Method for providing virtual private network services to mobile node in IPv6 network and gateway using the same

US 20070177550A1
Filed: 12/06/2006
Published: 08/02/2007
Est. Priority Date: 12/07/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for providing VPN (virtual private network) services of a gateway in an IPv6 network, the method comprising:

performing IKE (Internet key exchange) negotiation with an MN (mobile node) which has performed handover, acquiring SA (security association) and then authenticating a terminal of the MN;

receiving a BU (binding update) message from the MN and verifying the BU message, storing new position information of the MN, transmitting a BA (binding acknowledgement) message and performing mobility processing;

if the mobility processing is completed, performing IPsec processing on packets which the MN transmits to a CN (correspondent node), and transmitting the packets; and

re-configuring and transmitting packets so that packets which the CN transmits to a home address of the MN, can be transmitted to a CoA (Care-of-Address) of the MN.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are a method for providing virtual private network (VPN) services to a mobile node (MN) in an IPv6 network and a gateway using the same. The method includes: performing IKE (Internet key exchange) negotiation with an MN (mobile node) which has performed handover, acquiring SA (security association) and then authenticating a terminal of the MN; receiving a BU (binding update) message from the MN and verifying the BU message, storing new position information of the MN, transmitting a BA (binding acknowledgement) message and performing mobility processing; if the mobility processing is completed, performing IPsec processing on packets which the MN transmits to a CN (correspondent node), and transmitting the packets; and re-configuring and transmitting packets so that packets which the CN transmits to a home address of the MN can be transmitted to a CoA (Care-of-Address) of the MN. A function performed by a home agent (HA) of Mobile IPv6 is performed so that IP mobility in VPN services can be provided and both mobility inside a VPN domain of the MN and mobility outside the VPN domain can be supported.

Citations

19 Claims

1. A method for providing VPN (virtual private network) services of a gateway in an IPv6 network, the method comprising:
- performing IKE (Internet key exchange) negotiation with an MN (mobile node) which has performed handover, acquiring SA (security association) and then authenticating a terminal of the MN;
  
  receiving a BU (binding update) message from the MN and verifying the BU message, storing new position information of the MN, transmitting a BA (binding acknowledgement) message and performing mobility processing;
  
  if the mobility processing is completed, performing IPsec processing on packets which the MN transmits to a CN (correspondent node), and transmitting the packets; and
  
  re-configuring and transmitting packets so that packets which the CN transmits to a home address of the MN, can be transmitted to a CoA (Care-of-Address) of the MN.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the BU message comprises a home address of the MN and a CoA (Care-of-Address) generated by handover of the MN.
  - 3. The method of claim 2, wherein an IPsec tunnel header generated based on the SA (security association) is added to the the BU message
  - 4. The method of claim 1, wherein the receiving of a BU (binding update) message from the MN and the verifying of the BU message, the storing of new position information of the MN, the transmitting of a BA (binding acknowledgement) message and the performing of mobility processing comprises:
    - extracting the SA from the BU message;
      
      removing an IPsec tunnel header and decrypting packets based on the extracted SA;
      
      updating new position information of the MN in a binding cache in the decrypted packets; and
      
      transmitting the new position information to the BA message in an IPsec tunnel mode.
  - 5. The method of claim 1, wherein, if the mobility processing is completed, the performing of IPsec processing on packets which the MN transmits to a CN (correspondent node), and the transmitting of the packets comprises:
    - receiving packets which the MN transmits to the CN; and
      
      decrypting and decapsulating the received packets by performing IPsec processing on the received packets and then transmitting the packets to the CN using the home address of the MN located in an inner header as a source address.
  - 6. The method of claim 1, wherein the re-configuring and the transmitting of packets so that packets which the CN transmits to a home address of the MN, can be transmitted to a CoA (Care-of-Address) of the MN comprises:
    - intercepting the packets transmitted to the MN; and
      
      setting a source address of an outer header of the packets as an address of the gateway and setting a destination address of the outer header as a CoA of the MN and then transmitting the packets using IPsec.

7. A method for providing VPN (virtual private network) services between a gateway and an MN (mobile node) in an IPv6 network in which the MN, a VPN gateway and a CN (correspondent node) are connected to one another, the method comprising:
- providing SA (security association) after performing IKE (Internet key exchange) negotiation between the MN and the gateway;
  
  transmitting a BU (binding update) message to which an IPsec tunnel header generated based on the SA is added, to the gateway using the MN;
  
  performing IPsec processing and decrypting packets based on the SA using the gateway which has verified the BU message, and transmitting a BA (binding acknowledgement) message to the MN;
  
  if IPsec processing is performed on packets which the MN transmits to the CN and the packets are transmitted to the gateway, transmitting the packets to the CN which is a destination, by referring to binding cache information using the gateway; and
  
  re-configuring and transmitting packets so that packets which the CN transmits to a home address of the MN, can be transmitted to a Care-of-Address (CoA) of the MN using the gateway receiving the packets.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, before the providing of SA (security association) after performing IKE (Internet key exchange) negotiation between the MN and the gateway, further comprising registering the home address of the MN in a firewall for protecting the network.
  - 9. The method of claim 7, wherein the providing of SA (security association) after performing IKE (Internet key exchange) negotiation between the MN and the gateway comprises:
    - generating a CoA (Care-of-Address) address generated by handover using the MN; and
      
      authenticating the MN, negotiating the SA with the MN and storing the SA during the IKE negotiation using the gateway.
  - 10. The method of claim 7, wherein the performing of IPsec processing and the decrypting packets of based on the SA using the gateway which has verified the BU message, and the transmitting of a BA (binding acknowledgement) message to the MN comprises:
    - extracting the SA from the BU message;
      
      removing an IPsec tunnel header and decrypting packets based on the extracted SA;
      
      updating new position information of the MN in a binding cache in the decrypted packets; and
      
      transmitting the new position information to the BA message in an IPsec tunnel mode.
  - 11. The method of claim 7, wherein, if IPsec processing is performed on packets which the MN transmits to the CN and the packets are transmitted to the gateway, transmitting the packets to the CN which is a destination, by referring to binding cache information using the gateway comprises:
    - receiving packets which the MN transmits to the CN; and
      
      decrypting and decapsulating the packets by performing IPsec processing on the received packets and then transmitting the packets to the CN using the home address of the MN located in an inner header as a source address.
  - 12. The method of claim 7, wherein the re-configuring and transmitting of packets so that packets which the CN transmits to a home address of the MN, can be transmitted to a Care-of-Address (CoA) of the MN using the gateway receiving the packets comprises:
    - intercepting the packets transmitted to the MN; and
      
      setting a source address of an outer header of the packets as an address of the gateway and setting a destination address of the outer header as a CoA of the MN and then transmitting the packets using IPsec.

13. A gateway for providing VPN (virtual private network) services in an IPv6 network, the gateway comprising:
- an IPsec engine module processing ESP (encapsulating security payload) and an authentication overhead to perform IPsec processing with communication with a MN (mobile node);
  
  an encryption/decryption processing unit performing encryption/decryption processing and hash function processing used in IPsec and generating and verifying a message authentication code;
  
  a VPN service module providing VPN services if authentication of the MN is successfully performed; and
  
  a mobility processing &
  
  management module performing processing of an address of the MN and packets to perform the VPN services and outputting the address of the MN and the packets to the VPN service module.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The gateway of claim 13, wherein the VPN service module comprises:
    - an IPsec tunneling unit processing IPsec tunneling; and
      
      an IKE processing unit performing IKE negotiation with the MN.
  - 15. The gateway of claim 14, wherein the VPN service module further comprises an IP packet filtering unit filtering packets which the MN transmits or receives, if there is no firewall in the IPv6 network.
  - 16. The gateway of claim 13, wherein the mobility processing &
    - management module comprises;
      
      a binding cash management unit authenticating the MN after performing IKE negotiation with the MN and acquiring SA;
      
      a BU (binding update) message processing unit verifying a BU message received from the MN, storing new position information of the MN, and transmitting a BA (binding acknowledgement) message;
      
      a packet intercept unit performing IPsec processing on packets transmitted or received between the MN and the CN; and
      
      an MH (mobility header) processing unit processing an MH.
  - 17. The gateway of claim 16, wherein the BU message comprises a home address and Care-of-Address (CoA) generated by handover of the MN and an IPsec tunnel header generated based on the SA is added to the BU message.
  - 18. The gateway of claim 16, wherein the BU message processing unit extracts SA from the BU message, removes an IPsec tunnel header and decrypts packets based on the extracted SA, updates new position information of the MN in a binding cache in the decrypted packets, and then transmits the new position information to the BA message in an IPsec tunnel mode.
  - 19. The gateway of claim 16, wherein the packet intercept unit comprises:
    - a first packet intercept unit decrypting and decapsulating the packets by performing IPsec processing on the packets which the MN transmits to a CN (correspondent node), and then transmitting the packets to the CN using the home address of the MN located in an inner header as a source address; and
      
      a second packet intercept unit intercepting the packets transmitted to the MN and setting a source address of an outer header of the packets as an address of the gateway and setting a destination address of the outer header as a CoA of the MN and then transmitting the packets using IPsec.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Jang, Jong Soo, Nah, Jae Hoon, Kwon, Hyeok Chan

Application Number

US11/634,688
Publication Number

US 20070177550A1
Time in Patent Office

Days
Field of Search
US Class Current

370/331
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/164   at the network layer

H04W 12/03   Protecting confidentiality,...

H04W 36/0038   of security context informa...

H04W 60/00   Affiliation to network, e.g...

H04W 8/04   Registration at HLR or HSS ...

H04W 80/04   Network layer protocols, e....

Method for providing virtual private network services to mobile node in IPv6 network and gateway using the same

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method for providing virtual private network services to mobile node in IPv6 network and gateway using the same

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links