System and method for integrating mobile networking with security-based VPNs

US 20040120295A1
Filed: 12/19/2002
Published: 06/24/2004
Est. Priority Date: 12/19/2002
Status: Active Grant

First Claim

Patent Images

1. A method for providing a secure network path between network nodes, the method comprising:

receiving a first registration request from a mobile node, said registration request including a permanent network address for the mobile node;

sending a second registration request to a home agent specifying the permanent network address and a proxy care-of address;

processing network data received from the mobile node as a surrogate home agent; and

processing network data received from the home agent as a surrogate mobile node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods provide a secure network path through an inner and outer firewall pair between a mobile node on a foreign network and a corresponding node on a home network. One aspect of the systems and methods includes providing a mobile IP proxy between the mobile node and a VPN gateway inside the firewalls. The mobile IP proxy acts as a surrogate home agent to the mobile node, and acts as a surrogate mobile node to a home agent residing on the home network.

63 Citations

View as Search Results

30 Claims

1. A method for providing a secure network path between network nodes, the method comprising:
- receiving a first registration request from a mobile node, said registration request including a permanent network address for the mobile node;
  
  sending a second registration request to a home agent specifying the permanent network address and a proxy care-of address;
  
  processing network data received from the mobile node as a surrogate home agent; and
  
  processing network data received from the home agent as a surrogate mobile node.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising sending a home agent reply code received from the home agent to the mobile node.
  - 3. The method of claim 1, wherein processing network data received from the home agent includes sending the network data to a Virtual Private Network (VPN) gateway for encapsulating in a security layer.
  - 4. The method of claim 3, wherein encapsulating in a security layer comprises encapsulating in an IP Security (IPSec) layer and using the permanent network address for the mobile node as a source or destination address.
  - 5. The method of claim 3, further comprising:
    - receiving network data destined for the mobile node from the VPN gateway; and
      
      sending the network data to the mobile node.

6. A method for securely communicating between nodes in a network, the method comprising:
- creating a network data tunnel between a mobile node and a mobile IP proxy;
  
  creating a first security association between the mobile node and a VPN gateway using a permanent network address associated with the mobile node;
  
  creating a second security association between a home agent and the VPN gateway; and
  
  utilizing, by a home agent, a mobile IP proxy IP address as the care-of address for the VPN gateway.
- View Dependent Claims (7, 8)
- - 7. The method of claim 6, further comprising:
    - receiving by the home agent a packet of data from a corresponding node;
      
      routing the packet of data to the MIP proxy;
      
      routing the packet of data by the MIP proxy to the VPN gateway;
      
      encapsulating the packet of data in a security layer by the VPN gateway;
      
      receiving the encapsulated data by the MIP proxy from the VPN gateway; and
      
      routing the encapsulated data from the MIP proxy to the mobile node.
  - 8. The method of claim 6, wherein the security association is an IPSec security association.

9. A method for a home agent to securely route data between nodes in a network, the method comprising:
- receiving a registration request from a MIP proxy specifying a permanent network address associated with a mobile node and a care-of address associated with the MIP proxy;
  
  establishing a security association between the home agent and a VPN gateway; and
  
  establishing a binding specifying the care-of address associated with the MIP proxy as a care-of address for the VPN gateway.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9, wherein the security association is an IPSec security association.
  - 11. The method of claim 9, further comprising tunneling the data in a mobile IP layer.

12. A computerized system comprising:
- a first home agent; and
  
  a MIP proxy operable to perform the tasks of;
  
  emulating a second home agent to a mobile node, emulating the mobile node to the first home agent.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The computerized system of claim 12, further comprising a Virtual Private Network gateway.
  - 14. The computerized system of claim 13, wherein at least a portion of the MIP proxy and the VPN gateway are integrated in a single unit.
  - 15. The computerized system of claim 14, wherein the MIP proxy comprises a home agent module and a mobile node module.
  - 16. The computerized system of claim 15, further comprising a router on a network, and wherein the VPN gateway includes a mobile node module and wherein the router includes a home agent module.
  - 17. The computerized system of claim 12, further comprising a router on a network, and wherein the MIP proxy comprises a home agent module, a mobile node module, and a foreign agent module, and further wherein the router includes the home agent module and the MIP proxy includes the mobile node module and the foreign agent module.
  - 18. The computerized system of claim 12, wherein the MIP proxy is operable to communicate over a plurality of subnets.
  - 19. The computerized system of claim 12, wherein the MIP proxy is located in a DMZ formed by at least two firewall systems.

20. A machine-readable medium having machine executable instructions to perform a method for providing a secure network path between nodes in a network, the method comprising:
- receiving a first registration request from a mobile node, said registration request including a permanent network address for the mobile node;
  
  sending a second registration request to a home agent specifying the permanent network address and a proxy care-of address;
  
  processing network data received from the mobile node as a surrogate home agent; and
  
  processing network data received from the home agent as a surrogate mobile node.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The machine-readable medium of claim 20, further comprising sending a home agent reply code received from the home agent to the mobile node.
  - 22. The machine-readable medium of claim 20, wherein processing network data received from the home agent includes sending the network data to a Virtual Private Network (VPN) gateway for encapsulating in a security layer.
  - 23. The machine-readable medium of claim 22, wherein encapsulating in a security layer comprises encapsulating in an IP Security (IPSec) layer and using the permanent network address for the mobile node as a source or destination address.
  - 24. The machine-readable medium of claim 22, further comprising:
    - receiving network data destined for the mobile node from the VPN gateway; and
      
      sending the network data to the mobile node.

25. A machine-readable medium have machine executable instructions for performing a method for securely communicating between nodes in a network, the method comprising:
- creating a network data tunnel between a mobile node and a mobile IP proxy;
  
  creating a first security association between the mobile node and a VPN gateway using a permanent network address associated with the mobile node;
  
  creating a second security association between a home agent and the VPN gateway; and
  
  utilizing by a home agent a mobile IP proxy IP address as the care-of address for the VPN gateway.
- View Dependent Claims (26, 27)
- - 26. The machine-readable medium of claim 25, further comprising:
    - receiving by the home agent a packet of data from a corresponding node;
      
      routing the packet of data to the MIP proxy;
      
      routing the packet of data by the MIP proxy to the VPN gateway;
      
      encapsulating the packet of data in a security layer by the VPN gateway;
      
      receiving the encapsulated data by the MIP proxy from the VPN gateway; and
      
      routing the encapsulated data from the MIP proxy to the mobile node.
  - 27. The machine-readable medium of claim 25, wherein the security association is an IPSec security association.

28. A machine-readable medium having machine executable instructions for performing a method for a home agent to securely route data from a corresponding node to a mobile node, the method comprising:
- receiving a registration request from a MIP proxy specifying a permanent network address associated with the mobile node and a care-of address associated with the MIP proxy;
  
  establishing a security association between the home agent and a VPN gateway; and
  
  establishing a binding specifying the care-of address associated with the MIP proxy as a care-of address for the VPN gateway.
- View Dependent Claims (29, 30)
- - 29. The machine-readable medium of claim 28, wherein the security association is an IPSec security association.
  - 30. The machine-readable medium of claim 28, further comprising tunneling the data in a mobile IP layer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Liu, Changwen, Andrews, Michael B., Iyer, Prakash

Granted Patent

US 7,616,597 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/338
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/164   at the network layer

H04W 12/033   of the user plane, e.g. use...

H04W 60/00   Affiliation to network, e.g...

H04W 80/04   Network layer protocols, e....

H04W 88/182   Network node acting on beha...

System and method for integrating mobile networking with security-based VPNs

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

System and method for integrating mobile networking with security-based VPNs

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others