IP security and mobile networking

US 20020161905A1
Filed: 04/09/2002
Published: 10/31/2002
Est. Priority Date: 04/26/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method of sending and receiving packets in a secure connection between a first network node and a second network node, wherein said packets may be transferred through a plurality of independent data networks in the path between the first network node and second network node, and that the first network node and each of the data networks may operate under different security policies for specifying certain transformations that are applied to the packets, said method is wherein the first network node is able to dynamically change its security policy such that the suitable transformations are applied to the packets in order to maintain the secure connection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention discloses a method transferring packets between a mobile host device (100) and a source node via a number of independent data networks while maintaining a secure connection. The independent networks may include, for example, the Internet (120), localized Access Zones (110, 140), a Corporate Intranets, a Home Network (130) etc. Problems may occur, for example, when the mobile node is using a co-located care-of address, in which case both IP-in-IP and IPsec tunneling transformations are performed, and the current IPsec and IP-in-IP implementations cannot perform the required tunneling operations on the mobile host. This is because the IP-in-IP and IPsec tunneling when the IP-in-IP tunnel is not the outermost transformation. In an embodiment of the invention, the security policy operated by the mobile host includes a primary security policy and a dynamic secondary security policy that selectively apply specified transformations to certain packets in the data transfer.

141 Citations

18 Claims

1. A method of sending and receiving packets in a secure connection between a first network node and a second network node, wherein said packets may be transferred through a plurality of independent data networks in the path between the first network node and second network node, and that the first network node and each of the data networks may operate under different security policies for specifying certain transformations that are applied to the packets, said method is wherein the first network node is able to dynamically change its security policy such that the suitable transformations are applied to the packets in order to maintain the secure connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 18)
- - 2. A method according to claim 1, wherein the first network node is a mobile network node and the second network node is a source node, wherein the mobile network node includes a Security Policy Database (SPD) that comprises a plurality of security policies that can be dynamically applied to the packets in the connection.
  - 3. A method according to claim 1, wherein first network node'"'"'s security policy comprises a primary SPD and a secondary SPD, wherein the primary SPD includes entries for transformations of a primary security policy and the secondary SPD includes entries for transformations of a secondary security policy
  - 4. A method according to claim 1, wherein the entries in the primary SPD are augmented with an attribute that indicates that the secondary security policy must be applied, may be applied, or must not be applied to the packets.
  - 5. A method according to claim 1, wherein the primary SPD includes entries for “
    - inner”
      
      transformations (inner headers) and the secondary SPD includes entries for “
      
      outer”
      
      transformations, and for outbound packets, inner transformations are performed before outer transformations and for inbound traffic and vice versa.
  - 6. A method according to claim 1, wherein the secondary policy specifies additional transformations after all primary policy transformations have been applied for outbound traffic.
  - 7. A method wherein inbound traffic is processed in a reverse order to that specified in claim 6.
  - 8. A method according to claim 1, wherein the primary and secondary policies may be configured independently and simultaneously, wherein modification of the policies can be restricted to one or the other or both.
  - 9. A method according to claim 1, wherein the primary security policy remains unchanged and the secondary security policy is configured to be selectively applied to certain packets.
  - 10. A method according to claim 1, wherein the operations of the transformations include modifications to the packet such as adding and removing protocol headers or options, encapsulating and decapsulating packets within new packets, encrypting and decrypting the packet or part of the packet or compressing and decompressing the packet or part of the packet.
  - 11. A method according to claim 10 wherein the operations of the transformations include the transport mode transformations using the Authentication Header (AH) and the Encapsulating Security Payload (ESP), and the encapsulation and decapsulations of IP-in-IP tunnels, Authentication Header (AH) tunnels, and Encapsulating Security Payload (ESP) tunnels.
  - 12. A method according claim 2 wherein the mobile network node establishes a network connection using, for example, Mobile IP via connection with a locally defined Access Zone which supports roaming by handing over the connection to another Access Zone.
  - 13. A method according to claim 1, wherein the independent networks include the Internet, local Intranets, Home Networks, localized Access Zones, and telecommunication networks such as wireless and non-wireless networks.
  - 14. A method according to claim 1 wherein the security policies of the networks (or nodes) apply particular transformations to the packets as the packets are transmitted through the networks (or nodes), and wherein the suitable transformations applied to the packets are based on the particular transformations applied such that the particular transformations are effectively reversed in order to recover the packet payload data.
  - 16. A mobile device according to claim 15 wherein the primary security policy is a security policy that specifies processing for certain packets and the secondary security policy is a security policy that specifies processing for certain other packets.
  - 17. A mobile device according to claim 15 wherein the transformation entries in the primary security policy includes a attribute such as, but not limited to, a flag bit for indicating whether the secondary security policy should be applied, not applied, or may not be applied to the packets.
  - 18. A mobile device according to claim 15 wherein the mobile device connection to the Internet transfers packets over a transport layer such as TCP or UDP.

15. A mobile device capable of establishing a connection with a network and having a data transfer security policy governing the transfer of packets to and from the mobile device, wherein the data transfer security policy comprises:
- a first set of transformations associated with a primary security policy for application to the transferred packets; and
  
  a second set of transformations associated with a secondary security policy for suitable for selective application to certain packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Corporation
Original Assignee
Nokia Corporation
Inventors
Kuikka, Antti J., Haverinen, Henry, Honkanen, Jukka-Pekka

Application Number

US10/119,509
Publication Number

US 20020161905A1
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 9/40   Network security protocols

H04W 80/04   Network layer protocols, e....

IP security and mobile networking

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

141 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

IP security and mobile networking

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

141 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links