Method and system for securing mobile IPV6 home address option using ingress filtering

US 20030142673A1
Filed: 06/28/2002
Published: 07/31/2003
Est. Priority Date: 01/28/2002
Status: Active Grant

First Claim

Patent Images

1. A method for securely communicating packets that include the home address destination option in a mobile IPv6 protocol network, comprising:

(a) providing a care of address to a mobile node that employs an access router to communicate with at least one resource over a visited network;

(b) enabling a binding update message from the mobile node to be forwarded by the access router to another node for authentication, wherein the other node sends a binding acknowledgement message to the mobile node if a home IP address included in the binding update message is authentic; and

(c) if the binding acknowledgement message from the other node is determined by the access router to verify the home IP address for the mobile node, enabling the mobile node to communicate another type of data through the access router with at least one resource over the visited network, wherein until the home IP address is verified by the access router, the mobile node is unable to communicate the other type of data through the access router.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides for disabling communication at the access router on a visited network that supports mobile IP v6 and the home address destination option. Until a home agent or a correspondent node authenticates the home IP address of the mobile node and the access router verifies this address, the mobile node is unable to communicate with other resources over the visited network. If the home IP address included in a binding acknowledgement message is verified by the access router and affirmatively compared to the state of a corresponding binding update message from the mobile node, the access router enables subsequent messages to be communicated over the visited network between the mobile node and other resources.

136 Citations

20 Claims

1. A method for securely communicating packets that include the home address destination option in a mobile IPv6 protocol network, comprising:
- (a) providing a care of address to a mobile node that employs an access router to communicate with at least one resource over a visited network;
  
  (b) enabling a binding update message from the mobile node to be forwarded by the access router to another node for authentication, wherein the other node sends a binding acknowledgement message to the mobile node if a home IP address included in the binding update message is authentic; and
  
  (c) if the binding acknowledgement message from the other node is determined by the access router to verify the home IP address for the mobile node, enabling the mobile node to communicate another type of data through the access router with at least one resource over the visited network, wherein until the home IP address is verified by the access router, the mobile node is unable to communicate the other type of data through the access router.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising including at least one authentication object in the binding acknowledgement message to enable the access router to verify the home IP address of the mobile node.
  - 3. The method of claim 2, wherein the authentication object includes at least one of an x.509 certificate, public key, private key or security token.
  - 4. The method of claim 1, further comprising comparing the binding acknowledgement message to a state of the binding update message that was previously forwarded to the home agent by the access router, wherein if the comparison is affirmative and the home IP address is verified, enabling the mobile node to communicate other data through the access router with at least one resource over the visited network.
  - 5. The method of claim 1, further comprising employing an ingress filter with the access router to determine whether to forward other data communicated by the mobile node towards at least one resource over the visited network.
  - 6. The method of claim 1, further comprising employing an access list with the access router to determine whether to forward other data communicated by the mobile node towards at least one resource over the visited network.
  - 7. The method of claim 1, wherein the other node is at least one of a home agent or a correspondent node.
  - 8. The method of claim 1, wherein each packet for the binding update message, binding acknowledgement message and other type of data include the home address destination option.
  - 9. The method of claim 1, wherein the other type of data includes at least one of Short Message Service (SMS), signaling, text, code and voice.

10. A system for securely communicating packets that include the home address destination option in a mobile IPv6 protocol network, comprising:
- (a) a destination for packets sent over a network; and
  
  (b) a mobile node that performs actions, including;
  
  (i) receiving a care of address that employs an access router to communicate with at least one resource over a visited network;
  
  (ii) enabling a binding update message from the mobile node to be forwarded by the access router to another node for authentication, wherein the other node sends a binding acknowledgement message to the mobile node if a home IP address included in the binding update message is authentic; and
  
  (iii) if the binding acknowledgement message from the other node is determined by the access router to verify the home IP address for the mobile node, enabling the mobile node to communicate another type of data through the access router with at least one resource over the visited network, wherein until the home IP address is verified by the access router, the mobile node is unable to communicate the other type of data through the access router.
- View Dependent Claims (11, 12, 13)
- - 11. The system of claim 10, wherein each packet for the binding update message, binding acknowledgement message and other type of data include the home address destination option.
  - 12. The system of claim 10, wherein the other type of data includes at least one of Short Message Service (SMS), signaling, text, code and voice.
  - 13. The system of claim 10, further comprising comparing the binding acknowledgement message to a state of the binding update message that was previously forwarded to the home agent by the access router, wherein if the comparison is affirmative, enabling the mobile node to communicate through the access router with at least one resource over the visited network.

14. An apparatus for securely communicating packets using the home address destination option in a mobile IPv6 protocol network, comprising:
- (a) a network interface that sends and receives packetized messages; and
  
  (b) a transcoder that performs actions, including;
  
  (i) enabling a care of address to be provided to a mobile node that employs an access router to communicate with at least one resource over a visited network;
  
  (ii) enabling a binding update message from the mobile node to be forwarded by the access router to another node for authentication, wherein the other node sends a binding acknowledgement message to the mobile node if a home IP address included in the binding update message is authentic; and
  
  (iii) if the binding acknowledgement message from the other node is determined by the access router to verify the home IP address for the mobile node, enabling the mobile node to communicate another type of data through the access router with at least one resource over the visited network, wherein until the home IP address is verified by the access router, the mobile node is unable to communicate the other type of data through the access router.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The apparatus of claim 14, wherein the access router is operative as at least one of a default router, first hop router, and wireless base station.
  - 16. The apparatus of claim 14, wherein the mobile node includes at least one of a wireless telephone, pager, radio frequency (RF) devices, Personal Digital Assistant, handheld computer, personal computer, multiprocessor system, network PC, and wearable computer.
  - 17. The apparatus of claim 14, further comprising including at least one authentication object in the binding acknowledgement message to enable the access router to verify the home IP address of the mobile node.
  - 18. The apparatus of claim 14, further comprising comparing the binding acknowledgement message to a state of the binding update message that was previously forwarded to the home agent by the access router, wherein if the comparison is affirmative, enabling the mobile node to communicate through the access router with at least one resource over the visited network.

19. A computer-readable medium that includes instructions for performing actions, including:
- (a) providing a care of address to a mobile node that employs an access router to communicate with at least one resource over a visited network;
  
  (b) enabling a binding update message from the mobile node to be forwarded by the access router to another node for authentication, wherein the other node sends a binding acknowledgement message to the mobile node if a home IP address included in the binding update message is authentic; and
  
  (c) if the binding acknowledgement message from the other node is determined by the access router to verify the home IP address for the mobile node, enabling the mobile node to communicate through the access router with at least one resource over the visited network, wherein until the home IP address is verified by the access router, the mobile node is unable to communicate with any resource through the access router.

20. A method for securely communicating packets using the home address destination option in a mobile IPv6 protocol network, comprising:
- (a) means for providing a care of address to a mobile node that employs an access router to communicate with at least one resource over a visited network;
  
  (b) means for enabling a binding update message from the mobile node to be forwarded by the access router to another node for authentication, wherein the other node sends a binding acknowledgement message to the mobile node if a home IP address included in the binding update message is authentic; and
  
  (c) if the binding acknowledgement message from the other node is determined by the access router to verify the home IP address for the mobile node, means for enabling the mobile node to communicate through the access router with at least one resource over the visited network, wherein until the home IP address is verified by the access router, the mobile node is unable to communicate with any resource through the access router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Solutions and Networks US LLC (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Patil, Basavaraj, Perkins, Charles E.

Granted Patent

US 6,973,086 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/08   for authentication of entit...

H04L 63/12   Applying verification of th...

H04L 63/164   at the network layer

H04W 80/04   Network layer protocols, e....

Method and system for securing mobile IPV6 home address option using ingress filtering

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

136 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for securing mobile IPV6 home address option using ingress filtering

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

136 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links