Adaptive IPsec processing in mobile-enhanced virtual private networks

US 20070006295A1
Filed: 06/23/2006
Published: 01/04/2007
Est. Priority Date: 06/24/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method providing secure mobility for a terminal in a mobile system comprising at least two IP based sub-networks, the method comprising:

detecting a change of an IP based sub-network by the terminal;

updating connection parameters of the terminal so as to be connected with a new IP based sub-network;

detecting security requirements of the new IP based sub-network; and

adapting security associations of the terminal connected to the new IP based sub-network to the security requirements of the new IP based sub-network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a method providing secure mobility for a terminal in a mobile system comprising at least two IP based sub-networks. The method comprises to detect a change of the IP based sub-network by the terminal. The connection parameters of the terminal are updated so as to be connected with a new IP based sub-network. Further, the security requirements of the new IP based sub-network are detected, and the security associations of the terminal to the new IP based sub-network are adapted to the security requirements of the new IP based sub-network.

35 Citations

View as Search Results

20 Claims

1. A method providing secure mobility for a terminal in a mobile system comprising at least two IP based sub-networks, the method comprising:
- detecting a change of an IP based sub-network by the terminal;
  
  updating connection parameters of the terminal so as to be connected with a new IP based sub-network;
  
  detecting security requirements of the new IP based sub-network; and
  
  adapting security associations of the terminal connected to the new IP based sub-network to the security requirements of the new IP based sub-network.
- View Dependent Claims (2, 3, 4)
- - 2. The method according to claim 1, wherein the step of updating includes using Internet key exchange mobility extensions for updating an IP address of the terminal;
    - the step of detecting security requirements includes detecting, by one of the terminal and a gateway node, that security properties of the new IP based sub-network and an old IP based sub-network are different, and initiating a re-negotiation of the security associations according to a secure Internet Protocol using the Internet key exchange protocol; and
      
      the step of adapting includes adapting, by one of the terminal and the gateway node, a list of allowed cipher suites according to the security requirements of the new IP based sub-network, and selecting a new cipher suite according to an adaptation of the secure Internet Protocol processing the security requirements of the new IP based sub-network.
  - 3. The method according to claim 1, wherein the step of updating includes performing a Mobile IP registration;
    - the step of detecting security requirements includes receiving indications in Mobile IP registration message extensions about allowed security associations and required security processing in the new IP based sub-network; and
      
      the step of adapting includes adapting the security processing according to a secure Internet Protocol based on the Mobile IP registration message extensions.
  - 4. The method according to claim 1, comprising the consecutive steps of:
    - negotiating an IPsec session with an IPsec gateway node by the terminal while the terminal is located in a trusted network;
      
      detecting security requirements of an untrusted network;
      
      detecting a change of an IP based sub-network by the terminal, wherein the change is from trusted access to untrusted access;
      
      updating connection parameters of the terminal so as to be connected with a new IP based sub-network providing untrusted access; and
      
      adapting security associations of the terminal connected to the new IP based sub-network to the security requirements of the new IP based sub-network including informing the IPsec gateway node of a change in an IP address of the terminal and enabling IPsec for all traffic.

5. A system comprising:
- a terminal; and
  
  a mobile system comprising at least two IP based sub-networks and a gateway node;
  
  wherein the system is configured to detect a change of an IP based sub-network by the terminal, update connection parameters of the terminal so as to be connected with a new IP based sub-network, detect security requirements of the new IP based sub-network, and adapt security associations of the terminal connected to the new IP based sub-network to the security requirements of the new IP based sub-network.
- View Dependent Claims (6, 7, 8)
- - 6. The system according to claim 5, wherein the system is further configured to update the connection parameters by using Internet key exchange mobility extensions for updating an IP address of the terminal;
    - detect security requirements by detecting, by one of the terminal and a gateway node, that security properties of the new IP based sub-network and an old IP based sub-network are different, and initiating a re-negotiation of the security associations according to a secure Internet Protocol using the Internet key exchange protocol; and
      
      adapt security associations by adapting, by one of the terminal and the gateway node, a list of allowed cipher suites according to the security requirements of the new IP based sub-network, and selecting a new cipher suite according to an adaptation of the secure Internet Protocol processing the security requirements of the new IP based sub-network.
  - 7. The system according to claim 5, wherein the system is further configured to update connection parameters by performing a Mobile IP registration;
    - detect security requirements by receiving indications in Mobile IP registration message extensions about allowed security associations and required security processing in the new IP based sub-network; and
      
      adapt security associations by adapting the security processing according to a secure Internet Protocol based on the Mobile IP registration message extensions.
  - 8. The system according to claim 5, wherein the system is further configured to negotiate an IPsec session with an IPsec gateway node by the terminal while the terminal is located in a trusted network;
    - detect security requirements of an untrusted network;
      
      detect a change of an IP based sub-network by the terminal, wherein the change is from trusted access to untrusted access;
      
      update connection parameters of the terminal so as to be connected with a new IP based sub-network providing untrusted access; and
      
      adapt security associations of the terminal connected to the new IP based sub-network to the security requirements of the new IP based sub-network including informing the IPsec gateway node of a change in an IP address of the terminal and enabling IPsec for all traffic.

9. A gateway node of a mobile system, wherein the gateway node is configured to detect a change of an IP based sub-network by the terminal, update connection parameters of the terminal so as to be connected with a new IP based sub-network, detect security requirements of the new IP based sub-network, and adapt security associations of the terminal connected to the new IP based sub-network to the security requirements of the new IP based sub-network.
- View Dependent Claims (10, 11, 12)
- - 10. The gateway node according to claim 9, wherein the gateway node is further configured to update the connection parameters by using Internet key exchange mobility extensions for updating an IP address of the terminal;
    - detect security requirements by detecting, by the gateway node, that security properties of the new IP based sub-network and an old IP based sub-network are different, and initiating a re-negotiation of the security associations according to a secure Internet Protocol using the Internet key exchange protocol; and
      
      adapt security associations by adapting, by the gateway node, a list of allowed cipher suites according to the security requirements of the new IP based sub-network, and selecting a new cipher suite according to an adaptation of the secure Internet Protocol processing the security requirements of the new IP based sub-network.
  - 11. The gateway node according to claim 9, wherein the gateway node is further configured to update connection parameters by performing a Mobile IP registration;
    - detect security requirements by receiving indications in Mobile IP registration message extensions about allowed security associations and required security processing in the new IP based sub-network; and
      
      adapt security associations by adapting the security processing according to a secure Internet Protocol based on the Mobile IP registration message extensions.
  - 12. The gateway node according to claim 9, wherein the gateway node is an IPsec gateway node and further configured to negotiate an IPsec session with the terminal while the terminal is located in a trusted network;
    - and adapt security associations of the terminal connected to a new IP based sub-network providing untrusted access to the security requirements of the new IP based sub-network including informing the IPsec gateway node of a change in an IP address of the terminal and enabling IPsec for all traffic.

13. A terminal configured to change a connection between IP based sub-networks of a mobile system, and configured to detect a change of an IP based sub-network by the terminal, update connection parameters of the terminal so as to be connected with a new IP based sub-network, detect security requirements of the new IP based sub-network, and adapt security associations of the terminal connected to the new IP based sub-network to the security requirements of the new IP based sub-network.
- View Dependent Claims (14, 15, 16)
- - 14. The terminal according to claim 13, wherein the terminal is further configured to update the connection parameters by using Internet key exchange mobility extensions for updating an IP address of the terminal;
    - detect security requirements by detecting, by one of the terminal and a gateway node, that security properties of the new IP based sub-network and an old IP based sub-network are different, and initiating a re-negotiation of the security associations according to a secure Internet Protocol using the Internet key exchange protocol; and
      
      adapt security associations by adapting, by one of the terminal and the gateway node, a list of allowed cipher suites according to the security requirements of the new IP based sub-network, and selecting a new cipher suite according to an adaptation of the secure Internet Protocol processing the security requirements of the new IP based sub-network.
  - 15. The terminal according to claim 13, wherein the terminal is further configured to update connection parameters by performing a Mobile IP registration;
    - detect security requirements by receiving indications in Mobile IP registration message extensions about allowed security associations and required security processing in the new IP based sub-network; and
      
      adapt security associations by adapting the security processing according to a secure Internet Protocol based on the Mobile IP registration message extensions.
  - 16. The terminal according to claim 13, wherein the terminal is further configured to negotiate an IPsec session with an IPsec gateway node by the terminal while the terminal is located in a trusted network;
    - detect security requirements of an untrusted network;
      
      detect a change of an IP based sub-network by the terminal, wherein the change is from trusted access to untrusted access;
      
      update connection parameters of the terminal so as to be connected with a new IP based sub-network providing untrusted access; and
      
      adapt security associations of the terminal connected to the new IP based sub-network to the security requirements of the new IP based sub-network including informing the IPsec gateway node of a change in an IP address of the terminal and enabling IPsec for all traffic.

17. A computer program product, comprising processor implementable instruction portions, wherein, when the computer program product is run on a computer, the following steps are performed:
- detecting a change of an IP based sub-network by the terminal;
  
  updating connection parameters of the terminal so as to be connected with a new IP based sub-network;
  
  detecting security requirements of the new IP based sub-network; and
  
  adapting security associations of the terminal connected to the new IP based sub-network to the security requirements of the new IP based sub-network.
- View Dependent Claims (18, 19)
- - 18. The computer program product according to claim 17, wherein said computer program product comprises a software medium storing said processor implementable instruction portions.
  - 19. The computer program product according to claim 17, wherein said computer program product is directly loadable into the internal memory of a computer.

20. A signal for carrying processor implementable instructions for controlling a computer to perform the following steps:
- detecting a change of an IP based sub-network by the terminal;
  
  updating connection parameters of the terminal so as to be connected with a new IP based sub-network;
  
  detecting security requirements of the new IP based sub-network; and
  
  adapting security associations of the terminal connected to the new IP based sub-network to the security requirements of the new IP based sub-network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Corporation
Original Assignee
Nokia Corporation
Inventors
Haverinen, Henry, Grech, Sandro, Eronen, Pasi

Application Number

US11/472,996
Publication Number

US 20070006295A1
Time in Patent Office

Days
Field of Search
US Class Current

726/14
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

H04W 12/03   Protecting confidentiality,...

H04W 80/04   Network layer protocols, e....

Adaptive IPsec processing in mobile-enhanced virtual private networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Adaptive IPsec processing in mobile-enhanced virtual private networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others