Methods and apparatus for securing proxy Mobile IP

US 20040213260A1
Filed: 04/28/2003
Published: 10/28/2004
Est. Priority Date: 04/28/2003
Status: Active Grant

First Claim

Patent Images

1. In an Access Point, a method of authenticating a node prior to performing proxy registration on behalf of the node, comprising:

receiving a packet from the node, the packet including a source MAC address and a source IP address;

ascertaining whether the source MAC address is in a client association table identifying one or more source MAC addresses; and

composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An invention is disclosed that enables proxy Mobile IP registration to be performed in a secure manner. Various security mechanisms may be used independently, or in combination with one another, to authenticate the identity of a node during the registration process. First, an Access Point receiving a packet from a node verifies that the source MAC address identified in the packet is in the Access Point'"'"'s client association table. In addition, as a second mechanism, the Access Point ensures that a one-to-one mapping exists for the source MAC address and source IP address identified in the packet in a mapping table maintained by the Access Point. As a third mechanism, a binding is not modified in the mobility binding table maintained by the Home Agent unless there is a one-to-one mapping in the mobility binding table between the source MAC address and the source IP address. Similarly, the Foreign Agent may also maintain a mapping between the source IP address and the source MAC address in its visitor table to ensure a one-to-one mapping between a source IP address and the associated MAC address. The MAC address is preferably transmitted in a MAC address extension to the registration request and registration reply packets. In this manner, the Access Point, Home Agent, and Foreign Agent may ascertain the node'"'"'s MAC address and ensure a one-to-one mapping between the IP address and the MAC address during the registration process.

Citations

24 Claims

1. In an Access Point, a method of authenticating a node prior to performing proxy registration on behalf of the node, comprising:
- receiving a packet from the node, the packet including a source MAC address and a source IP address;
  
  ascertaining whether the source MAC address is in a client association table identifying one or more source MAC addresses; and
  
  composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as recited in claim 1, wherein composing a registration request is performed when it is ascertained that the source MAC address is in the client association table.
  - 3. The method as recited in claim 1, further comprising:
    - ascertaining whether a mapping between the source MAC address and the source IP address exists in a mapping table.
  - 4. The method as recited in claim 3, wherein composing a registration request is performed when it is ascertained that the mapping between the source MAC address and the source IP address exists in the mapping table.
  - 5. The method as recited in claim 3, wherein composing a registration request is performed when it is ascertained that the mapping between the source MAC address and the source IP address exists in the mapping table and when it is ascertained that the source MAC address is in the client association table.
  - 6. The method as recited in claim 3, further comprising:
    - ascertaining whether the mapping table includes an entry for the source IP address; and
      
      updating the mapping table with a mapping between the source MAC address and the source IP address when it is ascertained that the mapping table does not include an entry for the source IP address.
  - 7. The method as recited in claim 1, wherein composing a registration request comprises appending a MAC address extension to the registration request, the MAC address extension including the source MAC address.
  - 8. The method as recited in claim 2, wherein composing a registration request comprises appending a MAC address extension to the registration request, the MAC address extension including the source MAC address.
  - 9. The method as recited in claim 4, wherein composing a registration request comprises appending a MAC address extension to the registration request, the MAC address extension including the source MAC address.
  - 10. The method as recited in claim 5, wherein composing a registration request comprises appending a MAC address extension to the registration request, the MAC address extension including the source MAC address.

11. In a Home Agent, a method of processing a registration request, comprising:
- receiving a registration request having a home address field including a source IP address, a care-of address field including a care-of address, and having a MAC address extension including a source MAC address;
  
  composing a registration reply including a home address field including the source IP address, a care-of address field including the care-of address, and having a MAC address extension including the source MAC address; and
  
  sending the registration reply to the care-of address.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method as recited in claim 11, further comprising:
    - updating a mobility binding table with a mapping between the source MAC address and the source IP address such that the mapping is associated with the care-of address.
  - 13. The method as recited in claim 11, further comprising:
    - determining whether a mapping between the source MAC address and the source IP address exists in a mobility binding table.
  - 14. The method as recited in claim 11, further comprising:
    - determining whether the source IP address matches a binding in a mobility binding table;
      
      when the source IP address matches a binding in the mobility binding table, determining whether the binding maps the source MAC address to the source IP address; and
      
      when it is determined that the binding maps the source MAC address to the source IP address, composing and sending the registration reply to the care-of address.
  - 15. The method as recited in claim 14, further comprising:
    - when the source IP address does not match a binding in the mobility binding table, updating the mobility binding table with a mapping between the source MAC address and the source IP address such that the mapping is associated with the care-of address.

16. In a Foreign Agent, a method of processing a registration request, comprising:
- receiving a registration request having a home address field including a source IP address, a Home Agent field including a Home Agent address, and a MAC address extension including a source MAC address;
  
  forwarding the registration request to the Home Agent address;
  
  receiving a registration reply having a home address field including the source IP address, a Home Agent field including the Home Agent address, and a MAC address extension including the source MAC address; and
  
  forwarding the registration reply to the source IP address.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method as recited in claim 16, further comprising:
    - updating a visitor table such that the visitor table includes an entry that associates the source IP address and the source MAC address with the Home Agent address.
  - 18. The method as recited in claim 17, wherein updating a visitor table is performed when the registration reply is received.
  - 19. The method as recited in claim 16, further comprising:
    - determining whether an entry including the source IP address and the source MAC address is in a visitor table maintained by the Foreign Agent.
  - 20. The method as recited in claim 19, further comprising:
    - determining whether an entry including the source IP address is in the visitor table;
      
      when an entry including the source IP address is in the visitor table, determining whether the entry includes the source MAC address;
      
      when the entry is determined to include the source MAC address, forwarding the registration request to the Home Agent address; and
      
      when the entry is determined not to include the source MAC address, dropping the registration request.

21. In an Access Point, a method of authenticating a node prior to performing proxy registration on behalf of the node, comprising:
- receiving a packet from the node, the packet including a source MAC address and a source IP address;
  
  ascertaining whether a mapping between the source MAC address and the source IP address exists in a mapping table; and
  
  composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node.

22. A computer-readable medium storing thereon computer-readable instructions for performing a method n an Access Point of authenticating a node prior to performing proxy registration on behalf of the node, comprising:
- instructions for receiving a packet from the node, the packet including a source MAC address and a source IP address;
  
  instructions for ascertaining whether a mapping between the source MAC address and the source IP address exists in a mapping table; and
  
  instructions for composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node.

23. An Access Point adapted for performing a method of authenticating a node prior to performing proxy registration on behalf of the node, comprising:
- means for receiving a packet from the node, the packet including a source MAC address and a source IP address;
  
  means for ascertaining whether a mapping between the source MAC address and the source IP address exists in a mapping table; and
  
  means for composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node.

24. An Access Point adapted for performing a method of authenticating a node prior to performing proxy registration on behalf of the node, comprising:
- a processor; and
  
  a memory, at least one of the processor and the memory being adapted for;
  
  receiving a packet from the node, the packet including a source MAC address and a source IP address;
  
  ascertaining whether a mapping between the source MAC address and the source IP address exists in a mapping table; and
  
  composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Leung, Kent K., Dommety, Gopal

Granted Patent

US 7,505,432 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/395.3
CPC Class Codes

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 61/5084   Providing for device mobili...

H04L 63/0281   Proxies

H04L 63/1466   Active attacks involving in...

H04L 69/329   in the application layer [O...

H04W 12/062   Pre-authentication

H04W 12/122   Counter-measures against at...

H04W 12/126   Anti-theft arrangements, e....

H04W 60/00   Affiliation to network, e.g...

H04W 8/26   Network addressing or numbe...

H04W 80/04   Network layer protocols, e....

H04W 88/08   Access point devices

H04W 88/182   Network node acting on beha...

Methods and apparatus for securing proxy Mobile IP

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for securing proxy Mobile IP

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links