METHODS AND APPARATUS FOR SECURING PROXY MOBILE IP

US 20090141688A1
Filed: 02/09/2009
Published: 06/04/2009
Est. Priority Date: 04/28/2003
Status: Active Grant

First Claim

Patent Images

1. In an Access Point, a method of authenticating a node prior to performing proxy registration on behalf of the node, comprising:

receiving a packet from the node, the packet including a source MAC address and a source IP address;

ascertaining whether a one-to-one mapping between the source MAC address and the source IP address exists in a mapping table; and

composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An invention is disclosed that enables proxy Mobile IP registration to be performed in a secure manner. Various security mechanisms may be used independently, or in combination with one another, to authenticate the identity of a node during the registration process. First, an Access Point receiving a packet from a node verifies that the source MAC address identified in the packet is in the Access Point'"'"'s client association table. In addition, as a second mechanism, the Access Point ensures that a one-to-one mapping exists for the source MAC address and source IP address identified in the packet in a mapping table maintained by the Access Point. As a third mechanism, a binding is not modified in the mobility binding table maintained by the Home Agent unless there is a one-to-one mapping in the mobility binding table between the source MAC address and the source IP address. Similarly, the Foreign Agent may also maintain a mapping between the source IP address and the source MAC address in its visitor table to ensure a one-to-one mapping between a source IP address and the associated MAC address. The MAC address is preferably transmitted in a MAC address extension to the registration request and registration reply packets. In this manner, the Access Point, Home Agent, and Foreign Agent may ascertain the node'"'"'s MAC address and ensure a one-to-one mapping between the IP address and the MAC address during the registration process.

113 Citations

View as Search Results

20 Claims

1. In an Access Point, a method of authenticating a node prior to performing proxy registration on behalf of the node, comprising:
- receiving a packet from the node, the packet including a source MAC address and a source IP address;
  
  ascertaining whether a one-to-one mapping between the source MAC address and the source IP address exists in a mapping table; and
  
  composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node.
- View Dependent Claims (2, 3)
- - 2. The method as recited in claim 1, wherein composing and sending the registration request are performed according to whether it is ascertained that a one-to-one mapping between the source MAC address and the source IP address exists in a mapping table.
  - 3. The method as recited in claim 1, wherein composing a registration request comprises appending a MAC address extension to the registration request, the MAC address extension including the source MAC address.

4. An Access Point adapted for performing a method of authenticating a node prior to performing proxy registration on behalf of the node, comprising:
- a processor; and
  
  a memory, at least one of the processor and the memory being adapted for;
  
  receiving a packet from the node, the packet including a source MAC address and a source IP address;
  
  ascertaining whether a mapping between the source MAC address and the source IP address exists in a mapping table; and
  
  composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node.

5. In a Foreign Agent, a method of processing a registration request, comprising:
- receiving a registration request having a home address field including a source IP address, a Home Agent field including a Home Agent address, and a MAC address extension including a source MAC address;
  
  determining whether an entry including the source IP address and the source MAC address is in a visitor table maintained by the Foreign Agent; and
  
  forwarding the registration request according to whether an entry in the visitor table maintained by the Foreign Agent includes the source IP address and the source MAC address.
- View Dependent Claims (6, 7)
- - 6. The method as recited in claim 5, wherein determining whether an entry including the source IP address and the source MAC address is in the visitor table maintained by the Foreign Agent includes determining whether a one-to-one mapping exists between the source IP address and the source MAC address.
  - 7. The method as recited in claim 6, wherein when a one-to-one mapping between the source IP address and the source MAC address does not exist in the visitor table, dropping the registration request without forwarding the registration request.

8. In a Home Agent, a method of processing a registration request, comprising:
- receiving a registration request having a home address field including a source IP address, a care-of address field including a care-of address, and having a MAC address extension including a source MAC address; and
  
  determining whether a one-to-one mapping between the source MAC address and the source IP address exists in a mobility binding table;
  
  wherein registering the source IP address with the Home Agent, composing a registration reply and sending the registration reply to the care-of address are performed according to whether it is determined that a one-to-one mapping between the source MAC address and the source IP address exists in the mobility binding table.
- View Dependent Claims (9)
- - 9. The method as recited in claim 8, wherein composing a registration reply comprises:
    - composing a registration reply including a home address field including the source IP address, a care-of address field including the care-of address, and having a MAC address extension including the source MAC address

10. In a Home Agent, a method of processing a registration request, comprising:
- receiving a registration request having a home address field including a source IP address, a care-of address field including a care-of address, and having a MAC address extension including a source MAC address;
  
  composing a registration reply including a home address field including the source IP address, a care-of address field including the care-of address, and having a MAC address extension including the source MAC address; and
  
  sending the registration reply to the care-of address.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method as recited in claim 10, further comprising:
    - updating a mobility binding table with a mapping between the source MAC address and the source IP address such that the mapping is associated with the care-of address.
  - 12. The method as recited in claim 11, further comprising:
    - determining whether a mapping between the source MAC address and the source IP address exists in a mobility binding table;
      
      wherein composing and sending the registration reply to the care-of address and updating the mobility binding table are performed when it is determined that a mapping between the source MAC address and the source IP address exists in the mobility binding table.
  - 13. The method as recited in claim 10, further comprising:
    - determining whether a mapping between the source MAC address and the source IP address exists in a mobility binding table;
      
      wherein composing and sending the registration reply to the care-of address are performed when it is determined that a mapping between the source MAC address and the source IP address exists in the mobility binding table.
  - 14. The method as recited in claim 10, further comprising:
    - determining whether the source IP address matches a binding in a mobility binding table;
      
      when the source IP address matches a binding in the mobility binding table, determining whether the binding maps the source MAC address to the source IP address; and
      
      wherein composing and sending the registration reply to the care-of address is performed when it is determined that the binding maps the source MAC address to the source IP address.
  - 15. The method as recited in claim 14, further comprising:
    - when the source IP address does not match a binding in the mobility binding table, updating the mobility binding table with a mapping between the source MAC address and the source IP address such that the mapping is associated with the care-of address.

16. In a Foreign Agent, a method of processing a registration request, comprising:
- receiving a registration request having a home address field including a source IP address, a Home Agent field including a Home Agent address, and a MAC address extension including a source MAC address;
  
  forwarding the registration request to the Home Agent address;
  
  receiving a registration reply having a home address field including the source IP address, a Home Agent field including the Home Agent address, and a MAC address extension including the source MAC address; and
  
  forwarding the registration reply to the source IP address.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method as recited in claim 16, further comprising:
    - updating a visitor table such that the visitor table includes an entry that associates the source IP address and the source MAC address with the Home Agent address.
  - 18. The method as recited in claim 17, wherein updating a visitor table is performed when the registration reply is received.
  - 19. The method as recited in claim 16, further comprising:
    - determining whether an entry including the source IP address and the source MAC address is in a visitor table maintained by the Foreign Agent.
  - 20. The method as recited in claim 19, further comprising:
    - determining whether an entry including the source IP address is in the visitor table;
      
      when an entry including the source IP address is in the visitor table, determining whether the entry includes the source MAC address;
      
      when the entry is determined to include the source MAC address and the source IP address, forwarding the registration request to the Home Agent address; and
      
      when the entry is determined not to include the source MAC address and the source IP address, dropping the registration request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Leung, Kent K., Dommety, Gopal

Granted Patent

US 8,259,676 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/331
CPC Class Codes

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 61/5084   Providing for device mobili...

H04L 63/0281   Proxies

H04L 63/1466   Active attacks involving in...

H04L 69/329   in the application layer [O...

H04W 12/062   Pre-authentication

H04W 12/122   Counter-measures against at...

H04W 12/126   Anti-theft arrangements, e....

H04W 60/00   Affiliation to network, e.g...

H04W 8/26   Network addressing or numbe...

H04W 80/04   Network layer protocols, e....

H04W 88/08   Access point devices

H04W 88/182   Network node acting on beha...

METHODS AND APPARATUS FOR SECURING PROXY MOBILE IP

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

113 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND APPARATUS FOR SECURING PROXY MOBILE IP

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links