Network-based mobile workgroup system

US 20020069278A1
Filed: 12/05/2000
Published: 06/06/2002
Est. Priority Date: 12/05/2000
Status: Active Grant

First Claim

Patent Images

1. In an Internet, a mobile virtual private network (VPN) provides a mobile client secure data access to the VPN and secure data access to the mobile client from within the mobile VPN, when a point of attachment of the mobile client to the mobile VPN may change.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network-based mobile workgroup system has considerably wider appeal and application than normal virtual private networks in that it provides seamless mobility across a number of access technologies at the same time as it offers a granular security separation down to workgroup level. The mobile workgroup system is an access management system for mobile users with VPN and firewall functionality inbuilt. The mobile user can access the mobile workgroup system over a set of access technologies and select server resources and correspondent nodes to access pending their workgroup membership approvals. All workgroup policy rules are defined in a mobile service manager and pushed down to one or more mobile service routers for policy enforcement. The mobile service router closest to the mobile client, and being part of the mobile virtual private network, performs regular authentication checks of the mobile client during service execution. At the same time it performs traffic filtering based on the mobile user'"'"'s workgroup memberships. Together, these two components constitute an unprecedented security lock, effectively isolating a distributed workgroup into a mobile virtual private network.

Citations

103 Claims

1. In an Internet, a mobile virtual private network (VPN) provides a mobile client secure data access to the VPN and secure data access to the mobile client from within the mobile VPN, when a point of attachment of the mobile client to the mobile VPN may change.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103)
- - 2. The mobile VPN system of claim 1, further comprising:
    - plural mobile client nodes providing an interface for user interaction;
      
      plural mobile service router nodes providing a mobile VPN spanning multiple router hops and sites.
  - 3. The mobile VPN system of claim 2, further comprising:
    - a network address identifier (NAI) with which a user of a mobile client is uniquely identified in the mobile VPN system. a set of firewall filters and route policies with which a workgroup is protected.
  - 4. The mobile workgroup system of claim 3, wherein the network address identifier is used to authenticate the mobile user at start and during the continuation of a network login session and wherein the firewall filters and route policies are applied to the forwarding of packets based on the mobile user'"'"'s workgroup memberships.
  - 5. The mobile workgroup system of claim 4, wherein the IP address allocated to the mobile client is tied to the network address identifier of the mobile user.
  - 6. The mobile workgroup system of claim 5, wherein the allocated IP address for each mobile client is kept stable during the duration of a network login session and used in the mobile service router as a identifier of workgroup filters to apply to a packet.
  - 7. The mobile workgroup system of claim 6, wherein a specific IP address is an IPv6 address where one portion of the address indicates mobile VPN system and another mobile client identity.
  - 8. The mobile workgroup of claim 6, wherein a specific IP address is an IPv4 address where the IP address range from which the address is selected indicates mobile VPN system.
  - 9. The mobile workgroup system of claim 6, wherein the participating nodes can communicate using intra-domain, inter-domain or remote access routing.
  - 10. The mobile workgroup system of claim 9, wherein a node first attempts to establish intra-domain routing with the mobile workgroup data network;
    - wherein inter-domain routing is attempted in case intra-domain routing is not available;
      
      wherein remote access is seen as last resort.
  - 11. The mobile workgroup system of claim 10, wherein intra-domain routing between participating nodes in a mobile VPN home network is based on flat (non-hierarchical), mobile adhoc network (MANET) routing techniques.
  - 12. The intra-domain routing technique of claim 11, wherein one specific metric for route calculation is quality of service.
  - 13. The intra-domain routing technique of claim 11, wherein one specific mobile adhoc routing technique includes the Topology Broadcast based on Reverse-Path Forwarding (TBRPF) protocol.
  - 14. The intra-domain routing technique of claim 11, wherein one specific mobile adhoc routing technique includes the Core-Extraction Distributed Ad Hoc Routing (CEDAR) protocol.
  - 15. The intra-domain routing technique of claim 11, wherein one specific mobile adhoc routing protocol technique includes the Adhoc On-demand Distance Vector (AODV) protocol.
  - 16. The intra-domain routing technique of claim 11, wherein one specific mobile adhoc routing technique includes multicasting and groupcast (xcast) protocols for the purpose of sending messages to all or selected members of a workgroup.
  - 17. The multicasting routing protocol of claim 16, wherein the multicast address resolution protocol is used to discover a node for subsequent unicasting of packets to same node.
  - 18. The multicast routing protocol of claim 16, wherein one specific routing algorithm to obtain lowest cost to reach a set of destinations is based on a branch and cut algorithm for solving Steiner tree problems.
  - 19. The intra-domain routing technique of claim 11, further comprising routing between:
    - mobile client-mobile client;
      
      mobile client-mobile service router;
      
      mobile service router-mobile service router.
  - 20. The intra-domain routing technique of claim 19, wherein multiple paths are available for routing to and from a multi-homed node.
  - 21. The intra-domain routing technique of claim 20, wherein the selection of next-hop node for a route in the workgroup network is decided on;
    - a per destination basis;
      
      Quality of service preferences;
      
      Security preferences;
      
      Protocol/application type.
  - 22. The intra-domain routing technique of claim 21, wherein any node (mobile client and mobile service router) may change primary point of attachment to the workgroup home network without changing IP address.
  - 23. The intra-domain routing technique of claim 22, wherein changing point of attachment is treated as a routing update;
    - wherein a link-state routing update may be due to forced handoff initiated by the underlying link or IP tunneling layer technology; and
      
      wherein a change of point of attachment may be due to a volunteer handoff initiated by the intra-domain routing process when discovering a stable, new optimal route to all workgroup nodes across alternative links or IP tunnels;
      
      wherein either handoff style causes temporary replication of sent data packets from and towards the moving node over both old and new route in the mobile virtual private network.
  - 24. The intra-domain routing technique of claim 23, wherein forced handoff at the link layer initiates partitioning at the routing layer in case no route is discovered during a configured interval to a subset of the workgroup nodes;
    - and wherein the discovery of a new link initiates merging of partitions at the routing layer in case nodes from both partitioning are part of the same workgroup.
  - 25. The mobile workgroup system of claim 10, wherein inter-domain routing is performed through encapsulation of intra-domain packets in a tunneling protocol between foreign and home mobile service router following a handshake via any number of AAA proxies.
  - 26. The inter-domain routing technique of claim 25, further comprising:
    - authentication, authorization and accounting between foreign mobile service router and home mobile service router based on the DIAMETER protocol;
      
      authentication, authorization and accounting between foreign mobile service router and home mobile service router based on the RADIUS protocol;
      
      authentication and mobility management between the mobile client the foreign mobile service router and the home mobile service router based on the Mobile IP protocol. payload encryption, authentication and compression between mobile client and the foreign and home mobile service router respectively using the IPSec protocol.
  - 27. The inter-domain routing technique of claim 26, wherein the mobile user information data storage is separated from the home mobile service router.
  - 28. The inter-domain routing technique of claim 27, wherein multiple home mobile service routers may act as AAA servers for the same user through the use of a common data storage.
  - 29. The inter-domain routing technique of claim 28, wherein the selection of home mobile service router acting as DIAMETER server is based on routing information, further comprising:
    - Route preference of each mobile service router for IPv4 networks;
      
      Shared anycast address for all mobile service routers in IPv6 networks.
  - 30. The inter-domain routing technique of claim 28, wherein the geographic vicinity of the mobile client with regards to available home mobile service routers is determined by the use of a spatial location protocol.
  - 31. The inter-domain routing technique of claim 28, wherein the home mobile service router is kept the same at change of point of attachment in foreign domain.
  - 32. The inter-domain routing technique of claim 31, wherein the selection of mobile service router is re-computed when roaming into a new foreign domain.
  - 33. The mobile workgroup system of claim 10, wherein remote access from non-workgroup aware Internet environment is allowed for both mobile client and mobile service router.
  - 34. The remote access technique of claim 33, further comprising:
    - mobility service router discovery and security negotiation using the Security Policy Protocol (SPP);
      
      authentication and mobility management using the Mobile IP (MIP) protocol applied with the co-located care-of address option;
      
      payload authentication, encryption and compression using the IPSec protocol.
  - 35. The remote access technique of claim 34, wherein the policy server function is placed in the mobile client and the mobile service router.
  - 36. The remote access technique of claim 35, wherein the security gateway is placed in the mobile service router.
  - 37. The remote access technique of claim 36, wherein the node attempting mobile service router discovery sets the destination to a well-known name for the workgroup and can retrieve a set of IP addresses of available mobile service routers from the domain name system.
  - 38. The remote access technique of claim 37, wherein discovery of and negotiation with intermediate security gateways is performed during the security policy protocol exchange towards the discovered mobile service router.
  - 39. The remote access technique of claim 38, wherein the intra-domain routing protocol is applied on top of the remote access technique.
  - 40. The mobile workgroup system of claim 3, wherein the mobility workgroup service is provided independently of mobility services offered by a radio access technology specific network.
  - 41. The mobility workgroup service of claim 40, wherein the radio access technology specific network includes Wireless LAN and HiperLAN2.
  - 42. The mobility workgroup service of claim 40, wherein the cellular access technology specific network includes IMT-2000 based systems like UMTS and cdma2000.
  - 43. The mobility workgroup service of claim 40, wherein the data network is operated by an Internet Service Provider (ISP) utilizing a centralized mobile service manager.
  - 44. The mobility workgroup service of claim 43, wherein extranet workgroups are created through the aggregation of workgroups from different organizations in the same mobile service manager.
  - 45. The mobility workgroup service of claim 40, further comprising:
    - service access control to intranet and Internet services;
      
      secure access connectivity option to neighbor node;
      
      service provisioning based on physical location;
      
      quality of service differentiation based on workgroup membership;
      
      interactive real-time communication services between workgroup members.
  - 46. The service access control service of claim 45, wherein a firewall profile is downloaded from the mobile service manager to all nodes allocated to the workgroup.
  - 47. The service access control service of claim 46, wherein Internet access is provided via any of the nodes allocated to the workgroup using Internet routing protocols.
  - 48. The service access control of claim 47, wherein the Internet routing protocols include Open Shortest Path First (OSPF).
  - 49. The service access control of claim 47, wherein the Internet routing protocols include Border Gateway Protocol (BGP).
  - 50. The service access control of claim 47, wherein the route metrics from the Internet routing protocol is propagated into the workgroup intra-domain routing protocol.
  - 51. The service access control of claim 46, wherein threshold-based scanner protection is applied in all nodes allocated to the workgroup to protect against attacks towards the workgroup data network from the Internet.
  - 52. The secure access connectivity option of claim 45, wherein every packet is authenticated and/or encrypted using the IPSec protocol.
  - 53. The location-based service provisioning of claim 45, wherein wildcards are added in the service profile when downloaded from the mobile service manager to the workgroup nodes.
  - 54. The location-based service provisioning of claim 53, wherein the mobile service router acts as a directory agent using the Service Location Protocol to discover services from local service agents.
  - 55. The location-based service provisioning of claim 53, wherein the mobile service routers allocated to a workgroup provides consistent domain names for services in the profile.
  - 56. The location-based service provisioning of claim 53, wherein the mobile service routers update their domain name service resources records with the results of the local service discovery process and the mobile clients caches correspondent resource records for later use.
  - 57. The quality of service differentiation of claim 45, wherein all nodes allocated to a workgroup applies the same quality of service profile.
  - 58. The quality of service profile of claim 57, wherein all nodes allocated to a workgroup applies the same quality of service profile.
  - 59. The quality of service profile of claim 58, wherein the quality of service differs based on application type.
  - 60. The quality of service differentiation of claim 57, wherein a distributed weighted fair queuing scheme is applied among neighbor nodes.
  - 61. The quality of service differentiation of claim 60, wherein cause of packet loss due to random error on radio link is made known to the Transport Control Protocol (TCP) implementation running on the mobile client.
  - 62. The quality of service differentiation of claim 61, wherein the mobile client TCP implementation ignores packet loss due to random error when determining window size.
  - 63. The quality of service differentiation of claim 57, wherein quality of service statistics are collected from the workgroup nodes to the mobile service manager in order to follow-up service level agreements.
  - 64. The interactive real-time communication services of claim 45, wherein mobile service routers maintain stable domain name resource records for all members of a workgroup and mobile clients caches such resource records for later use.
  - 65. The interactive real-time communication services of claim 64, such as multimedia services wherein voice over IP is one service.
  - 66. The multimedia service of claim 65, wherein the technology specific protocols include the Session Initiation Protocol (SIP).
  - 67. The interactive real-time communication service of claim 66, wherein the nodes belonging to a workgroup applies a SIP filter downloaded from the mobile service manager applying encryption only to control communication.
  - 68. The multimedia service of claim 65, wherein the technology specific protocols include the xcast protocol suite for small group multicasting.
  - 69. The mobile workgroup system of claim 40, wherein the security solution is based on a separation of each site of the mobile virtual private network into two parts, further comprising:
    - an access network acting as a shared media for workgroup members and non-members to access the site;
      
      a service network acting as a safe repository for workgroup server resources at the site.
  - 70. The security solution of claim 69, wherein one or several mobile service routers perform user authentication, policy routing and packet filtering of traffic between the access and service network in a site based on a mobile user'"'"'s workgroup memberships.
  - 71. The security solution of claim 70, wherein mobile service routers placed at the border of the mobile virtual private network also provide firewall protected interfaces to the Internet and a de-militarized zone (DMZ).
  - 72. The security solution of claim 70, wherein the mobile IP home network for the mobile client is defined as a service network protected by one or more mobile service routers.
  - 73. The security solution of Claim 70, wherein the mobile home network for the mobile client is defined as a virtual home network hosted by one or several mobile service routers.
  - 74. The security solution of claim 71, wherein a three tier security architecture is defined, further comprising:
    - a mobile virtual private network tier encompassing service and access networks at each mobile VPN site as well as the tunnels connecting the sites;
      
      a workgroup network tier protecting the workgroup peer-to-peer and client-server traffic in the mobile VPN from attacks;
      
      a service network tier protecting workgroup servers at a single mobile VPN site against attacks as well as separating specific workgroup applications from each other using virtual local area networks.
  - 75. The security solution of claim 74, wherein the entry barrier to the mobile VPN Tier is a one-way network address translation (NAT) gateway for Internet traffic and an IPSec-based tunnel limited by at least protocol type and source IP addresses.
  - 76. The security solution of claim 74, wherein a mobile client is required to go through a user authentication and a per packet workgroup filtering in order to enter the workgroup network.
  - 77. The security solution of claim 76, wherein the workgroup filtering included functions like static packet filtering.
  - 78. The security solution of claim 76, wherein the workgroup filtering includes functions like dynamic packet filtering.
  - 79. The security solution of claim 76, wherein the workgroup filtering includes functions like application level proxy filtering.
  - 80. The security solution of claim 74, wherein a packet filter controls the entrance to the service network using site-local application restrictions and optional end-to-end secure socket layer (SSL) or similar cryptographic associations.
  - 81. The security solution of claim 69, wherein the closest mobile service router can push security policy information, extracted from an external source, to a mobile client.
  - 82. The security solution of claim 69, wherein the closest mobile service router extracts security policy information that is dynamically obtained during the registration of a mobile client, and thereafter enforce the security policy received.
  - 83. The mobile workgroup system of claim 40, wherein the closest mobile service router acts as DHCP server for the subsequent workgroup home network configuration of the node.
  - 84. The dynamic home network configuration system of claim 83, wherein the node is configured based on client id=network address identifier and user class =workgroup.
  - 85. The dynamic home network configuration system of claim 84, wherein the node can be configured with:
    - IP address(es) Subnet mask(s) Broadcast address(es) Host name Domain name Domain Name Server Time offset Servers (e.g. SMTP, POP, WWVV, DNS/NIS, LPR, syslog, WINS, NTP) Mobile Service Router(s) Router discovery options Service Location Protocol Directory Agent Static routes MTU Default TTL Source routing options IP Forwarding enable/disable PMTU options ARP cache timeout X Windows options NIS options NetBIOS options Vendor-specific options
  - 86. The dynamic home network configuration system of claim 85, wherein a set of mobile service routers allocated to a workgroup share DHCP schema tree, address pool and fail-over support.
  - 87. The mobile workgroup system of claim 40, wherein the reachability of the mobile client is ensured via the Dynamic DNS protocol.
  - 88. The mobile workgroup system of claim 40, further comprising a self-service management window for mobile users and workgroup administrators to control workgroup profiles and exchange information.
  - 89. The self-service management window of claim 88, wherein the mobile service router redirects a request for the browser default web page to said self-service management portal.
  - 90. The self-service management window of claim 89, wherein the workgroup administrator can define workgroup based on available service policies and mobile service routers.
  - 91. The self-service management window of claim 90, wherein the mobile user can request and the workgroup administrator can accept workgroup membership.
  - 92. The self-service management window of claim 91, wherein the workgroup administrator can import mobile user data of members from external user directory.
  - 93. The self-service management window of claim 92, wherein the workgroup administrator can provide further information in the form of links to downloadable scripts and SW packages applicable to the workgroup.
  - 94. The self-service management window of claim 93, wherein the mobile user can personalize his own profile.
  - 95. The mobile workgroup system of claim 40, wherein the mobile service manager imprints a physically secured security key for each mobile user and network administrator to use within the workgroup through the physical insertion into the mobile service manager management port.
  - 96. The security key system of claim 95, wherein the mobile service manager can reprint the physically secured security key.
  - 97. The security key system of claim 96, wherein the mobile service manager may imprint policies into the physically secured security key for delegating partial control for self-service management to mobile clients.
  - 98. The security key system of claim 97, wherein the physically secured security key includes shared secrets for authentication and encryption of control and payload traffic towards other nodes in the mobile workgroup system.
  - 99. The security key system of claim 97, wherein the physically secured security key includes certificates, private and public keys for authentication and encryption of control and payload traffic towards other nodes in or outside the mobile workgroup system.
  - 100. The security key system of claim 97, wherein the mobile user and network administrator also is given a PIN code for accessing the security key.
  - 101. The security key system of claim 100, wherein the mobile user plugs the security key into the management port of the node'"'"'s hardware and opens it up for use by entering the PIN code on the control panel.
  - 102. The security key solution of claim 101, wherein manual typing of security keys into mobile client control panel is available as fallback alternative.
  - 103. The security key system of claim 102, wherein a secure intra-domain link, inter-domain mobile IP tunnel or remote access tunnel can be established between the node and another node belonging to the same workgroup based solely on the information stored in the security keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Longhorn HD LLC (Alpha Alpha Intellectual Partners LLC)
Original Assignee
Interactive People Unplugged AB
Inventors
Forslöw, Jan

Granted Patent

US 6,954,790 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04W 80/04   Network layer protocols, e....

Network-based mobile workgroup system

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

103 Claims

Specification

Solutions

Use Cases

Quick Links

Network-based mobile workgroup system

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

103 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links