DETAILED DESCRIPTION
[0030] FIG. 1 illustrates an exemplary system 100 in which the invention is implemented. In FIG. 1, system 100 includes a home domain 1 102, a visited domain 104, and a 3rd party domain 102′. Home domain 1 102 includes a home network 106. The home network 106 includes an access node (AN) 108 located within a cell 110, a home agent (HA) 112, an authentication, authorization, accounting (AAA) server 114, and a network node 116. Network node 116 is coupled to AN 108, HA 112, and AAA server 114 via links 118, 120, 122, respectively. AAA server 114 provides authentication, authorization and accounting functionality.
[0031] To support authentication, the AAA server 114 stores authentication information, e.g., secrets, encryption keys, etc., which can be used to authenticate one or more service users. Different authentication information may be stored for each user and/or mobile device for which the AAA server is responsible for providing authentication functionality. The authorization capabilities of the AAA server 114 are supported through the use of a set of service profiles 115. Normally, each of the plurality of service profiles corresponds to a different service to be provided. Multiple service profiles may be stored for a single user or mobile device. In the context of this invention, each service profile is associated with a distinct network service including the connectivity associated with that service and any IP addresses allocated to that service. Although shown as part of AAA server 114, service profiles 115 may be, and in various embodiments are, stored in one or more separate profile servers which are accessible via the AAA server 114. The set of service profiles 115 includes a plurality of service profiles where each service profile corresponds to a different service, which may be provided, e.g., to a user or mobile device. After authentication of an entity requesting a service, the AAA server 114 accesses the set of service profiles 115. The appropriate service profile to be retrieved from the set 115 is determined using a received service profile indicator and, optionally, one or more service profile selectors. In the case where the service profile identifier uniquely identifies the service profile or profiles to be returned, the use of service profile selectors can be avoided. However, when multiple service profiles are associated with a service profile identifier and only some of the profiles are to be returned in response to an access and/or authorization request message, additional information, e.g., one or more service profile selectors, is used in conjunction with a service profile identifier to identify the service profile or profiles to be returned. Thus, in the case where multiple service profiles are associated with the same service profile indicator, the profile selectors help identify the service profile or profiles to be returned. As will be discussed below, in various embodiments, Network Access Identifiers (NAIs) are used as service profile identifiers. In response to receiving an authorization message including multiple NAIs, or information from which multiple NAIs can be derived in a predetermined manner, the AAA server 114 will normally access and return the service profiles corresponding to each of the NAIs included in, or represented by information included in, a received authorization message. Similarly, in the case where a received authorization request message includes a single service profile identifier, e.g., NAI, having multiple service profile selectors associated therewith in the authorization request message, the AAA server 114 will normally respond by providing each of the service profiles which are identified by the combination of the included NAI and service profile selector.
[0032] Accounting functions are provided by AAA server 114 following authorization of a service, in conjunction with accounting records generated in the access node 108 and returned to the AAA server 114. Accounting functions include tracking of such things as service usage information, resource usage, time of usage, etc., at the access router so that the service can be properly billed. Accounting information may be stored in the same or, more commonly, in a different database from the service profile information, and the service profile typically includes information on the accounting records to be generated by an access router 108 and the location of the accounting server that will receive such accounting records. Service profiles and accounting information can be stored inside AAA 114 or in one or more databases, e.g., profile servers, to which the AAA server 114 has access.
[0033] The visited domain 104 includes a visited network 124. The 3rd party domain 102′ includes third party network 106′. Elements within the 3rd party domain 102′ are similar or equivalent to the elements within the home domain 102 and are represented in FIG. 1 with the same numbering designation followed by ′.
[0034] Visited network 124 includes a network node 126, a plurality of access nodes (ANs) 128, 128′, and an authentication, authorization, accounting (AAA) node 135. Each access node 128, 128′ is located within a cell 132, 132′ respectively. Each communication cell 132, 132′ represents the coverage area of corresponding access node 128, 128′, respectively. Network node 126 is coupled to AN 128, AN 128′, AAA server 135, and local home agent 140 via links 134, 134′, 131 and 141, respectively. Network node 126 is further coupled to node 116 of the home domain 102 by link 138 and node 116′ of the 3rd party domain 102′ by link 138′. Thus, link 138 couples home domain 1 102 to visited domain 104 while link 138′ couples the 3rd party domain 102′ to visited domain 104. Link 137 couples network node 116 to network node 116′, thereby connecting home domain 1 102 to 3rd party domain 102′. In this manner, the nodes of the three domains 102, 102′, 104 are interconnected.
[0035] AAA servers 114, 114′ and 135 in each of the home domain 102, 3rd party domain 102′ and visited domain 104 may be implemented to provide the same or similar functionality. In this way, the visited network may alternatively be the home network for one MN, the home network may be the third party network for said MN, and the third party network may be the visited network for said MN.
[0036] FIG. 2 further illustrates the home and visited domains 102, 104 shown in FIG. 1. The home domain 102 is the same as shown in FIG. 1 and shall not be described further. FIG. 2 includes additional detail with regard to cells 132, 132′. The same physical and functional elements are depicted in each of the communication cells 132, 132′, thus the following description of the elements in the cell 132 surrounding access node 128 is equally applicable to each of the cells 132, 132′. As shown in FIG. 2, each access node 128, 128′ is coupled to a plurality of end nodes (202, 204), (202′, 204′) e.g., by links (206, 208), (206′, 208′) respectively. The communication links may be wireless links, e.g., radio links. Access nodes 128, 128′ serve as the point of network attachment for the end nodes connected thereto. Access node 128 includes a mobility agent module 302, a session signaling server module 304, an authentication module 308, and state information 310. A set of arrows 307 is used to represent the exchange of data, information, and signals between the depicted elements when they are executed. Connectivity between access node 128 and other network nodes is shown and is subsequently further described. Access nodes 128, 128′ may be implemented as, e.g., base stations, while end nodes (202, 204), (202′, 204′) may be implemented as, e.g., mobile devices. Via access nodes 128, 128′, the end nodes coupled thereto can gain access to services corresponding to any of the three domains 102, 102′, 104. In addition, the MNs can move between access routers 128 and 128′, and to other access routers in other domains such as the access nodes 108 in the home domain 1 102.
[0037] FIG. 3 illustrates an exemplary access node 128 implemented in accordance with the present invention. The access node 128 illustrated in FIG. 3 may be used as an access node of the system shown in FIG. 1. In the FIG. 3 embodiment, the access node 128 includes an input/output interface 301, a processor 303 and memory 312, coupled together by bus 305. The elements 301, 303, 312, 305 of access node 128 are located inside a housing 311, e.g., a case of plastic and/or metal, represented by the rectangle surrounding the node's internal elements 301, 303, 312, 305. Accordingly, via bus 305 the various components of the access node 128 can exchange information, signals and data. The input/output interface 301 provides a mechanism by which the internal components of the access node 128 can send and receive signals to/from external devices and network nodes. The input/output interface 301 includes, e.g., a receiver circuit and transmitter circuit used for coupling the node 128 to other network nodes, e.g., via fiber optic lines, and to end nodes, e.g., via wireless communications channels.
[0038] The processor 303 under control of various modules, e.g., routines, included in memory 312 controls operation of the access node 128 to perform various signaling, session admission, resource allocation, authentication, and other operations as will be discussed below. The modules included in memory 312 are executed on startup or as called by other modules. Modules may exchange data, information, and signals when executed. Modules may also share data and information when executed. In the FIG. 3 embodiment, the memory 312 of access node 128 of the present invention includes a mobility agent module 302, a session signaling server module 304 and an authentication module 308 as well as resource information 306 and state information 310.
[0039] Resource information 306 includes, e.g., parameters, resource limits both internal to the access node 128 as well as on its interfaces 301, indication and/or accounting of active sessions and/or used resources and/or available resources both internal to the access node 128 as well as on its interfaces 301. State information 310 includes, e.g., parameters, communication session and/or end node status information, security information, and/or other information relating to end node interaction and/or communication with an access node and/or another device. State information 310 may include one or more user service profiles retrieved and loaded into memory in accordance with the methods of the present invention. The loaded user service profiles are accessed to provide services to a user. In some cases multiple services are provided concurrently to a single user or mobile device using, e.g., multiple service profiles or a composite profile generated from multiple service profiles.
[0040] The session signaling server module 304 allows the access node 128 to support session initiation operations, e.g., processing of received signals or messages used for the establishment of data communication sessions and sending of subsequent signals or messaging as required. The session signaling server module 304 also supports session maintenance and termination services. During a session initiation operation, as part of an admission control step, the session signaling server may take into account and keep track of available resources. Thus, the session signaling server may access and update the resource information 306, which is kept in memory 312, e.g., information on available remaining bandwidth not allocated to active sessions.
[0041] The mobility agent module 302 allows the access node 128 to support end node mobility and connectivity management services. Thus, the access node 128 is capable of providing node mobility, session establishment, and session maintenance services to connected end nodes. The mobility agent module 302 may be implemented in a plurality of ways. In the FIG. 3 embodiment it is implemented with a collection of sub-modules. As illustrated, the mobility agent module 302 includes sub-modules 342, 343, 346, and 348 which operate as a Mobile IP Foreign Agent and Attendant, Nested MIP extensions, a Host Routing Agent, and a context transfer element respectively. The context transfer module 348 is responsible for the transfer of state information corresponding to an end node, e.g., as part of a handoff operation. By including sub-modules 342, 343, 346, and 348 the mobility agent module 302 is capable of handling handoffs, end node mobility and multiple versions of Mobile IP signaling including Mobile IPv4 and Mobile IPv6 signaling. The Nested MIP extension module 343 enables the MN to firstly acquire a local home agent in the visited network 124, and a local IP address from that local home agent as a MIP Home Address for the local access service. Module 343 then preserves the reachability of that local IP address as the MN moves within a portion of the visited network. Module 343 further enables the MN to employ a second layer of MIP signaling to configure any number of remote access tunnels with remote networks such as the third party network 106′, and to have the initialization of that tunnel be first checked against the authorization state for the MN via the Authentication Module. Further, the module 343 informs the MN when the local IP address is to become unreachable due to a change in local home agent, so that the module 342 can obtain a replacement local IP address from a new local home agent and so that the MN can then update the tunnel address for its remote access sessions. Finally, the Nested MIP extensions in module 343 enable one or more MIP signals to carry requests for specific services, and one or more novel service profile indicators that can be used by the authentication module to acquire the service profiles for those services, and to enable the MN to concurrently utilize more than one such service at the access node 128.
[0042] As part of a handoff operation executed by the mobility agent module 302, when an end node changes its point of connection from the access node 128 to another access node, or vice versa, the context transfer sub-module 348 performs an operation to support the transfer of state information 310 regarding the end node from one access node to the next. The state information 310 that is transferred includes state information provided by other modules in memory 312. In particular, the state information 310 includes data communication session state and session establishment state provided by the session signaling server module 304, as well as authentication state and other security related state provided by the authentication module 308. In the present context, “state” is used to broadly refer to information about a state, e.g., of a device, node, or communications session. In alternative embodiments of the invention the mobility agent module 302 may also include additional sub-modules to support a number of mobility related functions that improve the performance of handoff and minimize service disruption. In another alternative embodiment equivalent context transfer functionality may be implemented as a separate module in memory 312, as opposed to a sub-module of the mobility agent module 302.
[0043] The authentication module 308 included in memory 312 of the access node 128 is capable of authenticating messages and signals from other network nodes and end nodes connecting to the access node 128 via the input/output interface 301. The authentication module 308 also provides authentication services to other modules and sub-modules included in the memory 312 of the access node 128. Thus, the authentication module 308 can check the validity of messages and signals received by other modules and sub-modules in memory 312, e.g., the session signaling server module 304. Authentication module functionality can be incorporated directly into other modules or sub-modules instead of as a separate module 308.
[0044] While shown as software modules in the FIG. 3 implementation, each of the modules 302, 304, 308, and sub-modules included therein, can be implemented using hardware, software or a combination of software and hardware. For purposes of the invention described herein, references to modules or sub-modules are to be understood as software, hardware or a combination of software and hardware that performs the functions of the described module or sub-module.
[0045] In accordance with one particular embodiment of the present invention, the session signaling server module 304 is a SIP (Session Initiation Protocol) server. In a particular embodiment, the access node 128 is implemented as a wireless access router that supports forwarding of IP (Internet Protocol) datagrams. In such an implementation input/output interface 301 includes circuitry, e.g., receiver/transmitter circuitry, that allows end nodes to connect to the access node 128 using wireless communications technology, e.g., via wireless communications channels. In one such implementation the coverage area of the access node is called a communication “cell”. In alternative embodiments, the session signaling server module 304 sends, receives and processes signals based on other protocols such as the Resource Reservation Protocol (RSVP). In some embodiments the session signaling server module 304 supports both SIP and RSVP signaling. In some embodiments the input/output interface 301 includes circuitry that allows end nodes to connect to it via wired, wireless or a combination of wired and wireless communications technologies.
[0046] FIG. 4 illustrates an exemplary end node, e.g., mobile node 202, implemented in accordance with an exemplary embodiment of the invention. The exemplary end node 202, is a detailed representation of an apparatus that may be used as any one of the end nodes 202, 204, 202′, 204′, depicted in FIG. 2. In the FIG. 4 embodiment, the end node 202 includes a processor 404, a wireless communication interface 430, a user input/output interface 440 and memory 410 coupled together by bus 406. Accordingly, via bus 406 the various components of the end node 202 can exchange information, signals and data. The components 404, 406, 410, 430, 440 of the end node 202 are located inside a housing represented by the outermost box shown in FIG. 4.
[0047] The wireless communication interface 430 provides a mechanism by which the internal components of the end node 202 can send and receive signals to/from external devices and network nodes, e.g., access nodes. The wireless communication interface 430 includes, e.g., a receiver circuit 432 with a corresponding receiving antenna 436 and a transmitter circuit 434 with a corresponding transmitting antenna 438 used for coupling the end node 202 to other network nodes, e.g., via wireless communications channels.
[0048] The exemplary end node 202 also includes a user input device 442, e.g., keypad, and a user output device 444, e.g., display, which are coupled to bus 406 via the user input/output interface 440. Thus, user input/output devices 442, 444 can exchange information, signals and data with other components of the end node 202 via user input/output interface 440 and bus 406. The user input/output interface 440 and associated devices 442, 444 provide a mechanism by which a user can operate the end node 202 to accomplish various tasks. In particular, the user input device 442 and user output device 444 provide the functionality that allows a user to control the end node 202 and applications, e.g., modules, programs, routines and/or functions, that execute in the memory 410 of the end node 202.
[0049] The processor 404 under control of various modules, e.g., routines, included in memory 410 controls operation of the end node 202 to perform various signaling and processing as discussed below. The modules included in memory 410 are executed on startup or as called by other modules. Modules may exchange data, information, and signals when executed. Modules may also share data and information when executed. In the FIG. 4 embodiment, the memory 410 of end node 202 of the present invention includes a signaling/control module 412 and signaling/control data 414.
[0050] The signaling/control module 412 controls processing relating to receiving and sending signals, e.g., messages, for management of state information storage, retrieval, and processing. Signaling/control data 414 includes state information, e.g., parameters, status and/or other information relating to operation of the end node. In particular, the signaling/control data 414 may include configuration information 416, e.g., end node identification information, and operational information 418, e.g., information about current processing state, status of pending responses, etc. The module 412 may access and/or modify the data 414, e.g., update the configuration information 416 and/or the operational information 418.
[0051] The signaling/control module 412 includes remote access software which can be used to signal a request for a remote access tunnel to be set up to a remote access gateway in a network 106, 106′ or even 124. The remote access software uses the local IP address received as part of the MIP mobility module as the MN tunnel address, and the remote access software is restarted for every new local IP address allocated to the MN. The remote access tunnel can be based on MIP, IPSEC or L2TP software, for example. The MN 202 does not need to know the address of the remote access gateway in advance of initiating a MIP based remote access request because the AAA system can dynamically assign a remote access gateway address via the access router.
[0052] FIGS. 5-11 are simplified representations of the system shown in FIG. 1 with various exemplary signal flows shown.
[0053] FIG. 5 shows an exemplary sequence of signals used to enable an end node 202, which may be for example a mobile node (MN) 202, to access a MN remote access only service profile whilst in the visited network 124. A MIP remote access message 550 is transmitted towards access node 128 to request access to a remote access service while in the visited domain 104. Access node 128 may be, for example, an access router that is used to support the requested service profile. The message 550 is directed towards the Remote Home Agent 112 of the MN 202, in home domain 1 102, but is first sent to the access router 128 as message 550a and is then sent on to the remote home agent 112 as message 550b. Message 550 includes a Network Access Identifier (NAI) having a user part and a realm part. The realm part of the NAI of the MN 202 in message 550a identifies the home AAA server 114 of the MN 202, in home domain 102. This causes the access router 128 to send an authentication and authorization request (AAR) message 551a towards the visited AAA server 135, which generates and sends a proxy AAR message 552a towards the home AAA server 114. In AAR message 552a, a username part of an NAI included therein identifies the MN (host OS and/or user of host OS) user service profile. The identified profile is returned in AAR message 552b from home AAA server 114 to visited AAA server 135 and then from visited AAA server 135 to access router 128 in message 551b. The combination of messages received by access node 128 authenticates and authorizes the use by the MN 202 of a single remote access service in the visited network 124, that is controlled by the single MN remote access service profile returned by the home AAA server 114 to access node 128. The returned MN profile is stored and accessed by node 128 in order to provide end node 202 with the single authorized service.
[0054] FIG. 6 illustrates an exemplary embodiment of the invention whereby the roaming MN, end node 1 202 in this example, transmits information, used to obtain access to service profiles, towards a local home agent 140 in the visited network 124, via the access router 128. Access router 128 receives message 650a and forwards the message as message 650b to the local home agent 140. In this example, the information is communicated using MIP signaling and is included in a single MIP message 650a. Messages 650a and 650b include user service profile identification information, e.g., at least one service profile indicator such as an NAI. Receipt of message 650a by the access router triggers request AAR message 651a from access router 128 toward visited AAA server 135. Message 651a includes the service profile indicator information obtained from message 650a. The receipt of message 651a by AAA server 135 triggers the AAA server to transmit AAR message 652a, which includes the service profile identification information communicated by message 651a, toward home AAA server 114. The AAA server 114 returns the service profiles corresponding to the received service profile identification information to access node 128 via visited domain server 135 using messages 652b and 651b.
[0055] The access node 128 loads the returned profile information into memory and uses it to provide the requested service(s). The first MN service profile includes a local access MN service profile to control the local access service provided to the visiting MN 202 in the visited domain 104 employing an address from the local home agent 140 as the application address.
[0056] Message 650a can indicate, e.g., by including a second service profile indicator, in accordance with the invention, that the MN 202 wishes to employ a second user profile to control its remote access service. In such a case, AAR messages 652b, 651b will return this profile from the home AAA server 114, in addition to returning the local access profile. The remote access MN service profile is used by access node 128 to control usage of the visited network 124 by application flows using a remote access address from the remote home agent 112 as a source/destination address. The returned remote access user profile, in some embodiments, includes the remote access address and/or the address of the allowed remote home agents 112 for end node 202.
[0057] In some implementations the MN NAI in message 650a corresponds to both a local and a remote access service profile. In such an implementation, inclusion of the MN NAI in messages 650a, 651a, 652a is used to implicitly indicate that both the local and the remote access service profile should be returned from the home AAA server 114 to the access router 128 in the visited domain 104. When the MN 202 has multiple remote access services available from remote home agents 112 and 112′ in home domain 102 and third party domain 102′, then remote access profiles can be, and in various embodiments are, requested in AAR messages 651a and 652a and returned in AAR messages 652b and 651b to the access router 128, e.g., when the MN service profile for the third party remote access service is stored in the home AAA server 114.
[0058] The service profile indicator, e.g., MN NAI in message 650a, can be accompanied by one or more profile selectors which indicate which of a plurality of MN service profiles associated with the MN NAI and stored in the home AAA server 114 are to be requested in AAR messages 651a and 652a and should be returned in the AAR messages 652b and 651b. Consider the following example, where joe@networkA is the NAI and a local access service flag from the MIP local access message 650a is the profile selector associated with the NAI included in the messages 651a and 652a.
[0059] A profile selector can be, without loss of generality, e.g., a MIP signaling flag or a MIP extension in the MIP message 650a. A MIP signaling flag could be used for each type of requested service to indicate the required profile, with multiple such flags included in said message 650a. These flags could alternatively be included in a MIP extension. The MIP extension could include additional remote access service NAI(s). The remote access service NAI(s) may have the same realm (indicating home AAA server 114) such that the username part of said additional NAI indicates one or more additional user service profiles to the local access MN service profile. Note that these two NAIs could be sent by the MN 202 in message 650a in a single MIP NAI extension, formatted as a single NAI but including one realm part and two different username parts or, alternatively, as a single NAI that includes one username and two different realm parts. An example of a single NAI of the present invention with two different user parts and one realm part is as follows: joeESCbob@networkA where the ESCape character delineates the two usernames. An example of a single NAI of the present invention with one user name and two realm parts is as follows: joeESC@network@networkB where the ESCape character indicates a first realm nested within a second realm. Combinations of selectors and NAIs can also be used to request multiple profiles in a controlled way from the home AAA server 114. This functionality enables the MN to request access to a subset of multiple available services corresponding to different service profiles in a single message and be given or refused access to said services by the home AAA server 114.
[0060] FIG. 7 shows an alternative exemplary embodiment of the invention whereby the MN 202 requests multiple MN service profiles as part of the MIP local access message 750 but at least one of the remote access profiles does not reside in the home AAA server 114 of the MN 202, said server being identified by the realm part of a first NAI in the message 750. The message 750 includes a second NAI with a different realm part identifying another AAA server 114′ in the third party domain, known as the third party AAA server. The access router 128 detects the two NAIs with different realms and responds by generating and transmitting two separate AAR messages 751a and 753a, each of which corresponds to one NAI. The two messages are sent to, and proxied by, the visited AAA server 135. In response to receiving messages 751a and 753a, AAA server 135 transmits AAR messages 752a and 754a to the home AAA server 114 and the third party AAA server 114′, respectively. In response to receiving message 752a, the home AAA server 114 returns the local access profile to the visited AAA server 135 via message 752b. Subsequently the local access profile is returned via AAR message 751b from the visited AAA server 135 to the access router 128 along with any requested remote access service profiles that also reside in home AAA server 114.
[0061] The third party AAA server 114′ returns at least one additional remote access profile to the access node 128 by way of return message 754b which is supplied to the visited AAA server 135. The server 135 forwards the information received in message 754b to access router 128, in AAR message 753b. The MN service profiles returned in messages 751b and 753b are installed, e.g., loaded into the memory of access router 128, and then accessed. Accessing of the loaded service profiles may be, e.g., as part of a service control process, performed by the access node 128 to control consumption of visited network resources by the MN 202 while providing at least a portion of the services corresponding to the returned service profiles. For remote access service consumption, the MN issues a remote access service request which then matches a remote access service profile now residing in access node 128.
[0062] FIG. 8 shows another embodiment of the invention, which is a variation of the invention as described in FIG. 7, whereby the access router 128 issues a single AAR message 855 to the visited AAA server 135, in response to the message 850a from the MN 202. In the FIG. 8 embodiment messages 850 and 855a each include two NAIs. Each NAI includes a user part and a realm part. The two included NAIs have different realm parts, which identify at least two different user service profiles, e.g., at least one per NAI. The visited AAA server 135 detects the two NAIs and generates from the single AAR message 855a two AAR messages 852a and 854a. Messages 852a and 854a are directed to the home and third party AAA servers 114, 114′, respectively. The NAI and any profile selectors included in message 854a are used by the third party AAA server 114′ to retrieve MN profile information which is then returned to visited AAA server 135 in message 854b. Home domain AAA server 114 responds to message 852a by using the NAI and any selectors included in message 852a to retrieve a service profile and to return it to the visited domain server 135 via message 852b.
[0063] The visited AAA server 135 then merges the profile information included in messages 852b and 854b into a single message 855b which is transmitted back to the access router 128. The message 855b includes the retrieved user service profiles along with any available error information.
[0064] In some embodiments of the invention, two NAIs are sent by the MN 202 in a message 750 or 850 in a single MIP NAI extension. In one such embodiment the two NAIs are formatted as a single NAI including at least two different realms and one or two usernames. An example of such an NAI is joeESCjoe@networkAESC@networkB, where the ESCape character is used to concatenate the two usernames and the two @realms into a single username field and a single realm field respectively, and hence to instruct the visited AAA server 135 to recreate the two original NAIs.
[0065] FIGS. 7 and 8 also illustrate embodiments of the invention in which a single remote access profile may be comprised of information stored in two different AAA servers, such as the home AAA server 114 and the third party AAA server 114′. As shown in FIG. 7, the access router 128 combines the two parts of the profile into a single user service profile, whereas as shown in FIG. 8 either the visited AAA server 135 or the access router 128 combines the two profiles.
[0066] FIG. 9 shows a further embodiment of the invention. In FIG. 9 the message 950 includes a single MIP NAI extension that includes two NAIs and at least one username. The format this time would be joeESC@networkA@networkB which indicates that the profile for joe is at networkA but is accessible via networkB. This is carried in message 951a from the access router 128 to the visited AAA server 135 which proxies the information to the home AAA server 114, in message 952a, using the first of the realm fields in the NAI extension (networkB). The home AAA server 114 can then retrieve any profiles associated with the first username plus first realm. The home AAA server 114 then removes networkB and the ESC character from the NAI (leaving joe@networkA which is a standard NAI) and further proxies the request into message 956a to the third party AAA server 114′ using the second realm in the NAI extension. The user profiles associated with the username(s) in that realm, and any included selectors are then retrieved from the third party AAA server 114′ and returned to the access router 128 via the home AAA server 114 and the visited AAA server 135 via AAR messages 956b, 952b, and 951b respectively. The home AAA server combines the profiles returned from the third party AAA server 114′ with its own profiles as part of this return process. This enables the third party AAA server 114′ to hold the MN 202 local and remote access server profiles for the MN 202 and use the AAA connectivity and security associations of the home AAA server 114 to deliver those MN profiles to a large number of visited domains. It also enables the local access profile and the remote access profile to be distributed across the home AAA server 114 and the third party AAA server 114′, and be retrieved using a single message sequence.
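The two concatenated NAI forms described in [0064] and [0066] are easy to get wrong at the proxy that has to take them apart, so here is an added parser written for this page (it is not code from the patent and the patent specifies no parsing algorithm). It assumes the ESCape character is ASCII 0x1B and that the combined NAI arrives as one string; the classification rule that tells the [0064] "dual" form from the [0066] "via" form, and the character whitelist applied to usernames and realms, are this example's own choices. The whitelist matters because the delimiter is itself a control character: a proxy that accepted arbitrary control or separator characters in the fields could be made to recreate NAIs the sender never presented, and so route AAR messages to the wrong realm.

```python
# Added example (not from the patent text): parsing the combined NAI strings
# that [0064] and [0066] describe, as a visited AAA server would before
# proxying AAR messages. Assumption: ESC is ASCII 0x1B.
import string

ESC = "\x1b"
_LABEL_OK = set(string.ascii_letters + string.digits + "-._")


def _label(value: str, what: str) -> str:
    # Every username and realm must be non-empty and free of '@', ESC and any
    # other control or separator character, so that splitting is unambiguous.
    if not value:
        raise ValueError(f"empty {what}")
    bad = [c for c in value if c not in _LABEL_OK]
    if bad:
        raise ValueError(f"illegal character {bad[0]!r} in {what}")
    return value


def split_dual_nai(combined: str) -> list:
    """[0064] form: 'user1 ESC user2 @ realm1 ESC @realm2', or with one shared
    username 'user @ realm1 ESC @realm2'. Returns the two original NAIs."""
    user_field, sep, realm_field = combined.partition("@")
    if not sep:
        raise ValueError("missing '@'")
    users = user_field.split(ESC)
    realms = realm_field.split(ESC)
    if len(realms) != 2:
        raise ValueError("expected exactly two realms")
    # The second realm keeps its leading '@' in the concatenated form.
    realms = [realms[0], realms[1].removeprefix("@")]
    if len(users) == 1:
        users = users * 2          # one username shared by both realms
    if len(users) != 2:
        raise ValueError("expected one or two usernames")
    return [f"{_label(u, 'username')}@{_label(r, 'realm')}"
            for u, r in zip(users, realms)]


def parse_via_nai(combined: str) -> tuple:
    """[0066] form: 'user ESC @realmA @realmB' means the profile of user is at
    realmA but is reached via realmB. Returns (via_realm, standard_nai), where
    standard_nai is what the via-realm server forwards once it has removed its
    own realm and the ESC character."""
    user_field, sep, rest = combined.partition(ESC)
    if not sep or ESC in rest or not rest.startswith("@"):
        raise ValueError("not a via-form NAI")
    realms = rest[1:].split("@")
    if len(realms) != 2:
        raise ValueError("expected exactly two realms")
    home_realm, via_realm = (_label(r, "realm") for r in realms)
    return via_realm, f"{_label(user_field, 'username')}@{home_realm}"


def classify_nai(combined: str) -> tuple:
    """Decide which form arrived in the NAI extension.
    Returns (kind, payload) with kind in 'single', 'dual', 'via', 'malformed'."""
    try:
        if ESC not in combined:
            user, sep, realm = combined.partition("@")
            if not sep:
                raise ValueError("missing '@'")
            return "single", f"{_label(user, 'username')}@{_label(realm, 'realm')}"
        head, _, tail = combined.partition(ESC)
        # Via form: a bare username, then ESC, then '@realmA@realmB'.
        if "@" not in head and tail.startswith("@"):
            return "via", parse_via_nai(combined)
        return "dual", split_dual_nai(combined)
    except ValueError as exc:
        return "malformed", str(exc)


if __name__ == "__main__":
    # Constructed samples: the two examples from the page plus malformed input.
    for sample in ("joe" + ESC + "joe@networkA" + ESC + "@networkB",
                   "joe" + ESC + "@networkA@networkB",
                   "joe@networkA",
                   "joe" + ESC + "@networkA@networkB@networkC"):
        print(repr(sample), "->", classify_nai(sample))
```

Run as a script the block prints how each constructed sample is classified; a proxy would use `classify_nai` once per received NAI extension and reject anything reported as malformed before generating any onward AAR message.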
[0067] FIG. 10 shows a further embodiment of the invention whereby the message 550 or 650 or 750 or 850 or 950 has previously retrieved one or more MN service profiles, from the home AAA server 114 and optionally a third party AAA server 114′, said profiles including a local access profile to control initial service access of the MN 202 into the visited network 104. This can be achieved using any of the signaling options of FIGS. 5 through 9. At some later instance in time, the MN 202 seeks to request access to one of its configured remote access services by sending a remote access request message 1060 to a remote access gateway, which in FIG. 10 is remote home agent 112 in the home domain 102. The message 1060 may be forwarded through the access router 128 and addressed directly to the remote home agent 112, or as shown in FIG. 10 may be sent first to access router 128 and then onto the remote home agent 112. It could further be sent first to the access router 128 then to the local home agent 140 and next onto the remote home agent 112.
[0068] If the message 1060 includes information, such as an NAI and optional selector, which does match one of the existing MN service profiles in the access router 128, or indeed in any of the nodes through which message 1060 traverses, then the MN profile has previously been downloaded, and the profile should include information to indicate whether or not the target remote gateway, and the target remote access protocol is allowed by that profile, as well as information describing any associated facilities and limitations. Examples of remote access protocols are standard MIP remote access, standard point to point tunneling protocol (PPTP) remote access and standard IP Security (IPSEC) remote access, all such protocols using the local home address as a tunnel address, said address having been assigned to the MN from the local home agent as part of message 550, 560, 750, 850, or 950 and the associated AAA signaling and processing.
[0069] The invention shall be further discussed using MIP remote access as an example. However, the invention is also applicable to other remote access protocols such as, for example, standard PPTP remote access, standard IPSEC remote access, all such protocols using the local home address as a tunnel address, etc.
[0070] In another embodiment of the invention, if the MIP signaling message 1060 includes information, such as an NAI and optional selector, which does not match any existing MN service profiles in the access router 128, or indeed in any of the nodes through which message 1060 traverses, then the access router 128 and/or other such node can issue an AAR message 1055a, to its AAA server in its domain, for example AAA server 135 in visited domain 104 for access router 128, to retrieve that MN service profile via AAR message 155b using the information in message 1060. In an embodiment of the invention shown in FIG. 10, the remote access profile may be retrieved from the home AAA server 114 via messages 1055a, 1052a, 1052b, 1055b or from some combination of the third party server 114′ and the home AAA server 114 using messages 1055a, 1052a, 1056a, 1056b, 1052b, and 1055b. The NAI contents of the message 1060a from the MN will indicate which of the two message sequences will be followed.
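Paragraphs [0068] and [0070] together describe a three-way decision at the access router when a remote access request arrives: a matching installed profile authorizes (or refuses) the requested gateway and protocol, and a missing profile triggers an AAR to the router's own AAA server carrying the request's NAI and selector. The following is an added illustration of that decision written for this page, not the patent's own code; the profile fields (allowed gateways, allowed protocols, facilities), the selector-precedence rule, the `AccessRouter` class and the sample hostnames are all this example's assumptions.

```python
# Added example (not from the patent text): an access router's service
# control decision for a remote access request, per [0068] and [0070].
# Profile layout, selector precedence and hostnames are assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ServiceProfile:
    nai: str
    selector: Optional[str]                 # None: applies for any selector
    allowed_gateways: frozenset            # remote access gateways this profile permits
    allowed_protocols: frozenset           # e.g. {"MIP", "PPTP", "IPSEC"}
    facilities: dict = field(default_factory=dict)  # limits the visited network enforces


class AccessRouter:
    def __init__(self):
        self._profiles = {}   # (nai, selector) -> ServiceProfile

    def install(self, profile: ServiceProfile) -> None:
        # [0061]: profiles returned in the AAR reply are loaded into memory.
        self._profiles[(profile.nai, profile.selector)] = profile

    def lookup(self, nai: str, selector: Optional[str]) -> Optional[ServiceProfile]:
        # Assumed precedence: an exact (nai, selector) match beats the
        # selector-less profile for the same NAI.
        return self._profiles.get((nai, selector)) or self._profiles.get((nai, None))

    def handle_remote_access(self, nai: str, selector: Optional[str],
                             gateway: str, protocol: str) -> dict:
        profile = self.lookup(nai, selector)
        if profile is None:
            # [0070]: nothing installed for this request, so the router asks
            # its own domain's AAA server, passing on what the request carried.
            return {"action": "aar", "nai": nai, "selector": selector}
        # [0068]: the profile says whether the target gateway and the
        # remote access protocol are allowed; anything else is refused here,
        # without consulting any AAA server.
        if gateway not in profile.allowed_gateways:
            return {"action": "deny", "reason": f"gateway {gateway} not in profile"}
        if protocol not in profile.allowed_protocols:
            return {"action": "deny", "reason": f"protocol {protocol} not in profile"}
        return {"action": "allow", "facilities": dict(profile.facilities)}


def demo_router() -> AccessRouter:
    """Builds a router holding one constructed profile (sample data only)."""
    router = AccessRouter()
    router.install(ServiceProfile(
        nai="joe@networkA", selector=None,
        allowed_gateways=frozenset({"remote-ha.networkA.example"}),
        allowed_protocols=frozenset({"MIP", "PPTP"}),
        facilities={"max_kbps": 512}))
    return router


if __name__ == "__main__":
    r = demo_router()
    print(r.handle_remote_access("joe@networkA", "voip", "remote-ha.networkA.example", "MIP"))
    print(r.handle_remote_access("joe@networkA", "voip", "remote-ha.networkA.example", "IPSEC"))
    print(r.handle_remote_access("ann@networkB", None, "remote-ha.networkA.example", "MIP"))
```

The point of keeping the deny branch local is the one [0068] makes: once a profile has been installed, the visited network can enforce which gateway and protocol the MN may use without a further round trip, and only genuinely unknown requests cost an AAR exchange.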
[0071] The remote access profile can be distributed between the third party 114′ and the home AAA server 114, can be stored in the home AAA server 114 and be checked by the third party AAA server 114′, or can be stored in the third party AAA server 114′ and checked by the home AAA server 114.
[0072] The home AAA server 114 is involved in this example of the invention because the remote access gateway is in the home domain 102 so that the home AAA server 114 is able to securely communicate the necessary MIP security and configuration information to the relevant MIP remote access nodes (a subset of the MN, access router, local home agent and remote home agent) according to the routing of the MIP message 1060.
[0073] FIG. 11 shows an alternate example of the invention wherein the remote access service request message 1170 is directed at the third party remote home agent 112′ which can traverse any of the following: access router 128, local home agent 140 and remote home agent 112. In FIG. 11 it is shown traversing the access router 128 on its way to the remote access router 112′ in the third party domain. The AAR messages therefore also visit the third party AAA server 114′ so that access to said home agent 112′ can be managed. This can be achieved by messages 1155a, 1155b and message 1154