Seamless IP mobility across security boundaries

US 20080040793A1
Filed: 06/20/2007
Published: 02/14/2008
Est. Priority Date: 07/11/2002
Status: Abandoned Application

First Claim

Patent Images

1. An arrangement in a mobile data communications first terminal (103) for providing mobile internet protocol, hereinafter mobile IP, communication via a dual tunnel IP packet data connection between a first application (121) in the first terminal and a second application (101) in a second terminal in communication with an inner network (105), said inner network connected with an outer network (107) directly or via a firewall (104), wherein an outer mobile IP home agent (102) is arranged in the outer network (107) or in a demilitarized zone (106), hereinafter DMZ, associated with the firewall, and an inner mobile IP home agent (130) is arranged in the inner network, said arrangement comprising:

an outer mobile IP client part (115) configured to associate with an outer mobile IP home agent (102), and arranged to convey data between a virtual private network client part and an outer network by an outer tunnel part (124) directed to an outer home agent, the virtual private network client part being interposed between the outer mobile IP client part and an inner mobile IP client part for establishing a secure connection between a first terminal and an inner network, and the inner mobile IP client part (116) configured to associate with an inner mobile IP home agent (130), and arranged to convey data between a first application and the virtual private network client part by an inner tunnel part (123) directed to the inner mobile IP home agent.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, an arrangement and a computer program product, for providing seamless IP mobility across a security boundary between two domains comprises a novel architecture of known network infrastructure components along with enabling client software on the user device. The specific client software as well as the novel architecture represents the invention. The method is based on the combined use of independent IP mobility systems in each of the two domains. The key is client software being able to operate with both mobility systems simultaneously. Moreover, communication takes place in such a way that the ordinary remote access security solution is in control of all access to the secure home domain of the user. The resulting method provides secure and seamless IP mobility in any domain with independent choice of mobility and security technologies.

59 Citations

View as Search Results

12 Claims

1. An arrangement in a mobile data communications first terminal (103) for providing mobile internet protocol, hereinafter mobile IP, communication via a dual tunnel IP packet data connection between a first application (121) in the first terminal and a second application (101) in a second terminal in communication with an inner network (105), said inner network connected with an outer network (107) directly or via a firewall (104), wherein an outer mobile IP home agent (102) is arranged in the outer network (107) or in a demilitarized zone (106), hereinafter DMZ, associated with the firewall, and an inner mobile IP home agent (130) is arranged in the inner network, said arrangement comprising:
- an outer mobile IP client part (115) configured to associate with an outer mobile IP home agent (102), and arranged to convey data between a virtual private network client part and an outer network by an outer tunnel part (124) directed to an outer home agent, the virtual private network client part being interposed between the outer mobile IP client part and an inner mobile IP client part for establishing a secure connection between a first terminal and an inner network, and the inner mobile IP client part (116) configured to associate with an inner mobile IP home agent (130), and arranged to convey data between a first application and the virtual private network client part by an inner tunnel part (123) directed to the inner mobile IP home agent.
- View Dependent Claims (2, 3, 4, 5, 7, 8, 11, 12)
- - 2. Arrangement according to claim 1, wherein said outer mobile IP client part is further configured to convey data between the first application and the outer network, and said arrangement further comprises a device configured to i) provide, on condition that the terminal obtains access via the outer network, a first connection between the first application and the inner mobile IP client part, a second connection between the inner mobile IP client part and the outer mobile IP client part, and a third connection between the outer mobile IP client part and the outer mobile IP home agent, and ii) provide, on condition that the terminal obtains access via the inner network, a fourth connection between the first application and the outer mobile IP client part, and a fifth connection between the outer mobile IP client part and the inner mobile IP home agent.
  - 3. Arrangement according to claim 1, wherein said inner mobile IP client part (116) is controllable for activation and deactivation, and said arrangement further comprises a mobile IP detection device, said mobile IP detection device configured to i) activate the inner mobile IP client part on detection of a connection to the inner network (105) and a successful mobile IP registration with the inner home agent (130), and ii) activate the outer mobile IP client part on detection of a connection to the outer network (107) and a successful mobile IP registration with the outer home agent (130).
  - 4. Arrangement according to claim 1, wherein said inner mobile IP client part (116) is controllable for activation and deactivation, and the arrangement further comprises a mobile IP detection device configured to activate the inner mobile IP client part on detection of connection to the outer network (107) by means of at least one of a first monitoring device configured to determine a source IP first address of an incoming packet and to determine that the first address is outside an address range configured for the inner network (105), a second monitoring device configured to analyze an Internet Control Message Protocol message, hereinafter ICMP control message, and to determine that a second address associated with the ICMP control message is outside the address range configured for the inner network (105), a third monitoring device configured to detect the outer home agent (102) on transmission of a registration message with improper security association, and a fourth monitoring device configured to compare results from said first monitoring device and said second monitoring device with a collected history regarding Media Access Control addresses to mobile IP Foreign Agents, IP addresses to mobile IP Foreign Agents, Default gateways, and wireless local area network access points that indicate that the mobile terminal is operating in the outer network.
  - 5. Arrangement according to claim 1, wherein said inner mobile IP client part (116) is controllable for deactivation, and said arrangement further comprises a mobile IP detection device configured to deactivate the inner mobile IP client part on detection of a connection to the outer network (107) by means of at least one of a first monitoring device configured to determine a source IP first address of an incoming packet and to detect whether the first address is inside an address range configured for the inner network (105), a second monitoring device configured to analyze an Internet Control Message Protocol message, hereinafter ICMP control message and to detect that a second address associated with the ICMP control message is inside the address range configured for the inner network (105), a third monitoring device arranged to detect the inner home agent (130) on transmission of a registration message with incorrect security association, and a fourth monitoring device arranged to detect inconsistencies in results provided by the first monitoring device, the second monitoring device, the third monitoring device, and a collected history regarding Media Access Control addresses to mobile IP Foreign Agents, IP addresses to mobile IP Foreign Agents, Default Gateways, and wireless local area network access points that indicate that the mobile terminal is operating in the inner network (105).
  - 7. A mobile IP terminal, wherein said mobile IP terminal comprises an arrangement according to claim 1.
  - 8. A computer program product comprising:
    - a computer readable medium having thereon a computer program code loadable and executable in a mobile IP data communications terminal, wherein said computer program code when loaded and executed in the mobile IP data communications terminal effects the establishment of an arrangement as recited in claim 1.
  - 11. Arrangement according to claim 1, wherein the inner mobile IP home agent (130) is within the inner network, and the outer mobile IP home agent (102) is within the DMZ (106).
  - 12. Arrangement according to claim 1, wherein the inner mobile IP home agent (130) is within the inner network, and the outer mobile IP home agent (102) is within the outer network (107).

6. (canceled)

9. An information technology system for providing a packet data connection between a second application (101) operable in a second terminal in an inner network (105) and a first application (121) operable in a mobile data communications first terminal (103), said system arranged for communication by means of mobile internet protocol, hereinafter IP, the system comprising:
- an inner network;
  
  an outer network (107);
  
  an outer home agent (102) in the outer network (107) or in a demilitarized zone (106), hereinafter DMZ, (106) associated with a firewall, the firewall arranged between the inner network and the outer network, said outer home agent configured to associate with an outer mobile IP client part (115) operable in a mobile data communications terminal, said outer mobile IP client part being configured to convey data between a virtual private network client and said outer network by an outer tunnel part (124) directed to said outer home agent; and
  
  a virtual private network server arranged between the inner network and the outer network, wherein, an inner home agent (130) is arranged in the inner network and is configured to associate with an inner mobile IP client part (116) operable in the mobile data communications terminal, said inner mobile IP client part being configured to convey data between a first application and said virtual private network client by an inner tunnel part (123) directed to the inner home agent, said virtual private network client being interposed between the outer mobile IP client part and the inner mobile IP client part to establish a secure connection between the terminal and the inner network.

10. A data communications system for providing a packet data connection between a first application operable in a mobile data communications terminal (103) and a second application (101) operable in a second terminal connected to an inner network (105) protected by a firewall (104), said system arranged for communication by means of mobile internet protocol, hereinafter mobile IP, between the inner network, an outer network (107), and an outer home agent (102) arranged in said outer network (107) or in a demilitarized zone (106), hereinafter DMZ, associated with the firewall (104), the firewall being interposed between the inner network and the outer network, the system comprising:
- an inner mobile IP home agent (130) in an inner network; and
  
  a mobile data communications terminal, the terminal having an outer mobile IP client part (115) configured to associate with an outer mobile IP home agent (102), and arranged to convey data between a virtual private network client part and an outer network by an outer tunnel part (124) directed to the outer home agent, and the outer network by an outer tunnel part (124) directed to the outer mobile IP home agent, the VPN client part being interposed between the outer mobile IP client part and an inner mobile IP client part for establishing a secure connection between the terminal and the inner network, and iii) the inner mobile IP client part (116) configured to associate with the inner mobile IP home agent (130), and arranged to convey data between a first application and the virtual private network client part by an inner tunnel part (123) directed to the inner mobile IP home agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Birdstep Technology Ace
Original Assignee
Birdstep Technology Ace
Inventors
Nilsen, Frode, Klovning, Espen, Bryhni, Haakon

Application Number

US11/812,559
Publication Number

US 20080040793A1
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04W 76/12   Setup of transport tunnels

H04W 80/04   Network layer protocols, e....

Seamless IP mobility across security boundaries

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

59 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Seamless IP mobility across security boundaries

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links