Providing secure network access for short-range wireless computing devices
5 Assignments
0 Petitions
Abstract
The present invention provides methods, systems, and computer program instructions for providing location-independent packet routing and secure access in a wireless networking environment (such as that encountered within a building), enabling client devices to travel seamlessly within the environment. Each client device uses a constant address. An address translation process that is transparent to the client and server is automatically performed as the device roams through the environment, enabling efficient client migration from one supporting access point to another. The secure access techniques provide user-centric authentication and allow policy-driven packet filtering, while taking advantage of encryption capabilities that are built into the hardware at each endpoint.
117 Citations
65 Claims
1. A method of enabling location-independent packet routing in a short-range wireless networking environment, comprising the steps of:
- providing one or more portable client devices, each of the client devices identified by a constant client address and equipped with a short-range wireless communications capability for communicating in the short-range wireless networking environment;
- providing one or more application servers, each of the application servers equipped for communicating with the client devices over the short-range wireless networking environment;
- transmitting a packet from a selected one of the client devices to a selected one of the application servers;
- receiving the transmitted packet at a Foreign Address Masquerader (FAM);
- accessing, by the FAM, a FAM translation record;
- applying, by the FAM, a network address translation to replace a client address and port in the transmitted packet with a masquerading address and port retrieved by the accessing step, thereby creating a modified packet; and
- forwarding, by the FAM, the modified packet to the selected application server.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A method of enabling location-independent packet routing in a short-range wireless networking environment, comprising the steps of:
- providing one or more portable client devices, each of the client devices identified by a constant client address and equipped with a short-range wireless communications capability for communicating in the short-range wireless networking environment;
- providing one or more application servers, each of the application servers equipped for communicating with the client devices over the short-range wireless networking environment;
- transmitting a packet from a selected one of the application servers to a selected one of the client devices;
- receiving the transmitted packet at a Home Address Masquerader (HAM);
- accessing, by the HAM, a HAM translation record;
- applying, by the HAM, a network address translation to replace a masquerading address and port in the transmitted packet with a Foreign Address Masquerader (FAM) address and port retrieved by the step of accessing the HAM translation record, thereby creating a first modified packet;
- forwarding, by the HAM, the first modified packet to the FAM;
- receiving the forwarded packet at the FAM;
- accessing, by the FAM, a FAM translation record;
- applying, by the FAM, a network address translation to replace the FAM address and port in the forwarded packet with a client address and port retrieved by the step of accessing the FAM translation record, thereby creating a second modified packet; and
- forwarding, by the FAM, the second modified packet to the selected client device.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41
26. A method of enabling location-independent packet routing in a short-range wireless networking environment, comprising the steps of:
- providing one or more portable client devices, each of the client devices identified by a constant client address and equipped with a short-range wireless communications capability for communicating in the short-range wireless networking environment;
- providing one or more application servers, each of the application servers equipped for communicating with the client devices over the short-range wireless networking environment;
- transmitting a first packet from a selected one of the client devices to a selected one of the application servers, further comprising the steps of:
  - transmitting the first packet from the selected client device using the constant client address and a client port as a packet source and an address and port of the selected application server as a packet destination;
  - receiving the transmitted first packet at a Foreign Address Masquerader (FAM);
  - accessing, by the FAM, a FAM translation record;
  - applying, by the FAM, a network address translation to replace the constant client address and client port in the transmitted first packet with a masquerading address and port retrieved by the accessing step, thereby creating a first modified packet; and
  - forwarding, by the FAM, the first modified packet to the selected application server; and
- transmitting a second packet from the selected application server to the selected client device, further comprising the steps of:
  - transmitting the second packet from the selected application server using the address and port of the selected application server as the packet source and the masquerading address and port as the packet destination;
  - receiving the transmitted second packet at a Home Address Masquerader (HAM);
  - accessing, by the HAM, a HAM translation record;
  - applying, by the HAM, the network address translation to replace the masquerading address and port in the transmitted second packet with a FAM address and port retrieved by the step of accessing the HAM translation record, thereby creating a second modified packet;
  - forwarding, by the HAM, the second modified packet to either the FAM or a different dynamically-determined FAM which becomes the FAM;
  - receiving the forwarded second modified packet at the FAM;
  - again accessing, by the FAM, the FAM translation record;
  - again applying, by the FAM, the network address translation to replace the FAM address and port in the forwarded second modified packet with the constant client address and the client port retrieved by the step of again accessing the FAM translation record, thereby creating a third modified packet; and
  - forwarding, by the FAM, the third modified packet to the selected client device.
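The two-stage translation of claims 1, 9 and 26 (FAM on the outbound path, HAM then FAM on the return path, with the HAM record re-pointed when the client roams to a different FAM) as an added simulation; this is not the patent's code, and every address, port, record layout and class name here is constructed for the demonstration.

```python
# Added simulation of the FAM/HAM translation chain of claims 1, 9 and 26; it is
# not the patent's code, and every address, port and record layout is constructed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: tuple   # (address, port)
    dst: tuple   # (address, port)
    body: str

class FAM:
    """Foreign Address Masquerader at the client's current access point."""
    def __init__(self, addr):
        self.addr, self.out, self.back = addr, {}, {}
    def attach(self, client, fam_port, masq):
        # FAM translation record: client pair <-> masquerading pair, plus the
        # FAM-side endpoint the HAM will address when it forwards replies here.
        self.out[client] = masq
        self.back[(self.addr, fam_port)] = client
        return (self.addr, fam_port)

    def outbound(self, pkt):   # claim 1: client addr/port -> masquerading addr/port
        return replace(pkt, src=self.out[pkt.src])
    def inbound(self, pkt):    # claim 9: FAM addr/port -> client addr/port
        return replace(pkt, dst=self.back[pkt.dst])

class HAM:
    """Home Address Masquerader: servers only ever see the masquerading pair."""
    def __init__(self):
        self.records = {}      # (masq addr, port) -> (FAM addr, port)

    def point(self, masq, fam_endpoint):
        self.records[masq] = fam_endpoint   # re-pointed when the client roams
    def inbound(self, pkt):    # claim 9: masquerading addr/port -> FAM addr/port
        return replace(pkt, dst=self.records[pkt.dst])

CLIENT, SERVER, MASQ = ("10.0.0.7", 5000), ("10.1.0.20", 80), ("10.9.0.1", 61000)

def round_trip(fam_a, fam_b, ham):
    """Request through FAM A, roam to FAM B, reply still reaches the constant client address."""
    ham.point(MASQ, fam_a.attach(CLIENT, 40001, MASQ))
    req = fam_a.outbound(Packet(CLIENT, SERVER, "GET /"))   # first modified packet
    assert req.src == MASQ                                   # server never sees CLIENT
    ham.point(MASQ, fam_b.attach(CLIENT, 40002, MASQ))       # client roamed to FAM B
    reply = Packet(SERVER, req.src, "200 OK")                # server answers the masq pair
    at_fam = ham.inbound(reply)                              # HAM -> new FAM (second modified)
    return req, at_fam, fam_b.inbound(at_fam)                # FAM -> client (third modified)
def demo():
    return round_trip(FAM("10.2.0.1"), FAM("10.2.0.2"), HAM())
```

Note that the server's view (the masquerading pair) never changes across the roam; only the HAM and FAM records do, which is what makes the client address constant.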
42. A method of enabling secure network access in a short-range wireless networking environment, comprising the steps of:
- providing one or more portable client devices, each of the client devices equipped with a short-range wireless communications capability for communicating in the short-range wireless networking environment;
- receiving, by a network access point, a communication from a selected one of the client devices;
- determining, by the network access point, that the selected client device does not have a valid session key for encryption;
- obtaining, by the network access point, user credentials for a user of the selected client device;
- authenticating, by the network access point, the user credentials by contacting an authentication server;
- establishing the valid session key when the authenticating step completes successfully; and
- using the established session key, by the selected client device and the network access point, to encrypt packets that are transmitted over a link between the selected client device and the network access point.
Dependent claims: 43, 44, 45, 46, 49, 50, 51
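The admission flow of claim 42 (and of the parallel system and program claims 52 and 61) as an added model; it is not the patent's code. The PBKDF2 credential store, the random session key and the HMAC-SHA256 keystream used to encrypt link frames are constructed stand-ins for the endpoint hardware cipher the abstract mentions; only the control flow follows the claim's steps.

```python
# Added model of the access-point admission flow of claim 42 (not the patent's code).
# The credential store, the key derivation and the HMAC-SHA256 keystream used to
# encrypt link frames are constructed stand-ins for the endpoint hardware cipher the
# abstract mentions; the control flow is what the claim's steps describe.
import hashlib, hmac, os

class AuthServer:
    """Keeps salted PBKDF2 verifiers; the access point only relays the check."""
    def __init__(self, users):                   # users: {name: password}, constructed
        self._db = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._db[name] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000))

    def authenticate(self, name, pw):
        if name not in self._db:
            return False
        salt, verifier = self._db[name]
        candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)
        return hmac.compare_digest(candidate, verifier)

class AccessPoint:
    def __init__(self, auth_server):
        self.auth = auth_server
        self.keys = {}                            # client id -> current session key

    def receive(self, client_id, credentials=None):
        """Claim 42: no valid session key -> obtain credentials -> authenticate -> key."""
        if client_id in self.keys:                # valid key already established
            return self.keys[client_id]
        if credentials is None:                   # step: obtain user credentials
            raise PermissionError("credentials required before link is encrypted")
        user, pw = credentials
        if not self.auth.authenticate(user, pw):  # step: contact authentication server
            raise PermissionError("authentication failed")
        self.keys[client_id] = os.urandom(32)     # step: establish the session key
        return self.keys[client_id]

def seal(key, frame_no, data):
    """Symmetric link transform: XOR with an HMAC-SHA256 keystream keyed by the session
    key and the per-frame counter; applying it twice with the same counter restores data."""
    stream = b""
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, frame_no.to_bytes(8, "big") + block.to_bytes(4, "big"),
                           "sha256").digest()
    return bytes(a ^ b for a, b in zip(data, stream))
```

The access point holds no password material itself, which is the separation the claim draws between the access point and the authentication server.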
47. A method of enabling location-independent packet routing in a short-range wireless networking environment, comprising the steps of:
- establishing, by a client device, a first connection to a first application server;
- assigning the first connection to a first Home Address Masquerader (HAM);
- establishing, by the client device, a second connection to a second application server; and
- assigning the second connection to a second HAM, wherein the first HAM and the second HAM are distinct.
48. A system for enabling location-independent packet routing in a short-range wireless networking environment, comprising:
- one or more portable client devices, each of the client devices identified by a constant client address and equipped with a short-range wireless communications capability for communicating in the short-range wireless networking environment;
- one or more application servers, each of the application servers equipped for communicating with the client devices over the short-range wireless networking environment;
- means for transmitting a packet from a selected one of the client devices to a selected one of the application servers using a masquerading address and port for the selected client device instead of the constant client address by forwarding the packet through a Foreign Address Masquerader (FAM); and
- means for transmitting a response packet from the selected application server to the selected client device using the masquerading address and port by forwarding the response packet through a Home Address Masquerader (HAM) and either the FAM or a dynamically-determined different FAM which then becomes the FAM.
52. A system for enabling secure network access in a short-range wireless networking environment, comprising:
- one or more portable client devices, each of the client devices equipped with a short-range wireless communications capability for communicating in the short-range wireless networking environment;
- means for receiving, by a network access point, a communication from a selected one of the client devices;
- means for determining, by the network access point, that the selected client device does not have a valid session key for encryption;
- means for obtaining, by the network access point, user credentials for a user of the selected client device;
- means for authenticating, by the network access point, the user credentials by contacting an authentication server;
- means for establishing the valid session key when the means for authenticating completes successfully; and
- means for using the established session key, by the selected client device and the network access point, to encrypt packets that are transmitted over a link between the selected client device and the network access point.
Dependent claims: 53, 54, 55, 56, 58, 59, 60
57. Computer program instructions embodied on one or more computer readable media, the computer program instructions adapted for enabling location-independent packet routing in a short-range wireless networking environment and comprising:
- computer program instructions for accessing one or more portable client devices, each of the client devices identified by a constant client address and equipped with a short-range wireless communications capability for communicating in the short-range wireless networking environment;
- computer program instructions for accessing one or more application servers, each of the application servers equipped for communicating with the client devices over the short-range wireless networking environment;
- computer program instructions for transmitting a packet from a selected one of the client devices to a selected one of the application servers using a masquerading address and port for the selected client device instead of the constant client address by forwarding the packet through a Foreign Address Masquerader (FAM); and
- computer program instructions for transmitting a response packet from the selected application server to the selected client device using the masquerading address and port by forwarding the response packet through a Home Address Masquerader (HAM) and either the FAM or a different dynamically-determined FAM which then becomes the FAM.
61. Computer program instructions embodied on one or more computer readable media, the computer program instructions adapted for enabling secure network access in a short-range wireless networking environment, comprising:
- computer program instructions for accessing one or more portable client devices, each of the client devices equipped with a short-range wireless communications capability for communicating in the short-range wireless networking environment;
- computer program instructions for receiving, by a network access point, a communication from a selected one of the client devices;
- computer program instructions for determining, by the network access point, that the selected client device does not have a valid session key for encryption;
- computer program instructions for obtaining, by the network access point, user credentials for a user of the selected client device;
- computer program instructions for authenticating, by the network access point, the user credentials by contacting an authentication server;
- computer program instructions for establishing the valid session key when the computer program instructions for authenticating complete successfully; and
- computer program instructions for using the established session key, by the selected client device and the network access point, to encrypt packets that are transmitted over a link between the selected client device and the network access point.
Dependent claims: 62, 63, 64, 65