Seamless IP mobility across security boundaries
Abstract
A method, an arrangement and a computer program product for providing seamless IP mobility across a security boundary between two domains comprise a novel architecture of known network infrastructure components together with enabling client software on the user device. The specific client software and the novel architecture together represent the invention. The method is based on the combined use of independent IP mobility systems, one in each of the two domains; the key is client software able to operate with both mobility systems simultaneously. Communication takes place in such a way that the ordinary remote access security solution remains in control of all access to the user's secure home domain. The resulting method provides secure and seamless IP mobility in any domain, with independent choice of mobility and security technologies.
12 Claims
1. An arrangement in a mobile data communications first terminal (103) for providing mobile internet protocol, hereinafter mobile IP, communication via a dual tunnel IP packet data connection between a first application (121) in the first terminal and a second application (101) in a second terminal in communication with an inner network (105), said inner network connected with an outer network (107) directly or via a firewall (104), wherein an outer mobile IP home agent (102) is arranged in the outer network (107) or in a demilitarized zone (106), hereinafter DMZ, associated with the firewall, and an inner mobile IP home agent (130) is arranged in the inner network, said arrangement comprising:

an outer mobile IP client part (115) configured to associate with an outer mobile IP home agent (102), and arranged to convey data between a virtual private network client part and an outer network by an outer tunnel part (124) directed to an outer home agent, the virtual private network client part being interposed between the outer mobile IP client part and an inner mobile IP client part for establishing a secure connection between a first terminal and an inner network, and the inner mobile IP client part (116) configured to associate with an inner mobile IP home agent (130), and arranged to convey data between a first application and the virtual private network client part by an inner tunnel part (123) directed to the inner mobile IP home agent.

(Dependent claims: 2, 3, 4, 5, 7, 8, 11, 12.)

6. (canceled)
9. An information technology system for providing a packet data connection between a second application (101) operable in a second terminal in an inner network (105) and a first application (121) operable in a mobile data communications first terminal (103), said system arranged for communication by means of mobile internet protocol, hereinafter mobile IP, the system comprising:

an inner network;
an outer network (107);
an outer home agent (102) in the outer network (107) or in a demilitarized zone (106), hereinafter DMZ, associated with a firewall, the firewall arranged between the inner network and the outer network, said outer home agent configured to associate with an outer mobile IP client part (115) operable in a mobile data communications terminal, said outer mobile IP client part being configured to convey data between a virtual private network client and said outer network by an outer tunnel part (124) directed to said outer home agent; and
a virtual private network server arranged between the inner network and the outer network, wherein an inner home agent (130) is arranged in the inner network and is configured to associate with an inner mobile IP client part (116) operable in the mobile data communications terminal, said inner mobile IP client part being configured to convey data between a first application and said virtual private network client by an inner tunnel part (123) directed to the inner home agent, said virtual private network client being interposed between the outer mobile IP client part and the inner mobile IP client part to establish a secure connection between the terminal and the inner network.
10. A data communications system for providing a packet data connection between a first application operable in a mobile data communications terminal (103) and a second application (101) operable in a second terminal connected to an inner network (105) protected by a firewall (104), said system arranged for communication by means of mobile internet protocol, hereinafter mobile IP, between the inner network, an outer network (107), and an outer home agent (102) arranged in said outer network (107) or in a demilitarized zone (106), hereinafter DMZ, associated with the firewall (104), the firewall being interposed between the inner network and the outer network, the system comprising:

an inner mobile IP home agent (130) in an inner network; and
a mobile data communications terminal, the terminal having an outer mobile IP client part (115) configured to associate with the outer mobile IP home agent (102), and arranged to convey data between a virtual private network client part and the outer network by an outer tunnel part (124) directed to the outer mobile IP home agent, the virtual private network client part being interposed between the outer mobile IP client part and an inner mobile IP client part for establishing a secure connection between the terminal and the inner network, and the inner mobile IP client part (116) configured to associate with the inner mobile IP home agent (130), and arranged to convey data between a first application and the virtual private network client part by an inner tunnel part (123) directed to the inner mobile IP home agent.
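The packet path that claims 1, 9 and 10 describe (inner tunnel part 123, wrapped by the VPN, wrapped by outer tunnel part 124), as an added example that is not part of the patent or of any product of its applicant. The addresses, the mapping of reference numerals to hosts, the pre-shared key and the `VpnTunnel` stand-in cipher (an HMAC-SHA256 keystream with an HMAC tag, in place of IPsec ESP) are all constructed assumptions for illustration. The model demonstrates the two security-relevant properties of the arrangement: a handover changes only the outer care-of address, so the VPN session and the inner mobile IP binding survive it unchanged; and the firewall (104) admits nothing toward the inner network except the VPN itself, so an attempt to reach the inner home agent (130) through the outer home agent (102) without the VPN layer is dropped.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Constructed addresses; the reference numerals are the claim elements above.
APP_101  = "10.1.0.101"     # second application (101) in the inner network (105)
INNER_HA = "10.1.0.130"     # inner mobile IP home agent (130)
HOA_IN   = "10.1.5.21"      # inner MIP home address of the terminal (103), stable
VPN_GW   = "203.0.113.4"    # VPN server co-located with the firewall (104)
VPN_ADDR = "10.9.0.7"       # VPN-assigned address; care-of address for the inner tunnel
OUTER_HA = "203.0.113.102"  # outer home agent (102) in the DMZ (106)
HOA_OUT  = "198.51.100.15"  # outer MIP home address, stable across handovers

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str      # "app" | "ipip" | "vpn"
    payload: bytes  # encapsulated packet or application data
    def to_bytes(self) -> bytes:
        return json.dumps([self.src, self.dst, self.proto, self.payload.hex()]).encode()
    @staticmethod
    def from_bytes(raw: bytes) -> "Pkt":
        src, dst, proto, payload_hex = json.loads(raw)
        return Pkt(src, dst, proto, bytes.fromhex(payload_hex))

class VpnTunnel:
    """Toy stand-in for the VPN (IPsec ESP in practice): HMAC-SHA256 keystream, then HMAC tag."""
    def __init__(self, psk: bytes):
        self.enc_key, self.mac_key = (hashlib.sha256(t + psk).digest() for t in (b"enc", b"mac"))
    def _keystream(self, nonce: bytes, n: int) -> bytes:
        return b"".join(hmac.new(self.enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                        for i in range(n // 32 + 1))[:n]
    def seal(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(12)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ct + hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
    def open(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("VPN authentication failed")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

class Terminal:
    """Terminal (103): inner MIP client (116) -> VPN client -> outer MIP client (115)."""
    def __init__(self, vpn: VpnTunnel, coa: str):
        self.vpn = vpn
        self.coa = coa  # care-of address on the outer network (107)
    def move_to(self, new_coa: str) -> None:
        self.coa = new_coa  # handover: only the outer MIP binding changes
    def send(self, data: bytes) -> Pkt:
        app = Pkt(HOA_IN, APP_101, "app", data)                   # first application (121)
        inner = Pkt(VPN_ADDR, INNER_HA, "ipip", app.to_bytes())   # inner tunnel part (123)
        vpn = Pkt(HOA_OUT, VPN_GW, "vpn", self.vpn.seal(inner.to_bytes()))
        return Pkt(self.coa, OUTER_HA, "ipip", vpn.to_bytes())    # outer tunnel part (124)

def home_agent(pkt: Pkt, agent: str) -> Pkt:
    """Both home agents do the same thing: check the tunnel is addressed to them, then decapsulate."""
    if pkt.dst != agent or pkt.proto != "ipip":
        raise ValueError(f"{agent}: not a tunnel packet for this agent")
    return Pkt.from_bytes(pkt.payload)

def firewall(pkt: Pkt) -> Pkt:
    """Firewall (104): the only traffic admitted toward the inner network is the VPN itself."""
    if pkt.dst == VPN_GW and pkt.proto == "vpn":
        return pkt
    raise PermissionError(f"dropped {pkt.proto} {pkt.src}->{pkt.dst}")

def deliver(vpn: VpnTunnel, outer: Pkt) -> Pkt:
    """Network side: outer HA (102) -> firewall (104) -> VPN server -> inner HA (130) -> app (101)."""
    at_firewall = firewall(home_agent(outer, OUTER_HA))
    inner = Pkt.from_bytes(vpn.open(at_firewall.payload))
    return home_agent(inner, INNER_HA)

def bypass_blocked(coa: str) -> bool:
    """Constructed misuse: inner-MIP packet tunnelled via the outer HA with no VPN layer."""
    inner = Pkt(HOA_OUT, INNER_HA, "ipip", Pkt(HOA_IN, APP_101, "app", b"hello").to_bytes())
    try:
        firewall(home_agent(Pkt(coa, OUTER_HA, "ipip", inner.to_bytes()), OUTER_HA))
    except PermissionError:
        return True
    return False

def demo() -> tuple:
    # Send before and after a handover; returns (outer1, outer2, delivered1, delivered2).
    vpn = VpnTunnel(secrets.token_bytes(32))  # constructed PSK; a real VPN negotiates keys (IKE)
    t = Terminal(vpn, coa="192.0.2.10")
    p1 = t.send(b"GET /inventory")
    d1 = deliver(vpn, p1)
    t.move_to("192.0.2.77")  # roams to another outer subnet; VPN and inner MIP untouched
    p2 = t.send(b"GET /inventory")
    return p1, p2, d1, deliver(vpn, p2)

if __name__ == "__main__":
    p1, p2, d1, d2 = demo()
    print(p1.src, "->", p2.src, "| delivered equal:", d1 == d2, "| bypass blocked:", bypass_blocked(p1.src))
```

Run as a script to see the outer source address change across the handover while the packet delivered to application (101) stays byte-for-byte identical. The layering also explains why the ordinary remote access solution stays in control: the inner tunnel's care-of address is the address the VPN assigns, so the inner home agent never learns the terminal's outer care-of address, and everything the firewall forwards inward is VPN ciphertext that the VPN server has authenticated.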
Specification