnels that protect user data traffic between MS 102 and PDIF 114.
The MS is pre-configured with PDIF address information (an IP address or a fully qualified domain name, FQDN). If the MS is configured with the FQDN of the PDIF, the MS uses the Domain Name System (DNS) to resolve the IP address associated with the FQDN. The MS uses Internet Key Exchange version 2 (IKEv2) to establish a secure tunnel with the PDIF (an IPsec tunnel for data transfer). As part of establishing the secure tunnel, the MS must be authenticated and authorized by the H-AAA 112 of Fig. 1. The MS may use one of several procedures for mutual authentication. Authentication information, including credentials and a random challenge, is conveyed in Extensible Authentication Protocol (EAP) messages exchanged between the MS and the H-AAA. EAP messages are transported in IKEv2 messages between the MS and the PDIF, and in RADIUS messages exchanged between the PDIF and the H-AAA.
The MS wants to access the same PDIF simultaneously using both IPv4 and IPv6. This dual stack operation poses an authorization problem for the PDIF: the PDIF needs to know whether the MS is authorized for IPv4 and/or IPv6. Further, where an MS requesting dual stack operation is not authorized for both IPv4 and IPv6, the PDIF needs to indicate to the MS which IP version it is not authorized for. There is therefore a need for a method and apparatus for indicating to an MS which IP versions it is authorized for, and for indicating to the MS when it is not authorized for both IP versions.
Disclosure of Invention
A method for dual stack authorization and operation in a communication system, comprising: requesting authentication by an authorized entity in the communication system; then, if the authentication is successful, an authentication message is received from the authorizing entity, wherein the authentication message includes authorization to establish at least one secure tunnel for communication using at least one internet protocol version.
Another embodiment provides a method comprising: requesting dual stack operation, the dual stack operation using more than one internet protocol version; receiving authorization for the dual stack operation; establishing an independent child security association (SA) for each internet protocol version, wherein each child SA is subordinate to an internet key exchange SA; establishing at least one secure tunnel for communication; and simultaneously accessing both internet protocol versions using the at least one secure tunnel.
Another embodiment provides a method comprising: requesting dual stack operation, the dual stack operation using more than one internet protocol version; receiving authorization of an internet protocol version via a message, wherein the message identifies at least one internet protocol version that is authorized and at least one internet protocol version that is not authorized; establishing a security association for the authorized internet protocol version, wherein that security association is subordinate to an internet key exchange security association; establishing a secure tunnel for communication; and communicating using the secure tunnel.
Another embodiment provides an apparatus comprising the following elements: a transmitter for requesting authentication by an authorizing entity in a wireless communication system; a receiver to receive an authentication message from the authorizing entity when the authentication is successful, wherein the authentication message contains authorization to establish at least one secure tunnel for communication using at least one Internet protocol version.
Further embodiments provide an apparatus comprising: a transmitter for requesting dual stack operation, the dual stack operation using more than one internet protocol version; a receiver for receiving authorization for the dual stack operation; a memory for storing an independent child security association for each internet protocol version, wherein each child security association is subordinate to an internet key exchange security association; a processor that establishes at least one secure tunnel for communication using the transmitter; and a transmitter for simultaneously accessing more than one internet protocol version using the at least one secure tunnel.
Another embodiment provides an apparatus comprising: a transmitter to request dual stack operation, the dual stack operation using more than one internet protocol version; a receiver for receiving authorization of an internet protocol version via a message, wherein the message identifies at least one internet protocol version that is authorized and at least one internet protocol version that is not authorized; a processor configured to establish a security association for the authorized internet protocol version, wherein that security association is subordinate to an internet key exchange security association; a memory for storing the security associations of the authorized internet protocol versions; a transmitter that establishes a secure tunnel for communication; and a transmitter to communicate using the secure tunnel.
Another embodiment provides an apparatus comprising the following elements: means for requesting authentication by an authorizing entity in a wireless communication system; and means for receiving an authentication message from the authorizing entity when the authentication is successful, wherein the authentication message contains authorization to establish at least one secure tunnel for communication using at least one internet protocol version.
Further embodiments provide an apparatus comprising: means for requesting dual stack operation that uses more than one internet protocol version; means for receiving authorization for the dual stack operation; means for establishing an independent child security association for each internet protocol version, wherein each child security association is subordinate to an internet key exchange security association; means for establishing at least one secure tunnel for communication; and means for simultaneously accessing two internet protocol versions using the at least one secure tunnel.
Another embodiment provides an apparatus comprising: means for requesting dual stack operation that uses more than one internet protocol version; means for receiving authorization of an internet protocol version via a message, wherein the message identifies at least one internet protocol version that is authorized and at least one internet protocol version that is not authorized; means for establishing a security association for the authorized internet protocol version, wherein that security association is subordinate to an internet key exchange security association; means for establishing a secure tunnel for communication; and means for communicating using the secure tunnel.
There is provided a computer program product embodiment comprising: a computer-readable medium, comprising: instructions that cause a computer to request authentication by an authorizing entity in a wireless communication system; and instructions that cause a computer to receive an authentication message from the authorizing entity when the authentication is successful, wherein the authentication message contains authorization to establish at least one secure tunnel for communication using at least one internet protocol version.
Another embodiment provides a computer program product comprising a computer-readable medium comprising: instructions that cause a computer to request dual stack operation that uses more than one internet protocol version; instructions that cause a computer to receive authorization for the dual stack operation; instructions that cause a computer to establish an independent child security association for each internet protocol version, wherein each child security association is subordinate to an internet key exchange security association; instructions that cause a computer to establish at least one secure tunnel for communication; and instructions that cause a computer to access both internet protocol versions simultaneously using the at least one secure tunnel.
Further embodiments provide a computer program product comprising a computer-readable medium comprising: instructions that cause a computer to request dual stack operation that uses more than one internet protocol version; instructions that cause a computer to receive authorization of an internet protocol version via a message, wherein the message identifies at least one internet protocol version that is authorized and at least one internet protocol version that is not authorized; instructions that cause a computer to establish a security association for the authorized internet protocol version, wherein that security association is subordinate to an internet key exchange security association; instructions that cause a computer to establish a secure tunnel for communication; and instructions that cause a computer to communicate using the secure tunnel.
Drawings
Fig. 1 is a block diagram illustrating an interworking architecture for supporting interworking authorization for dual stack operation according to an embodiment of the present invention.
Fig. 2 shows the contents of a CREATE_CHILD_SA request according to an embodiment of the present invention.
Fig. 3 shows the contents of the CREATE_CHILD_SA response according to an embodiment of the present invention.
Fig. 4A illustrates IPsec tunnel establishment in accordance with an embodiment of the present invention.
Fig. 4B illustrates a tunnel establishment procedure according to an embodiment of the present invention.
Figure 5 illustrates the structure of an IP version authorization RADIUS VSA according to an embodiment of the invention.
FIG. 6 illustrates a flow diagram of authorized IPv4-IPv6 dual stack operation, according to an embodiment of the present invention.
Fig. 7 illustrates a flow diagram of operations when only IPv4 is authorized, according to an embodiment of the present invention.
Fig. 8 illustrates a flow diagram of operations when only IPv6 is authorized, according to an embodiment of the present invention.
Detailed Description
The word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
An MS desiring access to packet data services needs to gain access to the IP access network. The MS initiates tunnel establishment as part of the access procedure. These tunnels are established between the MS and the PDIF and require several steps before establishing the tunnel and starting packet data traffic.
The first step performed by the MS is to initiate authentication, authorization and accounting (AAA). Authentication is the process of identifying an individual, typically by a username and password. The authentication process assumes that the username and password uniquely identify the user.
After authentication, the authorization process grants the user access to network resources. The level of access may vary, and the user is granted or denied access to a given network resource depending on the level of authorization.
Accounting is the tracking of user activity while the user accesses network resources, including the time spent on the network, the services used on the network, and the amount of data transferred during a network session.
Authentication and authorization for access to network resources is performed when the MS attempts to access packet data services. Service authorization is typically independent of WLAN authentication and authorization. The H-AAA server uses an access protocol such as Remote Authentication Dial In User Service (RADIUS) or DIAMETER for authentication and authorization. RADIUS is an authentication and accounting system used by many internet service providers.
IP security (IPsec) provides confidentiality, data integrity, access control, and data source authentication for IP datagrams. These services are provided by maintaining shared state between the source and the sink of the IP datagrams. This state defines the specific service provided to the datagram, which cryptographic algorithm provides the service, and the key used as input to that algorithm. A protocol known as Internet Key Exchange (IKE) is used to establish this shared state.
IKE performs mutual authentication between the two parties and establishes an IKE Security Association (SA) that includes shared secret information which can be used to efficiently establish SAs for the Encapsulating Security Payload (ESP) and/or Authentication Header (AH), as well as the set of cryptographic algorithms those SAs use to protect the traffic they carry. The initiator proposes a set of cryptographic algorithms for protecting the SA. The IKE SA is referred to as the "IKE_SA". An SA for ESP and/or AH established through the IKE_SA is known as a "CHILD_SA".
All IKE communications consist of message pairs: a request and a response. Such a pair of messages is known as an exchange. The first exchanges, which establish the IKE_SA, are the initial exchanges "IKE_SA_INIT" and "IKE_AUTH". Subsequent exchanges that establish a CHILD_SA are known as "CREATE_CHILD_SA" exchanges, and the remaining exchanges are INFORMATIONAL exchanges. Typically there is a single IKE_SA_INIT exchange and a single IKE_AUTH exchange, using a total of four messages to establish the IKE_SA and the first CHILD_SA. In some cases more than one exchange of each type may be required. In all cases, the IKE_SA_INIT exchange must be completed before any other exchange type; next, all IKE_AUTH exchanges must be completed. Any number of CREATE_CHILD_SA and INFORMATIONAL exchanges may then occur in any order. Subsequent exchanges may establish additional CHILD_SAs between the same authenticated pair of endpoints.
The IKE message flow consists of a request followed by a response. It is the responsibility of the requester to ensure reliability. If no response is received within a time-out interval, the requester must resend the request or abandon the connection.
The first request/response of an IKE session negotiates the security parameters of the IKE_SA and sends nonces and Diffie-Hellman values.
The second request/response, IKE_AUTH, transmits the identities, proves knowledge of the secrets corresponding to the two identities, and establishes the first AH and/or ESP CHILD_SA.
Subsequent exchanges are CREATE_CHILD_SA, which creates a CHILD_SA, and INFORMATIONAL, which may delete an SA, report error conditions, or perform other housekeeping functions. Every request requires a response. Subsequent exchanges are not performed until the initial exchanges have completed.
The CREATE_CHILD_SA exchange consists of a single request/response pair and may be initiated by either end of the IKE_SA after the initial exchanges are completed. All messages following the initial exchanges are cryptographically protected using the cryptographic suite negotiated in the first two messages of the IKE exchange. Either endpoint may initiate a CREATE_CHILD_SA exchange. A CHILD_SA is created by sending a CREATE_CHILD_SA request. The request may contain a payload for an additional Diffie-Hellman exchange in order to provide stronger forward secrecy for the CHILD_SA. The keying material of the CHILD_SA is a function of a key established during the establishment of the IKE_SA, the nonces exchanged during the CREATE_CHILD_SA exchange, and the Diffie-Hellman value (if a key exchange payload is included in the CREATE_CHILD_SA exchange).
For the CHILD_SA created during the initial exchange, a second key exchange payload and nonce must not be sent; the nonces from the initial exchange are used to compute the keys for that CHILD_SA.
Fig. 2 shows the contents of a CREATE_CHILD_SA request. The initiator sends an SA proposal in the SA payload and a nonce in the Ni payload. This nonce, together with the other nonces from the IKE_SA_INIT messages, is used as input to the cryptographic functions. In the CREATE_CHILD_SA request and response, the nonces add freshness to the key derivation used to obtain the CHILD_SA keys and ensure that strong pseudo-random bits are produced from the Diffie-Hellman secret. Nonces in IKEv2 are chosen randomly and are at least 128 bits long, and at least half the key size of the negotiated pseudorandom function. A Diffie-Hellman value may be sent in the KEi payload. The proposed traffic selectors are sent in the TSi and TSr payloads. If the SA proposal includes different Diffie-Hellman groups, KEi must be an element of the group that the initiator expects the responder to accept. If that guess is wrong, the CREATE_CHILD_SA exchange fails and must be retried with a different KEi.
The message following the header is encrypted, and the message including the header is integrity protected, using the cryptographic algorithms negotiated for the IKE_SA.
Fig. 3 shows the contents of the CREATE_CHILD_SA response. If KEi was included in the request and the negotiated cryptographic suite includes that group, the responder replies, with the same message identifier, with the accepted proposal in the SA payload and its Diffie-Hellman value in the KEr payload. If the responder chooses a cryptographic suite with a different group, it must reject the request; the initiator should then repeat the request, but with a KEi payload from the group the responder selected. The traffic selectors for traffic to be sent on this SA are specified in the Traffic Selector (TS) payloads, which may be a subset of what the initiator of the CHILD_SA proposed. The traffic selectors may be omitted if the CREATE_CHILD_SA request is being used to rekey the IKE_SA.
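The following model, added here as an illustration and not code from the patent or from any IKEv2 implementation, shows the responder-side checks described for the CREATE_CHILD_SA request and response above: the nonce length rule, the Diffie-Hellman group check on KEi with the retry the initiator must perform, and the dependency of the CHILD_SA keying material on the IKE_SA key, the nonces and the optional new Diffie-Hellman value. Assumptions not taken from the page: the proposal is reduced to a list of Diffie-Hellman group numbers, the negotiated pseudorandom function is HMAC-SHA-256 with the prf+ construction of RFC 7296, the IKE_SA key is a constructed 32-byte value called `sk_d`, and the status strings are modeled on IKEv2 notify names.

```python
"""Toy CREATE_CHILD_SA responder checks and CHILD_SA key derivation (illustrative)."""
import hashlib
import hmac

PRF_KEY_BITS = 256     # key size of the assumed negotiated prf (HMAC-SHA-256)
MIN_NONCE_BITS = 128   # IKEv2 lower bound on nonce length


def check_nonce(nonce: bytes, prf_key_bits: int = PRF_KEY_BITS) -> bool:
    """A nonce must be at least 128 bits and at least half the prf key size."""
    bits = len(nonce) * 8
    return bits >= MIN_NONCE_BITS and bits >= prf_key_bits // 2


def responder_check_kei(proposed_groups, kei_group, responder_groups):
    """Return (kei_acceptable, chosen_group).

    The responder selects the first proposed group it supports. When the
    initiator's KEi belongs to a different group, the request is rejected
    and the initiator must retry with a KEi from chosen_group.
    """
    chosen = next((g for g in proposed_groups if g in responder_groups), None)
    if chosen is None:
        return False, None            # nothing in the proposal is acceptable
    return kei_group == chosen, chosen


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2 prf+: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n), output T1|T2|..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:length]


def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes, gir_new=None, length=64) -> bytes:
    """KEYMAT = prf+(SK_d, [g^ir (new) |] Ni | Nr): the new DH secret is only
    mixed in when the CREATE_CHILD_SA exchange carried KE payloads."""
    seed = (gir_new or b"") + ni + nr
    return prf_plus(sk_d, seed, length)


def negotiate(sk_d, ni, nr, proposed_groups, kei_group, responder_groups, gir_new=None):
    """One CREATE_CHILD_SA attempt as seen by the responder."""
    if not (check_nonce(ni) and check_nonce(nr)):
        return {"status": "NONCE_TOO_SHORT"}
    ok, chosen = responder_check_kei(proposed_groups, kei_group, responder_groups)
    if chosen is None:
        return {"status": "NO_PROPOSAL_CHOSEN"}
    if not ok:
        # Reject; the initiator repeats the request with a KEi from `chosen`.
        return {"status": "INVALID_KE_PAYLOAD", "retry_with_group": chosen}
    return {"status": "OK", "group": chosen,
            "keymat": child_sa_keymat(sk_d, ni, nr, gir_new)}


if __name__ == "__main__":
    # Constructed sample values; a real implementation draws these randomly.
    sk_d, ni, nr = bytes(range(32)), b"\x11" * 16, b"\x22" * 16
    first = negotiate(sk_d, ni, nr, [14, 19], 14, {19})
    print(first["status"], first.get("retry_with_group"))
    retry = negotiate(sk_d, ni, nr, [14, 19], first["retry_with_group"], {19}, gir_new=b"\x33" * 32)
    print(retry["status"], retry["group"], retry["keymat"].hex()[:16])
```

The retry path is the one the text describes: the first request fails only because KEi was built for group 14 while the responder's suite selected group 19, and the keying material is derived only once a KEi from the selected group is presented.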
Once the CHILD SA is created, the next step is to establish an IPsec tunnel. The tunnel establishment procedure is described in detail below.
The MS may be pre-provisioned with the IP address of the PDIF or may use a DNS mechanism to retrieve it. The MS should identify the operator's network when forming the FQDN for the DNS request. To facilitate access to the network, the MS may be provisioned with the FQDNs of multiple PDIFs. Once the MS receives a response containing one or more PDIF IP addresses, it selects a PDIF IP address of the same IP version as its local IP address (the address assigned over the WLAN upon successful association). This selection may be performed by the user or automatically by the MS. Depending on the implementation, several mechanisms can be used to discover PDIFs.
The following message exchange is used to establish an IPsec tunnel between the MS and the PDIF; Fig. 4A illustrates it. In step 1, the MS authenticates to the WLAN access network and gains access to the Internet. This may involve the WLAN checking with the H-AAA for authorization.
In step 2, the MS obtains an IP address from the access network. The MS also discovers default router and DNS server addresses.
At step 3, the MS starts an IKEv2 exchange with the PDIF. The first pair of messages in this exchange is the initial exchange, IKE_SA_INIT.
In step 4, the MS initiates an IKE_AUTH exchange with the PDIF. These messages are encrypted and integrity protected with keys established during the IKE_SA_INIT exchange.
In step 5, the MS requests a tunnel inner address (TIA) by including a CONFIGURATION (CFG) payload in the IKE_AUTH request. The MS adds its Network Access Identifier (NAI) to the payload. If the MS wishes to use the Extensible Authentication Protocol (EAP), it omits the Authentication (AUTH) payload from the IKE_AUTH message.
At step 6, the PDIF receives an IKE_AUTH request without an AUTH payload and contacts the H-AAA by sending an EAP-Response/Identity message in a RADIUS Access-Request message or a Diameter-EAP-Request (DER) command, in order to request service authorization and user authentication.
At step 7, EAP messages are exchanged between the MS and the H-AAA. The H-AAA sends an EAP request message to the PDIF in a RADIUS Access-Challenge or a Diameter-EAP-Answer (DEA) command. The PDIF sends an IKE_AUTH response message carrying the EAP request message to the MS.
In step 8, the MS responds with an IKE_AUTH request message carrying an EAP response message. The PDIF forwards the EAP response message to the H-AAA in a RADIUS Access-Request message or a Diameter-EAP-Request command. Steps 7 and 8 may repeat several times.
If the authentication is successful, the H-AAA sends, in step 9, an EAP Success in a RADIUS Access-Accept message, or a DEA command with a result code indicating successful authentication.
In step 10, upon receiving a RADIUS Access-Accept message or a DEA command with a result code indicating successful authentication, the PDIF sends an IKE_AUTH response message carrying the EAP Success. If the PDIF instead receives a RADIUS Access-Reject message or a DEA command with a result code indicating an authorization failure, the PDIF rejects the tunnel establishment and sends the MS an IKE_AUTH response message with a notify payload set to "AUTHENTICATION_FAILED".
Then, in step 11, the MS sends an IKE_AUTH request message including an AUTH payload computed from the Master Session Key (MSK) generated by the successful EAP authentication.
At step 12, the PDIF replies with an IKE_AUTH response message that includes the assigned TIA, the AUTH payload, and the security association. The PDIF uses the MSK to compute the AUTH payload; it obtained the MSK from the H-AAA in step 9 above.
At step 13, upon completion of the IKE_AUTH exchange, an IPsec tunnel is established between the MS and the PDIF.
Fig. 4B shows the steps in the normal tunnel establishment flow. This can be used when multiple tunnels are established as described later.
Multiple tunnels may be established with the same PDIF. Once an IKE Security Association (SA) has been authenticated, more than one CHILD_SA may be negotiated under that IKE_SA. The CREATE_CHILD_SA exchange is protected using the encryption algorithm and keys negotiated in the first two messages of the IKE exchange, as described above. Consequently, the creation of an additional CHILD_SA between the MS and the PDIF does not trigger another authentication exchange with the H-AAA.
The MS expects to access the same PDIF with IPv4 and IPv6 at the same time. Although the IKEv2 standard allows such simultaneous access in the same or in separate IPsec tunnels, it does not address authorization, and the PDIF needs to know whether the MS requesting dual stack operation is authorized for IPv4 and IPv6.
The first embodiment addresses the problem that the PDIF needs to know whether the requesting MS is authorized for IPv4 and/or IPv6. During the IPsec tunnel establishment described above, if EAP authentication succeeds, the H-AAA returns an IP-version-authorization VSA in the RADIUS Access-Accept message to indicate whether IPv4 and/or IPv6 are authorized. If the IP-version-authorization VSA is not present in the RADIUS Access-Accept message, the PDIF applies its local policy for authorization of dual stack operation. Fig. 5 shows the structure of the IP-version-authorization RADIUS VSA.
Another embodiment is used when the MS wants to use both IPv4 and IPv6 and is authorized for both. Fig. 6 illustrates the method of this embodiment. The method 600 begins at step 602 when the MS requests IPv4-IPv6 dual stack operation. The request is sent in a message to the AAA server via the PDIF. At step 604, the AAA server determines whether the MS is authorized to use both IPv4 and IPv6. At step 606, the AAA server informs the PDIF that the requesting MS is authorized to use both IPv4 and IPv6. At step 608, the PDIF notifies the MS that the request for IPv4-IPv6 dual stack operation is authorized. At step 610, the MS and the PDIF establish independent CHILD_SAs for IPv4 and IPv6 under the same IKE_SA. If the MS is not authorized for both IPv4 and IPv6, the AAA server notifies the PDIF at step 612. At step 614, the PDIF then informs the MS that it is not authorized, and also informs the MS which IP version is not authorized.
Another embodiment is used when the MS wants to use both IPv4 and IPv6 simultaneously but is authorized only for IPv4. Fig. 7 illustrates the method of operation of this embodiment. The method 700 begins at step 702 when the MS requests IPv4-IPv6 dual stack operation. At step 704, the AAA server checks whether the MS is authorized for both IPv4 and IPv6. If the MS is authorized for both, the method returns to step 606 of the method of Fig. 6. If the MS is authorized only for IPv4, the AAA server informs the PDIF that the MS is authorized only for IPv4. In step 710, the PDIF sends a notify payload with the notify message type set to a specific value indicating that only IPv4 is authorized. If the wireless communication system operates according to the 3GPP2 standard, the message type is set to 8193 in the IKE_AUTH response message. Other systems may use different message types without affecting the operation of this embodiment. In this case, at step 712, only an IPsec tunnel for IPv4 is established. To prevent the MS from establishing an IPv6 session with the network, the MS sets the INTERNAL_IP6_ADDRESS attribute to 0::0 in the CFG request payload, and the PDIF sets the length of the INTERNAL_IP6_ADDRESS attribute to 0 in the CFG reply payload. The PDIF may also inform the MS that it is not authorized for IPv6 access by sending a notify payload with a specific message type indicating the error. If the MS nevertheless attempts to obtain an IPv6 prefix from the PDIF, the PDIF discards the message without notifying the MS.
Fig. 8 illustrates an embodiment used when the MS wants dual stack operation with IPv4 and IPv6 but is authorized only for IPv6. The method 800 begins at step 802 when the MS requests IPv4-IPv6 dual stack operation. At step 804, the AAA server checks whether the MS is authorized for IPv4 and IPv6. If the MS is authorized for both, the method returns to step 606 of the method of Fig. 6. If the MS is not authorized for both but only for IPv6, the AAA server notifies the PDIF in step 808 that the MS is authorized only for IPv6. In step 810, the PDIF sends, in the IKE_AUTH response message, a notify payload with the notify message type set to a specific value indicating that the MS is authorized only for IPv6. If the wireless communication system operates according to the 3GPP2 standard, the message type is set to 8194. At step 812, an IPsec tunnel for IPv6 is established. By setting the INTERNAL_IP4_ADDRESS attribute to 0.0.0.0 in the CFG request payload, the MS is prevented from establishing an IPv4 session with the network; likewise, the PDIF sets the length of the INTERNAL_IP4_ADDRESS attribute to 0 in the CFG reply payload. The PDIF may also inform the MS that it is not authorized for IPv4 access by sending a notify payload with a specific message type. If the MS nevertheless attempts to obtain an IPv4 prefix from the PDIF, the PDIF discards the message without notifying the MS.
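The model below, added here as an illustration and not code from the patent or from any PDIF product, ties together the embodiments of Figs. 5 to 8: the PDIF derives the authorized IP versions from the IP-version-authorization VSA (falling back to local policy when the VSA is absent), decides which CHILD_SAs may be created, picks the notify message type (8193 or 8194 for 3GPP2, as the page states), zero-lengths the CFG address attribute of the unauthorized version, and silently drops address requests for that version. Assumptions not taken from the page: the VSA value is represented as a two-bit mask (bit 0 for IPv4, bit 1 for IPv6) rather than the real attribute encoding, the assigned-attribute lengths 4 and 17 are those of INTERNAL_IP4_ADDRESS and INTERNAL_IP6_ADDRESS in RFC 7296, the behaviour when no requested version is authorized is modeled as an outright refusal, and the sample addresses are constructed.

```python
"""Illustrative PDIF decision logic for IPv4/IPv6 dual-stack authorization."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

IPV4, IPV6 = "IPv4", "IPv6"
BOTH = {IPV4, IPV6}

# Notify message types given on the page for systems using the 3GPP2 standard.
NOTIFY_ONLY_IPV4_AUTHORIZED = 8193
NOTIFY_ONLY_IPV6_AUTHORIZED = 8194

# Assumed encoding of the IP-version-authorization VSA value (the page gives
# the VSA's purpose, not its bit layout).
VSA_BIT = {IPV4: 0x01, IPV6: 0x02}

CFG_ATTR = {IPV4: "INTERNAL_IP4_ADDRESS", IPV6: "INTERNAL_IP6_ADDRESS"}
ASSIGNED_LEN = {"INTERNAL_IP4_ADDRESS": 4, "INTERNAL_IP6_ADDRESS": 17}  # RFC 7296 lengths
ZERO_ADDR = {IPV4: "0.0.0.0", IPV6: "0::0"}       # what the MS puts in its CFG request
SAMPLE_ASSIGNED = {IPV4: "10.0.0.2", IPV6: "2001:db8::2"}  # constructed sample addresses


@dataclass
class AccessAccept:
    """The parts of a RADIUS Access-Accept the PDIF needs for this decision."""
    msk: bytes
    ip_version_vsa: Optional[int] = None   # None means the VSA was absent


def authorized_versions(accept: AccessAccept, local_policy: Set[str]) -> Set[str]:
    """Fig. 5 embodiment: the VSA decides; without it, PDIF local policy applies."""
    if accept.ip_version_vsa is None:
        return set(local_policy)
    return {v for v, bit in VSA_BIT.items() if accept.ip_version_vsa & bit}


@dataclass
class Decision:
    child_sas: Set[str]                 # IP versions a CHILD_SA may be created for
    notify_type: Optional[int]          # notify sent in the IKE_AUTH response, if any
    cfg_reply_lengths: Dict[str, int]   # attribute lengths in the CFG reply payload


def pdif_decide(requested: Set[str], authorized: Set[str]) -> Decision:
    """Figs. 6-8: map the MS request plus the AAA answer to the PDIF's behaviour."""
    granted = requested & authorized
    if not granted:
        # Not covered by the page's flows; modeled as refusing the request.
        raise PermissionError("no requested IP version is authorized")
    notify = None
    if requested == BOTH and granted == {IPV4}:
        notify = NOTIFY_ONLY_IPV4_AUTHORIZED      # Fig. 7, step 710
    elif requested == BOTH and granted == {IPV6}:
        notify = NOTIFY_ONLY_IPV6_AUTHORIZED      # Fig. 8, step 810
    lengths = {CFG_ATTR[v]: (ASSIGNED_LEN[CFG_ATTR[v]] if v in granted else 0)
               for v in BOTH}
    return Decision(granted, notify, lengths)


def ms_cfg_request(notify_type: Optional[int]) -> Dict[str, str]:
    """Attributes the MS places in its CFG request once it knows the outcome."""
    if notify_type == NOTIFY_ONLY_IPV4_AUTHORIZED:
        return {CFG_ATTR[IPV6]: ZERO_ADDR[IPV6]}
    if notify_type == NOTIFY_ONLY_IPV6_AUTHORIZED:
        return {CFG_ATTR[IPV4]: ZERO_ADDR[IPV4]}
    return {}


def handle_address_request(decision: Decision, version: str) -> Optional[str]:
    """Address/prefix request for a version: answered if granted, else dropped (None)."""
    if version not in decision.child_sas:
        return None
    return SAMPLE_ASSIGNED[version]


if __name__ == "__main__":
    accept = AccessAccept(msk=b"constructed-msk", ip_version_vsa=VSA_BIT[IPV4])
    d = pdif_decide(BOTH, authorized_versions(accept, local_policy=BOTH))
    print(d.notify_type, sorted(d.child_sas), d.cfg_reply_lengths, ms_cfg_request(d.notify_type))
    print(handle_address_request(d, IPV6))   # None: silently discarded
```

Feeding an Access-Accept whose VSA authorizes only IPv4 yields notify type 8193, an `INTERNAL_IP6_ADDRESS` reply length of 0, and a dropped IPv6 prefix request, which is exactly the sequence steps 710 and 712 describe.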
In other embodiments, one of ordinary skill in the art will appreciate that the above methods may be implemented by a program executing on a computer readable medium (e.g., the memory of a computer platform). The instructions may be stored in various types of signal-bearing or data storage primary, secondary, or tertiary media. For example, the media may comprise RAM accessible by, or located in, the client device and/or the server. Whether contained in RAM, a diskette, or other secondary storage media, the instructions may be stored on a variety of machine-readable data storage media, such as DASD storage (e.g., a conventional "hard drive" or a RAID array), magnetic tape, electronic read-only memory (e.g., ROM or EEPROM), flash memory cards, an optical storage device (e.g., CD-ROM, WORM, DVD, digital optical tape), paper "punch" cards, or other suitable data storage media including digital and analog transmission media.
While the foregoing is directed to exemplary embodiments of the present invention, it should be noted that various changes and modifications could be made herein without departing from the scope of the invention as defined by the appended claims. The acts or steps of the method claims in accordance with the embodiments of the invention described herein need not be performed in any particular order. Furthermore, although elements of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
Thus, the preferred embodiments of the present invention have been shown and described. However, it will be apparent to those of ordinary skill in the art that various changes can be made to the embodiments disclosed herein without departing from the spirit or scope of the invention. Accordingly, the invention is not limited except as by the appended claims.

Claims (24)

1. A method, comprising:
requesting authentication by an authorizing entity in the wireless communication system;
receiving an authentication message from the authorizing entity if the authentication is successful, wherein the authentication message includes authorization to establish at least one secure tunnel for communications using at least one internet protocol version.
2. The method of claim 1, wherein the authorization to use at least one internet protocol is an IP-version-authorization VSA sent in a RADIUS access-accept message.
3. The method of claim 2, wherein if the IP-version-authorized VSA is not present in the RADIUS access-accept message, a packet data interworking function in the wireless communications network applies local policy to authorize dual stack operation.
4. A method, comprising:
requesting a dual stack operation, the dual stack operation using more than one internet protocol version;
receiving authorization for a dual stack operation, the dual stack operation using more than one internet protocol version;
establishing an independent subordinate security authorization for each Internet protocol version, wherein the subordinate security authorization is subordinate to an Internet key exchange security authorization;
establishing at least one secure tunnel for communication;
simultaneously accessing two Internet protocol versions using the at least one secure tunnel for communication.
5. The method of claim 4, wherein the more than one Internet protocol versions are accessed simultaneously using the same secure tunnel.
6. The method of claim 4, wherein the more than one Internet protocol versions are accessed simultaneously in multiple independent secure tunnels.
7. A method, comprising:
requesting a dual stack operation, the dual stack operation using more than one internet protocol version;
receiving an authorization of an internet protocol version via a message, wherein the message identifies at least one internet protocol version that is authorized, and wherein the message further identifies at least one internet protocol version that is not authorized;
establishing a security authorization of an authorized internet protocol version, wherein the security authorization of the authorized internet protocol version is subordinate to an internet key exchange security authorization;
establishing a secure tunnel for communication;
and performing communication using the secure tunnel.
8. An apparatus, comprising:
a transmitter for requesting authentication by an authorizing entity in a wireless communication system;
a receiver to receive an authentication message from the authorizing entity when the authentication is successful, wherein the authentication message includes authorization to establish at least one secure tunnel for communication using at least one Internet protocol version.
9. The apparatus of claim 8, wherein the authorization to use the at least one internet protocol is an IP-version-authorization VSA sent in a RADIUS access-accept message.
10. The apparatus of claim 9, further comprising:
a processor for storing a local policy authorizing dual stack operation, wherein if the IP-version-authorization VSA is not present in the RADIUS Access-Accept message, a packet data interworking function in a wireless communication network authorizes dual stack operation using the local policy.
11. An apparatus, comprising:
a transmitter for requesting dual stack operation, the dual stack operation using more than one internet protocol version;
a receiver for receiving authorization for dual stack operation, the dual stack operation using more than one internet protocol version;
a memory for storing an independent subordinate security authorization for each internet protocol version, wherein the subordinate security authorization is subordinate to an internet key exchange security authorization;
a processor that establishes at least one secure tunnel for communication using the transmitter; and
a transmitter for accessing internet protocol versions, using the at least one secure tunnel for communication to access more than one internet protocol version simultaneously.
12. The apparatus of claim 11, wherein the more than one internet protocol versions are accessed simultaneously using the same secure tunnel.
13. The apparatus of claim 11, wherein the more than one internet protocol versions are accessed simultaneously in a plurality of independent secure tunnels.
14. An apparatus, comprising:
a transmitter for requesting dual stack operation, the dual stack operation using more than one internet protocol version;
a receiver for receiving authorization of an internet protocol version via a message, wherein the message identifies at least one internet protocol version that is authorized, and wherein the message further identifies at least one internet protocol version that is not authorized;
a processor configured to establish a security authorization for an authorized internet protocol version, wherein the security authorization for the authorized internet protocol version is subordinate to an internet key exchange security authorization;
a memory for storing security authorizations for the authorized internet protocol versions;
a transmitter to establish a secure tunnel for communications;
a transmitter for communicating using the secure tunnel.
15. An apparatus, comprising:
means for requesting authentication by an authorizing entity in a wireless communication system;
means for receiving an authentication message from the authorizing entity when the authentication is successful, wherein the authentication message includes authorization to establish at least one secure tunnel for communication using at least one Internet protocol version.
16. The apparatus of claim 15, wherein the authorization to use the at least one internet protocol is an IP-version-authorization VSA sent in a RADIUS access-accept message.
17. The apparatus of claim 16, wherein a packet data interworking function in the wireless communication network applies local policy to authorize dual stack operation if the IP-version-authorized VSA is not present in the RADIUS access-accept message.
18. A method, comprising:
means for requesting dual stack operation using more than one internet protocol version;
means for receiving authorization for a dual stack operation, the dual stack operation using more than one internet protocol version;
means for establishing an independent subordinate security authorization for each internet protocol version, wherein the subordinate security authorization is subordinate to an internet key exchange security authorization;
means for establishing at least one secure tunnel for communications;
means for simultaneously accessing two Internet protocol versions using the at least one secure tunnel for communication.
19. The apparatus of claim 18, wherein the more than one internet protocol versions are accessed simultaneously using the same secure tunnel.
20. The method of claim 4, wherein the more than one Internet protocol versions are accessed simultaneously in separate secure tunnels.
21. An apparatus, comprising:
means for requesting dual stack operation using more than one internet protocol version;
means for receiving authorization of an internet protocol version via a message, wherein the message identifies at least one internet protocol version that is authorized, and wherein the message further identifies at least one internet protocol version that is not authorized;
means for establishing a security authorization for an authorized internet protocol version, wherein the security authorization for the authorized internet protocol version is subordinate to an internet key exchange security authorization;
means for establishing a secure tunnel for communications;
means for communicating using the secure tunnel.
22. A computer program product, comprising:
a computer-readable medium comprising:
instructions that cause a computer to request authentication by an authorizing entity in a wireless communication system;
instructions that cause a computer to receive an authentication message from the authorizing entity when the authentication is successful, wherein the authentication message includes authorization to establish at least one secure tunnel for communication using at least one internet protocol version.
23. A computer program product, comprising:
a computer-readable medium comprising:
instructions that cause a computer to request a dual stack operation that uses more than one internet protocol version;
instructions that cause a computer to receive authorization for a dual stack operation that uses more than one internet protocol version;
instructions that cause a computer to establish an independent subordinate security authorization for each internet protocol version, wherein the subordinate security authorization is subordinate to an internet key exchange security authorization;
instructions that cause a computer to establish at least one secure tunnel for communications;
instructions that cause a computer to simultaneously access two Internet protocol versions using the at least one secure tunnel for communication.
24. A computer program product, comprising:
a computer-readable medium comprising:
instructions that cause a computer to request a dual stack operation that uses more than one internet protocol version;
instructions that cause a computer to receive authorization of an internet protocol version via a message, wherein the message identifies at least one internet protocol version that is authorized, and wherein the message further identifies at least one internet protocol version that is not authorized;
instructions that cause a computer to establish a security authorization for an authorized internet protocol version, wherein the security authorization for the authorized internet protocol version is subordinate to an internet key exchange security authorization;
instructions that cause a computer to establish a secure tunnel for communications;
instructions that cause a computer to communicate using the secure tunnel.
HK10102730.9A 2006-08-21 2007-08-21 Method and apparatus for interworking authorization of dual stack operation HK1136123A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US60/839,212 2006-08-21
US11/840,735 2007-08-17

Publications (1)

Publication Number Publication Date
HK1136123A true HK1136123A (en) 2010-06-18
