Securing IP Traffic
Abstract
A method of securing IP traffic sent from a first host to a second host attached respectively to first and second access points. The method comprises establishing a shared secret between said first and second hosts, and for each packet to be sent, using the next value in a pseudo-random number sequence as an interface identifier part of the source IP address.
20 Claims
1. A method of hiding data within packets of an IP session between first and second hosts which may otherwise be used to link packets of the session, the first and second hosts being attached respectively to first and second access points, the method comprising:
using as interface identifier within the source and/or destination address an interface identifier generated using a group key and a host identity, both the group key and the host identity being known to said first host and said second access point;
maintaining a mapping at said second access point between a network prefix of said first access point, said host identity and a local access network address of said second host;
upon receipt of a packet at said second access point from said first host, identifying said group key using the network prefix of the packet source address, and using the group key and the host address to map the interface identifier part of the source and/or destination address to a local access network address; and
using said local access network address to forward the packet to said second host.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method of hiding data within packets of an IP session between first and second hosts and which may be used to link packets of the session, the first and second hosts being attached respectively to first and second access points, the method comprising:
at said first host, receiving a group key from said second host and generating a host identity;
providing said group key and said host identity to said second access point, and mapping the host identity to an access network address of said second host;
for each packet to be sent from the first host to the second host, at the first host, generating a pseudo-random number, using said pseudo-random number and said group key to generate a pseudo-random identifier, combining said pseudo-random identifier with said host identity using an invertible function to generate a new interface identifier, including the new interface identifier in the packet source or destination address, and including said pseudo-random number in the packet header;
at said second access router, receiving a packet sent by said first host, identifying said group key using the network prefix of the source address, using said pseudo-random number and said group key to generate a pseudo-random identifier, combining said pseudo-random number with said new interface identifier using said invertible function, validating the result as matching a cached host identity and identifying the corresponding local network address, and forwarding the packet to the second host using said local network address.
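As an added illustration of the interface-identifier scheme of claims 1 and 10 (example code written for this page, not code from the patent), the following shows the first host deriving a fresh interface identifier per packet and the second access point inverting it back to a cached host identity. It assumes HMAC-SHA256 truncated to 64 bits as the function that turns the group key and pseudo-random number into the pseudo-random identifier, and XOR as the invertible combining function; the group key, host identity, prefix and local address are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed values, not from the patent: the group key shared by the first host and the
# second access point, the second host's 64-bit host identity, the first access point's
# network prefix and the second host's local access network address.
GROUP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
HOST_IDENTITY = 0x1A2B3C4D5E6F7081
FIRST_AP_PREFIX = "2001:db8:1::/64"
SECOND_HOST_LOCAL_ADDR = "fe80::2"

# State held at the second access point: the group key, looked up by the first access
# point's prefix, and the host identity mapped to the second host's local address.
KEY_BY_PREFIX = {FIRST_AP_PREFIX: GROUP_KEY}
LOCAL_ADDR_BY_IDENTITY = {(FIRST_AP_PREFIX, HOST_IDENTITY): SECOND_HOST_LOCAL_ADDR}


def pseudo_random_identifier(group_key: bytes, prn: int) -> int:
    """Derive the 64-bit pseudo-random identifier from the group key and the per-packet
    pseudo-random number. HMAC-SHA256 truncated to 64 bits is an assumed choice of PRF."""
    mac = hmac.new(group_key, prn.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def first_host_build_packet(group_key: bytes, host_identity: int,
                            prn: Optional[int] = None) -> dict:
    """First host: draw a fresh pseudo-random number, derive the identifier, and XOR it
    (the assumed invertible function) with the host identity to get the new interface
    identifier. The pseudo-random number is carried in the header so the access point
    can invert the step; an observer without the group key sees only changing IIDs."""
    if prn is None:
        prn = secrets.randbits(64)
    iid = pseudo_random_identifier(group_key, prn) ^ host_identity
    return {"src_prefix": FIRST_AP_PREFIX, "iid": iid, "prn": prn}


def second_ap_forward(packet: dict) -> Optional[str]:
    """Second access point: select the group key by source prefix, recompute the
    identifier from the carried pseudo-random number, undo the XOR, and forward only
    if the result matches a cached host identity (None means drop)."""
    key = KEY_BY_PREFIX.get(packet["src_prefix"])
    if key is None:
        return None
    candidate = packet["iid"] ^ pseudo_random_identifier(key, packet["prn"])
    return LOCAL_ADDR_BY_IDENTITY.get((packet["src_prefix"], candidate))


if __name__ == "__main__":
    p1 = first_host_build_packet(GROUP_KEY, HOST_IDENTITY)
    p2 = first_host_build_packet(GROUP_KEY, HOST_IDENTITY)
    print("IIDs differ between packets:", p1["iid"] != p2["iid"])
    print("forwarded to:", second_ap_forward(p1), second_ap_forward(p2))
```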
11. A network node arranged to act as an access point for a second host, the node comprising:
an input for receiving a packet from a first host; and
means for identifying a destination group key using the network prefix of the packet source address, and for using the destination group key and the destination host address to map the interface identifier part of the destination address to a local access network address.
12. A method of securing IP traffic sent from a first host to a second host attached respectively to first and second access points, the method comprising:
establishing a shared secret between said first and second hosts; and
for each packet to be sent, using the next value in a pseudo-random number sequence as an interface identifier part of the source IP address.
13. A terminal comprising:
means for establishing a shared secret between the terminal and a peer terminal; and
for each packet to be sent, means for using the next value in a pseudo-random number sequence as an interface identifier part of the source IP address.
14. A method of securing IP packets to be transmitted over an IP network, the method comprising:
for each packet to be sent, using the next number of a pseudo-random number sequence together with a secret key to generate a pad and combining the pad with the packet using an invertible function, and including in the packet header the used pseudo-random number.
Dependent claims: 15, 16, 17, 18.
19. A terminal arranged in use to send IP packets to a peer terminal, the terminal comprising:
a pseudo-random number sequence generator; and
a processor arranged, for each packet to be sent, to use the next number of said sequence together with a secret key to generate a pad, to combine the pad with the packet using an invertible function, and to include in the packet header the used pseudo-random number.
Dependent claims: 20.