SYSTEM AND METHOD TO SUPPORT NETWORKING FUNCTIONS FOR MOBILE HOSTS THAT ACCESS MULTIPLE NETWORKS

US 20090022152A1
Filed: 09/30/2008
Published: 01/22/2009
Est. Priority Date: 12/31/2002
Status: Active Grant

First Claim

Patent Images

1. A method of routing packets between a first network access device and a second network access device, the method being performed at a secure mobility gateway having at least one Internet interface and at least one intranet interface, comprising:

receiving an encapsulated IP-in-UDP packet having an IP packet sent from the first network access device to the second network access device through the Internet interface, the IP packet being encrypted;

locating a mobile status record for the first network access device;

verifying the encapsulated IP-in-UDP packet based on a parameter contained in the IP-in-UDP packet and, if the parameter is valid, thenupdating the mobile status record by replacing a current care-of IP address in the mobile status record with an outer source IP address of the encapsulated IP-in-UDP packet, replacing a current interface in the mobile status record with the Internet interface if the current interface is the intranet interface for the first network access device, and replacing a packet sequence number for the first network access device in the mobile status record with the packet sequence number of the encapsulated IP-in-UDP packet for the first network access device, if the packet sequence number of the encapsulated IP-in-UDP packet is greater than a current packet sequence number stored in the mobile status record;

decapsulating the encapsulated IP-in-UDP packet;

decrypting the IP packet and;

sending the IP packet that is unencrypted to the second network access device through an Intranet interface, as if the first network access device is deployed on a subnet of an Intranet that is represented by the Intranet interface.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An IP-based corporate network architecture and method for providing seamless secure mobile networking across office WLAN, home WLAN, public WLAN, and 2.5 G/3 G cellular networks for corporate wireless data users. The system includes Internet roaming clients (IRCs), a secure mobility gateway (SMG), optional secure IP access (SIA) gateways, and a virtual single account (VSA) server. The IRC is a special client tool installed on a mobile computer (laptop or PDA) equipped with a WLAN adaptor and a cellular modem. It is responsible for establishing and maintaining a mobile IPsec tunnel between the mobile computer and a corporate intranet. The SMG is a mobile IPsec gateway installed between the corporate intranet and the Internet. It works in conjunction with the IRC to maintain the mobile IPsec tunnel when the mobile computer is connected on the Internet via a home WLAN, a public WLAN, or a cellular network. The SIA gateway is a special IPsec gateway installed in the middle of the wired corporate intranet and an office WLAN. It works with the IRC to ensure data security and efficient use of corporate IP addresses when the mobile computer is connected to the office WLAN. The VSA server manages authentication credentials for every corporate user based on a virtual single account concept. The Internet Roaming system can provide secure, always-on office network connectivity for corporate users no matter where they are located using best available wireless networks.

Citations

17 Claims

1. A method of routing packets between a first network access device and a second network access device, the method being performed at a secure mobility gateway having at least one Internet interface and at least one intranet interface, comprising:
- receiving an encapsulated IP-in-UDP packet having an IP packet sent from the first network access device to the second network access device through the Internet interface, the IP packet being encrypted;
  
  locating a mobile status record for the first network access device;
  
  verifying the encapsulated IP-in-UDP packet based on a parameter contained in the IP-in-UDP packet and, if the parameter is valid, thenupdating the mobile status record by replacing a current care-of IP address in the mobile status record with an outer source IP address of the encapsulated IP-in-UDP packet, replacing a current interface in the mobile status record with the Internet interface if the current interface is the intranet interface for the first network access device, and replacing a packet sequence number for the first network access device in the mobile status record with the packet sequence number of the encapsulated IP-in-UDP packet for the first network access device, if the packet sequence number of the encapsulated IP-in-UDP packet is greater than a current packet sequence number stored in the mobile status record;
  
  decapsulating the encapsulated IP-in-UDP packet;
  
  decrypting the IP packet and;
  
  sending the IP packet that is unencrypted to the second network access device through an Intranet interface, as if the first network access device is deployed on a subnet of an Intranet that is represented by the Intranet interface.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the mobile status record is located using a Security Association Index number in the encapsulated IP-in-UDP packet.
  - 3. The method of claim 1, wherein the parameter contained in the encapsulated IP-in-UDP packet is a message integrity code.
  - 4. The method of claim 2, wherein the encapsulated IP-in-UDP packet includes a Security Association Index in at least one of:
    - a plain text, a message integrity code, or an encapsulated IP packet.
  - 5. The method of claim 4, wherein the message integrity code is generated using a session key specified in the Security Association Index.
  - 6. The method of claim 4, wherein the IP packet is encrypted using a session key specified in the Security Association Index.

7. A method of routing packets between a first network access device connected to an Intranet through a private access network, and a second network access device, comprising:
- receiving an encapsulated IP-in-UDP packet having an IP packet sent from the first network access device to the second network access device at a secure IP access gateway disposed between the private access network and the Intranet, the IP packet being encrypted using a session key negotiated between the first network access device and the secure IP access gateway, and the encapsulated IP-in-UDP packet having a message integrity code generated using another session key specified by a Security Association in a mobile status record in a secure mobility gateway;
  
  decrypting the IP packet at the secure IP access gateway, wherein the message integrity code of the encapsulated IP-in-UDP packet remains unchanged;
  
  sending the encapsulated IP-in-UDP packet to the secure mobility gateway having an Internet interface facing an Internet, and an Intranet interface facing the Intranet, the encapsulated IP-in-UDP packet being sent to the Intranet interface;
  
  locating a mobile status record using a Security Association Index number in the encapsulated IP-in-UDP packet;
  
  verifying the message integrity code of the encapsulated IP-in-UDP packet based on the Security Association; and
  
  if it is valid, thenupdating the mobile status record by replacing a current care-of IP address in the mobile status record with an outer source IP address of the encapsulated IP-in-UDP packet, replacing a current interface in the mobile status record with the Internet interface if the current interface is the intranet interface for the first network access device, and replacing a packet sequence number for the first network access device in the mobile status record with a packet sequence number of the encapsulated IP-in-UDP packet for the first network access device, if the packet sequence number of the encapsulated IP-in-UDP packet is greater than the current packet sequence number stored in the mobile status record;
  
  decapsulating the encapsulated IP-in-UDP packet at the secure mobility gateway; and
  
  sending the IP packet that is unencrypted to the second network access device through the Intranet interface, as if the first network access device is deployed on a subnet of the Intranet that is represented by the Intranet interface.

8. A method of routing packets between a first network access device connected to an Intranet through a private access network, and a second network access device, comprising:
- receiving an encapsulated IP-in-UDP packet having an IP packet sent from the first network access device to the second network access device at an access point on a first access network, the IP packet being encrypted;
  
  decrypting the IP packet at the access point;
  
  sending the encapsulated IP-in-UDP packet to a secure mobility gateway having an Internet interface facing an Internet, and an Intranet interface facing the Intranet, the unencrypted IP-in-UDP packet being sent to the Intranet interface;
  
  locating a mobile status record using a Security Association Index number in the unencrypted IP-in-UDP packet;
  
  verifying a message integrity code of the unencrypted IP-in-UDP packet based on the Security Association Index number; and
  
  if it is valid, thenupdating the mobile status record by replacing a current care-of IP address in the mobile status record with an outer source IP address of the unencrypted IP-in-UDP packet, replacing a current interface in the mobile status record with the Internet interface if the current interface is the intranet interface for the first network access device, and replacing a packet sequence number for the first network access device in the mobile status record with a packet sequence number of the unencrypted IP-in-UDP packet for the first network access device, if the packet sequence number of the unencrypted IP-in-UDP packet is greater than a current packet sequence number stored in the mobile status record;
  
  decapsulating the unencrypted IP-in-UDP packet at the secure mobility gateway; and
  
  sending the IP packet that is unencrypted to the second network access device through the Intranet interface, as if the first network access device is deployed on a subnet of the Intranet that is represented by the Intranet interface.
- View Dependent Claims (9)
- - 9. The method of claim 8, further comprising:
    - receiving a second IP packet sent from the second network access device to the first network access device at the Intranet interface of a secure mobility gateway;
      
      locating a mobile status record using a destination IP address as an index;
      
      encapsulating the second IP packet into a second encapsulated IP-in-UDP packet with a Security Association Index and a message integrity code at the secure mobility gateway;
      
      sending the second encapsulated IP-in-UDP packet to the first network access device through the Intranet interface; and
      
      encrypting the second encapsulated IP-in-UDP packet when it passes an access point of the private access network.

10. A method of connecting a network access device to a private network, the private network being connected to a secure mobility gateway located between the private network and an Internet, comprising:
- computing a decryption key from a user password;
  
  detecting an access network from a SSID broadcast by an access point;
  
  determining whether the access network is directly connected to the private network or connected to the private network via the secure mobility gateway, and further determining whether to use at least one of;
  
  an Internet interface, or an Intranet interface of the secure mobility gateway;
  
  decrypting an authentication credential stored on the network access device with the decryption key;
  
  sending an authentication frame to the access point, the authentication frame comprising the authentication credential;
  
  receiving a positive acknowledgment from the access point if the authentication credential is authenticated by the access point;
  
  decrypting an authentication credential stored on the network access device for remote access to the secure mobility gateway;
  
  sending an authentication request to one of the Internet interface and the Intranet interface of the secure mobility gateway;
  
  receiving an authentication response from one of the Internet interface and the Intranet interface of the secure mobility gateway; and
  
  establishing a secure IP tunnel with the one of the Internet interface and the Intranet interface of the secure mobility gateway.
- View Dependent Claims (11)
- - 11. The method of claim 10, further comprising:
    - sending a configuration update request to an authentication server through one of the Internet interface and the Intranet interface of the secure mobility gateway for account information to access at least one other access network.

12. A method of routing packets between a first network access device connected to an Internet through a first access network, and a second network access device, the method being performed at a secure mobility gateway having at least one Internet interface and at least one intranet interface, comprising:
- receiving an encapsulated IP-in-UDP packet having an IP packet sent from the first network access device to the second network access device through the at least one Internet interface, the IP packet being encrypted;
  
  locating a mobile status record for the first network access device;
  
  verifying the IP packet based on a parameter contained in the encapsulated IP-in-UDP packet and, if the parameter is valid, thenupdating the mobile status record if a current interface is the intranet interface for the first network access device;
  
  decapsulating the encapsulated IP-in-UDP packet;
  
  decrypting the IP packet; and
  
  sending the IP packet that is unencrypted to the second network access device through an Intranet interface, as if the first network access device is deployed on a subnet of the Intranet that is represented by the Intranet interface.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, wherein the mobile status record is located using a Security Association Index number in the encapsulated IP-in-UDP packet.
  - 14. The method of claim 13, wherein the encapsulated IP-in-UDP packet includes the Security Association Index number in at least one of:
    - a plain text, a message integrity code, or an encapsulated IP packet.
  - 15. The method of claim 14, wherein the message integrity code is generated using a session key specified in the Security Association Index number.
  - 16. The method of claim 14, wherein the IP packet is encrypted using a session key specified in the Security Association Index number.
  - 17. The method recited in claim 12, further comprising:
    - receiving a second IP packet sent from the second network access device to the first network access device at the Intranet interface;
      
      locating a mobile status record using a destination IP address as an index;
      
      encrypting the second IP packet using a Security Association in the mobile status record;
      
      encapsulating the second IP packet into a second encapsulated IP-in-UDP packet; and
      
      sending the second encapsulated IP-in-UDP packet to the first network access device through the Internet interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Byoung-Jo J. Kim, Hui Luo, Kin K. Leung, Nemmara K. Shankaranarayanan, Paul Shala Henry, Zhimei Jiang
Original Assignee
Byoung-Jo J. Kim, Hui Luo, Kin K. Leung, Nemmara K. Shankaranarayanan, Paul Shala Henry, Zhimei Jiang
Inventors
Kim, Byoung-Jo J., Luo, Hui, Shankaranarayanan, Nemmara K., Leung, Kin K., Jiang, Zhimei, Henry, Paul Shala

Granted Patent

US 7,929,528 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

H04L 61/25   of the same type

H04L 61/2564   for a higher-layer protocol...

H04L 61/2592   using tunnelling or encapsu...

H04L 63/0272   Virtual private networks

H04L 63/0815   providing single-sign-on or...

H04L 63/164   at the network layer

H04L 69/18   Multiprotocol handlers, e.g...

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

H04W 80/04   Network layer protocols, e....

H04W 88/08   Access point devices

SYSTEM AND METHOD TO SUPPORT NETWORKING FUNCTIONS FOR MOBILE HOSTS THAT ACCESS MULTIPLE NETWORKS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD TO SUPPORT NETWORKING FUNCTIONS FOR MOBILE HOSTS THAT ACCESS MULTIPLE NETWORKS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links