RE-ESTABLISHMENT OF A SECURITY ASSOCIATION
First Claim
1. A method of re-establishing a session between first and second IP hosts attached to respective first and second IP access routers, the session previously having been conducted via a previous access router to which said first host was attached, and where a security association comprising a shared secret has been established between the hosts, the method comprising:
sending a connection request from said first host to said first access router, said request containing an IP address claimed by said second host, a new care-of-address for the first host, and a session identifier;
at said first access router, upon receipt of said connection request, obtaining a verified IP address for said second access router and sending an on link presence request to the second access router, the request containing at least an Interface Identifier part of the second host's claimed IP address, said care-of-address, and said session identifier;
at said second access router, confirming that said second host is attached to the second access router using the claimed Interface Identifier including sending to the second host said care-of-address and said session identifier, and reporting the presence status to said first access router;
at said second host, using said session identifier to identify said security association, and updating the binding cache entry for said first host with the new care-of-address.
Abstract
According to a first aspect of the present invention there is provided a method of re-establishing a session between first and second IP hosts attached to respective first and second IP access routers, the session previously having been conducted via a previous access router to which said first host was attached, and where a security association comprising a shared secret has been established between the hosts. The method comprises sending a connection request from said first host to said first access router, said request containing an IP address claimed by said second host, a new care-of-address for the first host, and a session identifier. Upon receipt of said connection request at said first access router, the router obtains a verified IP address for said second access router and sends an on link presence request to the second access router, the request containing at least an Interface Identifier part of the second host's claimed IP address, said care-of-address, and said session identifier. Said second access router confirms that said second host is attached to the second access router using the claimed Interface Identifier, sending to the second host said care-of-address and said session identifier. The second access router then reports the presence status to said first access router. Said second host uses said session identifier to identify said security association, and updates the binding cache entry for said first host with the new care-of-address.
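The message flow described above, modelled as an added illustration that is not part of the patent text. The class and function names, the verified-router table keyed by /64 prefix, and the treatment of the Interface Identifier as the low 64 bits of the address are assumptions; how the session identifier is bound to the shared secret is not modelled. Reporting presence as true when the host is attached but does not recognise the session identifier is a modelling choice.

```python
import ipaddress
from dataclasses import dataclass, field

def split64(addr):
    """Return (prefix, Interface Identifier) of an IPv6 address, assuming a /64 link."""
    n = int(ipaddress.IPv6Address(addr))
    return n >> 64, n & ((1 << 64) - 1)

@dataclass
class Host:
    associations: dict = field(default_factory=dict)  # session id -> security association
    def presence_probe(self, care_of, session_id):
        sa = self.associations.get(session_id)
        if sa is not None:                # session identifier selects the association
            sa["peer_care_of"] = care_of  # binding cache entry for the peer is updated
        return True                       # the host answered, so it is on link

@dataclass
class AccessRouter:
    on_link: dict = field(default_factory=dict)         # Interface Identifier -> Host
    verified_peers: dict = field(default_factory=dict)  # /64 prefix -> AccessRouter
    def connection_request(self, claimed_ip, care_of, session_id):
        prefix, iid = split64(claimed_ip)
        peer = self.verified_peers.get(prefix)  # only a verified router address is used
        if peer is None:
            return False
        return peer.presence_request(iid, care_of, session_id)
    def presence_request(self, iid, care_of, session_id):
        host = self.on_link.get(iid)
        if host is None:                  # nobody on this link owns the claimed identifier
            return False
        return host.presence_probe(care_of, session_id)

def demo():
    # Constructed sample data (documentation prefix 2001:db8::/32).
    peer_ip, old_coa, new_coa = "2001:db8:2::aa", "2001:db8:9::10", "2001:db8:1::10"
    second = Host({"sess-42": {"secret": b"shared", "peer_care_of": old_coa}})
    ar2 = AccessRouter(on_link={split64(peer_ip)[1]: second})
    ar1 = AccessRouter(verified_peers={split64(peer_ip)[0]: ar2})
    sa = second.associations["sess-42"]
    results = {}
    results["unknown_session"] = (ar1.connection_request(peer_ip, new_coa, "sess-99"), sa["peer_care_of"])
    results["absent_host"] = ar1.connection_request("2001:db8:2::bb", new_coa, "sess-42")
    results["unverified_router"] = ar1.connection_request("2001:db8:3::aa", new_coa, "sess-42")
    results["valid"] = (ar1.connection_request(peer_ip, new_coa, "sess-42"), sa["peer_care_of"])
    return results

if __name__ == "__main__":
    print(demo())
```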
16 Claims
1. A method of re-establishing a session between first and second IP hosts attached to respective first and second IP access routers, the session previously having been conducted via a previous access router to which said first host was attached, and where a security association comprising a shared secret has been established between the hosts, the method comprising:
sending a connection request from said first host to said first access router, said request containing an IP address claimed by said second host, a new care-of-address for the first host, and a session identifier;
at said first access router, upon receipt of said connection request, obtaining a verified IP address for said second access router and sending an on link presence request to the second access router, the request containing at least an Interface Identifier part of the second host's claimed IP address, said care-of-address, and said session identifier;
at said second access router, confirming that said second host is attached to the second access router using the claimed Interface Identifier including sending to the second host said care-of-address and said session identifier, and reporting the presence status to said first access router;
at said second host, using said session identifier to identify said security association, and updating the binding cache entry for said first host with the new care-of-address.
14. An access router for use in an IP communication network and comprising:
an input for receiving from a mobile node an attachment request, the request containing a care-of-address acquired by the mobile node, an IPv6 address claimed by a correspondent node of the mobile node, and a session identifier;
first processing means for obtaining a validated IP address for a peer access router behind which the correspondent node should be located;
output means for forwarding an on link presence request to said peer access router using said validated IP address and containing said care-of-address, the claimed IPv6 address, and said session identifier.
15. An access router for use in an IP communication network and comprising:
an input for receiving from a peer access router an on link presence request containing a care-of-address acquired by a mobile node located behind said peer access router, an IPv6 address claimed by a correspondent node and containing an Interface Identifier part belonging to the access router, and a session identifier;
processing means for confirming that said correspondent node is present on the local link including means for sending said care-of-address and said session identifier to said correspondent node; and
output means for reporting a link status to said peer access router.
16. A mobile node for use in an IP communication network and comprising:
processing means for establishing a session with a correspondent node, said session comprising one or more security associations and a session identifier identifying the session;
attachment means for detaching from a previous access router and for attaching to a new access router and arranged to send an attachment request to the new access router, the attachment request containing an IPv6 address of said correspondent node, a care-of-address claimed by said correspondent node, said session identifier, and a prefix reachability request in respect of the Interface Identifier part of the correspondent node's claimed IP address;
input means for receiving reachability confirmation in respect of said claimed IP address from said access router; and
packet processing means for exchanging packets with said correspondent node following receipt of said confirmation.
Specification