Reuse of security associations for improving hand-over performance
Abstract
In a radio telecommunication system, the performance of a mobile unit can be significantly improved during a hand-over procedure by reusing existing security associations that correspond to the mobile unit. By reusing existing security associations, a mobile unit can begin secure communications immediately following the hand-over. Otherwise, and in accordance with conventional practice, the mobile unit will have to undertake the time-consuming task of renegotiating the required security associations before it can begin transmitting and receiving secure communications.
35 Claims
1. In a radio telecommunication system, a method for accomplishing hand-over of a mobile unit from a first stationary unit to a second stationary unit, said method comprising the steps of:

disconnecting the mobile unit from the first stationary unit;
connecting the mobile unit to the second stationary unit; and
reusing an existing security association to support the connection between the mobile unit and the second stationary unit, wherein the existing security association was previously used to support the connection between the mobile unit and the first stationary unit.

2. The method of claim 1 further comprising the step of:

transferring a number of security association attributes, associated with the security association, from the first stationary unit to the second stationary unit.

3. The method of claim 2, wherein the security association attributes are transferred from the first stationary unit directly to the second stationary unit.

4. The method of claim 2, wherein said step of transferring the number of security association attributes, associated with the security association, from the first stationary unit to the second stationary unit comprises the steps of:

transferring the number of security association attributes from the first stationary unit to a data storage entity; and
transferring the number of security association attributes from the data storage entity to the second stationary unit.

5. The method of claim 4, wherein the data storage entity is a database accessible to the second stationary unit.

6. The method of claim 2 further comprising the step of:

encrypting the number of security association attributes, prior to the step of transferring the number of security association attributes from the first stationary unit to the second stationary unit, using an encryption key that is shared by the first and the second stationary units.

7. The method of claim 1, wherein the existing security association is an ISAKMP security association.

8. The method of claim 1, wherein the existing security association is an IPSEC security association.

9. The method of claim 1, wherein the first stationary unit and the second stationary unit are both associated with a common administrative domain, such that the first stationary unit and the second stationary unit are subject to a common security policy.

10. The method of claim 9, wherein the first stationary unit and the second stationary unit share a common IP address.
11. In a radio telecommunication system, a method for accomplishing hand-over of a mobile unit from a first stationary unit to a second stationary unit, said method comprising the steps of:

disconnecting the mobile unit from the first stationary unit;
connecting the mobile unit to the second mobile unit; and
reusing an existing security association to support the connection between the mobile unit and the second stationary unit, wherein the existing security association was previously used to ensure secure communications for a connection between the mobile unit and a third stationary unit, and wherein the third stationary unit and the second stationary unit are associated with a first administrative domain that employs a common security policy.

12. The method of claim 11 further comprising the step of:

transferring a set of security association attributes associated with the existing security association from the third stationary unit to the second stationary unit.

13. The method of claim 11, wherein said step of transferring the set of security association attributes associated with the existing security association from the third stationary unit to the second stationary unit comprises the steps of:

transferring the security association attributes from the third stationary unit to a storage location; and
transferring the security association attributes from the storage location to the second stationary unit.

14. The method of claim 13, wherein the storage location is in a database associated with the first administrative domain to which the third stationary unit and the second stationary unit belong.

15. The method of claim 11, wherein the first stationary unit is associated with a second administrative domain.
16. In a radio telecommunication network, a method for reusing security associations to facilitate hand-over of a mobile unit between stationary units that are associated with a common administrative domain, wherein all of the stationary units associated with the common administrative domain are subject to the same security policy, said method comprising the steps of:

negotiating a first security association for a connection between the mobile unit and a first stationary unit associated with the common administrative domain;
disconnecting the mobile unit from the first stationary unit;
connecting the mobile unit to a second stationary unit associated with the common administrative domain;
transferring a first set of security association attributes, corresponding to the first security association, from the first stationary unit to the second stationary unit; and
employing the first security association to ensure secure communications for the connection between the mobile unit and the second stationary unit.

17. The method of claim 16, wherein said step of negotiating a first security association comprises the step of:

establishing an ISAKMP security association in accordance with an IKE phase 1 negotiation procedure.

18. The method of claim 17 further comprising the steps of:

negotiating a second security association, in accordance with an IKE phase 2 negotiation procedure, for the connection between the mobile unit and the first stationary unit;
transferring a second set of security association attributes, corresponding to the second security association, from the first stationary unit to the second stationary unit; and
employing the second security association, in conjunction with the first security association, to further ensure secure communications for the connection between the mobile unit and the second stationary unit.

19. The method of claim 18, wherein the second security association is an IPSEC authentication header protocol security association.

20. The method of claim 18, wherein the second security association is an IPSEC encapsulating security payload protocol security association.
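The procedure of claims 16 to 20 (negotiate, disconnect, connect, transfer the attributes, reuse the association), as an added Python model that is not part of the patent. The class and function names, the attribute set carried across (SPI, session key and the anti-replay record) and the SHA-256 counter keystream standing in for a real cipher are assumptions of this example; it also exercises the attribute encryption of claim 6 and shows that a unit holding a different domain key (the second administrative domain of claim 15) cannot import the attributes.

```python
import hashlib, hmac, json, os
from dataclasses import dataclass, field, asdict

@dataclass
class SecurityAssociation:
    spi: int                 # security parameter index
    key: bytes               # session key from the IKE phase 2 negotiation (toy: random)
    seen: list = field(default_factory=list)  # inbound sequence numbers already accepted

def _xor(data: bytes, key: bytes) -> bytes:
    # Toy SHA-256 counter keystream standing in for a real cipher (assumption of this example).
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class StationaryUnit:
    def __init__(self, domain_key: bytes):
        self.domain_key, self.sa = domain_key, None   # key shared inside one administrative domain

    def export_sa(self) -> bytes:
        # Claim 6: the attributes leave the unit encrypted (here encrypt-then-MAC) under the shared key.
        plain = json.dumps({**asdict(self.sa), "key": self.sa.key.hex()}).encode()
        ct = _xor(plain, self.domain_key)
        return ct + hmac.new(self.domain_key, ct, "sha256").digest()

    def import_sa(self, blob: bytes) -> None:
        ct, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.domain_key, ct, "sha256").digest()):
            raise ValueError("SA attributes rejected: bad tag or foreign domain key")
        attrs = json.loads(_xor(ct, self.domain_key))
        attrs["key"] = bytes.fromhex(attrs["key"])
        self.sa = SecurityAssociation(**attrs)

    def receive(self, spi: int, seq: int) -> bool:
        # Accept a packet only on the installed SA and only with a fresh sequence number.
        if self.sa is None or spi != self.sa.spi or seq in self.sa.seen:
            return False
        self.sa.seen.append(seq)
        return True

def handover(old: StationaryUnit, new: StationaryUnit) -> None:
    new.import_sa(old.export_sa())   # attributes go directly from old to new (claim 3)
    old.sa = None                    # the mobile unit is disconnected from the first unit

def demo() -> tuple:
    dk = b"constructed-domain-key"    # constructed sample shared key
    bs1, bs2 = StationaryUnit(dk), StationaryUnit(dk)
    bs1.sa = SecurityAssociation(spi=0x1001, key=os.urandom(16))   # outcome of IKE with the mobile
    bs1.receive(0x1001, 1)           # a packet accepted before the hand-over
    handover(bs1, bs2)
    return bs2.sa.spi == 0x1001, bs2.receive(0x1001, 1), bs2.receive(0x1001, 2)
```

Carrying the anti-replay record across with the keys is what lets the second unit refuse the already-seen sequence number; with only the keys transferred, replay protection on the reused association would restart from empty.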
21. In a radio telecommunication system, an apparatus for accomplishing hand-over of a mobile unit from a first stationary unit to a second stationary unit, said apparatus comprising:

means for disconnecting the mobile unit from the first stationary unit;
means for connecting the mobile unit to the second stationary unit; and
means for reusing an existing security association to support the connection between the mobile unit and the second stationary unit, wherein the existing security association was previously used to support the connection between the mobile unit and the first stationary unit.

22. The apparatus of claim 21 further comprising:

means for transferring a number of security association attributes associated with the security association from the first stationary unit to the second stationary unit.

23. The apparatus of claim 22, wherein the security association attributes are transferred from the first stationary unit directly to the second stationary unit.

24. The apparatus of claim 22, wherein said means for transferring the number of security association attributes associated with the security association from the first stationary unit to the second stationary unit comprises:

means for transferring the number of security association attributes from the first stationary unit to a data storage entity; and
means for transferring the number of security association attributes from the data storage entity to the second stationary unit.

25. The apparatus of claim 24, wherein the data storage entity is a database accessible to the second stationary unit.

26. The apparatus of claim 22 further comprising:

means for encrypting the number of security association attributes, prior to transferring the number of security association attributes from the first stationary unit to the second stationary unit, wherein said means for encrypting the number of security association attributes employs an encryption key that is shared by the first and the second stationary units.

27. The apparatus of claim 21, wherein the existing security association is an ISAKMP security association.

28. The apparatus of claim 21, wherein the existing security association is an IPSEC security association.

29. The apparatus of claim 21, wherein the first stationary unit and the second stationary unit are both associated with a common administrative domain, such that the first stationary unit and the second stationary unit are subject to a common security policy.

30. The apparatus of claim 29, wherein the first stationary unit and the second stationary unit share a common IP address.
31. In a radio telecommunication system, an apparatus for accomplishing handover of a mobile unit from a first stationary unit to a second stationary unit, said apparatus comprising:

means for disconnecting the mobile unit from the first stationary unit;
means for connecting the mobile unit to the second mobile unit; and
means for reusing an existing security association to support the connection between the mobile unit and the second stationary unit, wherein the existing security association was previously used to ensure secure communications for a connection between the mobile unit and a third stationary unit, and wherein the third stationary unit and the second stationary unit are associated with a first administrative domain that employs a common security policy.

32. The apparatus of claim 31 further comprising:

means for transferring a set of security association attributes associated with the existing security association from the third stationary unit to the second stationary unit.

33. The apparatus of claim 31, wherein said means for transferring the set of security association attributes associated with the existing security association from the third stationary unit to the second stationary unit comprises:

means for transferring the security association attributes from the third stationary unit to a storage location; and
means for transferring the security association attributes from the storage location to the second stationary unit.

34. The apparatus of claim 33, wherein the storage location is in a database associated with the first administrative domain to which the third stationary unit and the second stationary unit belong.

35. The apparatus of claim 31, wherein the first stationary unit is associated with a second administrative domain.