Maintaining secrecy of assigned unique local addresses for IPv6 nodes within a prescribed site during access of a wide area network
Abstract
A network includes network nodes and a gateway. Each network node has a corresponding unique in-site IPv6 address for communication within a prescribed site, each in-site IPv6 address having a first IPv6 address prefix that is not advertised outside of the prescribed site. Network nodes can obtain from within the prescribed site a unique extra-site IPv6 address for mobile or extra-site communications. The extra-site IPv6 address has a second IPv6 address prefix, distinct from the first IPv6 address prefix, advertised by the gateway to the prescribed site and the wide area network. The gateway establishes a secure connection (e.g., tunnel) with each corresponding IPv6 node using its corresponding extra-site IPv6 address, and creates a corresponding binding cache entry specifying the corresponding extra-site IPv6 address and in-site IPv6 address. Hence, the gateway provides wide area network access while maintaining secrecy of the in-site IPv6 addresses.
68 Claims
1. A method in an IPv6 node, the method including:
acquiring a unique in-site IPv6 address for communication with at least a second gateway node within a prescribed site, the unique in-site IPv6 address being reachable only by nodes within the prescribed site, the unique in-site IPv6 address having a first address prefix that is not advertised outside of the prescribed site;
obtaining from within the prescribed site a unique extra-site address having a second address prefix, distinct from the first address prefix, that is advertised inside and outside the prescribed site; and
sending a first packet to a correspondent node outside of the prescribed site based on:
(1) first generating the first packet, the first packet having a first header with a destination address field specifying an address of the correspondent node and a source address field specifying the extra-site address, (2) second generating a second packet including the first packet and a second header for reception and removal by the second gateway node, the second header having a destination address field specifying an IPv6 address of the second IPv6 gateway node and a source address field specifying the in-site IPv6 address, and (3) outputting the second packet, having the first and second headers, to the second IPv6 gateway node via a secure connection established between the IP-based node and the second IPv6 gateway node, for transfer of the first packet by the second IPv6 gateway node outside of the prescribed site for delivery to the correspondent node.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 37.
13. A method in an IPv6 gateway configured for providing connectivity between a prescribed site and a wide area network, the method comprising:
advertising only within the prescribed site that a first IPv6 address prefix is reachable via the gateway, the first address prefix not advertised outside of the prescribed site;
advertising to the prescribed site and the wide area network that a second IPv6 address prefix is reachable via the gateway;
establishing a secure connection with a first IPv6 node within the prescribed site, based on the first IPv6 node having a unique in-site IPv6 address that includes the first IPv6 address prefix;
receiving from the first IPv6 node, via the secure connection, a first packet having a source address field specifying the in-site IPv6 address, a destination address field specifying an IPv6 address of the gateway, and a second packet;
forwarding the second packet to a destination node in response to the destination address field of the first packet specifying the IPv6 address of the gateway, including:
(1) recovering the second packet from the first packet, the second packet having a source address field specifying a unique extra-site IPv6 address having the second IPv6 address prefix and a destination address field specifying an IPv6 address of the destination node, and (2) outputting the second packet, without the in-site IPv6 address of the IPv6 node; and
creating a binding cache entry specifying that the extra-site IPv6 address of the first IPv6 node is reachable via the in-site IPv6 address of the IPv6 node.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
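As an added illustration (not part of the patent or of any product), the following Python model walks through the node side of claim 1 and the gateway side of claim 13: the node tunnels an inner packet sourced from its extra-site address inside an outer header sourced from its in-site address, and the gateway decapsulates, records the binding, and forwards only the inner packet. The prefixes and addresses are constructed placeholders (a ULA prefix fd12:3456:789a::/48 for in-site addresses, the documentation prefix 2001:db8:100::/48 for extra-site addresses).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample prefixes (assumptions, not from the patent): a ULA prefix
# for in-site addresses and a documentation prefix for extra-site addresses.
IN_SITE_PREFIX = ipaddress.IPv6Network("fd12:3456:789a::/48")   # never advertised outside
EXTRA_SITE_PREFIX = ipaddress.IPv6Network("2001:db8:100::/48")  # advertised inside and outside

@dataclass
class Packet:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    payload: object  # bytes, or an inner Packet when this is a tunnel header

def node_send(in_site, extra_site, gateway, correspondent, data):
    """Claim 1: the inner (first) packet carries the extra-site address; the outer
    (second) header carries the in-site address and is addressed to the gateway."""
    inner = Packet(extra_site, correspondent, data)
    return Packet(in_site, gateway, inner)

class Gateway:
    def __init__(self, address):
        self.address = address
        self.binding_cache = {}  # extra-site address -> in-site address

    def receive(self, outer):
        """Claim 13: check the outer header, decapsulate, bind, forward inner only."""
        if outer.dst != self.address or outer.src not in IN_SITE_PREFIX:
            raise ValueError("outer header is not from an in-site node to this gateway")
        inner = outer.payload
        if not isinstance(inner, Packet) or inner.src not in EXTRA_SITE_PREFIX:
            raise ValueError("inner source must carry the advertised extra-site prefix")
        self.binding_cache[inner.src] = outer.src
        return inner  # goes toward the WAN without the in-site address

def leaks_in_site_address(pkt):
    """Egress check: does a WAN-bound packet carry any address under the in-site prefix?"""
    return pkt.src in IN_SITE_PREFIX or pkt.dst in IN_SITE_PREFIX

def demo():
    A = ipaddress.IPv6Address
    gw = Gateway(A("fd12:3456:789a::1"))
    in_site, extra_site = A("fd12:3456:789a:1::42"), A("2001:db8:100:1::42")
    correspondent = A("2001:db8:ffff::9")  # constructed correspondent outside the site
    outer = node_send(in_site, extra_site, gw.address, correspondent, b"hello")
    outbound = gw.receive(outer)
    return outbound, gw.binding_cache, leaks_in_site_address(outbound)
```

The `leaks_in_site_address` check is the property the gateway is meant to guarantee; running it on the forwarded packet confirms that only the extra-site address leaves the site.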
21. A network configured for communications with a wide area network, the network comprising:
network nodes, each having a corresponding unique in-site IPv6 address for communication within a prescribed site, each of the in-site IPv6 addresses having a first IPv6 address prefix that is not advertised outside of the prescribed site, at least one of the network nodes configured for obtaining from within the prescribed site a unique extra-site IPv6 address having a second IPv6 address prefix that is distinct from the first IPv6 address prefix; and
a gateway configured for:
(1) advertising to the prescribed site and the wide area network that the second IPv6 address prefix is reachable via the gateway, (2) advertising only within the prescribed site that the first IPv6 address prefix is reachable via the gateway, the first address prefix not advertised outside of the prescribed site, (3) establishing a secure connection with each corresponding IPv6 node that uses a corresponding extra-site IPv6 address having the second IPv6 address prefix, the gateway configured for creating, for said each IPv6 node that uses a corresponding extra-site IPv6 address, a corresponding binding cache entry specifying the corresponding extra-site IPv6 address and in-site IPv6 address, (4) decapsulating a first packet, received from one of the secure connections, having a source address field specifying the corresponding in-site IPv6 address and a second packet, the second packet having a source address field specifying the corresponding extra-site IPv6 address, and (5) outputting the second packet for a specified destination node, without the corresponding in-site IPv6 address specified in the source address field of the first packet.
Dependent claims: 22, 23, 24, 25, 26, 27, 28.
29. A computer readable medium having stored thereon sequences of instructions for outputting an IPv6 packet by an IP-based node to a correspondent node, the sequences of instructions including instructions for:
acquiring a unique in-site IPv6 address for communication with at least a second IPv6 gateway node within a prescribed site, the unique in-site IPv6 address being reachable only by nodes within the prescribed site, the unique in-site IPv6 address having a first address prefix that is not advertised outside of the prescribed site;
obtaining from within the prescribed site a unique extra-site IPv6 address having a second address prefix, distinct from the first address prefix, that is advertised inside and outside the prescribed site; and
sending a first packet to a correspondent node outside of the prescribed site based on:
(1) first generating the first packet, the first packet having a first header with a destination address field specifying an IPv6 address of the correspondent node and a source address field specifying the extra-site IPv6 address, (2) second generating a second packet including the first packet and a second header for reception and removal by the second IPv6 gateway node, the second header having a destination address field specifying an IPv6 address of the second IPv6 gateway node and a source address field specifying the in-site IPv6 address, and (3) outputting the second packet, having the first and second headers, to the second IPv6 gateway node via a secure connection established between the IPv6 node and the second IPv6 gateway node, for transfer of the first packet by the second IPv6 gateway node outside of the prescribed site for delivery to the correspondent node.
Dependent claims: 30, 31, 32, 33, 34, 35, 36, 38, 39, 40.
41. A computer readable medium having stored thereon sequences of instructions for a gateway to provide connectivity between a prescribed site and a wide area network, the sequences of instructions including instructions for:
advertising only within the prescribed site that a first IPv6 address prefix is reachable via the gateway, the first address prefix not advertised outside of the prescribed site;
advertising to the prescribed site and the wide area network that a second IPv6 address prefix is reachable via the gateway;
establishing a secure connection with a first IPv6 node within the prescribed site, based on the first IPv6 node having a unique in-site IPv6 address that includes the first IPv6 address prefix;
receiving from the first IPv6 node, via the secure connection, a first packet having a source address field specifying the in-site IPv6 address, a destination address field specifying an IPv6 address of the gateway, and a second packet;
forwarding the second packet to a destination node in response to the destination address field of the first packet specifying the IPv6 address of the gateway, including:
(1) recovering the second packet from the first packet, the second packet having a source address field specifying a unique extra-site IPv6 address having the second IPv6 address prefix and a destination address field specifying an IPv6 address of the destination node, and (2) outputting the second packet, without the in-site IPv6 address of the IPv6 node; and
creating a binding cache entry specifying that the extra-site IPv6 address of the first IPv6 node is reachable via the in-site IPv6 address of the IPv6 node.
Dependent claims: 42, 43, 44, 45, 46, 47, 48.
49. An IP-based node comprising:
means for acquiring a unique in-site IPv6 address for communication with at least a second IPv6 gateway node within a prescribed site, the unique in-site IPv6 address being reachable only by nodes within the prescribed site, the unique in-site IPv6 address having a first address prefix that is not advertised outside of the prescribed site;
means for obtaining from within the prescribed site a unique extra-site IPv6 address having a second address prefix, distinct from the first address prefix, that is advertised inside and outside the prescribed site; and
means for sending a first packet to a correspondent node outside of the prescribed site based on:
(1) first generating the first packet, the first packet having a first header with a destination address field specifying an IPv6 address of the correspondent node and a source address field specifying the extra-site IPv6 address, (2) second generating a second packet including the first packet and a second header for reception and removal by the second IPv6 gateway node, the second header having a destination address field specifying an IPv6 address of the second IPv6 gateway node and a source address field specifying the in-site IPv6 address, and (3) outputting the second packet, having the first and second headers, to the second IPv6 gateway node via a secure connection established between the IPv6 node and the second IPv6 gateway node, for transfer of the first packet by the second IPv6 gateway node outside of the prescribed site for delivery to the correspondent node.
Dependent claims: 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60.
61. A gateway configured for providing connectivity between a prescribed site and a wide area network, the gateway comprising:
means for advertising only within the prescribed site that a first IPv6 address prefix is reachable via the gateway, the first address prefix not advertised outside of the prescribed site, the means for advertising configured for advertising to the prescribed site and the wide area network that a second IPv6 address prefix is reachable via the gateway;
means for establishing a secure connection with a first IPv6 node within the prescribed site, based on the first IPv6 node having a unique in-site IPv6 address that includes the first IPv6 address prefix, the means for establishing configured for receiving from the first IPv6 node, via the secure connection, a first packet having a source address field specifying the in-site IPv6 address, a destination address field specifying an IPv6 address of the gateway, and a second packet;
means for forwarding the second packet to a destination node in response to the destination address field of the first packet specifying the IPv6 address of the gateway, based on:
(1) recovering the second packet from the first packet, the second packet having a source address field specifying a unique extra-site IPv6 address having the second IPv6 address prefix and a destination address field specifying an IPv6 address of the destination node, and (2) outputting the second packet, without the in-site IPv6 address of the IPv6 node; and
means for creating a binding cache entry specifying that the extra-site IPv6 address of the first IPv6 node is reachable via the in-site IPv6 address of the IPv6 node.
Dependent claims: 62, 63, 64, 65, 66, 67, 68.