Abstract: The invention relates to a method of arranging roaming in a telecommunications system comprising a local network, at least one public land mobile network, and a terminal equipment. In the telecommunications system, public land mobile network identifiers and network element identifiers linked therewith are defined. These public land mobile network identifiers and the network element identifiers linked therewith are transmitted to the terminal equipment. The terminal equipment selects a public land mobile network by means of a comparison of the received public land mobile network identifiers and public land mobile network identifiers stored in the terminal equipment. Access is arranged for the terminal equipment via the local network to the network element determined by the network element identifier linked with the identifier of the selected public land mobile network.

Abstract: A re-registration authorization is attached to a registration request or data packet sent from a mobile node roaming on a foreign network. The mobile node requests registration with its home network in order to maintain communication with the Internet and maintain identification of the mobile node by its individual home address. Such registration has a limited lifetime, and the re-registration authorization attached to the registration request or other data packet authorizes an intermediate communication entity in the foreign network to re-register the mobile node, on behalf of the mobile node, with the mobile node's home network, if the communication traffic of the mobile node indicates that the mobile node is still roaming on the foreign network. The rate of error is reduced by significantly reducing the amount of transmissions sent from the mobile node, and power consumption of the typically battery-powered mobile unit is reduced, as well.

Abstract: A system and method for three-party authentication and authorization. The system includes an authorizer that authorizes requestors, a client that makes a request, and a local attendant that provides a conduit through which messages between the client and the authorizer pass. The authorizer, the client, and a peer on which the requested resource may be accessed are each in separate domains. A domain is defined as a set of one or more entities such that if the set includes more than one entity, a connection between any two of the entities in the set can be secured by static credentials that are known by each of the two entities. A subscriber identity module (SIM) may be used to generate a copy of a key for the client to be used in accessing a requested resource.

Abstract: The invention relates to a method for distinguishing clients in a communication system comprising at least one wireless access network and at least one wired access network. The wireless access network comprise means for connecting wireless clients in communication to the wireless access network. Wired access network comprise means for connecting wired clients in communication to the wired access network. Communication system comprise means for communicating between the access network and the wired access network. In the method a resolution request message is transmitted to the communication system indicating a client to be examined, the message is received in at least one other node. A decision whether a resolution reply message is to be transmitted to the communication system is performed on the basis of a resolution reply message.

Abstract: The invention discloses a method transferring packets between a mobile host device (100) and a source node via a number of independent data networks while maintaining a secure connection. The independent networks may include, for example, the Internet (120), localized Access Zones (110, 140), a Corporate Intranets, a Home Network (130) etc. Problems may occur, for example, when the mobile node is using a co-located care-of address, in which case both IP-in-IP and IPsec tunneling transformations are performed, and the current IPsec and IP-in-IP implementations cannot perform the required tunneling operations on the mobile host. This is because the IP-in-IP and IPsec tunneling when the IP-in-IP tunnel is not the outermost transformation. In an embodiment of the invention, the security policy operated by the mobile host includes a primary security policy and a dynamic secondary security policy that selectively apply specified transformations to certain packets in the data transfer.

Abstract: A method of selecting the serving network element in a telecommunications network. Mobility agents or routers transmit attribute information on one or more network elements in advertising messages to at least one mobile node. This information is used in the mobile node for selecting the serving network element.

Abstract: Authentication method for authenticating a mobile node to a packet data network, in which a shared secret for both the mobile node and the packet data network is arranged by using a shared secret of the mobile node and a telecommunications network authentication center. In the method, the mobile node sends its subscriber identity to the packet data network together with a replay attack protector. The packet data network obtains authentication triplets, forms a session key using them, and sends back to the mobile node challenges and a cryptographic authenticator made by using the session key. The mobile node can then form the rest of the authentication triplets using the challenges and then form the session key. With the session key, the mobile node can check the validity of the cryptographic authenticator. If the authenticator is correct, the mobile node sends a cryptographic response formed using the session key to the packet data network for authenticating itself to the packet data network.

Abstract: A method for load balancing in a telecommunications system supporting Mobile IP, the system comprising at least one mobile node and at least one home agent. The home agent mainly supporting the mobility of the mobile node is defined as the primary home agent and one or more secondary home agents are added to the telecommunications system. Packets destined for the mobile node are transmitted, when needed, via one or more secondary home agents.