Method and apparatus for providing low-latency secure session continuity between mobile nodes

US 20060268901A1
Filed: 01/06/2006
Published: 11/30/2006
Est. Priority Date: 01/07/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

establishing a first internal communication tunnel between a first mobile node and a first internal home agent via a security gateway;

establishing a second internal communication tunnel between a second mobile node and a second internal home agent via the security gateway;

bridging, at the security gateway, the communication between the first mobile node and the second mobile node such that the first internal communication tunnel and the second internal communication tunnel are not needed to convey the communication between the first mobile node and the second mobile node.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with at least one embodiment of the present invention, IP application traffic can be provided confidentiality to and from one or more mobile nodes (MNs) belonging to the same domain even when such MNs are remotely located. It is possible to provide, preferably at all times, a similar level of confidentiality and integrity in communications between MNs as is typically provided within a corporate environment (e.g., within a secured intranet). Secure and efficient communication is provided when one or more MNs is communicating via a connection that cannot be presumed to be inherently secure, for example, a connection to a public network such as the internet or a network outside of a secured intranet.

Citations

20 Claims

1. A method comprising:
- establishing a first internal communication tunnel between a first mobile node and a first internal home agent via a security gateway;
  
  establishing a second internal communication tunnel between a second mobile node and a second internal home agent via the security gateway;
  
  bridging, at the security gateway, the communication between the first mobile node and the second mobile node such that the first internal communication tunnel and the second internal communication tunnel are not needed to convey the communication between the first mobile node and the second mobile node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 further comprising:
    - checking a binding table entry of a binding table to determine whether a destination of data from the first mobile node is a second mobile node outside of an intranet having a boundary established by the security gateway.
  - 3. The method of claim 2 wherein checking the binding table entries further comprises:
    - checking, in the binding table, to determine content of an external care-of address field for the second mobile node.
  - 4. The method of claim 3 wherein checking, in the binding table, to determine the content of the external care-of address field for the second mobile node further comprises:
    - when the external care-of address field for the second mobile node is non-empty, determining that the second mobile node is outside the intranet.
  - 5. The method of claim 2 further comprising:
    - adding headers to the data, the headers comprising routing headers and virtual private network (VPN) headers, wherein the VPN headers are derived from security association identifiers (SAiDs) stored in the binding table.
  - 6. The method of claim 1 further comprising:
    - adding headers to data being communicated to a mobile node selected from the first mobile node and the second mobile node, the headers comprising routing headers and virtual private network (VPN) headers, wherein the VPN headers are derived from security association identifiers (SAiDs) stored in a binding table.
  - 7. The method of claim 6 further comprising:
    - storing addressing information for the mobile node in the binding table.
  - 8. The method of claim 7 wherein storing the addressing information for the mobile node in the binding table further comprises:
    - storing an external home address of the mobile node, an internal home address of the mobile node, and an external care-of address of the mobile node in the binding table.
  - 9. The method of claim 8 wherein the SAiDs stored in a binding table comprise first SAiDs applicable from the mobile node to the security gateway and second SAiDs applicable from the security gateway to the mobile node.
  - 10. The method of claim 1 wherein establishing the first internal communication tunnel between the first mobile node and the first internal home agent via the security gateway further comprises:
    - performing mobile internet protocol (MIP) registration of the first mobile node with a first internal home agent.
  - 11. The method of claim 10 wherein performing MIP registration of the first mobile node and the first internal home agent further comprises:
    - using the security gateway'"'"'s private address as a first internal care-of address of the first mobile node.
  - 12. The method of claim 11 further comprising:
    - establishing a first external communication tunnel between the first mobile node and a first external home agent.
  - 13. The method of claim 12 wherein establishing the first external communication tunnel further comprises:
    - establishing the first external communication tunnel between the security gateway and a first external care-of address of the first mobile node.
  - 14. The method of claim 12 wherein establishing the first external tunnel further comprises:
    - performing MIP registration with a first external home agent.
  - 15. The method of claim 12 further comprising:
    - establishing a first external secure tunnel between the first mobile node and the security gateway.
  - 16. The method of claim 15 wherein establishing the first external secure tunnel further comprises:
    - establishing a first virtual private network (VPN) between the security gateway and a first external home address of the first mobile node.

17. Apparatus comprising:
- a first mobile node;
  
  a first home agent coupled to the first mobile node via a first internal communication tunnel;
  
  a second mobile node;
  
  a second home agent coupled to the second mobile node via a second internal communication tunnel;
  
  a security gateway coupled to the first internal communication tunnel and the second internal communication tunnel, wherein the security gateway bridges communication between the first mobile node and the second mobile node such that the first internal communication tunnel and the second internal communication tunnel are not needed to convey the communication between the first mobile node and the second mobile node.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17 wherein the security gateway maintains a binding table comprising binding table entries containing addressing information for the first mobile node and the second mobile node.
  - 19. The apparatus of claim 18 wherein the addressing information comprises a first external home address for the first mobile node and a first internal home address for the first mobile node.
  - 20. The apparatus of claim 19 wherein, when the first mobile node is outside of an intranet bounded by the security gateway, the addressing information further comprises a first external care-of address for the first mobile node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Barbeau, Michel, Choyi, Vinod Kumar

Application Number

US11/327,304
Publication Number

US 20060268901A1
Time in Patent Office

Days
Field of Search
US Class Current

370/401
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/062   for key distribution, e.g. ...

H04L 63/164   at the network layer

H04W 12/033   of the user plane, e.g. use...

H04W 12/041   Key generation or derivation

H04W 12/0471   Key exchange

H04W 40/00   Communication routing or co...

H04W 76/12   Setup of transport tunnels

H04W 8/082   for traffic bypassing of mo...

H04W 80/00   Wireless network protocols ...

H04W 80/04   Network layer protocols, e....

Method and apparatus for providing low-latency secure session continuity between mobile nodes

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing low-latency secure session continuity between mobile nodes

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links